Updated on 2025-11-28 GMT+08:00

Exporting a Certificate

Function

Export the certificates.

  • International algorithm

    • The response format depends on the value of is_compressed:

      • If is_compressed is set to true, a compressed file package is returned. The package name is in the format <certificate name>_<type in lowercase>.zip, for example, test_apache.zip.

        • For a certificate issued with a system-generated key:

          • If type is set to APACHE, the compressed package contains three files: server.key (key file in PEM format; if a password is set during certificate export, the private key is encrypted), chain.crt (certificate chain in PEM format), and server.crt (certificate in PEM format).

          • If type is set to IIS, the compressed package contains two files: keystorePass.txt (keystore password; if a password is set during certificate export, this file is not included) and server.pfx (PFX certificate, stored in the same file as the certificate chain).

          • If type is set to NGINX, the compressed package contains two files: server.key (key file in PEM format; if a password is set during certificate export, the private key is encrypted) and server.crt (PEM format; the certificate and certificate chain are contained in the same file).

          • If type is set to TOMCAT, the package contains two files: keystorePass.txt (keystore password; if a password is set during certificate export, this file is not included) and server.jks (JKS certificate, stored in the same file as the certificate chain).

          • If type is set to OTHER, the compressed package contains three files: server.key (key file in PEM format; if a password is set during certificate export, the private key is encrypted), chain.pem (certificate chain), and server.pem (certificate).

        • For a certificate issued from an imported CSR:

          • If type is set to APACHE, IIS, or TOMCAT, the package contains two files: chain.crt (certificate chain in PEM format) and server.crt (certificate in PEM format).

          • If type is set to NGINX, the compressed package contains the server.crt file (certificate in PEM format).

          • If type is set to OTHER, the compressed package contains two files: chain.pem (certificate chain in PEM format) and cert.pem (certificate in PEM format).

      • If is_compressed is set to false, a certificate in JSON format is returned, including the following parameters:

        • For a certificate issued with a system-generated key:

          • If type is set to APACHE, NGINX, or OTHER, the following parameters are returned:

            • certificate: indicates the certificate content in PEM format.

            • certificate_chain: indicates the certificate chain in PEM format.

            • private_key: indicates the certificate private key in PEM format. If a password is set when the certificate is exported, the private key is encrypted.

          • If type is set to IIS or TOMCAT, the response is currently not defined.

        • For a certificate issued from an imported CSR:

          • If type is set to APACHE, NGINX, IIS, TOMCAT, or OTHER, the following parameters are returned:

            • certificate: indicates the certificate content in PEM format.

            • certificate_chain: indicates the certificate chain in PEM format.

  • SM algorithm (Chinese mainland website)

    • The response depends on the values of is_compressed and is_sm_standard:

      • If is_compressed is set to true and is_sm_standard is set to true, a compressed file package is returned. The package name is in the format <certificate name>_<type in lowercase>.zip, for example, test_apache.zip.

        • For a certificate issued with a system-generated key:

          • If type is set to APACHE, IIS, NGINX, or TOMCAT, the value is not defined.

          • If type is set to OTHER, the package contains five files: chain.pem (certificate chain in PEM format), signCert.key (signature certificate key file in PEM format; if a password is set during certificate export, the private key is encrypted), signCert.pem (signature certificate in PEM format), encSm2EnvelopedKey.key (digital envelope file in the SM algorithm GMT0009 standard specification of the encryption certificate, encoded using Base64), signedAndEnvelopedData.key (digital envelope file in the SM algorithm GMT0010 standard specification of the encryption certificate, encoded using Base64), and encCert.pem (encryption certificate in PEM format).

        • For a certificate issued from an imported CSR:

          • If type is set to APACHE, IIS, NGINX, or TOMCAT, the value is not defined.

          • If type is set to OTHER, the compressed package contains four files: chain.pem (certificate chain in PEM format), signCert.pem (signature certificate in PEM format), encSm2EnvelopedKey.key (digital envelope file in the SM algorithm GMT0009 standard specification of the encryption certificate, encoded using Base64), signedAndEnvelopedData.key (digital envelope file in the SM algorithm GMT0010 standard specification of the encryption certificate, encoded using Base64), and encCert.pem (encryption certificate in PEM format).

      • If is_compressed is set to true and is_sm_standard is set to false, a compressed file package is returned. The package name is in the format <certificate name>_<type in lowercase>.zip, for example, test_apache.zip.

        • For a certificate issued with a system-generated key:

          • If type is set to APACHE, IIS, NGINX, or TOMCAT, the value is not defined.

          • If type is set to OTHER, the package contains five files: chain.pem (certificate chain in PEM format), signCert.key (signature certificate key file in PEM format; if a password is set during certificate export, the private key is encrypted), signCert.pem (signature certificate in PEM format), encCert.key (encryption certificate key file in PEM format; if a password is set when the certificate is exported, the private key is encrypted), and encCert.pem (encryption certificate in PEM format).

        • For a certificate issued from an imported CSR:

          • If type is set to APACHE, IIS, NGINX, or TOMCAT, the value is not defined.

          • If type is set to OTHER, the compressed package contains four files: chain.pem (certificate chain in PEM format), signCert.pem (signature certificate in PEM format), encCert.key (encryption certificate key file in PEM format), and encCert.pem (encryption certificate in PEM format).

      • If is_compressed is set to false and is_sm_standard is set to true, a certificate in JSON format is returned, including the following parameters:

        • For a certificate issued with a system-generated key:

          • If type is set to APACHE, IIS, NGINX, or TOMCAT, the value is not defined.

          • If type is set to OTHER, the following parameters are returned:

            • certificate_chain: indicates the certificate chain in PEM format.

            • certificate: indicates the signature certificate content in PEM format.

            • private_key: indicates the private key of the signature certificate in PEM format. If a password is set when the certificate is exported, the private key is encrypted.

            • enc_certificate: indicates the encryption certificate content in PEM format.

            • enc_sm2_enveloped_key: indicates the SM algorithm GMT0009 standard digital envelope file of the encryption certificate, encoded using Base64.

            • signed_and_enveloped_data: indicates the SM series cryptographic algorithm GMT0010 standard digital envelope file of the encryption certificate, encoded using Base64.

        • For a certificate issued from an imported CSR:

          • If type is set to APACHE, IIS, NGINX, or TOMCAT, the value is not defined.

          • If type is set to OTHER, the following parameters are returned:

            • certificate_chain: indicates the certificate chain in PEM format.

            • certificate: indicates the signature certificate content in PEM format.

            • enc_certificate: indicates the encryption certificate content in PEM format.

            • enc_sm2_enveloped_key: indicates the SM algorithm GMT0009 standard digital envelope file of the encryption certificate, encoded using Base64.

            • signed_and_enveloped_data: indicates the SM algorithm GMT0010 standard digital envelope file of the encryption certificate, encoded using Base64.

      • If is_compressed is set to false and is_sm_standard is set to false, a certificate in JSON format is returned, including the following parameters:

        • For a certificate issued with a system-generated key:

          • If type is set to APACHE, IIS, NGINX, or TOMCAT, the value is not defined.

          • If type is set to OTHER, the following parameters are returned:

            • certificate_chain: indicates the certificate chain in PEM format.

            • certificate: indicates the signature certificate content in PEM format.

            • private_key: indicates the private key of the signature certificate in PEM format. If a password is set when the certificate is exported, the private key is encrypted.

            • enc_certificate: indicates the encryption certificate content in PEM format.

            • enc_private_key: indicates the private key of the encryption certificate in PEM format. If a password is set when the certificate is exported, the private key is encrypted.

        • For a certificate issued from an imported CSR:

          • If type is set to APACHE, IIS, NGINX, or TOMCAT, the value is not defined.

          • If type is set to OTHER, the following parameters are returned:

            • certificate_chain: indicates the certificate chain in PEM format.

            • certificate: indicates the signature certificate content in PEM format.

            • enc_certificate: indicates the encryption certificate content in PEM format.

            • enc_private_key: indicates the private key of the encryption certificate in PEM format.

Only certificates in the Issued status can be exported.
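
The package contents listed above for the international algorithm can be enforced on the receiving side before anything is written to disk. The following Python sketch is an added example, not code from the API or its SDK: it compares a downloaded package with the documented file list and extracts only those names, creating key-bearing files with mode 0600. The function names, the "system"/"csr" labels and the sample package are assumptions made for illustration; the SM algorithm packages are not covered.

```python
import io
import os
import stat
import zipfile

# Package contents documented above for the international algorithm, keyed by
# (key origin, type): "system" = key generated by the service, "csr" = CSR imported.
# The origin labels are this example's own naming, not API values.
MANIFEST = {
    ("system", "APACHE"): {"server.key", "chain.crt", "server.crt"},
    ("system", "IIS"): {"keystorePass.txt", "server.pfx"},
    ("system", "NGINX"): {"server.key", "server.crt"},
    ("system", "TOMCAT"): {"keystorePass.txt", "server.jks"},
    ("system", "OTHER"): {"server.key", "chain.pem", "server.pem"},
    ("csr", "APACHE"): {"chain.crt", "server.crt"},
    ("csr", "IIS"): {"chain.crt", "server.crt"},
    ("csr", "TOMCAT"): {"chain.crt", "server.crt"},
    ("csr", "NGINX"): {"server.crt"},
    ("csr", "OTHER"): {"chain.pem", "cert.pem"},
}
# Members that hold or unlock a private key and must not be group/world readable.
SECRET_FILES = {"server.key", "server.pfx", "server.jks", "keystorePass.txt"}


def expected_files(origin, cert_type, password_set):
    names = set(MANIFEST[(origin, cert_type.upper())])
    if password_set:
        names.discard("keystorePass.txt")  # omitted when the caller supplied the password
    return names


def check_package(zip_bytes, origin, cert_type, password_set):
    """Compare member names with the documented list; [] means they match."""
    want = expected_files(origin, cert_type, password_set)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        got = set(zf.namelist())
    return ([f"unexpected member: {n}" for n in sorted(got - want)]
            + [f"missing member: {n}" for n in sorted(want - got)])


def extract_package(zip_bytes, dest, origin, cert_type, password_set):
    """Write only allow-listed members; secret-bearing files are created 0600."""
    want = expected_files(origin, cert_type, password_set)
    modes = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        extra = sorted(set(zf.namelist()) - want)
        if extra:  # exact-name allow-list also rejects ../x and dir/x paths
            raise ValueError(f"refusing unexpected members: {extra}")
        for name in zf.namelist():
            mode = 0o600 if name in SECRET_FILES else 0o644
            path = os.path.join(dest, name)
            # O_EXCL: never overwrite or follow a pre-existing file or symlink.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
            with os.fdopen(fd, "wb") as fh:
                fh.write(zf.read(name))
            modes[name] = stat.S_IMODE(os.stat(path).st_mode)
    return modes


def build_sample(names):
    """Constructed sample package with placeholder contents, not real key material."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "constructed placeholder\n")
    return buf.getvalue()
```
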

Debugging

You can debug this API through automatic authentication in API Explorer or use the SDK sample code generated by API Explorer.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, the following identity policy-based permissions are required.

    | Action | Access Level | Resource Type (*: required) | Condition Key | Alias | Dependencies |
    | --- | --- | --- | --- | --- | --- |
    | pca:cert:export | Read | - | g:EnterpriseProjectId | - | - |

URI

POST /v1/private-certificates/{certificate_id}/export

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| certificate_id | Yes | String | ID of the private certificate you want to export. Minimum: 36. Maximum: 36. |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| X-Auth-Token | Yes | String | User token. For details, see [Obtaining a User Token](https://support.huaweicloud.com/intl/en-us/api-iam/iam_30_0001.html). |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| is_compressed | Yes | String | Whether to compress. Options: true, false. |
| type | Yes | String | Type of the server on which the certificate is installed. Options: APACHE (recommended for Apache servers); NGINX (recommended for Nginx servers); IIS (recommended for Windows servers); TOMCAT (recommended for Tomcat servers); OTHER (recommended when you expect to download a certificate in PEM format). |
| is_sm_standard | No | String | Whether the SM series cryptographic algorithm GMT0009 and SM series cryptographic algorithm GMT0010 standards are required. This parameter is valid only when the certificate algorithm is SM2. If this parameter is not specified, the default value is false. Options: true, false. |
| password | No | String | The password used to encrypt private keys. It can contain letters, digits, and some special characters (,.+-_#.). It can contain a maximum of 32 characters. If you do not specify it, private keys will not be encrypted when you export them. |

Response Parameters

Status code: 200

Table 4 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| private_key | String | Private key content. |
| certificate | String | Certificate content. |
| certificate_chain | String | Certificate chain content. |
| enc_certificate | String | Encryption certificate content. |
| enc_private_key | String | Private key of the encryption certificate. |
| enc_sm2_enveloped_key | String | GMT 0009 SM2 digital envelope for encrypting private keys. |
| signed_and_enveloped_data | String | Encrypted and signed private key digital envelope, which complies with the SM series cryptographic algorithm GMT0010 standard. |

Status code: 400

Table 5 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code. Minimum: 3. Maximum: 36. |
| error_msg | String | Error message. Minimum: 0. Maximum: 1024. |

Status code: 401

Table 6 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code. Minimum: 3. Maximum: 36. |
| error_msg | String | Error message. Minimum: 0. Maximum: 1024. |

Status code: 403

Table 7 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code. Minimum: 3. Maximum: 36. |
| error_msg | String | Error message. Minimum: 0. Maximum: 1024. |

Status code: 404

Table 8 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code. Minimum: 3. Maximum: 36. |
| error_msg | String | Error message. Minimum: 0. Maximum: 1024. |

Status code: 500

Table 9 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code. Minimum: 3. Maximum: 36. |
| error_msg | String | Error message. Minimum: 0. Maximum: 1024. |

Example Requests

When you call this API, a token with the permission to use this API is mandatory for the X-Auth-Token field.

POST https://ccm.cn-north-4.myhuaweicloud.com/v1/private-certificates/6434f74f-2d13-4e6a-89eb-93ee313f1a43/export

{
  "type" : "other",
  "is_compressed" : false,
  "password" : "test"
}

Example Responses

Status code: 200

Request succeeded.

{
  "certificate" : "-----BEGIN CERTIFICATE-----\r\n******\r\n-----END CERTIFICATE-----",
  "certificate_chain" : "-----BEGIN CERTIFICATE-----\r\n******\r\n-----END CERTIFICATE-----\r\n-----BEGIN CERTIFICATE-----\r\n******\r\n-----END CERTIFICATE-----",
  "private_key" : "-----BEGIN RSA PRIVATE KEY-----\r\n******\r\n-----END RSA PRIVATE KEY-----\r\n"
}

Status code: 400

Invalid request parameters.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 401

Token required for the requested page.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 403

Authentication failed.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 404

No resources available or found.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 500

Internal service error.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}
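
A caller that sends a password will want to confirm that the private key in the JSON response really is encrypted before storing it. The following Python sketch is an added example, not part of the API or its SDK: it checks the PEM fields of a 200 response and reports any private key that is not password-protected. It assumes the service uses one of the two standard PEM encodings for encrypted keys (the page does not say which); the function names and the sample response are constructed for illustration.

```python
import json
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_FIELDS = ("private_key", "enc_private_key")  # response fields that carry private keys


def pem_blocks(text):
    """Return [(label, body), ...] for every PEM block found in text."""
    return PEM_BLOCK.findall(text or "")


def cert_count(text):
    return sum(1 for label, _ in pem_blocks(text) if label == "CERTIFICATE")


def key_is_encrypted(pem):
    """True if a PEM private key is password-protected.

    Assumption: one of the standard encodings is used. PKCS#8 marks encryption
    with the label ENCRYPTED PRIVATE KEY; the traditional format (for example
    RSA PRIVATE KEY) carries a 'Proc-Type: 4,ENCRYPTED' header before the body.
    """
    blocks = pem_blocks(pem)
    if len(blocks) != 1 or not blocks[0][0].endswith("PRIVATE KEY"):
        raise ValueError("expected exactly one PEM private key block")
    label, body = blocks[0]
    return label == "ENCRYPTED PRIVATE KEY" or bool(
        re.match(r"Proc-Type:\s*4,\s*ENCRYPTED", body))


def review_export(response_text, password_set):
    """Return findings for a JSON export response; [] means nothing to flag."""
    resp = json.loads(response_text)
    findings = []
    if cert_count(resp.get("certificate")) != 1:
        findings.append("certificate: expected exactly one PEM certificate")
    if cert_count(resp.get("certificate_chain")) < 1:
        findings.append("certificate_chain: no PEM certificate found")
    for field in KEY_FIELDS:
        if field not in resp:
            continue  # not returned, e.g. for a certificate issued from an imported CSR
        if not key_is_encrypted(resp[field]):
            why = "although a password was sent" if password_set else "no password was sent"
            findings.append(f"{field}: private key is not encrypted ({why})")
    return findings


def sample_response(encrypted):
    """Constructed response shaped like the 200 example above; bodies are placeholders."""
    cert = "-----BEGIN CERTIFICATE-----\r\nAAAA\r\n-----END CERTIFICATE-----"
    header = "Proc-Type: 4,ENCRYPTED\r\nDEK-Info: AES-256-CBC,00\r\n\r\n" if encrypted else ""
    key = ("-----BEGIN RSA PRIVATE KEY-----\r\n" + header
           + "AAAA\r\n-----END RSA PRIVATE KEY-----\r\n")
    return json.dumps({"certificate": cert,
                       "certificate_chain": cert + "\r\n" + cert,
                       "private_key": key})
```
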

SDK Sample Code

The SDK sample code is as follows.

Java

When you call this API, a token with the permission to use this API is mandatory for the X-Auth-Token field.

package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.ccm.v1.region.CcmRegion;
import com.huaweicloud.sdk.ccm.v1.*;
import com.huaweicloud.sdk.ccm.v1.model.*;


public class ExportCertificateSolution {

    public static void main(String[] args) {
        // Hard-coding the AK and SK or storing them in plaintext poses great security risks. Store them in ciphertext in configuration files or environment variables and decrypt them when they are used.
        // In this example, the AK and SK are read from environment variables. Before running this example, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new GlobalCredentials()
                .withAk(ak)
                .withSk(sk);

        CcmClient client = CcmClient.newBuilder()
                .withCredential(auth)
                .withRegion(CcmRegion.valueOf("<YOUR REGION>"))
                .build();
        ExportCertificateRequest request = new ExportCertificateRequest();
        request.withCertificateId("{certificate_id}");
        ExportCertificateRequestBody body = new ExportCertificateRequestBody();
        body.withPassword("test");
        body.withType("other");
        body.withIsCompressed("false");
        request.withBody(body);
        try {
            ExportCertificateResponse response = client.exportCertificate(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Python

When you call this API, a token with the permission to use this API is mandatory for the X-Auth-Token field.

# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkccm.v1.region.ccm_region import CcmRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkccm.v1 import *

if __name__ == "__main__":
    # Hard-coding the AK and SK or storing them in plaintext poses great security risks. Store them in ciphertext in configuration files or environment variables and decrypt them when they are used.
    # In this example, the AK and SK are read from environment variables. Before running this example, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]

    credentials = GlobalCredentials(ak, sk)

    client = CcmClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CcmRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ExportCertificateRequest()
        request.certificate_id = "{certificate_id}"
        request.body = ExportCertificateRequestBody(
            password="test",
            type="other",
            is_compressed="false"
        )
        response = client.export_certificate(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Go

When you call this API, a token with the permission to use this API is mandatory for the X-Auth-Token field.

package main

import (
	"fmt"
	"os"

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/global"
	ccm "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1/region"
)

func main() {
	// Hard-coding the AK and SK or storing them in plaintext poses great security risks. Store them in ciphertext in configuration files or environment variables and decrypt them when they are used.
	// In this example, the AK and SK are read from environment variables. Before running this example, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
	ak := os.Getenv("CLOUD_SDK_AK")
	sk := os.Getenv("CLOUD_SDK_SK")

	auth := global.NewCredentialsBuilder().
		WithAk(ak).
		WithSk(sk).
		Build()

	client := ccm.NewCcmClient(
		ccm.CcmClientBuilder().
			WithRegion(region.ValueOf("<YOUR REGION>")).
			WithCredential(auth).
			Build())

	request := &model.ExportCertificateRequest{}
	request.CertificateId = "{certificate_id}"
	passwordExportCertificateRequestBody := "test"
	request.Body = &model.ExportCertificateRequestBody{
		Password:     &passwordExportCertificateRequestBody,
		Type:         "other",
		IsCompressed: "false",
	}
	response, err := client.ExportCertificate(request)
	if err == nil {
		fmt.Printf("%+v\n", response)
	} else {
		fmt.Println(err)
	}
}

More

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

| Status Code | Description |
| --- | --- |
| 200 | Request succeeded. |
| 400 | Invalid request parameters. |
| 401 | Token required for the requested page. |
| 403 | Authentication failed. |
| 404 | No resources available or found. |
| 500 | Internal service error. |

Error Codes

See Error Codes.