Help Center> Cloud Certificate Manager> Best Practices> Best Practices for Private Certificate Management> Best Practices of PCA Code Examples> Example Code for Managing Private Certificates> Applying for a Certificate
Updated on 2023-11-21 GMT+08:00
View PDF

Applying for a Certificate

To apply for a private certificate, you must have a private CA that is in the Activated state.

For details, see Parameters for Applying for a Certificate.

import com.huaweicloud.sdk.ccm.v1.CcmClient;
import com.huaweicloud.sdk.ccm.v1.model.CertDistinguishedName;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateRequest;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateRequestBody;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateResponse;
import com.huaweicloud.sdk.ccm.v1.model.ExtendedKeyUsage;
import com.huaweicloud.sdk.ccm.v1.model.SubjectAlternativeName;
import com.huaweicloud.sdk.ccm.v1.model.Validity;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;

import java.util.ArrayList;
import java.util.List;

/**
* To issue a private certificate, there is at least one private CA in the Activated state.
 */
public class createCertificateExample {
    /**
     * Basic authentication information:
     * - ACCESS_KEY: access key of the Huawei Cloud account
     * - SECRET_ACCESS_KEY: secret access key of the Huawei Cloud account
    * - DOMAIN_ID: Huawei Cloud account ID.
    * - CCM_ENDPOINT: Endpoint address for accessing Huawei Cloud CCM (PCA is included in CCM).
......*Hard-coded or plaintext AK and SK are risky. For security, encrypt your AK and SK and store them in the configuration file or environment variables.
     * In this example, the AK and SK are stored in environment variables for identity authentication. Before running this example, configure environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK.
     */
    private static final String ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_AK");
    private static final String SECRET_ACCESS_KEY =  System.getenv("HUAWEICLOUD_SDK_SK");
    private static final String DOMAIN_ID = "<DomainID>";
    private static final String CCM_ENDPOINT = "<CcmEndpoint>";

    public static void main(String[] args) {
      // 1. Prepare the credentials for accessing Huawei Cloud. PCA is a global service.
        final GlobalCredentials auth = new GlobalCredentials()
                .withAk(ACCESS_KEY)
                .withSk(SECRET_ACCESS_KEY)
                .withDomainId(DOMAIN_ID);

        // 2. Initialize the SDK and transfer the credentials and endpoint address of CCM.
        final CcmClient ccmClient = CcmClient.newBuilder()
                .withCredential(auth)
                .withEndpoint(CCM_ENDPOINT).build();

       // 3. Make request parameters.
       // (1) ID of the CA that issues the private certificates. The CA must be in the ACTIVED state.
        String issuerId = "3a02c7f6-d8f5-497e-9f60-18dfd3eeb4e6";
        // (2) Private key algorithm
        String keyAlgorithm = "RSA2048";
        // Signature hash algorithm
        String signatureAlgorithm = "SHA512";

        /*
         * (4) Determine the certificate validity period.
         * - type: time type. The options are YEAR, MONTH, DAY, and HOUR.
        * - value: corresponding value.
         */
        Validity validity = new Validity();
        validity.setType("MONTH");
        validity.setValue(2);

        /*
        * (5) Define the unique identifier of the CA certificate.
        * - organization: organization name.
        * - organizationalUnit: department name.
         * - country: abbreviation of a country. The value can contain only two characters, for example, US for the United States.
        * - state: province or city name.
        * - locality: city name.
        * - commonName: CA name (CN)
         */
        CertDistinguishedName subjectInfo = new CertDistinguishedName();
        subjectInfo.setOrganization("your organization");
        subjectInfo.setOrganizationalUnit("your organizational unit");
        subjectInfo.setCountry("CN");
        subjectInfo.setState("your state");
        subjectInfo.setLocality("your locality");
        subjectInfo.setCommonName("your dns");

        /*
        * (6) Key usage. Generally, only keyAgreement and digitalSignature are specified for server certificates, which are optional.
        * - digitalSignature: The key is used as a digital signature.
         * - nonRepudiation: The key is used for non-repudiation.
        * - keyEncipherment: The key is used to encrypt key data.
        * - dataEncipherment: The key is used to encrypt data.
            - **keyAgreement**: The key is used for key negotiation.
          * - keyCertSign: The key can issue certificates.
          * - cRLSign: The key can issue a certificate revocation list (CRL).
         * - encipherOnly: The key is used only for encryption.
         * - decipherOnly: The key is used only for decryption.
         */
        List<String> keyUsages = new ArrayList<>();
        keyUsages.add("digitalSignature");
        keyUsages.add("keyAgreement");

        /*
         * (7) Alternative name of the subject: DNS, IP address, URI, and email address are supported currently. This parameter is optional.
         *  SubjectAlternativeName:
         *        type: type
        *         value: corresponding value.
         */
        List<SubjectAlternativeName> subjectAlternativeName = new ArrayList<>();
      // a. Add a standby DNS server.
        SubjectAlternativeName alterNameDNS = new SubjectAlternativeName();
        alterNameDNS.setType("DNS");
        alterNameDNS.setValue("*.example.com");
        subjectAlternativeName.add(alterNameDNS);
     // b. Add a standby IP address.
        SubjectAlternativeName alterNameIP = new SubjectAlternativeName();
        alterNameIP.setType("IP");
        alterNameIP.setValue("127.0.0.1");
        subjectAlternativeName.add(alterNameIP);
     // b. Add a standby email.
        SubjectAlternativeName alterNameEmail = new SubjectAlternativeName();
        alterNameEmail.setType("EMAIL");
        alterNameEmail.setValue("myEmail@qq.com");
        subjectAlternativeName.add(alterNameEmail);
        ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage();
        extendedKeyUsage.setClientAuth(true);
        extendedKeyUsage.setServerAuth(true);


       // (8) Assign values to the attributes of the request body.
       // For details about the restrictions on the value of each attribute, see https://support.huaweicloud.com/en-us/api-ccm/CreateCertificate.html.
        CreateCertificateRequestBody requestBody = new CreateCertificateRequestBody();
        requestBody.setIssuerId(issuerId);
        requestBody.setKeyAlgorithm(keyAlgorithm);
        requestBody.setSignatureAlgorithm(signatureAlgorithm);
        requestBody.setValidity(validity);
        requestBody.setDistinguishedName(subjectInfo);
        requestBody.setKeyUsages(keyUsages);
        requestBody.setSubjectAlternativeNames(subjectAlternativeName);
        requestBody.setExtendedKeyUsage(extendedKeyUsage);


       // 4. Construct a request body.
        CreateCertificateRequest request = new CreateCertificateRequest()
                .withBody(requestBody);

       // 5. Start to send the request.
        CreateCertificateResponse response;
        try {
            response = ccmClient.createCertificate(request);
        } catch (Exception e) {
            throw new RuntimeException(e.getMessage());
        }

       // 6. Obtain the response message.
        String certId = response.getCertificateId();
        System.out.println(certId);
    }

}