All Products
Search
Document Center

Certificate Management Service:CreateCustomCertificate

Last Updated:Jul 09, 2024

Issues a certificate based on the specified key usage, extended key usage, and name and alias of the entity that uses the certificate.

Operation description

By default, the name of the entity is obtained from the certificate signing request (CSR) of the certificate that you want to issue. If you specify a different name for the entity, the name of the entity in the CSR becomes invalid. The specified name is used to issue the certificate.

You must specify the key usage and extended key usage based on the certificate type. The following list describes common certificate types:

  • Server certificate

Key usage: digitalSignature or keyEncipherment

Extended key usage: serverAuth

  • Client certificate

Key usage: digitalSignature or keyEncipherment

Extended key usage: clientAuth

  • Mutual Transport Layer Security (TLS) authentication certificate

Key usage: digitalSignature or keyEncipherment

Extended key usage: serverAuth or clientAuth

  • Email certificate

Key usage: digitalSignature or contentCommitment

Extended key usage: emailProtection

Note: Compliant certificate authorities (CAs) are managed by third-party authorities. This operation is not supported for compliant CAs.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters

ParameterTypeRequiredDescriptionExample
ParentIdentifierstringYes

The identifier of the certificate.

1ed4068c-6f1b-6deb-8e32-3f8439a851cb
CsrstringYes

The content of the CSR. You can generate a CSR by using the OpenSSL tool or the Keytool tool. For more information, see How do I create a CSR file?

-----BEGIN CERTIFICATE REQUEST----- MIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ ... ... ... vbIgMQIhAKHDWD6/WAMbtezAt4bysJ/BZIDz1jPWuUR5GV4TJ/mS -----END CERTIFICATE REQUEST-----
ValiditystringYes

The validity period of the certificate. The value cannot exceed the validity period of the certificate instance. Relative time and absolute time are supported.

Units of relative time: year, month, and day.

  • Use y to specify years.
  • Use m to specify months.
  • Use d to specify days.

Absolute time: Use Greenwich Mean Time (GMT). Format: yyyy-MM-dd'T'HH:mm:ss'Z'

  • Format of the end time: $NotAfter
  • Format of the start time and end time: $NotBefore/$NotAfter
Relative time: ● 1y ● 3m ● 7d Absolute time: ● 2006-01-02T15:04:05Z ● 2006-01-02T15:04:05Z/2023-03-09T17:48:13Z
ApiPassthroughobjectNo

The passthrough parameters.

SubjectobjectNo

The name of the entity that uses the certificate.

CountrystringNo

The code of the country. The value is an alpha-2 country code that complies with the ISO 3166-1 standard. For more information about country codes, visit https://www.iso.org/obp/ui/#search/code/.

CN
StatestringNo

The name of the province or state in which the organization associated with the certificate is located.

Zhejiang
LocalitystringNo

The name of the city in which the organization is located. The value can contain letters.

Hangzhou
OrganizationstringNo

The name of the organization.

XXX company
OrganizationUnitstringNo

The name of the department or branch in the organization.

XXX department
CommonNamestringNo

The common name of the certificate user.

Bob
CustomAttributesarray<object>No

Customize the Subject attributes of the certificate.

objectNo
ObjectIdentifierstringNo

Custom attribute type as:

  • 2.5.4.6 : country
  • 2.5.4.10 : organization
  • 2.5.4.11 : organizational unit
  • 2.5.4.12 : title
  • 2.5.4.3 : common name
  • 2.5.4.9 : street
  • 2.5.4.5 : serial number
  • 2.5.4.7 : locality
  • 2.5.4.8 : state
  • 1.3.6.1.4.1.37244.1.1 : Matter Operational Certificate - Node ID
  • 1.3.6.1.4.1.37244.1.5 : Matter Operational Certificate - Fabric ID
  • 1.3.6.1.4.1.37244.2.1 : Matter Device Attestation Certificate Vender ID (VID)
  • 1.3.6.1.4.1.37244.2.2 : Matter Device Attestation Certificate Product ID (PID).
2.5.4.3
ValuestringNo

Custom attribute value.

Aliyun
ExtensionsobjectNo

The extensions of the certificate.

KeyUsageobjectNo

The key usage.

DigitalSignaturebooleanNo

Specifies whether the key can be used for digital signing. If you set this parameter to true, the private key of the certificate can be used to generate digital signatures, and the public key of the certificate can be used to verify digital signatures.

true
ContentCommitmentbooleanNo

The original name of the parameter is NonRepudiation.

false
NonRepudiationbooleanNo

Specifies whether the key can be used for non-repudiation. This parameter is renamed ContentCommitment in the X.509 standard.

false
KeyEnciphermentbooleanNo

Specifies whether the key can be used for data encipherment.

false
DataEnciphermentbooleanNo

Specifies whether the key can be used for data encryption.

false
KeyAgreementbooleanNo

Specifies whether the key can be used for key agreement.

false
EncipherOnlybooleanNo

Specifies whether the key can be used only for data encryption.

false
DecipherOnlybooleanNo

Specifies whether the key can be used only for data decryption.

false
ExtendedKeyUsagesarrayNo

The extended key usage.

stringNo

The extended key usage. Valid values:

  • any: any
  • serverAuth: server authentication
  • clientAuth: client authentication
  • codeSigning: code signing
  • emailProtection: email protection
  • timeStamping: timestamp
  • OCSPSigning: Online Certificate Status Protocol (OCSP) signing
  • Object identifier of other extended key usage.
1.3.6.1.4.1.311.20.2.2
SubjectAlternativeNamesarray<object>No

The aliases of the entities.

objectNo

The alias of the entity.

TypestringYes

The type of the alias. Valid values:

  • rfc822Name: email address
  • dNSName: domain name
  • uniformResourceIdentifier: URI
  • iPAddress: IP address
dNSName
ValuestringNo

The alias that meets the requirement of a specified type.

rfc822Name: exmaple@certqa.cn dNSName: www.certqa.cn uniformResourceIdentifier: acs:ecs:regionid:15619224785*****:instance/i-bp1bzvz55uz27hf***** iPAddress: 127.0.0.1
CriticalsarrayNo

If it is a necessary parameter, the critical list contains the parameter name.

stringNo

The parameter name of the necessary parameter, such as extendedKeyUsage.

ExtendedKeyUsages
SerialNumberstringNo

The serial number MUST be a positive integer assigned by the CA to each certificate.

16889526086333
ImmediatelyintegerNo

Specifies whether to immediately issue the certificate. Valid values:

  • 0: asynchronously issues the certificate.
  • 1: immediately issues the certificate.
  • 2: immediately issues the certificate and returns the certificate chain.
0
EnableCrllongNo

include the CRL address.

  • 0- No
  • 1- Yes
1

Response parameters

ParameterTypeDescriptionExample
object

OpenApiResponseV1

Identifierstring

The unique identifier of the certificate.

160ae6bb538d538c70c01f81dcf2****
Certificatestring

The content of the certificate. This parameter is returned only if Immediately is set to 1 or 2.

-----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ ... ... ... KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE-----
CertificateChainstring

The certificate chain of the certificate. This parameter is returned only if Immediately is set to 2.

-----BEGIN CERTIFICATE----- MIIBfzCCATGgAwIBAgIUfI5kSdcO2S0+LkpdL3b2VUJG10YwBQYDK2VwMDUxCzAJ ... ... ... ZYYG -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ ... ... ... KL5cUmF -----END CERTIFICATE-----
SerialNumberstring

The serial number of the certificate. This parameter is returned only if Immediately is set to 1 or 2.

084bde9cd233f0ddae33adc438cfbbbd****
RequestIdstring

The request ID.

12345678-1234-1234-1234-123456789ABC

Examples

Sample success responses

JSONformat

{
  "Identifier": "160ae6bb538d538c70c01f81dcf2****",
  "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/\n...\n...\n...\nKOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\nMIIBfzCCATGgAwIBAgIUfI5kSdcO2S0+LkpdL3b2VUJG10YwBQYDK2VwMDUxCzAJ\n...\n...\n...\nZYYG\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ\n...\n...\n...\nKL5cUmF\n-----END CERTIFICATE-----",
  "SerialNumber": "084bde9cd233f0ddae33adc438cfbbbd****",
  "RequestId": "12345678-1234-1234-1234-123456789ABC"
}

Error codes

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2023-10-16The internal configuration of the API is changed, but the call is not affectedView Change Details
2023-09-05API Description Update. The request parameters of the API has changedView Change Details