Create and issue an external subordinate CA certificate using a CSR and API parameters.
Operation description
Request
Creates an external subordinate CA certificate from a certificate signing request (CSR) and optional API pass-through parameters.
The required
InstanceIdparameter specifies the instance ID of the external subordinate CA.The
Csrparameter must contain a valid certificate signing request.The
Validityparameter specifies the certificate's validity period and accepts values in either relative or absolute time formats.The
ApiPassthroughparameter lets you override information in the CSR, such as subject information, or add certificate extensions.Note: For end-entity CA certificates, set the
pathLenConstraintparameter to 0.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
yundun-cert:CreateExternalCACertificate |
create |
*All Resource
|
None | None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| InstanceId |
string |
No |
The ID of the external subordinate CA instance. |
cas_deposit-cn-1234abcd |
| Csr |
string |
No |
The certificate signing request (CSR). The CSR can contain information such as the SubjectDN and custom extensions for the CA certificate. The CA generates the SubjectKeyIdentifier, AuthorityKeyIdentifier, and CRLDistributionPoints extensions, ignoring any corresponding values in the CSR. |
-----BEGIN CERTIFICATE REQUEST----- MIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ ... vbIgMQIhAKHDWD6/WAMbtezAt4bysJ/BZIDz1jPWuUR5GV4TJ/mS -----END CERTIFICATE REQUEST----- |
| Validity |
string |
No |
The certificate validity period. You can specify this using either relative or absolute time. Note
Relative time: Supported units are year, month, and day.
Note
Absolute time: Use GMT time in the
|
10y |
| ApiPassthrough |
object |
No |
Specifies API parameters that override content from the CSR or add information to the CA certificate. |
|
| Subject |
object |
No |
The subject information for the CA certificate. If specified, this value overwrites the SubjectDN from the CSR. |
|
| Country |
string |
No |
The two-letter country code (ISO 3166-1). |
CN |
| State |
string |
No |
The state or province. |
Zhejiang |
| Locality |
string |
No |
The city or region. |
Hangzhou |
| Organization |
string |
No |
The organization or company. |
Alibaba |
| OrganizationUnit |
string |
No |
The organizational subdivision, such as a department, team, project group, or branch. |
Cloud Security |
| CommonName |
string |
No |
The name of the CA certificate. |
Testing CA |
| Extensions |
object |
No |
Specifies the extensions for the CA certificate. If specified, these values override the corresponding extensions in the CSR or are added to the CA certificate. |
|
| PathLenConstraint |
integer |
No |
The certificate path length constraint. For an end-entity CA, set this parameter to 0. A value of 0 indicates the CA will issue end-entity certificates. |
0 |
| ExtendedKeyUsages |
array |
No |
The extended key usages. |
|
|
string |
No |
Valid values:
Valid values:
|
serverAuth |
|
| Tags |
array<object> |
No |
The tags to add to the certificate. |
|
|
object |
No |
A key-value pair that represents a single tag. |
||
| Key |
string |
No |
The tag's key. |
database |
| Value |
string |
No |
The tag's value. |
1 |
| ResourceGroupId |
string |
No |
The ID of the resource group. |
test |
Response elements
|
Element |
Type |
Description |
Example |
|
object |
OpenApiResponse |
||
| RequestId |
string |
The request ID. |
12345678-1234-1234-1234-123456789ABC |
| Identifier |
string |
The unique identifier for the certificate. |
1ed4068c-6f1b-6deb-8e32-3f8439a851cb |
| Certificate |
string |
The content of the certificate. |
-----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ ... ... ... KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE----- |
| CertificateChain |
string |
The CA certificate chain. |
-----BEGIN CERTIFICATE----- ... ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... ... -----END CERTIFICATE----- |
Examples
Success response
JSON format
{
"RequestId": "12345678-1234-1234-1234-123456789ABC",
"Identifier": "1ed4068c-6f1b-6deb-8e32-3f8439a851cb",
"Certificate": "-----BEGIN CERTIFICATE-----\nMIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/\n...\n...\n...\nKOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==\n-----END CERTIFICATE-----\n",
"CertificateChain": "-----BEGIN CERTIFICATE-----\n...\n...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n...\n...\n-----END CERTIFICATE-----\n"
}
Error codes
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.