Certificate Manager Private CA API, REST: PrivateCa.GenerateCertificateAuthority
Generates a new Certificate Authority (CA).
This endpoint creates a new CA with given properties and cryptographic settings.
HTTP request
POST https://private-ca.certificate-manager.api.cloud.yandex.net/privateca/v1/certificateAuthorities:generate
Body parameters
{
"folderId": "string",
"parentCertificateAuthorityId": "string",
"name": "string",
"description": "string",
"subjectSpec": {
"baseRdn": {
"country": "string",
"organization": "string",
"organizationalUnit": "string",
"distinguishedNameQualifier": "string",
"stateOrProvince": "string",
"commonName": "string",
"emailAddress": "string"
},
"additionalRdn": {
"serialNumber": "string",
"locality": "string",
"title": "string",
"surname": "string",
"givenName": "string",
"initials": "string",
"generationQualifier": "string"
}
},
"algorithm": "string",
"pathLen": "string",
"keyUsage": [
"string"
],
"extendedKeyUsage": [
"string"
],
"ttlDays": "string",
"endEntitiesTtlLimitDays": "string",
"templateId": "string",
"enableCrl": "boolean",
"enableOcsp": "boolean",
"deletionProtection": "boolean"
}
Request to generate a new Certificate Authority (CA).
Field |
Description |
folderId |
string Required field. Folder ID where the CA is being created. |
parentCertificateAuthorityId |
string Optional. If set intermediate CA would be generated and signed on parent CA |
name |
string Required field. The name of the Certificate Authority. |
description |
string An optional description of the Certificate Authority. |
subjectSpec |
Required field. The subject (e.g., common name, organization, etc.) for the CA. |
algorithm |
enum (Algorithm) Required field. The algorithm for the asymmetric key generation (e.g., RSA, ECC).
|
pathLen |
string (int64) The maximum length of the certificate chain. |
keyUsage[] |
enum (KeyUsageExtension) Key usage (e.g., keyEncipherment, digitalSignature).
|
extendedKeyUsage[] |
enum (ExtendedKeyUsageExtension) Extended key usage (e.g., serverAuth, clientAuth).
|
ttlDays |
string (int64) The Time-To-Live (TTL) in days for the CA. |
endEntitiesTtlLimitDays |
string (int64) TTL limit in days for end-entities signed by the CA. |
templateId |
string Optional template ID to fill certificate fields with template data. Explicitly defined parameters is preferred |
enableCrl |
boolean Enable Certificate Revocation List (CRL) support. |
enableOcsp |
boolean Enable Online Certificate Status Protocol (OCSP) support. |
deletionProtection |
boolean Protect the CA from accidental deletion. Deny deletion of ca if set |
Subject
Subject field of certificate https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
Field |
Description |
baseRdn |
Required field. Most used field of subject |
additionalRdn |
Additional fields of subject |
BaseRDN
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4
Field |
Description |
country |
string Two letter county code |
organization |
string Organization name in arbitrary form |
organizationalUnit |
string Organizational unit name in arbitrary form |
distinguishedNameQualifier |
string Distinguished name qualifier |
stateOrProvince |
string State or province name in arbitrary form |
commonName |
string Common name. For tls certificates it is domain usually. |
emailAddress |
string Email address of certificate owner |
AdditionalRDN
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4
Field |
Description |
serialNumber |
string Serial number of certificate subject in arbitrary form. Don't confuse with certificate serial number. |
locality |
string Locality of certificate subject in arbitrary form. |
title |
string Title of certificate subject in arbitrary form. |
surname |
string Surname of certificate subject in arbitrary form. |
givenName |
string Given name of certificate subject in arbitrary form. |
initials |
string Initials of certificate subject in arbitrary form. |
generationQualifier |
string Generation qualifier of certificate subject in arbitrary form. |
Response
HTTP Code: 200 - OK
{
"id": "string",
"description": "string",
"createdAt": "string",
"createdBy": "string",
"modifiedAt": "string",
"done": "boolean",
"metadata": {
"certificateAuthorityId": "string"
},
// Includes only one of the fields `error`, `response`
"error": {
"code": "integer",
"message": "string",
"details": [
"object"
]
},
"response": {
"id": "string",
"folderId": "string",
"name": "string",
"description": "string",
"parentCertificateAuthorityId": "string",
"status": "string",
"issuedAt": "string",
"notAfter": "string",
"notBefore": "string",
"crlEndpoint": "string",
"endEntitiesTtlLimitDays": "string",
"deletionProtection": "boolean",
"createdAt": "string",
"updatedAt": "string"
}
// end of the list of possible fields
}
An Operation resource. For more information, see Operation.
Field |
Description |
id |
string ID of the operation. |
description |
string Description of the operation. 0-256 characters long. |
createdAt |
string (date-time) Creation timestamp. String in RFC3339 To work with values in this field, use the APIs described in the |
createdBy |
string ID of the user or service account who initiated the operation. |
modifiedAt |
string (date-time) The time when the Operation resource was last modified. String in RFC3339 To work with values in this field, use the APIs described in the |
done |
boolean If the value is |
metadata |
GenerateCertificateAuthorityMetadata Service-specific metadata associated with the operation. |
error |
The error result of the operation in case of failure or cancellation. Includes only one of the fields The operation result. |
response |
The normal response of the operation in case of success. Includes only one of the fields The operation result. |
GenerateCertificateAuthorityMetadata
Metadata for the GenerateCertificateAuthority operation.
Field |
Description |
certificateAuthorityId |
string ID of the Certificate Authority being created. |
Status
The error result of the operation in case of failure or cancellation.
Field |
Description |
code |
integer (int32) Error code. An enum value of google.rpc.Code |
message |
string An error message. |
details[] |
object A list of messages that carry the error details. |
CertificateAuthority
A certificate authority (CA) used to sign certificates.
Field |
Description |
id |
string ID of the certificate authority. |
folderId |
string ID of the folder that the certificate authority belongs to. |
name |
string Name of the certificate authority. |
description |
string Description of the certificate authority. |
parentCertificateAuthorityId |
string ID of the parent certificate authority that signed this certificate authority if any. |
status |
enum (Status) Status of the certificate authority.
|
issuedAt |
string (date-time) Time when the certificate authority was issued. String in RFC3339 To work with values in this field, use the APIs described in the |
notAfter |
string (date-time) Time after which the certificate authority is not valid. String in RFC3339 To work with values in this field, use the APIs described in the |
notBefore |
string (date-time) Time before which the certificate authority is not valid. String in RFC3339 To work with values in this field, use the APIs described in the |
crlEndpoint |
string Endpoint of the certificate revocation list (CRL) for the certificate authority. |
endEntitiesTtlLimitDays |
string (int64) Maximum allowed TTL (in days) for end-entity certificates issued by this CA. |
deletionProtection |
boolean Flag that protects deletion of the certificate authority. |
createdAt |
string (date-time) Time when the certificate authority was created. String in RFC3339 To work with values in this field, use the APIs described in the |
updatedAt |
string (date-time) Time when the certificate authority was last updated. String in RFC3339 To work with values in this field, use the APIs described in the |