更新时间:2024-12-17 GMT+08:00
创建CA
每个用户可以创建1000个CA。
创建私有CA相关参数详情请参见创建CA参数说明。
import com.huaweicloud.sdk.ccm.v1.CcmClient; import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityRequest; import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityRequestBody; import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityResponse; import com.huaweicloud.sdk.ccm.v1.model.CrlConfiguration; import com.huaweicloud.sdk.ccm.v1.model.DistinguishedName; import com.huaweicloud.sdk.ccm.v1.model.Validity; import com.huaweicloud.sdk.core.auth.GlobalCredentials; /** * 创建CA */ public class CreateCertificateAuthorityExample { /** * 基础认证信息: * - ACCESS_KEY: 华为云账号Access Key * - SECRET_ACCESS_KEY: 华为云账号Secret Access Key * - DOMAIN_ID: 华为云账号ID * - CCM_ENDPOINT: 华为云CCM服务(PCA属于CCM下的微服务)访问终端地址 * 认证使用的ak和sk硬编到代码中或明文存储存在较大安全风险,建议在配置文件或环境变量中密文存放,使用时解密,确保安全; * 本示例ak和sk保存在环境变量中为例,运行本示例前请先在本地环境中设置环境变量HUAWEICLOUD_SDK_AK和HUAWEICLOUD_SDK_SK。 */ private static final String ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_AK"); private static final String SECRET_ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_SK"); private static final String DOMAIN_ID = "<DomainID>"; private static final String CCM_ENDPOINT = "<CcmEndpoint>"; public static void main(String[] args) { // 1.准备访问华为云的认证信息,PCA为全局服务 final GlobalCredentials auth = new GlobalCredentials() .withAk(ACCESS_KEY) .withSk(SECRET_ACCESS_KEY) .withDomainId(DOMAIN_ID); // 2.初始化SDK,传入认证信息及CCM服务的访问终端地址 final CcmClient ccmClient = CcmClient.newBuilder() .withCredential(auth) .withEndpoint(CCM_ENDPOINT).build(); // 3、构造请求参数 // (1)需要创建的CA证书类型:ROOT(根CA)、SUBORDINATE(从属CA) String CAType = "ROOT"; // (2)CA密钥算法 String keyAlgorithm = "RSA2048"; // (3)签名哈希算法 String signatureAlgorithm = "SHA512"; /* * (4)CA有效期定义 * - type: 时间类型,可选:"YEAR"、"MONTH"、"DAY"、"HOUR" * - value: 对应的值 */ Validity validity = new Validity(); validity.setType("YEAR"); validity.setValue(20); /* * (5)定义CA的唯一标识信息 * - organization: 组织名称 * - organizationalUnit: 部门名称 * - country: 国家缩写,仅限两个字符,如中国-CN * - state: 省市名称 * - locality: 城市名称 * - commonName: CA名称(CN) */ DistinguishedName subjectInfo = new DistinguishedName(); subjectInfo.setOrganization("your organization"); subjectInfo.setOrganizationalUnit("your organizational unit"); subjectInfo.setCountry("CN"); subjectInfo.setState("your state"); subjectInfo.setLocality("your locality"); subjectInfo.setCommonName("your CA name"); /* * (6)吊销列表配置信息 * - enabled: 是否启用CRL配置 * - obsBucketName: OBS桶名称,用于发布CRL,需要已授权!!! * - crlName: 证书吊销列表文件名,不传入时默认取CA ID作为文件名 * - validDays: 证书吊销列表更新周期 */ CrlConfiguration crlConfiguration = new CrlConfiguration(); crlConfiguration.setEnabled(false); crlConfiguration.setObsBucketName("your OBS buck name"); crlConfiguration.setCrlName("your CRL file name"); crlConfiguration.setValidDays(7); // (7)请求体各属性赋值 CreateCertificateAuthorityRequestBody requestBody = new CreateCertificateAuthorityRequestBody(); requestBody.setType(CAType); requestBody.setKeyAlgorithm(keyAlgorithm); requestBody.setSignatureAlgorithm(signatureAlgorithm); requestBody.setValidity(validity); requestBody.setDistinguishedName(subjectInfo); requestBody.setCrlConfiguration(crlConfiguration); // 4、构造请求体 CreateCertificateAuthorityRequest request = new CreateCertificateAuthorityRequest().withBody(requestBody); // 5、开始发起请求 CreateCertificateAuthorityResponse response; try { response = ccmClient.createCertificateAuthority(request); } catch (Exception e) { throw new RuntimeException(e.getMessage()); } // 6、获取创建成功的CA的ID String caId = response.getCaId(); System.out.println(caId); } }
父主题: 私有CA管理代码示例