You must enter the required information based on the certificate type and submit the information to the certificate authority (CA) for review. The required information includes the domain name or the IP address that you want to bind to the certificate, the verification method of domain name ownership, the contact information of the certificate, and the business license of your company. After the certificate application is approved, the CA issues the certificate.
Procedure
When you apply for an official certificate, you must specify the application information based on the certificate type and submit the application to the required CA for review. Official certificates include domain validated (DV), organization validated (OV), and extended validation (EV) certificates.
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the Official Certificate tab, find the certificate that you want to manage and click Apply for Certificate in the Actions column. Alternatively, you can move the pointer over the icon in the Status column of the certificate and click Apply for Certificate in the message that appears.
In the Apply for Certificate panel, configure the parameters and click Submit. The following table describes the parameters.
Note: Alibaba Cloud Certificate Management Service sends the application information that you submit to the CA for review.
Required information for DV certificate application
Parameter
Description
Domains to Bind
Enter the domain name that you want to protect by using the certificate. The domain name type must be the same as that you specify when you purchase the certificate. You can move the pointer over the icon to view the number and type of supported domain names.
A single domain name can contain up to 253 characters, and each label of the domain name can contain up to 63 characters. Labels of a domain name are separated by periods (.).
Important: If you enter a wildcard domain name, you must use an asterisk (*). Example: *.aliyundoc.com. For more information about the matching rules of wildcard domain names, see What kind of domain names are supported by wildcard certificates?
If you want to bind a Chinese domain name to a certificate, you must use a transcoding tool to transcode the Chinese domain name, and then bind the transcoded domain name to the certificate. For more information, see Convert a Chinese domain name.
If you apply for a DigiCert certificate, you cannot enter domain names that are suffixed with special words such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, and .ru. This limit does not apply to GlobalSign certificates.
You can bind IP addresses only to GlobalSign OV certificates.
Domain Verification Method
Select a method to verify the ownership of the domain name.
If Alibaba Cloud DNS is activated within the Alibaba Cloud account of the certificate applicant, Automatic DNS Verification is automatically selected. No manual configuration is required. In this case, Alibaba Cloud automatically verifies the ownership of the domain name.
If Alibaba Cloud DNS is not activated within the Alibaba Cloud account of the certificate applicant, you can use one of the following methods:
Manual DNS Verification: You must log on to the system of your DNS service provider. Then, you must add a TXT record for the domain name to the DNS list of the system. The TXT record must be the same as the DNS record that is provided in the Certificate Management Service console.
File Verification: You must create a specific file on the web application server of the domain name. Then, Alibaba Cloud verifies the ownership of the domain name.
For more information about the verification methods, see Verify the ownership of a domain name.
Warning: Make sure that the domain name in Alibaba Cloud DNS is the same as the domain name bound to the certificate. Otherwise, the verification fails. For more information about domain name ownership verification, see FAQ about domain name ownership verification.
Contact
Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number.
Important: After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid.
If you have not created contacts, you can click Create Contact to create one. You can also click Edit next to a contact to modify the information about the contact. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.
Location
Select the city or region where the applicant is located.
Encryption Algorithm
Select the key algorithm for the certificate.
This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values:
RSA (default): The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility.
ECC: The ECC algorithm is an encryption algorithm based on elliptic curves.
Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.
SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. This algorithm is suitable for government agencies, public institutions, large state-owned enterprises, and financial banks that need to implement localization transformation and comply with Chinese cryptographic algorithm requirements.
Important: The ECC and SM2 algorithms are supported only by specific certificate brands and types. For more information, see Select a certificate based on the encryption algorithm.
CSR Generation
A CSR file includes your request for a certificate. A CSR file contains the information about an SSL certificate that you want to apply for. You must submit the CSR file to the CA for review. The information includes the domain names that you want to bind to the certificate and the name and the geographical location of the certificate holder. Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you select Automatic.
Valid values:
Automatic (recommended): Alibaba Cloud automatically generates a CSR file based on the key algorithm that you specify for Encryption Algorithm and the certificate information. After your certificate is issued, you can download the certificate, which includes the certificate file and private key file.
Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential.
The encryption algorithm of the CSR file that you manually enter must be the same as the value of Encryption Algorithm that you specify. Otherwise, you cannot submit your certificate application for review.
Important: If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate.
For more information about how to create a CSR file and a private key file, see How do I create a CSR file?
Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.
Make sure that the encryption algorithm of the CSR file that you select is the same as the value of Encryption Algorithm that you specify. Otherwise, you cannot submit your certificate application for review.
CSR File
Configure this parameter only if you set CSR Generation to Manual or Select Existing CSR. Enter the content of your CSR file.
Required information for OV certificate application
Parameter
Description
Domains to Bind
Enter the domain name that you want to protect by using the certificate. The domain name type must be the same as that you specify when you purchase the certificate. You can move the pointer over the icon to view the number and type of supported domain names.
A single domain name can contain up to 253 characters, and each label of the domain name can contain up to 63 characters. Labels of a domain name are separated by periods (.).
Important: If you enter a wildcard domain name, you must use an asterisk character (*). Example: *.aliyundoc.com.
If you want to bind a Chinese domain name to a certificate, you must use a transcoding tool to transcode the Chinese domain name, and then bind the transcoded domain name to the certificate. For more information, see Convert a Chinese domain name.
You can bind IP addresses only to GlobalSign OV certificates.
Contact
Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number.
Important: After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid.
If you have not created contacts, you can click Create Contact to create one. You can also click Edit next to a contact to modify the information about the contact. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.
Company
Select a company profile to apply for the certificate. The company profile includes the company name, phone number, and address.
If you have not created company profiles, you can click Create Company Profile to create one. You can also click Edit next to a company profile to modify the information about the company profile. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a company profile, see Create a company profile.
If you apply for an OV certificate for a domain name that is suffixed with .gov, make sure that the registrant contact information stored in the Whois database is consistent with the company name to specify.
Business License
After you select a value for Company, the system automatically identifies the business license picture in the company profile. If you did not upload a business license picture when you create the company profile, the business license picture is empty. To facilitate the approval of your certificate application, we recommend that you upload the business license picture of your company.
Encryption Algorithm
Select the key algorithm for the certificate.
This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values:
RSA (default): The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility.
ECC: The ECC algorithm is an encryption algorithm based on elliptic curves.
Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.
SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. This algorithm is suitable for government agencies, public institutions, large state-owned enterprises, and financial banks that need to implement localization transformation and comply with Chinese cryptographic algorithm requirements.
Important: The ECC and SM2 algorithms are supported only by specific certificate brands and types. For more information, see Select a certificate based on the encryption algorithm.
CSR Generation
A CSR file includes your request for a certificate. A CSR file contains the information about an SSL certificate that you want to apply for. You must submit the CSR file to the CA for review. The information includes the domain names that you want to bind to the certificate and the name and the geographical location of the certificate holder. Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you select Automatic.
Valid values:
Automatic (recommended): Alibaba Cloud automatically generates a CSR file based on the key algorithm that you specify for Encryption Algorithm and the certificate information. After your certificate is issued, you can download the certificate, which includes the certificate file and private key file.
Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential.
The encryption algorithm of the CSR file that you manually enter must be the same as the value of Encryption Algorithm that you specify. Otherwise, you cannot submit your certificate application for review.
Important: If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate.
For more information about how to create a CSR file and a private key file, see How do I create a CSR file?
Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.
Make sure that the encryption algorithm of the CSR file that you select is the same as the value of Encryption Algorithm that you specify. Otherwise, you cannot submit your certificate application for review.
CSR File
Configure this parameter only if you set CSR Generation to Manual or Select Existing CSR. Enter the content of your CSR file.
Required information for EV certificate application
Parameter
Description
Domains to Bind
Enter the domain name that you want to protect by using the certificate. The domain name type must be the same as that you specify when you purchase the certificate. You can move the pointer over the icon to view the number and type of supported domain names.
A single domain name can contain up to 253 characters, and each label of the domain name can contain up to 63 characters. Labels of a domain name are separated by periods (.).
Important: If you enter a wildcard domain name, you must use an asterisk character (*). Example: *.aliyundoc.com.
If you want to bind a Chinese domain name to a certificate, you must use a transcoding tool to transcode the Chinese domain name, and then bind the transcoded domain name to the certificate. For more information, see Convert a Chinese domain name.
You can bind IP addresses only to GlobalSign OV certificates.
Contact
Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number.
Important: After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid.
If you have not created contacts, you can click Create Contact to create one. You can also click Edit next to a contact to modify the information about the contact. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.
Company
Select a company profile to apply for the certificate. The company profile includes the company name, phone number, and address.
If you have not created company profiles, you can click Create Company Profile to create one. You can also click Edit next to a company profile to modify the information about the company profile. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a company profile, see Create a company profile.
If you apply for an OV certificate for a domain name that is suffixed with .gov, make sure that the registrant contact information stored in the Whois database is consistent with the company name to specify.
Business License
After you select a value for Company, the system automatically identifies the business license picture in the company profile. If you did not upload a business license picture when you create the company profile, the business license picture is empty. To facilitate the approval of your certificate application, we recommend that you upload the business license picture of your company.
Encryption Algorithm
Select the key algorithm for the certificate.
This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values:
RSA (default): The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility.
ECC: The ECC algorithm is an encryption algorithm based on elliptic curves.
Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.
SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. This algorithm is suitable for government agencies, public institutions, large state-owned enterprises, and financial banks that need to implement localization transformation and comply with Chinese cryptographic algorithm requirements.
Important: The ECC and SM2 algorithms are supported only by specific certificate brands and types. For more information, see Select a certificate based on the encryption algorithm.
CSR Generation
A CSR file includes your request for a certificate. A CSR file contains the information about an SSL certificate that you want to apply for. You must submit the CSR file to the CA for review. The information includes the domain names that you want to bind to the certificate and the name and the geographical location of the certificate holder. Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you select Automatic.
Valid values:
Automatic (recommended): Alibaba Cloud automatically generates a CSR file based on the key algorithm that you specify for Encryption Algorithm and the certificate information. After your certificate is issued, you can download the certificate, which includes the certificate file and private key file.
Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential.
The encryption algorithm of the CSR file that you manually enter must be the same as the value of Encryption Algorithm that you specify. Otherwise, you cannot submit your certificate application for review.
Important: If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate.
For more information about how to create a CSR file and a private key file, see How do I create a CSR file?
Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.
Make sure that the encryption algorithm of the CSR file that you select is the same as the value of Encryption Algorithm that you specify. Otherwise, you cannot submit your certificate application for review.
CSR File
Configure this parameter only if you set CSR Generation to Manual or Select Existing CSR. Enter the content of your CSR file.
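The following is an added example, not part of the original page or of Alibaba Cloud's tooling, for the Manual option of CSR Generation and the Domains to Bind limits in the three tables above. It generates a private key and CSR with OpenSSL and checks the stated requirements before the CSR is pasted into CSR File. The function and file names, the 2048-bit RSA size, and the prime256v1 curve are assumptions; SM2 is not covered.

```shell
#!/bin/sh
# Added example: pre-checks for a manually generated CSR. Names are assumptions.

# check_domain NAME: the limits stated for "Domains to Bind".
check_domain() {
    name=$1
    # ASCII letters, digits, "-", "." and "*" only; Chinese names must be transcoded first.
    case $name in *[!A-Za-z0-9.*-]*) echo "not a transcoded ASCII name: $name" >&2; return 1 ;; esac
    [ "${#name}" -le 253 ] || { echo "longer than 253 characters" >&2; return 1; }
    rest=${name#\*.}    # a wildcard is a single leading "*." label
    case $rest in ""|*\**|.*|*.|*..*) echo "empty label or misplaced *: $name" >&2; return 1 ;; esac
    old_ifs=$IFS; IFS=.
    for label in $rest; do
        [ "${#label}" -le 63 ] || { IFS=$old_ifs; echo "label longer than 63 characters" >&2; return 1; }
    done
    IFS=$old_ifs
}

# make_csr NAME ALG DIR: ALG is RSA or ECC, the value chosen for "Encryption Algorithm".
make_csr() {
    domain=$1 alg=$2 dir=$3
    check_domain "$domain" || return 1
    case $alg in
        RSA) keyopts="-algorithm RSA -pkeyopt rsa_keygen_bits:2048" ;;   # size is an assumption
        ECC) keyopts="-algorithm EC -pkeyopt ec_paramgen_curve:prime256v1" ;;   # curve is an assumption
        *) echo "unsupported algorithm: $alg" >&2; return 1 ;;
    esac
    (
        umask 077    # the key file is created readable by its owner only
        openssl genpkey $keyopts -out "$dir/private.key"
    ) || return 1
    openssl req -new -key "$dir/private.key" -subj "/CN=$domain" -out "$dir/request.csr"
}

# csr_ready DIR NAME ALG: run before pasting DIR/request.csr into "CSR File".
csr_ready() {
    csr=$1/request.csr key=$1/private.key
    case $3 in RSA) want=rsaEncryption ;; ECC) want=id-ecPublicKey ;; *) return 1 ;; esac
    # 1. The CSR's self-signature verifies.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The key algorithm equals the selected Encryption Algorithm.
    openssl req -in "$csr" -noout -text | grep -q "Public Key Algorithm: $want" || return 1
    # 3. The CN equals the value entered for Domains to Bind.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ] || return 1
    # 4. The stored private key is the one this CSR was made from.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Demo with the page's example wildcard name, written to a temporary directory.
demo_dir=$(mktemp -d)
make_csr '*.aliyundoc.com' ECC "$demo_dir" &&
    csr_ready "$demo_dir" '*.aliyundoc.com' ECC &&
    echo "CSR ready to paste: $demo_dir/request.csr"
```

Only request.csr is pasted into the console; private.key stays on the host where it was generated.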
After you confirm the application information, you must perform domain name ownership verification. The methods of domain name ownership verification vary based on the certificate type. For more information about domain name ownership verification, see Verify the ownership of a domain name.
Certificate review durations
Certificate type | Review duration |
DV certificate | After you submit a certificate application for a DV certificate, the certificate is issued within 1 to 15 minutes if the specified information is correct. Note: If a DV certificate is not issued after 2 calendar days, the certificate application fails the review. |
OV or EV certificate | In most cases, the certificate is issued within 5 calendar days after you submit a certificate application if the specified information is correct and you cooperate with the CA staff during the verification process. Important
|
What to do next
Before the certificate is issued
If you want to modify the information in your certificate application before the certificate is issued, cancel the application, modify the information, and then resubmit the application. After the certificate is issued, you can no longer cancel the application.
After you submit your certificate application, you can check the review progress in the Status column. To check the review progress, click the icon. In the message that appears, click View Progress to view the review progress.
The CA uses different methods to review applications for different types of certificates. To ensure that your certificate can be issued, you must cooperate with the CA and perform the required operations based on the certificate type. The following table describes the required operations.
Certificate type
Required operation
DV certificate
Wait for the CA to review your certificate application. After the CA approves the application, the CA issues the certificate.
You can view the status of the certificate in the certificate list. After the certificate is issued, the value of Status for the certificate changes to Issued.
OV or EV certificate
After the CA receives your certificate application, the CA verifies the information in your application. The CA issues the certificate only after the information passes the verification. The application requirements vary based on CAs. Therefore, the time required for verification varies based on CAs.
After you submit your certificate application, you must cooperate with the CA staff to complete the following verification process:
Domain name ownership verification: After the CA receives your certificate application, the CA sends an email for domain name ownership verification to your contact email address. You must complete the verification based on the following process.
Verification by phone: The CA staff may contact you by phone to verify the information in your application. Make sure that the phone calls from the CA are properly answered.
After your certificate application is approved, you can view your certificate status in the certificate list. After the certificate is issued, the value of Status for the certificate instance changes to Issued.
If your certificate application is rejected, the value of Status for the certificate changes to Validation Failed. You can view the cause of the failure in the Status column. To view the cause of the failure, click the icon in the Status column. In the message that appears, click View Cause to view the cause of the failure in the Create Certificate panel. You must modify the information in your application, especially the enterprise qualification information, based on the cause of the failure. Then, resubmit the application.
After the certificate is issued
After the certificate is issued, the value of Status for the certificate changes to Issued. You can click More in the Actions column to view the certificate details or download the certificate.
Cancel a certificate application
If you want to modify the information in your certificate application, such as the encryption algorithm or contact, you can perform the following operations:
If the certificate is in the Validating Application state, click Cancel in the Actions column of the certificate. After the certificate application is canceled, specify the correct information and submit a new certificate application. Then, wait until the certificate is issued.
If the certificate is in the Issued state, you must revoke the certificate. If the certificate is issued for no more than 28 calendar days and you did not change the domain name that is bound to the certificate or append a domain name to the certificate, the system returns the quota that is consumed to apply for the certificate after you submit a revocation request and the certificate is revoked. You can specify the correct information and use the returned quota to submit a new certificate application. Then, wait until the certificate is issued. For more information, see Revoke and delete a certificate.
References
If your certificate is in the Validating Application state but is no longer required due to business changes, you can request a refund within seven calendar days after you complete the payment. For more information about how to request a refund, see Request a refund for an SSL certificate.
If you encounter issues during certificate application, refer to FAQ about SSL certificate application.