# huaweicloud-CCM-PCA-CAManager-java

**Repository Path**: HuaweiCloudDeveloper/huaweicloud-ccm-pca-camanager-java

## Basic Information

- **Project Name**: huaweicloud-CCM-PCA-CAManager-java
- **Description**: Code sample, built on the Huawei Cloud Java/Go/Python SDKs, for lifecycle management of certificates in Private Certificate Authority (PCA), part of the Cloud Certificate Manager (CCM) service.
- **Primary Language**: Unknown
- **License**: Apache-2.0
- **Default Branch**: master-dev
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2022-12-20
- **Last Updated**: 2025-06-16

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

## 1. Introduction

This sample is developed against Huawei Cloud SDK V3.0. Huawei Cloud provides a server-side SDK for CCM; you can integrate it directly to call the CCM APIs and operate CCM without hand-building requests.

The sample shows how to request a CA certificate through CCM, then query the CA details and export the CA certificate body through the API.

## 2. Before You Start

- You have [registered](https://id1.cloud.huawei.com/UnifiedIDMPortal/portal/userRegister/regbyphone.html?themeName=red&access_type=offline&clientID=103493351&loginChannel=88000000&loginUrl=https%3A%2F%2Fauth.huaweicloud.com%2Fauthui%2Flogin.html%23&casLoginUrl=https%3A%2F%2Fauth.huaweicloud.com%2Fauthui%2FcasLogin&service=https%3A%2F%2Fauth.huaweicloud.com%2Fauthui%2FcasLogin&countryCode=cn&scope=https%3A%2F%2Fwww.huawei.com%2Fauth%2Faccount%2Funified.profile+https%3A%2F%2Fwww.huawei.com%2Fauth%2Faccount%2Frisk.idstate&reqClientType=88&state=94fc0f9f861b4f30a85ec1f463d35609&lang=zh-cn) a Huawei Cloud account and completed [real-name authentication](https://account.huaweicloud.com/usercenter/?region=cn-north-4#/accountindex/realNameAuth).
- You have a development environment with Java JDK 1.8 or later.
- You have obtained the Access Key (AK) and Secret Access Key (SK) for your Huawei Cloud account. Create and view your AK/SK on the "My Credentials > Access Keys" page of the Huawei Cloud console. For details, see [Access Keys](https://support.huaweicloud.com/usermanual-ca/zh-cn_topic_0046606340.html).
- You have obtained your account information. View it on the "My Credentials > API Credentials" page of the Huawei Cloud console; the account ID is the domainId. For details, see [API Credentials](https://support.huaweicloud.com/usermanual-ca/ca_01_0002.html).

## 3. Installing the SDK

You can obtain and install the SDK with Maven. First download and install Maven on your system; after that you only need to add the corresponding dependency to the pom.xml of your Java project.

Before using the server-side SDK, add the "huaweicloud-sdk-ccm" dependency. For the current SDK version number, see the [SDK Center](https://sdkcenter.developer.huaweicloud.com/?language=Java).

```xml
<dependency>
    <groupId>com.huaweicloud.sdk</groupId>
    <artifactId>huaweicloud-sdk-ccm</artifactId>
    <version>3.1.26</version>
</dependency>
```

## 4. Getting Started

### 4.1 Import the dependent modules

```java
import com.huaweicloud.sdk.ccm.v1.CcmClient;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityRequest;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityRequestBody;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityResponse;
import com.huaweicloud.sdk.ccm.v1.model.CrlConfiguration;
import com.huaweicloud.sdk.ccm.v1.model.DistinguishedName;
import com.huaweicloud.sdk.ccm.v1.model.ExportCertificateAuthorityCertificateRequest;
import com.huaweicloud.sdk.ccm.v1.model.ExportCertificateAuthorityCertificateResponse;
import com.huaweicloud.sdk.ccm.v1.model.ShowCertificateAuthorityRequest;
import com.huaweicloud.sdk.ccm.v1.model.ShowCertificateAuthorityResponse;
import com.huaweicloud.sdk.ccm.v1.model.Validity;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;
```

### 4.2 Initialize the authentication information

```java
// 1. Prepare the credentials for accessing Huawei Cloud; PCA is a global service
/*
 * Basic authentication information:
 * - ak: Access Key of the Huawei Cloud account
 * - sk: Secret Access Key of the Huawei Cloud account
 * - domainId: Huawei Cloud account ID, see https://support.huaweicloud.com/productdesc-iam/iam_01_0023.html
 * Hard-coding the AK and SK into source is a serious security risk. Store them encrypted in a
 * configuration file or in environment variables and decrypt them at use time.
 * This sample reads the AK and SK from environment variables: set HUAWEICLOUD_SDK_AK and
 * HUAWEICLOUD_SDK_SK in your local environment before running it.
 */
String ak = System.getenv("HUAWEICLOUD_SDK_AK");
String sk = System.getenv("HUAWEICLOUD_SDK_SK");
String domainId = "";

final GlobalCredentials auth = new GlobalCredentials()
        .withAk(ak)
        .withSk(sk)
        .withDomainId(domainId);
```

### 4.3 Initialize the Cloud Certificate Manager client

```java
// 2. Initialize the SDK with the credentials and the CCM service endpoint
// ccmEndpoint: endpoint of the CCM service (PCA is a microservice under CCM), e.g. taken from configuration
final CcmClient ccmClient = CcmClient.newBuilder()
        .withCredential(auth)
        .withEndpoint(ccmEndpoint)
        .build();
```

### 4.4 Sample code

```java
package com.huawei.demo;

import com.huaweicloud.sdk.ccm.v1.CcmClient;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityRequest;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityRequestBody;
import com.huaweicloud.sdk.ccm.v1.model.CreateCertificateAuthorityResponse;
import com.huaweicloud.sdk.ccm.v1.model.CrlConfiguration;
import com.huaweicloud.sdk.ccm.v1.model.DistinguishedName;
import com.huaweicloud.sdk.ccm.v1.model.ExportCertificateAuthorityCertificateRequest;
import com.huaweicloud.sdk.ccm.v1.model.ExportCertificateAuthorityCertificateResponse;
import com.huaweicloud.sdk.ccm.v1.model.ShowCertificateAuthorityRequest;
import com.huaweicloud.sdk.ccm.v1.model.ShowCertificateAuthorityResponse;
import com.huaweicloud.sdk.ccm.v1.model.Validity;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;

public class CertificateAuthorityManagerDemo {

    public static void main(String[] args) {
        /*
         * Basic authentication information:
         * - ak: Access Key of the Huawei Cloud account
         * - sk: Secret Access Key of the Huawei Cloud account
         * - domainId: Huawei Cloud account ID, see https://support.huaweicloud.com/productdesc-iam/iam_01_0023.html
         * - ccmEndpoint: endpoint of the Huawei Cloud CCM service (PCA is a microservice under CCM)
         * Hard-coding the AK and SK into source is a serious security risk. Store them encrypted in a
         * configuration file or in environment variables and decrypt them at use time.
         * This sample reads the AK and SK from environment variables: set HUAWEICLOUD_SDK_AK and
         * HUAWEICLOUD_SDK_SK in your local environment before running it.
         */
        String ak = System.getenv("HUAWEICLOUD_SDK_AK");
        String sk = System.getenv("HUAWEICLOUD_SDK_SK");
        String domainId = "";
        String ccmEndpoint = "";

        // 1. Prepare the credentials for accessing Huawei Cloud; PCA is a global service
        final GlobalCredentials auth = new GlobalCredentials()
                .withAk(ak)
                .withSk(sk)
                .withDomainId(domainId);

        // 2. Initialize the SDK with the credentials and the CCM service endpoint
        final CcmClient ccmClient = CcmClient.newBuilder()
                .withCredential(auth)
                .withEndpoint(ccmEndpoint)
                .build();

        // 3. Create the CA
        String caId = createCa(ccmClient);
        if (caId == null) {
            return;
        }

        // 4. Query the CA details
        ShowCertificateAuthorityResponse response = showCa(ccmClient, caId);
        if (response != null) {
            // Print the CA's key algorithm and status
            System.out.println(response.getKeyAlgorithm());
            System.out.println(response.getStatus());
        }

        // 5. Export the CA certificate body
        ExportCertificateAuthorityCertificateResponse resp = exportCa(ccmClient, caId);
        if (resp != null) {
            // Print the certificate body and certificate chain in PEM format; a root CA has no chain (null)
            System.out.println(resp.getCertificate());
            System.out.println(resp.getCertificateChain());
        }
    }

    private static String createCa(CcmClient ccmClient) {
        // 1. Build the request parameters
        // (1) Type of CA certificate to create: ROOT (root CA) or SUBORDINATE (subordinate CA)
        String caType = "ROOT";
        // (2) Certificate key algorithm
        String keyAlgorithm = "RSA2048";
        // (3) Signature hash algorithm
        String signatureAlgorithm = "SHA512";
        /*
         * (4) Certificate validity period
         * - type: unit of time, one of "YEAR", "MONTH", "DAY", "HOUR"
         * - value: number of units
         */
        Validity validity = new Validity();
        validity.setType("YEAR");
        validity.setValue(20);
        /*
         * (5) Distinguished name identifying the CA certificate
         * - organization: organization name
         * - organizationalUnit: department name
         * - country: two-letter country code, e.g. CN for China
         * - state: province/state name
         * - locality: city name
         * - commonName: CA name (CN)
         */
        DistinguishedName subjectInfo = new DistinguishedName();
        subjectInfo.setOrganization("your organization");
        subjectInfo.setOrganizationalUnit("your organizational unit");
        subjectInfo.setCountry("CN");
        subjectInfo.setState("your state");
        subjectInfo.setLocality("your locality");
        subjectInfo.setCommonName("your CA name");
        /*
         * (6) Certificate revocation list (CRL) configuration
         * - enabled: whether CRL publishing is enabled
         * - obsBucketName: OBS bucket used to publish the CRL; the bucket must already be authorized, see
         *   https://support.huaweicloud.com/usermanual-ccm/ccm_01_0016.html
         * - crlName: CRL file name; defaults to the CA ID when omitted
         * - validDays: CRL update period in days
         */
        CrlConfiguration crlConfiguration = new CrlConfiguration();
        crlConfiguration.setEnabled(false);
        crlConfiguration.setObsBucketName("your OBS bucket name");
        crlConfiguration.setCrlName("your CRL file name");
        crlConfiguration.setValidDays(7);
        // (7) Assign the request body attributes
        CreateCertificateAuthorityRequestBody requestBody = new CreateCertificateAuthorityRequestBody();
        requestBody.setType(caType);
        requestBody.setKeyAlgorithm(keyAlgorithm);
        requestBody.setSignatureAlgorithm(signatureAlgorithm);
        requestBody.setValidity(validity);
        requestBody.setDistinguishedName(subjectInfo);
        requestBody.setCrlConfiguration(crlConfiguration);

        // 2. Build the request
        CreateCertificateAuthorityRequest request = new CreateCertificateAuthorityRequest().withBody(requestBody);

        // 3. Send the request
        CreateCertificateAuthorityResponse response;
        try {
            response = ccmClient.createCertificateAuthority(request);
        } catch (Exception e) {
            System.out.println("error info: " + e.getMessage());
            return null;
        }

        // 4. Return the ID of the newly created CA
        return response.getCaId();
    }

    private static ShowCertificateAuthorityResponse showCa(CcmClient ccmClient, String caId) {
        ShowCertificateAuthorityRequest request = new ShowCertificateAuthorityRequest().withCaId(caId);
        try {
            return ccmClient.showCertificateAuthority(request);
        } catch (Exception e) {
            System.out.println("error info: " + e.getMessage());
            return null;
        }
    }

    private static ExportCertificateAuthorityCertificateResponse exportCa(CcmClient ccmClient, String caId) {
        ExportCertificateAuthorityCertificateRequest request = new ExportCertificateAuthorityCertificateRequest()
                .withCaId(caId);
        try {
            return ccmClient.exportCertificateAuthorityCertificate(request);
        } catch (Exception e) {
            System.out.println("error info: " + e.getMessage());
            return null;
        }
    }
}
```

## 5. References

For more information, see the [API Explorer](https://apiexplorer.developer.huaweicloud.com/apiexplorer/doc?product=CCM&api=CreateCertificateAuthority).

## 6. Revision History

| Release Date | Document Version | Description |
| :--------: | :------: | :----------: |
| 2022-12-25 | 1.0 | Initial release |
| 2023-11-14 | 1.1 | Updated credential retrieval and comments |
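The sample in section 4.4 only prints the PEM returned by the export step. The added helper below (written for this page; it is not part of the SDK or this repository) checks that exported PEM against what `createCa()` requested: it is a CA certificate, uses RSA2048 with SHA512withRSA, is currently valid, and is either self-signed (root, chain is null) or signed by an issuer found in the chain. It assumes `resp.getCertificate()` and `resp.getCertificateChain()` were saved to files that are passed as arguments; the names `ExportedCaCheck`, `parsePem` and `check` are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;

// Added helper (not part of the SDK or this repository): verify that the PEM returned by
// exportCertificateAuthorityCertificate() matches what createCa() requested.
public class ExportedCaCheck {

    // Parse one or more concatenated PEM certificate blocks, as returned in the export response
    static List<X509Certificate> parsePem(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)))) {
            out.add((X509Certificate) c);
        }
        return out;
    }

    // certPem = resp.getCertificate(); chainPem = resp.getCertificateChain(), which is null for a root CA
    static void check(String certPem, String chainPem) throws Exception {
        X509Certificate ca = parsePem(certPem).get(0);
        // BasicConstraints CA=true must be present (getBasicConstraints() returns -1 otherwise)
        if (ca.getBasicConstraints() < 0) throw new IllegalStateException("not a CA certificate");
        // The demo requests keyAlgorithm RSA2048 and signatureAlgorithm SHA512
        RSAPublicKey pub = (RSAPublicKey) ca.getPublicKey();
        if (pub.getModulus().bitLength() != 2048 || !"SHA512withRSA".equals(ca.getSigAlgName())) {
            throw new IllegalStateException("unexpected algorithms: " + ca.getSigAlgName());
        }
        ca.checkValidity();                              // throws if not yet valid or expired
        if (chainPem == null) {
            ca.verify(ca.getPublicKey());                // root CA: signature must verify with its own key
        } else {
            X509Certificate issuer = null;               // subordinate CA: locate the issuer by subject name
            for (X509Certificate c : parsePem(chainPem)) {
                if (c.getSubjectX500Principal().equals(ca.getIssuerX500Principal())) issuer = c;
            }
            if (issuer == null) throw new IllegalStateException("issuer not found in chain");
            ca.verify(issuer.getPublicKey());            // signature must verify with the issuer's key
        }
    }

    public static void main(String[] args) throws Exception {   // args: cert.pem [chain.pem]
        String chain = args.length > 1 ? new String(Files.readAllBytes(Paths.get(args[1]))) : null;
        check(new String(Files.readAllBytes(Paths.get(args[0]))), chain);
        System.out.println("CA certificate checks passed");
    }
}
```

Any mismatch surfaces as an exception from `check()`, so the same method can be called directly on the export response inside the demo instead of going through files.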