All Products
Search
Document Center

Key Management Service:Initialize the client

Last Updated:Jun 21, 2026

To make KMS instance API requests with the SDK, you must first initialize a client.

Initialize the client

import com.aliyun.dkms.gcs.openapi.models.Config;
import com.aliyun.dkms.gcs.sdk.Client;
 public static void initClient() throws Exception {
        // The protocol must be "https". The KMS instance service only allows access over HTTPS.
        Config config = new Config();
        config.setProtocol("https");
        // Path to the ClientKey file.
        config.setClientKeyFile("<YOUR_CLIENT_KEY_FILE>");
         // Password for the ClientKey.
        config.setPassword("<YOUR_PASSWORD>");
         // Set the endpoint to <your-kms-instance-id>.cryptoservice.kms.aliyuncs.com.
        config.setEndpoint("<YOUR_ENDPOINT>");
        // The CA certificate of the KMS instance. You can specify a file path or the content directly.
        config.setCaFilePath("<PATH_TO_YOUR_CACERT>");
        // Alternatively, you can set the CA certificate content.
        //config.setCa("<your-ca-certificate-content");
        client = new Client(config);
    }
Important

A CA certificate is critical for securing communication in a production environment. It validates the authenticity of the SSL/TLS certificate. We recommend always keeping this verification enabled. If you must disable SSL/TLS certificate verification, for example, in an offline testing environment, you can set the IgnoreSSL field of the RuntimeOptions parameter to true.

Parameters

Endpoint

The domain name of the KMS instance.

  1. On the Instances page, click the Software Key Management or Hardware Key Management tab, and then select the target KMS instance.

  2. Click the instance ID to go to the details page and view the Instance VPC Endpoint. In the Basic Information section of the instance details page, view the Instance VPC Endpoint field. This address is the endpoint of the instance, and is in a format such as kst-xxx.cryptoservice.kms.aliyuncs.com.

ClientKey file path

The path to your application's credential file. When you create a ClientKey, the file is downloaded automatically by your browser. The default filename is clientKey_****.json.

Password

The password for the ClientKey. When you create a ClientKey, a password file is downloaded automatically by your browser. The default filename is clientKey_****_Password.txt.

Ca and caFilePath

The CA certificate of the KMS instance.

  1. On the Instances page, click the Software Key Management or Hardware Key Management tab, and then select the target KMS instance.

  2. Click the instance ID or click Details in the Actions column. On the Details page, in the Instance CA Certificate section, click Download and save the certificate securely.

    Note

    The downloaded CA certificate file is named PrivateKmsCA_kst-******.pem by default.