Information and materials that are required to apply for a DV, OV, or EV certificate - Certificate Management Service

When you apply for a domain validated (DV), organization validated (OV), or extended validation (EV) certificate by using Certificate Management Service, you must specify the application information based on the certificate type and submit the application to the required CA for review. The information includes the domain name or IP address that you want to bind to the certificate, method for domain name ownership verification, contact, company, and business license of the company. This topic describes the information that you must specify when you apply for a certificate and the materials that you need to prepare.

Note

Alibaba Cloud Certificate Management Service sends the application information that you submit to the certificate authority (CA) for review. The application information includes the domain name that you want to bind to the certificate and the contact information. For more information about how to apply for a certificate, see Apply for a certificate.

Required information for DV certificate application

When you apply for a DV certificate, you must configure the following parameters.

Parameter	Description
Domains to Bind	Enter the domain name that you want to protect by using the certificate. You can move the pointer over the icon to view the number and type of supported domain names. You can also click View More to view the descriptions about how to configure this parameter. The number and type of supported domain names vary based on the specifications of your certificate. Important The type of the domain name must be the same as the value of the Domain Type parameter that you select when you purchase the certificate. If you enter a wildcard domain name, you must use an asterisk (``). Example: `.aliyundoc.com`. If you apply for a DigiCert certificate, you cannot enter domain names that are suffixed with special words such as `.edu`, `.gov`, `.org`, `.jp`, `.pay`, `.bank`, `.live`, and `.nuclear`. This limit does not apply to GlobalSign certificates. If you want to bind a Chinese domain name to a certificate, you can use a transcoding tool to transcode the Chinese domain name, and then bind the transcoded domain name to the certificate. For more information, see Convert Chinese domain name. You can enter IP addresses only if you apply for GlobalSign single-domain OV certificates.
Domain Verification Method	Select a method to verify the ownership of the domain name. If Alibaba Cloud DNS is activated within the Alibaba Cloud account of the certificate applicant, Automatic DNS Verification is automatically selected. No manual configuration is required. In this case, Alibaba Cloud automatically verifies the domain name for you. If Alibaba Cloud DNS is not activated within the Alibaba Cloud account of the certificate applicant, you can use one of the following methods: Manual DNS Verification: You must log on to the system of your DNS service provider. Then, you must add a TXT record for the domain name to the DNS list of the system. The TXT record must be the same as the DNS record that is provided in the Certificate Management Service console. File Verification: You must create a specific file on the web application server of the domain name. Then, Alibaba Cloud verifies the ownership of the domain name. For more information about the two verification methods, see Verify the ownership of a domain name.
Contact	Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number. Important After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid. If you have not created contacts, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.
Location	Select the city or region where the applicant is located.
Encryption Algorithm	Select the key algorithm for the certificate. This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values: RSA: The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value. ECC: The ECC algorithm is an encryption algorithm based on elliptic curves. Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers. SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems. Important The ECC and SM2 algorithms are supported only by specific certificate brands and types. For more information, see Supported encryption algorithms.
CSR Generation	A CSR file includes your request for a certificate. A CSR file contains the information about an SSL certificate that you want to apply for. The information includes the domain names that you want to bind to the certificate and the name and the geographical location of the certificate holder. When you submit a certificate application to a CA, you must provide a CSR. After the CA approves your certificate application, the CA uses the private key of the root CA to sign your CSR and generates a public key file. The public key file is the SSL certificate that the CA issues to you. The private key of the SSL certificate is generated when you create the CSR. Valid values: Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for the Encryption Algorithm parameter. After your certificate is issued, you can download the certificate and private key. This method is recommended. Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential. For more information about how to create a CSR file and a private key file, see How do I create a CSR file? Important Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set CSR Generation to Automatic so that Certificate Management Service can use the automatically generated CSR file for application. This avoids application failures caused by the inaccurate content of CSR files. The encryption algorithm of the CSR file that you manually enter must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review. If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate. Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind. Before you can use this method, you must upload existing CSR files or use the CSR generator that is provided by Certificate Management Service to generate CSR files. For more information, see Create a CSR and Upload a CSR. Important The encryption algorithm of the CSR file that you select must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review.
CSR File	Configure this parameter only if you set CSR Generation to Manual or Select Existing CSR. Enter the content of your CSR file.

Required information for OV certificate application

When you apply for an OV certificate, you must configure the following parameters.

Parameter	Description
Domains to Bind	Enter the domain name that you want to protect by using the certificate. You can move the pointer over the icon to view the number and type of supported domain names. You can also click View More to view the descriptions about how to configure this parameter. The number and type of supported domain names vary based on the configuration of your certificate. Important The type of the domain name must be the same as the value of the Domain Type parameter that you select when you purchase the certificate. If you enter a wildcard domain name, you must use an asterisk character (``). Example: `.aliyundoc.com`. If you want to bind a Chinese domain name to a certificate, you can use a transcoding tool to transcode the Chinese domain name, and then bind the transcoded domain name to the certificate. For more information, see Convert Chinese domain name. You can bind IP addresses only to GlobalSign OV certificates.
Contact	Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number. Important After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid. If you have not created contacts, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.
Company	Select a company profile to apply for the certificate. The company profile includes the company name, phone number, and address. If you have not created company profiles, you can click Create Company Profile to create one. Certificate Management Service saves the created company profile for you to use next time. For more information about how to create a company profile, see Create a company profile. If you apply for an OV certificate for a domain name that is suffixed with .gov, make sure that the registrant contact information stored in the Whois database is consistent with the company name to specify.
Business License	After you select a value for Company, the system automatically identifies the business license picture in the company profile. If you did not upload a business license picture when you create the company profile, the business license picture is empty. To facilitate the approval of your certificate application, we recommend that you upload the business license picture of your company.
Encryption Algorithm	Select the key algorithm for the certificate. This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values: RSA: The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value. ECC: The ECC algorithm is an encryption algorithm based on elliptic curves. Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers. SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems. Important The ECC and SM2 algorithms are supported only by specific certificate brands and types. For more information, see Supported encryption algorithms.
CSR Generation	A CSR file includes your request for a certificate. A CSR file contains the information about an SSL certificate that you want to apply for. The information includes the domain names that you want to bind to the certificate and the name and the geographical location of the certificate holder. When you submit a certificate application to a CA, you must provide a CSR. After the CA approves your certificate application, the CA uses the private key of the root CA to sign your CSR and generates a public key file. The public key file is the SSL certificate that the CA issues to you. The private key of the SSL certificate is generated when you create the CSR. Valid values: Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for the Encryption Algorithm parameter. After your certificate is issued, you can download the certificate and private key. This method is recommended. Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential. For more information about how to create a CSR file and a private key file, see How do I create a CSR file? Important Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set CSR Generation to Automatic so that Certificate Management Service can use the automatically generated CSR file for application. This avoids application failures caused by the inaccurate content of CSR files. The encryption algorithm of the CSR file that you manually enter must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review. If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate. Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind. Before you can use this method, you must upload existing CSR files or use the CSR generator that is provided by Certificate Management Service to generate CSR files. For more information, see Create a CSR and Upload a CSR. Important The encryption algorithm of the CSR file that you select must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review.
CSR File	Configure this parameter only if you set CSR Generation to Manual or Select Existing CSR. Enter the content of your CSR file.

Required information for EV certificate application

When you apply for an EV certificate, you must configure the following parameters. The following table describes only the key parameters.

Parameter	Description
Domains to Bind	Enter the domain name that you want to protect by using the certificate. You can move the pointer over the icon to view the number and type of supported domain names. You can also click View More to view the descriptions about how to configure this parameter. The number and type of supported domain names vary based on the configuration of your certificate. Important The type of the domain name must be the same as the value of the Domain Type parameter that you select when you purchase the certificate. If you enter a wildcard domain name, you must use an asterisk character (``). Example: `.aliyundoc.com`. If you want to bind a Chinese domain name to a certificate, you can use a transcoding tool to transcode the Chinese domain name, and then bind the transcoded domain name to the certificate. For more information, see Convert Chinese domain name. You can bind IP addresses only to GlobalSign OV certificates.
Contact	Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number. Important After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid. If you have not created contacts, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.
Company	Select a company profile to apply for the certificate. The company profile includes the company name, phone number, and address. If you have not created company profiles, you can click Create Company Profile to create one. Certificate Management Service saves the created company profile for you to use next time. For more information about how to create a company profile, see Create a company profile. If you apply for an OV certificate for a domain name that is suffixed with .gov, make sure that the registrant contact information stored in the Whois database is consistent with the company name to specify.
Business License	After you select a value for Company, the system automatically identifies the business license picture in the company profile. If you did not upload a business license picture when you create the company profile, the business license picture is empty. To facilitate the approval of your certificate application, we recommend that you upload the business license picture of your company.
Encryption Algorithm	Select the key algorithm for the certificate. This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values: RSA: The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value. ECC: The ECC algorithm is an encryption algorithm based on elliptic curves. Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers. SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems. Important The ECC and SM2 algorithms are supported only by specific certificate brands and types. For more information, see Supported encryption algorithms.
CSR Generation	A CSR file includes your request for a certificate. A CSR file contains the information about an SSL certificate that you want to apply for. The information includes the domain names that you want to bind to the certificate and the name and the geographical location of the certificate holder. When you submit a certificate application to a CA, you must provide a CSR. After the CA approves your certificate application, the CA uses the private key of the root CA to sign your CSR and generates a public key file. The public key file is the SSL certificate that the CA issues to you. The private key of the SSL certificate is generated when you create the CSR. Valid values: Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for the Encryption Algorithm parameter. After your certificate is issued, you can download the certificate and private key. This method is recommended. Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file confidential. For more information about how to create a CSR file and a private key file, see How do I create a CSR file? Important Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set CSR Generation to Automatic so that Certificate Management Service can use the automatically generated CSR file for application. This avoids application failures caused by the inaccurate content of CSR files. The encryption algorithm of the CSR file that you manually enter must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review. If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate. Select Existing CSR: You can select a CSR file that is uploaded to or generated in the Certificate Management Service console. The domain name that is contained in the CSR file must be the same as the value that you specify for Domains to Bind. Before you can use this method, you must upload existing CSR files or use the CSR generator that is provided by Certificate Management Service to generate CSR files. For more information, see Create a CSR and Upload a CSR. Important The encryption algorithm of the CSR file that you select must be the same as the value of the Encryption Algorithm parameter that you specify. Otherwise, you cannot submit your certificate application for review.
CSR File	Configure this parameter only if you set CSR Generation to Manual or Select Existing CSR. Enter the content of your CSR file.

Certificate Management Service:Required information for certificate application

Required information for DV certificate application

Required information for OV certificate application

Required information for EV certificate application

FAQ