Certificate Management Service:CreateClientCertificateWithCsr

Last Updated:Dec 22, 2025

Issues a client certificate based on a custom Certificate Signing Request (CSR).

Operation description

Before you call this operation, call CreateRootCACertificate to create a root CA certificate and CreateSubCACertificate to create a subordinate CA certificate. Only subordinate CA certificates can be used to issue client certificates.

QPS limit

The queries per second (QPS) limit for this operation is 10 calls per second per user. Calls that exceed this limit are throttled, which can disrupt your workload, so plan your call rate accordingly.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action: yundun-cert:CreateClientCertificateWithCsr

Access level: create

Resource type: All Resources (use * in the Resource element)

Condition key: None

Dependent action: None
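The following RAM policy is an added example, not taken from the Alibaba Cloud documentation. It grants only what a workload needs to issue client certificates with this operation: the action from the table above plus read access to the two Describe operations the reference tells you to call first. The two Describe action names are an assumption, formed on the same yundun-cert:<OperationName> pattern the table shows for this API; since this API has no resource-level permissions, the Resource element must be *. Keep CreateRootCACertificate and CreateSubCACertificate out of this policy: the identity that issues leaf certificates should not also be able to create CAs.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "yundun-cert:DescribeCACertificateList",
        "yundun-cert:DescribeCACertificate",
        "yundun-cert:CreateClientCertificateWithCsr"
      ],
      "Resource": "*"
    }
  ]
}
```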

Request parameters

Each parameter is listed as: name (type, whether it is required), description, example value.

Csr (string, optional)

The content of the CSR in PEM format. Generate the CSR with OpenSSL or Keytool (see How to create a CSR file), or in the SSL Certificate Service console (see Create a CSR). Only the CSR is submitted; the private key that corresponds to it stays with you and is never sent to the service.

Example: -----BEGIN CERTIFICATE REQUEST----- ...... -----END CERTIFICATE REQUEST-----

SanType (integer, optional)

The type of the Subject Alternative Name (SAN) extension of the client certificate. The values are the X.509 GeneralName tag numbers. Valid values:

  • 1: Email address (rfc822Name).

  • 6: Uniform Resource Identifier (URI).

Example: 1

SanValue (string, optional)

The content of the SAN extension. You can specify multiple SANs; separate them with commas (,). Every entry is interpreted according to SanType.

Example: somebody@example.com

Organization (string, optional)

The name of the organization. Default value: Alibaba Inc.

Example: 阿里云计算有限公司

OrganizationUnit (string, optional)

The name of the department. Default value: Aliyun CDN.

Example: Security

Country (string, optional)

The country code, for example, CN or US.

Example: CN

CommonName (string, optional)

The common name of the certificate. The name can contain characters in various languages, such as Chinese and English.

Note

If you set the Csr parameter, the common name from the CSR overrides the value of this parameter.

Example: aliyundoc.com

State (string, optional)

The name of the province or state where the organization is located. Chinese and English characters are supported. By default, the province or state of the subordinate CA certificate that issues the client certificate is used.

Example: Zhejiang

Locality (string, optional)

The name of the city where the organization is located. Chinese and English characters are supported. By default, the city of the subordinate CA certificate that issues the client certificate is used.

Example: Hangzhou

Algorithm (string, optional)

The key algorithm of the client certificate, in the <Encryption algorithm>_<Key length> format. Valid values:

  • RSA_1024: The corresponding signature algorithm is Sha256WithRSA.

  • RSA_2048: The corresponding signature algorithm is Sha256WithRSA.

  • RSA_4096: The corresponding signature algorithm is Sha256WithRSA.

  • ECC_256: The corresponding signature algorithm is Sha256WithECDSA.

  • ECC_384: The corresponding signature algorithm is Sha256WithECDSA.

  • ECC_512: The corresponding signature algorithm is Sha256WithECDSA.

  • SM2_256: The corresponding signature algorithm is SM3WithSM2.

The encryption algorithm of the client certificate must be the same as that of the subordinate CA certificate; the key length can differ. For example, if the key algorithm of the subordinate CA certificate is RSA_2048, the key algorithm of the client certificate must be RSA_1024, RSA_2048, or RSA_4096. A 1024-bit RSA key is below current minimum key-size recommendations; for new deployments prefer RSA_2048 or larger, or an ECC option.

Note

To query the key algorithm of the subordinate CA certificate, call DescribeCACertificate.

Example: RSA_2048

ParentIdentifier (string, optional)

The unique identifier of the subordinate CA certificate that issues the client certificate.

Note

To query the unique identifier of the subordinate CA certificate, call DescribeCACertificateList.

Example: 270ae6bb538d538c70c01f81fg3****

Years (integer, optional)

The validity period of the certificate in years.

Example: 1

Months (integer, optional)

The validity period of the certificate in months.

Example: 12

Days (integer, optional)

The validity period of the client certificate in days. A validity period is mandatory: specify either Days, or both BeforeTime and AfterTime.

  • If you specify Days, you can optionally specify BeforeTime and AfterTime as well. If all three are specified, Days takes precedence.

  • If you do not specify Days, you must specify both BeforeTime and AfterTime.

Note

The validity period of the client certificate cannot exceed the validity period of the subordinate CA certificate that issues it. Call DescribeCACertificate to check the validity period of the subordinate CA certificate.

Example: 365

BeforeTime (integer, optional)

The issuance time of the client certificate, as a UNIX timestamp in seconds. The default value is the time at which you call this operation.

Note

The BeforeTime and AfterTime parameters must be both empty or both specified.

Example: 1634283958

AfterTime (integer, optional)

The expiration time of the client certificate, as a UNIX timestamp in seconds.

Note

The BeforeTime and AfterTime parameters must be both empty or both specified.

Example: 1665819958
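The rules stated above for Algorithm, Days, BeforeTime/AfterTime and SanType/SanValue are easy to get wrong in a pipeline that issues certificates unattended, and a rejected call only tells you so after the fact. The following added example (Python, written for this page; it is not the Alibaba Cloud SDK and makes no network call) assembles the request with the API's own parameter names and checks it against those rules before the call. It assumes that ca_algorithm and ca_not_after are what DescribeCACertificate reports for the subordinate CA named by ParentIdentifier; the exact field names of that response are not shown on this page. Rejecting RSA_1024 is this example's own policy, stricter than the API, and the placeholder CSR is constructed, not a real request.

```python
# Added example, not the Alibaba Cloud SDK: pre-flight checks for CreateClientCertificateWithCsr.
import time

KEY_FAMILIES = ("RSA", "ECC", "SM2")
SAN_TYPES = {1: "email", 6: "uri"}

# Constructed placeholder; a real CSR from OpenSSL/Keytool goes here.
EXAMPLE_CSR = "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----\n"


def key_family(algorithm):
    """'RSA_2048' -> 'RSA'.  The API value is <encryption algorithm>_<key length>."""
    family, _, bits = algorithm.partition("_")
    if family not in KEY_FAMILIES or not bits.isdigit():
        raise ValueError(f"unrecognised Algorithm value: {algorithm!r}")
    return family


def build_params(csr_pem, parent_identifier, algorithm, **optional):
    """Assemble the request using the API's parameter names, dropping unset optionals.
    Immediately=2 asks for certificate plus chain; EnableCrl=1 embeds the CRL address."""
    params = {"Csr": csr_pem, "ParentIdentifier": parent_identifier,
              "Algorithm": algorithm, "Immediately": 2, "EnableCrl": 1}
    for name in ("Days", "BeforeTime", "AfterTime", "SanType", "SanValue", "CommonName",
                 "Organization", "OrganizationUnit", "Country", "State", "Locality",
                 "Immediately", "EnableCrl", "ResourceGroupId"):
        if optional.get(name) is not None:
            params[name] = optional[name]
    return params


def preflight(params, ca_algorithm, ca_not_after, now=None):
    """Check params against the documented rules.  ca_algorithm / ca_not_after (UNIX seconds)
    are assumed to come from DescribeCACertificate for the sub-CA in ParentIdentifier.
    Returns a list of problems; an empty list means the request is consistent."""
    now = int(time.time()) if now is None else now
    problems = []
    if not params.get("Csr", "").lstrip().startswith("-----BEGIN CERTIFICATE REQUEST-----"):
        problems.append("Csr is not a PEM certificate request")
    alg = params.get("Algorithm", "")
    try:
        if key_family(alg) != key_family(ca_algorithm):
            problems.append(f"Algorithm {alg} does not match the sub-CA key family of {ca_algorithm}")
    except ValueError as exc:
        problems.append(str(exc))
    if alg == "RSA_1024":  # accepted by the API, rejected here as below the 2048-bit minimum
        problems.append("RSA_1024 is below the 2048-bit minimum; use RSA_2048+ or an ECC option")
    days, before, after = (params.get(k) for k in ("Days", "BeforeTime", "AfterTime"))
    if (before is None) != (after is None):
        problems.append("BeforeTime and AfterTime must both be set or both be empty")
    elif before is not None and after <= before:
        problems.append("AfterTime must be later than BeforeTime")
    if days is not None:
        if days <= 0:
            problems.append("Days must be positive")
        # Days takes precedence; assumed to count from BeforeTime (default: the call time).
        expiry = (before if before is not None else now) + days * 86400
    elif before is not None and after is not None:
        expiry = after
    else:
        problems.append("specify Days, or both BeforeTime and AfterTime")
        expiry = None
    if expiry is not None and expiry > ca_not_after:
        problems.append("client certificate would outlive the subordinate CA")
    san_type, san_value = params.get("SanType"), params.get("SanValue")
    if (san_type is None) != (san_value is None):
        problems.append("SanType and SanValue must be given together")
    elif san_type is not None:
        if san_type not in SAN_TYPES:
            problems.append(f"SanType {san_type} is not 1 (email) or 6 (URI)")
        else:
            for entry in san_value.split(","):  # the API takes a comma-separated list
                entry = entry.strip()
                ok = ("@" in entry) if san_type == 1 else ("://" in entry or entry.startswith("urn:"))
                if not ok:
                    problems.append(f"SAN entry {entry!r} is not a valid {SAN_TYPES[san_type]}")
    return problems


if __name__ == "__main__":
    req = build_params(EXAMPLE_CSR, "270ae6bb538d538c70c01f81fg3****", "ECC_384",
                       Days=365, SanType=1, SanValue="somebody@example.com")
    print(preflight(req, ca_algorithm="ECC_256", ca_not_after=1_900_000_000))
```

Run preflight once per request and refuse to call the API while it returns anything; the cost is one DescribeCACertificate call, cached per ParentIdentifier, against a failed issuance that is only visible in the error response.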

Immediately (integer, optional)

Specifies whether to return the issued certificate in the response. Valid values:

  • 0: Does not return the certificate. This is the default value.

  • 1: Returns the certificate.

  • 2: Returns the certificate and its certificate chain.

Example: 1

EnableCrl (integer, optional)

Specifies whether to include the Certificate Revocation List (CRL) address in the issued certificate. Valid values:

  • 0: No.

  • 1: Yes.

Without a CRL address in the certificate, relying parties have no in-band way to locate the CRL and check whether the client certificate has been revoked.

Example: 1

Tags (array<object>, optional)

The list of tags. Each element is an object with the following fields:

  Key (string, optional)

  The tag key.

  Example: database

  Value (string, optional)

  The tag value.

  Example: 1

ResourceGroupId (string, optional)

The ID of the resource group to which the certificate belongs.

Example: rg-ae******4wia

When you call this operation, you must include the common request parameters in addition to the parameters listed above. For the request format, see the Examples section of this topic.

Response elements

The response body is a CreateCertificateResponse object. Each element is listed as: name (type), description, example value.

X509Certificate (string)

The content of the client certificate in PEM format. Returned when Immediately is 1 or 2.

Example: -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----

CertificateChain (string)

The CA certificate chain, as concatenated PEM blocks of the CA certificates (the example shows two). Returned when Immediately is 2.

Example: -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n

Identifier (string)

The unique identifier of the client certificate.

Example: 200ae6bb538d538c70c01f81dcf2****

SerialNumber (string)

The certificate serial number.

Example: 084bde9cd233f0ddae33adc438cfbbbd****

RequestId (string)

The ID of the request. This ID is a unique identifier generated by Alibaba Cloud for the request. You can use this ID to troubleshoot issues.

Example: 31C66C7B-671A-4297-9187-2C4477247A74

CertSignBufKmc (string)

The encrypted content of the certificate.

Example: MIIDYDCCAwWgAwIBAgIU *** TmTk0CS3WNweqsjMEETyxd2pzU6DA

CertKmcRep1 (string)

The ciphertext of the encrypted certificate.

Example: userSeal=MHkCIEu94PQAahFWuFk% *** EtFw%2FkMMBjw8i5bFfSkV%2FIUrcOJD

Examples

Success response

JSON format

{
  "X509Certificate": "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n",
  "Identifier": "200ae6bb538d538c70c01f81dcf2****",
  "SerialNumber": "084bde9cd233f0ddae33adc438cfbbbd****",
  "RequestId": "31C66C7B-671A-4297-9187-2C4477247A74",
  "CertSignBufKmc": "MIIDYDCCAwWgAwIBAgIU\n***\nTmTk0CS3WNweqsjMEETyxd2pzU6DA",
  "CertKmcRep1": "userSeal=MHkCIEu94PQAahFWuFk%\n***\nEtFw%2FkMMBjw8i5bFfSkV%2FIUrcOJD"
}
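The two ends of this operation that the caller owns are the CSR that goes into the Csr parameter and the X509Certificate / CertificateChain strings that come back in the response above. The following added example (Python, written for this page; not Alibaba Cloud SDK or service code) shows both: make_csr builds an ECC_256 key pair and a CSR with an email SAN (SanType 1) so the private key never leaves the caller, and check_issued verifies that what came back is bound to that CSR's public key, is signed by the first certificate in the chain, does not outlive it, and carries the same SAN. It assumes the `cryptography` package. To run offline, local_issue stands in for the service with a throw-away self-signed CA; the real response is the JSON shown above, and its chain may contain more than one certificate.

```python
# Added example, not Alibaba Cloud SDK or service code.  Requires the `cryptography` package.
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

PEM = serialization.Encoding.PEM
SPKI = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def make_csr(common_name, email, org="Example Corp", country="CN"):
    """Generate an ECC_256 key pair and a CSR with a CN and an email SAN (SanType 1).
    Only the PEM CSR (second value) goes into the Csr parameter; the key stays with the caller."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(subject)
           .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr.public_bytes(PEM).decode()


def split_pem_chain(chain_pem):
    """CertificateChain is one string of concatenated PEM blocks; return them as certificate objects."""
    certs, block = [], []
    for line in chain_pem.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            block = []
        block.append(line)
        if line.startswith("-----END CERTIFICATE-----"):
            certs.append(x509.load_pem_x509_certificate("\n".join(block).encode()))
    return certs


def _not_after(cert):
    # not_valid_after_utc exists in cryptography >= 42; fall back to the older naive attribute.
    return getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after


def check_issued(csr_pem, cert_pem, chain_pem):
    """Checks to run on X509Certificate / CertificateChain before deploying the result.
    Returns a list of problems; an empty list means the result is consistent with the CSR."""
    csr = x509.load_pem_x509_csr(csr_pem.encode())
    leaf = x509.load_pem_x509_certificate(cert_pem.encode())
    chain = split_pem_chain(chain_pem)
    if not chain:
        return ["CertificateChain is empty (request with Immediately=2 to receive it)"]
    issuer = chain[0]  # the first block is taken to be the issuing subordinate CA
    problems = []
    if leaf.public_key().public_bytes(*SPKI) != csr.public_key().public_bytes(*SPKI):
        problems.append("public key in the issued certificate differs from the CSR")
    if leaf.issuer != issuer.subject:
        problems.append("issuer name does not match the first chain certificate")
    pub = issuer.public_key()
    try:
        if isinstance(pub, rsa.RSAPublicKey):  # RSA family: Sha256WithRSA (PKCS#1 v1.5)
            pub.verify(leaf.signature, leaf.tbs_certificate_bytes,
                       padding.PKCS1v15(), leaf.signature_hash_algorithm)
        else:  # ECC family: Sha256WithECDSA
            pub.verify(leaf.signature, leaf.tbs_certificate_bytes,
                       ec.ECDSA(leaf.signature_hash_algorithm))
    except (InvalidSignature, TypeError, ValueError):
        problems.append("certificate signature does not verify against the chain")
    if _not_after(leaf) > _not_after(issuer):
        problems.append("client certificate outlives the subordinate CA")
    want_san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    try:
        got_san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        got_san = None
    if got_san != want_san:
        problems.append("SAN extension differs from the CSR")
    return problems


def local_issue(csr_pem, days, ca_days=3650):
    """Constructed stand-in for the service so the example runs offline: a throw-away self-signed
    CA signs the CSR and returns the two response fields.  The real API returns the JSON above."""
    now = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Sub CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
          .not_valid_before(now).not_valid_after(now + dt.timedelta(days=ca_days))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    csr = x509.load_pem_x509_csr(csr_pem.encode())
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    leaf = (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_name)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(san, critical=False)
            .sign(ca_key, hashes.SHA256()))
    return {"X509Certificate": leaf.public_bytes(PEM).decode(),
            "CertificateChain": ca.public_bytes(PEM).decode()}
```

In production, replace local_issue with the actual API call and pass the response's X509Certificate and CertificateChain to check_issued; a non-empty result means the certificate should not be installed, and the public-key check in particular is what guarantees the certificate belongs to the key you generated rather than to some other request.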

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.