How to purchase an SSL certificate - Certificate Management Service

Purchasing a commercial certificate makes you eligible to apply for an SSL certificate. After you complete the purchase, you must submit a certificate application. You can obtain the SSL certificate after your application is approved by the Certificate Authority (CA).

Free domain names with certificate purchase

When you purchase a paid certificate from Alibaba Cloud Certificate Service and bind it to your domain name, Alibaba Cloud includes a free corresponding domain name if your domain name meets the conditions.

Conditions

The following table describes the scenarios in which free domain names are supported.

Certificate brand	Certificate type	Domain name type	Domain level limit	Domain validation method
DigiCert, RapidSSL, GeoTrust, vTrus, WoSign	DV	Single-domain	No limit	DNS validation
		Wildcard
	OV	Single-domain	Top-level domain name	No limit
		Wildcard
	EV	Single-domain	Top-level domain name	No limit
GlobalSign	DV	Single-domain	No limit	DNS validation
		Wildcard
	OV	Single-domain	No limit	No limit
		Wildcard
	EV	Single-domain	Top-level domain name	No limit
CFCA	OV	Single-domain	Top-level domain name	No limit
		Wildcard
	EV	Single-domain	Top-level domain name	No limit
Alibaba Cloud	DV	Single-domain	`www` subdomain of a top-level domain name	No limit
		Wildcard

Note

The free domain name must be at the same level as the purchased domain name. Free domain names are not provided across different domain levels. For example, for the wildcard domain name *.doc.example.com, the system provides doc.example.com as a free primary domain name, but not example.com.
For multi-domain and mixed-domain certificates, a free domain name is provided only when the first domain name in the list meets the conditions. The free domain name corresponds to this first domain name.

Important

To receive a free First-level Primary Domain Name with your purchased Alibaba Cloud-branded certificate, you must attach the www subdomain of the First-level Domain Name.

For example, if you bind the certificate to www.example.com, the system provides example.com as a free primary domain name by default. If you bind the certificate to other domain names such as example.com or *.example.com, no free www subdomain is provided. If you bind the certificate to a multi-level domain name, no corresponding free domain names are provided.

Formats and rules for free domain names

When you purchase a certificate and bind it to a domain name, you receive a corresponding free domain name if the conditions are met. The following rules apply:

Single-domain certificate:
- If you bind the certificate to a primary domain name, you receive its www subdomain for free.
  - If you bind the certificate to example.com, www.example.com is provided for free.
  - If you bind the certificate to doc.example.com, www.doc.example.com is provided for free.
- If you bind the certificate to a www subdomain, you receive its corresponding primary domain name for free.
  - If you bind the certificate to www.example.com, example.com is provided for free.
  - If you bind the certificate to www.doc.example.com, doc.example.com is provided for free.
Wildcard certificate: If you bind the certificate to a wildcard domain name, you receive its corresponding primary domain name for free.
- If you bind the certificate to *.example.com, example.com is provided for free.
- If you bind the certificate to *.doc.example.com, doc.example.com is provided for free.
Multi-domain and mixed-domain certificates: A free domain name is provided only when the first domain name meets the conditions. The free domain name corresponds to the first domain name.
- For example, if a certificate is bound to a.example.com and b.example.com, only www.a.example.com is provided for free.

Procedure

Go to the Certificate Service product page.

Configure the purchase parameters as described in the following table, click Buy Now, and complete the payment.

After the purchase is complete, you can query the purchased SSL certificate order. In the navigation pane on the left, choose General Management > Order And Refund Management. You can use the tag feature to label the purchased order. Click the icon to add a tag to the current order.

Parameter	Description
Domain Name Type	Select the type of domain name to which you want to bind the SSL certificate: Single Domain: You can bind a primary domain name, a subdomain, or an IPv4 public address to a certificate. Examples: `aliyundoc.com`, `abc.example.com`, and `1.1.X.X`. Wildcard Domain: If you have multiple servers that use subdomains at the same level, you need to only purchase one wildcard certificate. The following list describes the matching rules of a wildcard domain name: Only subdomains at the same level can be matched. For example, if you bind .aliyundoc.com to a certificate, subdomains such as demo.aliyundoc.com and learn.aliyundoc.com are matched, but subdomains such as guide.demo.aliyundoc.com and developer.demo.aliyundoc.com are not matched. You can apply for a certificate bound to one wildcard domain name. You cannot apply for a certificate bound to multiple wildcard domain names. If you want to bind multiple wildcard domain names to a certificate, you can combine multiple certificates of the same brand and type to generate a multi-domain wildcard certificate. For more information, see Combine certificates. Multiple Domains: If you select this value, you can bind up to five single domain names to the certificate. Note* For information about the rules for free domain names, see Free domain names with certificate purchase.
Brand	When selecting a certificate brand, consider factors such as the supported certificate types, signature algorithm types, key lengths, domain name types, and prices. Also consider your business requirements and budget. If you are still unsure which certificate brand to choose, go to the product page to consult with technical experts for an evaluation. DigiCert: DigiCert (formerly Symantec) is a well-known CA and a trusted SSL certificate brand. All its certificates use industry-leading encryption technologies to provide security solutions for different websites and servers. Alibaba Cloud: Alibaba Cloud's own SSL certificate brand. Compared to other brands, Alibaba Cloud certificates are more cost-effective. GlobalSign: GlobalSign is one of the earliest CAs and has been dedicated to network security authentication and digital certificate services. It is a trusted CA and SSL digital certificate provider. Important DigiCert does not issue certificates for domain names with special suffixes such as `.edu`, `.gov`, `.org`, `.jp`, `.pay`, `.bank`, `.live`, `.nuclear`, and `.ru`. For more information about certificate selection, see SSL certificate selection guide.
Certificate Type	Alibaba Cloud supports the purchase of three types of SSL certificates: DV, OV, and EV. These certificate types differ in security, supported brands, authentication strength, and applicable website types. The following list briefly describes the scenarios for the three types of SSL certificates. For more information about the differences among certificate types, see SSL certificate selection guide. DV SSL: A domain validated certificate. It is suitable for personal websites, app services, informational websites, and test websites for enterprises or individuals. OV SSL: An organization validated certificate. It is suitable for government organizations, small and medium-sized enterprises, and educational institutions. OV_PRO SSL uses a stronger encryption algorithm. EV SSL: An extended validation certificate. It is suitable for large enterprises, financial institutions, and e-commerce sites that handle transactions and private data. EV_PRO SSL uses a stronger encryption algorithm.
Number Of Domain Names	The number of domain names to which the SSL certificate will be bound. This parameter can be set only when you select the Multiple Domains type.
Quantity	The number of SSL certificates. This is fixed at 1 and cannot be increased.
Service Period	Select the service duration for the SSL certificate. The options are: 1 Year: Purchase an SSL certificate with a one-year service period. The certificate is valid for one year by default. After the certificate expires, you must manually purchase a new SSL certificate. 2 Years: Purchase an SSL certificate with a service period of two years. This includes two one-year certificates and one hosting service. For more information about the hosting service, see What is a hosting service?. 3 Years: Purchase an SSL certificate with a service period of three years. This includes three one-year certificates and two hosting services.

What to do next

After purchasing the certificate, you must submit a certificate request to the corresponding CA. The CA issues the certificate after approving your request. For more information about how to submit a certificate request, see Apply for a certificate.

SSL certificate refunds

If you no longer need the certificate, you can apply for a refund. Refunds are issued to the original payment method. Refunds are not supported in certain situations, such as if the purchase was made more than 7 days ago or if a coupon was used. For more information about refunds, see SSL certificate refunds.

References

For more information about how to select a suitable SSL certificate, see SSL certificate selection guide.
For more information about wildcard domain name certificates, see How do I replace a purchased or issued single-domain certificate with a wildcard certificate?.
To enable automatic renewal for an expiring certificate, see Enable certificate hosting.