CreateExternalCACertificate

更新时间:
复制 MD 格式

Create and issue an external subordinate CA certificate using a CSR and API parameters.

Operation description

Request

  • Creates an external subordinate CA certificate from a certificate signing request (CSR) and optional API pass-through parameters.

  • The required InstanceId parameter specifies the instance ID of the external subordinate CA.

  • The Csr parameter must contain a valid certificate signing request.

  • The Validity parameter specifies the certificate's validity period and accepts values in either relative or absolute time formats.

  • The ApiPassthrough parameter lets you override information in the CSR, such as subject information, or add certificate extensions.

  • Note: For end-entity CA certificates, set the pathLenConstraint parameter to 0.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cert:CreateExternalCACertificate

create

*All Resource

*

None None

Request parameters

Parameter

Type

Required

Description

Example

InstanceId

string

No

The ID of the external subordinate CA instance.

cas_deposit-cn-1234abcd

Csr

string

No

The certificate signing request (CSR). The CSR can contain information such as the SubjectDN and custom extensions for the CA certificate. The CA generates the SubjectKeyIdentifier, AuthorityKeyIdentifier, and CRLDistributionPoints extensions, ignoring any corresponding values in the CSR.

-----BEGIN CERTIFICATE REQUEST----- MIIBczCCARgCAQAwgYoxFDASBgNVBAMMC2FsaXl1bi50ZXN0MQ0wCwYDVQQ ... vbIgMQIhAKHDWD6/WAMbtezAt4bysJ/BZIDz1jPWuUR5GV4TJ/mS -----END CERTIFICATE REQUEST-----

Validity

string

No

The certificate validity period. You can specify this using either relative or absolute time.

Note

Relative time: Supported units are year, month, and day.

  • y - year

  • m - month

  • d - day

Note

Absolute time: Use GMT time in the yyyy-MM-dd'T'HH:mm:ss'Z' format.

  • To specify only the expiration time, use $NotAfter.

  • To specify both the start and expiration times, use $NotBefore/$NotAfter.

10y

ApiPassthrough

object

No

Specifies API parameters that override content from the CSR or add information to the CA certificate.

Subject

object

No

The subject information for the CA certificate. If specified, this value overwrites the SubjectDN from the CSR.

Country

string

No

The two-letter country code (ISO 3166-1).

CN

State

string

No

The state or province.

Zhejiang

Locality

string

No

The city or region.

Hangzhou

Organization

string

No

The organization or company.

Alibaba

OrganizationUnit

string

No

The organizational subdivision, such as a department, team, project group, or branch.

Cloud Security

CommonName

string

No

The name of the CA certificate.

Testing CA

Extensions

object

No

Specifies the extensions for the CA certificate. If specified, these values override the corresponding extensions in the CSR or are added to the CA certificate.

PathLenConstraint

integer

No

The certificate path length constraint. For an end-entity CA, set this parameter to 0. A value of 0 indicates the CA will issue end-entity certificates.

0

ExtendedKeyUsages

array

No

The extended key usages.

string

No

Valid values:

  • any: No restrictions

  • serverAuth: Server authentication

  • clientAuth: Client authentication

  • codeSigning: Code signing

  • emailProtection: Email protection

  • timeStamping: Timestamping

  • OCSPSigning: OCSP signing

  • Any other valid object identifier (OID) for an extended key usage.

Valid values:

  • codeSigning :

    codeSigning

  • emailProtection :

    emailProtection

  • serverAuth :

    serverAuth

  • timeStamping :

    timeStamping

  • any :

    any

  • clientAuth :

    clientAuth

  • OCSPSigning :

    OCSPSigning

serverAuth

Tags

array<object>

No

The tags to add to the certificate.

object

No

A key-value pair that represents a single tag.

Key

string

No

The tag's key.

database

Value

string

No

The tag's value.

1

ResourceGroupId

string

No

The ID of the resource group.

test

Response elements

Element

Type

Description

Example

object

OpenApiResponse

RequestId

string

The request ID.

12345678-1234-1234-1234-123456789ABC

Identifier

string

The unique identifier for the certificate.

1ed4068c-6f1b-6deb-8e32-3f8439a851cb

Certificate

string

The content of the certificate.

-----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ ... ... ... KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE-----

CertificateChain

string

The CA certificate chain.

-----BEGIN CERTIFICATE----- ... ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... ... -----END CERTIFICATE-----

Examples

Success response

JSON format

{
  "RequestId": "12345678-1234-1234-1234-123456789ABC",
  "Identifier": "1ed4068c-6f1b-6deb-8e32-3f8439a851cb",
  "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/\n...\n...\n...\nKOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==\n-----END CERTIFICATE-----\n",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\n...\n...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n...\n...\n-----END CERTIFICATE-----\n"
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.