CreateServerCertificate - Certificate Management Service

Creates a server-side certificate from a system-generated Certificate Signing Request (CSR).

Operation description

Before you call this operation, you must create a root CA certificate by calling CreateRootCACertificate and a subordinate CA certificate by calling CreateSubCACertificate. Only subordinate CA certificates can issue server-side certificates.

QPS limit

The queries per second (QPS) limit for this operation is 10 calls per second per user. If you exceed this limit, API calls are throttled, which may affect your business. Plan your calls accordingly.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cert:CreateServerCertificate

create

*All Resource

*

None

Request parameters

Parameter	Type	Required	Description	Example
Domain	string	No	The additional domain names and IP addresses for the server-side certificate. This lets you apply the certificate to multiple domain names or IP addresses. Separate multiple entries with a comma (,).	example.com
Organization	string	No	The name of the organization. Default: Alibaba Inc.	阿里云
OrganizationUnit	string	No	The name of the department. Default: Alibaba Cloud CDN.	IT
Country	string	No	The country code, such as CN or US.	CN
CommonName	string	Yes	The name of the certificate user. For a server authentication (ServerAuth) certificate, the user is the server. Enter the domain name or IP address of the server.	www.example.com
State	string	No	The name of the province or state where the organization is located. The value supports Chinese and English characters. If you leave this empty, the value from the issuing subordinate CA certificate is used.	Zhejiang
Locality	string	No	The name of the city where the organization is located. The value supports Chinese and English characters. If you leave this empty, the value from the issuing subordinate CA certificate is used.	Hangzhou
Algorithm	string	Yes	The key algorithm of the server-side certificate. The format is `<Encryption Algorithm>_<Key Length>`. Valid values: RSA_1024: The corresponding signature algorithm is Sha256WithRSA. RSA_2048: The corresponding signature algorithm is Sha256WithRSA. RSA_4096: The corresponding signature algorithm is Sha256WithRSA. ECC_256: The corresponding signature algorithm is Sha256WithECDSA. ECC_384: The corresponding signature algorithm is Sha256WithECDSA. ECC_512: The corresponding signature algorithm is Sha256WithECDSA. SM2_256: The corresponding signature algorithm is SM3WithSM2. The encryption algorithm of the server-side certificate must be the same as that of the subordinate CA certificate. The key length can be different. For example, if the key algorithm of the subordinate CA certificate is RSA_2048, the key algorithm for the server-side certificate must be RSA_1024, RSA_2048, or RSA_4096. Note Call DescribeCACertificate to query the key algorithm of the subordinate CA certificate.	RSA_2048
ParentIdentifier	string	Yes	The unique identifier of the subordinate CA certificate that issues this certificate. Note Call DescribeCACertificateList to query the unique identifiers of subordinate CA certificates.	271ae6bb538d538c70c01f81dg3****
Years	integer	No	The validity period of the certificate in years.	1
Months	integer	No	The validity period of the certificate in months.	12
Days	integer	No	The validity period of the server-side certificate, in days. Specify the validity period using at least one of the following parameter combinations: Days BeforeTime and AfterTime Note If you specify Days, BeforeTime, and AfterTime at the same time, the value of Days takes precedence. The validity period of the server-side certificate cannot exceed the validity period of the issuing subordinate CA certificate. Call DescribeCACertificate to view the validity period of the subordinate CA certificate.	365
BeforeTime	integer	No	The time when the certificate is issued. This is a UNIX timestamp in seconds. The default value is the time when you call this operation. Note The BeforeTime and AfterTime parameters must be specified together or left empty together.	1634283958
AfterTime	integer	No	The expiration time of the server-side certificate. This is a UNIX timestamp in seconds. Note The BeforeTime and AfterTime parameters must be specified together or left empty together.	1665819958
Immediately	integer	No	Specifies whether to immediately return the digital certificate. 0: Does not return the certificate. This is the default value. 1: Returns the certificate. 2: Returns the certificate and its certificate chain.	1
EnableCrl	integer	No	Specifies whether to include the Certificate Revocation List (CRL) address. 0: No 1: Yes	1
Tags	array<object>	No	A list of tags.
	object	No	A list of tags.
Key	string	No	The tag key.	account
Value	string	No	The tag value.	test
ResourceGroupId	string	No	The ID of the resource group. Call the ListResources operation to obtain this ID.	test

In addition to the API-specific request parameters in this topic, you must also include common request parameters. For the request format, see the request sample in the Examples section.

Response elements

Element	Type	Description	Example
	object	CreateCertificateResponse
X509Certificate	string	The content of the server-side certificate.	-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----
CertificateChain	string	The CA certificate chain.	-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n
Identifier	string	The unique identifier of the server-side certificate.	160ae6bb538d538c70c01f81dcf2****
SerialNumber	string	The certificate serial number.	084bde9cd233f0ddae33adc438cfbbbd****
RequestId	string	The unique ID of the request. Use this ID to troubleshoot issues.	15C66C7B-671A-4297-9187-2C4477247A74

Examples

Success response

JSON format

{
  "X509Certificate": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n",
  "Identifier": "160ae6bb538d538c70c01f81dcf2****",
  "SerialNumber": "084bde9cd233f0ddae33adc438cfbbbd****",
  "RequestId": "15C66C7B-671A-4297-9187-2C4477247A74"
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.