
Certificate Management Service:CreateClientCertificate

Last Updated: Jan 21, 2026

Issues a client certificate based on a system-generated Certificate Signing Request (CSR).

Operation description

Before you call this operation, you must create a root CA certificate by calling CreateRootCACertificate and a subordinate CA certificate by calling CreateSubCACertificate. Only subordinate CA certificates can issue client certificates.

QPS limit

The queries per second (QPS) limit for this operation is 10 calls per second per user. Calls that exceed this limit are throttled, which can impact your business. We recommend that you call this operation at a reasonable rate.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action: yundun-cert:CreateClientCertificate
Access level: create
Resource type: All Resources (use an asterisk, *, in the Resource element of the policy)
Condition key: None
Dependent action: None

Request parameters

Each entry below gives the parameter name, its type, whether it is required, its description, and an example value.

SanType (integer, optional)
The type of Subject Alternative Name (SAN) extension for the client certificate. Valid values:
  • 1: Email
  • 6: Uniform Resource Identifier (URI)
Example: 1

SanValue (string, optional)
The SAN extension value for the client certificate. To specify multiple values, separate them with commas (,).
Example: somebody@example.com

Organization (string, optional)
The name of the organization. Default: Alibaba Inc.
Example: 阿里云

OrganizationUnit (string, optional)
The name of the department. Default: Alibaba Cloud CDN.
Example: IT

Country (string, optional)
The country code. Default: CN.
Example: CN

CommonName (string, optional)
The name of the certificate user. For a client authentication (ClientAuth) certificate, the user is typically an individual, a company, an organization, or an application. Specify the common name of the user, such as John Doe, Alibaba, Alibaba Cloud Cryptography Platform, or Tmall Genie.
Example: aliyun

State (string, optional)
The province or state of the certificate organization. The value can contain letters. The default value is the province or state of the subordinate CA that issues the certificate.
Example: Zhejiang

Locality (string, optional)
The name of the city where the organization is located. The default value is the city of the subordinate CA that issues the certificate.
Example: 杭州市

Algorithm (string, optional)
The key algorithm for the client certificate, in the format <encryption algorithm>_<key length>. Valid values:
  • RSA_1024: The signature algorithm is Sha256WithRSA.
  • RSA_2048: The signature algorithm is Sha256WithRSA.
  • RSA_4096: The signature algorithm is Sha256WithRSA.
  • ECC_256: The signature algorithm is Sha256WithECDSA.
  • ECC_384: The signature algorithm is Sha256WithECDSA.
  • ECC_512: The signature algorithm is Sha256WithECDSA.
  • SM2_256: The signature algorithm is SM3WithSM2.
The encryption algorithm of the client certificate must be the same as that of the subordinate CA certificate; the key length can differ. For example, if the subordinate CA certificate uses the RSA_2048 key algorithm, the client certificate must use RSA_1024, RSA_2048, or RSA_4096.
Note: Call DescribeCACertificate to find the key algorithm of the subordinate CA certificate.
Example: RSA_2048

ParentIdentifier (string, optional)
The unique identifier of the subordinate CA certificate that issues this certificate.
Note: Call DescribeCACertificateList to query the unique identifier of the subordinate CA certificate.
Example: 273ae6bb538d538c70c01f81jh2****

Years (integer, optional)
The validity period of the certificate in years.
Example: 5

Months (integer, optional)
The validity period of the certificate in months.
Example: 1

Days (integer, optional)
The validity period of the client certificate in days. Days, BeforeTime, and AfterTime cannot all be empty, and BeforeTime and AfterTime must be set together or left empty together:
  • If you set Days, BeforeTime and AfterTime are optional.
  • If you do not set Days, you must set both BeforeTime and AfterTime.
Note:
  • If you set Days, BeforeTime, and AfterTime, the value of Days takes precedence.
  • The validity period of the client certificate cannot exceed the validity period of the subordinate CA certificate. To view the validity period of the subordinate CA certificate, call DescribeCACertificate.
Example: 365

BeforeTime (integer, optional)
The issuance time of the client certificate as a UNIX timestamp in seconds. The default value is the time at which you call this operation.
Note: BeforeTime and AfterTime must be specified together or left empty together.
Example: 1634283958

AfterTime (integer, optional)
The expiration time of the client certificate as a UNIX timestamp in seconds.
Note: BeforeTime and AfterTime must be specified together or left empty together.
Example: 1665819958

Immediately (integer, optional)
Specifies whether to return the digital certificate immediately. Valid values:
  • 0: No. This is the default value.
  • 1: Yes, return the certificate.
  • 2: Yes, return the certificate and its certificate chain.
Example: 1

EnableCrl (integer, optional)
Specifies whether to include the Certificate Revocation List (CRL) address. Valid values: 0 (No) and 1 (Yes).
Example: 1

Tags (array<object>, optional)
A list of tags. Each element is an object with the following fields:
  • Key (string, optional): The tag key. Example: account
  • Value (string, optional): The tag value. Example: 1

ResourceGroupId (string, optional)
The ID of the resource group.
Example: rg-aek****wia

CustomIdentifier (string, optional)
A custom identifier. This is a unique key.
Example: ****6bb538d538c70c01f81jh2****

AliasName (string, optional)
The name of the issued certificate.
Example: cert-name

ClientToken (string, optional)
Used to ensure request idempotence. The client generates this value, which must be unique across different requests. It can contain a maximum of 64 ASCII characters and must not include any non-ASCII characters.
Example: XXX

In addition to the request parameters specific to this operation, you must also specify the common request parameters for Alibaba Cloud APIs.

For more information, see the request sample in the Examples section.
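The constraints above (key-algorithm family matching the subordinate CA, the Days/BeforeTime/AfterTime rules, the validity window staying inside the subordinate CA's, ClientToken length and ASCII-only) are cheap to check before a request is signed and sent, and doing so locally turns a throttled round trip into an immediate error. The following pre-flight validator is an added example, not Alibaba Cloud SDK or service code. It assumes the subordinate CA's key algorithm and validity window have already been fetched with DescribeCACertificate; the SUB_CA dictionary, the sample requests and the call time are constructed here. Two details are assumptions rather than statements from the page: when Days is used the window is taken to start at BeforeTime if given, otherwise at the call time (the documented default for BeforeTime), and email-type SAN entries are required to contain an "@".

```python
import time

# Key algorithms listed on the page, with the signature algorithm each implies.
ALGORITHMS = {
    "RSA_1024": "Sha256WithRSA",
    "RSA_2048": "Sha256WithRSA",
    "RSA_4096": "Sha256WithRSA",
    "ECC_256": "Sha256WithECDSA",
    "ECC_384": "Sha256WithECDSA",
    "ECC_512": "Sha256WithECDSA",
    "SM2_256": "SM3WithSM2",
}
SAN_TYPES = {1: "Email", 6: "URI"}
DAY = 86400


def key_family(algorithm):
    """'RSA_2048' -> 'RSA'. The family must match the subordinate CA's; the length may differ."""
    return algorithm.split("_", 1)[0]


def effective_validity(params, now):
    """Resolve Days / BeforeTime / AfterTime into a (not_before, not_after) window in UNIX seconds.

    Page rules: the three cannot all be empty; BeforeTime and AfterTime go together;
    Days wins when all three are set. Assumption (not on the page): with Days, the
    window starts at BeforeTime if present, else at the call time.
    """
    days = params.get("Days")
    before = params.get("BeforeTime")
    after = params.get("AfterTime")
    if (before is None) != (after is None):
        raise ValueError("BeforeTime and AfterTime must be set together or both omitted")
    if days is None and before is None:
        raise ValueError("set Days, or both BeforeTime and AfterTime")
    if days is not None:
        if days <= 0:
            raise ValueError("Days must be positive")
        start = before if before is not None else now
        return start, start + days * DAY
    if after <= before:
        raise ValueError("AfterTime must be later than BeforeTime")
    return before, after


def validate_request(params, sub_ca, now=None):
    """Return a list of problems; an empty list means the request passes the documented rules.

    sub_ca carries what DescribeCACertificate reports for the issuing subordinate CA:
    its key algorithm and its validity window (UNIX seconds).
    """
    now = int(time.time()) if now is None else now
    problems = []

    alg = params.get("Algorithm")
    if alg is not None:
        if alg not in ALGORITHMS:
            problems.append(f"unknown Algorithm {alg!r}")
        elif key_family(alg) != key_family(sub_ca["Algorithm"]):
            problems.append(f"Algorithm {alg} is not in the subordinate CA's "
                            f"{key_family(sub_ca['Algorithm'])} family")

    san_type = params.get("SanType")
    if san_type is not None and san_type not in SAN_TYPES:
        problems.append(f"SanType must be one of {sorted(SAN_TYPES)}")
    san_value = params.get("SanValue")
    if san_value is not None and san_type == 1:
        # Assumed sanity check: each comma-separated email SAN needs an '@'.
        for entry in san_value.split(","):
            if "@" not in entry.strip():
                problems.append(f"SanValue entry {entry.strip()!r} is not an email address")

    if params.get("Immediately", 0) not in (0, 1, 2):
        problems.append("Immediately must be 0, 1 or 2")
    if params.get("EnableCrl", 0) not in (0, 1):
        problems.append("EnableCrl must be 0 or 1")

    token = params.get("ClientToken")
    if token is not None and (len(token) > 64 or not token.isascii()):
        problems.append("ClientToken must be at most 64 ASCII characters")

    try:
        not_before, not_after = effective_validity(params, now)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        # Page rule: the client certificate's validity cannot exceed the subordinate CA's.
        if not_after > sub_ca["AfterTime"] or not_before < sub_ca["BeforeTime"]:
            problems.append("validity window falls outside the subordinate CA's validity")
    return problems


# Constructed sample: a subordinate CA as DescribeCACertificate might report it.
SUB_CA = {"Algorithm": "RSA_2048", "BeforeTime": 1_600_000_000, "AfterTime": 1_900_000_000}
NOW = 1_634_283_958  # the page's BeforeTime example, reused as the call time

GOOD = {"Algorithm": "RSA_4096", "SanType": 1, "SanValue": "somebody@example.com",
        "Days": 365, "Immediately": 2, "EnableCrl": 1, "ClientToken": "req-0001"}
BAD = {"Algorithm": "ECC_256", "SanType": 1, "SanValue": "not-an-email",
       "BeforeTime": NOW, "ClientToken": "x" * 65}

if __name__ == "__main__":
    print("GOOD:", validate_request(GOOD, SUB_CA, NOW))
    for problem in validate_request(BAD, SUB_CA, NOW):
        print("BAD:", problem)
```

Run the module directly to see the two sample requests evaluated; in a real caller, run validate_request on the parameter dictionary right before it is handed to the SDK and refuse to send while the list is non-empty.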

Response elements

The response is an object (CreateCertificateResponse) with the following elements. Each entry gives the element name, its type, its description, and an example value.

X509Certificate (string)
The content of the client certificate.
Example: -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----

CertificateChain (string)
The CA certificate chain.
Example: -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n

Identifier (string)
The unique identifier of the client certificate.
Example: 190ae6bb538d538c70c01f81dcf2****

SerialNumber (string)
The certificate serial number.
Example: 084bde9cd233f0ddae33adc438cfbbbd****

RequestId (string)
The ID of the request.
Example: 8C467B38-3910-447D-87BC-AC049166F216

Examples

Success response

JSON format

{
  "X509Certificate": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n",
  "Identifier": "190ae6bb538d538c70c01f81dcf2****",
  "SerialNumber": "084bde9cd233f0ddae33adc438cfbbbd****",
  "RequestId": "8C467B38-3910-447D-87BC-AC049166F216"
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.