Help Center/
Cloud Certificate Manager/
Best Practices/
Best Practices for Private Certificate Management/
Best Practices of PCA Code Examples/
Example Code for Managing Private Certificates/
Applying for a Certificate
Updated on 2024-12-17 GMT+08:00
Applying for a Certificate
To apply for a private certificate, you must have a private CA that is in the Activated state.
For details, see Parameters for Applying for a Certificate.
import com.huaweicloud.sdk.ccm.v1.CcmClient; import com.huaweicloud.sdk.ccm.v1.model.CertDistinguishedName; import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateRequest; import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateRequestBody; import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateResponse; import com.huaweicloud.sdk.ccm.v1.model.ExtendedKeyUsage; import com.huaweicloud.sdk.ccm.v1.model.SubjectAlternativeName; import com.huaweicloud.sdk.ccm.v1.model.Validity; import com.huaweicloud.sdk.core.auth.GlobalCredentials; import java.util.ArrayList; import java.util.List; /** * To issue a private certificate, there is at least one private CA in the Activated state. */ public class createCertificateExample { /** * Basic authentication information: * - ACCESS_KEY: access key of the Huawei Cloud account * - SECRET_ACCESS_KEY: secret access key of the Huawei Cloud account * - DOMAIN_ID: Huawei Cloud account ID. * - CCM_ENDPOINT: Endpoint address for accessing Huawei Cloud CCM (PCA is included in CCM). ......*Hard-coded or plaintext AK and SK are risky. For security, encrypt your AK and SK and store them in the configuration file or environment variables. * In this example, the AK and SK are stored in environment variables for identity authentication. Before running this example, configure environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK. */ private static final String ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_AK"); private static final String SECRET_ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_SK"); private static final String DOMAIN_ID = "<DomainID>"; private static final String CCM_ENDPOINT = "<CcmEndpoint>"; public static void main(String[] args) { // 1. Prepare the credentials for accessing Huawei Cloud. PCA is a global service. final GlobalCredentials auth = new GlobalCredentials() .withAk(ACCESS_KEY) .withSk(SECRET_ACCESS_KEY) .withDomainId(DOMAIN_ID); // 2. Initialize the SDK and transfer the credentials and endpoint address of CCM. final CcmClient ccmClient = CcmClient.newBuilder() .withCredential(auth) .withEndpoint(CCM_ENDPOINT).build(); // 3. Make request parameters. // (1) ID of the CA that issues the private certificates. The CA must be in the ACTIVED state. String issuerId = "3a02c7f6-d8f5-497e-9f60-18dfd3eeb4e6"; // (2) Private key algorithm String keyAlgorithm = "RSA2048"; // Signature hash algorithm String signatureAlgorithm = "SHA512"; /* * (4) Determine the certificate validity period. * - type: time type. The options are YEAR, MONTH, DAY, and HOUR. * - value: corresponding value. */ Validity validity = new Validity(); validity.setType("MONTH"); validity.setValue(2); /* * (5) Define the unique identifier of the CA certificate. * - organization: organization name. * - organizationalUnit: department name. * - country: abbreviation of a country. The value can contain only two characters, for example, US for the United States. * - state: province or city name. * - locality: city name. * - commonName: CA name (CN) */ CertDistinguishedName subjectInfo = new CertDistinguishedName(); subjectInfo.setOrganization("your organization"); subjectInfo.setOrganizationalUnit("your organizational unit"); subjectInfo.setCountry("CN"); subjectInfo.setState("your state"); subjectInfo.setLocality("your locality"); subjectInfo.setCommonName("your dns"); /* * (6) Key usage. Generally, only keyAgreement and digitalSignature are specified for server certificates, which are optional. * - digitalSignature: The key is used as a digital signature. * - nonRepudiation: The key is used for non-repudiation. * - keyEncipherment: The key is used to encrypt key data. * - dataEncipherment: The key is used to encrypt data. - **keyAgreement**: The key is used for key negotiation. * - keyCertSign: The key can issue certificates. * - cRLSign: The key can issue a certificate revocation list (CRL). * - encipherOnly: The key is used only for encryption. * - decipherOnly: The key is used only for decryption. */ List<String> keyUsages = new ArrayList<>(); keyUsages.add("digitalSignature"); keyUsages.add("keyAgreement"); /* * (7) Alternative name of the subject: DNS, IP address, URI, and email address are supported currently. This parameter is optional. * SubjectAlternativeName: * type: type * value: corresponding value. */ List<SubjectAlternativeName> subjectAlternativeName = new ArrayList<>(); // a. Add a standby DNS server. SubjectAlternativeName alterNameDNS = new SubjectAlternativeName(); alterNameDNS.setType("DNS"); alterNameDNS.setValue("*.example.com"); subjectAlternativeName.add(alterNameDNS); // b. Add a standby IP address. SubjectAlternativeName alterNameIP = new SubjectAlternativeName(); alterNameIP.setType("IP"); alterNameIP.setValue("127.0.0.1"); subjectAlternativeName.add(alterNameIP); // b. Add a standby email. SubjectAlternativeName alterNameEmail = new SubjectAlternativeName(); alterNameEmail.setType("EMAIL"); alterNameEmail.setValue("myEmail@qq.com"); subjectAlternativeName.add(alterNameEmail); ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(); extendedKeyUsage.setClientAuth(true); extendedKeyUsage.setServerAuth(true); // (8) Assign values to the attributes of the request body. // For details about the restrictions on the value of each attribute, see https://support.huaweicloud.com/en-us/api-ccm/CreateCertificate.html. CreateCertificateRequestBody requestBody = new CreateCertificateRequestBody(); requestBody.setIssuerId(issuerId); requestBody.setKeyAlgorithm(keyAlgorithm); requestBody.setSignatureAlgorithm(signatureAlgorithm); requestBody.setValidity(validity); requestBody.setDistinguishedName(subjectInfo); requestBody.setKeyUsages(keyUsages); requestBody.setSubjectAlternativeNames(subjectAlternativeName); requestBody.setExtendedKeyUsage(extendedKeyUsage); // 4. Construct a request body. CreateCertificateRequest request = new CreateCertificateRequest() .withBody(requestBody); // 5. Start to send the request. CreateCertificateResponse response; try { response = ccmClient.createCertificate(request); } catch (Exception e) { throw new RuntimeException(e.getMessage()); } // 6. Obtain the response message. String certId = response.getCertificateId(); System.out.println(certId); } }
Parent topic: Example Code for Managing Private Certificates
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot