All Products
Search
Document Center

Certificate Management Service:Required information for certificate application

Last Updated:Dec 13, 2024

When you apply for a domain validated (DV), organization validated (OV), or extended validation (EV) certificate by using Certificate Management Service, you must specify the application information based on the certificate type and submit the application to the required CA for review. The information includes the domain name or IP address that you want to bind to the certificate, method for domain name ownership verification, contact, company, and business license of the company. This topic describes the information that you must specify when you apply for a certificate and the materials that you need to prepare.

Note

Alibaba Cloud Certificate Management Service sends the application information that you submit to the certificate authority (CA) for review. The application information includes the domain name that you want to bind to the certificate and the contact information. For more information about how to apply for a certificate, see Apply for a certificate.

Required information for DV certificate application

When you apply for a DV certificate, you must configure the following parameters.

image.png

Parameter

Description

Domains to Bind

Enter the domain name that you want to protect by using the certificate.

You can move the pointer over the image.png icon to view the number and type of supported domain names. You can also click View More to view the descriptions about how to configure this parameter. The number and type of supported domain names vary based on the specifications of your certificate.

Important
  • The type of the domain name must be the same as the value of the Domain Type parameter that you select when you purchase the certificate.

  • If you enter a wildcard domain name, you must use an asterisk (*). Example: *.aliyundoc.com.

  • If you apply for a DigiCert certificate, you cannot enter domain names that are suffixed with special words such as .edu, .gov, .org, .jp, .pay, .bank, .live, and .nuclear. This limit does not apply to GlobalSign certificates.

  • If you want to bind a Chinese domain name to a certificate, you must use a transcoding tool to transcode the Chinese domain name, and then bind the transcoded domain name to the certificate. For more information, see Convert a Chinese domain name.

  • You can enter IP addresses only if you apply for GlobalSign single-domain OV certificates.

Domain Verification Method

Select a method to verify the ownership of the domain name.

If Alibaba Cloud DNS is activated within the Alibaba Cloud account of the certificate applicant, Automatic DNS Verification is automatically selected. No manual configuration is required. In this case, Alibaba Cloud automatically verifies the ownership of the domain name.

If Alibaba Cloud DNS is not activated within the Alibaba Cloud account of the certificate applicant, you can use one of the following methods:

  • Manual DNS Verification: You must log on to the system of your DNS service provider. Then, you must add a TXT record for the domain name to the DNS list of the system. The TXT record must be the same as the DNS record that is provided in the Certificate Management Service console.

  • File Verification: You must create a specific file on the web application server of the domain name. Then, Alibaba Cloud verifies the ownership of the domain name.

For more information about the verification methods, see Verify the ownership of a domain name.

Contact

Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number.

Important

After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid.

If you have not created contacts, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.

Location

Select the city or region where the applicant is located.

Encryption Algorithm

Select the key algorithm for the certificate.

This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values:

  • RSA: The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value.

  • ECC: The ECC algorithm is an encryption algorithm based on elliptic curves.

    Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.

  • SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems.

Important

The ECC and SM2 algorithms are supported only by specific certificate brands and types. For more information, see Select a certificate based on the encryption algorithm.

CSR Generation

A CSR file includes your request for a certificate. A CSR file contains the information about an SSL certificate that you want to apply for. The information includes the domain names that you want to bind to the certificate and the name and the geographical location of the certificate holder.

When you submit a certificate application to a CA, you must provide a CSR. After the CA approves your certificate application, the CA uses the private key of the root CA to sign your CSR and generates a public key file. The public key file is the SSL certificate that the CA issues to you. The private key of the SSL certificate is generated when you create the CSR.

Valid values:

  • Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for the Encryption Algorithm parameter. After your certificate is issued, you can download the certificate and private key. This method is recommended.

  • Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential. For more information about how to create a CSR file and a private key file, see How do I create a CSR file?

    Important
    • Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set the CSR Generation parameter to Automatic so that Certificate Management Service can use the automatically generated CSR file for application. This avoids application failures caused by the inaccurate content of CSR files.

    • The encryption algorithm of the CSR file that you manually enter must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review.

    • If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate.

  • Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind.

    Before you can use this method, you must upload existing CSR files or use the CSR generator that is provided by Certificate Management Service to generate CSR files. For more information, see Create a CSR and Upload a CSR.

    Important

    The encryption algorithm of the CSR file that you select must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review.

CSR File

Configure this parameter only if you set CSR Generation to Manual or Select Existing CSR. Enter the content of your CSR file.

Required information for OV certificate application

When you apply for an OV certificate, you must configure the following parameters.

image.png

Parameter

Description

Domains to Bind

Enter the domain name that you want to protect by using the certificate.

You can move the pointer over the image.png icon to view the number and type of supported domain names. You can also click View More to view the descriptions about how to configure this parameter. The number and type of supported domain names vary based on the configuration of your certificate.

Important
  • The type of the domain name must be the same as the value of the Domain Type parameter that you select when you purchase the certificate.

  • If you enter a wildcard domain name, you must use an asterisk character (*). Example: *.aliyundoc.com.

  • If you want to bind a Chinese domain name to a certificate, you must use a transcoding tool to transcode the Chinese domain name, and then bind the transcoded domain name to the certificate. For more information, see Convert a Chinese domain name.

  • You can bind IP addresses only to GlobalSign OV single-domain certificates.

Contact

Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number.

Important

After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid.

If you have not created contacts, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.

Company

Select a company profile to apply for the certificate. The company profile includes the company name, phone number, and address.

If you have not created company profiles, you can click Create Company Profile to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a company profile, see Create a company profile.

If you apply for an OV certificate for a domain name that is suffixed with .gov, make sure that the registrant contact information stored in the Whois database is consistent with the company name to specify.

Business License

After you select a value for Company, the system automatically identifies the business license picture in the company profile. If you did not upload a business license picture when you create the company profile, the business license picture is empty. To facilitate the approval of your certificate application, we recommend that you upload the business license picture of your company.

Encryption Algorithm

Select the key algorithm for the certificate.

This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values:

  • RSA: The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value.

  • ECC: The ECC algorithm is an encryption algorithm based on elliptic curves.

    Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.

  • SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems.

Important

The ECC and SM2 algorithms are supported only by specific certificate brands and types. For more information, see Select a certificate based on the encryption algorithm.

CSR Generation

A CSR file includes your request for a certificate. A CSR file contains the information about an SSL certificate that you want to apply for. The information includes the domain names that you want to bind to the certificate and the name and the geographical location of the certificate holder.

When you submit a certificate application to a CA, you must provide a CSR. After the CA approves your certificate application, the CA uses the private key of the root CA to sign your CSR and generates a public key file. The public key file is the SSL certificate that the CA issues to you. The private key of the SSL certificate is generated when you create the CSR.

Valid values:

  • Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for the Encryption Algorithm parameter. After your certificate is issued, you can download the certificate and private key. This method is recommended.

  • Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential. For more information about how to create a CSR file and a private key file, see How do I create a CSR file?

    Important
    • Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set the CSR Generation parameter to Automatic so that Certificate Management Service can use the automatically generated CSR file for application. This avoids application failures caused by the inaccurate content of CSR files.

    • The encryption algorithm of the CSR file that you manually enter must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review.

    • If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate.

  • Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind.

    Before you can use this method, you must upload existing CSR files or use the CSR generator that is provided by Certificate Management Service to generate CSR files. For more information, see Create a CSR and Upload a CSR.

    Important

    The encryption algorithm of the CSR file that you select must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review.

CSR File

Configure this parameter only if you set CSR Generation to Manual or Select Existing CSR. Enter the content of your CSR file.

Required information for EV certificate application

When you apply for an EV certificate, you must configure the following parameters. The following table describes only the key parameters.

Parameter

Description

Domains to Bind

Enter the domain name that you want to protect by using the certificate.

You can move the pointer over the image.png icon to view the number and type of supported domain names. You can also click View More to view the descriptions about how to configure this parameter. The number and type of supported domain names vary based on the configuration of your certificate.

Important
  • The type of the domain name must be the same as the value of the Domain Type parameter that you select when you purchase the certificate.

  • If you enter a wildcard domain name, you must use an asterisk character (*). Example: *.aliyundoc.com.

  • If you want to bind a Chinese domain name to a certificate, you must use a transcoding tool to transcode the Chinese domain name, and then bind the transcoded domain name to the certificate. For more information, see Convert a Chinese domain name.

  • You can bind IP addresses only to GlobalSign OV single-domain certificates.

Contact

Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number.

Important

After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid.

If you have not created contacts, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.

Company

Select a company profile to apply for the certificate. The company profile includes the company name, phone number, and address.

If you have not created company profiles, you can click Create Company Profile to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a company profile, see Create a company profile.

If you apply for an OV certificate for a domain name that is suffixed with .gov, make sure that the registrant contact information stored in the Whois database is consistent with the company name to specify.

Business License

After you select a value for Company, the system automatically identifies the business license picture in the company profile. If you did not upload a business license picture when you create the company profile, the business license picture is empty. To facilitate the approval of your certificate application, we recommend that you upload the business license picture of your company.

Encryption Algorithm

Select the key algorithm for the certificate.

This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values:

  • RSA: The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value.

  • ECC: The ECC algorithm is an encryption algorithm based on elliptic curves.

    Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.

  • SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems.

Important

The ECC and SM2 algorithms are supported only by specific certificate brands and types. For more information, see Select a certificate based on the encryption algorithm.

CSR Generation

A CSR file includes your request for a certificate. A CSR file contains the information about an SSL certificate that you want to apply for. The information includes the domain names that you want to bind to the certificate and the name and the geographical location of the certificate holder.

When you submit a certificate application to a CA, you must provide a CSR. After the CA approves your certificate application, the CA uses the private key of the root CA to sign your CSR and generates a public key file. The public key file is the SSL certificate that the CA issues to you. The private key of the SSL certificate is generated when you create the CSR.

Valid values:

  • Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for the Encryption Algorithm parameter. After your certificate is issued, you can download the certificate and private key. This method is recommended.

  • Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential. For more information about how to create a CSR file and a private key file, see How do I create a CSR file?

    Important
    • Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set the CSR Generation parameter to Automatic so that Certificate Management Service can use the automatically generated CSR file for application. This avoids application failures caused by the inaccurate content of CSR files.

    • The encryption algorithm of the CSR file that you manually enter must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review.

    • If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate.

  • Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind.

    Before you can use this method, you must upload existing CSR files or use the CSR generator that is provided by Certificate Management Service to generate CSR files. For more information, see Create a CSR and Upload a CSR.

    Important

    The encryption algorithm of the CSR file that you select must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review.

CSR File

Configure this parameter only if you set CSR Generation to Manual or Select Existing CSR. Enter the content of your CSR file.

FAQ