Decrypts data by using a specific certificate.

Limit: The encryption algorithm in the request parameters must match the key type.

The following table describes the mapping between encryption algorithms and key types.

Algorithm

Key Spec

RSAES_OAEP_SHA_1

RSA_2048

RSAES_OAEP_SHA_256

RSA_2048

SM2PKE

EC_SM2

In this example, the certificate whose ID is 12345678-1234-1234-1234-12345678**** and the encryption algorithm RSAES_OAEP_SHA_256 are used to decrypt the data ZOyIygCyaOW6Gj****MlNKiuyjfzw=.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CertificatePrivateKeyDecrypt

The operation that you want to perform. Set the value to CertificatePrivateKeyDecrypt.

CertificateId String Yes 12345678-1234-1234-1234-12345678****

The ID of the certificate. The ID must be globally unique in Certificates Manager.

Algorithm String Yes RSAES_OAEP_SHA_256

The encryption algorithm. Valid values:

  • RSAES_OAEP_SHA_1
  • RSAES_OAEP_SHA_256
  • SM2PKE
    Note The SM2PKE encryption algorithm is supported only in regions in mainland China. In these regions, managed hardware security modules (HSMs) are used. For more information, see Managed HSM overview.
CiphertextBlob String Yes ZOyIygCyaOW6Gj****MlNKiuyjfzw=

The data that you want to decrypt.

The value is encoded in Base64.

For more information about common request parameters, see Common parameters.

Response parameters

Parameter Type Example Description
RequestId String 5979d897-d69f-4fc9-87dd-f3bb73c40b80

The ID of the request, which is used to locate and troubleshoot issues.

CertificateId String 12345678-1234-1234-1234-12345678****

The ID of the certificate.

Plaintext String VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4

The plaintext after data is decrypted.

The value is encoded in Base64.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CertificatePrivateKeyDecrypt
&CertificateId=12345678-1234-1234-1234-12345678****
&Algorithm=RSAES_OAEP_SHA_256
&CiphertextBlob=ZOyIygCyaOW6Gj****MlNKiuyjfzw=
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<CertificatePrivateKeyDecryptResponse>
    <RequestId>5979d897-d69f-4fc9-87dd-f3bb73c40b80</RequestId>
    <CertificateId>12345678-1234-1234-1234-12345678****</CertificateId>
    <Plaintext>VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4</Plaintext>
</CertificatePrivateKeyDecryptResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "5979d897-d69f-4fc9-87dd-f3bb73c40b80",
  "CertificateId" : "12345678-1234-1234-1234-12345678****",
  "Plaintext" : "VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4"
}

Error codes

HTTP status code Error code Error message Description
400 InvalidParameter The specified parameter is not valid. The error message returned because an invalid value is specified for the parameter.
404 Certificate.NotFound The specified certificate is not found. The error message returned because the specified certificate does not exist.
404 InvalidAccessKeyId.NotFound The Access Key ID provided does not exist in our records. The error message returned because the specified AccessKey ID does not exist.

For a list of error codes, visit the API Error Center.