Certificate Management Service: DescribeCACertificate

Last Updated: Dec 16, 2025

Queries the details of a CA certificate.

Operation description

You can call this operation to query the details of a root or subordinate CA certificate by its unique identifier. The details include the serial number, subject information, and certificate content.

Before you call this operation, you must create a root CA certificate by calling CreateRootCACertificate and a subordinate CA certificate by calling CreateSubCACertificate.

QPS limit

The queries per second (QPS) limit for this operation is 10 calls per second for each user. If you exceed the limit, API calls are throttled, which can affect your business. Plan your calls accordingly.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
|---|---|---|---|---|
| yundun-cert:DescribeCACertificate | get | *All Resource (Resource: *) | None | None |

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| Identifier | string | No | The unique identifier of the CA certificate to query. Note: Call DescribeCACertificateList to query the unique identifiers of all CA certificates. | 160ae6bb538d538c70c01f81dcf2**** |

Response elements

| Element | Type | Description | Example |
|---|---|---|---|
| | object | DescribeCertificateResponse. | |
| Certificate | object | The details of the CA certificate. | |
| CertificateType | string | The type of the CA certificate. Valid values: ROOT (a root CA certificate), SUB_ROOT (a subordinate CA certificate). | SUB_ROOT |
| X509Certificate | string | The content of the CA certificate. | -----BEGIN CERTIFICATE----- …… -----END CERTIFICATE----- |
| Identifier | string | The unique identifier of the CA certificate. | 160ae6bb538d538c70c01f81dcf2**** |
| SerialNumber | string | The serial number of the CA certificate. | 70e3b2566d92805173767869727fb92e**** |
| SubjectDN | string | The subject of the CA certificate. It contains the following information: C (the country code of the organization), O (the name of the organization), OU (the department of the organization), L (the city where the organization is located), ST (the province or state where the organization is located), CN (the common name or abbreviation of the organization). | C=CN,O=aliyun,OU=Security,L=Hangzhou,ST=Zhejiang,CN=Aliyun |
| CommonName | string | The common name or abbreviation of the organization that is associated with the CA certificate. | Aliyun |
| OrganizationUnit | string | The name of the department in the organization that is associated with the CA certificate. | Security |
| Organization | string | The name of the organization that is associated with the CA certificate. | aliyun |
| Locality | string | The name of the city where the organization associated with the CA certificate is located. | Hangzhou |
| State | string | The name of the province or state where the organization associated with the CA certificate is located. | Zhejiang |
| CountryCode | string | The country code of the organization that is associated with the CA certificate. For more information about country codes, see the International codes section in Manage company information. | CN |
| Sans | string | This parameter is deprecated. | 1 |
| Status | string | The status of the CA certificate. Valid values: ISSUE (the certificate is issued), REVOKE (the certificate is revoked). | ISSUE |
| Algorithm | string | The type of the encryption algorithm of the CA certificate. Valid values: RSA (the RSA algorithm), ECC (the ECC algorithm), SM2 (the SM2 algorithm). | RSA |
| KeySize | integer | The key length of the CA certificate. | 2048 |
| SignAlgorithm | string | The signature algorithm of the CA certificate. | SHA256WITHRSA |
| BeforeDate | integer | The date when the CA certificate was issued. This is a UNIX timestamp. Unit: milliseconds. | 1634283958000 |
| AfterDate | integer | The date when the CA certificate expires. This is a UNIX timestamp. Unit: milliseconds. | 1665819958000 |
| ParentIdentifier | string | The unique identifier of the root CA certificate that issued the CA certificate. Note: This parameter is returned only when CertificateType is SUB_ROOT, which indicates a subordinate CA certificate. | 1a83bcbb89e562885e40aa0108f5**** |
| Sha2 | string | The SHA-256 fingerprint of the CA certificate. | 14dcc8afc7578e1fcec36d658f7e20de18f6957bbac42b373a66bc9de4e9**** |
| Md5 | string | The MD5 fingerprint of the CA certificate. | 160ae6bb538d538c70c01f81dcf2**** |
| CrlStatus | string | The status of the Certificate Revocation List (CRL). | ACTIVE |
| CrlUrl | string | The CRL URL. | https://crl-cn-publish.oss-cn-hangzhou.aliyuncs.com/pca/crl/1925647866611395/1ed40789-483f-6023-b6b8-29ddd3bb0a9a.crl |
| CertTotalCount | integer | The total certificate quota you purchased. | 40 |
| CertRemainingCount | integer | The number of remaining certificates that can be issued. | 30 |
| CertIssuedCount | integer | The number of certificates that the private CA instance has issued. | 10 |
| CaCertChain | string | The complete certificate chain. | -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- |
| CrlDay | integer | The validity period of the CRL. Valid values: 1 to 365. Unit: days. | 90 |
| IssuerType | string | The issuer of the CA. Valid values: local (a private certificate), iTrusChina (a compliance CA), external (an imported certificate). | local |
| Years | integer | The validity period of the CA certificate. Unit: years. | 1 |
| FullAlgorithm | string | The algorithm and its key length. | RSA_2048 |
| ResourceGroupId | string | The ID of the resource group to which the certificate belongs. | rg-aek2pxd7ekpoo2y |
| ClusterId | string | The ID of the hardware security module (HSM) cluster. This parameter is available when the CA is enabled using an HSM. | XXX-id |
| KeyIndex | integer | The index of the key in the HSM. This parameter is available when the CA is enabled using an HSM. | 8 |
| Tags | array<object> | The list of tags. | |
| | object | A tag. | |
| TagKey | string | The key of the tag. | 使用状态 |
| TagValue | string | The value of the tag. | BMS |
| RequestId | string | The ID of the request. | 15C66C7B-671A-4297-9187-2C4477247A74 |
| Years | integer | The validity period of the CA certificate. Unit: years. | 10 |

Examples

Success response

JSON format

{
  "Certificate": {
    "CertificateType": "SUB_ROOT",
    "X509Certificate": "-----BEGIN CERTIFICATE----- …… -----END CERTIFICATE-----",
    "Identifier": "160ae6bb538d538c70c01f81dcf2****",
    "SerialNumber": "70e3b2566d92805173767869727fb92e****",
    "SubjectDN": "C=CN,O=aliyun,OU=Security,L=Hangzhou,ST=Zhejiang,CN=Aliyun",
    "CommonName": "Aliyun",
    "OrganizationUnit": "Security",
    "Organization": "aliyun",
    "Locality": "Hangzhou",
    "State": "Zhejiang",
    "CountryCode": "CN",
    "Sans": "1",
    "Status": "ISSUE",
    "Algorithm": "RSA",
    "KeySize": 2048,
    "SignAlgorithm": "SHA256WITHRSA",
    "BeforeDate": 1634283958000,
    "AfterDate": 1665819958000,
    "ParentIdentifier": "1a83bcbb89e562885e40aa0108f5****",
    "Sha2": "14dcc8afc7578e1fcec36d658f7e20de18f6957bbac42b373a66bc9de4e9****",
    "Md5": "160ae6bb538d538c70c01f81dcf2****",
    "CrlStatus": "ACTIVE",
    "CrlUrl": "https://crl-cn-publish.oss-cn-hangzhou.aliyuncs.com/pca/crl/1925647866611395/1ed40789-483f-6023-b6b8-29ddd3bb0a9a.crl",
    "CertTotalCount": 40,
    "CertRemainingCount": 30,
    "CertIssuedCount": 10,
    "CaCertChain": "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n\n-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n\n-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----",
    "CrlDay": 90,
    "IssuerType": "local",
    "Years": 1,
    "FullAlgorithm": "RSA_2048",
    "ResourceGroupId": "rg-aek2pxd7ekpoo2y",
    "ClusterId": "XXX-id",
    "KeyIndex": 8,
    "Tags": [
      {
        "TagKey": "使用状态",
        "TagValue": "BMS"
      }
    ]
  },
  "RequestId": "15C66C7B-671A-4297-9187-2C4477247A74",
  "Years": 10
}
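
The following is an added example, not part of the original API reference or of any Alibaba Cloud SDK: a Python audit over the response fields documented above (Status, BeforeDate/AfterDate in milliseconds, KeySize, SignAlgorithm, ParentIdentifier, CertRemainingCount). The names `audit_ca` and `ms_to_utc`, the finding codes, the key-size floors and the 90-day warning window are assumptions; the input is a constructed, trimmed copy of the example response.

```python
from datetime import datetime, timezone

DAY_MS = 86_400_000
# Assumed local policy floors per Algorithm value; the API does not define these.
MIN_KEY_BITS = {"RSA": 2048, "ECC": 256, "SM2": 256}

# Constructed input: the page's example response, trimmed to the fields checked.
SAMPLE = {"Certificate": {
    "CertificateType": "SUB_ROOT", "Status": "ISSUE",
    "Algorithm": "RSA", "KeySize": 2048, "SignAlgorithm": "SHA256WITHRSA",
    "BeforeDate": 1634283958000, "AfterDate": 1665819958000,
    "ParentIdentifier": "1a83bcbb89e562885e40aa0108f5****",
    "CertTotalCount": 40, "CertRemainingCount": 30,
}}

def ms_to_utc(ms):
    """BeforeDate/AfterDate are UNIX timestamps in milliseconds, not seconds."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def audit_ca(response, now_ms, warn_days=90):
    """Return a sorted list of finding codes for one response body (dict)."""
    cert = response["Certificate"]
    findings = set()
    if cert.get("Status") == "REVOKE":
        findings.add("REVOKED")
    if now_ms < cert["BeforeDate"]:
        findings.add("NOT_YET_VALID")
    if now_ms >= cert["AfterDate"]:
        findings.add("EXPIRED")
    elif cert["AfterDate"] - now_ms < warn_days * DAY_MS:
        findings.add("EXPIRES_SOON")
    if cert.get("KeySize", 0) < MIN_KEY_BITS.get(cert.get("Algorithm"), 0):
        findings.add("WEAK_KEY")
    # Assumption: legacy digests appear as a SHA1/MD5 prefix, in the same
    # style as the page's SHA256WITHRSA example value.
    if cert.get("SignAlgorithm", "").upper().startswith(("SHA1", "MD5")):
        findings.add("WEAK_SIGNATURE")
    # ParentIdentifier is returned only for SUB_ROOT; its absence there means
    # the subordinate CA cannot be tied back to its issuing root.
    if cert.get("CertificateType") == "SUB_ROOT" and not cert.get("ParentIdentifier"):
        findings.add("MISSING_PARENT")
    if cert.get("CertRemainingCount") == 0:
        findings.add("QUOTA_EXHAUSTED")
    return sorted(findings)

if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp() * 1000)
    print(ms_to_utc(SAMPLE["Certificate"]["AfterDate"]).isoformat(), audit_ca(SAMPLE, now))
```
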

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.