Canceling a certificate application in the Pending Application state returns the quota to your account. This topic describes how to use the returned certificate quota to manually create a new SSL certificate instance, bind a domain, and initiate the certificate request process.
Newly purchased certificates are automatically created in the Pending Application state. Skip this topic and proceed directly to submit a request to the CA.
Prerequisites
You have available quota for an official (paid) certificate.
Workflow
Procedure
Log on to the Certificate Management Service console, choose , then click Create Certificate.
Step 1: Configure basic settings
Configure the basic parameters as described below. The Quick Issue setting controls what happens next.
Quick Issue selected: the system automatically submits the certificate request.
Quick Issue cleared: clicking OK creates a certificate draft in Pending Application state, which you must submit to the CA later.
Certificate Type
The system displays the types of certificates that you can create, such as single-domain, multi-domain, and wildcard. You can only select types for which you have available quota.
Certificate Specifications
Select the certificate brand and validation level. The options shown are based on the certificate quota you currently hold. If the required specification is not available, purchase additional certificates.
Domain Name
General validation rules
Type consistency: The domain format must match the certificate type. For example, a wildcard certificate requires a wildcard domain.
Length limits: A single domain name cannot exceed 253 characters. Individual labels separated by periods (.) cannot exceed 63 characters.
Format-specific rules:
Wildcard domains: Must start with an asterisk (*), such as *.example.com.
Chinese domain names: Must be converted to Punycode format. For example, Alibaba Cloud.company is converted to xn--fhq546a.xn--55qx5d. You can use the console prompt or an external transcoding tool.
IP address: Supported only by OV single-domain certificates from specific brands (GlobalSign and GeoTrust).
TLD restrictions: DigiCert-branded certificates cannot be issued for domain names with special TLDs, including .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, and .ru. GlobalSign-branded certificates do not have this restriction.
Complimentary domain name: If the domain name you enter meets the eligibility requirements, a complimentary domain name is automatically included.
Validity Period (Years)
Select the subscription duration.
The standard validity period for a CA-issued certificate is one year (maximum 397 days). A validity period longer than one year is provided as a Managed Service that spans multiple years.
Service periods longer than one year require the certificate hosting service and multiple certificates of the same specification. Each additional year of service consumes one certificate quota and one hosting service instance.
Note: For example, a 2-year service period:
Consumes two one-year certificates and one hosting service instance.
As the first certificate approaches expiration, the service automatically renews it. The second certificate is issued without a new application.
Quick Issue
Select this option to fill in the application details. The system will automatically submit the request to the CA upon creation. You will only need to complete the domain ownership verification.
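The Domain Name rules in Step 1 can be checked locally before a request is submitted. The following is an added example, not Alibaba Cloud code: the function names and the `cert_type`, `brand`, and `level` strings are assumptions, and rejecting a wildcard name on a single-domain certificate is an assumed converse of the type-consistency rule.

```python
import ipaddress

# TLDs the page names as unavailable for DigiCert; its list says "including",
# so treat it as possibly incomplete. Brand/type/level strings are assumed labels.
DIGICERT_BLOCKED_TLDS = {"edu", "gov", "org", "jp", "pay", "bank", "live", "nuclear", "ru"}
IP_CAPABLE_BRANDS = {"GlobalSign", "GeoTrust"}  # OV single-domain only, per the page


def to_punycode(name):
    """Convert each non-ASCII label to its xn-- form; ASCII labels pass through."""
    return ".".join(
        label.lower() if label.isascii() else label.encode("idna").decode("ascii")
        for label in name.split(".")
    )


def check_domain(name, cert_type, brand, level):
    """Return the list of violated rules; an empty list means the name passes."""
    name = name.strip()
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass  # not an IP literal, so validate it as a domain name below
    else:
        ok = cert_type == "single" and level == "OV" and brand in IP_CAPABLE_BRANDS
        return [] if ok else ["IP address not supported for this brand/type/level"]
    errors = []
    is_wildcard = name.startswith("*.")
    if cert_type == "wildcard" and not is_wildcard:
        errors.append("wildcard certificate requires a domain starting with *.")
    if cert_type == "single" and is_wildcard:  # assumed converse of the page's rule
        errors.append("single-domain certificate cannot take a wildcard domain")
    try:
        ascii_name = to_punycode(name)
    except UnicodeError as exc:
        return errors + [f"cannot convert to Punycode: {exc}"]
    labels = ascii_name.split(".")
    if len(ascii_name) > 253:
        errors.append("domain name exceeds 253 characters")
    if any(not 0 < len(label) <= 63 for label in labels):
        errors.append("label is empty or exceeds 63 characters")
    if brand == "DigiCert" and labels[-1] in DIGICERT_BLOCKED_TLDS:
        errors.append(f"DigiCert does not issue for .{labels[-1]}")
    return errors


if __name__ == "__main__":  # constructed sample inputs
    print(to_punycode("example.\u516c\u53f8"))  # IDN label converted to xn-- form
    print(check_domain("www.example.org", "single", "DigiCert", "OV"))
```

The length limits are applied to the Punycode form, since that is the name that ends up in the certificate request.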
Step 2 (Optional): Provide application details (Quick Issue)
If you selected Quick Issue, you must provide the verification details required by the CA. After entering the information, click Submit. The certificate status changes to Validating Application. You must then complete the domain name ownership verification. The required fields vary by certificate validation level (DV, OV, or EV).
DV certificates
Provide the following details:
Domain Verification Method
DNS in different account
Manual DNS Verification (Recommended): Sign in to your DNS provider's platform and add the specified TXT DNS record.
File Verification: Upload the verification file to the specified directory on your web server.
Important: File verification is not supported for wildcard domain names.
DNS in same account
The system uses the Automatic DNS Verification method and configures the required DNS record in the Alibaba Cloud DNS console to verify ownership. No manual action is required.
Contact
Select a contact for this application. To create or update a contact, choose Create Contact or Edit, or go to the Contact Management page.
Important: After receiving the request, the CA sends a validation email to the contact's email address. The CA may also use the mobile number to verify review details. Ensure that the contact information is accurate and valid.
Location
Select the city or region where the applicant is located.
Encryption Algorithm
RSA (Default): The industry standard for asymmetric encryption. It offers the broadest compatibility with legacy browsers and client devices.
ECC: Elliptic Curve Cryptography. Offers stronger security with shorter key lengths compared to RSA. It provides faster processing and lower server resource consumption, and is supported by most modern browsers.
Important: ECC algorithms are supported only by specific certificate brands and types. For more information, see SSL certificate selection guide.
CSR Generation
A Certificate Signing Request (CSR) contains your domain name, organization information, and public key. You must securely store the corresponding private key.
Automatic (Recommended)
Alibaba Cloud generates both the CSR and the private key. You can download the private key directly from the console after the certificate is issued.
Manual
Use tools such as OpenSSL or Keytool to manually generate a CSR and private key. Securely store the private key, then copy the CSR content to the CSR File field below. For details, see How to create a CSR file.
Important: You are solely responsible for the security of your private key. If the private key is lost, it cannot be recovered, and the certificate becomes unusable. You must generate a new key pair and reapply for the certificate.
The encryption algorithm of the CSR must match the key algorithm that you selected.
Select Existing CSR
From the CSRs that you previously created or uploaded in the Certificate Service console, select one that matches the Domains to Bind. For instructions on creating and uploading a CSR, see Create a CSR.
CSR File
This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file here.
OV certificates
Provide the following details:
Contact
Select a contact for this application. To create or update a contact, choose Create Contact or Edit, or go to the Contact Management page.
Important: After receiving the request, the CA sends a validation email to the contact's email address. The CA may also use the mobile number to verify review details. Ensure that the contact information is accurate and valid.
Company
Select the company information for this certificate application, including the name, phone number, and address. To create or modify company information, you can click Create Company Profile or Edit, or go to the Company Information Management page.
Important: When you apply for an OV certificate for a .gov domain name, the organization name in the WHOIS record must be identical to your company name.
Business License
After you select a Company, the system automatically identifies the business license image that was uploaded for that company. If you did not upload a business license when you created the company profile, this field is empty. To ensure a quick review by the CA, upload your company's business license.
Encryption Algorithm
Select the key algorithm for the certificate.
RSA (Default): The industry standard for asymmetric encryption. It offers the broadest compatibility with legacy browsers and client devices.
ECC: Elliptic Curve Cryptography. Offers stronger security with shorter key lengths compared to RSA. It provides faster processing and lower server resource consumption, and is supported by most modern browsers.
Important: ECC algorithms are supported only by specific certificate brands and types. For more information, see SSL certificate selection guide.
CSR Generation
A Certificate Signing Request (CSR) contains your domain name, organization information, and public key. You must securely store the corresponding private key.
Automatic (Recommended)
Alibaba Cloud generates both the CSR and the private key. You can download the private key directly from the console after the certificate is issued.
Manual
Use tools such as OpenSSL or Keytool to manually generate a CSR and private key. Securely store the private key, then copy the CSR content to the CSR File field below. For details, see How to create a CSR file.
Important: You are solely responsible for the security of your private key. If the private key is lost, it cannot be recovered, and the certificate becomes unusable. You must generate a new key pair and reapply for the certificate.
The encryption algorithm of the CSR must match the key algorithm that you selected.
Select Existing CSR
From the CSRs that you previously created or uploaded in the Certificate Service console, select one that matches the Domains to Bind. For instructions on creating and uploading a CSR, see Create a CSR.
CSR File
This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file here.
EV certificates
Provide the following details:
Contact
Select a contact for this application. To create or update a contact, choose Create Contact or Edit, or go to the Contact Management page.
Important: After receiving the request, the CA sends a validation email to the contact's email address. The CA may also use the mobile number to verify review details. Ensure that the contact information is accurate and valid.
Company
Select the company information for this certificate application, including the name, phone number, and address. To create or modify company information, you can click Create Company Profile or Edit, or go to the Company Information Management page.
Important: When you apply for an OV certificate for a .gov domain name, the organization name in the WHOIS record must be identical to your company name.
Business License
After you select a Company, the system automatically identifies the business license image that was uploaded for that company. If you did not upload a business license when you created the company profile, this field is empty. To ensure a quick review by the CA, upload your company's business license.
Encryption Algorithm
Select the key algorithm for the certificate.
RSA (Default): The industry standard for asymmetric encryption. It offers the broadest compatibility with legacy browsers and client devices.
ECC: Elliptic Curve Cryptography. Offers stronger security with shorter key lengths compared to RSA. It provides faster processing and lower server resource consumption, and is supported by most modern browsers.
Important: ECC algorithms are supported only by specific certificate brands and types. For more information, see SSL certificate selection guide.
CSR Generation
A Certificate Signing Request (CSR) contains your domain name, organization information, and public key. You must securely store the corresponding private key.
Automatic (Recommended)
Alibaba Cloud generates both the CSR and the private key. You can download the private key directly from the console after the certificate is issued.
Manual
Use tools such as OpenSSL or Keytool to manually generate a CSR and private key. Securely store the private key, then copy the CSR content to the CSR File field below. For details, see How to create a CSR file.
Important: You are solely responsible for the security of your private key. If the private key is lost, it cannot be recovered, and the certificate becomes unusable. You must generate a new key pair and reapply for the certificate.
The encryption algorithm of the CSR must match the key algorithm that you selected.
Select Existing CSR
From the CSRs that you previously created or uploaded in the Certificate Service console, select one that matches the Domains to Bind. For instructions on creating and uploading a CSR, see Create a CSR.
CSR File
This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file here.
Next steps
Scenario 1: You selected Quick Issue.
The system has submitted your application to the CA. You can hover over the icon in the Status column. In the tooltip that appears, click View Progress to track the review status. Then, complete the domain name ownership verification.

Scenario 2: You did not select Quick Issue.
The certificate is created but hasn't been sent to the CA. Locate the certificate in the list. The Status will be Pending Application. You must submit a request to a CA. Only after this submission and verification process will the CA issue the certificate.

Complimentary domains for SSL certificates
When you purchase a certificate that meets certain conditions, a complimentary domain is automatically included to secure both the www and non-www versions of your site. The complimentary rules vary by certificate type and brand.
Conditions
GlobalSign
DV: The domain validation must be DNS validation.
OV: No special restrictions.
EV: The domain must be an apex domain.
DigiCert
DV: The domain validation must be DNS validation.
OV, EV: The domain must be an apex domain.
Alibaba Cloud
The domain must be a www subdomain such as www.aliyun.com.
This offer is not reciprocal; securing an apex (such as aliyun.com) or wildcard domain (such as *.aliyun.com) will not include the www subdomain.
Complimentary rules
Single domain certificate:
The matching apex domain or www subdomain is automatically included.
If your certificate is for yourdomain.com, www.yourdomain.com is added for free.
If your certificate is for www.yourdomain.com, yourdomain.com is added for free.
Wildcard certificate:
The corresponding apex domain is automatically included.
If your certificate is for *.yourdomain.com, yourdomain.com is added for free.
Multi-domain certificate:
The free domain offer applies only to the first domain listed in your certificate request.
Example: If the first domain in your request is www.domain-a.com, the system automatically includes domain-a.com for free. No complimentary domain is added for the second domain, domain-b.com.
FAQ
Unable to create a certificate due to insufficient quota.
Cause | Solution |
Quota is locked by pending applications. | In the console, filter the certificate list by the Pending Application status. For any draft certificates you do not plan to use, click Cancel Apply. This immediately releases the associated quota back to your account. Important: Revoking or deleting an issued certificate does not refund or restore the original quota. |
Quota is fully used. | If all existing quotas are being used by valid certificates and no drafts can be canceled, purchase official certificate resources and then retry creating the certificate. |
Can I bind Chinese (IDN) domain names?
Yes. If you use a Chinese domain name, you must convert it to Punycode format as prompted in the console to request a certificate. Alternatively, you can use a transcoding tool to perform the conversion. For more information, see Chinese Domain Name Conversion.