
Certificate Management Service:CreateSubCACertificate

Last Updated: Jan 19, 2026

Creates an intermediate certificate authority (CA) certificate.

Operation description

This operation issues an intermediate certificate authority (CA) certificate from an existing root CA certificate. You can use the intermediate CA certificate to issue client and server certificates.

Before calling this operation, you must call the CreateRootCACertificate operation to create a root CA certificate.

QPS limit

The queries per second (QPS) limit for this operation is 10 calls per user. Calls that exceed this limit are throttled. This may affect your business. Plan your calls accordingly.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The action that can be used in the Action element of a RAM permission policy statement to grant permission to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates whether the action supports resource-level permissions. The specified resource must be compatible with the action; otherwise, the policy is ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
| --- | --- | --- | --- | --- |
| yundun-cert:CreateSubCACertificate | create | *All Resource (*) | None | None |

Request parameters

| Parameter | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| ParentIdentifier | string | No | The unique identifier of the root CA certificate. Note: Call the DescribeCACertificateList operation to get the unique identifiers of all CA certificates. | 1a83bcbb89e562885e40aa0108f5**** |
| CommonName | string | Yes | The common name of your organization. The name can contain Chinese characters and English letters. | Aliyun |
| OrganizationUnit | string | Yes | The name of the department in your organization. The name can contain Chinese characters and English letters. | Security |
| Organization | string | Yes | The name of your organization, such as your company. The name can contain Chinese characters and English letters. | Alibaba |
| Locality | string | Yes | The name of the city where your organization is located. The name can contain Chinese characters and English letters. | Hangzhou |
| State | string | Yes | The name of the province or state where your organization is located. The name can contain Chinese characters and English letters. | Zhejiang |
| CountryCode | string | No | The two- or three-letter country or region code in uppercase. For example, CN indicates China and US indicates the United States. For more information, see the Country codes section in Manage company information. | CN |
| Algorithm | string | Yes | The key algorithm of the intermediate CA certificate, in the <Encryption algorithm>_<Key length> format. Valid values: RSA_1024, RSA_2048 and RSA_4096 (signature algorithm Sha256WithRSA); ECC_256 (signature algorithm Sha256WithECDSA); SM2_256 (signature algorithm SM3WithSM2). The encryption algorithm of the intermediate CA certificate must be the same as that of the root CA certificate, but the key length can differ. For example, if the root CA certificate uses RSA_2048, the intermediate CA certificate must use RSA_1024, RSA_2048, or RSA_4096. Note: Call the DescribeCACertificate operation to get the key algorithm of the root CA certificate. | RSA_2048 |
| Years | integer | Yes | The validity period of the intermediate CA certificate, in years. Valid values: 5 to 10. Note: The validity period of the intermediate CA certificate cannot exceed that of the root CA certificate. Call the DescribeCACertificate operation to get the validity period of the root CA certificate. | 5 |
| PathLenConstraint | integer | No | The certificate path length constraint. Default value: 0. | 0 |
| ExtendedKeyUsages | array | No | The extended key usages. | |
| ExtendedKeyUsages[] | string | No | An extended key usage. Valid values: any (Any), serverAuth (Server authentication), clientAuth (Client authentication), codeSigning (Code signing), emailProtection (Email protection), timeStamping (Timestamping), OCSPSigning (OCSP signing), or another extended key usage object identifier (OID). | serverAuth |
| EnableCrl | boolean | No | Specifies whether to enable the certificate revocation list (CRL) feature. Valid values: true (yes), false (no). | true |
| CrlDay | integer | No | The validity period of the CRL, in days. Valid values: 1 to 365. | 30 |
| Tags | array<object> | No | A list of tags. | |
| Tags[] | object | No | A tag. | |
| Tags[].Key | string | No | The tag key. | testKey |
| Tags[].Value | string | No | The tag value. | test |
| ResourceGroupId | string | No | The ID of the resource group. | rg-ae****vty |
| ClientToken | string | No | A client-generated token that is used to ensure the idempotence of the request. The token must be unique for each request. The token can be up to 64 ASCII characters in length. | XXX |
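Several of the rules above can be checked on the client before the request is sent (the encryption algorithm must match the root CA while the key length may differ; Years must be 5 to 10 and must not outlive the root CA; CrlDay must be 1 to 365; ClientToken must be at most 64 ASCII characters; each extended key usage must be one of the listed names or an OID), so a request the service would reject never consumes part of the 10 QPS budget. The following Go program is an added example, not code from Alibaba Cloud or its SDKs. The SubCARequest struct, the ValidateSubCARequest function and the sample root CA facts (an RSA_2048 key expiring at the start of 2040) are constructions for this example; in practice the root CA's algorithm and validity period would be read from DescribeCACertificate.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// SubCARequest holds the CreateSubCACertificate parameters that carry constraints worth
// checking before the call. Field names are the API's parameter names; the struct is
// constructed for this example and is not part of any SDK.
type SubCARequest struct {
	Algorithm         string
	Years             int
	ExtendedKeyUsages []string
	EnableCrl         bool
	CrlDay            int // 0 means "not supplied"
	ClientToken       string
}

// validAlgorithms are the Algorithm values the page lists. RSA_1024 is accepted by the API
// but falls below current key-length recommendations for a CA key.
var validAlgorithms = map[string]bool{
	"RSA_1024": true, "RSA_2048": true, "RSA_4096": true, "ECC_256": true, "SM2_256": true,
}

// knownEKUs are the named extended key usages the page lists; anything else must be an OID.
var knownEKUs = map[string]bool{
	"any": true, "serverAuth": true, "clientAuth": true, "codeSigning": true,
	"emailProtection": true, "timeStamping": true, "OCSPSigning": true,
}

// algorithmFamily returns the <Encryption algorithm> part of an <Encryption algorithm>_<Key length> value.
func algorithmFamily(alg string) string {
	family, _, _ := strings.Cut(alg, "_")
	return family
}

// isDottedOID accepts dotted-decimal strings such as "1.3.6.1.5.5.7.3.1".
func isDottedOID(s string) bool {
	parts := strings.Split(s, ".")
	if len(parts) < 2 {
		return false
	}
	for _, p := range parts {
		if p == "" || strings.Trim(p, "0123456789") != "" {
			return false
		}
	}
	return true
}

// ValidateSubCARequest applies the page's rules locally. rootAlgorithm and rootNotAfter are
// the root CA's key algorithm and expiry (in practice read from DescribeCACertificate);
// notBefore is when the new intermediate's validity would start.
func ValidateSubCARequest(req SubCARequest, rootAlgorithm string, rootNotAfter, notBefore time.Time) error {
	if !validAlgorithms[req.Algorithm] {
		return fmt.Errorf("Algorithm %q is not a supported value", req.Algorithm)
	}
	if algorithmFamily(req.Algorithm) != algorithmFamily(rootAlgorithm) {
		return fmt.Errorf("Algorithm %q does not match root CA algorithm %q (key length may differ, the encryption algorithm may not)", req.Algorithm, rootAlgorithm)
	}
	if req.Years < 5 || req.Years > 10 {
		return errors.New("Years must be between 5 and 10")
	}
	if notBefore.AddDate(req.Years, 0, 0).After(rootNotAfter) {
		return fmt.Errorf("a %d-year validity would outlive the root CA, which expires %s", req.Years, rootNotAfter.Format("2006-01-02"))
	}
	for _, eku := range req.ExtendedKeyUsages {
		if !knownEKUs[eku] && !isDottedOID(eku) {
			return fmt.Errorf("ExtendedKeyUsages entry %q is neither a listed name nor an OID", eku)
		}
	}
	if req.CrlDay != 0 && (req.CrlDay < 1 || req.CrlDay > 365) {
		return errors.New("CrlDay must be between 1 and 365")
	}
	if len(req.ClientToken) > 64 {
		return errors.New("ClientToken must be at most 64 characters")
	}
	for _, r := range req.ClientToken {
		if r > unicode.MaxASCII {
			return errors.New("ClientToken must contain only ASCII characters")
		}
	}
	return nil
}

func main() {
	// Constructed root CA facts: RSA_2048 key, expires at the start of 2040.
	rootNotAfter := time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC)
	req := SubCARequest{Algorithm: "RSA_4096", Years: 5, ExtendedKeyUsages: []string{"serverAuth"},
		EnableCrl: true, CrlDay: 30, ClientToken: "example-client-token-0001"}
	fmt.Println("validation error:", ValidateSubCARequest(req, "RSA_2048", rootNotAfter, time.Now())) // <nil>
}
```

The family check is deliberately the only algorithm comparison: an RSA_4096 intermediate under an RSA_2048 root passes, an ECC_256 intermediate under the same root does not, which is exactly the rule the Algorithm row states.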

Response elements

| Element | Type | Description | Example |
| --- | --- | --- | --- |
| object | | The response object. | |
| RequestId | string | The ID of the request. | 15C66C7B-671A-4297-9187-2C4477247A74 |
| Identifier | string | The unique identifier of the intermediate CA certificate. | 160ae6bb538d538c70c01f81dcf2**** |
| Certificate | string | The intermediate CA certificate returned by this call, in PEM format. | -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE----- |
| CertificateChain | string | The CA certificate chain of the certificate returned by this call, in PEM format. | -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n |


Examples

Success response

JSON format

```json
{
  "RequestId": "15C66C7B-671A-4297-9187-2C4477247A74",
  "Identifier": "160ae6bb538d538c70c01f81dcf2****",
  "Certificate": "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n"
}
```
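The Certificate and CertificateChain values above are elided, so the following Go program, an added example that is not code from Alibaba Cloud or the service, constructs a comparable root CA and intermediate locally and shows the checks worth running on a real response before the new intermediate is trusted or wired into an issuance pipeline: the Certificate value must chain to the self-signed root contained in CertificateChain, must carry CA:TRUE with a path length of 0 (under X.509 pathLenConstraint semantics this lets it issue end-entity certificates but no further CA certificates, matching PathLenConstraint's default), must not outlive the root, and must use the root's key algorithm family, as the Algorithm parameter requires. BuildSampleResponse, parseCerts and CheckIntermediate are names chosen for this example; the ECC P-256 keys, the 20-year root and the 5-year intermediate with EKU serverAuth are constructed sample values, not service output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; used only while building the constructed sample data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildSampleResponse constructs a 20-year ECC root CA and a 5-year intermediate (PathLenConstraint 0,
// EKU serverAuth) in the shape of the Certificate and CertificateChain fields. Constructed sample data.
func BuildSampleResponse() (certPEM, chainPEM string) {
	toPEM := func(der []byte) string { return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})) }
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Root CA", Organization: []string{"Alibaba"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(20, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER := must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))
	root := must(x509.ParseCertificate(rootDER)) // parsed so its SubjectKeyId becomes the sub-CA's AuthorityKeyId
	subTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Sample Sub CA", OrganizationalUnit: []string{"Security"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 0, MaxPathLenZero: true, // PathLenConstraint = 0
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	subDER := must(x509.CreateCertificate(rand.Reader, subTmpl, root, &subKey.PublicKey, rootKey))
	return toPEM(subDER), toPEM(subDER) + toPEM(rootDER)
}

// parseCerts decodes every PEM block in s as a certificate.
func parseCerts(s string) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode([]byte(s)); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// CheckIntermediate verifies that Certificate chains to a self-signed root in CertificateChain and looks like a sub-CA issued with PathLenConstraint 0.
func CheckIntermediate(certPEM, chainPEM string) error {
	leaf, err := parseCerts(certPEM)
	if err != nil || len(leaf) != 1 {
		return errors.New("Certificate must hold exactly one PEM certificate")
	}
	sub := leaf[0]
	chain, err := parseCerts(chainPEM)
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	var root *x509.Certificate
	for _, c := range chain {
		inters.AddCert(c) // every link may serve as an intermediate; the self-signed one is also the trust anchor
		if c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
			root = c
		}
	}
	if root == nil {
		return errors.New("CertificateChain contains no self-signed root")
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sub.Verify(opts); err != nil {
		return fmt.Errorf("chain does not verify: %w", err)
	}
	switch {
	case !sub.BasicConstraintsValid || !sub.IsCA:
		return errors.New("intermediate is not marked CA:TRUE")
	case sub.MaxPathLen != 0 || !sub.MaxPathLenZero:
		return fmt.Errorf("expected pathlen 0, got %d", sub.MaxPathLen)
	case sub.NotAfter.After(root.NotAfter):
		return errors.New("intermediate outlives the root CA")
	case sub.PublicKeyAlgorithm != root.PublicKeyAlgorithm:
		return errors.New("intermediate key algorithm differs from the root's")
	}
	return nil
}
```

Feed CheckIntermediate the Certificate and CertificateChain strings of a real response; it returns nil when every check passes and an error naming the first failed check otherwise. The trust anchor is taken from the chain only because this example is about inspecting what the service returned; a production verifier should instead hold the root CA it already trusts and refuse a chain whose self-signed certificate differs from it.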

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.