Queries the encrypted private key of a client certificate or a server certificate.
Usage notes
You can call the DescribeCertificatePrivateKey operation to obtain the encrypted private key of a client certificate or a server certificate. The certificate is issued based on a system-generated certificate signing request (CSR). Before you call this operation, make sure that you have issued a client certificate or a server certificate by calling the following operation:
To ensure the security of private key transmission, the DescribeCertificatePrivateKey operation encrypts the private key by using the private key password that you specify and returns the encrypted private key. The private key password is a string that is used to encrypt the private key. After you obtain the encrypted private key of the certificate, you can use the following methods to decrypt the private key:
- If the encryption algorithm of the certificate is RSA, run the following command on a computer on which OpenSSL or BabaSSL is installed:
  openssl rsa -in <Encrypted private key file> -passin pass:<Private key password> -out <Decrypted private key file>
- If the encryption algorithm of the certificate is ECC, run the following command on a computer on which OpenSSL or BabaSSL is installed:
  openssl ec -in <Encrypted private key file> -passin pass:<Private key password> -out <Decrypted private key file>
- If the encryption algorithm of the certificate is SM2, run the following command on a computer on which BabaSSL is installed:
  openssl ec -in <Encrypted private key file> -passin pass:<Private key password> -out <Decrypted private key file>
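A variant of the decryption step above, as an added example that is not from the original page: it passes the password to OpenSSL through an environment variable instead of `pass:` in the argument list (where it shows up in process listings and shell history), writes the decrypted key with owner-only permissions, and checks that the key belongs to the issued certificate. The function names and the `KEY_PASSWORD` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page). KEY_PASSWORD and both function
# names are assumptions of this example.

# decrypt_private_key <rsa|ec> <encrypted key file> <decrypted key file>
# Runs the same "openssl rsa" / "openssl ec" step as above, but reads the
# password from KEY_PASSWORD so it never appears in the argument list.
decrypt_private_key() {
    alg=$1; enc=$2; out=$3
    case "$alg" in
        rsa|ec) ;;
        *) echo "algorithm must be rsa or ec" >&2; return 2 ;;
    esac
    [ -n "${KEY_PASSWORD:-}" ] || { echo "KEY_PASSWORD is not set" >&2; return 2; }
    [ -r "$enc" ] || { echo "cannot read $enc" >&2; return 2; }
    (
        umask 077                       # cleartext key: owner read/write only
        tmp="$out.tmp.$$"
        # Pass the variable to this one child process only.
        if KEY_PASSWORD="$KEY_PASSWORD" openssl "$alg" -in "$enc" \
               -passin env:KEY_PASSWORD -out "$tmp" 2>/dev/null; then
            mv -f "$tmp" "$out"
        else
            rm -f "$tmp"                # leave no partial output behind
            exit 1
        fi
    ) || { echo "decryption failed: wrong password or damaged file" >&2; return 1; }
}

# key_matches_cert <decrypted key file> <certificate file>
# Succeeds only if the key's public half equals the certificate's public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}
```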
Limits
You can call this operation up to 100 times per second per account. If the number of the calls per second exceeds the limit, throttling is triggered. As a result, your business may be affected. We recommend that you take note of the limit when you call this operation.
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | DescribeCertificatePrivateKey | The operation that you want to perform. Set the value to DescribeCertificatePrivateKey. |
Identifier | String | Yes | bc37133bb7ed68c7938d928fd26d**** | The unique identifier of the client certificate or server certificate that you want to query. Note: You can call the ListClientCertificate operation to query the unique identifiers of all client certificates and server certificates. |
EncryptedCode | String | Yes | !QA@WS3ed | The password that is used to encrypt the private key. The password can contain letters, digits, and special characters, such as Warning: You must remember the password that you specify. The password is required to decrypt the encrypted private key. If you forget the password, the encrypted private key that is returned cannot be decrypted. You must call this operation again. |
All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.
For more information about sample requests, see the "Examples" section of this topic.
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
EncryptedData | String | -----BEGIN ENCRYPTED PRIVATE KEY-----...-----END ENCRYPTED PRIVATE KEY----- | The content of the encrypted private key. |
RequestId | String | 09470F19-CEE8-5C63-BF2C-02B5E3F07A17 | The ID of the request. |
Examples
Sample requests
http(s)://[Endpoint]/?Action=DescribeCertificatePrivateKey
&Identifier=bc37133bb7ed68c7938d928fd26d****
&EncryptedCode=!QA@WS3ed
&Common request parameters
Sample success responses
XML format
HTTP/1.1 200 OK
Content-Type:application/xml
<DescribeCertificatePrivateKeyResponse>
<EncryptedData>-----BEGIN ENCRYPTED PRIVATE KEY----- …… -----END ENCRYPTED PRIVATE KEY-----</EncryptedData>
<RequestId>09470F19-CEE8-5C63-BF2C-02B5E3F07A17</RequestId>
</DescribeCertificatePrivateKeyResponse>
JSON format
HTTP/1.1 200 OK
Content-Type:application/json
{
"EncryptedData" : "-----BEGIN ENCRYPTED PRIVATE KEY----- …… -----END ENCRYPTED PRIVATE KEY-----",
"RequestId" : "09470F19-CEE8-5C63-BF2C-02B5E3F07A17"
}
Error codes
For a list of error codes, visit the API Error Center.