Create a certificate - Certificate Management Service - Alibaba Cloud Documentation Center

After you purchase a quota for SSL certificates, you must create a certificate and bind a domain name or an IP address to the certificate. In this case, SSL certificates refer to server certificates.

Prerequisites

A quota for SSL certificates is purchased. For more information, see Purchase an official certificate.

Procedure

A quota for SSL certificates is consumed when you create a certificate. After you purchase a quota for SSL certificates, you can create a certificate. When you create a certificate, you must select a certificate type and enter the domain name that you want to protect, such as www.aliyundoc.com. This way, the certificate can protect the specified domain name.

Create an official certificate

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
On the Official Certificate tab, click Create Certificate in the data statistics section or below the certificate list.

In the Create Certificate panel, configure the following parameters.

Parameter	Description
Certificate Type	Select a certificate type based on the type of the domain name that you want to bind to the certificate. Valid values: Single Domain: You can bind a single domain name to the certificate. For example, you can bind www.aliyundoc.com to the certificate. Multiple Domains: You can bind up to five single domain names to the certificate. Wildcard Domain: You can bind a wildcard domain name to the certificate. For example, you can bind *.aliyundoc.com to the certificate. For more information about the matching rules of wildcard domain names, see What kind of domain names are supported by wildcard certificates?
Certificate Specifications	Select the brand and type of the certificate that you want to apply for from the drop-down list. The drop-down list displays your quotas for certificates of different specifications. You can select the required specifications only if you have purchased a quota for certificates of the specifications. If the required specification is not displayed in the drop-down list, you must first purchase a quota for certificates of the specification.
Domain Name	Enter the domain name that you want to protect by using the certificate. You must enter a domain name based on the certificate type that you select. If you set Certificate Type to Single Domain, enter a single domain name. If you set Certificate Type to Wildcard Domain, enter a wildcard domain name. If you set Certificate Type to Multiple Domains, enter no more than five domain names. Separate multiple domain names with commas (,).
Validity Period (Years)	Specify the validity period for the certificate service. If you want to use the certificate service for more than one year, you must first purchase the certificate hosting feature. You can extend the validity period of the certificate service by consuming your hosting quota. The validity period of the certificate service can be extended to one year by consuming the hosting quota of 1. If you use the hosting service to extend the validity period, you can receive free technical support services, including certificate configuration guidance. For more information about the certificate hosting feature, see Introduction to the certificate hosting feature. Important By default, the validity period of a certificate is one year. The validity period of certificates issued by all certificate authorities (CAs) is up to 397 days. This parameter specifies the validity period of the certificate service. For example, if you set this parameter to 2, you can apply for two certificates that are valid for one year, by consuming a hosting quota of 1. In this case, when the first certificate is about to expire, Certificate Management Service automatically renews the certificate. You can obtain the second certificate without the need to submit a certificate application again.
Quick Issue	If you want to immediately apply for the certificate after it is created, select Quick Issue. After you specify the required information, Certificate Management Service automatically applies for the certificate.

Click OK to create the certificate. Perform this operation if you do not select Quick Issue.

If you select Quick Issue, specify the required information based on your certificate type. Then, click Submit to create the certificate. The following table describes the required information.

EV certificate

Parameter	Description
Contact	Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number. Important After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid. If you have not created contacts, you can click Create Contact to create one. Certificate Management Service saves the created contact for subsequent use. For more information about how to create a contact, see Manage contacts.
Company	Select a company profile to apply for the certificate. The company profile includes the company name, phone number, and address. If you have not created company profiles, you can click Create Company Profile to create one. Certificate Management Service saves the created company profile for subsequent use. For more information about how to create a company profile, see Manage company profiles. If you apply for an organization validated (OV) certificate for a domain name that is suffixed with .gov, make sure that the registrant contact information stored in the Whois database is consistent with the company name to specify.
Business License	After you select a value for Company, the system automatically identifies the business license picture in the company profile. If you did not upload a business license picture when you create the company profile, the business license picture is empty. To facilitate the approval of your certificate application, we recommend that you upload the business license picture of your company.
Encryption Algorithm	Select the key algorithm for the certificate. This parameter also specifies the key algorithm that is used to automatically generate a certificate signing request (CSR) file. Valid values: RSA: The Rivest-Shamir-Adleman (RSA) algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value. ECC: The elliptic-curve cryptography (ECC) algorithm is an encryption algorithm based on elliptic curves. Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers. Important The ECC algorithm is supported only by specific certificate brands and types. For more information, see Select an SSL certificate.
CSR Generation	A CSR is a file used to request a certificate. A CSR file contains the information about the SSL certificate that you want to apply for. The information includes the domain names that you want to bind to the certificate and the name and geographical location of the certificate holder. When you submit a certificate application to a CA, you must provide a CSR. After the CA approves your certificate application, the CA uses the private key of the root CA to sign your CSR and generates a public key file. The public key file is the SSL certificate that the CA issues to you. The private key of the SSL certificate is generated when you create the CSR. Valid values: Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for Key Algorithm. After your certificate is issued, you can download the certificate and private key. This method is recommended. Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential. For more information about how to create a CSR file and a private key file, see How do I create a CSR file? Important If you set CSR Generation to Manual, you cannot deploy the certificate to Alibaba Cloud services by using the Certificate Management Service console after the certificate is issued. If you set CSR Generation to Manual when you apply for a certificate that uses an SM algorithm, you can obtain an encryption certificate, which requires a private key for decryption. However, the private key is not stored on Alibaba Cloud. You must contact the generator of the private key for assistance. Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set CSR Generation to Automatic so that Certificate Management Service can use the automatically generated CSR file for application. This avoids application failures caused by the inaccurate content of CSR files. The encryption algorithm of the CSR file that you manually generate must be the same as the value of Key Algorithm that you specify. Otherwise, you cannot submit your certificate application for review. If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate. Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind. Before you can use this method, you must upload existing CSR files or use the CSR generator that is provided by Certificate Management Service to generate CSR files. For more information, see Create a CSR and Upload a CSR. Important The encryption algorithm of the CSR file that you select must be the same as the value of Encryption Algorithm that you specify. Otherwise, you cannot submit your certificate application for review.
CSR File	Enter the content of your CSR file. This parameter is required only if you set CSR Generation to Manual or Select Existing CSR.
Permit for Opening a Bank Account	This parameter is required only if you apply for a GeoTrust or DigiCert certificate. You must save a scanned copy of the bank account opening license of the company to your computer in advance. Then, you can click Upload File to upload the scanned copy from your computer. Note Make sure that the scanned copy is in the PNG or JPEG format and is no more than 500 KB in size.

OV certificate

Parameter	Description
Domains to Bind	Enter the domain name that you want to protect by using the certificate. You can move the pointer over the icon to view the number and type of the supported domain names. You can also click View More to view the descriptions on how to configure this parameter. The number and type of the supported domain names vary based on the specifications of your certificate. Important The type of the domain name must be the same as the value of Domain Type that you select when you purchase a quota for SSL certificates. If you enter a wildcard domain name, you must use an asterisk (``). Example: `.aliyundoc.com`. If you want to bind a Chinese domain name to a certificate, you must use the transcoding tool provided by Certificate Management Service to transcode the Chinese domain name, and then bind the transcoded domain name to the certificate. For more information, see Convert a Chinese domain name. You can bind IP addresses only to GlobalSign OV single-domain certificates.
Contact	Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number. Important After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid. If you have not created contacts, you can click Create Contact to create one. You can also click Edit to modify the information about an existing contact. Certificate Management Service saves the created contact for subsequent use. For more information about how to create a contact, see Manage contacts.
Company	Select a company profile to apply for the certificate. The company profile includes the company name, phone number, and address. If you have not created company profiles, you can click Create Company Profile to create one. You can also click Edit to modify the information about an existing company profile. Certificate Management Service saves the created company profile for subsequent use. For more information about how to create a company profile, see Manage company profiles. If you apply for an OV certificate for a domain name that is suffixed with .gov, make sure that the registrant contact information stored in the Whois database is consistent with the company name to specify.
Business License	After you select a value for Company, the system automatically identifies the business license picture in the company profile. If you did not upload a business license picture when you create the company profile, the business license picture is empty. To facilitate the approval of your certificate application, we recommend that you upload the business license picture of your company.
Encryption Algorithm	Select the key algorithm for the certificate. This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values: RSA: The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value. ECC: The ECC algorithm is an encryption algorithm based on elliptic curves. Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers. Important The ECC algorithm is supported only by specific certificate brands and types. For more information, see Select an SSL certificate.
CSR Generation	A CSR is a file used to request a certificate. A CSR file contains the information about the SSL certificate that you want to apply for. The information includes the domain names that you want to bind to the certificate and the name and geographical location of the certificate holder. When you submit a certificate application to a CA, you must provide a CSR. After the CA approves your certificate application, the CA uses the private key of the root CA to sign your CSR and generates a public key file. The public key file is the SSL certificate that the CA issues to you. The private key of the SSL certificate is generated when you create the CSR. Valid values: Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for Key Algorithm. After your certificate is issued, you can download the certificate and private key. This method is recommended. Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential. For more information about how to create a CSR file and a private key file, see How do I create a CSR file? Important If you set CSR Generation to Manual, you cannot deploy the certificate to Alibaba Cloud services by using the Certificate Management Service console after the certificate is issued. If you set CSR Generation to Manual when you apply for a certificate that uses an SM algorithm, you can obtain an encryption certificate, which requires a private key for decryption. However, the private key is not stored on Alibaba Cloud. You must contact the generator of the private key for assistance. Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set CSR Generation to Automatic so that Certificate Management Service can use the automatically generated CSR file for application. This avoids application failures caused by the inaccurate content of CSR files. The encryption algorithm of the CSR file that you manually enter must be the same as the value of Key Algorithm that you specify. Otherwise, you cannot submit your certificate application for review. If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate. Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind. Before you can use this method, you must upload existing CSR files or use the CSR generator that is provided by Certificate Management Service to generate CSR files. For more information, see Create a CSR and Upload a CSR. Important The encryption algorithm of the CSR file that you select must be the same as the value of Encryption Algorithm that you specify. Otherwise, you cannot submit your certificate application for review.
CSR File	Enter the content of your CSR file. This parameter is required only if you set CSR Generation to Manual or Select Existing CSR.

DV certificate

Parameter	Description
Domains to Bind	Enter the domain name that you want to protect by using the certificate. You can move the pointer over the icon to view the number and the type of supported domain names. You can also click View More to view the descriptions on how to configure this parameter. The number and the type of supported domain names vary based on the specifications of your certificate. Important The type of the domain name must be the same as the value of Domain Type that you select when you purchase the certificate. If you enter a wildcard domain name, you must use an asterisk (``). Example: `.aliyundoc.com`. If you want to bind a Chinese domain name to a certificate, you must use the transcoding tool provided by Certificate Management Service to transcode the Chinese domain name, and then bind the transcoded domain name to the certificate. For more information, see Convert a Chinese domain name. You can bind IP addresses only to GlobalSign OV single-domain certificates.
Contact	Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number. Important After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid. If you have not created contacts, you can click Create Contact to create one. You can also click Edit to modify the information about an existing contact. Certificate Management Service saves the created contact for subsequent use. For more information about how to create a contact, see Manage contacts.
Encryption Algorithm	Select the key algorithm for the certificate. This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values: RSA: The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value. ECC: The ECC algorithm is an encryption algorithm based on elliptic curves. Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers. Important The ECC algorithm is supported only by specific certificate brands and types. For more information, see Select an SSL certificate.
CSR Generation	A CSR is a file used to request a certificate. A CSR file contains the information about the SSL certificate that you want to apply for. The information includes the domain names that you want to bind to the certificate and the name and geographical location of the certificate holder. When you submit a certificate application to a CA, you must provide a CSR. After the CA approves your certificate application, the CA uses the private key of the root CA to sign your CSR and generates a public key file. The public key file is the SSL certificate that the CA issues to you. The private key of the SSL certificate is generated when you create the CSR. Valid values: Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for Key Algorithm. After your certificate is issued, you can download the certificate and private key. This method is recommended. Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential. For more information about how to create a CSR file and a private key file, see How do I create a CSR file? Important If you set CSR Generation to Manual, you cannot deploy the certificate to Alibaba Cloud services by using the Certificate Management Service console after the certificate is issued. If you set CSR Generation to Manual when you apply for a certificate that uses an SM algorithm, you can obtain an encryption certificate, which requires a private key for decryption. However, the private key is not stored on Alibaba Cloud. You must contact the generator of the private key for assistance. Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set CSR Generation to Automatic so that Certificate Management Service can use the automatically generated CSR file for application. This avoids application failures caused by the inaccurate content of CSR files. The encryption algorithm of the CSR file that you manually enter must be the same as the value of Key Algorithm that you specify. Otherwise, you cannot submit your certificate application for review. If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate. Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind. Before you can use this method, you must upload existing CSR files or use the CSR generator that is provided by Certificate Management Service to generate CSR files. For more information, see Create a CSR and Upload a CSR. Important The encryption algorithm of the CSR file that you select must be the same as the value of Encryption Algorithm that you specify. Otherwise, you cannot submit your certificate application for review.
CSR File	Enter the content of your CSR file. This parameter is required only if you set CSR Generation to Manual or Select Existing CSR.

What to do next

Scenario 1: Quick Issue is selected. After you specify the required information and submit your certificate application, the system sends the application to the CA for review. You can move the pointer over the 状态标签 icon in the Status column and click View Progress in the Certificate Progress panel to view the progress of the certificate application. For more information, see Step 3: Verify the ownership of a domain name.

Scenario 2: Quick Issue is not selected. After the certificate is created, you can view the certificate in the certificate list. In this case, the value of the certificate in the Status column is Pending Application. You must submit a certificate application to the CA for review. After the CA approves your certificate application, the CA issues the certificate. For more information, see Step 2: Apply for a certificate.