Updated on 2025-11-28 GMT+08:00

Activating a CA

Function

This API is used to activate a CA.

You can activate a certificate only when it is in the Pending activation status.

Debugging

You can debug this API through automatic authentication in API Explorer or use the SDK sample code generated by API Explorer.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, the following identity policy-based permissions are required.

    | Action | Access Level | Resource Type (*: required) | Condition Key | Alias | Dependencies |
    |---|---|---|---|---|---|
    | pca:ca:activate | Write | ca * | g:ResourceTag/<tag-key> | pca:ca:active | - |
    | | | - | g:EnterpriseProjectId | | |

URI

POST /v1/private-certificate-authorities/{ca_id}/activate

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| ca_id | Yes | String | ID of the subordinate CA you want to activate. Minimum: 36; Maximum: 36 |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | Yes | String | User token. For details, see Obtaining a User Token (https://support.huaweicloud.com/intl/en-us/api-iam/iam_30_0001.html). |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| issuer_id | Yes | String | ID of the parent CA. Minimum: 1; Maximum: 64 |
| path_length | No | Integer | Path length. Minimum: 0; Maximum: 6 |
| signature_algorithm | Yes | String | Signature hash algorithm. The options are as follows: SHA256; SHA384; SHA512; SM3 (Huawei Cloud Chinese Mainland website) |
| validity | Yes | Validity object | Certificate validity. For details, see data structure for the Validity field. |
| hsm_cluster_info | No | HsmClusterInfo object | HSM cluster information. This method can be used to encrypt CA only for users in the whitelist. For details, see HsmClusterInfo field description. |
| type | No | String | Type of the CA you want to create (this parameter is mandatory if a yearly/monthly CA is activated). ROOT: root CA; SUBORDINATE: subordinate CA |
| distinguished_name | No | DistinguishedName object | Certificate name. For details, see data structure of the DistinguishedName field. (This parameter is mandatory if a yearly/monthly CA is activated.) |
| key_algorithm | No | String | Key algorithm. This parameter is mandatory if a yearly/monthly CA is activated. The options are as follows: RSA2048: RSA algorithm with the key length of 2048 bits; RSA4096: RSA algorithm with the key length of 4096 bits; EC256: Elliptic Curve Digital Signature Algorithm (ECDSA) with the key length of 256 bits; EC384: Elliptic Curve Digital Signature Algorithm (ECDSA) with the key length of 384 bits; SM2: An Elliptic Curve Digital Signature Algorithm (ECDSA) (signature hash algorithm SM3) issued by China State Cryptography Administration. The key length is 256 bits. (Chinese mainland website) |
| key_usages | No | Array of strings | Key usage. For details, see section 4.2.1.3 of RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3). digitalSignature: The key can be used as a digital signature; nonRepudiation: The key can be used for non-repudiation; keyEncipherment: The key is used to encrypt key data; dataEncipherment: The key is used to encrypt data; keyAgreement: The key is used for key negotiation; keyCertSign: The key can issue a certificate; cRLSign: The key can issue a certificate revocation list (CRL); encipherOnly: The key is used only for encryption; decipherOnly: The key is used only for decryption. NOTE: The default values are as follows. Root CA certificates: [digitalSignature, keyCertSign, cRLSign], which cannot be changed. The value you specified is ignored. Subordinate CA certificates: [digitalSignature, keyCertSign, cRLSign], which can be customized. |
| crl_configuration | No | CrlConfiguration object | Certificate CRL. For details, see data structure of the CrlConfiguration field. |
| enterprise_project_id | No | String | Enterprise project ID. If the enterprise project function is not enabled, you do not need to set this parameter. If the enterprise project function is enabled, you can set this parameter when querying a resource. If this parameter is not specified, the system searches for the required resource in all the enterprise projects that you have permissions for. In this case, the value of enterprise_project_id is all. The parameter value must meet one of the following requirements: it is all; it is 0; it matches the regular expression ^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$. |

Table 4 Validity

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| type | Yes | String | Validity period type, which is mandatory. The options are as follows: YEAR: by the year (12 months); MONTH: by the month (31 days); DAY: by the day; HOUR: by the hour |
| value | Yes | Integer | The certificate validity period. The value of this parameter varies depending on the value of type. Root CAs: The validity period is less than or equal to 30 years. Subordinate CAs and private certificates: The validity period is less than or equal to 20 years. |
| start_from | No | Integer | Start time. The format is a timestamp in milliseconds. For example, 1645146939688 indicates 2022-02-18 09:15:39. The start time can begin no more than five minutes earlier than the current time. It means the value of start_from must be larger than the value of current_time minus 5 minutes. |

Table 5 HsmClusterInfo

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| hsm_project | Yes | String | Project information. For example, cn-north-7 |
| hsm_cluster_id | Yes | String | HSM cluster identifier. For example, 54d8301b-b859-4c55-a628-21fcf90e609e |
| hsm_ca_cert | Yes | String | Base64-encoded string of the certificate in PEM format: MXXXXX |

Table 6 DistinguishedName

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| common_name | Yes | String | Common name (CN) of a certificate. The value can contain a maximum of 64 characters, including only letters, digits, spaces, Chinese characters, hyphens (-), underscores (_), periods (.), commas (,), and asterisks (*). Minimum: 1; Maximum: 64 |
| country | Yes | String | Country code. The value is a string of two characters and can contain only letters. Minimum: 2; Maximum: 2 |
| state | Yes | String | Name of a province or city. The value can contain a maximum of 128 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,). Minimum: 1; Maximum: 128 |
| locality | Yes | String | Region name. The value can contain a maximum of 128 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,). Minimum: 1; Maximum: 128 |
| organization | Yes | String | Organization name. The value can contain a maximum of 64 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,). Minimum: 1; Maximum: 64 |
| organizational_unit | Yes | String | Organization unit name. The value can contain a maximum of 64 characters, including only letters, digits, Chinese characters, spaces, hyphens (-), underscores (_), periods (.), and commas (,). Minimum: 1; Maximum: 64 |

Table 7 CrlConfiguration

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| enabled | Yes | Boolean | Whether to enable the gray release function of CRL. Options: true; false |
| crl_name | No | String | Name of the certificate revocation list. NOTE: If you do not specify this parameter, the system uses the ID of the parent CA that issues the current certificate by default. |
| obs_bucket_name | No | String | Specifies the OBS bucket name. NOTE: To enable the CRL release function, this parameter is mandatory. You must have created an agency and assigned PCA permissions on OBS to it. For details, see Certificate Revocation > Checking Permissions of an Agency and Certificate Revocation > Creating an Agency. The specified OBS bucket must exist. Otherwise, an error will be reported. |
| valid_days | No | Integer | CRL update interval, in days. This parameter is mandatory when the CRL release function is enabled. Minimum: 7; Maximum: 30 |

Response Parameters

Status code: 204

Request succeeded, but no response body returned.

Status code: 400

Table 8 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. Minimum: 3; Maximum: 36 |
| error_msg | String | Error message. Minimum: 0; Maximum: 1024 |

Status code: 401

Table 9 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. Minimum: 3; Maximum: 36 |
| error_msg | String | Error message. Minimum: 0; Maximum: 1024 |

Status code: 403

Table 10 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. Minimum: 3; Maximum: 36 |
| error_msg | String | Error message. Minimum: 0; Maximum: 1024 |

Status code: 404

Table 11 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. Minimum: 3; Maximum: 36 |
| error_msg | String | Error message. Minimum: 0; Maximum: 1024 |

Status code: 500

Table 12 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. Minimum: 3; Maximum: 36 |
| error_msg | String | Error message. Minimum: 0; Maximum: 1024 |

Example Requests

When you call this API, a token with the permission to use this API is mandatory for the X-Auth-Token field.

POST https://ccm.cn-north-4.myhuaweicloud.com/v1/private-certificate-authorities/4c0e772e-a30c-4029-b929-b7acb04143f7/activate

{
  "signature_algorithm" : "SHA256",
  "validity" : {
    "type" : "YEAR",
    "value" : 1
  },
  "path_length" : 3,
  "issuer_id" : "c718fe5f-d44a-467f-80f1-948348ff4132"
}
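
The parameter constraints in Tables 1, 3, 4 and 7 can be checked on the client before the request is sent, as in this added example (not Huawei Cloud code; validate_activate_request and EXAMPLE_BODY are names made up here). The validity cap is compared only for type YEAR, because the page states the cap in years.

```python
import re
import time

SIG_ALGS = {"SHA256", "SHA384", "SHA512", "SM3"}
VALIDITY_TYPES = {"YEAR", "MONTH", "DAY", "HOUR"}
KEY_USAGES = {"digitalSignature", "nonRepudiation", "keyEncipherment",
              "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
              "encipherOnly", "decipherOnly"}
EP_ID = re.compile(r"^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$")
# Sample input: the body from the page's "Example Requests" section.
EXAMPLE_BODY = {"signature_algorithm": "SHA256", "validity": {"type": "YEAR", "value": 1},
                "path_length": 3, "issuer_id": "c718fe5f-d44a-467f-80f1-948348ff4132"}


def validate_activate_request(ca_id, body, now_ms=None):
    """Hypothetical helper: list the documented constraints this request breaks."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    errs = []
    if not isinstance(ca_id, str) or len(ca_id) != 36:
        errs.append("ca_id must be exactly 36 characters")
    issuer = body.get("issuer_id")
    if not isinstance(issuer, str) or not 1 <= len(issuer) <= 64:
        errs.append("issuer_id is mandatory, 1-64 characters")
    if body.get("signature_algorithm") not in SIG_ALGS:
        errs.append("signature_algorithm must be one of " + ", ".join(sorted(SIG_ALGS)))
    pl = body.get("path_length")
    if pl is not None and (not isinstance(pl, int) or not 0 <= pl <= 6):
        errs.append("path_length must be an integer in 0-6")
    v = body.get("validity")
    if not isinstance(v, dict) or v.get("type") not in VALIDITY_TYPES \
            or not isinstance(v.get("value"), int):
        errs.append("validity needs type YEAR/MONTH/DAY/HOUR and an integer value")
    else:
        # Root CAs: at most 30 years; subordinate CAs: at most 20 years (Table 4).
        cap = 30 if body.get("type") == "ROOT" else 20
        if v["type"] == "YEAR" and v["value"] > cap:
            errs.append(f"validity exceeds {cap} years")
        start = v.get("start_from")
        if start is not None and start <= now_ms - 5 * 60 * 1000:
            errs.append("validity.start_from is more than five minutes in the past")
    bad = set(body.get("key_usages") or []) - KEY_USAGES
    if bad:
        errs.append("unknown key_usages: " + ", ".join(sorted(bad)))
    crl = body.get("crl_configuration")
    if crl and crl.get("enabled"):
        if not crl.get("obs_bucket_name"):
            errs.append("crl_configuration.obs_bucket_name is mandatory when CRL is enabled")
        vd = crl.get("valid_days")
        if not isinstance(vd, int) or not 7 <= vd <= 30:
            errs.append("crl_configuration.valid_days must be 7-30 when CRL is enabled")
    ep = body.get("enterprise_project_id")
    if ep is not None and ep not in ("all", "0") and not (isinstance(ep, str) and EP_ID.fullmatch(ep)):
        errs.append("enterprise_project_id must be all, 0, or match the documented pattern")
    return errs
```

An empty list means the body satisfies the documented limits; the service can still reject the request, for example when the CA is not in the Pending activation status.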

Example Responses

Status code: 400

Invalid request parameters.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 401

Token required for the requested page.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 403

Authentication failed.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 404

No resources available or found.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

Status code: 500

Internal service error.

{
  "error_code" : "PCA.XXX",
  "error_msg" : "XXX"
}

SDK Sample Code

The SDK sample code is as follows.

Java

When you call this API, a token with the permission to use this API is mandatory for the X-Auth-Token field.

package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.ccm.v1.region.CcmRegion;
import com.huaweicloud.sdk.ccm.v1.*;
import com.huaweicloud.sdk.ccm.v1.model.*;


public class IssueCertificateAuthorityCertificateSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new GlobalCredentials()
                .withAk(ak)
                .withSk(sk);

        CcmClient client = CcmClient.newBuilder()
                .withCredential(auth)
                .withRegion(CcmRegion.valueOf("<YOUR REGION>"))
                .build();
        IssueCertificateAuthorityCertificateRequest request = new IssueCertificateAuthorityCertificateRequest();
        request.withCaId("{ca_id}");
        IssueCertificateAuthorityCertificateRequestBody body = new IssueCertificateAuthorityCertificateRequestBody();
        Validity validitybody = new Validity();
        validitybody.withType("YEAR")
            .withValue(1);
        body.withValidity(validitybody);
        body.withSignatureAlgorithm("SHA256");
        body.withPathLength(3);
        body.withIssuerId("c718fe5f-d44a-467f-80f1-948348ff4132");
        request.withBody(body);
        try {
            IssueCertificateAuthorityCertificateResponse response = client.issueCertificateAuthorityCertificate(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Python

When you call this API, a token with the permission to use this API is mandatory for the X-Auth-Token field.

# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkccm.v1.region.ccm_region import CcmRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkccm.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]

    credentials = GlobalCredentials(ak, sk)

    client = CcmClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CcmRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = IssueCertificateAuthorityCertificateRequest()
        request.ca_id = "{ca_id}"
        validitybody = Validity(
            type="YEAR",
            value=1
        )
        request.body = IssueCertificateAuthorityCertificateRequestBody(
            validity=validitybody,
            signature_algorithm="SHA256",
            path_length=3,
            issuer_id="c718fe5f-d44a-467f-80f1-948348ff4132"
        )
        response = client.issue_certificate_authority_certificate(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Go

When you call this API, a token with the permission to use this API is mandatory for the X-Auth-Token field.

package main

import (
	"fmt"
	"os" // needed for os.Getenv below

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/global"
	ccm "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/ccm/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")

    auth := global.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        Build()

    client := ccm.NewCcmClient(
        ccm.CcmClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.IssueCertificateAuthorityCertificateRequest{}
	request.CaId = "{ca_id}"
	validitybody := &model.Validity{
		Type: "YEAR",
		Value: int32(1),
	}
	pathLengthIssueCertificateAuthorityCertificateRequestBody:= int32(3)
	request.Body = &model.IssueCertificateAuthorityCertificateRequestBody{
		Validity: validitybody,
		SignatureAlgorithm: "SHA256",
		PathLength: &pathLengthIssueCertificateAuthorityCertificateRequestBody,
		IssuerId: "c718fe5f-d44a-467f-80f1-948348ff4132",
	}
	response, err := client.IssueCertificateAuthorityCertificate(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

More

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

| Status Code | Description |
|---|---|
| 204 | Request succeeded, but no response body returned. |
| 400 | Invalid request parameters. |
| 401 | Token required for the requested page. |
| 403 | Authentication failed. |
| 404 | No resources available or found. |
| 500 | Internal service error. |

Error Codes

See Error Codes.