Updated on 2025-11-28 GMT+08:00

Querying CA Details

Function

This API is used to query details about a CA.

Debugging

You can debug this API through automatic authentication in API Explorer or use the SDK sample code generated by API Explorer.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, the following identity policy-based permissions are required.

    | Action | Access Level | Resource Type (*: required) | Condition Key | Alias | Dependencies |
    | --- | --- | --- | --- | --- | --- |
    | pca:ca:get | Read | ca * | g:ResourceTag/<tag-key> | - | - |
    | | | - | g:EnterpriseProjectId | | |

URI

GET /v1/private-certificate-authorities/{ca_id}

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| ca_id | Yes | String | ID of the CA certificate. Minimum: 36; Maximum: 36. |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| X-Auth-Token | Yes | String | User token. For details, see [Obtaining a User Token](https://support.huaweicloud.com/intl/en-us/api-iam/iam_30_0001.html). |

Response Parameters

Status code: 200

Table 3 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| ca_id | String | ID of the CA certificate. Minimum: 36; Maximum: 36. |
| type | String | The CA type can be: • ROOT: root CA • SUBORDINATE: subordinate CA |
| status | String | CA certificate status: • PENDING: The CA certificate is not activated. The CA cannot issue certificates. • ACTIVED: The CA certificate has been activated. You can use the CA to issue certificates. • DISABLED: The CA certificate is disabled. The CA cannot issue certificates. • DELETED: The CA certificate is to be deleted as scheduled. In this state, the CA cannot issue certificates. • EXPIRED: The CA certificate has expired. An expired CA cannot issue certificates. |
| path_length | Integer | CA path length. NOTE: The path length of the generated root CA certificate is not limited, but this field is set to 7 in the database. The path length of a subordinate CA is specified by you when you create the subordinate CA. The default value is 0. Minimum: 0; Maximum: 6. |
| issuer_id | String | The ID of the CA certificate that issues the certificate. For a root CA, the value of this parameter is null. Minimum: 36; Maximum: 36. |
| issuer_name | String | The name of the parent CA certificate. For a root CA, the value of this parameter is null. Minimum: 1; Maximum: 64. |
| key_algorithm | String | Key algorithm. |
| signature_algorithm | String | Signature hash algorithm. |
| freeze_flag | Integer | Freezing tag: • 0: non-frozen • Other values: frozen state. This is currently reserved. |
| gen_mode | String | Certificate generation method. • GENERATE: generated by the PCA system. • IMPORT: imported externally. • CSR: issued by an internal CA with CSRs imported externally. This means the private key is not managed by PCA. |
| serial_number | String | Serial number of the certificate. Minimum: 1; Maximum: 64. |
| create_time | Long | Time the certificate was created. The value is a timestamp in milliseconds. |
| delete_time | Long | Time the certificate was deleted. The value is a timestamp in milliseconds. |
| not_before | Long | Time the certificate was created. The value is a timestamp in milliseconds. |
| not_after | Long | Time the certificate expires. The value is a timestamp in milliseconds. |
| distinguished_name | DistinguishedName object | Certificate name. For details, see data structure for the DistinguishedName field. |
| crl_configuration | ListCrlConfiguration object | Certificate CRL. For details, see data structure for the ListCrlConfiguration field. |
| enterprise_project_id | String | Enterprise project ID. The default value is 0. For users who have enabled the enterprise project function, this value indicates that resources are in the default enterprise project. For users who have not enabled the enterprise project function, this value indicates that resources are not in the default enterprise project. |
| free_quota | Integer | Free certificate quota. |
| charging_mode | Integer | Billing mode. The value can be: • 0: yearly/monthly • 1: pay-per-use |
| cluster_id | String | DHSM cluster ID. Minimum: 1; Maximum: 64. |
| domain_id | String | Account ID. Minimum: 0; Maximum: 100. |

Table 4 DistinguishedName

| Parameter | Type | Description |
| --- | --- | --- |
| common_name | String | Common name (CN) of a certificate. The value can contain a maximum of 64 characters, including only letters, digits, spaces, Chinese characters, hyphens (-), underscores (_), periods (.), commas (,), and asterisks (*). Minimum: 1; Maximum: 64. |
| country | String | Country code. The value is a string of two characters and can contain only letters. Minimum: 2; Maximum: 2. |
| state | String | Name of a province or city. The value can contain a maximum of 128 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,). Minimum: 1; Maximum: 128. |
| locality | String | Region name. The value can contain a maximum of 128 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,). Minimum: 1; Maximum: 128. |
| organization | String | Organization name. The value can contain a maximum of 64 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,). Minimum: 1; Maximum: 64. |
| organizational_unit | String | Organization unit name. The value can contain a maximum of 64 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,). Minimum: 1; Maximum: 64. |

Table 5 ListCrlConfiguration

| Parameter | Type | Description |
| --- | --- | --- |
| enabled | Boolean | Whether to enable the gray release function of CRL. • true • false |
| crl_name | String | Name of the certificate revocation list. NOTE: If you do not specify this parameter, the system uses the ID of the parent CA that issues the current certificate by default. |
| obs_bucket_name | String | OBS bucket name. |
| valid_days | Integer | CRL update interval, in days. This parameter is mandatory when the CRL release function is enabled. Minimum: 7; Maximum: 30. |
| crl_dis_point | String | The address of the CRL file in the OBS bucket. NOTE: This parameter is composed of crl_name, obs_bucket_name, and OBS address. |

Status code: 400

Table 6 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code. Minimum: 3; Maximum: 36. |
| error_msg | String | Error message. Minimum: 0; Maximum: 1024. |

Status code: 401

Table 7 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code. Minimum: 3; Maximum: 36. |
| error_msg | String | Error message. Minimum: 0; Maximum: 1024. |

Status code: 403

Table 8 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code. Minimum: 3; Maximum: 36. |
| error_msg | String | Error message. Minimum: 0; Maximum: 1024. |

Status code: 404

Table 9 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code. Minimum: 3; Maximum: 36. |
| error_msg | String | Error message. Minimum: 0; Maximum: 1024. |

Status code: 500

Table 10 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code. Minimum: 3; Maximum: 36. |
| error_msg | String | Error message. Minimum: 0; Maximum: 1024. |

Example Requests

When you call this API, the X-Auth-Token field must carry a token that has the permission to use this API.

GET https://ccm.cn-north-4.myhuaweicloud.com/v1/private-certificate-authorities/4c0e772e-a30c-4029-b929-b7acb04143f7

Example Responses

Status code: 200

Request succeeded.

{
  "signature_algorithm" : "SHA384",
  "issuer_id" : "928bd666-e879-448a-ab54-82f6ae3d81e0",
  "issuer_name" : "Huawei IT Root CA",
  "not_after" : 1647567892000,
  "not_before" : 1645148632000,
  "status" : "ACTIVED",
  "freeze_flag" : 0,
  "gen_mode" : "CSR",
  "serial_number" : "202202180143522338893611",
  "distinguished_name" : {
    "country" : "CN",
    "state" : "guangdong",
    "locality" : "shenzhen",
    "organization" : "Huawei",
    "organizational_unit" : "IT",
    "common_name" : "Huawei IT Root CA"
  },
  "key_algorithm" : "RSA",
  "create_time" : 1645148633000,
  "delete_time" : null,
  "ca_id" : "4c0e772e-a30c-4029-b929-b7acb04143f7",
  "type" : "SUBORDINATE",
  "path_length" : 0,
  "crl_configuration" : {
    "enabled" : false,
    "obs_bucket_name" : null,
    "valid_days" : null,
    "crl_name" : null,
    "crl_dis_point" : null
  },
  "cluster_id" : "54d8301b-b859-4c55-a628-21fcf90e609e"
}

Status code: 400

Invalid request parameters.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 401

Token required for the requested page.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 403

Authentication failed.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 404

No resources available or found.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 500

Internal service error.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}
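
The response fields documented above are enough to run a basic health check on a CA before relying on it for issuance. The following Python function is an added example, not part of the original documentation or the SDK; the function name `audit_ca`, the check IDs and the 30-day warning threshold are assumptions of this example, and the sample is a trimmed copy of the 200 example response.

```python
import json

# Constructed sample: a trimmed copy of the 200 example response on this page.
SAMPLE = json.loads("""{
  "ca_id": "4c0e772e-a30c-4029-b929-b7acb04143f7", "type": "SUBORDINATE",
  "status": "ACTIVED", "freeze_flag": 0, "gen_mode": "CSR", "path_length": 0,
  "not_before": 1645148632000, "not_after": 1647567892000,
  "crl_configuration": {"enabled": false, "valid_days": null,
                        "crl_dis_point": null}
}""")

def audit_ca(ca, now_ms, warn_days=30):
    """Return a list of (check_id, message) findings for one CA details body.

    Check IDs and the warn_days threshold are choices made for this example.
    """
    findings = []
    status = ca.get("status")
    if status != "ACTIVED":  # per the status table, only ACTIVED CAs can issue
        findings.append(("status", f"CA is {status} and cannot issue certificates"))
    if ca.get("freeze_flag", 0) != 0:
        findings.append(("frozen", "freeze_flag is non-zero (frozen state)"))
    not_before, not_after = ca.get("not_before"), ca.get("not_after")
    if not_before is not None and now_ms < not_before:
        findings.append(("not_yet_valid", "current time is before not_before"))
    if not_after is not None:
        days_left = (not_after - now_ms) / 86_400_000  # timestamps are in ms
        if days_left < 0:
            findings.append(("expired", f"validity ended {-days_left:.0f} days ago"))
        elif days_left < warn_days:
            findings.append(("expiring", f"validity ends in {days_left:.0f} days"))
    crl = ca.get("crl_configuration") or {}
    if not crl.get("enabled"):
        findings.append(("crl_disabled", "crl_configuration.enabled is false"))
    elif not crl.get("crl_dis_point"):
        findings.append(("crl_no_dp", "CRL enabled but crl_dis_point is empty"))
    if ca.get("gen_mode") == "CSR":
        findings.append(("external_key", "gen_mode CSR: private key is not managed by PCA"))
    if ca.get("type") == "SUBORDINATE" and ca.get("path_length", 0) > 0:
        findings.append(("can_sign_cas",
                         f"path_length {ca['path_length']} allows further subordinate CAs"))
    return findings

if __name__ == "__main__":
    # now_ms is fixed so the output is reproducible for the sample above.
    for check, msg in audit_ca(SAMPLE, now_ms=1647000000000):
        print(f"[{check}] {SAMPLE['ca_id']}: {msg}")
```

In production, pass the current time in milliseconds as `now_ms` and feed the function the parsed body returned by the GET request.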

SDK Sample Code

The SDK sample code is as follows.

Java

package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.ccm.v1.region.CcmRegion;
import com.huaweicloud.sdk.ccm.v1.*;
import com.huaweicloud.sdk.ccm.v1.model.*;


public class ShowCertificateAuthoritySolution {

    public static void main(String[] args) {
        // Hard-coding the AK and SK or storing them in plaintext poses great security risks. Store them in ciphertext in configuration files or environment variables and decrypt them at use.
        // This example reads the AK and SK from environment variables. Before running it, set CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new GlobalCredentials()
                .withAk(ak)
                .withSk(sk);

        CcmClient client = CcmClient.newBuilder()
                .withCredential(auth)
                .withRegion(CcmRegion.valueOf("<YOUR REGION>"))
                .build();
        ShowCertificateAuthorityRequest request = new ShowCertificateAuthorityRequest();
        request.withCaId("{ca_id}");
        try {
            ShowCertificateAuthorityResponse response = client.showCertificateAuthority(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Python

# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkccm.v1.region.ccm_region import CcmRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkccm.v1 import *

if __name__ == "__main__":
    # Hard-coding the AK and SK or storing them in plaintext poses great security risks. Store them in ciphertext in configuration files or environment variables and decrypt them at use.
    # This example reads the AK and SK from environment variables. Before running it, set CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]

    credentials = GlobalCredentials(ak, sk)

    client = CcmClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CcmRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ShowCertificateAuthorityRequest()
        request.ca_id = "{ca_id}"
        response = client.show_certificate_authority(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Go

package main

import (
	"fmt"
	"os" // needed for os.Getenv below

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/global"
	ccm "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1/region"
)

func main() {
	// Hard-coding the AK and SK or storing them in plaintext poses great security risks. Store them in ciphertext in configuration files or environment variables and decrypt them at use.
	// This example reads the AK and SK from environment variables. Before running it, set CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
	ak := os.Getenv("CLOUD_SDK_AK")
	sk := os.Getenv("CLOUD_SDK_SK")

	auth := global.NewCredentialsBuilder().
		WithAk(ak).
		WithSk(sk).
		Build()

	client := ccm.NewCcmClient(
		ccm.CcmClientBuilder().
			WithRegion(region.ValueOf("<YOUR REGION>")).
			WithCredential(auth).
			Build())

	request := &model.ShowCertificateAuthorityRequest{}
	request.CaId = "{ca_id}"
	response, err := client.ShowCertificateAuthority(request)
	if err == nil {
		fmt.Printf("%+v\n", response)
	} else {
		fmt.Println(err)
	}
}

More

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

| Status Code | Description |
| --- | --- |
| 200 | Request succeeded. |
| 400 | Invalid request parameters. |
| 401 | Token required for the requested page. |
| 403 | Authentication failed. |
| 404 | No resources available or found. |
| 500 | Internal service error. |

Error Codes

See Error Codes.