
Certificate Management Service: CreateRootCACertificate

Last Updated: Dec 16, 2025

Creates a root CA certificate.

Operation description

This operation creates a self-signed root CA certificate. A root CA certificate is the starting point of a private trust chain within an enterprise. After you create a root CA certificate, you can use it to issue intermediate CA certificates. You can then use the intermediate CA certificates to issue client and server-side certificates.

Before calling this operation, purchase a private root CA in the SSL Certificate Service console. Otherwise, the call fails. For more information, see Purchase a private CA.

QPS limit

The queries per second (QPS) limit for this operation is 10 calls per second per user. If you exceed the limit, API calls are throttled, which may affect your business. Call the API at a reasonable rate.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The action that you can use in the Action element of a RAM policy statement to grant permission to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action: yundun-cert:CreateRootCACertificate

Access level: create

Resource type: All Resources (*)

Condition key: None

Dependent action: None

Request parameters

CommonName (string, required)
  The common name or abbreviation of the organization. Supports Chinese characters and letters.
  Example: Alibaba

OrganizationUnit (string, required)
  The name of the department or branch in the organization. Supports Chinese characters and letters.
  Example: Security

Organization (string, required)
  The name of the organization for the root CA certificate. This is typically your company or enterprise name. Supports Chinese characters and letters.
  Example: Aliyun

Locality (string, required)
  The name of the city where the organization is located. Supports Chinese characters and letters.
  Example: Hangzhou

State (string, required)
  The name of the province or state where the organization is located. Supports Chinese characters and letters.
  Example: Zhejiang

CountryCode (string, optional)
  The two-letter uppercase code of the country or region where the organization is located. For example, CN indicates China and US indicates the United States. For more information about country codes, see the Country codes section in Manage company information.
  Example: CN

Algorithm (string, optional)
  The key algorithm of the root CA certificate, in the <encryption algorithm>_<key length> format. Valid values:

    • RSA_1024: The corresponding signature algorithm is Sha256WithRSA.

    • RSA_2048: The corresponding signature algorithm is Sha256WithRSA.

    • RSA_4096: The corresponding signature algorithm is Sha256WithRSA.

    • ECC_256: The corresponding signature algorithm is Sha256WithECDSA.

    • ECC_384: The corresponding signature algorithm is Sha256WithECDSA.

    • ECC_512: The corresponding signature algorithm is Sha256WithECDSA.

    • SM2_256: The corresponding signature algorithm is SM3WithSM2.

  The encryption algorithm of the root CA certificate must be the same as the Certificate Algorithm of the private root CA that you purchased. For example, if you set Certificate Algorithm to RSA when you purchase a private root CA, the key algorithm of the root CA certificate must be RSA_1024, RSA_2048, or RSA_4096.
  Example: RSA_2048

Years (integer, required)
  The validity period of the root CA certificate. Unit: years.
  Note: Set the validity period to 5 to 10 years.
  Example: 10

ClientToken (string, optional)
  A client token to ensure the idempotence of the request. Generate a unique value for this parameter from your client. The token supports only ASCII characters.
  Note: If you do not specify this parameter, the system uses the RequestId of the request as the ClientToken. The RequestId may be different for each request.
  Example: 3838B684-3075-582B-9A45-8C99104029DF

Tags (array<object>, optional)
  The list of tags. Each element is an object with the following fields:

  Key (string, optional)
    The tag key.
    Example: runtime

  Value (string, optional)
    The tag value.
    Example: 1

ResourceGroupId (string, optional)
  The ID of the resource group.
  Example: rg-aek****wia

When you call this operation, specify the common request parameters and the operation-specific parameters. For more information about the request format, see the request example in the Examples section of this topic.

Response elements

The response is an object with the following elements.

RequestId (string)
  The unique ID of the request. You can use this ID to troubleshoot issues.
  Example: 6D9B4C5F-7140-5B41-924C-329181DC00C1

Identifier (string)
  The unique identifier of the created root CA certificate.
  Example: 1a83bcbb89e562885e40aa0108f5****

Certificate (string)
  The created root certificate in PEM format.
  Example: -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----

CertificateChain (string)
  The CA certificate chain of the created root certificate.
  Example: -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n

Examples

Success response

JSON format

{
  "RequestId": "6D9B4C5F-7140-5B41-924C-329181DC00C1",
  "Identifier": "1a83bcbb89e562885e40aa0108f5****",
  "Certificate": "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n"
}
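As an added example (not part of the Alibaba Cloud documentation or SDK), this Go program checks the Certificate value returned by the operation against the request that produced it: the certificate must be a self-signed CA whose subject matches CommonName, OrganizationUnit, Organization, Locality, State and CountryCode, whose key matches Algorithm, and whose validity spans Years. SampleRootPEM is a constructed stand-in for the API response, generated locally; the mapping of ECC_n to the n-bit NIST curve is an assumption, and SM2 keys are not handled.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// CheckRootCA verifies that the PEM "Certificate" response element is a self-signed CA with the requested subject, Algorithm and Years.
func CheckRootCA(certPEM []byte, subject pkix.Name, algorithm string, years int) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("response is not a PEM certificate")
	}
	dn := func(n pkix.Name) string { return n.ToRDNSequence().String() } // canonical form, independent of DER attribute order
	// A root CA is self-issued: cA asserted, issuer equals subject, and the signature verifies with its own key.
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil || !cert.IsCA || cert.CheckSignatureFrom(cert) != nil ||
		dn(cert.Issuer) != dn(cert.Subject) || dn(cert.Subject) != dn(subject) {
		return fmt.Errorf("not a self-signed CA certificate for %q (parse error: %v)", dn(subject), err)
	}
	// Key in the page's <algorithm>_<key length> form. Assumption: ECC_n is the n-bit NIST curve; SM2 is not covered.
	got := "unsupported"
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		got = fmt.Sprintf("RSA_%d", pub.N.BitLen())
	case *ecdsa.PublicKey:
		got = fmt.Sprintf("ECC_%d", pub.Curve.Params().BitSize)
	}
	if got != algorithm {
		return fmt.Errorf("key algorithm is %s, requested %s", got, algorithm)
	}
	// NotAfter should be Years calendar years after NotBefore; a day of slack covers issuance rounding.
	if d := cert.NotAfter.Sub(cert.NotBefore.AddDate(years, 0, 0)); d < -24*time.Hour || d > 24*time.Hour {
		return fmt.Errorf("validity %v to %v is not %d years", cert.NotBefore, cert.NotAfter, years)
	}
	return nil
}
// SampleRootPEM is a constructed stand-in for the service response: a self-signed RSA_2048 CA built locally.
func SampleRootPEM(subject pkix.Name, years int) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(years, 0, 0), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run CheckRootCA on the real Certificate value with the same pkix.Name, Algorithm and Years you passed in the request; a non-nil error means the issued root does not match what was asked for.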

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.