
Key Management Service: CertificatePrivateKeyDecrypt

Last Updated: Jul 29, 2025

Decrypts data by using a specific certificate.

Operation description

Limit: The encryption algorithm in the request parameters must match the key type.

The following table describes the mapping between encryption algorithms and key types.

| Algorithm | Key Spec |
|---|---|
| RSAES_OAEP_SHA_1 | RSA_2048 |
| RSAES_OAEP_SHA_256 | RSA_2048 |
| SM2PKE | EC_SM2 |

In this example, the certificate whose ID is 12345678-1234-1234-1234-12345678**** and the encryption algorithm RSAES_OAEP_SHA_256 are used to decrypt the data ZOyIygCyaOW6Gj****MlNKiuyjfzw=.

Debugging

You can call this operation directly in OpenAPI Explorer, which saves you from calculating signatures. After the call succeeds, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

No authorization information is currently published for this operation.

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| CertificateId | string | Yes | The ID of the certificate. The ID must be globally unique in Certificates Manager. | 12345678-1234-1234-1234-12345678**** |
| Algorithm | string | Yes | The encryption algorithm. Valid values: RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE. Note: The SM2PKE encryption algorithm is supported only in regions in mainland China. In these regions, managed hardware security modules (HSMs) are used. For more information, see Managed HSM overview. | RSAES_OAEP_SHA_256 |
| CiphertextBlob | string | Yes | The data that you want to decrypt. The value is encoded in Base64. | ZOyIygCyaOW6Gj****MlNKiuyjfzw= |

For more information about common request parameters, see Common parameters.

Response parameters

| Parameter | Type | Description | Example |
|---|---|---|---|
|  | object |  |  |
| RequestId | string | The ID of the request, which is used to locate and troubleshoot issues. | 5979d897-d69f-4fc9-87dd-f3bb73c40b80 |
| CertificateId | string | The ID of the certificate. | 12345678-1234-1234-1234-12345678**** |
| Plaintext | string | The plaintext obtained after the data is decrypted. The value is encoded in Base64. | VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4 |

Examples

Sample success responses

JSON format

{
  "RequestId": "5979d897-d69f-4fc9-87dd-f3bb73c40b80",
  "CertificateId": "12345678-1234-1234-1234-12345678****",
  "Plaintext": "VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4"
}
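
As an added example (not code from this documentation or from any Alibaba Cloud SDK), the following Python code checks the three request parameters against the algorithm and key spec table before a call is made, and decodes the Plaintext field of a response. The function names and the caller-supplied key_spec argument are assumptions; the sample Plaintext value on this page carries no Base64 padding, so the decoder restores it before strict validation.

```python
# Added example: helper names are hypothetical; no SDK or network call is made.
import base64
import binascii
import json

# Algorithm -> key spec mapping, copied from the table on this page.
ALGORITHM_KEY_SPEC = {
    "RSAES_OAEP_SHA_1": "RSA_2048",
    "RSAES_OAEP_SHA_256": "RSA_2048",
    "SM2PKE": "EC_SM2",
}


def build_decrypt_params(certificate_id, algorithm, key_spec, ciphertext):
    """Validate inputs locally and return the three request parameters."""
    if not certificate_id:
        raise ValueError("CertificateId is required")
    expected = ALGORITHM_KEY_SPEC.get(algorithm)
    if expected is None:
        raise ValueError(f"unsupported Algorithm: {algorithm!r}")
    if key_spec != expected:
        raise ValueError(f"{algorithm} requires key spec {expected}, got {key_spec}")
    if not ciphertext:
        raise ValueError("ciphertext is empty")
    # RSA ciphertext is exactly as long as the modulus (256 bytes for RSA_2048).
    if expected == "RSA_2048" and len(ciphertext) != 256:
        raise ValueError("RSA_2048 ciphertext must be 256 bytes")
    return {
        "CertificateId": certificate_id,
        "Algorithm": algorithm,
        "CiphertextBlob": base64.b64encode(ciphertext).decode("ascii"),
    }


def decode_plaintext(response_json, expected_certificate_id):
    """Parse a response body and return the decrypted bytes."""
    body = json.loads(response_json)
    if body.get("CertificateId") != expected_certificate_id:
        raise ValueError("response CertificateId does not match the request")
    value = body.get("Plaintext")
    if not isinstance(value, str):
        raise ValueError("response has no Plaintext field")
    # The sample value on this page has no '=' padding; restore it first.
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError("Plaintext is not valid Base64") from exc
```

Treat the decoded bytes as sensitive: keep them out of logs and error messages.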

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | InvalidParameter | The specified parameter is not valid. | An invalid value is specified for the parameter. |
| 404 | Certificate.NotFound | The specified certificate is not found. | The specified certificate does not exist. |
| 404 | InvalidAccessKeyId.NotFound | The Access Key ID provided does not exist in our records. | - |

For a list of error codes, see Service error codes.