All Products
Search

This Product

    Certificate Management Service:CreateServerCertificateWithCsr

    Document Center

    Certificate Management Service:CreateServerCertificateWithCsr

    Last Updated:Dec 16, 2025

    Issues a server certificate based on a custom certificate signing request (CSR).

    Operation description

    Before you call this operation, call CreateRootCACertificate to create a root certificate authority (CA) certificate and CreateSubCACertificate to create a subordinate CA certificate. Only subordinate CA certificates can be used to issue server certificates.

    QPS limit

    The queries per second (QPS) limit for a single user is 10 calls per second. If you exceed this limit, API calls are throttled. This may affect your business operations. Plan your calls accordingly.

    Try it now

    Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

    Test

    RAM authorization

    The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

    • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

    • API: The API that you can call to perform the action.

    • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

    • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

      • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

      • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

    • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

    • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

    Action

    Access level

    Resource type

    Condition key

    Dependent action

    yundun-cert:CreateServerCertificateWithCsr

    create

    *All Resource

    *

    		 None None

    Request parameters

    Parameter

    Type

    Required

    Description

    Example
    Csr

    string

    Yes

    The content of the certificate signing request (CSR). Generate a CSR using OpenSSL or Keytool. For more information, see Create a CSR file.

    -----BEGIN CERTIFICATE REQUEST----- ...... -----END CERTIFICATE REQUEST-----
    Domain

    string

    No

    The additional domain names or IP addresses for the server certificate. This lets you apply the certificate to multiple domain names or IP addresses.

    To specify multiple domain names or IP addresses, separate them with commas (,).

    example.com
    Organization

    string

    No

    The name of the organization. The default value is Alibaba Inc.

    阿里云
    OrganizationUnit

    string

    No

    The name of the department. The default value is Aliyun CDN.

    IT
    Country

    string

    No

    The country code, such as CN.

    CN
    CommonName

    string

    No

    The common name of the certificate. Chinese and English characters are supported.

    Note

    If you set the Csr parameter, the value of the CommonName parameter is determined by the information in the Csr parameter.

    mtcsq.com
    State

    string

    No

    The province or state of the organization. The value can contain letters. By default, this is the province or state of the issuing intermediate CA's organization.

    Zhejiang
    Locality

    string

    No

    The city where the organization is located. Chinese and English characters are supported. The default value is the city of the organization that is associated with the issuing subordinate CA certificate.

    Hangzhou
    Algorithm

    string

    No

    The key algorithm of the server certificate. The key algorithm is in the <Encryption algorithm>_<Key length> format. Valid values:

    • RSA_1024: The corresponding signature algorithm is Sha256WithRSA.

    • RSA_2048: The corresponding signature algorithm is Sha256WithRSA.

    • RSA_4096: The corresponding signature algorithm is Sha256WithRSA.

    • ECC_256: The corresponding signature algorithm is Sha256WithECDSA.

    • ECC_384: The corresponding signature algorithm is Sha256WithECDSA.

    • ECC_512: The corresponding signature algorithm is Sha256WithECDSA.

    • SM2_256: The corresponding signature algorithm is SM3WithSM2.

    The encryption algorithm of the server certificate must be the same as that of the subordinate CA certificate, but the key length can be different. For example, if the key algorithm of the subordinate CA certificate is RSA_2048, the key algorithm of the server certificate must be RSA_1024, RSA_2048, or RSA_4096.

    Note

    Call DescribeCACertificate to query the key algorithm of the subordinate CA certificate.

    RSA_2048
    ParentIdentifier

    string

    Yes

    The unique identifier of the subordinate CA certificate that issues the server certificate.

    Note

    Call DescribeCACertificateList to query the unique identifiers of subordinate CA certificates.

    270oe6bb538d538c70c01f81hfd3****
    Years

    integer

    No

    The validity period of the certificate, in years.

    1
    Months

    integer

    No

    The validity period of the certificate, in months.

    12
    Days

    integer

    No

    The validity period of the server certificate, in days. The Days, BeforeTime, and AfterTime parameters cannot all be empty. The BeforeTime and AfterTime parameters must be either both empty or both specified. The following list describes how to set these parameters:

    • If you set the Days parameter, you can optionally set the BeforeTime and AfterTime parameters.

    • If you do not set the Days parameter, you must set the BeforeTime and AfterTime parameters.

    Note

    • If you set the Days, BeforeTime, and AfterTime parameters, the validity period is determined by the Days parameter.

    • The validity period of the server certificate cannot exceed that of the subordinate CA certificate. Call DescribeCACertificate to view the validity period of a subordinate CA certificate.

    365
    BeforeTime

    integer

    No

    The issuance time of the server certificate. This is a UNIX timestamp in seconds. The default value is the time when you call this operation.

    Note

    The BeforeTime and AfterTime parameters must be either both empty or both specified.

    1634283958
    AfterTime

    integer

    No

    The expiration time of the server certificate. This is a UNIX timestamp in seconds.

    Note

    The BeforeTime and AfterTime parameters must be either both empty or both specified.

    1665819958
    Immediately

    integer

    No

    Specifies whether to immediately return the digital certificate.

    • 0: Does not return the certificate. This is the default value.

    • 1: Returns the certificate.

    • 2: Returns the certificate and its certificate chain.

    1
    EnableCrl

    integer

    No

    Specifies whether to include the certificate revocation list (CRL) address.

    0: No

    1: Yes

    1
    Tags

    array<object>

    No

    A list of tags.

    object

    No

    A list of tags.

    Key

    string

    No

    The key of the tag.

    account
    Value

    string

    No

    The value of the tag.

    test
    ResourceGroupId

    string

    No

    The ID of the resource group.

    rg-aek****wia

    You must include the common request parameters for Alibaba Cloud APIs in your request.

    For the request format, see the example in the Examples section.

    Response elements

    Element

    Type

    Description

    Example

    object

    CreateCertificateResponse

    X509Certificate

    string

    The content of the server certificate.

    -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----
    CertificateChain

    string

    The CA certificate chain.

    -----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n......\n-----END CERTIFICATE-----\n
    Identifier

    string

    The unique identifier of the server certificate.

    180ae6bb538d538c70c01f81dcf2****
    SerialNumber

    string

    The certificate serial number.

    084bde9cd233f0ddae33adc438cfbbbd****
    RequestId

    string

    The ID of the request. Alibaba Cloud generates a unique ID for each request. Use this ID to troubleshoot issues.

    55C66C7B-671A-4297-9187-2C4477247A74

    Examples

    Success response

    JSON format

    {
  "X509Certificate": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n-----BEGIN CERTIFICATE-----\\n......\\n-----END CERTIFICATE-----\\n",
  "Identifier": "180ae6bb538d538c70c01f81dcf2****",
  "SerialNumber": "084bde9cd233f0ddae33adc438cfbbbd****",
  "RequestId": "55C66C7B-671A-4297-9187-2C4477247A74"
}

    Error codes

    See Error Codes for a complete list.

    Release notes

    See Release Notes for a complete list.