Certificate Management Service: What is an SSL certificate?

Last Updated: Dec 25, 2025

An SSL certificate, now more commonly known as a TLS certificate, is a digital certificate that verifies a website's identity and encrypts communication between a browser and a server. A certificate is issued by a trusted certificate authority (CA) and is essential for implementing the HTTPS protocol, which ensures the security and integrity of data transmissions. This topic describes the core value, working principle, and usage procedure of SSL certificates.

Core value

Deploying an SSL/TLS certificate is a necessary security measure for modern websites. It primarily addresses the following issues:

  • Data encryption: Encrypts data transmitted between a client, such as a browser, and a web server to prevent sensitive data from being intercepted or tampered with.

  • Identity verification: Verifies the legitimacy of the server to prevent users from accessing counterfeit or phishing websites.

  • Enhanced browser trust: Eliminates "Not Secure" warnings in browsers and displays a security lock icon in the address bar.

  • Compliance assurance: Meets the requirements of network security and data protection regulations, such as MLPS 2.0 and PCI DSS.

  • Search engine optimization (SEO): Major search engines prioritize indexing HTTPS websites, which helps improve search rankings.

How it works

The SSL/TLS protocol uses a hybrid encryption mechanism: asymmetric encryption for identity verification and symmetric encryption for data transmission.

Certificate issuance and verification (trust chain construction)

  1. Generate a request: The server generates a key pair (2048-bit RSA or 256-bit ECC) and packages the public key and organization information into a Certificate Signing Request (CSR).

  2. Signing by the CA: After the CA verifies domain ownership, it extracts the public key and applicant information from the CSR. The CA then creates the certificate content, which includes issuer information, a validity period, and extension fields. The CA uses its private key to digitally sign the content, which produces an X.509 standard certificate.

  3. Propagate trust: The browser verifies the server certificate signature step-by-step using pre-installed root certificates to establish a trust chain.
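The three steps above, replayed with the openssl command-line tool. This is an added example, not code from the original page or from Alibaba Cloud; "Example Root CA" and www.example.com are constructed placeholders, and the self-signed root stands in for the pre-installed root certificates a real browser trusts. It builds the chain (key pair, CSR, CA signature) and then verifies the leaf certificate against the root while also checking the host name and the validity period, so you can see a name mismatch and an expired certificate being rejected even though the signature chain itself is sound.

```shell
#!/bin/sh
# Added example: build and verify a toy trust chain with the openssl CLI.
# All names below are constructed placeholders, not values from the page.
set -e

WORK="${TMPDIR:-/tmp}/tls-chain-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Step 1 (server side): generate a 256-bit ECC key pair, then a CSR that
# carries the public key plus the subject (the domain name to be certified).
make_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/server.key"
  openssl req -new -key "$WORK/server.key" -subj "/CN=www.example.com" \
    -addext "subjectAltName=DNS:www.example.com" -out "$WORK/server.csr"
}

# Stand-in for the CA's root: a self-signed certificate whose private key is
# the anchor of trust. Real roots are pre-installed in the browser/OS store.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}

# Step 2 (CA side): take the public key and subject from the CSR, add the
# issuer, a 90-day validity period and extensions, and sign with the CA
# private key. The output is the X.509 certificate the server will deploy.
sign_csr() {
  printf 'subjectAltName=DNS:www.example.com\nbasicConstraints=CA:FALSE\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 90 \
    -extfile "$WORK/leaf.ext" -out "$WORK/server.crt"
}

# Step 3 (client side): walk the chain up to the trusted root, checking the
# signature, the validity period at epoch time $2, and the host name $1.
# Exit status 0 means the certificate is trustworthy for that host and time.
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    -attime "$2" "$WORK/server.crt" >/dev/null 2>&1
}

build_chain() {
  make_csr >/dev/null 2>&1
  make_root_ca >/dev/null 2>&1
  sign_csr >/dev/null 2>&1
}

build_chain
NOW=$(date +%s)
# Right host, inside the 90-day validity window: accepted.
verify_leaf www.example.com "$NOW" && echo "www.example.com now: trusted"
# Wrong host name: rejected although the signature chain is valid.
verify_leaf login.example.net "$NOW" || echo "login.example.net: name mismatch"
# Right host, 100 days later: rejected because the certificate has expired.
verify_leaf www.example.com $((NOW + 100 * 86400)) || echo "after expiry: rejected"
```

The verification in verify_leaf is the same check a browser performs in the handshake: the signature chain alone is not enough, and a certificate for the wrong name or outside its validity period is refused even when the CA signature is genuine.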

Encrypted session establishment (TLS handshake)

  1. Initiate the handshake: The client sends a ClientHello message that includes the supported protocol versions and a list of cipher suites.

  2. Transmit the certificate: The server responds with a ServerHello message and sends its certificate chain.

  3. Verify identity: The client verifies the certificate's validity period and that the domain name matches. It also confirms that the certificate is not revoked using a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP). Some deployments use the OCSP Stapling feature to optimize this process.

  4. Exchange keys: Both parties generate a session key through a key exchange mechanism.

    • ECDHE mode (recommended): Both parties generate temporary key pairs, exchange public keys, and independently calculate the same session key.

    • RSA mode (legacy): The client generates a pre-master secret, encrypts it with the server's public key, and sends it to the server. After the server decrypts it, both parties derive the session key from it.

  5. Communicate symmetrically: After the handshake is complete, all data is transmitted using the session key for symmetric encryption.
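The two key exchange modes from step 4 and the symmetric session of step 5, worked through with the openssl command-line tool. This is an added example, not code from the original page or from Alibaba Cloud. It simplifies the key derivation to a single SHA-256 hash of the shared secret (real TLS runs HKDF in 1.3 or the PRF in 1.2 over the handshake transcript), and it uses the openssl CLI in place of a TLS stack; the file names and the message text are constructed. The point it shows is that in ECDHE mode both sides reach the same key without the secret ever crossing the wire, whereas in RSA mode the secret does cross the wire and any holder of the server's long-term private key can recover it later from captured traffic.

```shell
#!/bin/sh
# Added example: ECDHE and legacy RSA key exchange, then an AES session,
# with the openssl CLI. Key derivation is simplified to one SHA-256 hash.
set -e

WORK="${TMPDIR:-/tmp}/tls-kex-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Hex digest of a file; stands in for the TLS key-derivation step.
derive_session_key() {
  openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# ECDHE (recommended): each side makes a fresh temporary P-256 key pair,
# exchanges only the public half, and computes the shared point locally.
# The private halves never leave their owner and are discarded afterwards,
# so past sessions stay secret even if a long-term key leaks later.
ecdhe_exchange() {
  for side in client server; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$side.eph.key"
    openssl pkey -in "$WORK/$side.eph.key" -pubout -out "$WORK/$side.eph.pub"
  done
  openssl pkeyutl -derive -inkey "$WORK/client.eph.key" \
    -peerkey "$WORK/server.eph.pub" -out "$WORK/client.shared"
  openssl pkeyutl -derive -inkey "$WORK/server.eph.key" \
    -peerkey "$WORK/client.eph.pub" -out "$WORK/server.shared"
}
ecdhe_client_key() { derive_session_key "$WORK/client.shared"; }
ecdhe_server_key() { derive_session_key "$WORK/server.shared"; }

# RSA key transport (legacy): the client picks a random pre-master secret,
# encrypts it to the server's long-term public key, and the server decrypts
# it. Whoever holds the server private key can recover every such secret
# from recorded traffic, which is why this mode has no forward secrecy and
# was removed in TLS 1.3.
rsa_exchange() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.rsa.key" 2>/dev/null
  openssl pkey -in "$WORK/server.rsa.key" -pubout -out "$WORK/server.rsa.pub"
  openssl rand -out "$WORK/client.premaster" 48
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.rsa.pub" \
    -in "$WORK/client.premaster" -out "$WORK/premaster.enc"
  openssl pkeyutl -decrypt -inkey "$WORK/server.rsa.key" \
    -in "$WORK/premaster.enc" -out "$WORK/server.premaster"
}
rsa_client_key() { derive_session_key "$WORK/client.premaster"; }
rsa_server_key() { derive_session_key "$WORK/server.premaster"; }

# Step 5: with the same 256-bit key on both sides, application data is
# protected by a symmetric cipher (AES-256 here). Prints the decrypted text.
symmetric_roundtrip() {
  key=$1; msg=$2
  iv=$(openssl rand -hex 16)
  printf '%s' "$msg" | openssl enc -aes-256-cbc -K "$key" -iv "$iv" \
    -out "$WORK/record.bin"
  openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$WORK/record.bin"
}

ecdhe_exchange
rsa_exchange
[ "$(ecdhe_client_key)" = "$(ecdhe_server_key)" ] && echo "ECDHE: both sides agree"
[ "$(rsa_client_key)" = "$(rsa_server_key)" ] && echo "RSA: both sides agree"
symmetric_roundtrip "$(ecdhe_client_key)" "GET / HTTP/1.1"
```

Note that in ecdhe_exchange the only files that would travel over the network are the two .pub files; everything written to client.shared and server.shared is computed locally and never transmitted, which is the property the page recommends ECDHE for.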

Note

The public key in the certificate, which is based on an RSA, ECC, or SM2 algorithm, is used to verify the server's identity and establish a secure channel for key exchange. The actual data is encrypted with a negotiated symmetric key, such as AES, to ensure performance. For more information, see What are public and private keys.

Procedure


Purchase a certificate

  1. Select a certificate type based on your needs. For more information, see SSL certificate selection guide.

  2. Fill in the purchase information. For more information, see Purchase an official certificate.

Create a certificate

If you did not associate a domain name with your quota during purchase, you must create a certificate to complete the association. During this process, the Quick Issue option is available:

  • Select Quick Issue: You must provide the application information. The system then automatically submits a certificate application to the CA. You only need to complete the domain name ownership verification.

  • If you do not select Quick Issue, you must log on to the Certificate Service console to manually fill in and submit an application after the certificate is created. For more information, see Submit an application to a CA.

Note

The certificate list displays only certificates that are bound to a domain name. Unbound certificates appear after you complete the Create Certificate operation.

Apply for a certificate

  1. Submit an application to a certificate authority (CA)

    Fill in the required information based on the certificate type. This information may include the domain name or IP address to be bound, contact details, company information, and a business license. Then, submit the certificate application to the CA. For more information, see Apply for a certificate.

  2. Domain name ownership verification

    When you submit an application to the CA, you must verify your ownership of the domain name. For more information, see Domain name ownership verification.

    • DV (Domain Validated) certificates support three verification methods: Automatic DNS Verification, Manual DNS Verification, and File Verification.

    • For EV or OV certificates, you must complete the verification based on the content of the domain name verification email sent by the CA.

  3. CA review

    After you submit the application and complete the domain name ownership verification, you must wait for the CA to review your application. To view the review progress and result, see Handle CA review results. The average issuance time for a domain validated (DV) certificate is 1 to 15 minutes. The average issuance time for an organization validated (OV) or extended validation (EV) certificate is 5 calendar days.

Deploy the certificate

After the CA approves your application and the certificate status changes to Issued, you can deploy the certificate file to your web server, such as Nginx, Apache, or IIS, or to a cloud service. This enables the HTTPS feature for your site. For more information, see Deploy an SSL certificate.

Important

If your server is located in the Chinese mainland, you must apply for an ICP filing. Otherwise, your website will be inaccessible.

What to do next

Certificate renewal

After an SSL certificate expires, you must promptly renew it or apply for a new one. You must also install the new SSL certificate to maintain the encrypted connection and security of your website. For more information, see SSL certificate renewal and expiration.

Certificate revocation

If you no longer use a certificate, you can revoke it. For more information, see Revoke and delete an SSL certificate.

Warning

The revocation operation is irreversible. A revoked certificate is removed from the CA's trusted list. Browsers and clients identify it as invalid during verification and display a security warning to visitors.

FAQ

What do I do if I cannot find my certificate after purchase?

If you did not enter domain name information during the purchase, you receive a certificate creation quota instead of a certificate that is displayed in the certificate list. You must create an SSL certificate and bind a domain name to it before it appears in the list.

Do SSL certificates support Chinese domain names?

Yes, they do. If you bind a Chinese domain name, you must convert it to Punycode as prompted in the console before you can apply for a certificate. You can also use a transcoding tool to perform the conversion. For more information, see Convert a Chinese domain name.

Can I apply for an Alibaba Cloud SSL Certificate if my DNS provider is not Alibaba Cloud?

Yes, you can. You only need to complete the domain ownership validation. This is independent of your DNS provider.

You have two options:

  • Solution: Configure the record at your current provider.
    Method: Log on to your current domain name platform and add the SSL certificate validation record (TXT) from Alibaba Cloud. Note: Contact your provider's support if you need assistance.
    Advantage: Fast and direct. No domain name transfer is required.

  • Solution: Transfer your domain to Alibaba Cloud.
    Method: Follow the steps to transfer a domain name to Alibaba Cloud. Once complete, you can manage all DNS records in the Alibaba Cloud DNS console. Important: Transferring a domain requires paying a one-year renewal fee.
    Advantage: Convenient for future certificate renewals and unified domain name management.