Certificate Management Service:CreateCustomCertificate

Last Updated:Dec 24, 2025

Issues a digital certificate using the specified certificate subject, subject alternative name, key usage, and extended key usage.

Operation description

By default, the certificate subject is retrieved from the Certificate Signing Request (CSR). If you specify a certificate subject, the subject from the CSR is ignored and the specified subject is used to issue the certificate.

You must specify the key usage or extended key usage based on your scenario. The following examples show common scenarios:

  • Server-side authentication certificate

Key usage: digitalSignature, keyEncipherment

Extended key usage: serverAuth

  • Client authentication certificate

Key usage: digitalSignature, keyEncipherment

Extended key usage: clientAuth

  • mTLS mutual authentication certificate

Key usage: digitalSignature, keyEncipherment

Extended key usage: serverAuth, clientAuth

  • Email signing certificate

Key usage: digitalSignature, contentCommitment

Extended key usage: emailProtection

Note: Compliance CAs are managed by third-party authorities and do not support this operation.
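As an added example (not code from this page or from an Alibaba Cloud SDK), the following Python builds the ApiPassthrough.Extensions part of a CreateCustomCertificate request for the four scenarios listed above and runs the consistency checks a caller can perform locally before the request is sent. The parameter names come from the request table on this page; the scenario labels, helper names and the checks themselves are our own, and the placeholder CA identifier and CSR are constructed values.

```python
"""Build and sanity-check the ApiPassthrough.Extensions object of a
CreateCustomCertificate request (constructed example)."""
import json

# Key-usage flags and extended key usages per scenario, as listed on the page.
# The scenario labels are our own shorthand.
SCENARIOS = {
    "server": ({"DigitalSignature", "KeyEncipherment"}, ["serverAuth"]),
    "client": ({"DigitalSignature", "KeyEncipherment"}, ["clientAuth"]),
    "mtls":   ({"DigitalSignature", "KeyEncipherment"}, ["serverAuth", "clientAuth"]),
    "email":  ({"DigitalSignature", "ContentCommitment"}, ["emailProtection"]),
}

# Every KeyUsage boolean the request table documents.
KEY_USAGE_FLAGS = (
    "DigitalSignature", "ContentCommitment", "NonRepudiation", "KeyEncipherment",
    "DataEncipherment", "KeyAgreement", "EncipherOnly", "DecipherOnly",
)

# Named extended key usages the request table allows; anything else must be an OID.
KNOWN_EKUS = {"any", "serverAuth", "clientAuth", "codeSigning",
              "emailProtection", "timeStamping", "OCSPSigning"}


def _looks_like_oid(s):
    parts = s.split(".")
    return len(parts) >= 2 and all(p.isdigit() for p in parts)


def build_extensions(scenario, sans=(), critical_eku=True):
    """Return the Extensions object for a scenario. Every KeyUsage flag is set
    explicitly (True or False) so the request states exactly what is wanted."""
    try:
        flags, ekus = SCENARIOS[scenario]
    except KeyError:
        raise ValueError(f"unknown scenario {scenario!r}") from None
    ext = {
        "KeyUsage": {name: (name in flags) for name in KEY_USAGE_FLAGS},
        "ExtendedKeyUsages": list(ekus),
    }
    if sans:
        ext["SubjectAlternativeNames"] = [{"Type": t, "Value": v} for t, v in sans]
    if critical_eku:
        ext["Criticals"] = ["ExtendedKeyUsages"]
    return ext


def check_extensions(ext):
    """Local checks before the request leaves the host (our own, not the
    service's). Returns a list of problems; empty means consistent."""
    problems = []
    ku = ext.get("KeyUsage", {})
    ekus = ext.get("ExtendedKeyUsages", [])
    # The page: key usage or extended key usage must be specified.
    if not any(ku.values()) and not ekus:
        problems.append("neither key usage nor extended key usage specified")
    # The page: EncipherOnly/DecipherOnly only have meaning when KeyAgreement is true.
    if (ku.get("EncipherOnly") or ku.get("DecipherOnly")) and not ku.get("KeyAgreement"):
        problems.append("EncipherOnly/DecipherOnly require KeyAgreement")
    # 'any' already covers every purpose; listing more beside it is usually a mistake.
    if "any" in ekus and len(ekus) > 1:
        problems.append("'any' combined with specific extended key usages")
    for eku in ekus:
        if eku not in KNOWN_EKUS and not _looks_like_oid(eku):
            problems.append(f"unrecognised extended key usage {eku!r}")
    return problems


def build_request(parent_identifier, csr_pem, validity, scenario, sans=(), immediately=1):
    """Assemble the full request body; refuses to build an inconsistent one."""
    ext = build_extensions(scenario, sans)
    problems = check_extensions(ext)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "ParentIdentifier": parent_identifier,
        "Csr": csr_pem,
        "Validity": validity,
        "Immediately": immediately,
        "ApiPassthrough": {"Extensions": ext},
    }


if __name__ == "__main__":
    # Constructed placeholders, not real identifiers.
    req = build_request("CA-IDENTIFIER-PLACEHOLDER",
                        "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
                        "1y", "mtls", sans=[("dNSName", "learn.aliyundoc.com")])
    print(json.dumps(req, indent=2))
```

The Subject object is deliberately left out of the passthrough, so the subject is taken from the CSR as the operation description states; add a Subject object only when the CSR's subject should be overridden.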

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action                                Access level   Resource type    Condition key   Dependent action
yundun-cert:CreateCustomCertificate   create         All Resources    None            None
                                                     *

Request parameters

Parameter

Type

Required

Description

Example

ParentIdentifier

string

Yes

The identifier of the CA certificate.

1ed4068c-6f1b-6deb-8e32-3f8439a851cb

Csr

string

Yes

The content of the CSR. You can generate a CSR using tools such as OpenSSL or Keytool. For more information, see Create a CSR file.

-----BEGIN CERTIFICATE REQUEST-----
MIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ
...
...
...
vbIgMQIhAKHDWD6/WAMbtezAt4bysJ/BZIDz1jPWuUR5GV4TJ/mS
-----END CERTIFICATE REQUEST-----

Validity

string

Yes

The validity period of the certificate. This period cannot exceed the validity period of the instance. You can use relative time or absolute time.

Relative time: Supports years, months, and days.

  • Year - y

  • Month - m

  • Day - d

Absolute time: Uses GMT. Format: yyyy-MM-dd'T'HH:mm:ss'Z'

  • Specify the end time - $NotAfter

  • Specify the start and end times - $NotBefore/$NotAfter

Relative time:

  • 1y

  • 3m

  • 7d

Absolute time:

  • 2006-01-02T15:04:05Z

  • 2006-01-02T15:04:05Z/2023-03-09T17:48:13Z
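The two Validity forms described above, resolved into concrete NotBefore/NotAfter instants and checked against the CA instance's own validity window, as an added example (not part of this page or of the service's SDK). It assumes that a relative period, and a bare $NotAfter, start at the moment of the call, and that y and m are calendar years and months; the function names are our own.

```python
"""Resolve a CreateCustomCertificate Validity string into UTC instants
(constructed example; the grammar follows the Validity description on this page)."""
import re
from datetime import datetime, timedelta, timezone

ABS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"      # yyyy-MM-dd'T'HH:mm:ss'Z', GMT
REL_RE = re.compile(r"^(\d+)([ymd])$")  # 1y, 3m, 7d


def _parse_abs(s):
    # strptime accepts only the documented layout, so a missing or different
    # zone designator is rejected instead of being silently reinterpreted.
    return datetime.strptime(s, ABS_FORMAT).replace(tzinfo=timezone.utc)


def _add_months(dt, months):
    """Calendar-month arithmetic; a month is not a fixed number of days."""
    month0 = dt.month - 1 + months
    year, month = dt.year + month0 // 12, month0 % 12 + 1
    # Clamp the day for shorter target months (Jan 31 + 1m -> Feb 28/29).
    for day in (dt.day, 30, 29, 28):
        try:
            return dt.replace(year=year, month=month, day=day)
        except ValueError:
            continue


def resolve_validity(validity, now=None):
    """Return (not_before, not_after) as aware UTC datetimes.

    Relative forms ('1y', '3m', '7d') start at `now` (assumption: the moment of
    the call); absolute forms are '$NotAfter' or '$NotBefore/$NotAfter'.
    Raises ValueError on malformed input or an empty/negative period.
    """
    now = now or datetime.now(timezone.utc)
    m = REL_RE.match(validity)
    if m:
        n, unit = int(m.group(1)), m.group(2)
        if n == 0:
            raise ValueError("validity must be positive")
        if unit == "y":
            not_after = _add_months(now, 12 * n)
        elif unit == "m":
            not_after = _add_months(now, n)
        else:
            not_after = now + timedelta(days=n)
        return now, not_after
    if "/" in validity:
        start, end = validity.split("/", 1)
        not_before, not_after = _parse_abs(start), _parse_abs(end)
    else:
        not_before, not_after = now, _parse_abs(validity)
    if not_after <= not_before:
        raise ValueError("NotAfter must be later than NotBefore")
    return not_before, not_after


def fits_instance(validity, instance_not_after, now=None):
    """True when the requested period ends no later than the CA instance does;
    the page states the certificate period cannot exceed the instance's."""
    _, not_after = resolve_validity(validity, now)
    return not_after <= instance_not_after
```

Resolving the string locally lets a caller reject a period that outlives the CA instance, or an absolute end time that is already in the past, before the request is made rather than after an error comes back.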

ApiPassthrough

object

No

Pass-through parameters.

Subject

object

No

The certificate subject.

Country

string

No

The country code. Use the two-letter country code from ISO 3166-1. For more information, see ISO.

CN

State

string

No

The province or state where the organization is located.

浙江省

Locality

string

No

The name of the city where the organization is located. Chinese characters and letters are supported.

杭州市

Organization

string

No

The name of the organization.

XXX公司

OrganizationUnit

string

No

The name of the department or branch within the organization.

XXX部门

CommonName

string

No

The common name of the certificate user.

张三

CustomAttributes

array<object>

No

The custom subject properties of the certificate.

object

No

The custom subject properties of the certificate.

ObjectIdentifier

string

No

The object identifier (OID) of the custom subject attribute. It must be a standards-defined OID. Examples:

  • 2.5.4.6: Country code

  • 2.5.4.10: Organization

  • 2.5.4.11: Organizational unit name

  • 2.5.4.12: Title

  • 2.5.4.3: Common name

  • 2.5.4.9: Street

  • 2.5.4.5: Serial number

  • 2.5.4.7: Locality

  • 2.5.4.8: State or province

  • 1.3.6.1.4.1.37244.1.1: Matter certificate - Node ID

  • 1.3.6.1.4.1.37244.1.5: Matter certificate - Fabric ID

  • 1.3.6.1.4.1.37244.2.1: Matter certificate - Vendor ID (VID)

  • 1.3.6.1.4.1.37244.2.2: Matter certificate - Product ID (PID)

2.5.4.3

Value

string

No

The value of the custom property.

Aliyun

Extensions

object

No

The certificate extensions.

KeyUsage

object

No

The key usage.

DigitalSignature

boolean

No

Digital signature. Allows the private key of the certificate to be used for digital signatures and the public key to be used to verify digital signatures.

true

ContentCommitment

boolean

No

Content commitment. Formerly known as NonRepudiation. Allows the certificate key to be used for content commitment.

false

NonRepudiation

boolean

No

Non-repudiation. This has been renamed to ContentCommitment in the X.509 standard.

false

KeyEncipherment

boolean

No

Key encipherment. Allows the certificate key to be used to encrypt other keys.

false

DataEncipherment

boolean

No

Data encipherment.

false

KeyAgreement

boolean

No

Key agreement.

false

EncipherOnly

boolean

No

When KeyAgreement is true, this marks that the certificate key can only be used for encryption.

false

DecipherOnly

boolean

No

When KeyAgreement is true, this marks that the certificate key can only be used for decryption.

false

ExtendedKeyUsages

array

No

The extended key usages.

string

No

The following values are allowed:

  • any - No restrictions

  • serverAuth - Server authentication

  • clientAuth - Client authentication

  • codeSigning - Code signing

  • emailProtection - Email protection

  • timeStamping - Timestamping

  • OCSPSigning - OCSP signing

  • Other extended key usage OIDs

1.3.6.1.4.1.311.20.2.2

SubjectAlternativeNames

array<object>

No

The subject alternative names (SANs) of the certificate.

object

No

The subject alternative names (SANs) of the certificate.

Type

string

Yes

The following values are allowed:

  • rfc822Name - Email address

  • dNSName - Domain name

  • uniformResourceIdentifier - Uniform Resource Identifier (URI)

  • iPAddress - IP address

dNSName

Value

string

No

A value that matches the specified Type.

  • rfc822Name: example.aliyundoc.com

  • dNSName: learn.aliyundoc.com

  • uniformResourceIdentifier: acs:ecs:regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****

  • iPAddress: 127.0.0.1
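A local validator for SubjectAlternativeNames entries, as an added example (not code from this page or the service): it checks that each Value has the shape its Type demands before the request is sent, so a hostname submitted as an iPAddress or a mistyped Type is caught on the client. The four Type names are the ones the page lists; the syntax rules, the wildcard handling and the duplicate check are our own assumptions about what a caller wants to enforce, not the service's rules.

```python
"""Validate SubjectAlternativeNames entries locally (constructed example)."""
import ipaddress
import re
from urllib.parse import urlparse

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+$")


def _valid_dns_name(v):
    # A single leading wildcard label is accepted (our choice, not from the page).
    if v.startswith("*."):
        v = v[2:]
    if not v or len(v) > 253:
        return False
    return all(_LABEL.match(label) for label in v.split("."))


def _valid_email(v):
    return bool(_EMAIL.match(v)) and _valid_dns_name(v.rsplit("@", 1)[1])


def _valid_ip(v):
    try:
        ipaddress.ip_address(v)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        return False


def _valid_uri(v):
    # A URI SAN must be absolute, so it needs a scheme plus some body.
    p = urlparse(v)
    return bool(p.scheme) and bool(p.netloc or p.path)


VALIDATORS = {
    "rfc822Name": _valid_email,
    "dNSName": _valid_dns_name,
    "uniformResourceIdentifier": _valid_uri,
    "iPAddress": _valid_ip,
}


def check_sans(sans):
    """Return error strings for a list of {'Type': ..., 'Value': ...} entries;
    an empty list means every entry is acceptable."""
    errors = []
    seen = set()
    for i, san in enumerate(sans):
        t, v = san.get("Type"), san.get("Value")
        if t not in VALIDATORS:
            errors.append(f"#{i}: unknown Type {t!r}")
            continue
        if not v:
            errors.append(f"#{i}: {t} has empty Value")
            continue
        if not VALIDATORS[t](v):
            errors.append(f"#{i}: {v!r} is not a valid {t}")
        # Names and mailbox domains are case-insensitive, so compare them folded.
        key = (t, v.lower() if t in ("dNSName", "rfc822Name") else v)
        if key in seen:
            errors.append(f"#{i}: duplicate {t} {v!r}")
        seen.add(key)
    return errors
```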

Criticals

array

No

If an extension is critical, its name is included in the criticals list.

string

No

The name of the critical extension, such as ExtendedKeyUsages.

ExtendedKeyUsages

SerialNumber

string

No

The custom serial number of the certificate. Must be a long integer.

16889526086333

Immediately

integer

No

Specifies whether to issue the certificate immediately.

  • 0 - Issue the certificate asynchronously.

  • 1 - Issue the certificate immediately.

  • 2 - Issue the certificate immediately and return the CA certificate chain.

0

EnableCrl

integer

No

Specifies whether to include a CRL address in the issued certificate.

  • 0 - No

  • 1 - Yes

1

Tags

array<object>

No

The list of tags.

object

No

The list of tags.

Key

string

No

The tag key.

testKey

Value

string

No

The tag value.

1

ResourceGroupId

string

No

The ID of the resource group. You can obtain this ID by calling the ListResources operation.

rg-aek****wia

customIdentifier

string

No

A custom identifier.

XXX068c-6f1b-6deb-8e32-3f8439a8XXX

Response elements

Element

Type

Description

Example

object

OpenApiResponseV1

Identifier

string

The unique identifier of the certificate.

160ae6bb538d538c70c01f81dcf2****

Certificate

string

The content of the certificate. This is returned when Immediately is set to 1 or 2.

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
...
...
...
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

CertificateChain

string

The CA certificate chain. This is returned when Immediately is set to 2.

-----BEGIN CERTIFICATE-----
MIIBfzCCATGgAwIBAgIUfI5kSdcO2S0+LkpdL3b2VUJG10YwBQYDK2VwMDUxCzAJ
...
...
...
ZYYG
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ
...
...
...
KL5cUmF
-----END CERTIFICATE-----

SerialNumber

string

The serial number of the certificate. This is returned when Immediately is set to 1 or 2.

084bde9cd233f0ddae33adc438cfbbbd****

RequestId

string

The ID of the request. This is a unique identifier generated by Alibaba Cloud for the request. Use this ID to troubleshoot issues.

12345678-1234-1234-1234-123456789ABC

Examples

Success response

JSON format

{
  "Identifier": "160ae6bb538d538c70c01f81dcf2****",
  "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/\n...\n...\n...\nKOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\nMIIBfzCCATGgAwIBAgIUfI5kSdcO2S0+LkpdL3b2VUJG10YwBQYDK2VwMDUxCzAJ\n...\n...\n...\nZYYG\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ\n...\n...\n...\nKL5cUmF\n-----END CERTIFICATE-----",
  "SerialNumber": "084bde9cd233f0ddae33adc438cfbbbd****",
  "RequestId": "12345678-1234-1234-1234-123456789ABC"
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.