Queries the encrypted private key of a client certificate or a server certificate.
Operation description
Usage notes
You can call the DescribeCertificatePrivateKey operation to obtain the encrypted private key of a client certificate or a server certificate. The certificate is issued based on a system-generated certificate signing request (CSR). Before you call this operation, make sure that you have issued a client certificate or a server certificate by calling the following operation:
To ensure the security of private key transmission, the DescribeCertificatePrivateKey operation encrypts the private key by using the private key password that you specify and returns the encrypted private key. The private key password is a string that is used to encrypt the private key. After you obtain the encrypted private key of the certificate, you can use the following methods to decrypt the private key:
- If the encryption algorithm of the certificate is RSA, you must run the following command on a computer on which OpenSSL or BabaSSL is installed:
  openssl rsa -in <Encrypted private key file> -passin pass:<Private key password> -out <Decrypted private key file>
- If the encryption algorithm of the certificate is ECC, you must run the following command on a computer on which OpenSSL or BabaSSL is installed:
  openssl ec -in <Encrypted private key file> -passin pass:<Private key password> -out <Decrypted private key file>
- If the encryption algorithm of the certificate is SM2, you must run the following command on a computer on which BabaSSL is installed:
  openssl ec -in <Encrypted private key file> -passin pass:<Private key password> -out <Decrypted private key file>
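
The -passin pass: form used in the commands above puts the private key password in the process argument list, where other local users and shell history can capture it. The following added example (not part of the original page or of the vendor's tooling) runs the same openssl rsa and openssl ec subcommands but reads the password from stdin; the function name decrypt_cert_key and its argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page.
# Decrypts the EncryptedData PEM returned by DescribeCertificatePrivateKey.
# The password is read from stdin (-passin stdin), so it never appears in
# the argument list of the openssl process.
set -eu

# Usage: decrypt_cert_key <RSA|ECC|SM2> <encrypted.pem> <decrypted.pem> < password
# The ( ... ) body runs in a subshell: variables and umask stay local.
decrypt_cert_key() (
  [ "$#" -eq 3 ] || { echo "usage: decrypt_cert_key ALG IN OUT" >&2; exit 2; }
  alg=$1 in_file=$2 out_file=$3

  # Same subcommands as the page: rsa for RSA, ec for ECC and SM2.
  case "$alg" in
    RSA) subcmd=rsa ;;
    ECC|SM2) subcmd=ec ;;   # SM2 needs a BabaSSL build of the openssl binary
    *) echo "unsupported algorithm: $alg" >&2; exit 2 ;;
  esac

  # Refuse input that is not the encrypted PEM shown in the sample response.
  grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$in_file" ||
    { echo "$in_file: no ENCRYPTED PRIVATE KEY block" >&2; exit 2; }

  # The cleartext key must be readable by its owner only.
  umask 077
  if ! openssl "$subcmd" -in "$in_file" -passin stdin -out "$out_file"; then
    rm -f "$out_file"   # do not leave a partial or empty key file behind
    echo "decryption failed (wrong password or damaged PEM)" >&2
    exit 1
  fi
)

# Interactive use (printf is a shell builtin, so the password stays out of argv):
#   stty -echo; IFS= read -r pw; stty echo
#   printf '%s\n' "$pw" | decrypt_cert_key RSA encrypted.pem decrypted.pem
```

Save the EncryptedData value from the response to a file, with its line breaks restored, before you pass it to the function.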
Limits
You can call this operation up to 100 times per second per account. If the number of the calls per second exceeds the limit, throttling is triggered. As a result, your business may be affected. We recommend that you take note of the limit when you call this operation.
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
Identifier | string | Yes | The unique identifier of the client certificate or server certificate that you want to query. Note: You can call the ListClientCertificate operation to query the unique identifiers of all client certificates and server certificates. | bc37133bb7ed68c7938d928fd26d**** |
EncryptedCode | string | Yes | The password that is used to encrypt the private key. The password can contain letters, digits, and special characters, such as Warning You must remember the password that you specify. The password is required to decrypt the encrypted private key. If you forget the password, the encrypted private key that is returned cannot be decrypted. You must call this operation again. | !QA@WS3ed |
All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.
For more information about sample requests, see the "Examples" section of this topic.
Response parameters
Examples
Sample success responses
JSON format
{
  "EncryptedData": "-----BEGIN ENCRYPTED PRIVATE KEY----- …… -----END ENCRYPTED PRIVATE KEY-----",
  "RequestId": "09470F19-CEE8-5C63-BF2C-02B5E3F07A17"
}
Error codes
For a list of error codes, see Service error codes.