CreateCustomCertificate - Certificate Management Service

Issues a certificate based on the specified key usage, extended key usage, and name and alias of the entity that uses the certificate.

Operation description

By default, the name of the entity is obtained from the certificate signing request (CSR) of the certificate that you want to issue. If you specify a different name for the entity, the name of the entity in the CSR becomes invalid. The specified name is used to issue the certificate.

You must specify the key usage and extended key usage based on the certificate type. The following list describes common certificate types:

Server certificate

Key usage: digitalSignature or keyEncipherment

Extended key usage: serverAuth

Client certificate

Key usage: digitalSignature or keyEncipherment

Extended key usage: clientAuth

Mutual Transport Layer Security (TLS) authentication certificate

Key usage: digitalSignature or keyEncipherment

Extended key usage: serverAuth or clientAuth

Email certificate

Key usage: digitalSignature or contentCommitment

Extended key usage: emailProtection

Note: Compliant certificate authorities (CAs) are managed by third-party authorities. This operation is not supported for compliant CAs.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters

Parameter	Type	Required	Description	Example
ParentIdentifier	string	Yes	The identifier of the certificate.	1ed4068c-6f1b-6deb-8e32-3f8439a851cb
Csr	string	Yes	The content of the CSR. You can generate a CSR by using the OpenSSL tool or the Keytool tool. For more information, see How do I create a CSR file?	-----BEGIN CERTIFICATE REQUEST----- MIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ ... ... ... vbIgMQIhAKHDWD6/WAMbtezAt4bysJ/BZIDz1jPWuUR5GV4TJ/mS -----END CERTIFICATE REQUEST-----
Validity	string	Yes	The validity period of the certificate. The value cannot exceed the validity period of the certificate instance. Relative time and absolute time are supported. Units of relative time: year, month, and day. Use y to specify years. Use m to specify months. Use d to specify days. Absolute time: Use Greenwich Mean Time (GMT). Format: `yyyy-MM-dd'T'HH:mm:ss'Z'` Format of the end time: $NotAfter Format of the start time and end time: $NotBefore/$NotAfter	Relative time: ● 1y ● 3m ● 7d Absolute time: ● 2006-01-02T15:04:05Z ● 2006-01-02T15:04:05Z/2023-03-09T17:48:13Z
ApiPassthrough	object	No	The passthrough parameters.
Subject	object	No	The name of the entity that uses the certificate.
Country	string	No	The code of the country. The value is an alpha-2 country code that complies with the ISO 3166-1 standard. For more information about country codes, visit https://www.iso.org/obp/ui/#search/code/.	CN
State	string	No	The name of the province or state in which the organization associated with the certificate is located.	Zhejiang
Locality	string	No	The name of the city in which the organization is located. The value can contain letters.	Hangzhou
Organization	string	No	The name of the organization.	XXX company
OrganizationUnit	string	No	The name of the department or branch in the organization.	XXX department
CommonName	string	No	The common name of the certificate user.	Bob
CustomAttributes	object []	No	Customize the Subject attributes of the certificate.
ObjectIdentifier	string	No	Custom attribute type as: 2.5.4.6 : country 2.5.4.10 : organization 2.5.4.11 : organizational unit 2.5.4.12 : title 2.5.4.3 : common name 2.5.4.9 : street 2.5.4.5 : serial number 2.5.4.7 : locality 2.5.4.8 : state 1.3.6.1.4.1.37244.1.1 : Matter Operational Certificate - Node ID 1.3.6.1.4.1.37244.1.5 : Matter Operational Certificate - Fabric ID 1.3.6.1.4.1.37244.2.1 : Matter Device Attestation Certificate Vender ID (VID) 1.3.6.1.4.1.37244.2.2 : Matter Device Attestation Certificate Product ID (PID).	2.5.4.3
Value	string	No	Custom attribute value.	Aliyun
Extensions	object	No	The extensions of the certificate.
KeyUsage	object	No	The key usage.
DigitalSignature	boolean	No	Specifies whether the key can be used for digital signing. If you set this parameter to true, the private key of the certificate can be used to generate digital signatures, and the public key of the certificate can be used to verify digital signatures.	true
ContentCommitment	boolean	No	The original name of the parameter is NonRepudiation.	false
NonRepudiation	boolean	No	Specifies whether the key can be used for non-repudiation. This parameter is renamed ContentCommitment in the X.509 standard.	false
KeyEncipherment	boolean	No	Specifies whether the key can be used for data encipherment.	false
DataEncipherment	boolean	No	Specifies whether the key can be used for data encryption.	false
KeyAgreement	boolean	No	Specifies whether the key can be used for key agreement.	false
EncipherOnly	boolean	No	Specifies whether the key can be used only for data encryption.	false
DecipherOnly	boolean	No	Specifies whether the key can be used only for data decryption.	false
ExtendedKeyUsages	array	No	The extended key usage.
	string	No	The extended key usage. Valid values: any: any serverAuth: server authentication clientAuth: client authentication codeSigning: code signing emailProtection: email protection timeStamping: timestamp OCSPSigning: Online Certificate Status Protocol (OCSP) signing Object identifier of other extended key usage.	1.3.6.1.4.1.311.20.2.2
SubjectAlternativeNames	object []	No	The aliases of the entities.
Type	string	Yes	The type of the alias. Valid values: rfc822Name: email address dNSName: domain name uniformResourceIdentifier: URI iPAddress: IP address	dNSName
Value	string	No	The alias that meets the requirement of a specified type.	rfc822Name: exmaple@certqa.cn dNSName: www.certqa.cn uniformResourceIdentifier: acs:ecs:regionid:15619224785***:instance/i-bp1bzvz55uz27hf*** iPAddress: 127.0.0.1
Criticals	array	No	If it is a necessary parameter, the critical list contains the parameter name.
	string	No	The parameter name of the necessary parameter, such as extendedKeyUsage.	ExtendedKeyUsages
SerialNumber	string	No	The serial number MUST be a positive integer assigned by the CA to each certificate.	16889526086333
Immediately	integer	No	Specifies whether to immediately issue the certificate. Valid values: 0: asynchronously issues the certificate. 1: immediately issues the certificate. 2: immediately issues the certificate and returns the certificate chain.	0
EnableCrl	long	No	include the CRL address. 0- No 1- Yes	1

Response parameters

Parameter	Type	Description	Example
	object	OpenApiResponseV1
Identifier	string	The unique identifier of the certificate.	160ae6bb538d538c70c01f81dcf2****
Certificate	string	The content of the certificate. This parameter is returned only if Immediately is set to 1 or 2.	-----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ ... ... ... KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE-----
CertificateChain	string	The certificate chain of the certificate. This parameter is returned only if Immediately is set to 2.	-----BEGIN CERTIFICATE----- MIIBfzCCATGgAwIBAgIUfI5kSdcO2S0+LkpdL3b2VUJG10YwBQYDK2VwMDUxCzAJ ... ... ... ZYYG -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ ... ... ... KL5cUmF -----END CERTIFICATE-----
SerialNumber	string	The serial number of the certificate. This parameter is returned only if Immediately is set to 1 or 2.	084bde9cd233f0ddae33adc438cfbbbd****
RequestId	string	The request ID.	12345678-1234-1234-1234-123456789ABC

Examples

Sample success responses

JSONformat

{
  "Identifier": "160ae6bb538d538c70c01f81dcf2****",
  "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/\n...\n...\n...\nKOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\nMIIBfzCCATGgAwIBAgIUfI5kSdcO2S0+LkpdL3b2VUJG10YwBQYDK2VwMDUxCzAJ\n...\n...\n...\nZYYG\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ\n...\n...\n...\nKL5cUmF\n-----END CERTIFICATE-----",
  "SerialNumber": "084bde9cd233f0ddae33adc438cfbbbd****",
  "RequestId": "12345678-1234-1234-1234-123456789ABC"
}

Error codes

For a list of error codes, visit the Service error codes.

Change history

Change time

Summary of changes

Operation

2023-10-16

The internal configuration of the API is changed, but the call is not affected

see changesets

Change item	Change content
	The internal configuration of the API is changed, but the call is not affected.

2023-09-05

API Description Update. The request parameters of the API has changed

see changesets

Change item	Change content
API Description	API Description Update.
Input Parameters	The request parameters of the API has changed.
	Added Input Parameters: EnableCrl