Certificate Management Service provides various types and brands of wildcard, multi-domain, and hybrid certificates for different types and scales of websites. This topic describes how to select a certificate that best suits your requirements.
Quick selection
Many factors affect SSL certificate selection, such as your budget, domain name type and quantity, security level, encryption algorithm, and compatibility.
Selection example for individual users
If you have a personal website or blog that is used to display content and does not involve data transmission, you can refer to the table below to select a suitable SSL certificate.
Factor | Business characteristic | Recommended certificate |
Domain name type and quantity | The certificate needs to be bound to only one domain name (you have only one website and one single domain name). | Select a single-domain certificate, which can protect only one domain name. |
Authentication strength and security level | The verification process of the certificate is simple and fast, and the security level is moderate. | Select a DV certificate. The certificate can be issued in a minimum of 10 minutes because the related certificate authority (CA) verifies only the authenticity of the domain name. |
Encryption algorithm | The certificate is compatible with mainstream browsers without special encryption requirements. | Select the RSA algorithm, which is compatible with most browsers. |
Certificate brand and budget | The certificate is reliable and cost-effective. | Select an Alibaba Cloud Certificate, which is the most cost-effective. |
Selection example for enterprise users
If you are an enterprise user, visit the Certificate Management Service product page to obtain technical support.
Select certificates by scenario
Certificate price
The price of an SSL certificate varies based on factors such as the certificate type and brand.
Domain name type and quantity
You can use a certificate by binding domain names or IP addresses to it. You must determine the type and number of certificates that you want to apply for based on the type and number of domain names pointing to your website.
Authentication strength and security level
SSL certificates are classified into three types based on their security level, encryption level, and verification method: Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV). These certificate types differ significantly in terms of security, supported brands, and applicable website types.
Encryption algorithm
SSL certificates use common encryption algorithms such as RSA, ECC. These encryption algorithms differ in security level, performance efficiency, compatibility, and application scenarios.
Alibaba Cloud SSL certificates support the RSA, ECC, encryption algorithms. If your business has specific requirements for algorithm type and performance, you can refer to the following information to select a certificate.
International standard algorithms:
RSA: A widely used asymmetric encryption algorithm that provides the best compatibility and universal applicability.
ECC (Elliptic Curve Cryptography): Appeared later than RSA, and compared to RSA, it is more advanced and secure, with faster encryption speed, higher efficiency, and lower resource consumption. It has been promoted in mainstream browsers.
NoteCertificates using RSA and ECC algorithms can be used in websites, mini programs, apps, and other application scenarios. However, when ensuring performance, compatibility, and meeting specific compliance requirements, evaluation and planning are necessary.
Comparison item
RSA algorithm
ECC algorithm
Security and key length
The algorithm requires a longer key length. Supported key lengths are 2,048 and 4,096 bits.
The algorithm supports a shorter key length to provide the same level of security as other algorithms.
256-bit: An ECC 256-bit key can provide the same security as an RSA 2,048-bit key.
384-bit: An ECC 384-bit key can provide the same security as an RSA 3,072-bit key.
Performance efficiency/encryption-decryption speed
Slow.
Fast, especially in environments with limited resources, such as mobile and IoT devices.
Memory and CPU usage
High.
Low.
Compatibility
Good.
Good, slightly lower than RSA.
Algorithm support for various brands and types of SSL certificates:
Certificate brand | Certificate type | RSA | ECC | ||||||
Signature algorithm | Key length | Signature algorithm | Key length | ||||||
SHA256withECDSA | SHA384withECDSA | 2048 | 4096 | prime256v1 | secp384r1 | SHA256withRSA | SHA384withRSA | ||
DigiCert | DV |
|
|
|
|
|
|
|
|
OV |
|
|
|
|
|
|
|
| |
EV |
|
|
|
|
|
|
|
| |
GlobalSign | DV |
|
|
|
|
|
|
|
|
OV |
|
|
|
|
|
|
|
| |
Alibaba Cloud | DV |
|
|
|
|
|
|
|
|
SSL certificate signature algorithms by default use SHA256withRSA or SHA256withECDSA. The Certificate Management Service console does not currently support selecting signature algorithms with the SHA384 hash function. To use such signature algorithms to issue certificates, you need to create a CSR file locally and upload it to the console. For more information, see How do I create a CSR file? and Upload CSR.
Certificate brand
In most cases, the certificate brand is not a primary factor that you need to consider when you select a certificate for the first time. However, when you renew an existing certificate or want to use a certificate of the same brand in new workloads, ensuring certificate brand consistency can streamline decision-making.
References
For more information about how to purchase a paid SSL certificate, see Purchase an official certificate.
For more information about SSL certificate refunds, see Refund policies.