CertificatePublicKeyEncrypt - Key Management Service - Alibaba Cloud Documentation Center

Encrypts data by using a specific certificate.

Operation description

Limit: The encryption algorithm in the request parameters must match the key type.

The following table describes the mapping between encryption algorithms and key types.

Algorithm	Key Spec
RSAES_OAEP_SHA_1	RSA_2048
RSAES_OAEP_SHA_256	RSA_2048
SM2PKE	EC_SM2
In this example, the certificate whose ID is `12345678-1234-1234-1234-12345678****` and the encryption algorithm `RSAES_OAEP_SHA_256` are used to encrypt the data `VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4=`.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters

Parameter	Type	Required	Description	Example
CertificateId	string	Yes	The ID of the certificate. The ID must be globally unique in Certificates Manager.	12345678-1234-1234-1234-12345678****
Algorithm	string	Yes	The encryption algorithm. Valid values: RSAES_OAEP_SHA_1 RSAES_OAEP_SHA_256 SM2PKE Note The SM2PKE encryption algorithm is supported only in regions in mainland China. In these regions, managed hardware security modules (HSMs) are used. For more information, see Managed HSM overview.	RSAES_OAEP_SHA_256
Plaintext	string	Yes	The data that you want to encrypt. The value is encoded in Base64. For example, if the hexadecimal data that you want to encrypt is `[0x31, 0x32, 0x33, 0x34]`, the Base64-encoded data is `MTIzNA==`. The size of data that can be encrypted varies based on the encryption algorithm that you use: RSAES_OAEP_SHA_1: 214 bytes RSAES_OAEP_SHA_256: 190 bytes SM2PKE: 6,047 bytes If the size of data that you want to encrypt exceeds the preceding limits, you can call the GenerateDataKey operation to generate a data key to encrypt the data. Then, call the CertificatePublicKeyEncrypt operation to encrypt the data key.	VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4=

For more information about common request parameters, see Common parameters.

Response parameters

Parameter	Type	Description	Example
	object
CiphertextBlob	string	The ciphertext. The value is encoded in Base64.	ZOyIygCyaOW6Gj****MlNKiuyjfzw=
RequestId	string	The ID of the request, which is used to locate and troubleshoot issues.	5979d897-d69f-4fc9-87dd-f3bb73c40b80
CertificateId	string	The ID of the certificate.	12345678-1234-1234-1234-12345678****

Examples

Sample success responses

JSONformat

{
  "CiphertextBlob": "ZOyIygCyaOW6Gj****MlNKiuyjfzw=",
  "RequestId": "5979d897-d69f-4fc9-87dd-f3bb73c40b80",
  "CertificateId": "12345678-1234-1234-1234-12345678****"
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvalidParameter	The specified parameter is not valid.	An invalid value is specified for the parameter.
404	Certificate.NotFound	The specified certificate is not found.	The specified certificate does not exist.
404	InvalidAccessKeyId.NotFound	The Access Key ID provided does not exist in our records.	-

For a list of error codes, visit the Service error codes.