Updated on 2023-10-20 GMT+08:00

Submitting an SSL Certificate Application to the CA

After you purchase a certificate, you still need to associate a domain name with it, provide certain details, and then submit it to the corresponding CA for approval. The CA will not issue the certificate until all the submitted details have been reviewed.

This topic describes how to apply for a certificate.

Prerequisites

You have an SSL certificate in the Pending application status. For details, see Purchasing an SSL Certificate.

Constraints

  • A Chinese domain name can only be associated with a certificate when it is encoded with Punycode.
  • If the domain name associated with your DV certificate contains special words, such as edu, gov, bank, and live, the certificate may fail to pass the security review. In this case, select an OV or EV certificate. For details about known special words, see Immoderate Words.
  • Each CA has different promotion activities for www domain names. For details, see Certificate Authorities.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate Management Service. The service console is displayed.
  3. In the navigation pane on the left, choose SSL Certificate Manager > SSL Certificates. In the row containing the desired certificate, click Apply for Certificate in the Operation column.
  4. On the displayed page, enter the domain name, organization, and applicant information.

    Figure 1 Domain name and other information
    1. CSR

      A certificate signing request (CSR) contains information about your server and company. When applying for a certificate, you need to submit a CSR file of your certificate to the CA for review.

      CSR file generation method:

      • System generated CSR (recommended): The system automatically generates a certificate private key. Once the certificate is issued, you can download your certificate and private key on the certificate management page.
      • Select an existing CSR: Select a CSR file that you have created in or uploaded to the CSRs tab.
      • Upload a CSR: You need to manually generate a CSR file and paste the content of the CSR file generated into the text box. For details, see How Do I Make a CSR File?

      For details about the differences between the two types of CSR files, see What Are the Differences Between a System-generated CSR and an Uploaded CSR?

    2. Domain Name
      • If you select Upload a CSR for CSR, the domain name is auto-filled.
      • If you select System generated CSR for CSR, manually enter the domain name.
        Table 1 Associating a certificate with a domain name

        Type

        Description

        Single domain

        Enter one domain name to be associated.

        For example, if the domain name is example.com, configure the parameters as shown in the following figure.

        Multiple domains

        The primary domain name and additional domain name must be configured.

        For example, if the domain names are example.com, a.example.com, and b.example.com, configure the parameters as shown in the following figure.

        NOTE:
        • The number of additional domain names must be greater than or equal to 1. You can add one or more additional domain names at a time. For more details, see Adding an Additional Domain Name.
        • One additional domain name per line.
        • A primary domain and additional domains can be equally protected.

        Wildcard domain

        Enter the wildcard domain name to be bound.

        For example, if the domain name to be bound is *.example.com, set the parameters as shown in the following figure.

        To associate a Chinese domain name with a certificate, use encoding tool Punycode to encode the Chinese domain name and then enter the encoded data.

        For example, if the encoded data is xn--siq1ht8k.com, set this parameter to xn--siq1ht8k.com.

    3. Root Certificate Hash Algorithm

      If you purchase a GeoTrust or DigiCert OV certificate, keep the default settings and do not select SHA-256 unless you have to.

      If SHA-256 is used for a root certificate, there might be some compatibility issues on browsers of earlier versions.

    4. Key Algorithm

      Select an algorithm for the certificate. The default cryptographic algorithm is RSA_2048. Available cryptographic algorithms:

      • Rivest–Shamir–Adleman (RSA) is an asymmetric cryptographic algorithm that is widely used around the world. It has the best compatibility among the three algorithms and supports mainstream browsers and all-platform OSs. Generally, RSA uses a 2048-bit or 3072-bit key.
      • Elliptical curve cryptography (ECC) features faster encryption, higher efficiency, and lower server resource consumption compared with RSA. ECC is being promoted in mainstream browsers and is becoming a new-generation mainstream algorithm. Generally, ECC uses a 256-bit key.

      For details about the cryptographic algorithms supported by each type of certificate, see Cryptographic algorithms

    5. Company Information
      Enter your organization information as prompted.
      • This parameter is mandatory only for OV and EV certificates.
      • Enter the full name of the company you registered on your business license.
    6. Applicant Details
      • The CA will contact you through the applicant email address and phone number you provide to verify information.
      • Personal information used as contact details is not included in the issued certificate.
    7. Technical Contact Information

      This parameter is optional. If you set this parameter, ensure that the name, phone number, and email address of the technical support person are correct.

  5. After confirming that the entered information is correct, read through the Cloud Certificate Manager Statement, Privacy Statement, and the authorization statement, and check the box to agree to the disclaimer and statements
  6. Click Submit.

    The system will submit your application to the CA. During the approval process, make sure that you can be reached by phone and that you regularly check for emails from the CA.

Follow-up Procedure

  • The CA will handle your application within 2 to 3 working days and send a verification email to you.

    Perform domain name verification as required. For more details, see Verifying Domain Name Ownership.

  • If you have submitted a certificate application but then discover there are incorrect details included, you can withdraw the application, modify information, and apply for a new certificate. For details, see Withdrawing an Application.