Updated on 2025-11-28 GMT+08:00

Creating a CA

Function

A CA can be created in one of three modes:

  • Creating a root CA: all mandatory parameters must be specified.

  • Creating a subordinate CA and activating it: all mandatory parameters must be specified.

  • Creating a subordinate CA without activating it: the request body does not need to include issuer_id, signature_algorithm or validity. These are supplied later, when the subordinate CA is activated.

Debugging

You can debug this API through automatic authentication in API Explorer or use the SDK sample code generated by API Explorer.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, the following identity policy-based permissions are required.

    Action: pca:ca:create

    Access Level: Write

    Resource Type (*: required): ca *

    Condition Key: none for the ca resource type. When the action is authorized without a resource type (-), the following condition keys apply:

    • g:EnterpriseProjectId

    • g:RequestTag/<tag-key>

    • g:TagKeys

    Alias: -

    Dependencies: -

URI

POST /v1/private-certificate-authorities

Request Parameters

Table 1 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

User token. For details, see Obtaining a User Token (https://support.huaweicloud.com/intl/en-us/api-iam/iam_30_0001.html).

Table 2 Request body parameters

Parameter

Mandatory

Type

Description

type

Yes

String

Type of the CA you want to create:

  • ROOT: root CA

  • SUBORDINATE: subordinate CA

distinguished_name

Yes

DistinguishedName object

Subject distinguished name of the CA certificate. For details, see Table 3 DistinguishedName.

key_algorithm

Yes

String

Key algorithm. The options are as follows:

  • RSA2048: RSA algorithm. The key length is 2048 bits.

  • RSA4096: RSA algorithm. The key length is 4096 bits.

  • EC256: Elliptic Curve Digital Signature Algorithm (ECDSA). The key length is 256 bits.

  • EC384: Elliptic Curve Digital Signature Algorithm (ECDSA). The key length is 384 bits.

  • SM2: Elliptic curve algorithm (signature hash algorithm SM3) issued by the China State Cryptography Administration. The key length is 256 bits. (Huawei Cloud Chinese Mainland website)

validity

No

Validity object

Validity period of the CA certificate. Whether it is mandatory depends on the creation mode:

  • Mandatory when you create a root CA.

  • Mandatory when you create and activate a subordinate CA.

  • Can be omitted when you create a subordinate CA without activating it. You must then specify it when you activate the subordinate CA later.

NOTE:

For details, see Table 4 Validity.

hsm_cluster_info

No

HsmClusterInfo object

HSM cluster information. Protecting the CA key with an HSM cluster is available only to whitelisted users.

For details, see Table 5 HsmClusterInfo.

issuer_id

No

String

ID of the parent (issuing) CA. Whether it is mandatory depends on the creation mode:

  • Can be omitted when you create a root CA: a root CA certificate is self-signed and has no parent CA.

  • Mandatory when you create and activate a subordinate CA.

  • Can be omitted when you create a subordinate CA without activating it. You must then specify it when you activate the subordinate CA later.

Minimum: 36

Maximum: 36

path_length

No

Integer

Length of the CA certificate path (the pathLenConstraint of the basic constraints extension), that is, the maximum number of subordinate CAs that may be chained below this CA. Whether it is required depends on the creation mode:

  • If you want to create a root CA, this parameter is not required. If it is omitted, the path length is not limited and subordinate CAs can be chained to any depth below the root. Limit the depth of the hierarchy by setting path_length on the subordinate CAs instead.

  • If you want to create and activate a subordinate CA, this parameter is customizable. If you do not specify it, 0 is used by default, which means the subordinate CA can issue end-entity certificates only and cannot issue further subordinate CAs.

  • If you want to create a subordinate CA without activating it, this parameter can be omitted. You must then specify it when you activate the subordinate CA later.

Minimum: 0

Maximum: 6

signature_algorithm

No

String

Signature hash algorithm. Whether it is mandatory depends on the creation mode:

  • Mandatory when you create a root CA.

  • Mandatory when you create and activate a subordinate CA.

  • Can be omitted when you create a subordinate CA without activating it. You must then specify it when you activate the subordinate CA later.

The options are as follows:

  • SHA256

  • SHA384

  • SHA512

  • SM3 (Huawei Cloud Chinese Mainland website only; used with the SM2 key algorithm)

key_usages

No

Array of strings

Key usage. For details, see RFC 5280, section 4.2.1.3 (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3).

  • digitalSignature: verifying digital signatures.

  • nonRepudiation: non-repudiation.

  • keyEncipherment: enciphering keys (key transport).

  • dataEncipherment: enciphering data directly.

  • keyAgreement: key agreement.

  • keyCertSign: signing (issuing) certificates.

  • cRLSign: signing certificate revocation lists.

  • encipherOnly: together with keyAgreement, the key may be used only to encipher data during key agreement.

  • decipherOnly: together with keyAgreement, the key may be used only to decipher data during key agreement.

RFC 5280 leaves encipherOnly and decipherOnly undefined unless keyAgreement is also set.

NOTE:

  • Root CA certificate: the value is fixed to [digitalSignature,keyCertSign,cRLSign]. Any value you specify is ignored.

  • Subordinate CA certificate: the default value is [digitalSignature,keyCertSign,cRLSign]. You can customize the value.

crl_configuration

No

CrlConfiguration object

Certificate CRL. For details, see data structure for the CrlConfiguration field.

enterprise_project_id

No

String

Enterprise project ID. If the enterprise project function is not enabled, this parameter is not required. If it is enabled and the parameter is omitted, the value all is used, that is, all enterprise projects that you have permissions for. The value must be one of the following:

  • all

  • 0

  • A value matching the regular expression ^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$

ca_id

No

String

ID of a CA certificate. Leave this parameter empty to create a pay-per-use CA. If it is set, the information of the corresponding yearly/monthly CA is saved.

Minimum: 36

Maximum: 36
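The path_length parameter in Table 2 is the pathLenConstraint of RFC 5280. The following Python is added here as an illustration and is not part of the Huawei Cloud documentation or SDKs: it models a planned hierarchy as a list of CAs (root first, ending with the CA that will issue end-entity certificates) and applies the path-length bookkeeping of RFC 5280 section 6.1.4 (steps l and m) to show which hierarchies a given set of path_length values permits. plan_path_lengths derives the value each tier should set to bound a hierarchy to an exact depth, which is the approach the page recommends for limiting depth below an unconstrained root. The CA names and the dict layout are the example's own.

```python
"""Path-length planning for a private CA hierarchy (added example).

Each CA is modelled as {"name": str, "path_length": int | None}; None means the CA
was created without path_length (unconstrained), as the page allows for a root CA.
"""

PATH_LENGTH_MAX = 6  # upper bound accepted by the API (Table 2)


def chain_depth_ok(cas):
    """Check a chain root -> ... -> issuing CA against every CA's path_length.

    RFC 5280 section 6.1.4 bookkeeping: each non-self-issued CA consumes one unit of
    the remaining budget (step l), then its own path_length lowers the budget if it is
    smaller (step m). The end-entity certificate issued by the last CA is implied and
    consumes no budget. Returns (ok, reason).
    """
    max_path_length = None  # None = unconstrained so far
    for depth, ca in enumerate(cas):
        if depth > 0:  # the self-signed root does not consume budget
            if max_path_length == 0:
                return False, f"{ca['name']} would exceed an ancestor's path_length"
            if max_path_length is not None:
                max_path_length -= 1
        own = ca.get("path_length")
        if own is not None:
            if not 0 <= own <= PATH_LENGTH_MAX:
                return False, f"{ca['name']}: path_length {own} outside 0..{PATH_LENGTH_MAX}"
            if max_path_length is None or own < max_path_length:
                max_path_length = own
    return True, "ok"


def plan_path_lengths(tiers):
    """path_length for each subordinate tier so that exactly `tiers` levels of
    subordinate CAs fit below the root: the first tier gets tiers-1, the issuing
    tier gets 0 (end-entity certificates only)."""
    if tiers < 1 or tiers - 1 > PATH_LENGTH_MAX:
        raise ValueError(f"tiers must be 1..{PATH_LENGTH_MAX + 1}")
    return [tiers - 1 - i for i in range(tiers)]


if __name__ == "__main__":
    # Constructed example: unconstrained root, two bounded tiers below it.
    hierarchy = [{"name": "root", "path_length": None}]
    for i, p in enumerate(plan_path_lengths(2), start=1):
        hierarchy.append({"name": f"sub{i}", "path_length": p})
    print(chain_depth_ok(hierarchy))
    hierarchy.append({"name": "sub3", "path_length": 0})
    print(chain_depth_ok(hierarchy))  # rejected: sub2 has path_length 0
```

Run the planner before creating the subordinate CAs; once a CA certificate is issued, its path_length cannot be changed without reissuing it.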

Table 3 DistinguishedName

Parameter

Mandatory

Type

Description

common_name

Yes

String

Common name (CN) of a certificate. The value can contain a maximum of 64 characters, including only letters, digits, spaces, Chinese characters, hyphens (-), underscores (_), periods (.), commas (,), and asterisks (*).

Minimum: 1

Maximum: 64

country

Yes

String

Country code. The value is a string of two characters and can contain only letters.

Minimum: 2

Maximum: 2

state

Yes

String

Name of a province or city. The value can contain a maximum of 128 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,).

Minimum: 1

Maximum: 128

locality

Yes

String

Region name. The value can contain a maximum of 128 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,).

Minimum: 1

Maximum: 128

organization

Yes

String

Organization name. The value can contain a maximum of 64 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,).

Minimum: 1

Maximum: 64

organizational_unit

Yes

String

Organization unit name. The value can contain a maximum of 64 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,).

Minimum: 1

Maximum: 64

Table 4 Validity

Parameter

Mandatory

Type

Description

type

Yes

String

Validity period type. The options are as follows:

  • YEAR: by the year (12 months)

  • MONTH: by the month (31 days)

  • DAY: by the day

  • HOUR: by the hour

value

Yes

Integer

Certificate validity period, in units of type. The upper limit depends on the certificate being created:

  • Root CAs: the validity period is at most 30 years.

  • Subordinate CAs and private certificates: the validity period is at most 20 years.

start_from

No

Integer

Start time of the validity period. The options are as follows:

  • Timestamp in milliseconds. For example, 1645146939688 indicates 2022-02-18 09:15:39 (UTC+08:00).

  • The start time may be at most five minutes earlier than the current time, that is, start_from must be greater than the current time minus 5 minutes.

Table 5 HsmClusterInfo

Parameter

Mandatory

Type

Description

hsm_project

Yes

String

Project in which the HSM cluster resides, for example, cn-north-7.

hsm_cluster_id

Yes

String

HSM cluster identifier.

For example, 54d8301b-b859-4c55-a628-21fcf90e609e

hsm_ca_cert

Yes

String

Base64 string of the HSM cluster CA certificate in PEM format, for example, MXXXXX.

Table 6 CrlConfiguration

Parameter

Mandatory

Type

Description

enabled

Yes

Boolean

Whether to enable CRL publishing:

  • true

  • false

crl_name

No

String

Name of the certificate revocation list.

NOTE:

If you do not specify this parameter, the system uses the ID of the parent CA that issues the current certificate by default.

obs_bucket_name

No

String

Name of the OBS bucket to which CRLs are published.

NOTE:

To enable CRL publishing:

  • This parameter is mandatory. You must have created an agency and assigned PCA permissions on OBS to it. For details, see Certificate Revocation > Checking Permissions of an Agency and Certificate Revocation > Creating an Agency.

  • The specified OBS bucket must exist. Otherwise, an error is reported.

valid_days

No

Integer

Interval, in days, at which the CRL is regenerated and published. This parameter is mandatory when CRL publishing is enabled.

Minimum: 7

Maximum: 30
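The three creation modes from the Function section and the conditional rules spread across Tables 2, 3, 4 and 6 are easy to get wrong in a client. The following Python is added here as an illustration and is not part of the Huawei Cloud documentation or SDKs: it collects those rules into one preflight that builds the request body for a given mode and rejects locally what the service would refuse with a 400 (a root CA with an issuer_id, a subordinate CA activated without one, an SM2 key paired with a SHA hash, a CRL configuration enabled without a bucket or with valid_days outside 7..30, a start_from more than five minutes in the past). The function and constant names are the example's own; how the service counts DAY- and HOUR-typed validity against the 30- and 20-year limits is an assumption noted in the code.

```python
"""Preflight for POST /v1/private-certificate-authorities request bodies (added example).

Builds the JSON body for one of the three creation modes and raises ValueError for
anything the page's parameter tables disallow. It never sends the request.
"""
import re
import time

EP_ID_RE = re.compile(r"^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$")
DN_CHARS = r"A-Za-z0-9 \u4e00-\u9fff\-_.,"  # Table 3 character set; common_name adds '*'
DN_RULES = {"common_name": (64, r"\*"), "state": (128, ""), "locality": (128, ""),
            "organization": (64, ""), "organizational_unit": (64, "")}  # (max length, extra chars)
KEY_ALGS = {"RSA2048", "RSA4096", "EC256", "EC384", "SM2"}
SIG_ALGS = {"SHA256", "SHA384", "SHA512", "SM3"}
KEY_USAGES = {"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
              "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"}
DEFAULT_CA_USAGES = ["digitalSignature", "keyCertSign", "cRLSign"]
MAX_YEARS = {"ROOT": 30, "SUBORDINATE": 20}
# Assumption: the service measures the year limits as 12 months / 365 days / 8760 hours.
UNITS_PER_YEAR = {"YEAR": 1, "MONTH": 12, "DAY": 365, "HOUR": 8760}
START_FROM_SLACK_MS = 5 * 60 * 1000  # start_from may lie at most 5 minutes in the past


def _check_dn(dn):
    country = dn.get("country", "")
    if not (len(country) == 2 and country.isalpha()):
        raise ValueError("country must be exactly two letters")
    for field, (max_len, extra) in DN_RULES.items():
        value = dn.get(field, "")
        if not 1 <= len(value) <= max_len or not re.fullmatch(f"[{DN_CHARS}{extra}]+", value):
            raise ValueError(f"{field} must be 1..{max_len} characters from the allowed set")


def _check_validity(validity, ca_type, now_ms):
    unit, value = validity.get("type"), validity.get("value")
    if unit not in UNITS_PER_YEAR or not isinstance(value, int) or value < 1:
        raise ValueError("validity needs type YEAR/MONTH/DAY/HOUR and a positive integer value")
    if value > MAX_YEARS[ca_type] * UNITS_PER_YEAR[unit]:
        raise ValueError(f"{ca_type} validity exceeds {MAX_YEARS[ca_type]} years")
    start = validity.get("start_from")
    if start is not None and start < now_ms - START_FROM_SLACK_MS:
        raise ValueError("start_from is more than five minutes in the past")


def _check_crl(crl):
    if not isinstance(crl.get("enabled"), bool):
        raise ValueError("crl_configuration.enabled must be a boolean")
    if crl["enabled"] and not crl.get("obs_bucket_name"):
        raise ValueError("obs_bucket_name is mandatory when CRL publishing is enabled")
    if crl["enabled"] and not 7 <= crl.get("valid_days", 0) <= 30:
        raise ValueError("valid_days must be 7..30 when CRL publishing is enabled")


def build_ca_request(ca_type, distinguished_name, key_algorithm, *, activate=True,
                     validity=None, issuer_id=None, signature_algorithm=None, path_length=None,
                     key_usages=None, crl_configuration=None, enterprise_project_id=None,
                     now_ms=None):
    """Return the request body for one of the three creation modes, or raise ValueError."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if ca_type not in MAX_YEARS:
        raise ValueError("type must be ROOT or SUBORDINATE")
    if key_algorithm not in KEY_ALGS:
        raise ValueError(f"unknown key_algorithm {key_algorithm!r}")
    _check_dn(distinguished_name)
    body = {"type": ca_type, "distinguished_name": dict(distinguished_name),
            "key_algorithm": key_algorithm}

    if ca_type == "SUBORDINATE" and not activate:
        # Mode 3: issuance parameters are omitted now and supplied at activation.
        if issuer_id or signature_algorithm or validity:
            raise ValueError("issuer_id, signature_algorithm and validity belong to activation")
    else:
        # Modes 1 and 2: the issuance parameters are mandatory.
        if signature_algorithm not in SIG_ALGS or validity is None:
            raise ValueError("signature_algorithm and validity are mandatory")
        if (key_algorithm == "SM2") != (signature_algorithm == "SM3"):
            raise ValueError("SM2 keys sign with SM3; RSA/EC keys use SHA256/384/512")
        _check_validity(validity, ca_type, now_ms)
        body["signature_algorithm"], body["validity"] = signature_algorithm, dict(validity)
        if ca_type == "ROOT" and issuer_id:
            raise ValueError("a root CA is self-signed and takes no issuer_id")
        if ca_type == "SUBORDINATE":
            if not issuer_id or len(issuer_id) != 36:
                raise ValueError("a 36-character issuer_id is mandatory to activate a subordinate CA")
            body["issuer_id"] = issuer_id
            if path_length is None:
                path_length = 0  # service default: the new CA may issue end-entity certs only

    if path_length is not None:
        if not 0 <= path_length <= 6:
            raise ValueError("path_length must be 0..6")
        body["path_length"] = path_length
    if key_usages and not set(key_usages) <= KEY_USAGES:
        raise ValueError("unknown key usage")
    # A root CA always gets the fixed usage set; a subordinate CA may override the default.
    body["key_usages"] = list(DEFAULT_CA_USAGES) if ca_type == "ROOT" or not key_usages else list(key_usages)
    if crl_configuration is not None:
        _check_crl(crl_configuration)
        body["crl_configuration"] = dict(crl_configuration)
    if enterprise_project_id is not None:
        if enterprise_project_id not in ("all", "0") and not EP_ID_RE.match(enterprise_project_id):
            raise ValueError("enterprise_project_id must be all, 0 or a lowercase UUID")
        body["enterprise_project_id"] = enterprise_project_id
    return body
```

Serialize the returned dict as the JSON body of the REST call shown under Example Requests, or copy its fields into the SDK's CreateCertificateAuthorityRequestBody. Because the check runs before the request is signed and sent, a rejected body never consumes a CA quota or leaves a half-configured CA behind.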

Response Parameters

Status code: 200

Table 7 Response body parameters

Parameter

Type

Description

ca_id

String

ID of the created CA.

Minimum: 36

Maximum: 36

Status code: 400

Table 8 Response body parameters

Parameter

Type

Description

error_code

String

Error code

Minimum: 3

Maximum: 36

error_msg

String

Error message

Minimum: 0

Maximum: 1024

Status code: 401

Table 9 Response body parameters

Parameter

Type

Description

error_code

String

Error code

Minimum: 3

Maximum: 36

error_msg

String

Error message

Minimum: 0

Maximum: 1024

Status code: 403

Table 10 Response body parameters

Parameter

Type

Description

error_code

String

Error code

Minimum: 3

Maximum: 36

error_msg

String

Error message

Minimum: 0

Maximum: 1024

Status code: 404

Table 11 Response body parameters

Parameter

Type

Description

error_code

String

Error code

Minimum: 3

Maximum: 36

error_msg

String

Error message

Minimum: 0

Maximum: 1024

Status code: 500

Table 12 Response body parameters

Parameter

Type

Description

error_code

String

Error code

Minimum: 3

Maximum: 36

error_msg

String

Error message

Minimum: 0

Maximum: 1024

Example Requests

When you use this API to create a CA certificate, a token is required in the X-Auth-Token field in the request header. The token must have the permission to access the API.

POST https://ccm.cn-north-4.myhuaweicloud.com/v1/private-certificate-authorities

{
  "type" : "ROOT",
  "key_algorithm" : "RSA4096",
  "signature_algorithm" : "SHA512",
  "distinguished_name" : {
    "common_name" : "demoRootRSA",
    "country" : "CN",
    "locality" : "chengdu",
    "organization" : "HW",
    "organizational_unit" : "dew",
    "state" : "sichuan"
  },
  "validity" : {
    "type" : "YEAR",
    "value" : 3
  },
  "crl_configuration" : {
    "enabled" : false,
    "obs_bucket_name" : "demoBucket",
    "valid_days" : 8
  }
}

Example Responses

Status code: 200

Request succeeded.

{
  "ca_id" : "66504812-fedc-414a-9b7c-4c1836398524"
}

Status code: 400

Invalid request parameters.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 401

Token required for the requested page.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 403

Authentication failed.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 404

No resources available or found.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 500

Internal service error.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

SDK Sample Code

The SDK sample code is as follows.

Java


package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.ccm.v1.region.CcmRegion;
import com.huaweicloud.sdk.ccm.v1.*;
import com.huaweicloud.sdk.ccm.v1.model.*;


public class CreateCertificateAuthoritySolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new GlobalCredentials()
                .withAk(ak)
                .withSk(sk);

        CcmClient client = CcmClient.newBuilder()
                .withCredential(auth)
                .withRegion(CcmRegion.valueOf("<YOUR REGION>"))
                .build();
        CreateCertificateAuthorityRequest request = new CreateCertificateAuthorityRequest();
        CreateCertificateAuthorityRequestBody body = new CreateCertificateAuthorityRequestBody();
        CrlConfiguration crlConfigurationbody = new CrlConfiguration();
        crlConfigurationbody.withEnabled(false)
            .withObsBucketName("demoBucket")
            .withValidDays(8);
        Validity validitybody = new Validity();
        validitybody.withType("YEAR")
            .withValue(3);
        DistinguishedName distinguishedNamebody = new DistinguishedName();
        distinguishedNamebody.withCommonName("demoRootRSA")
            .withCountry("CN")
            .withState("sichuan")
            .withLocality("chengdu")
            .withOrganization("HW")
            .withOrganizationalUnit("dew");
        body.withCrlConfiguration(crlConfigurationbody);
        body.withSignatureAlgorithm("SHA512");
        body.withValidity(validitybody);
        body.withKeyAlgorithm("RSA4096");
        body.withDistinguishedName(distinguishedNamebody);
        body.withType("ROOT");
        request.withBody(body);
        try {
            CreateCertificateAuthorityResponse response = client.createCertificateAuthority(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Python


# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkccm.v1.region.ccm_region import CcmRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkccm.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]

    credentials = GlobalCredentials(ak, sk)

    client = CcmClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CcmRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = CreateCertificateAuthorityRequest()
        crlConfigurationbody = CrlConfiguration(
            enabled=False,
            obs_bucket_name="demoBucket",
            valid_days=8
        )
        validitybody = Validity(
            type="YEAR",
            value=3
        )
        distinguishedNamebody = DistinguishedName(
            common_name="demoRootRSA",
            country="CN",
            state="sichuan",
            locality="chengdu",
            organization="HW",
            organizational_unit="dew"
        )
        request.body = CreateCertificateAuthorityRequestBody(
            crl_configuration=crlConfigurationbody,
            signature_algorithm="SHA512",
            validity=validitybody,
            key_algorithm="RSA4096",
            distinguished_name=distinguishedNamebody,
            type="ROOT"
        )
        response = client.create_certificate_authority(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Go


package main

import (
	"fmt"
	"os"

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/global"
	ccm "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1/region"
)

func main() {
	// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
	// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
	ak := os.Getenv("CLOUD_SDK_AK")
	sk := os.Getenv("CLOUD_SDK_SK")

	auth := global.NewCredentialsBuilder().
		WithAk(ak).
		WithSk(sk).
		Build()

	client := ccm.NewCcmClient(
		ccm.CcmClientBuilder().
			WithRegion(region.ValueOf("<YOUR REGION>")).
			WithCredential(auth).
			Build())

	request := &model.CreateCertificateAuthorityRequest{}
	obsBucketNameCrlConfiguration := "demoBucket"
	validDaysCrlConfiguration := int32(8)
	crlConfigurationbody := &model.CrlConfiguration{
		Enabled:       false,
		ObsBucketName: &obsBucketNameCrlConfiguration,
		ValidDays:     &validDaysCrlConfiguration,
	}
	validitybody := &model.Validity{
		Type:  "YEAR",
		Value: int32(3),
	}
	distinguishedNamebody := &model.DistinguishedName{
		CommonName:         "demoRootRSA",
		Country:            "CN",
		State:              "sichuan",
		Locality:           "chengdu",
		Organization:       "HW",
		OrganizationalUnit: "dew",
	}
	signatureAlgorithmCreateCertificateAuthorityRequestBody := "SHA512"
	request.Body = &model.CreateCertificateAuthorityRequestBody{
		CrlConfiguration:   crlConfigurationbody,
		SignatureAlgorithm: &signatureAlgorithmCreateCertificateAuthorityRequestBody,
		Validity:           validitybody,
		KeyAlgorithm:       "RSA4096",
		DistinguishedName:  distinguishedNamebody,
		Type:               "ROOT",
	}
	response, err := client.CreateCertificateAuthority(request)
	if err == nil {
		fmt.Printf("%+v\n", response)
	} else {
		fmt.Println(err)
	}
}

More

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code

Description

200

Request succeeded.

400

Invalid request parameters.

401

Token required for the requested page.

403

Authentication failed.

404

No resources available or found.

500

Internal service error.

Error Codes

See Error Codes.