Certificate Management Service: CreateServerCertificateWithCsr

Last Updated: Dec 24, 2025

Issues a server-side certificate based on a custom Certificate Signing Request (CSR).

Operation description

Before you call this operation, you must call CreateRootCACertificate to create a root CA certificate and CreateSubCACertificate to create a subordinate CA certificate. Server-side certificates can be issued only by subordinate CA certificates.

Limits

This operation has a queries per second (QPS) limit of 10 requests per user. If you exceed this limit, rate limiting is triggered, which may affect your business. Call this operation only as needed.

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
| --- | --- | --- | --- | --- |
| yundun-cert:CreateServerCertificateWithCsr | create | *All Resource * | None | None |

Request parameters

| Parameter | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| Csr | string | Yes | You can generate a CSR using OpenSSL or Keytool. For more information, see How to create a CSR file. | -----BEGIN CERTIFICATE REQUEST----- ...... -----END CERTIFICATE REQUEST----- |
| Domain | string | No | Additional domain names or IP addresses for the server-side certificate. Adding this information lets you apply the certificate to multiple domains or IP addresses. You can enter multiple domain names and IP addresses. Separate them with commas (,). | example.com |
| Organization | string | No | Organization name. Default: Alibaba Inc. | 阿里云 |
| OrganizationUnit | string | No | Department name. Default: Aliyun CDN. | IT |
| Country | string | No | Country code, such as CN. | CN |
| CommonName | string | No | Set the common name for the certificate. Supports Chinese, English, and other characters. Note: If you set the Csr parameter, the value of CommonName comes from the corresponding field in the Csr parameter. | mtcsq.com |
| State | string | No | Set the name of the state or province where the organization is located. Supports Chinese, English, and other characters. Defaults to the state or province of the issuing sub-CA certificate's organization. | Zhejiang |
| Locality | string | No | The city where the organization for the certificate is located. The name can contain both Chinese and English characters. By default, this parameter is set to the city of the organization for the issuing subordinate Certificate Authority (CA). | Hangzhou |
| Algorithm | string | No | Key algorithm for the server-side certificate. Use the format <encryption algorithm>_<key length>. Valid values: RSA_1024 (signature algorithm is Sha256WithRSA); RSA_2048 (signature algorithm is Sha256WithRSA); RSA_4096 (signature algorithm is Sha256WithRSA); ECC_256 (signature algorithm is Sha256WithECDSA); ECC_384 (signature algorithm is Sha256WithECDSA); ECC_512 (signature algorithm is Sha256WithECDSA); SM2_256 (signature algorithm is SM3WithSM2). The encryption algorithm of the server-side certificate must match that of the sub-CA certificate. The key length can differ. For example, if the sub-CA certificate uses RSA_2048, the server-side certificate must use RSA_1024, RSA_2048, or RSA_4096. Note: Call DescribeCACertificate to check the key algorithm of the sub-CA certificate. | RSA_2048 |
| ParentIdentifier | string | Yes | Unique identifier of the sub-CA certificate that issues this certificate. Note: Call DescribeCACertificateList to query the unique identifier of the sub-CA certificate. | 270oe6bb538d538c70c01f81hfd3**** |
| Years | integer | No | Certificate validity period. Unit: years. | 1 |
| Months | integer | No | Certificate validity period. Unit: months. | 12 |
| Days | integer | No | The Days, BeforeTime, and AfterTime parameters cannot all be empty. The BeforeTime and AfterTime parameters must both be empty or both set. Follow these rules: (1) If you set Days, you can optionally set BeforeTime and AfterTime. (2) If you do not set Days, you must set both BeforeTime and AfterTime. Note: If you set Days, BeforeTime, and AfterTime together, the validity period uses the value of Days. The server-side certificate validity period cannot exceed that of the sub-CA certificate. Call DescribeCACertificate to check the sub-CA certificate validity period. | 365 |
| BeforeTime | integer | No | Issue time of the server-side certificate, in UNIX timestamp format. Default: current time when you call this API. Unit: seconds. Note: The BeforeTime and AfterTime parameters must both be empty or both configured. | 1634283958 |
| AfterTime | integer | No | Expiration time of the server-side certificate, in UNIX timestamp format. Unit: seconds. Note: The BeforeTime and AfterTime parameters must both be empty or both configured. | 1665819958 |
| Immediately | integer | No | Return the digital certificate immediately. 0: Do not return (default). 1: Return the certificate. 2: Return the certificate and its certificate chain. | 1 |
| EnableCrl | integer | No | Include CRL address. 0: No. 1: Yes. | 1 |
| Tags | array<object> | No | List of tags. | |
| | object | No | List of tags. | |
| Key | string | No | Tag key. | account |
| Value | string | No | Tag value. | test |
| ResourceGroupId | string | No | Resource group ID. | rg-aek****wia |
| CustomIdentifier | string | No | Custom identifier. Unique key. | ***e6bb538d538c70c01f81hfd3**** |

When you call this operation, you must include the common request parameters for Alibaba Cloud APIs in addition to the parameters that are described in this topic.

For information about the request format, see the Examples section.
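
The parameter rules above (required fields, the Days / BeforeTime / AfterTime combinations, the validity ceiling, and the algorithm match with the sub-CA) can be checked client-side before a call is counted against the QPS limit. The following pre-flight check is an added example, not Alibaba Cloud SDK code: `validate_issue_params` is a hypothetical helper, the sub-CA algorithm and expiry are assumed to come from a prior DescribeCACertificate call, and a Days-based validity period is assumed to start at the current time.

```python
import time

VALID_ALGORITHMS = {"RSA_1024", "RSA_2048", "RSA_4096",
                    "ECC_256", "ECC_384", "ECC_512", "SM2_256"}


def validate_issue_params(params, sub_ca_algorithm, sub_ca_not_after, now=None):
    """Return (errors, warnings) for a CreateServerCertificateWithCsr request.

    sub_ca_algorithm and sub_ca_not_after (UNIX seconds) are assumed to come
    from DescribeCACertificate; this function makes no network calls.
    """
    now = int(time.time()) if now is None else now
    errors, warnings = [], []

    for name in ("Csr", "ParentIdentifier"):
        if not params.get(name):
            errors.append(f"{name} is required")

    days = params.get("Days")
    before, after = params.get("BeforeTime"), params.get("AfterTime")
    if (before is None) != (after is None):
        errors.append("BeforeTime and AfterTime must both be empty or both set")
    elif days is None and before is None:
        errors.append("set Days, or both BeforeTime and AfterTime")
    elif days is None and after <= before:
        errors.append("AfterTime must be later than BeforeTime")

    # Days wins when all three are set. Assumption: a Days period starts at `now`.
    not_after = None
    if days is not None:
        not_after = now + days * 86400
    elif before is not None and after is not None:
        not_after = after
    if not_after is not None and not_after > sub_ca_not_after:
        errors.append("validity period exceeds that of the sub-CA certificate")

    algorithm = params.get("Algorithm")
    if algorithm is not None:
        if algorithm not in VALID_ALGORITHMS:
            errors.append(f"unknown Algorithm {algorithm!r}")
        elif algorithm.split("_")[0] != sub_ca_algorithm.split("_")[0]:
            errors.append("Algorithm family must match the sub-CA certificate")
        elif algorithm == "RSA_1024":
            # Accepted by the API, but 1024-bit RSA is too short for new keys.
            warnings.append("RSA_1024 is accepted but too short for new certificates")
    return errors, warnings
```

Treat the warnings list as a policy gate: the API accepts RSA_1024, so rejecting it has to happen on the caller's side.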

Response elements

| Element | Type | Description | Example |
| --- | --- | --- | --- |
| | object | CreateCertificateResponse | |
| X509Certificate | string | Content of the server-side certificate. | -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE----- |
| CertificateChain | string | CA certificate chain. | -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n |
| Identifier | string | Unique identifier of the server-side certificate. | 180ae6bb538d538c70c01f81dcf2**** |
| SerialNumber | string | Certificate serial number. | 084bde9cd233f0ddae33adc438cfbbbd**** |
| RequestId | string | Request ID generated by Alibaba Cloud for this call. Use it to troubleshoot issues. | 55C66C7B-671A-4297-9187-2C4477247A74 |

Examples

Success response

JSON format

{
  "X509Certificate": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n",
  "Identifier": "180ae6bb538d538c70c01f81dcf2****",
  "SerialNumber": "084bde9cd233f0ddae33adc438cfbbbd****",
  "RequestId": "55C66C7B-671A-4297-9187-2C4477247A74"
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.