
Certificate Management Service:CreateCustomCertificate

Last Updated: Oct 31, 2025

Issues a digital certificate with the specified subject, subject alternative names, key usage, and extended key usage.

Operation description

By default, the certificate is issued using the subject from the Certificate Signing Request (CSR). If you specify a subject, it is used instead of the subject in the CSR.

Specify the key usage or extended key usage based on your scenario. The following examples show common scenarios:

  • Server authentication certificate
    Key usage: digitalSignature, keyEncipherment
    Extended key usage: serverAuth

  • Client authentication certificate
    Key usage: digitalSignature, keyEncipherment
    Extended key usage: clientAuth

  • mTLS mutual authentication certificate
    Key usage: digitalSignature, keyEncipherment
    Extended key usage: serverAuth, clientAuth

  • Email signing certificate
    Key usage: digitalSignature, contentCommitment
    Extended key usage: emailProtection

Note: This operation is not supported for compliant certificate authorities (CAs) that are managed by third-party authorities.
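The subject rule and the key usage / extended key usage pairings above, worked through with Go's standard crypto/x509 package. This is an added example, not code from Alibaba Cloud or from this page: a throwaway in-memory CA stands in for the CA behind ParentIdentifier, and the scenario labels (server, client, mtls, email), the function names and the host names are this example's own. It issues a certificate from a PEM CSR the way the operation describes (subject taken from the CSR unless an override is supplied, key usage and EKU taken from the scenario), and then runs the relying party's check: a serverAuth certificate verifies for server authentication but not for client authentication, while the mTLS certificate verifies for both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Key usage / extended key usage pairings from the scenario table, keyed by our own labels.
var scenarios = map[string]struct {
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
}{
	"server": {x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
	"client": {x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
	"mtls":   {x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}},
	"email":  {x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}},
}

// signCert signs tmpl under parent (self-signed when parent == tmpl) and parses the result.
func signCert(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueFromCSR applies the operation's rules: subject from the CSR unless override is set, key
// usage and EKU from the scenario. The CSR signature is checked first (proof of key possession).
func issueFromCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrPEM string, override *pkix.Name, scen string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(csrPEM))
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("csr: not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr: bad signature: %w", err)
	}
	s, ok := scenarios[scen]
	if !ok {
		return nil, fmt.Errorf("unknown scenario %q", scen)
	}
	subject := csr.Subject
	if override != nil {
		subject = *override
	}
	return signCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: s.KeyUsage, ExtKeyUsage: s.ExtKeyUsage,
	}, ca, csr.PublicKey, caKey)
}

// usableFor is the relying party's check: does the leaf chain to the CA for this EKU?
func usableFor(leaf, ca *x509.Certificate, eku x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err == nil
}

// demo builds a throwaway CA (stand-in for the CA behind ParentIdentifier) and a CSR for a
// constructed name, issues it under scen with a subject override, and reports the CN and roles.
func demo(scen string) (cn string, serverOK, clientOK bool, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, err := signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return "", false, false, err
	}
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed CSR; a failure here surfaces as a parse error inside issueFromCSR.
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "csr.example.test"}}, leafKey)
	csrPEM := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER}))
	leaf, err := issueFromCSR(ca, caKey, csrPEM, &pkix.Name{CommonName: "override.example.test"}, scen)
	if err != nil {
		return "", false, false, err
	}
	return leaf.Subject.CommonName, usableFor(leaf, ca, x509.ExtKeyUsageServerAuth),
		usableFor(leaf, ca, x509.ExtKeyUsageClientAuth), nil
}

func main() {
	fmt.Println(demo("server"))
}
```

The negative check matters as much as the positive one: a certificate issued for the server scenario is rejected by Verify when a clientAuth chain is requested, which is exactly the property the table above is meant to give you when you pick the narrowest scenario that fits.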


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action | Access level | Resource type | Condition key | Dependent action
yundun-cert:CreateCustomCertificate | create | All Resources (*) | None | None

Request parameters

Each parameter is listed as Name (Type, Required or Optional), followed by its description and an example. Nested parameters are indented under their parent.

ParentIdentifier (string, Required)
  The ID of the CA certificate.
  Example: 1ed4068c-6f1b-6deb-8e32-3f8439a851cb

Csr (string, Required)
  The content of the CSR. You can use OpenSSL or Keytool to generate a CSR. For more information, see Create a CSR.
  Example: -----BEGIN CERTIFICATE REQUEST----- MIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ ... ... ... vbIgMQIhAKHDWD6/WAMbtezAt4bysJ/BZIDz1jPWuUR5GV4TJ/mS -----END CERTIFICATE REQUEST-----

Validity (string, Required)
  The validity period of the certificate. It cannot exceed the validity period of the instance. You can use a relative time or an absolute time.
  Relative time: years, months, or days.
    • Year - y
    • Month - m
    • Day - d
  Absolute time: GMT, in the format yyyy-MM-dd'T'HH:mm:ss'Z'.
    • End time only - $NotAfter
    • Start and end times - $NotBefore/$NotAfter
  Examples: relative time: 1y, 3m, 7d; absolute time: 2006-01-02T15:04:05Z, 2006-01-02T15:04:05Z/2023-03-09T17:48:13Z

ApiPassthrough (object, Optional)
  The pass-through parameter.

  Subject (object, Optional)
    The subject of the certificate.

    Country (string, Optional)
      The country code. Use the two-letter country code from ISO 3166-1. For more information, see ISO.
      Example: CN

    State (string, Optional)
      The province or state where the organization is located.
      Example: 浙江省

    Locality (string, Optional)
      The city where the organization is located. Chinese and English characters are supported.
      Example: 杭州市

    Organization (string, Optional)
      The name of the organization.
      Example: XXX公司

    OrganizationUnit (string, Optional)
      The name of the department or branch in the organization.
      Example: XXX部门

    CommonName (string, Optional)
      The common name of the certificate user.
      Example: 张三

    CustomAttributes (array<object>, Optional)
      The custom subject attributes of the certificate. Each element has the following fields:

      ObjectIdentifier (string, Optional)
        The key of the custom attribute. The key must be an Object Identifier (OID) that complies with industry standards. Examples:
          • 2.5.4.6: Country code
          • 2.5.4.10: Organization
          • 2.5.4.11: Organizational unit name
          • 2.5.4.12: Title
          • 2.5.4.3: Common name
          • 2.5.4.9: Street
          • 2.5.4.5: Serial number
          • 2.5.4.7: Locality
          • 2.5.4.8: State or province
          • 1.3.6.1.4.1.37244.1.1: Matter certificate - Node ID
          • 1.3.6.1.4.1.37244.1.5: Matter certificate - Fabric ID
          • 1.3.6.1.4.1.37244.2.1: Matter certificate - Vendor ID (VID)
          • 1.3.6.1.4.1.37244.2.2: Matter certificate - Product ID (PID)
        Example: 2.5.4.3

      Value (string, Optional)
        The value of the custom attribute.
        Example: Aliyun

  Extensions (object, Optional)
    The certificate extensions.

    KeyUsage (object, Optional)
      The key usage.

      DigitalSignature (boolean, Optional)
        Digital signature. Allows the private key to sign data and the public key to verify the signature.
        Example: true

      ContentCommitment (boolean, Optional)
        Content commitment. Formerly known as NonRepudiation. Allows the certificate key to be used for content commitment.
        Example: false

      NonRepudiation (boolean, Optional)
        Non-repudiation. This has been renamed to ContentCommitment in the X.509 standard.
        Example: false

      KeyEncipherment (boolean, Optional)
        Key encipherment. Allows the certificate key to encrypt other keys.
        Example: false

      DataEncipherment (boolean, Optional)
        Data encipherment.
        Example: false

      KeyAgreement (boolean, Optional)
        Key agreement.
        Example: false

      EncipherOnly (boolean, Optional)
        If KeyAgreement is true, indicates that the certificate key can be used only for encryption.
        Example: false

      DecipherOnly (boolean, Optional)
        If KeyAgreement is true, indicates that the certificate key can be used only for decryption.
        Example: false

    ExtendedKeyUsages (array, Optional)
      The extended key usage. Each element is a string. Valid values:
        • any: No limit
        • serverAuth: Server authentication
        • clientAuth: Client authentication
        • codeSigning: Code signing
        • emailProtection: Email protection
        • timeStamping: Timestamping
        • OCSPSigning: OCSP signing
        • Other extended key usage OIDs
      Example: 1.3.6.1.4.1.311.20.2.2

    SubjectAlternativeNames (array<object>, Optional)
      The subject alternative names. Each element has the following fields:

      Type (string, Required)
        Valid values:
          • rfc822Name: Email address
          • dNSName: Domain name
          • uniformResourceIdentifier: Uniform Resource Identifier (URI)
          • iPAddress: IP address
        Example: dNSName

      Value (string, Optional)
        A value that matches the specified Type.
        Examples: rfc822Name: example.aliyundoc.com; dNSName: learn.aliyundoc.com; uniformResourceIdentifier: acs:ecs:regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****; iPAddress: 127.0.0.1

    Criticals (array, Optional)
      If an extension is critical, its name is included in this list. Each element is a string: the name of the critical extension, such as ExtendedKeyUsages.
      Example: ExtendedKeyUsages

SerialNumber (string, Optional)
  The custom serial number of the certificate. It must be a long integer.
  Example: 16889526086333

Immediately (integer, Optional)
  Specifies whether to obtain the certificate immediately.
    • 0: Issues the certificate asynchronously.
    • 1: Issues the certificate immediately.
    • 2: Issues the certificate immediately and returns the CA certificate chain.
  Example: 0

EnableCrl (integer, Optional)
  Specifies whether to include a Certificate Revocation List (CRL) address.
    • 0: No
    • 1: Yes
  Example: 1

Tags (array<object>, Optional)
  The list of tags. Each element has the following fields:

  Key (string, Optional)
    The tag key.
    Example: testKey

  Value (string, Optional)
    The tag value.
    Example: 1

ResourceGroupId (string, Optional)
  The ID of the resource group. You can obtain this ID by calling the ListResources operation.
  Example: rg-aek****wia
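The Validity parameter accepts three shapes (relative 1y/3m/7d, an absolute GMT end time, and a NotBefore/NotAfter pair) and must stay within the validity of the instance. Below is an added example in Go of a client-side pre-check for that parameter before the request is sent; it is not Alibaba Cloud code, and it assumes (as a stand-in for the instance limit the page describes) that the allowed window is the issuing CA certificate's own NotBefore/NotAfter. The function name resolveValidity and the layout constant are this example's own. Because the Go layout ends in a literal Z, an offset such as +08:00 is rejected instead of being silently accepted as a different instant.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// gmtLayout is the page's yyyy-MM-dd'T'HH:mm:ss'Z' format in Go layout form. The trailing Z
// is a literal here, so values with a numeric offset do not parse (the page requires GMT).
const gmtLayout = "2006-01-02T15:04:05Z"

// relativeRe matches the relative forms: a positive integer followed by y, m or d.
var relativeRe = regexp.MustCompile(`^([1-9][0-9]*)([ymd])$`)

// resolveValidity turns a Validity value into NotBefore/NotAfter. Relative values and end-only
// absolute values start at now; "$NotBefore/$NotAfter" supplies both bounds. The window is
// rejected when it is empty or falls outside the CA's own validity (our stand-in for the
// instance validity limit).
func resolveValidity(validity string, now, caNotBefore, caNotAfter time.Time) (time.Time, time.Time, error) {
	var notBefore, notAfter time.Time
	var err error
	switch {
	case relativeRe.MatchString(validity):
		m := relativeRe.FindStringSubmatch(validity)
		n, _ := strconv.Atoi(m[1])
		notBefore = now
		switch m[2] {
		case "y":
			notAfter = now.AddDate(n, 0, 0)
		case "m":
			notAfter = now.AddDate(0, n, 0)
		case "d":
			notAfter = now.AddDate(0, 0, n)
		}
	case strings.Count(validity, "/") == 1:
		parts := strings.Split(validity, "/")
		if notBefore, err = time.Parse(gmtLayout, parts[0]); err != nil {
			return time.Time{}, time.Time{}, fmt.Errorf("NotBefore: %w", err)
		}
		if notAfter, err = time.Parse(gmtLayout, parts[1]); err != nil {
			return time.Time{}, time.Time{}, fmt.Errorf("NotAfter: %w", err)
		}
	default:
		notBefore = now
		if notAfter, err = time.Parse(gmtLayout, validity); err != nil {
			return time.Time{}, time.Time{}, fmt.Errorf("Validity %q is neither relative (1y/3m/7d) nor a GMT time: %w", validity, err)
		}
	}
	if !notAfter.After(notBefore) {
		return time.Time{}, time.Time{}, fmt.Errorf("NotAfter %s is not after NotBefore %s", notAfter.Format(gmtLayout), notBefore.Format(gmtLayout))
	}
	if notBefore.Before(caNotBefore) || notAfter.After(caNotAfter) {
		return time.Time{}, time.Time{}, fmt.Errorf("requested window exceeds CA validity %s to %s", caNotBefore.Format(gmtLayout), caNotAfter.Format(gmtLayout))
	}
	return notBefore, notAfter, nil
}

func main() {
	// Constructed CA window: valid from one year ago to five years from now.
	now := time.Now().UTC()
	caNotBefore, caNotAfter := now.AddDate(-1, 0, 0), now.AddDate(5, 0, 0)
	for _, v := range []string{"1y", "3m", "7d", "2006-01-02T15:04:05Z", "10y", "2027-01-02T15:04:05+08:00"} {
		nb, na, err := resolveValidity(v, now, caNotBefore, caNotAfter)
		fmt.Printf("%-30s -> %s / %s err=%v\n", v, nb.Format(gmtLayout), na.Format(gmtLayout), err)
	}
}
```

Running this locally shows the two failure modes worth catching before the API call: a window longer than the CA's remaining lifetime (10y against a CA with five years left) and an end time that already lies in the past.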

Response elements

The response body is an object (OpenApiResponseV1) with the following elements, listed as Name (Type), followed by the description and an example.

Identifier (string)
  The unique identifier of the certificate.
  Example: 160ae6bb538d538c70c01f81dcf2****

Certificate (string)
  The content of the certificate. This element is returned when Immediately is set to 1 or 2.
  Example: -----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ ... ... ... KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE-----

CertificateChain (string)
  The CA certificate chain. This element is returned when Immediately is set to 2.
  Example: -----BEGIN CERTIFICATE----- MIIBfzCCATGgAwIBAgIUfI5kSdcO2S0+LkpdL3b2VUJG10YwBQYDK2VwMDUxCzAJ ... ... ... ZYYG -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ ... ... ... KL5cUmF -----END CERTIFICATE-----

SerialNumber (string)
  The serial number of the certificate. This element is returned when Immediately is set to 1 or 2.
  Example: 084bde9cd233f0ddae33adc438cfbbbd****

RequestId (string)
  The ID of the request. Alibaba Cloud generates a unique ID for each request. You can use the ID to troubleshoot and locate issues.
  Example: 12345678-1234-1234-1234-123456789ABC

Examples

Success response

JSON format

{
  "Identifier": "160ae6bb538d538c70c01f81dcf2****",
  "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/\n...\n...\n...\nKOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\nMIIBfzCCATGgAwIBAgIUfI5kSdcO2S0+LkpdL3b2VUJG10YwBQYDK2VwMDUxCzAJ\n...\n...\n...\nZYYG\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ\n...\n...\n...\nKL5cUmF\n-----END CERTIFICATE-----",
  "SerialNumber": "084bde9cd233f0ddae33adc438cfbbbd****",
  "RequestId": "12345678-1234-1234-1234-123456789ABC"
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.