Alibaba Cloud Certificate Management Service provides various types and brands of SSL certificates for different types of websites, including personal websites, e-commerce websites, and websites of small- and large-sized enterprises. Certificate Management Service also provides wildcard certificates, multi-domain certificates, and hybrid certificates to meet different business requirements, such as protecting multiple subdomains or different domain names. This topic describes how to select a certificate that best suits your website scale, business requirements, and budget.
Examples
Before you select a certificate, you must consider factors such as the number of domain names that you want to protect, security level of the certificate, compatibility of the encryption algorithm with clients or servers, the performance of the encryption algorithm, and compliance requirements.
Individual users: If your website is owned by an individual who builds personal blogs or a test website, and the website is only for displaying information without data transmission, you can select a certificate based on the following table.
Factor | Business characteristic | Recommended certificate type |
Number of domain names to protect | Protect only one website and one domain name. | Select a single-domain certificate. A single-domain certificate can protect only one domain name. |
Authentication strength and security level | The verification process is simple and fast, and the security level is moderate. | Select a domain validated (DV) certificate. Only the authenticity of the domain name needs to be verified. The certificate can be issued in as little as 10 minutes. |
Encryption algorithm | Compatible with mainstream browsers. | Select the Rivest-Shamir-Adleman (RSA) algorithm, which is compatible with most browsers. |
Certificate brand and budget | Reliable and cost-effective. | Select a DigiCert certificate, which is the most cost-effective. |
Enterprise users: If you are an enterprise user, visit the Certificate Management Service product page to obtain technical support.
Selection details
Select a domain name type based on the number of domain names
A certificate can be used by binding domain names or IP addresses to the certificate. You can select a certificate based on the number of domain names that you want to bind to the certificate. Alibaba Cloud supports single-domain certificates, multi-domain certificates, wildcard certificates, and hybrid certificates. The following table describes the differences among the types of domain names and how to select a domain name type.
Domain name type | Description | Available certificate brand and type |
Single domain name | A single-domain certificate can protect only one primary domain name, one subdomain, or one public IPv4 address. Example: www.aliyundoc.com. If your website or mini program has only one domain name or IP address, select a single-domain certificate. | All brands and types of certificates are supported. You can bind IP addresses only if you apply for GlobalSign single-domain organization validated (OV) certificates. |
Multiple domain names | A multi-domain certificate allows you to bind multiple primary domain names, subdomains, or public IPv4 addresses. If your website has multiple primary domain names or subdomains, you can select a multi-domain certificate. Note You can bind up to five single domain names to a multi-domain certificate that is purchased from Certificate Management Service. | OV and extended validation (EV) certificates of all brands. You can bind public IPv4 addresses to a multi-domain certificate only if the certificate is a GlobalSign OV certificate. |
Wildcard domain name | A wildcard domain name can match its parent domain name and all first-level subdomains of the parent domain name. If your website has multiple subdomains at the same level, you need to purchase only a wildcard certificate instead of a separate certificate for each subdomain. The following list describes the rules that are used to match the subdomains of a wildcard domain name:
| DV and OV certificates of all brands. |
Hybrid domain name | A hybrid certificate allows you to bind multiple domain names of different types. For example, if you bind | OV certificates of all brands. |
Select a certificate based on authentication strength and security
Alibaba Cloud supports the following types of certificates: DV certificates, OV certificates, and EV certificates. Different types of certificates provide different levels of security, support different certificate brands, and are suitable for different types of websites.
Certificate type | Applicable website | Credibility level | Authentication strength | Security level | Verification method and required material | Time required for certificate issuance | Available certificate brand |
DV | Personal websites that are used for app services, information display, enterprise testing, or personal testing. Note If your website is owned by an individual who does not have an enterprise business license, you can apply only for free certificates or DV certificates. | Moderate | Certificate authorities (CAs) verify the authenticity of a website. CAs do not verify the authenticity of an enterprise. | Moderate | DNS verification. You only need to specify a domain name. | 1 to 2 business days in most cases, 10 minutes at least |
|
OV | Websites for public service sectors, small- and medium-sized enterprises, and educational institutions. Note For general enterprises, mobile websites, or API call-related applications, we recommend that you purchase OV certificates or certificates that provide a higher level of trust. | High | CAs verify the authenticity of an organization or an enterprise. | High | Email or phone call. You must submit the information for domain name ownership verification, a company profile, and a business license. | 3 to 7 business days |
|
EV | High-privacy websites that involve transactions, payments, and privacy data, including websites of large-sized enterprises and websites that involve industries such as finance and e-commerce. Note For financial or payment enterprises, we recommend that you purchase EV certificates. | Highest | CAs perform strict authentication. | Highest | Email or phone call. You must submit the information for domain name ownership verification, a company profile, and a business license. | 3 to 7 business days | DigiCert |
Select a certificate based on the encryption algorithm
Alibaba Cloud SSL certificates support the following encryption algorithms: RSA, elliptic curve cryptography (ECC), and SM2. If your business has requirements on the algorithm type and performance, you can refer to the following section to select a certificate:
Internationally accepted algorithms: The RSA algorithm is a widely used asymmetric algorithm, which uses a public key and a private key for secure data transmission and verification. Compared with the ECC algorithm, the RSA algorithm provides higher compatibility and is more widely used. The ECC algorithm is a public key encryption algorithm based on elliptic curves. Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is supported by mainstream browsers. Certificates that use the RSA and ECC algorithms can be used in scenarios such as websites, mini programs, and apps. To ensure that performance, compatibility, and compliance requirements are met, you must evaluate and plan the algorithms.
Comparison item | RSA | ECC |
Security and key length | The algorithm requires a longer key length. Supported key lengths are 2,048 and 4,096 bits. | The algorithm supports a shorter key length to provide the same level of security as other algorithms. 256-bit: An ECC 256-bit key can provide the same security as an RSA 2048-bit key. 384-bit: An ECC 384-bit key can provide the same security as an RSA 3072-bit key. |
Performance and efficiency | Encryption and decryption are slow. | Encryption and decryption are fast, especially in environments that have limited resources, such as mobile devices and IoT devices. |
Memory usage and CPU utilization | High. | Low. |
Compatibility | The algorithm provides high compatibility with existing systems, browsers, and applications. | The compatibility of the algorithm is high, but is still lower than the compatibility of the RSA algorithm. |
SM2 algorithm: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems. A certificate that uses the SM2 algorithm is suitable in scenarios in which you need to meet the compliance requirements of regulatory authorities in China.
Certificate brand | Certificate type | Key length | Signature algorithm | ||||||||
RSA | ECC | SM2 | RSA | ECC | SM2 | ||||||
2048 | 4096 | prime256v1 | secp384r1 | sm2p256v1 | SHA256withRSA | SHA384withRSA | SHA256withECDSA | SHA384withECDSA | SM3withSM2 | ||
DigiCert | DV | ||||||||||
OV | |||||||||||
EV | |||||||||||
GlobalSign | DV | ||||||||||
OV | |||||||||||
Alibaba Cloud | DV |
By default, SSL certificates use the SHA256withRSA or SHA256withECDSA signature algorithm. You cannot select a signature algorithm that uses the SHA384 hash function in the Certificate Management Service console. To use a signature algorithm that uses the SHA384 hash function to issue certificates, you must create a Certificate Signing Request (CSR) file on your computer and upload the CSR file to the Certificate Management Service console. For more information, see How do I create a CSR file? and Manage CSRs.
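The local CSR step described above, as an added example that is not part of the original page or Alibaba Cloud's own tooling: it creates a key and a SHA-384-signed CSR with the OpenSSL CLI, then reads back the signature algorithm before anything is uploaded. It assumes OpenSSL is installed; the function names, file names, and example.com domains are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the OpenSSL CLI is installed.
# Function names, file names and example.com domains are placeholders.
set -eu

# make_csr ALG DOMAIN OUTDIR: write OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr.
# ALG is "rsa" (2048-bit key) or "ecc" (secp384r1 key); both appear in the
# key-length table above. The CSR is always signed with SHA-384.
make_csr() (
  alg=$1; domain=$2; outdir=$3
  key="$outdir/$domain.key"; csr="$outdir/$domain.csr"
  umask 077  # the private key must be readable by its owner only
  case "$alg" in
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
           -out "$key" 2>/dev/null ;;
    ecc) openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 \
           -out "$key" 2>/dev/null ;;
    *)   echo "unknown algorithm: $alg" >&2; exit 2 ;;
  esac
  # -sha384 selects the digest used to sign the request.
  openssl req -new -sha384 -key "$key" -subj "/CN=$domain" -out "$csr"
)

# csr_sig_alg FILE: print the signature algorithm recorded in the CSR.
csr_sig_alg() {
  openssl req -in "$1" -noout -text |
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_is_valid FILE: succeed only if the CSR's self-signature verifies.
csr_is_valid() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Demo run in a throwaway directory; only the .csr file is ever uploaded.
demo_dir=$(mktemp -d)
make_csr rsa www.example.com "$demo_dir"
make_csr ecc api.example.com "$demo_dir"
for f in "$demo_dir"/*.csr; do
  csr_is_valid "$f" && echo "$(basename "$f"): $(csr_sig_alg "$f")"
done
rm -rf "$demo_dir"
```

OpenSSL reports the two algorithms as `sha384WithRSAEncryption` and `ecdsa-with-SHA384`, which correspond to SHA384withRSA and SHA384withECDSA in the table above. The private key file stays on the machine that generated it; only the CSR goes to the console.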
Select a certificate based on the certificate brand
After CAs verify website or domain name information, the CAs issue certificates. You can select from various well-known CAs, including international CAs such as DigiCert, GeoTrust, and GlobalSign. When you select a certificate brand, you must consider the certificate type, signature algorithm type, key length, domain name type, price, and business requirements. If you cannot determine a certificate brand, visit the Certificate Management Service product page to obtain technical support.
Certificate brand | CA | Description |
DigiCert | DigiCert, Inc. | DigiCert is a well-known and trusted SSL certificate brand in the industry. All DigiCert certificates use prominent encryption technologies to provide enhanced security solutions for different websites and servers. DigiCert is formerly known as Symantec. |
GlobalSign and Alibaba Cloud | GMO GlobalSign Pte Ltd. | GlobalSign is an early CA in the industry. GlobalSign is committed to network security authentication and digital certificate services. GlobalSign is a trusted CA and SSL certificate provider. Compared with other brands of certificates, Alibaba Cloud certificates are more cost-effective. |
Comparison of certificate price among brands
Certificate brand | Certificate type | Price (per certificate-year) | |
Single domain name | Wildcard domain name | ||
Alibaba Cloud | DV | USD 99 | 199 |
DigiCert | DV | USD 149 | 629 |
OV |
|
| |
EV |
| N/A | |
GlobalSign | DV | USD 249 | USD 849 |
OV | USD 349 | USD 949 |
References
For more information about how to purchase a paid certificate, see Purchase SSL certificates.
For more information about how to request a refund for a certificate, see Refund policies.