
Certificate Management Service:CreateSubCACertificate

Last Updated:Dec 16, 2025

Creates an intermediate certificate authority (CA) certificate.

Operation description

This operation issues an intermediate certificate authority (CA) certificate from an existing root CA certificate. You can use the intermediate CA certificate to issue client and server certificates. The response contains the intermediate CA certificate and its certificate chain in PEM format; no private key is returned.

Before you call this operation, you must call the CreateRootCACertificate operation to create a root CA certificate.

QPS limit

This operation has a queries per second (QPS) limit of 10 for each user. Calls that exceed this limit are throttled, which may affect your workloads. Plan your call rate accordingly.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action: yundun-cert:CreateSubCACertificate

Access level: create

Resource type: All Resources (*)

Condition key: None

Dependent action: None

Request parameters

Each entry gives the parameter name, its type and whether it is required, followed by its description and an example value.

ParentIdentifier (string, optional)

The unique identifier of the root CA certificate from which the intermediate CA certificate is issued.

Note: Call the DescribeCACertificateList operation to query the unique identifiers of all CA certificates.

Example: 1a83bcbb89e562885e40aa0108f5****

CommonName (string, required)

The common name or abbreviation of the organization. The name can contain Chinese characters and English letters.

Example: Aliyun

OrganizationUnit (string, required)

The name of the department or branch in the organization. The name can contain Chinese characters and English letters.

Example: Security

Organization (string, required)

The name of the organization that is associated with the intermediate CA certificate, usually the name of your company or enterprise. The name can contain Chinese characters and English letters.

Example: Alibaba

Locality (string, required)

The name of the city where the organization is located. The name can contain Chinese characters and English letters.

Example: Hangzhou

State (string, required)

The name of the province or state where the organization is located. The name can contain letters.

Example: Zhejiang

CountryCode (string, optional)

The two-letter or three-letter country or region code, in uppercase. For example, CN indicates China and US indicates the United States. For more information about country codes, see the Country codes section in Manage company information.

Example: CN

Algorithm (string, required)

The key algorithm of the intermediate CA certificate, in the <Encryption algorithm>_<Key length> format. Valid values:

  • RSA_1024: The corresponding signature algorithm is Sha256WithRSA.

  • RSA_2048: The corresponding signature algorithm is Sha256WithRSA.

  • RSA_4096: The corresponding signature algorithm is Sha256WithRSA.

  • ECC_256: The corresponding signature algorithm is Sha256WithECDSA.

  • SM2_256: The corresponding signature algorithm is SM3WithSM2.

The encryption algorithm (key family) of the intermediate CA certificate must be the same as that of the root CA certificate; only the key length may differ. For example, if the key algorithm of the root CA certificate is RSA_2048, the key algorithm of the intermediate CA certificate must be RSA_1024, RSA_2048, or RSA_4096. RSA_1024 is accepted, but it provides only about 80 bits of security and is disallowed by current key-length policies such as NIST SP 800-131A; use RSA_2048 or longer for new hierarchies.

Note: Call the DescribeCACertificate operation to query the key algorithm of the root CA certificate.

Example: RSA_2048

Years (integer, required)

The validity period of the intermediate CA certificate, in years. Set this parameter to a value from 5 to 10.

Note: The validity period of the intermediate CA certificate cannot exceed the validity period of the root CA certificate. Because the period is counted from the time of issuance, compare it with the remaining validity of the root, not with the root's original validity period. Call the DescribeCACertificate operation to query the validity period of the root CA certificate.

Example: 5

PathLenConstraint (integer, optional)

The value of the pathLenConstraint field in the Basic Constraints extension of the intermediate CA certificate: the maximum number of further CA certificates that may follow it in a certificate chain. The default value is 0, which means that the intermediate CA can issue end-entity certificates only and cannot certify another subordinate CA.

Example: 0

ExtendedKeyUsages (array of string, optional)

The extended key usages to set on the intermediate CA certificate. Each element is one of the following values:

  • any: Any

  • serverAuth: Server authentication

  • clientAuth: Client authentication

  • codeSigning: Code signing

  • emailProtection: Email protection

  • timeStamping: Timestamping

  • OCSPSigning: OCSP signing

  • Any other extended key usage OID

Many verifiers, OpenSSL and Go's crypto/x509 among them, treat the extended key usages of a CA certificate as a restriction on the certificates issued beneath it. An intermediate CA that must issue both server and client certificates therefore needs both serverAuth and clientAuth (or any).

Example: serverAuth

EnableCrl (boolean, optional)

Specifies whether to enable the certificate revocation list (CRL) service for the intermediate CA certificate. Valid values:

  • 0: No

  • 1: Yes

Example: 1

CrlDay (integer, optional)

The validity period of each published CRL, in days. Valid values: 1 to 365. A shorter period bounds how long clients that rely on a cached CRL keep accepting a revoked certificate, at the cost of more frequent CRL republication.

Example: 30

Tags (array of object, optional)

A list of tags. Each tag is an object with the following fields:

  • Key (string, optional): The tag key. Example: testKey

  • Value (string, optional): The tag value. Example: test

ResourceGroupId (string, optional)

The ID of the resource group.

Example: rg-ae****vty

ClientToken (string, optional)

A client token that is used to ensure the idempotence of the request. The client generates the value, which must be unique among different requests. The token can be up to 64 ASCII characters in length.

Example: XXX
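The constraints on Algorithm and Years above can be checked locally before the call is made. The Go program below is an added example, not code from this page or from the service. It assumes that the root CA's key algorithm, as reported by DescribeCACertificate, uses the same <Encryption algorithm>_<Key length> format as the Algorithm parameter and that the root's NotAfter time is available as a time.Time (both assumptions); the allowed table is taken from the Algorithm list above, and the RSA_1024 warning is the editor's addition.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// SubCARequest holds the request parameters the pre-flight checks depend on (names as on this page).
type SubCARequest struct {
	Algorithm string // "<Encryption algorithm>_<Key length>", e.g. "RSA_2048"
	Years     int    // validity in years, 5..10
}

// allowed lists the accepted Algorithm values from this page, grouped by key family.
var allowed = map[string][]string{
	"RSA": {"RSA_1024", "RSA_2048", "RSA_4096"},
	"ECC": {"ECC_256"},
	"SM2": {"SM2_256"},
}

// family returns the <Encryption algorithm> part of an Algorithm value.
func family(algorithm string) string { return strings.SplitN(algorithm, "_", 2)[0] }

// Preflight applies this page's constraints before the call is made. rootAlgorithm and rootNotAfter are
// assumed to be what DescribeCACertificate reports for the parent (same Algorithm format); now is the
// intended issuance time, because Years is counted from issuance, not from the root's own NotBefore.
func Preflight(req SubCARequest, rootAlgorithm string, rootNotAfter, now time.Time) (warnings []string, err error) {
	fam, accepted := family(req.Algorithm), false
	for _, a := range allowed[fam] {
		accepted = accepted || a == req.Algorithm
	}
	end := now.AddDate(req.Years, 0, 0)
	switch {
	case !accepted:
		return nil, fmt.Errorf("Algorithm %q is not an accepted value", req.Algorithm)
	case fam != family(rootAlgorithm):
		return nil, fmt.Errorf("Algorithm %s: key family must match the root's (%s); only the length may differ", req.Algorithm, rootAlgorithm)
	case req.Years < 5 || req.Years > 10:
		return nil, fmt.Errorf("Years=%d: must be between 5 and 10", req.Years)
	case end.After(rootNotAfter):
		return nil, fmt.Errorf("Years=%d: intermediate would expire on %s, after the root (%s)",
			req.Years, end.Format("2006-01-02"), rootNotAfter.Format("2006-01-02"))
	}
	if req.Algorithm == "RSA_1024" { // editor's addition: accepted by the service, but a weak CA key
		warnings = append(warnings, "RSA_1024 is disallowed by current key-length policies; use RSA_2048 or longer")
	}
	return warnings, nil
}
```

Preflight returns an error for any request the service would reject on these grounds and a non-fatal warning for RSA_1024; an intermediate whose Years value ends exactly at the root's NotAfter is accepted, one that ends a day later is not.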

Response elements

Each entry gives the element name and type, followed by its description and an example value.

RequestId (string)

The ID of the request. Alibaba Cloud generates this ID for each request. You can use this ID to troubleshoot and locate issues.

Example: 15C66C7B-671A-4297-9187-2C4477247A74

Identifier (string)

The unique identifier of the intermediate CA certificate that is created.

Example: 160ae6bb538d538c70c01f81dcf2****

Certificate (string)

The intermediate CA certificate that is created, in PEM format.

Example: -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----

CertificateChain (string)

The CA certificate chain of the certificate that is created, as concatenated PEM blocks.

Example: -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n


Examples

Success response

JSON format

{
  "RequestId": "15C66C7B-671A-4297-9187-2C4477247A74",
  "Identifier": "160ae6bb538d538c70c01f81dcf2****",
  "Certificate": "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n"
}
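What to check once a response like the one above arrives, and what PathLenConstraint 0 actually enforces, as an added Go example that is not part of this page or of the service. ValidateResponse takes the Certificate and CertificateChain strings and the root CA certificate you already hold, and checks that the intermediate is a CA carrying the requested pathLenConstraint, does not outlive the root, verifies up to the root, and that the returned chain ends at that same root rather than at some other anchor. Because the service keeps the root key, the example issues its own root and intermediate locally with crypto/x509 (caTemplate and issue are stand-ins for the service, not its code; ECC_256 is modelled as P-256 and the subject values are taken from this page) and then shows that a chain passing through a further CA signed by a pathLen 0 intermediate is rejected at verification time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parsePEMChain decodes every CERTIFICATE block in s, in order.
func parsePEMChain(s string) ([]*x509.Certificate, error) {
	var out []*x509.Certificate
	for block, rest := pem.Decode([]byte(s)); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, c)
	}
	return out, nil
}

// ValidateResponse checks the Certificate and CertificateChain fields of the response against the root
// you already trust: a CA with the requested PathLenConstraint that does not outlive the root, chains to
// it, and whose returned chain ends at that same root rather than at some other anchor.
func ValidateResponse(certificate, certificateChain string, root *x509.Certificate, pathLen int) (*x509.Certificate, error) {
	certs, err := parsePEMChain(certificate)
	if err != nil || len(certs) == 0 {
		return nil, fmt.Errorf("Certificate: no parsable PEM certificate (%v)", err)
	}
	sub := certs[0]
	switch { // Go parses an absent pathLenConstraint as MaxPathLen -1; an explicit 0 sets MaxPathLenZero
	case !sub.BasicConstraintsValid || !sub.IsCA || sub.MaxPathLen != pathLen || (pathLen == 0 && !sub.MaxPathLenZero):
		return nil, fmt.Errorf("not a CA with pathLenConstraint %d (IsCA=%v, MaxPathLen=%d)", pathLen, sub.IsCA, sub.MaxPathLen)
	case sub.NotAfter.After(root.NotAfter):
		return nil, fmt.Errorf("intermediate expires after the root")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := sub.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("intermediate does not chain to the trusted root: %w", err)
	}
	chain, err := parsePEMChain(certificateChain)
	if err != nil || len(chain) == 0 || !chain[len(chain)-1].Equal(root) {
		return nil, fmt.Errorf("CertificateChain does not end at the trusted root (%v)", err)
	}
	return sub, nil
}

// caTemplate and issue stand in for the service, which holds the root key, so that the example runs
// offline. The subject values are those shown on this page; pathLen -1 leaves pathLenConstraint unset.
func caTemplate(cn string, years, pathLen int, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Alibaba"}, Country: []string{"CN"}},
		NotBefore:    now.Add(-time.Minute), NotAfter: now.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
	}
}

// issue signs tmpl with the parent's key (parent nil: self-signed) and returns cert, key and PEM.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ECC_256
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// RunExample issues a root and an intermediate (Years=5, PathLenConstraint=0), validates the response as a
// caller would, then shows that pathLen 0 makes verifiers reject chains through a further CA under it.
func RunExample() (sub *x509.Certificate, deeperChainRejected bool, err error) {
	now := time.Now()
	root, rootKey, rootPEM := issue(caTemplate("Alibaba Root CA", 10, -1, now), nil, nil)
	_, subKey, subPEM := issue(caTemplate("Aliyun", 5, 0, now), root, rootKey)
	if sub, err = ValidateResponse(subPEM, subPEM+rootPEM, root, 0); err != nil {
		return nil, false, err
	}
	// Signing a second-level CA under the pathLen 0 intermediate is mechanically possible...
	second, secondKey, _ := issue(caTemplate("Second-level CA", 1, -1, now), sub, subKey)
	leaf, _, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "leaf"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(1, 0, 0)}, second, secondKey)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(sub)
	inter.AddCert(second)
	// ...but any leaf reached through it fails path validation with "too many intermediates".
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return sub, verr != nil, nil
}
```

RunExample returns the validated intermediate and whether the deeper chain was rejected; call it from a main or a test of your own. In production, replace the locally issued root with the root CA certificate you obtained when you called CreateRootCACertificate, and pass the Certificate and CertificateChain strings from the JSON response unchanged: the PEM newlines arrive as \n escapes in JSON and are decoded by the JSON parser before they reach ValidateResponse.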

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.