更新时间:2024-12-17 GMT+08:00

创建CA

每个用户可以创建1000个CA。

创建私有CA相关参数详情请参见创建CA参数说明

import com.huaweicloud.sdk.ccm.v1.CcmClient;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityRequest;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityRequestBody;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityResponse;
import com.huaweicloud.sdk.ccm.v1.model.CrlConfiguration;
import com.huaweicloud.sdk.ccm.v1.model.DistinguishedName;
import com.huaweicloud.sdk.ccm.v1.model.Validity;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;

/**
 * 创建CA
 */
public class CreateCertificateAuthorityExample {
    /**
     * 基础认证信息:
     * - ACCESS_KEY: 华为云账号Access Key
     * - SECRET_ACCESS_KEY: 华为云账号Secret Access Key
     * - DOMAIN_ID: 华为云账号ID
     * - CCM_ENDPOINT: 华为云CCM服务(PCA属于CCM下的微服务)访问终端地址
     * 认证使用的ak和sk硬编到代码中或明文存储存在较大安全风险,建议在配置文件或环境变量中密文存放,使用时解密,确保安全;
     * 本示例ak和sk保存在环境变量中为例,运行本示例前请先在本地环境中设置环境变量HUAWEICLOUD_SDK_AK和HUAWEICLOUD_SDK_SK。
     */
    private static final String ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_AK");
    private static final String SECRET_ACCESS_KEY =  System.getenv("HUAWEICLOUD_SDK_SK");
    private static final String DOMAIN_ID = "<DomainID>";
    private static final String CCM_ENDPOINT = "<CcmEndpoint>";

    public static void main(String[] args) {
        // 1.准备访问华为云的认证信息,PCA为全局服务
        final GlobalCredentials auth = new GlobalCredentials()
                .withAk(ACCESS_KEY)
                .withSk(SECRET_ACCESS_KEY)
                .withDomainId(DOMAIN_ID);

        // 2.初始化SDK,传入认证信息及CCM服务的访问终端地址
        final CcmClient ccmClient = CcmClient.newBuilder()
                .withCredential(auth)
                .withEndpoint(CCM_ENDPOINT).build();

        // 3、构造请求参数
        // (1)需要创建的CA证书类型:ROOT(根CA)、SUBORDINATE(从属CA)
        String CAType = "ROOT";
        // (2)CA密钥算法
        String keyAlgorithm = "RSA2048";
        // (3)签名哈希算法
        String signatureAlgorithm = "SHA512";

        /*
         * (4)CA有效期定义
         * - type: 时间类型,可选:"YEAR"、"MONTH"、"DAY"、"HOUR"
         * - value: 对应的值
         */
        Validity validity = new Validity();
        validity.setType("YEAR");
        validity.setValue(20);

        /*
         * (5)定义CA的唯一标识信息
         * - organization: 组织名称
         * - organizationalUnit: 部门名称
         * - country: 国家缩写,仅限两个字符,如中国-CN
         * - state: 省市名称
         * - locality: 城市名称
         * - commonName: CA名称(CN)
         */
        DistinguishedName subjectInfo = new DistinguishedName();
        subjectInfo.setOrganization("your organization");
        subjectInfo.setOrganizationalUnit("your organizational unit");
        subjectInfo.setCountry("CN");
        subjectInfo.setState("your state");
        subjectInfo.setLocality("your locality");
        subjectInfo.setCommonName("your CA name");

        /*
         * (6)吊销列表配置信息
         * - enabled: 是否启用CRL配置
         * - obsBucketName: OBS桶名称,用于发布CRL,需要已授权!!!
         * - crlName: 证书吊销列表文件名,不传入时默认取CA ID作为文件名
         * - validDays: 证书吊销列表更新周期
         */
        CrlConfiguration crlConfiguration = new CrlConfiguration();
        crlConfiguration.setEnabled(false);
        crlConfiguration.setObsBucketName("your OBS buck name");
        crlConfiguration.setCrlName("your CRL file name");
        crlConfiguration.setValidDays(7);

        // (7)请求体各属性赋值
        CreateCertificateAuthorityRequestBody requestBody = new CreateCertificateAuthorityRequestBody();
        requestBody.setType(CAType);
        requestBody.setKeyAlgorithm(keyAlgorithm);
        requestBody.setSignatureAlgorithm(signatureAlgorithm);
        requestBody.setValidity(validity);
        requestBody.setDistinguishedName(subjectInfo);
        requestBody.setCrlConfiguration(crlConfiguration);

        // 4、构造请求体
        CreateCertificateAuthorityRequest request = new CreateCertificateAuthorityRequest().withBody(requestBody);

        // 5、开始发起请求
        CreateCertificateAuthorityResponse response;
        try {
            response = ccmClient.createCertificateAuthority(request);
        } catch (Exception e) {
            throw new RuntimeException(e.getMessage());
        }

        // 6、获取创建成功的CA的ID
        String caId = response.getCaId();

        System.out.println(caId);
    }

}