Creates a root certificate authority (CA) certificate.

Usage notes

You can call the CreateRootCACertificate operation to create a self-signed root CA certificate. A root CA certificate is the trust anchor in a chain of trust for private certificates that are used within an enterprise. You must create a root CA certificate before you can use the root CA certificate to issue intermediate CA certificates. Then, you can use the intermediate CA certificates to issue client certificates and server certificates.

Before you call this operation, make sure that you have purchased a private root CA instance by using the Certificate Management Service console. For more information, see Create a private CA.

Limits

You can call this operation up to 10 times per second per account. If the number of the calls per second exceeds the limit, throttling is triggered. As a result, your business may be affected. We recommend that you take note of the limit when you call this operation.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateRootCACertificate

The operation that you want to perform. Set the value to CreateRootCACertificate.

Organization String Yes Alibaba

The name of the organization that is associated with the root CA certificate. You can enter the name of your enterprise or company. The value can contain letters.

OrganizationUnit String Yes Security

The name of the department or branch in the organization. The value can contain letters.

CountryCode String Yes CN

The code of the country or region in which the organization is located. You can enter an alpha-2 code. For example, you can use CN to indicate China and use US to indicate the United States.

For more information about country codes, see the "Country codes" section in Manage company profiles.

State String Yes Zhejiang

The name of the province or state in which the organization is located. The value can contain letters.

Locality String Yes Hangzhou

The name of the city in which the organization is located. The value can contain letters.

CommonName String Yes Alibaba

The common name or abbreviation of the organization. The value can contain letters.

Algorithm String Yes RSA_2048

The type of the key algorithm of the root CA certificate. The key algorithm is in the <Encryption algorithm>_<Key length> format. Valid values:

  • RSA_1024: The signature algorithm is Sha256WithRSA.
  • RSA_2048: The signature algorithm is Sha256WithRSA.
  • RSA_4096: The signature algorithm is Sha256WithRSA.
  • ECC_256: The signature algorithm is Sha256WithECDSA.
  • ECC_384: The signature algorithm is Sha256WithECDSA.
  • ECC_512: The signature algorithm is Sha256WithECDSA.
  • SM2_256: The signature algorithm is SM3WithSM2.

The encryption algorithm of the root CA certificate must be consistent with the encryption algorithm of the private root CA instance that you purchase. For example, if the encryption algorithm of the private root CA instance that you purchase is RSA, the key algorithm of the root CA certificate must be RSA_1024, RSA_2048, or RSA_4096.

Years Integer Yes 10

The validity period of the root CA certificate. Unit: years.

Note We recommend that you set this parameter to 5 to 10.

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.

For more information about sample requests, see the "Examples" section of this topic.

Response parameters

Parameter Type Example Description
Identifier String 1a83bcbb89e562885e40aa0108f5****

The unique identifier of the root CA certificate.

RequestId String 6D9B4C5F-7140-5B41-924C-329181DC00C1

The ID of the request, which is used to locate and troubleshoot issues.

Certificate String -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----

The root CA certificate in the PEM format.

CertificateChain String -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n

The certificate chain of the root CA certificate.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreateRootCACertificate
&Organization=Alibaba
&OrganizationUnit=Security
&CountryCode=CN
&State=Zhejiang
&Locality=Hangzhou
&CommonName=Alibaba
&Algorithm=RSA_2048
&Years=10
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<CreateRootCACertificateResponse>
    <Identifier>1a83bcbb89e562885e40aa0108f5****</Identifier>
    <RequestId>6D9B4C5F-7140-5B41-924C-329181DC00C1</RequestId>
    <Certificate>-----BEGIN CERTIFICATE-----
      ......
      -----END CERTIFICATE-----
    </Certificate>
    <CertificateChain>-----BEGIN CERTIFICATE-----
      ......
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      ......
      -----END CERTIFICATE-----
    </CertificateChain>
</CreateRootCACertificateResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "Identifier" : "1a83bcbb89e562885e40aa0108f5****",
  "RequestId" : "6D9B4C5F-7140-5B41-924C-329181DC00C1",
  "Certificate" : "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----",
  "CertificateChain" : "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n"
}

Error codes

For a list of error codes, visit the API Error Center.