Queries the encrypted private key of a client certificate or a server certificate.

Usage notes

You can call the DescribeCertificatePrivateKey operation to obtain the encrypted private key of a client certificate or a server certificate. The certificate is issued based on a system-generated certificate signing request (CSR). Before you call this operation, make sure that you have issued a client certificate or a server certificate by calling the following operation:

Notice If you call the CreateCertificateWithExtension operation to issue a certificate, do not specify the CsrPemString parameter. Otherwise, the certificate is issued based on a custom CSR. You cannot obtain the private key of the certificate by calling the DescribeCertificatePrivateKey operation.

To ensure the security of private key transmission, the DescribeCertificatePrivateKey operation encrypts the private key by using the private key password that you specify and returns the encrypted private key. The private key password is a string that is used to encrypt the private key. After you obtain the encrypted private key of the certificate, you can use the following methods to decrypt the private key:

  • If the encryption algorithm of the certificate is RSA, run the openssl rsa -in <Encrypted private key file> -passin pass:<Private key password> -out <Decrypted private key file> command on a computer on which OpenSSL or BabaSSL is installed.
  • If the encryption algorithm of the certificate is ECC, run the openssl ec -in <Encrypted private key file> -passin pass:<Private key password> -out <Decrypted private key file> command on a computer on which OpenSSL or BabaSSL is installed.
  • If the encryption algorithm of the certificate is SM2, run the openssl ec -in <Encrypted private key file> -passin pass:<Private key password> -out <Decrypted private key file> command on a computer on which BabaSSL is installed.
Note You can call the DescribeClientCertificate operation to query the encryption algorithm type of a client certificate or a server certificate.
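The decryption step above, automated as an added example (not code from the Alibaba Cloud documentation or SDK): it takes the JSON response body of DescribeCertificatePrivateKey, checks the 32-byte EncryptedCode limit, picks the openssl rsa or openssl ec subcommand from the certificate's algorithm type, and runs it. It deliberately feeds the password on stdin (-passin stdin) instead of -passin pass:<password>, so the password does not appear in the process list; the sample response is constructed and its PEM body is a placeholder, and the openssl argument (defaulting to "openssl") is an assumption so that a BabaSSL binary can be substituted for SM2.

```python
import json, subprocess, tempfile
from pathlib import Path

# Algorithm type (as reported by DescribeClientCertificate) -> OpenSSL subcommand
# given on the page. SM2 keys need BabaSSL, passed in via the `openssl` argument.
_SUBCOMMAND = {"RSA": "rsa", "ECC": "ec", "SM2": "ec"}
_PEM_HEADER = "-----BEGIN ENCRYPTED PRIVATE KEY-----"

# Constructed sample response body; the PEM body is a placeholder, not a real key.
SAMPLE_RESPONSE = json.dumps({"RequestId": "09470F19-CEE8-5C63-BF2C-02B5E3F07A17",
    "EncryptedData": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIB.placeholder.\n-----END ENCRYPTED PRIVATE KEY-----"})

def check_encrypted_code(password: str) -> str:
    """EncryptedCode is capped at 32 bytes, not 32 characters: measure it UTF-8 encoded."""
    if not password:
        raise ValueError("EncryptedCode must not be empty")
    if len(password.encode("utf-8")) > 32:
        raise ValueError("EncryptedCode must be at most 32 bytes")
    return password

def extract_encrypted_key(response_body: str) -> str:
    """Pull EncryptedData out of the JSON response and check its PEM framing."""
    pem = json.loads(response_body)["EncryptedData"].strip()
    if not pem.startswith(_PEM_HEADER):
        raise ValueError("EncryptedData is not an ENCRYPTED PRIVATE KEY PEM block")
    return pem + "\n"

def build_decrypt_command(algorithm, in_path, out_path, openssl="openssl"):
    """argv for the per-algorithm openssl command from the page. The password is fed on
    stdin rather than as -passin pass:<password>, so it never shows up in `ps` output."""
    try:
        sub = _SUBCOMMAND[algorithm.upper()]
    except KeyError:
        raise ValueError(f"unsupported algorithm {algorithm!r}") from None
    return [openssl, sub, "-in", in_path, "-passin", "stdin", "-out", out_path]

def decrypt_private_key(response_body, algorithm, password, out_path, openssl="openssl"):
    """Write the encrypted PEM to a temporary file, decrypt it, and lock down the result."""
    check_encrypted_code(password)
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as tmp:
        tmp.write(extract_encrypted_key(response_body))
    try:
        argv = build_decrypt_command(algorithm, tmp.name, out_path, openssl)
        subprocess.run(argv, input=password + "\n", text=True, check=True)
    finally:
        Path(tmp.name).unlink(missing_ok=True)
    Path(out_path).chmod(0o600)  # decrypted key: owner-readable only
    return out_path
```

decrypt_private_key only works against a real response, since the placeholder PEM is not decryptable; the other functions run as-is.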

Limits

You can call this operation up to 100 times per second per account. If the number of calls per second exceeds the limit, throttling is triggered and your business may be affected. We recommend that you take note of the limit when you call this operation.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeCertificatePrivateKey

The operation that you want to perform. Set the value to DescribeCertificatePrivateKey.

Identifier String Yes bc37133bb7ed68c7938d928fd26d****

The unique identifier of the client certificate or server certificate that you want to query.

Note You can call the ListClientCertificate operation to query the unique identifiers of all client certificates and server certificates.

EncryptedCode String Yes !QA@WS3ed

The password that is used to encrypt the private key. The password can contain letters, digits, and special characters, such as , + - _ #. The password can be up to 32 bytes in length.

Warning You must remember the password that you specify. The password is required to decrypt the encrypted private key. If you forget the password, the encrypted private key that is returned cannot be decrypted, and you must call this operation again.

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.

For more information about sample requests, see the "Examples" section of this topic.

Response parameters

Parameter Type Example Description
EncryptedData String -----BEGIN ENCRYPTED PRIVATE KEY-----... -----END ENCRYPTED PRIVATE KEY-----

The content of the encrypted private key.

RequestId String 09470F19-CEE8-5C63-BF2C-02B5E3F07A17

The ID of the request.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeCertificatePrivateKey
&Identifier=bc37133bb7ed68c7938d928fd26d****
&EncryptedCode=!QA@WS3ed
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribeCertificatePrivateKeyResponse>
    <EncryptedData>-----BEGIN ENCRYPTED PRIVATE KEY----- …… -----END ENCRYPTED PRIVATE KEY-----</EncryptedData>
    <RequestId>09470F19-CEE8-5C63-BF2C-02B5E3F07A17</RequestId>
</DescribeCertificatePrivateKeyResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "EncryptedData" : "-----BEGIN ENCRYPTED PRIVATE KEY----- …… -----END ENCRYPTED PRIVATE KEY-----",
  "RequestId" : "09470F19-CEE8-5C63-BF2C-02B5E3F07A17"
}

Error codes

For a list of error codes, visit the API Error Center.