Encrypts data by using a specific certificate.

Limit: The encryption algorithm in the request parameters must match the key type.

The following table describes the mapping between encryption algorithms and key types.


Key Type







In this example, the certificate whose ID is 12345678-1234-1234-1234-12345678**** and the encryption algorithm RSAES_OAEP_SHA_256 are used to encrypt the data VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4=.


OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CertificatePublicKeyEncrypt

The operation that you want to perform. Set the value to CertificatePublicKeyEncrypt.

Algorithm String Yes RSAES_OAEP_SHA_256

The encryption algorithm. Valid values:

  • SM2PKE
    Note The SM2PKE encryption algorithm is supported only in regions in mainland China. In these regions, managed hardware security modules (HSMs) are used. For more information, see Overview of managed HSM.
CertificateId String Yes 12345678-1234-1234-1234-12345678****

The ID of the certificate. It is the globally unique identifier (GUID) of the certificate in Certificates Manager.

Plaintext String Yes VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4=

The data that you want to encrypt.

The value must be encoded in Base64. For example, if the hexadecimal data that you want to encrypt is [0x31, 0x32, 0x33, 0x34], the Base64-encoded data is MTIzNA==.

The size of data that can be encrypted varies based on the encryption algorithm that you use:

  • RSAES_OAEP_SHA_1: 214 bytes
  • RSAES_OAEP_SHA_256: 190 bytes
  • SM2PKE: 6,047 bytes

If the size of data that you want to encrypt exceeds the preceding limits, you can call the GenerateDataKey operation to generate a data key to encrypt the data. Then, call the CertificatePublicKeyEncrypt operation to encrypt the data key.

For more information about common request parameters, see Common parameters.

Response parameters

Parameter Type Example Description
CertificateId String 12345678-1234-1234-1234-12345678****

The ID of the certificate.

CiphertextBlob String ZOyIygCyaOW6Gj****MlNKiuyjfzw=

The ciphertext after data is encrypted.

The value is encoded in Base64.

RequestId String 5979d897-d69f-4fc9-87dd-f3bb73c40b80

The ID of the request.


Sample requests

&<Common request parameters>

Sample success responses

XML format


JSON format

  "CertificateId": "12345678-1234-1234-1234-12345678****",
  "CiphertextBlob": "ZOyIygCyaOW6Gj****MlNKiuyjfzw=",
  "RequestId": "5979d897-d69f-4fc9-87dd-f3bb73c40b80"

Error codes

HttpCode Error code Error message Description
404 Certificate.NotFound The specified certificate is not found. The error message returned because the specified certificate does not exist.

For a list of error codes, visit the API Error Center.