Issues an intermediate certificate authority (CA) certificate.

Usage notes

You can call the CreateSubCACertificate operation to issue an intermediate CA certificate by using an existing root CA certificate. Intermediate CA certificates can be used to issue client certificates and server certificates.

Before you call this operation, make sure that you have issued a root CA certificate by calling the CreateRootCACertificate operation.

Limits

You can call this operation up to 10 times per second per account. If the number of the calls per second exceeds the limit, throttling is triggered. As a result, your business may be affected. We recommend that you take note of the limit when you call this operation.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateSubCACertificate

The operation that you want to perform. Set the value to CreateSubCACertificate.

ParentIdentifier String Yes 1a83bcbb89e562885e40aa0108f5****

The unique identifier of the root CA certificate.

Note You can call the DescribeCACertificateList operation to query the unique identifiers of all CA certificates.
Organization String Yes Alibaba Cloud Computing Co., Ltd.

The name of the organization that is associated with the intermediate CA certificate. You can enter the name of your enterprise or company. The value can contain letters.

OrganizationUnit String Yes Security

The name of the department or branch in the organization. The value can contain letters.

CountryCode String Yes CN

The code of the country or region in which the organization is located. You can enter an alpha-2 code. For example, you can use CN to indicate China and use US to indicate the United States.

For more information about country codes, see the "Country codes" section in Manage company profiles.

State String Yes Zhejiang

The name of the province or state in which the organization is located. The value can contain letters.

Locality String Yes Hangzhou

The name of the city in which the organization is located. The value can contain letters.

CommonName String Yes Aliyun

The common name or abbreviation of the organization. The value can contain letters.

Algorithm String Yes RSA_2048

The type of the key algorithm of the intermediate CA. The key algorithm is in the <Encryption algorithm>_<Key length> format. Valid values:

  • RSA_1024: The signature algorithm is Sha256WithRSA.
  • RSA_2048: The signature algorithm is Sha256WithRSA.
  • RSA_4096: The signature algorithm is Sha256WithRSA.
  • ECC_256: The signature algorithm is Sha256WithECDSA.
  • SM2_256: The signature algorithm is SM3WithSM2.

The encryption algorithm of an intermediate CA certificate must be consistent with the encryption algorithm of a root CA certificate. The length of the keys can be different. For example, if the key algorithm of the root CA certificate is RSA_2048, the key algorithm of the intermediate CA certificate must be RSA_1024, RSA_2048, or RSA_4096.

Note You can call the DescribeCACertificate operation to query the key algorithm of a root CA certificate.
Years Integer Yes 5

The validity period of the intermediate CA certificate. Unit: years.

We recommend that you set this parameter to 5 to 10.

Note The validity period of the intermediate CA certificate cannot exceed the validity period of the root CA certificate. You can call the DescribeCACertificate operation to query the validity period of a root CA certificate.

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.

For more information about sample requests, see the "Examples" section of this topic.

Response parameters

Parameter Type Example Description
Identifier String 160ae6bb538d538c70c01f81dcf2****

The unique identifier of the intermediate CA certificate.

RequestId String 15C66C7B-671A-4297-9187-2C4477247A74

The ID of the request, which is used to locate and troubleshoot issues.

Certificate String -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----

The intermediate CA certificate in the PEM format.

CertificateChain String -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n

The certificate chain of the intermediate CA certificate.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreateSubCACertificate
&ParentIdentifier=1a83bcbb89e562885e40aa0108f5****
&Organization=Alibaba Cloud Computing Co., Ltd.
&OrganizationUnit=Security
&CountryCode=CN
&State=Zhejiang
&Locality=Hangzhou
&CommonName=Aliyun
&Algorithm=RSA_2048
&Years=5
&<Common request parameters>

Sample success responses

XML format 

HTTP/1.1 200 OK
Content-Type:application/xml

<CreateSubCACertificateResponse>
    <Identifier>160ae6bb538d538c70c01f81dcf2****</Identifier>
    <RequestId>15C66C7B-671A-4297-9187-2C4477247A74</RequestId>
    <Certificate>-----BEGIN CERTIFICATE-----
      ......
      -----END CERTIFICATE-----
    </Certificate>
    <CertificateChain>-----BEGIN CERTIFICATE-----
      ......
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      ......
      -----END CERTIFICATE-----
    </CertificateChain>
</CreateSubCACertificateResponse>

JSON format 

HTTP/1.1 200 OK
Content-Type:application/json

{
  "Identifier" : "160ae6bb538d538c70c01f81dcf2****",
  "RequestId" : "15C66C7B-671A-4297-9187-2C4477247A74",
  "Certificate" : "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----",
  "CertificateChain" : "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n"
}

Error codes

For a list of error codes, visit the API Error Center.