CreateServerCertificateWithCsr - Certificate Management Service

Issues a server-side certificate based on a custom Certificate Signing Request (CSR).

Operation description

Before you call this operation, you must create a root certificate authority (CA) certificate by calling CreateRootCACertificate and a subordinate CA certificate by calling CreateSubCACertificate. Only subordinate CA certificates can issue server-side certificates.

QPS limit

This operation has a queries per second (QPS) limit of 10 calls per second for each user. API calls that exceed this limit are throttled. This may affect your business operations. We recommend that you plan your calls accordingly.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cert:CreateServerCertificateWithCsr

create

*All Resource

*

None

Request parameters

Parameter	Type	Required	Description	Example
Csr	string	Yes	The content of the CSR. Use OpenSSL or Keytool to generate a CSR file. For more information, see How to create a CSR file.	-----BEGIN CERTIFICATE REQUEST----- ...... -----END CERTIFICATE REQUEST-----
Domain	string	No	The additional domain names or IP addresses for the server-side certificate. This lets you apply the certificate to multiple domain names or IP addresses. Enter multiple domain names and IP addresses. To enter multiple values, separate them with a comma (,).	example.com
Organization	string	No	The name of the organization. Default value: Alibaba Inc.	阿里云
OrganizationUnit	string	No	The name of the department. Default value: Alibaba Cloud CDN.	IT
Country	string	No	The country code. For example, CN.	CN
CommonName	string	No	The common name of the certificate. Chinese characters, letters, and other characters are supported. Note If you set the Csr parameter, the common name from the CSR file is used.	mtcsq.com
State	string	No	The name of the province or state where the organization is located. Chinese characters, letters, and other characters are supported. The default value is the province or state of the organization that is associated with the issuing subordinate CA certificate.	Zhejiang
Locality	string	No	The name of the city where the organization is located. Chinese characters, letters, and other characters are supported. The default value is the city of the organization that is associated with the issuing subordinate CA certificate.	Hangzhou
Algorithm	string	No	The key algorithm of the server-side certificate. The key algorithm is in the `<encryption algorithm>_<key length>` format. Valid values: RSA_1024: The signature algorithm is Sha256WithRSA. RSA_2048: The signature algorithm is Sha256WithRSA. RSA_4096: The signature algorithm is Sha256WithRSA. ECC_256: The signature algorithm is Sha256WithECDSA. ECC_384: The signature algorithm is Sha256WithECDSA. ECC_512: The signature algorithm is Sha256WithECDSA. SM2_256: The signature algorithm is SM3WithSM2. The encryption algorithm of the server-side certificate must be the same as the encryption algorithm of the subordinate CA certificate. The key length can be different. For example, if the key algorithm of the subordinate CA certificate is RSA_2048, the key algorithm of the server-side certificate must be RSA_1024, RSA_2048, or RSA_4096. Note Call DescribeCACertificate to query the key algorithm of a subordinate CA certificate.	RSA_2048
ParentIdentifier	string	Yes	The unique identifier of the subordinate CA certificate that issues the certificate. Note Call DescribeCACertificateList to query the unique identifiers of subordinate CA certificates.	270oe6bb538d538c70c01f81hfd3****
Years	integer	No	The validity period of the certificate in years.	1
Months	integer	No	The validity period of the certificate in months.	12
Days	integer	No	The validity period of the server-side certificate in days. The Days, BeforeTime, and AfterTime parameters cannot be all empty. The BeforeTime and AfterTime parameters must be both empty or both specified. The following list describes how to set these parameters: If you set the Days parameter, you can specify the BeforeTime and AfterTime parameters or leave them empty. If you do not set the Days parameter, you must specify the BeforeTime and AfterTime parameters. Note If you set the Days, BeforeTime, and AfterTime parameters at the same time, the validity period of the server-side certificate is determined by the value of the Days parameter. The validity period of the server-side certificate cannot exceed the validity period of the subordinate CA certificate. Call DescribeCACertificate to view the validity period of a subordinate CA certificate.	365
BeforeTime	integer	No	The time when the server-side certificate is issued. This value is a UNIX timestamp. The default value is the time when you call this operation. Unit: seconds. Note The BeforeTime and AfterTime parameters must be both empty or both specified.	1634283958
AfterTime	integer	No	The time when the server-side certificate expires. This value is a UNIX timestamp. Unit: seconds. Note The BeforeTime and AfterTime parameters must be both empty or both specified.	1665819958
Immediately	integer	No	Specifies whether to return the digital certificate immediately. 0: Does not return the certificate. This is the default value. 1: Returns the certificate. 2: Returns the certificate and its certificate chain.	1
EnableCrl	integer	No	Specifies whether to include the certificate revocation list (CRL) address. 0: No 1: Yes	1
Tags	array<object>	No	The list of tags.
	object	No	The list of tags.
Key	string	No	The tag key.	account
Value	string	No	The value of the tag.	test
ResourceGroupId	string	No	The ID of the resource group.	rg-aek****wia

In addition to the parameters described in this topic, you must specify common request parameters when you call this API operation. For information about the request format, see the request example in the Examples section of this topic.

For the API request format, see the Example section of this topic.

Response elements

Element	Type	Description	Example
	object	CreateCertificateResponse.
X509Certificate	string	The content of the server-side certificate.	-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----
CertificateChain	string	The CA certificate chain.	-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n
Identifier	string	The unique identifier of the server-side certificate.	180ae6bb538d538c70c01f81dcf2****
SerialNumber	string	The certificate serial number.	084bde9cd233f0ddae33adc438cfbbbd****
RequestId	string	The ID of the request. Alibaba Cloud generates a unique ID for each request. You can use the ID to troubleshoot issues.	55C66C7B-671A-4297-9187-2C4477247A74

Examples

Success response

JSON format

{
  "X509Certificate": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n",
  "Identifier": "180ae6bb538d538c70c01f81dcf2****",
  "SerialNumber": "084bde9cd233f0ddae33adc438cfbbbd****",
  "RequestId": "55C66C7B-671A-4297-9187-2C4477247A74"
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.