
Creating a CA

For details about the parameters for creating a private CA, see Parameters for Creating a CA.

import com.huaweicloud.sdk.ccm.v1.CcmClient;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityRequest;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityRequestBody;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityResponse;
import com.huaweicloud.sdk.ccm.v1.model.CrlConfiguration;
import com.huaweicloud.sdk.ccm.v1.model.DistinguishedName;
import com.huaweicloud.sdk.ccm.v1.model.Validity;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;

/**
 * Example: create a private CA with the CCM SDK.
 */
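public class CreateCertificateAuthorityExample {
    /**
     * Basic authentication information:
     * - ACCESS_KEY: access key (AK) of the Huawei Cloud account
     * - SECRET_ACCESS_KEY: secret access key (SK) of the Huawei Cloud account
     * - DOMAIN_ID: Huawei Cloud account ID.
     * - CCM_ENDPOINT: endpoint address for accessing HUAWEI CLOUD CCM (PCA is a microservice of CCM).
     *
     * Hard-coded or plaintext AK and SK are risky. For security, encrypt your AK and SK and store them in the
     * configuration file or environment variables.
     * In this example, the AK and SK are read from environment variables for identity authentication. Before
     * running this example, configure the environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK.
     * DOMAIN_ID and CCM_ENDPOINT are placeholders that must be replaced before running.
     */
    private static final String ACCESS_KEY_ENV = "HUAWEICLOUD_SDK_AK";
    private static final String SECRET_ACCESS_KEY_ENV = "HUAWEICLOUD_SDK_SK";
    private static final String ACCESS_KEY = System.getenv(ACCESS_KEY_ENV);
    private static final String SECRET_ACCESS_KEY = System.getenv(SECRET_ACCESS_KEY_ENV);
    private static final String DOMAIN_ID = "<DomainID>";
    private static final String CCM_ENDPOINT = "<CcmEndpoint>";

    /**
     * Entry point: creates a root CA and prints its ID to standard output.
     *
     * @param args unused
     * @throws IllegalStateException if the AK or SK environment variable is missing or blank
     * @throws RuntimeException if the CCM API call fails; the SDK exception is kept as the cause
     */
    public static void main(String[] args) {
        // 1. Prepare the credentials for accessing Huawei Cloud. PCA is a global service.
        //    Fail fast with a clear message instead of handing null keys to the SDK.
        final GlobalCredentials auth = new GlobalCredentials()
                .withAk(requireEnv(ACCESS_KEY, ACCESS_KEY_ENV))
                .withSk(requireEnv(SECRET_ACCESS_KEY, SECRET_ACCESS_KEY_ENV))
                .withDomainId(DOMAIN_ID);

        // 2. Initialize the SDK and pass the credentials and the CCM endpoint address.
        final CcmClient ccmClient = CcmClient.newBuilder()
                .withCredential(auth)
                .withEndpoint(CCM_ENDPOINT)
                .build();

        // 3./4. Build the request parameters and wrap them in a request.
        final CreateCertificateAuthorityRequest request =
                new CreateCertificateAuthorityRequest().withBody(buildRequestBody());

        // 5. Send the request.
        final CreateCertificateAuthorityResponse response;
        try {
            response = ccmClient.createCertificateAuthority(request);
        } catch (Exception e) {
            // Keep the original exception as the cause so the SDK error type and stack trace are not lost.
            throw new RuntimeException("Failed to create certificate authority: " + e.getMessage(), e);
        }

        // 6. Obtain the ID of the CA that was created.
        final String caId = response.getCaId();
        System.out.println(caId);
    }

    /**
     * Returns {@code value} if it is set, otherwise fails with the name of the missing variable.
     * The value itself is never included in the message so that a secret is not written to logs.
     *
     * @param value the value read from the environment (may be {@code null})
     * @param envName the environment variable name, used only for the error message
     * @return the non-blank value
     * @throws IllegalStateException if {@code value} is {@code null} or blank
     */
    private static String requireEnv(String value, String envName) {
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Environment variable " + envName + " is not set");
        }
        return value;
    }

    /** Builds the CA creation request body: type, key/signature algorithms, validity, subject and CRL settings. */
    private static CreateCertificateAuthorityRequestBody buildRequestBody() {
        // (1) Type of the CA certificate to create: ROOT for root CAs, SUBORDINATE for subordinate CAs.
        final String caType = "ROOT";
        // (2) CA key algorithm.
        final String keyAlgorithm = "RSA2048";
        // (3) Signature hash algorithm.
        final String signatureAlgorithm = "SHA512";

        /*
         * (4) CA validity period.
         * - type: time unit. The options are YEAR, MONTH, DAY, and HOUR.
         * - value: corresponding value. Adjust to your CA policy.
         */
        final Validity validity = new Validity();
        validity.setType("YEAR");
        validity.setValue(20);

        /*
         * (5) Unique identifier (subject) of the CA.
         * - organization: organization name.
         * - organizationalUnit: department name.
         * - country: two-letter country abbreviation, for example, US for the United States.
         * - state: province or city name.
         * - locality: city name.
         * - commonName: CA name (CN).
         */
        final DistinguishedName subjectInfo = new DistinguishedName();
        subjectInfo.setOrganization("your organization");
        subjectInfo.setOrganizationalUnit("your organizational unit");
        subjectInfo.setCountry("CN");
        subjectInfo.setState("your state");
        subjectInfo.setLocality("your locality");
        subjectInfo.setCommonName("your CA name");

        /*
         * (6) CRL configuration.
         * - enabled: whether to enable CRL publishing.
         * - obsBucketName: OBS bucket used to publish the CRLs. The bucket must be authorized.
         * - crlName: name of the CRL file. If omitted, the CA ID is used as the file name by default.
         * - validDays: CRL update period.
         * NOTE(review): with enabled=false the bucket and file name below are placeholders and no CRL is
         * published, so relying parties have no CRL to check revocation against — confirm this is intended
         * before using this configuration outside a test.
         */
        final CrlConfiguration crlConfiguration = new CrlConfiguration();
        crlConfiguration.setEnabled(false);
        crlConfiguration.setObsBucketName("your OBS buck name");
        crlConfiguration.setCrlName("your CRL file name");
        crlConfiguration.setValidDays(7);

        // (7) Assign the values to the request body.
        final CreateCertificateAuthorityRequestBody requestBody = new CreateCertificateAuthorityRequestBody();
        requestBody.setType(caType);
        requestBody.setKeyAlgorithm(keyAlgorithm);
        requestBody.setSignatureAlgorithm(signatureAlgorithm);
        requestBody.setValidity(validity);
        requestBody.setDistinguishedName(subjectInfo);
        requestBody.setCrlConfiguration(crlConfiguration);
        return requestBody;
    }

}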