Creates a certificate.

To create a certificate, you must specify the type of the asymmetric key. Certificates Manager generates a private key and returns a certificate signing request (CSR). Submit the CSR in the Privacy Enhanced Mail (PEM) format to a certificate authority (CA) to obtain the formal certificate and certificate chain. Then, call the UploadCertificate operation to import the certificate into Certificates Manager.

In this example, a certificate is created and the CSR is obtained.


OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateCertificate

The operation that you want to perform. Set the value to CreateCertificate.

KeySpec String Yes RSA_2048

The type of the key. Valid values:

  • RSA_2048
  • EC_P256
  • EC_SM2

Subject String Yes CN=userName,OU=kms,O=aliyun,C=CN

The certificate subject, which is the owner of the certificate.

Specify the value in the distinguished name (DN) format, as defined in RFC 2253. A DN is a sequence of relative distinguished names (RDNs).

RDNs are key-value pairs in the format of attribute1=value1,attribute2=value2. Separate multiple RDNs with commas (,).

The Subject parameter consists of the following fields:

  • CN: required. The name of the certificate subject.
  • C: required. The two-character country or region code in the ISO 3166-1 standard. For example, CN indicates China.
  • O: required. The legal name of the enterprise, company, organization, or institution.
  • OU: required. The name of the department.
  • ST: optional. The name of the province, municipality, autonomous region, or special administrative region.
  • L: optional. The name of the city.

SubjectAlternativeNames Json No ["",""]

The subject alternative names.

A domain name list is supported. A maximum of 10 domain names are supported.

ExportablePrivateKey Boolean No true

Specifies whether the private key of the certificate can be exported for use. Valid values:

  • true: The private key of the certificate can be exported for use. This is the default value.
  • false: The private key of the certificate cannot be exported for use. We recommend that you set this parameter to false for keys that require a higher level of protection.

For more information about common request parameters, see Common parameters.
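
The following added example (not part of the original reference and not Alibaba Cloud SDK code) checks the request parameters described above before a call is made: the KeySpec values, the required Subject fields, and the limit of 10 subject alternative names. The function names are hypothetical, ExportablePrivateKey defaults to false here in line with the recommendation above, and the SAN value is constructed sample data.

```python
import json
import re

VALID_KEY_SPECS = {"RSA_2048", "EC_P256", "EC_SM2"}  # values listed on this page
REQUIRED_RDNS = {"CN", "C", "O", "OU"}               # required Subject fields
MAX_SANS = 10                                        # documented SAN limit


def parse_subject(subject):
    """Split a DN into {attribute: value}, keeping backslash-escaped commas."""
    # Simplified: multi-valued (+) RDNs and quoted values are not handled.
    rdns = {}
    for part in re.split(r"(?<!\\),", subject):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        if attr in rdns:
            raise ValueError(f"duplicate RDN: {attr}")
        rdns[attr] = value
    return rdns


def build_create_certificate_params(key_spec, subject, sans=(), exportable=False):
    """Return CreateCertificate request parameters or raise ValueError."""
    # exportable defaults to False here (hardened), unlike the API default.
    if key_spec not in VALID_KEY_SPECS:
        raise ValueError(f"unsupported KeySpec: {key_spec}")
    rdns = parse_subject(subject)
    missing = REQUIRED_RDNS - set(rdns)
    if missing:
        raise ValueError(f"Subject lacks required fields: {sorted(missing)}")
    if not re.fullmatch(r"[A-Za-z]{2}", rdns["C"]):
        raise ValueError("C must be a two-character country or region code")
    sans = list(sans)
    # Assumption: empty names are rejected locally; the page only states the limit.
    if len(sans) > MAX_SANS or any(not str(s).strip() for s in sans):
        raise ValueError("at most 10 non-empty SubjectAlternativeNames")
    params = {
        "Action": "CreateCertificate",
        "KeySpec": key_spec,
        "Subject": subject,
        # Assumption: booleans are sent as lowercase strings in the query.
        "ExportablePrivateKey": "true" if exportable else "false",
    }
    if sans:
        params["SubjectAlternativeNames"] = json.dumps(sans)
    return params
```

The returned dictionary still needs the common request parameters and a signature before it can be sent.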

Response parameters

Parameter Type Example Description
Arn String acs:kms:cn-hangzhou:154035569884****:certificate/98e85c94-52d0-40c9-b3b2-afda52f4****

The Alibaba Cloud Resource Name (ARN) of the certificate.

CertificateId String 9a28de48-8d8b-484d-a766-dec4****

The ID of the certificate. It is the globally unique identifier (GUID) of the certificate in Certificates Manager.


The CSR in the PEM format.

RequestId String 15a735a1-8fe6-45cc-a64c-3c4ff839334e

The ID of the request.


Sample requests

&<Common request parameters>

Sample success responses

JSON format

{
	"CertificateId": "98e85c94-52d0-40c9-b3b2-afda52f4****",
	"Arn": "acs:kms:cn-hangzhou:154035569884****:certificate/98e85c94-52d0-40c9-b3b2-afda52f4****",
	"RequestId": "15a735a1-8fe6-45cc-a64c-3c4ff839334e"
}

Error codes

HTTP status code Error code Error message Description
404 InvalidAccessKeyId.NotFound The specified AccessKey ID does not exist. The error message returned because the specified AccessKey ID does not exist. Check whether a valid AccessKey ID is specified when you call the operation.

For a list of error codes, visit the API Error Center.