All Products
Search
Document Center

Key Management Service:Initialize client

Last Updated:Mar 31, 2026

Before making API requests with the Key Management Service (KMS) instance SDK, initialize an SDK client with your instance credentials.

Prerequisites

Before you begin, ensure that you have:

  • A KMS instance (Software Key Management or Hardware Key Management)

  • A ClientKey file (clientKey_****.json) and its password file (clientKey_****_Password.txt)

  • The instance CA certificate (PrivateKmsCA_kst-******.pem)

Initialize the client

Important

Always configure the CA certificate in production. It verifies the SSL/TLS certificate authenticity of your KMS instance, preventing man-in-the-middle attacks. For offline testing only, you can skip verification by setting IgnoreSSL to true in the RuntimeOptions parameter.

<?php

use AlibabaCloud\Dkms\Gcs\Sdk\Client as AlibabaCloudDkmsGcsSdkClient;
use AlibabaCloud\Dkms\Gcs\OpenApi\Models\Config as AlibabaCloudDkmsGcsOpenApiConfig;


function getDkmsGcsSdkClient()
{
    global $clientKeyContent, $password, $endpoint;

    // Construct the KMS instance SDK client configuration.
    $config = new AlibabaCloudDkmsGcsOpenApiConfig();
    // The connection protocol. Set the value to https. The KMS instance service only allows access through the HTTPS protocol.
    $config->protocol = 'https';
    // Client Key.
    $config->clientKeyContent = $clientKeyContent;
    // Client Key security token.
    $config->password = $password;
    // The endpoint of your KMS instance. Set the value in the following format: <ID of your KMS instance >.cryptoservice.kms.aliyuncs.com.
    $config->endpoint = $endpoint;
    // Instance CA certificate.
    $config->caFilePath = 'path/to/caCert.pem';

    // Construct the KMS instance SDK client object.
    return new AlibabaCloudDkmsGcsSdkClient($config);
}

The following table describes each configuration parameter and where to get its value.

ParameterDescriptionWhere to get it
protocolConnection protocol. Must be set to https — KMS only allows HTTPS connections.Fixed value: 'https'
clientKeyContentContent of the ClientKey file, which holds the application's identity credentials.Downloaded automatically when you create a ClientKey. Default filename: clientKey_****.json
passwordSecurity token for the ClientKey.Downloaded automatically when you create a ClientKey. Default filename: clientKey_****_Password.txt
endpointDedicated gateway endpoint of your KMS instance. Format: <ID of your KMS instance>.cryptoservice.kms.aliyuncs.comSee Find your endpoint
caFilePathFile path to the CA certificate associated with your KMS instance.See Download the CA certificate

Find your endpoint

The Endpoint is the dedicated gateway endpoint representing the domain address of your KMS instance.

  1. Go to the Instances page and click the Software Key Management or Hardware Key Management tab.

  2. Click the target KMS instance.

  3. In the Basic Information section, copy the value from the Instance VPC Endpoint field.

    image

Download the CA certificate

  1. Go to the Instances page and click the Software Key Management or Hardware Key Management tab.

  2. Click the instance ID or click Details in the Actions column.

  3. On the details page, click download next to Instance CA Certificate.

    The downloaded file is named PrivateKmsCA_kst-******.pem by default. Store it securely.

    image

What's next

After initializing the client, use it to call KMS instance SDK operations such as encrypting data, decrypting data, or generating data keys.