How to purchase an SSL certificate - Certificate Management Service

Purchase an SSL certificate on the Certificate Service console, then submit an application for a certificate authority (CA) to review and issue.

Choose a certificate

Use the guidance below to select the right certificate type, specification, brand, and service duration before purchasing.

Certificate type

Type	Protects	Notes
Single Domain	One domain name, subdomain, or public IPv4 address. Examples: `aliyun.com`, `abc.example.com`, `1.1.X.X`	Cannot protect subdomains unless purchased separately. A certificate for `www.yourdomain.com` automatically includes `yourdomain.com`, and vice versa.
Wildcard Domain	An apex domain and all its first-level subdomains. Example: `*.aliyun.com` covers `demo.aliyun.com`	Matches only one subdomain level — `.aliyun.com` does not* cover `guide.demo.aliyun.com`. By default, supports only one wildcard domain per certificate. To include multiple wildcard domains, see Merge certificate requests.
Multi-Domain	Up to 5 individual domain names with one certificate	Wildcard domain names are not supported. The complimentary domain offer applies only to the first domain listed.

When you purchase certain certificates, the system automatically includes a complimentary domain. For details, see Complimentary domains.

Certificate specification

Choose based on your security requirements:

DV (Domain Validated): Verifies domain ownership only — the fastest and lowest-cost option, typically issued within 1 to 15 minutes. Best for personal websites, brochure sites, or test environments.
OV (Organization Validated): Verifies both domain ownership and organizational identity. Displays the organization name in the certificate details. Typically issued within 5 calendar days. Best for government entities, small- to medium-sized enterprises, or educational institutions. OV_PRO SSL offers higher encryption than OV SSL.
EV (Extended Validation): Requires the most rigorous identity verification and displays the organization's full legal name. Best for large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive user data. Typically issued within 5 calendar days. EV_PRO SSL offers higher encryption than EV SSL.

Brand

Brand	Best for
DigiCert	Maximum global trust and brand recognition
GlobalSign	Reliable international coverage
Alibaba Cloud	Cost-effective option

For a full comparison, see Selection guide.

Important

DigiCert does not issue certificates for domains with special suffixes such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, or .ru.

Service duration

For multi-year plans, the system automatically requests a renewal certificate before the current one expires:

Duration	Certificates included	Hosting service	Renewal trigger
1 year	1 certificate (1-year validity)	Not included	N/A
2 years	2 certificates (each 1-year validity)	1 included	When the active certificate has fewer than 30 days remaining
3 years	3 certificates (each 1-year validity)	2 included	When the active certificate has fewer than 30 days remaining

Purchase a certificate

Step 1: Configure certificate

Go to the SSL Certificate Management page, click Commercial Certificates > Purchase Certificate, and fill in the parameters:

Parameter	Description
Domain Type	Select Single Domain, Wildcard Domain, or Multiple Domains. See Certificate type.
Brand	Select DigiCert, GlobalSign, or Alibaba Cloud. See Brand.
Certificate Specifications	Select the validation level: DV SSL, OV SSL, OV_PRO SSL, EV SSL, or EV_PRO SSL. Available options vary by domain type.
Domain Names	The number of domain names to protect. Set this only when Domain Type is Multiple Domains.
Quantity	Fixed at 1.
Service Duration	Select 1 Year, 2 Years, or 3 Years. See Service duration.

Important

For purchase questions, contact an expert by filling out the form on the product page.

Step 2: Confirm and pay

Click Buy Now, read and agree to the Terms of Service, then click Pay. After purchase, find the order on the Order Refund Management page.

Step 3: View the purchased certificate

After purchase, the certificate appears in Certificates with the status Pending Application.

What's next

Submit an application to the CA for review and issuance. The CA reviews the application and issues the certificate after approval.

Complimentary domains for SSL certificates

When you purchase certain certificates, a complimentary domain is automatically included to cover both the www and non-www versions of your site. The rules vary by brand and certificate type.

Conditions

GlobalSign

DV: Domain validation must use DNS validation.
OV: No special restrictions.
EV: The domain must be an apex domain.

Alibaba Cloud

The bound domain must be the www subdomain corresponding to an apex domain.

Note

A complimentary apex domain aliyun.com is provided only when you bind www.aliyun.com.
If you bind a domain such as aliyun.com or *.aliyun.com, the corresponding www subdomain is not included.

DigiCert

DV: Domain validation must use DNS validation.
OV, EV: The domain must be an apex domain.

Alibaba Cloud

The domain must be a www subdomain (for example, www.aliyun.com).

This offer is not reciprocal. Securing an apex domain (such as aliyun.com) or a wildcard domain (such as *.aliyun.com) does not include the www subdomain.

Purchase a certificate

To acquire a certificate, you must first place a purchase order and then apply to a certificate authority (CA) for issuance.

Step 1: Purchase options

Go to the SSL Certificate Management page, click Commercial Certificates > Purchase Certificate, and fill in the required information as described below.

Domain Type:
- Single Domain: An SSL certificate is attached to a primary domain name, a subdomain, or a public IP address (IPv4). Examples: aliyun.com, abc.example.com, and 1.1.X.X.
- Wildcard Domain: A wildcard certificate is used to protect a primary domain name and all its first-level subdomains.
  - Matching rules: Matches only subdomains at the same level. It cannot match subdomains across multiple levels. For example, a certificate for *.aliyun.com can match demo.aliyun.com, but cannot match guide.demo.aliyun.com.
  - Limits: By default, a certificate supports only one wildcard domain name. To include multiple wildcard domain names in a single certificate, see Merge certificate requests.
- Multiple Domains: Used to attach multiple single domain names at the same time. You can attach up to five single domain names. Only single domain names are supported. Wildcard domain names are not supported.
Certificate Type:
The available certificate types vary depending on the domain type.
- DV: A domain-validated certificate that requires only domain control validation. It is suitable for personal websites, informational sites, or test environments. This is the fastest and most affordable option.
- OV: An organization-validated certificate that verifies both the domain and the organization's identity. It is suitable for government organizations, small to medium-sized enterprises, or educational institutions.
- OV_PRO: Offers a higher level of encryption and security than a standard OV certificate.
- EV: An extended validation certificate that involves the most rigorous corporate verification. It is suitable for large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive data.
- EV_PRO: Offers a higher level of encryption and security than a standard EV certificate.
Brand:
Supports DigiCert, GlobalSign, and Alibaba Cloud. For more information, see SSL certificate selection guide.
Important
DigiCert does not issue certificates for domains with special suffixes such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, or .ru.
Domains: You can set this parameter only if you select the Multiple Domains type.
Certificate Instance Quantity: This value is fixed at 1 and cannot be changed.
Service Duration: The duration of the subscription or purchase.
Important
A subscription period may include multiple certificates with different validity periods. For more information, see Changes to certificate validity periods.

Important

If you have any questions during the purchase process, you can consult a technical expert on the product details page.

Step 2: Payment

Click Buy Now, read and agree to the Terms of Service, and then click Buy Now to complete the payment. After the purchase is complete, you can view your SSL certificate order on the Order and Refund Management page.

Step 3: View certificate

After you complete the purchase, the certificate appears in the Certificates with a status of Pending Application.

Next steps

If a certificate has the Pending Application status, you must submit a request to a certification authority (CA). A certificate is issued after the CA approves the request.

Complimentary rules

Single Domain certificate: The matching apex domain or www subdomain is automatically included.
- Certificate for yourdomain.com → www.yourdomain.com added for free
- Certificate for www.yourdomain.com → yourdomain.com added for free
Wildcard certificate: The corresponding apex domain is automatically included.
- Certificate for *.yourdomain.com → yourdomain.com added for free
Multi-Domain certificate: The free domain offer applies only to the first domain listed in your certificate request. Example: If the first domain is www.domain-a.com, the system adds domain-a.com for free. No complimentary domain is added for the second domain, domain-b.com.

Billing

The final price for all billable items is shown on the purchase page. For details, see SSL certificates billing.

FAQ

What do I do if I chose the wrong certificate type or brand?

It depends on when you purchased and whether the certificate has been issued:

Within 7 days of purchase, and the certificate has not been issued: Go to the Refund Management page to request a full refund, then purchase the correct certificate.
More than 7 days after purchase, or the certificate has already been issued: A refund is not available. For security reasons, revoke and delete the SSL certificate.

What if I entered the wrong domain when submitting the application to a CA?

If the certificate has not yet been issued, cancel the application. The certificate returns to the Unused section, and you can click Create Certificate to start a new application with the correct domain.

If the certificate has already been issued, the domain cannot be changed.