---
Title: Manage certificates
URL Source: https://company-skill.com/p/cas/cas-manage-certificates
Language: en
Description: You want to create and manage your own private Certificate Authority (CA), issue private certificates for internal services (e.g., mTLS, service mesh), and control their lifecycle—including…
---

# Manage certificates

Part of **Certificate Management Service (CAS)**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You want to create and manage your own private Certificate Authority (CA), issue private certificates for internal services (e.g., mTLS, service mesh), and control their lifecycle—including deployment, revocation, and renewal—within your Alibaba Cloud environment.

**Typical User Questions**:
- Can I issue internal certificates with my own CA?
- How to set up a private PKI hierarchy?

## Decision Tree

Pick the best path for your situation:

- **If** you need to integrate certificate management into CI/CD pipelines or programmatically issue more than 100 certificates per month → use **APICA**, the OpenAPI/SDK path (detail skill `cas/api/cas-certificate`)
- **If** you manage 20 or fewer test certificates per year and prefer a graphical interface → use **CA**, the console path (detail skill `cas/guide/cas-certificate`)
- **If** your workflow performs cryptographic operations such as signing or encryption from code → use **APICA** (detail skill `cas/api/cas-certificate`)
- **Otherwise (default)** → start with **CA** if you are new to private PKI or manage only a few certificates, and move to **APICA** once automation or volume requires it.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Scale | Detail Skill |
|------|----------|------------|---------------|------------|-------|-------------|
| APICA (OpenAPI/SDK) | Private PKI at scale: CI/CD integration, bulk issuance, mTLS/service-mesh automation | high | Yes | Yes | 100–1000 certificates/month | `cas/api/cas-certificate` |
| CA (console) | Small or test deployments managed by hand | medium | No | No | ≤20 certificates/year | `cas/guide/cas-certificate` |

## Path Details

### Path 1: APICA

**Best For**: Private PKI at scale: CI/CD integration, bulk issuance, and mTLS/service-mesh automation.

**Brief Description**: The Certificate Management Service OpenAPI provides RESTful interfaces to manage private CA certificates, client certificates, and certificate repositories. It supports creating CSRs, issuing certificates, and performing cryptographic operations such as encryption and signing. Requests are signed with a RAM AccessKey pair (or temporary STS credentials), and SDKs are available for Java (`com.aliyun:cas20200407:1.0.13`) and Python (the `alibabacloud_cas20200407` package, generated from the same `cas20200407` product code).

**Key technical facts**:
- Billing: free tier of 100 certificates/month, paid beyond that; the path is sized for 100–1000 certificates/month (see the detail skill for rates)
- Auth method: RAM AccessKey signature. Requests are signed with the AccessKey ID/secret of a RAM user, or the temporary STS credentials of a RAM role, and the SDKs do the signing. The `Authorization: Bearer $DASHSCOPE_API_KEY` header belongs to Model Studio (DashScope), a different service, and is not accepted by CAS
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing, ap-southeast-1, eu-central-1
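
What the API path manages, modelled locally so the checks are visible: the block below is an added example written against Go's standard `crypto/x509`, not code from the CAS API, its SDKs, or this page. It builds a two-tier private hierarchy (root, issuing CA with pathLen 0), issues a short-lived mTLS leaf from a CSR, publishes a CRL, and verifies a leaf the way a relying party must. The CA names, the hostname `payments.internal.example`, the 30-day leaf lifetime, the P-256-only key policy and all function names are assumptions of the example; nothing in it calls Alibaba Cloud. Two points carry over to any private CA, CAS included: the CA, not the CSR, decides IsCA, key usage and lifetime, and revocation is only enforced if the relying party checks it, because a bare chain verifier does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PrivatePKI is a two-tier hierarchy: a root that signs only the issuing CA, and an issuing CA that signs leaves and the CRL.
type PrivatePKI struct {
	Root, Issuer       *x509.Certificate
	rootKey, issuerKey *ecdsa.PrivateKey
}

func must[T any](v T, err error) T { // CA-internal steps only; caller-supplied input never reaches must
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))) // random 128-bit serial, never sequential
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

func NewPrivatePKI(now time.Time) *PrivatePKI { // root kept offline in practice; CA names are constructed
	ca := func(cn string, years, pathLen int) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.AddDate(years, 0, 0), IsCA: true,
			BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	}
	p := &PrivatePKI{rootKey: newKey(), issuerKey: newKey()}
	root := ca("Example Internal Root CA", 10, -1) // -1: no path length constraint on the root
	p.Root = sign(root, root, &p.rootKey.PublicKey, p.rootKey)
	p.Issuer = sign(ca("Example Internal Issuing CA", 5, 0), p.Root, &p.issuerKey.PublicKey, p.rootKey) // pathLen 0: leaves only
	return p
}

// NewCSR runs on the service host: the key is generated there and only the signed request leaves it.
func NewCSR(dnsNames []string) (*ecdsa.PrivateKey, []byte) {
	key := newKey()
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames}
	return key, must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
}

// Issue checks proof of possession and key policy, then signs a 30-day mTLS leaf; only the public key and SANs come from the CSR.
func (p *PrivatePKI) Issue(csrDER []byte, now time.Time) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr proof of possession failed: %w", err)
	}
	if pub, ok := csr.PublicKey.(*ecdsa.PublicKey); !ok || pub.Curve != elliptic.P256() || len(csr.DNSNames) == 0 {
		return nil, fmt.Errorf("csr rejected: need a P-256 key and at least one DNS SAN")
	}
	return sign(&x509.Certificate{Subject: csr.Subject, DNSNames: csr.DNSNames, NotBefore: now, NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true}, p.Issuer, csr.PublicKey, p.issuerKey), nil // IsCA stays false whatever the CSR asked for
}

func (p *PrivatePKI) CRL(now time.Time, revoked ...*x509.Certificate) *x509.RevocationList { // signed by the issuing CA
	tmpl := &x509.RevocationList{Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, p.Issuer, p.issuerKey))))
}

// Verify is the relying-party side of mTLS. Go's chain verifier does not consult CRLs, so the CRL is checked here first.
func (p *PrivatePKI) Verify(leaf *x509.Certificate, crl *x509.RevocationList, now time.Time, eku x509.ExtKeyUsage) error {
	if err := crl.CheckSignatureFrom(p.Issuer); err != nil {
		return fmt.Errorf("untrusted crl: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is revoked", leaf.SerialNumber)
		}
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Issuer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now, DNSName: leaf.DNSNames[0], KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

func main() {
	pki := NewPrivatePKI(time.Now())
	_, csr := NewCSR([]string{"payments.internal.example"}) // constructed service name
	leaf := must(pki.Issue(csr, time.Now()))
	fmt.Println("fresh:", pki.Verify(leaf, pki.CRL(time.Now()), time.Now(), x509.ExtKeyUsageClientAuth), "revoked:", pki.Verify(leaf, pki.CRL(time.Now(), leaf), time.Now(), x509.ExtKeyUsageClientAuth))
}
```

With CAS, `NewPrivatePKI`, `Issue` and `CRL` correspond to work the service does for you (the private CA and its keys stay in the service), while `NewCSR` and `Verify` remain in your workload: generate the key next to the service, submit only the CSR, and have the relying party trust the private root explicitly and check revocation, rather than adding the root to a system-wide trust store.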

### Path 2: CA

**Brief Description**: The Certificate Management Service console offers a web UI to manage private CA certificates. Key actions include **Apply for Certificate**, **Deploy Certificate**, **Manage Private Certificates**, **Issue Private Certificate**, and **Revoke Private Certificate**. It requires an active Alibaba Cloud account, a purchased private CA, and a configured **VPC**. Compliance-related certificates may require a **USBKey** hardware token.

**Key technical facts**:
- Billing: purchase of the private CA instance (see the detail skill for rates)
- Auth method: console login (SSO)
- Prerequisites: Alibaba Cloud account, purchased private CA, configured VPC

## FAQ

Q: Which path should I start with?
A: If you're experimenting or managing fewer than 20 certificates per year, start with the console (**CA**). If you're building production systems (e.g., service mesh with mTLS), start with the API.

Q: What if I need to issue 500 internal certificates monthly but used the console?
A: You’ll hit the free-tier limit (100 certificates/month for free users) and be unable to issue more without upgrading—but even then, the console doesn’t support bulk automation, making manual management impractical.

Q: What if I chose the API path but don’t have RAM permissions configured?
A: Your signed API requests will be rejected with access denied errors. A valid request signature only proves who is calling; the calling RAM user or role must also hold the `AliyunYundunCertFullAccess` system policy, or a custom RAM policy that grants only the CAS actions the pipeline needs (least privilege).

Q: Can I use SM2 certificates with USBKey in the API path?
A: This page does not state USBKey support for the API path. Since USBKey is mentioned only for the console, assume hardware-bound SM2 certificates require the console. For software-based SM2 certificates, the API supports them.

Q: Does the console work outside a VPC?
A: No—**VPC** is listed as a prerequisite for the console path. Private CA certificates are intended for internal services, so they must be managed within a VPC.

Q: What happens if I try to automate certificate renewal using the console?
A: You’ll fail: **no automation** is a stated limitation of the console path. Renewals must be done manually, one by one, in the UI.

Q: Are there regional restrictions for either path?
A: The API is available in `cn-hangzhou`, `cn-shanghai`, `cn-beijing`, `ap-southeast-1`, and `eu-central-1`. The console’s regions aren’t specified in the facts—assume it follows general CAS availability, but verify in the detail skill.

## Related queries

manage private ca, issue private certificate, deploy private certificate, revoke private certificate, private pki hierarchy, internal mTLS certs, automate certificate issuance, private certificate automation, how to manage private ca, can i issue internal certificates, set up private pki, manage roo

---
Part of [Certificate Management Service (CAS)](https://company-skill.com/p/cas.md) · https://company-skill.com/llms.txt
