Quick start - Key Management Service - Alibaba Cloud Documentation Center

Certificates Manager in Key Management Service (KMS) handles the full lifecycle of X.509 certificates — from generating a key pair and certificate signing request (CSR) to importing the CA-signed certificate and using it for digital signatures.

This guide walks you through the end-to-end workflow: create a certificate, get it signed by a certificate authority (CA), import it, and use it to sign and verify data.

Prerequisites

Before you begin, make sure you have:

Access to the KMS console
A certificate authority (CA) that can sign your CSR — either a public CA (such as DigiCert) or your organization's internal CA

Step 1: Create a certificate and download the CSR

Certificates Manager generates a key pair on your behalf and produces a CSR containing the public key and your organization's identity information.

Log on to the KMS console.
In the top navigation bar, select the region where you want to create the certificate.
In the left-side navigation pane, click Certificates.
On the Certificate page, click Create Certificate.

In the Create Certificate dialog box, fill in the following parameters.

Parameter	Description
CommonName(CN)	The name of the entity that uses the certificate
Country(C)	The ISO 3166-1 alpha-2 country code. For example, `CN` for China
StateOrProvince(ST)	Province, municipality, autonomous region, or special administrative region
Locality(L)	City name
Organization(O)	Legal name of the organization. Click + to add multiple names
OrganizationUnit(OU)	Department name. Click + to add multiple names
Email(E)	Email address of the certificate holder or administrator
SubjectAlternativeNames	For domain validated (DV) certificates only. Add subject alternative names to generate a multi-domain CSR: click +, enter the domain name (for example, `example.com` or `*.example.com`), then click
Key Spec	The cryptographic algorithm for the key pair. Choose based on your CA and application requirements: EC_P256 offers stronger security; RSA_2048 offers wider compatibility but will no longer be supported by some systems after December 31, 2030; EC_SM2 is designed for systems that use China's national cryptography standard
Exportable Key	Whether the private key can be exported from KMS. For security purposes, we recommend that you select No

Click Create Certificate.
In the Successfully created certificate dialog box, click Download certificate request to download the CSR file.
Click OK.

Step 2: Get the CSR signed by a CA

Submit the CSR file you downloaded to your CA. The CA verifies your identity and returns two files:

Certificate (.cer or .pem): the signed public certificate
Certificate chain: the CA's intermediate and root certificates that establish the trust path back to a known root

How you submit the CSR depends on your CA — most public CAs provide an online portal, while internal CAs typically use a command-line or API workflow. Keep both files: you need them in Step 3.

Step 3: Import the certificate

In the certificate list, find the certificate, then choose More > Import certificate in the Actions column.
In the Import certificate dialog box, upload the certificate and certificate chain from Step 2 — or paste their contents directly.
Click OK.

After import, the certificate status changes to Active — it's ready to use for generating and verifying digital signatures.

Step 4: Generate a signature

Use the certificate's private key to sign data. The message must be Base64-encoded and no larger than 4 KB.

Choose the method that fits your integration:

API — best for direct server-to-server calls or when you want minimal dependencies. Call the CertificatePrivateKeySign operation.
SDK — best when you're already using the KMS SDK in your application. See SDK overview for setup instructions.

The following Java example signs data using the SDK. It assumes:

client is an initialized DefaultAcsClient. See the Alibaba Cloud SDK for Java documentation for initialization steps.
certId is the certificate ID shown in the KMS console.
sigAlg is the signing algorithm — see the CertificatePrivateKeySign API reference for valid values.
message is the raw content to sign (no larger than 4 KB).

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.kms.model.v20160120.CertificatePrivateKeySignRequest;
import com.aliyuncs.kms.model.v20160120.CertificatePrivateKeySignResponse;
import org.apache.commons.codec.binary.Base64;

public byte[] doSignByCertificate(DefaultAcsClient client, String certId, String sigAlg, byte[] message) throws ClientException {
    String msgB64 = Base64.encodeBase64String(message); // Base64-encode the message

    CertificatePrivateKeySignRequest request = new CertificatePrivateKeySignRequest();
    request.setCertificateId(certId);
    request.setAlgorithm(sigAlg);
    request.setMessage(msgB64);

    CertificatePrivateKeySignResponse response = client.getAcsResponse(request);

    String sigB64 = response.getSignatureValue();
    return Base64.decodeBase64(sigB64); // Decode the Base64-encoded signature
}

Step 5: Verify a signature

Use the certificate's public key to verify that a signature is valid and the data has not been tampered with.

Choose the method that fits your integration:

API — Call the CertificatePublicKeyVerify operation.
SDK — Use the KMS SDK. See SDK overview for setup instructions.

The following Java example verifies a signature using the SDK. It assumes the same setup as Step 4, plus:

signature is the raw signature bytes returned by the signing operation.

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.kms.model.v20160120.CertificatePublicKeyVerifyRequest;
import com.aliyuncs.kms.model.v20160120.CertificatePublicKeyVerifyResponse;
import org.apache.commons.codec.binary.Base64;

public Boolean doVerifyByCertificate(DefaultAcsClient client, String certId, String sigAlg, byte[] message, byte[] signature) throws ClientException {
    String msgB64 = Base64.encodeBase64String(message);    // Base64-encode the message
    String sigB64 = Base64.encodeBase64String(signature);  // Base64-encode the signature

    CertificatePublicKeyVerifyRequest request = new CertificatePublicKeyVerifyRequest();
    request.setCertificateId(certId);
    request.setAlgorithm(sigAlg);
    request.setMessage(msgB64);
    request.setSignatureValue(sigB64);

    CertificatePublicKeyVerifyResponse response = client.getAcsResponse(request);

    return response.getSignatureValid();
}

What's next

SDK overview — SDK setup and full API reference for Certificates Manager
CertificatePrivateKeySign API reference — signing algorithms and request parameters
CertificatePublicKeyVerify API reference — verification parameters and response fields