Certificate Manager Private CA API, REST: PrivateCa.GenerateCsrForCertificateAuthority
Generates a Certificate Signing Request (CSR) for a new CA.
This allows generating the CSR which can be used to receive the final certificate.
HTTP request
POST https://private-ca.certificate-manager.api.cloud.yandex.net/privateca/v1/certificateAuthorities/generateCsr
Body parameters
{
"folderId": "string",
"name": "string",
"description": "string",
"issuer": {
"baseRdn": {
"country": "string",
"organization": "string",
"organizationalUnit": "string",
"distinguishedNameQualifier": "string",
"stateOrProvince": "string",
"commonName": "string",
"emailAddress": "string"
},
"additionalRdn": {
"serialNumber": "string",
"locality": "string",
"title": "string",
"surname": "string",
"givenName": "string",
"initials": "string",
"generationQualifier": "string"
}
},
"subjectSpec": {
"baseRdn": {
"country": "string",
"organization": "string",
"organizationalUnit": "string",
"distinguishedNameQualifier": "string",
"stateOrProvince": "string",
"commonName": "string",
"emailAddress": "string"
},
"additionalRdn": {
"serialNumber": "string",
"locality": "string",
"title": "string",
"surname": "string",
"givenName": "string",
"initials": "string",
"generationQualifier": "string"
}
},
"algorithm": "string",
"pathLen": "string",
"keyUsage": [
"string"
],
"extendedKeyUsage": [
"string"
],
"ttlDays": "string",
"endEntitiesTtlLimitDays": "string",
"templateId": "string",
"enableCrl": "boolean",
"enableOcsp": "boolean",
"deletionProtection": "boolean"
}
Request to generate a CSR for an existing Certificate Authority (CA).
Request for generating a Certificate Signing Request (CSR) for a new Certificate Authority (CA).
|
Field |
Description |
|
folderId |
string Required field. Folder ID where the CA is being created. |
|
name |
string Required field. Unique name for the Certificate Authority. |
|
description |
string Optional description of the Certificate Authority for users to add additional context. |
|
issuer |
Required field. Specifies the Certificate Authority issuer. |
|
subjectSpec |
Required field. Subject specifies the distinguished name (DN) fields for the CA (e.g., CN, O, etc.). |
|
algorithm |
enum (Algorithm) Required field. The cryptographic algorithm to generate the CSR with (e.g., RSA, ECC).
|
|
pathLen |
string (int64) Path length constraint, defining the depth to which the CA can sign child certificates. |
|
keyUsage[] |
enum (KeyUsageExtension) Specifies the key usage extensions, such as digitalSignature, keyEncipherment, etc.
|
|
extendedKeyUsage[] |
enum (ExtendedKeyUsageExtension) Specifies the extended key usage extensions, such as serverAuth or clientAuth.
|
|
ttlDays |
string (int64) Time-to-Live (TTL) in days for the Certificate Authority. |
|
endEntitiesTtlLimitDays |
string (int64) TTL limit in days for end-entity certificates (e.g., server certs) issued by this CA. |
|
templateId |
string Optional template ID for applying predefined configurations for generating the keys. |
|
enableCrl |
boolean Enables support for Certificate Revocation Lists (CRL). |
|
enableOcsp |
boolean Enables support for the Online Certificate Status Protocol (OCSP). |
|
deletionProtection |
boolean Protection flag that prevents accidental deletion of the Certificate Authority. |
Issuer
Issuer field of certificate. Contains same inner field with subject. https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4
|
Field |
Description |
|
baseRdn |
Required field. |
|
additionalRdn |
BaseRDN
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4
|
Field |
Description |
|
country |
string Two letter county code |
|
organization |
string Organization name in arbitrary form |
|
organizationalUnit |
string Organizational unit name in arbitrary form |
|
distinguishedNameQualifier |
string Distinguished name qualifier |
|
stateOrProvince |
string State or province name in arbitrary form |
|
commonName |
string Common name. For tls certificates it is domain usually. |
|
emailAddress |
string Email address of certificate owner |
AdditionalRDN
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4
|
Field |
Description |
|
serialNumber |
string Serial number of certificate subject in arbitrary form. Don't confuse with certificate serial number. |
|
locality |
string Locality of certificate subject in arbitrary form. |
|
title |
string Title of certificate subject in arbitrary form. |
|
surname |
string Surname of certificate subject in arbitrary form. |
|
givenName |
string Given name of certificate subject in arbitrary form. |
|
initials |
string Initials of certificate subject in arbitrary form. |
|
generationQualifier |
string Generation qualifier of certificate subject in arbitrary form. |
Subject
Subject field of certificate https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
|
Field |
Description |
|
baseRdn |
Required field. Most used field of subject |
|
additionalRdn |
Additional fields of subject |
Response
HTTP Code: 200 - OK
{
"id": "string",
"description": "string",
"createdAt": "string",
"createdBy": "string",
"modifiedAt": "string",
"done": "boolean",
"metadata": {
"certificateAuthorityId": "string"
},
// Includes only one of the fields `error`, `response`
"error": {
"code": "integer",
"message": "string",
"details": [
"object"
]
},
"response": {
"certificateAuthorityId": "string",
"pemContent": "string"
}
// end of the list of possible fields
}
An Operation resource. For more information, see Operation.
|
Field |
Description |
|
id |
string ID of the operation. |
|
description |
string Description of the operation. 0-256 characters long. |
|
createdAt |
string (date-time) Creation timestamp. String in RFC3339 text format. The range of possible values is from To work with values in this field, use the APIs described in the |
|
createdBy |
string ID of the user or service account who initiated the operation. |
|
modifiedAt |
string (date-time) The time when the Operation resource was last modified. String in RFC3339 text format. The range of possible values is from To work with values in this field, use the APIs described in the |
|
done |
boolean If the value is |
|
metadata |
GenerateCsrForCertificateAuthorityMetadata Service-specific metadata associated with the operation. |
|
error |
The error result of the operation in case of failure or cancellation. Includes only one of the fields The operation result. |
|
response |
CsrForSignCertificateAuthority The normal response of the operation in case of success. Includes only one of the fields The operation result. |
GenerateCsrForCertificateAuthorityMetadata
Metadata returned from the GenerateCsrForCertificateAuthority operation.
|
Field |
Description |
|
certificateAuthorityId |
string The ID of the Certificate Authority for which the CSR was generated. |
Status
The error result of the operation in case of failure or cancellation.
|
Field |
Description |
|
code |
integer (int32) Error code. An enum value of google.rpc.Code. |
|
message |
string An error message. |
|
details[] |
object A list of messages that carry the error details. |
CsrForSignCertificateAuthority
Certificate Signing Request (CSR) for signing a certificate authority.
|
Field |
Description |
|
certificateAuthorityId |
string ID of the certificate authority for which the CSR was generated. |
|
pemContent |
string PEM-encoded CSR content. |