You can use Certificates Manager to manage private keys and certificates. You can also use Certificates Manager to generate and verify signatures. This topic describes how to create a certificate, download a certificate signing request (CSR), import a certificate, and use a certificate.

Step 1: Create a certificate and download the CSR

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which you want to create a certificate.
  3. In the left-side navigation pane, click Certificate.
  4. On the Certificate page, click Create Certificate.
  5. In the Create Certificate dialog box, configure the following parameters.
    Parameter                Description
    CommonName(CN)           The name of the entity that uses the certificate.
    Country(C)               The alpha-2 country code that complies with the ISO 3166-1 standard. For example, CN indicates China.
    StateOrProvince(ST)      The name of the province, municipality, autonomous region, or special administrative region.
    Locality(L)              The name of the city.
    Organization(O)          The legal name of the enterprise, company, organization, or institution. You can click the plus sign (+) to add more names.
    OrganizationUnit(OU)     The name of the department. You can click the plus sign (+) to add more names.
    Email(E)                 The email address of the certificate holder or administrator.
    SubjectAlternativeNames  If the certificate is a domain validated (DV) certificate, you can add subject alternative names to generate a multi-domain CSR. Click the plus sign (+), enter a subject alternative name, and then click the right icon.
    Key Spec                 Valid values:
                             • RSA_2048
                             • EC_SM2
                             • EC_P256
                             Note: Select a value based on the algorithm that is supported by the certificate application system. EC_P256 provides advanced security, and RSA_2048 provides high compatibility. However, specific application systems will no longer support RSA_2048 as of December 31, 2030.
    Exportable Key           Specifies whether the private key of the certificate can be exported for use. Valid values:
                             • Yes: The private key of the certificate can be exported for use.
                             • No: The private key of the certificate cannot be exported for use. For security purposes, we recommend that you select No.
  6. Click Create Certificate.
  7. In the Successfully created certificate dialog box, click Download certificate request.
  8. Click OK.

Step 2: Obtain a CA-issued certificate

Submit the CSR file that you downloaded in Step 1 to a certificate authority (CA) to obtain the validated certificate and certificate chain.
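Before the CSR leaves your hands, it is worth confirming that the file actually carries the subject, the subject alternative names and the Key Spec you entered in Step 1. The Go program below is an added example that is not part of the original page or of Alibaba Cloud's own code; it uses only the standard library, assumes the downloaded CSR is PEM-encoded, and uses a constructed CSR (SampleCSR) in place of the real download.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"strconv"
)

// InspectCSR parses a PEM CSR (as downloaded in Step 1) and returns CommonName, Key Spec (named as in
// the console) and SANs; a CSR whose own signature (proof of private-key possession) fails is rejected.
func InspectCSR(pemBytes []byte) (cn, keySpec string, sans []string, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", "", nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return "", "", nil, err
	}
	keySpec = "UNKNOWN" // EC_SM2 lands here: Go's standard library has no SM2 support
	switch k := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		keySpec = "RSA_" + strconv.Itoa(k.N.BitLen()) // RSA_2048 for the console's RSA option
	case *ecdsa.PublicKey:
		if k.Curve == elliptic.P256() {
			keySpec = "EC_P256"
		}
	}
	return csr.Subject.CommonName, keySpec, csr.DNSNames, nil
}

// SampleCSR is a constructed EC_P256 CSR with Step 1 fields; a stand-in for the console download.
func SampleCSR() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "example.com", Country: []string{"CN"}, Organization: []string{"Example Ltd"}},
		DNSNames: []string{"example.com", "www.example.com"},
	}
	der, _ := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}
```

A mismatch between the reported Key Spec and the one selected in the console, or a SAN that is missing here, means the CA would issue a certificate that does not match the key held in KMS.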

Step 3: Import the certificate

  1. In the certificate list, find the certificate and choose More > Import certificate in the Operating column.
  2. In the Import certificate dialog box, upload the certificate and certificate chain that you obtained in Step 2 or enter the content of the certificate and certificate chain.
  3. Click OK.
    After you import the certificate, the certificate is in the Active state. You can use the certificate to perform various operations. For example, you can manage keys, generate signatures, or verify signatures.

Step 4: Use the certificate to generate a signature

  • Method 1: Call the CertificatePrivateKeySign operation to generate a signature by using the certificate.
  • Method 2: Use KMS SDKs to generate a signature by using the certificate. For more information about KMS SDKs, see SDK overview. Sample Java code:
    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.kms.model.v20160120.CertificatePrivateKeySignRequest;
    import com.aliyuncs.kms.model.v20160120.CertificatePrivateKeySignResponse;
    import org.apache.commons.codec.binary.Base64;
    
    /**
     *  @param client The Alibaba Cloud SDK client. For more information, see the documentation of Alibaba Cloud SDK for Java. 
     *  @param certId The ID of the certificate that you want to use. 
     *  @param sigAlg The digital signature algorithm. For more information, see the reference document of the KMS API operation CertificatePrivateKeySign. 
     *  @param message The content that you want to sign. The size of the content must be less than or equal to 4 KB. 
     */
    public byte[] doSignByCertificate(DefaultAcsClient client, String certId, String sigAlg, byte[] message) throws ClientException {
        String msgB64 = Base64.encodeBase64String(message); // Encode the content that you want to sign in Base64. 
        CertificatePrivateKeySignRequest request = new CertificatePrivateKeySignRequest();
        request.setCertificateId(certId);
        request.setAlgorithm(sigAlg);
        request.setMessage(msgB64);
    
        CertificatePrivateKeySignResponse response = client.getAcsResponse(request);
    
        String sigB64 = response.getSignatureValue();
        return Base64.decodeBase64(sigB64); // Decode the Base64-encoded data that is returned to obtain the value of the signature. 
    }

Step 5: Use the certificate to verify a signature

  • Method 1: Call the CertificatePublicKeyVerify operation to verify a signature by using the certificate.
  • Method 2: Use KMS SDKs to verify a digital signature by using the certificate. For more information about KMS SDKs, see SDK overview. Sample Java code:
    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.kms.model.v20160120.CertificatePublicKeyVerifyRequest;
    import com.aliyuncs.kms.model.v20160120.CertificatePublicKeyVerifyResponse;
    import org.apache.commons.codec.binary.Base64;
    
    /**
     *  @param client The Alibaba Cloud SDK client. For more information, see the documentation of Alibaba Cloud SDK for Java. 
     *  @param certId The ID of the certificate that you want to use. 
     *  @param sigAlg The digital signature algorithm. It must be the same algorithm that was used to generate the signature. For more information, see the reference documents of the KMS API operations CertificatePrivateKeySign and CertificatePublicKeyVerify. 
     *  @param message The content that you want to verify. The size of the content must be less than or equal to 4 KB. 
     *  @param signature The digital signature of the content that you want to verify. 
     */
    public Boolean doVerifyByCertificate(DefaultAcsClient client, String certId, String sigAlg, byte[] message, byte[] signature) throws ClientException {
        String msgB64 = Base64.encodeBase64String(message); // Encode the content that you want to verify in Base64. 
        String sigB64 = Base64.encodeBase64String(signature); // Encode the signature value in Base64. 
        CertificatePublicKeyVerifyRequest request = new CertificatePublicKeyVerifyRequest();
        request.setCertificateId(certId);
        request.setAlgorithm(sigAlg);
        request.setMessage(msgB64);
        request.setSignatureValue(sigB64);
    
        CertificatePublicKeyVerifyResponse response = client.getAcsResponse(request);
    
        return response.getSignatureValid();
    }