更新时间:2024-10-09 GMT+08:00
申请证书
请求签发私有证书,需要拥有处于“已激活”状态的私有CA。
相关参数详情请参见申请证书参数说明。
import com.huaweicloud.sdk.ccm.v1.CcmClient; import com.huaweicloud.sdk.ccm.v1.model.CertDistinguishedName; import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateRequest; import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateRequestBody; import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateResponse; import com.huaweicloud.sdk.ccm.v1.model.ExtendedKeyUsage; import com.huaweicloud.sdk.ccm.v1.model.SubjectAlternativeName; import com.huaweicloud.sdk.ccm.v1.model.Validity; import com.huaweicloud.sdk.core.auth.GlobalCredentials; import java.util.ArrayList; import java.util.List; /** * 签发私有证书,需要拥有处于激活状态的私有CA */ public class createCertificateExample { /** * 基础认证信息: * - ACCESS_KEY: 华为云账号Access Key * - SECRET_ACCESS_KEY: 华为云账号Secret Access Key * - DOMAIN_ID: 华为云账号ID * - CCM_ENDPOINT: 华为云CCM服务(PCA属于CCM下的微服务)访问终端地址 * 认证使用的ak和sk硬编到代码中或明文存储存在较大安全风险,建议在配置文件或环境变量中密文存放,使用时解密,确保安全; * 本示例ak和sk保存在环境变量中为例,运行本示例前请先在本地环境中设置环境变量HUAWEICLOUD_SDK_AK和HUAWEICLOUD_SDK_SK。 */ private static final String ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_AK"); private static final String SECRET_ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_SK"); private static final String DOMAIN_ID = "<DomainID>"; private static final String CCM_ENDPOINT = "<CcmEndpoint>"; public static void main(String[] args) { // 1.准备访问华为云的认证信息,PCA为全局服务 final GlobalCredentials auth = new GlobalCredentials() .withAk(ACCESS_KEY) .withSk(SECRET_ACCESS_KEY) .withDomainId(DOMAIN_ID); // 2.初始化SDK,传入认证信息及CCM服务的访问终端地址 final CcmClient ccmClient = CcmClient.newBuilder() .withCredential(auth) .withEndpoint(CCM_ENDPOINT).build(); // 3、构造请求参数 // (1)用于签发证书的CA的ID,该CA需要处于激活状态(ACTIVED) String issuerId = "3a02c7f6-d8f5-497e-9f60-18dfd3eeb4e6"; // (2)证书密钥算法 String keyAlgorithm = "RSA2048"; // (3)签名哈希算法 String signatureAlgorithm = "SHA512"; /* * (4)证书有效期定义 * - type: 时间类型,可选:"YEAR"、"MONTH"、"DAY"、"HOUR" * - value: 对应的值 */ Validity validity = new Validity(); validity.setType("MONTH"); validity.setValue(2); /* * (5)定义CA证书的唯一标识信息 * - organization: 组织名称 * - organizationalUnit: 部门名称 * - country: 国家缩写,仅限两个字符,如中国-CN * - state: 省市名称 * - locality: 城市名称 * - commonName: CA名称(CN) */ CertDistinguishedName subjectInfo = new CertDistinguishedName(); subjectInfo.setOrganization("your organization"); subjectInfo.setOrganizationalUnit("your organizational unit"); subjectInfo.setCountry("CN"); subjectInfo.setState("your state"); subjectInfo.setLocality("your locality"); subjectInfo.setCommonName("your dns"); /* * (6)密钥用法,服务器证书通常只赋予keyAgreement与digitalSignature,为可选值 * - digitalSignature : 数字签名; * - nonRepudiation : 不可抵赖; * - keyEncipherment : 密钥用于加密密钥数据; * - dataEncipherment : 用于加密数据; * - keyAgreement : 密钥协商; * - keyCertSign : 签发证书; * - cRLSign : 签发吊销列表; * - encipherOnly : 仅用于加密; * - decipherOnly : 仅用于解密。 */ List<String> keyUsages = new ArrayList<>(); keyUsages.add("digitalSignature"); keyUsages.add("keyAgreement"); /* * (7)主体备用名称: 暂时支持DNS、IP、URI与EMAIL,为可选值 * SubjectAlternativeName: * type:类型 * value:对应值 */ List<SubjectAlternativeName> subjectAlternativeName = new ArrayList<>(); // a、添加备用DNS SubjectAlternativeName alterNameDNS = new SubjectAlternativeName(); alterNameDNS.setType("DNS"); alterNameDNS.setValue("*.example.com"); subjectAlternativeName.add(alterNameDNS); // b、添加备用IP SubjectAlternativeName alterNameIP = new SubjectAlternativeName(); alterNameIP.setType("IP"); alterNameIP.setValue("127.0.0.1"); subjectAlternativeName.add(alterNameIP); // b、添加备用email SubjectAlternativeName alterNameEmail = new SubjectAlternativeName(); alterNameEmail.setType("EMAIL"); alterNameEmail.setValue("myEmail@qq.com"); subjectAlternativeName.add(alterNameEmail); ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(); extendedKeyUsage.setClientAuth(true); extendedKeyUsage.setServerAuth(true); // (8)请求体各属性赋值 // 各属性的取值约束,请查阅:https://support.huaweicloud.com/api-ccm/CreateCertificate.html CreateCertificateRequestBody requestBody = new CreateCertificateRequestBody(); requestBody.setIssuerId(issuerId); requestBody.setKeyAlgorithm(keyAlgorithm); requestBody.setSignatureAlgorithm(signatureAlgorithm); requestBody.setValidity(validity); requestBody.setDistinguishedName(subjectInfo); requestBody.setKeyUsages(keyUsages); requestBody.setSubjectAlternativeNames(subjectAlternativeName); requestBody.setExtendedKeyUsage(extendedKeyUsage); // 4、构造请求体 CreateCertificateRequest request = new CreateCertificateRequest() .withBody(requestBody); // 5、开始发起请求 CreateCertificateResponse response; try { response = ccmClient.createCertificate(request); } catch (Exception e) { throw new RuntimeException(e.getMessage()); } // 6、获取响应消息 String certId = response.getCertificateId(); System.out.println(certId); } }
父主题: 私有证书管理代码示例