Key Management Service: Initialize client

Last Updated: Mar 31, 2026

Initialize the C# client before making API requests with the Key Management Service (KMS) instance SDK.

Prerequisites

Before you begin, make sure you have:

  • The KMS instance SDK for C# installed (AlibabaCloud.Dkms.Gcs.Sdk)

  • A KMS instance endpoint (see endpoint under Parameters)

  • A ClientKey file (clientKey_****.json) downloaded from the KMS console

  • A ClientKey password file (clientKey_****_Password.txt) downloaded from the KMS console

  • A CA certificate file (PrivateKmsCA_kst-******.pem) downloaded from the KMS console

Initialize the client

Set the ClientKeyFile and Password environment variables to the paths of your ClientKey and password files, then run the following code:

# macOS or Linux
export ClientKeyFile=/path/to/clientKey_****.json
export Password=/path/to/clientKey_****_Password.txt

# Windows Command Prompt
set ClientKeyFile=C:\path\to\clientKey_****.json
set Password=C:\path\to\clientKey_****_Password.txt

# Windows PowerShell
$Env:ClientKeyFile="C:\path\to\clientKey_****.json"
$Env:Password="C:\path\to\clientKey_****_Password.txt"

// C#
using System;

string regionId = "<REGION_ID>";

// Path to the CA certificate of the KMS instance.
string caFilePath = "<CA_CERTIFICATE>";

// Endpoint format: <your KMS Instance Id>.cryptoservice.kms.aliyuncs.com
string endpoint = "<ENDPOINT>";

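// Build the KMS instance config using the ClientKey and password from environment variables.
// CreateKmsInstanceConfig and CreateClient are helper methods that are not defined in this snippet.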
AlibabaCloud.Dkms.Gcs.OpenApi.Models.Config kmsInstanceConfig = CreateKmsInstanceConfig(
    AlibabaCloud.DarabonbaEnv.Client.GetEnv("ClientKeyFile"),
    AlibabaCloud.DarabonbaEnv.Client.GetEnv("Password"),
    endpoint,
    caFilePath
);

AlibabaCloud.Dkms.Gcs.Sdk.Client client = CreateClient(kmsInstanceConfig);

Important

Always keep SSL/TLS certificate verification enabled in production. The CA certificate verifies the authenticity of your KMS instance's SSL/TLS certificate. To disable verification for offline testing only, set the IgnoreSSL field in RuntimeOptions to true.

Parameters

endpoint

The endpoint is the dedicated gateway address of your KMS instance, in the format <your KMS Instance Id>.cryptoservice.kms.aliyuncs.com.

To find your endpoint:

  1. On the Instances page, click Software Key Management or Hardware Key Management, then click your KMS instance.

  2. In the Basic Information section, copy the value in the Instance VPC Endpoint field.

ClientKeyFile

The ClientKeyFile is the path to your application's identity credentials. When you create a ClientKey in the KMS console, the browser automatically downloads it as clientKey_****.json.

Password

The Password is the security token for your ClientKey. The browser downloads it automatically when you create a ClientKey, as clientKey_****_Password.txt.

CaFilePath

The CaFilePath is the path to the CA certificate associated with your KMS instance.

To download the CA certificate:

  1. On the Instances page, go to the Instance CA Certificate section and click Download.

  2. In the Instance CA Certificate dialog box, select your instance ID and click Download. Store the file securely.

The default filename is PrivateKmsCA_kst-******.pem.
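
A pre-flight check for the four inputs described above, as an added example that is not part of the original page or of the KMS SDK. It uses only the .NET base class library; the KmsPreflight class, its Check method and the character set allowed in the instance ID are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

// Hypothetical helper, not part of the KMS SDK. Requires .NET 7+ (File.GetUnixFileMode).
public static class KmsPreflight
{
    // Returns a list of problems; an empty list means the inputs look sane.
    public static List<string> Check(string clientKeyFile, string passwordFile,
                                     string caFilePath, string endpoint)
    {
        var problems = new List<string>();
        const UnixFileMode groupOrOther =
            UnixFileMode.GroupRead | UnixFileMode.GroupWrite | UnixFileMode.GroupExecute |
            UnixFileMode.OtherRead | UnixFileMode.OtherWrite | UnixFileMode.OtherExecute;

        // Credential files: must exist and, on Unix, grant nothing to group or others.
        foreach (var (name, path) in new[] { ("ClientKeyFile", clientKeyFile), ("Password", passwordFile) })
        {
            if (string.IsNullOrWhiteSpace(path) || !File.Exists(path))
                problems.Add($"{name}: not set or file not found");
            else if (!OperatingSystem.IsWindows() && (File.GetUnixFileMode(path) & groupOrOther) != 0)
                problems.Add($"{name}: accessible to group or others, restrict it (chmod 600)");
        }

        // CA certificate: must parse and be inside its validity window.
        try
        {
            using var ca = new X509Certificate2(caFilePath);
            var now = DateTime.Now; // NotBefore and NotAfter are local times
            if (now < ca.NotBefore || now > ca.NotAfter)
                problems.Add($"CaFilePath: not valid now (NotAfter {ca.NotAfter:yyyy-MM-dd})");
        }
        catch (Exception e) when (e is CryptographicException or IOException or ArgumentException)
        {
            problems.Add($"CaFilePath: cannot load certificate ({e.Message})");
        }

        // Endpoint: bare host name, no scheme, port or path. Character set is an assumption.
        if (!Regex.IsMatch(endpoint ?? "", @"^[A-Za-z0-9-]+\.cryptoservice\.kms\.aliyuncs\.com\z"))
            problems.Add("endpoint: expected <instance id>.cryptoservice.kms.aliyuncs.com");

        return problems;
    }
}
```

Call Check with the same four values that are passed to CreateKmsInstanceConfig, and refuse to create the client if the returned list is not empty.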