All Products
Search
Document Center

Certificate Management Service:CreateWHClientCertificate

Last Updated:Apr 02, 2026

Issues a single client certificate from the general user certificate repository.

Operation description

This API is limited to 10 QPS per user. Exceeding this limit triggers throttling, which can affect your business. Call this API at a reasonable rate to avoid disruption.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Parameter

Type

Required

Description

Example

SanType

integer

No

The type of the subject alternative name (SAN) for the client certificate. Valid values:

  • 1: email address.

  • 2: domain name.

  • 6: Uniform Resource Identifier (URI).

  • 7: IP address.

2

SanValue

string

No

The value of the SAN extension. To specify multiple values, separate them with commas (,).

example.com

CommonName

string

No

The common name of the client certificate. Supports Chinese, English, and other characters.

aliyun

Algorithm

string

No

The key algorithm for the client certificate. The format is <encryption_algorithm>_<key_length>. Valid values:

  • RSA_1024: The corresponding signature algorithm is Sha256WithRSA.

  • RSA_2048: The corresponding signature algorithm is Sha256WithRSA.

  • RSA_4096: The corresponding signature algorithm is Sha256WithRSA.

  • ECC_256: The corresponding signature algorithm is Sha256WithECDSA.

  • ECC_384: The corresponding signature algorithm is Sha256WithECDSA.

  • ECC_512: The corresponding signature algorithm is Sha256WithECDSA.

  • SM2_256: The corresponding signature algorithm is SM3WithSM2.

The encryption algorithm of the client certificate must match that of the issuing subordinate CA certificate, but the key lengths can differ. For example, if the key algorithm of the subordinate CA certificate is RSA_2048, the key algorithm for the client certificate must be one of RSA_1024, RSA_2048, or RSA_4096.

RSA_2048

Csr

string

No

The content of the certificate signing request (CSR). You can generate a CSR with tools like OpenSSL or Keytool.

-----BEGIN CERTIFICATE REQUEST----- ...... -----END CERTIFICATE REQUEST-----

ParentIdentifier

string

Yes

The unique identifier of the issuing subordinate CA certificate.

273ae6bb538d538c70c01f81jh2****

Days

integer

No

The validity period of the client certificate, in days.

You cannot leave the Days, BeforeTime, and AfterTime parameters all empty. The BeforeTime and AfterTime parameters must be specified together or not at all.

  • If you specify the Days parameter, specifying BeforeTime and AfterTime is optional.

  • If you do not specify the Days parameter, you must specify both BeforeTime and AfterTime.

Note

If you specify Days, BeforeTime, and AfterTime simultaneously, the Days parameter takes precedence in determining the validity period.

365

BeforeTime

integer

No

The issuance time of the client certificate, as a Unix timestamp in seconds. If omitted, this defaults to the time of the API call.

Note

The BeforeTime and AfterTime parameters must be specified together or not at all.

1634283958

AfterTime

integer

No

The expiration time of the client certificate, specified as a Unix timestamp in seconds.

Note

The BeforeTime and AfterTime parameters must be specified together or not at all.

1665819958

Organization

string

No

The organization name associated with the root CA certificate, typically your company or enterprise name. Supports Chinese, English, and other characters.

Alibaba Cloud Computing Co., Ltd.

OrganizationUnit

string

No

The name of the department or business unit within the organization.

IT

Country

string

No

The country where the organization is located.

CN

State

string

No

The province, municipality, or autonomous region where the organization is located. Chinese, English, and other characters are supported.

Zhejiang

Locality

string

No

The city where the organization is located. Chinese, English, and other characters are supported.

Hangzhou

Years

integer

No

The validity period of the certificate, in years.

1

Months

integer

No

The validity period of the certificate, in months.

12

Immediately

integer

No

Specifies which certificate content to return in the response.

  • 0: Does not return the certificate (default).

  • 1: Returns the certificate.

  • 2: Returns the certificate and its certificate chain.

1

Response elements

Element

Type

Description

Example

object

The response object.

Identifier

string

The unique identifier of the client certificate.

190ae6bb538d538c70c01f81dcf2****

RequestId

string

The request ID. This unique ID is generated by Alibaba Cloud for each request and can be used for troubleshooting.

8C467B38-3910-447D-87BC-AC049166F216

RootX509Certificate

string

The content of the root CA certificate.

-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----

ParentX509Certificate

string

The content of the subordinate CA certificate.

-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----

X509Certificate

string

The content of the client certificate.

-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----

CertificateChain

string

The certificate chain.

-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n

Examples

Success response

JSON format

{
  "Identifier": "190ae6bb538d538c70c01f81dcf2****",
  "RequestId": "8C467B38-3910-447D-87BC-AC049166F216",
  "RootX509Certificate": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----",
  "ParentX509Certificate": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----",
  "X509Certificate": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n"
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.