4.开始使用
4.1 导入依赖模块
Copied!
from huaweicloudsdkccm.v1 import CcmClient, model, CreateCertificateRequestBody, CreateCertificateRequest, \
SubjectAlternativeName
from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkcore.http.http_config import HttpConfig
import os
4.2 初始化认证信息
Copied!
config = HttpConfig.get_default_config()
config.ignore_ssl_verification = True
credentials = GlobalCredentials(ak, sk, domain_id)
4.3 初始化云证书管理服务客户端
Copied!
ccm_client = CcmClient.new_builder()\
.with_http_config(config)\
.with_credentials(credentials)\
.with_endpoint(ccm_endpoint)\
.build()
4.4 示例代码
Copied!
from huaweicloudsdkccm.v1 import CcmClient, model, CreateCertificateRequestBody, CreateCertificateRequest, \
SubjectAlternativeName
from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkcore.http.http_config import HttpConfig
def create_cert(client):
issuer_id = "b29cc3f9-4c6e-4ddc-85e3-67799df97038"
key_algorithm = "RSA2048"
signature_algorithm = "SHA512"
validity = model.Validity(type="YEAR", value=1)
subject_info = model.CertDistinguishedName(
organization="your organization",
organizational_unit="your unit",
country="CN",
state="your state",
locality="your locality",
common_name="common name")
key_usages = ["digitalSignature", "keyAgreement"]
alter_name_dns = SubjectAlternativeName(type="DNS", value="*.example.com")
alter_name_ip = SubjectAlternativeName(type="IP", value="192.168.9.1")
alter_name_email = SubjectAlternativeName(type="EMAIL", value="yourEmail")
subject_alternative_names = [alter_name_dns, alter_name_ip, alter_name_email]
extended_key_usage = model.ExtendedKeyUsage(server_auth=True, client_auth=True)
request_body = CreateCertificateRequestBody(
issuer_id=issuer_id,
key_algorithm=key_algorithm,
signature_algorithm=signature_algorithm,
validity=validity,
distinguished_name=subject_info,
key_usages=key_usages,
subject_alternative_names=subject_alternative_names,
extended_key_usage=extended_key_usage
)
try:
request = CreateCertificateRequest(request_body)
response = client.create_certificate(request=request)
print(response)
except exceptions.ClientRequestException as e:
print(e.status_code)
print(e.error_code)
print(e.error_msg)
if __name__ == "__main__":
ak = os.environ["HUAWEICLOUD_SDK_AK"]
sk = os.environ["HUAWEICLOUD_SDK_SK"]
domain_id = "your domainId"
ccm_endpoint = "ccm endpoint"
config = HttpConfig.get_default_config()
config.ignore_ssl_verification = True
credentials = GlobalCredentials(ak, sk, domain_id)
ccm_client = CcmClient.new_builder() \
.with_http_config(config) \
.with_credentials(credentials) \
.with_endpoint(ccm_endpoint) \
.build()
create_cert(ccm_client)
1.简介
本示例基于华为云SDK V3.0版本开发,华为云提供了CCM服务端SDK,您可以直接集成服务端SDK来调用CCM的相关API,从而实现对CCM的快速操作。 该示例展示如何通过CCM服务创建终端实体证书。
2.开发前准备
3.安装sdk
使用服务端SDK前,您需要安装ccm的SDK包,具体的SDK版本号请参见 SDK开发中心 。
4.开始使用
4.1 导入依赖模块
from huaweicloudsdkccm.v1 import CcmClient, model, CreateCertificateRequestBody, CreateCertificateRequest, \ SubjectAlternativeName from huaweicloudsdkcore.auth.credentials import GlobalCredentials from huaweicloudsdkcore.exceptions import exceptions from huaweicloudsdkcore.http.http_config import HttpConfig import os4.2 初始化认证信息
# 1.准备访问华为云的认证信息,PCA为全局服务 config = HttpConfig.get_default_config() # 可选择是否校验证书 config.ignore_ssl_verification = True credentials = GlobalCredentials(ak, sk, domain_id)4.3 初始化云证书管理服务客户端
# 2.初始化SDK,传入认证信息及CCM服务的访问终端地址 ccm_client = CcmClient.new_builder()\ .with_http_config(config)\ .with_credentials(credentials)\ .with_endpoint(ccm_endpoint)\ .build()4.4 示例代码
# coding: utf-8 from huaweicloudsdkccm.v1 import CcmClient, model, CreateCertificateRequestBody, CreateCertificateRequest, \ SubjectAlternativeName from huaweicloudsdkcore.auth.credentials import GlobalCredentials from huaweicloudsdkcore.exceptions import exceptions from huaweicloudsdkcore.http.http_config import HttpConfig def create_cert(client): # 组装请求体 # (1)签发CA的Id issuer_id = "b29cc3f9-4c6e-4ddc-85e3-67799df97038" # (2)证书密钥算法 key_algorithm = "RSA2048" # (3)签名哈希算法 signature_algorithm = "SHA512" # (4)证书有效期定义 # - type: 时间类型,可选:"YEAR"、"MONTH"、”DAY“、"HOUR" # - value: 对应的值 validity = model.Validity(type="YEAR", value=1) # (5)定义CA证书的唯一标识信息 # - organization: 组织名称 # - organizationalUnit: 部门名称 # - country: 国家缩写,仅限两个字符,如中国 - CN # - state: 省市名称 # - locality: 城市名称 # - commonName: 域名或者IP(CN) subject_info = model.CertDistinguishedName( organization="your organization", organizational_unit="your unit", country="CN", state="your state", locality="your locality", common_name="common name") # (6)密钥用法,服务器证书通常只赋予keyAgreement与digitalSignature,为可选值 # - digitalSignature: 数字签名; # - nonRepudiation: 不可抵赖; # - keyEncipherment: 密钥用于加密密钥数据; # - dataEncipherment: 用于加密数据; # - keyAgreement: 密钥协商; # - keyCertSign: 签发证书; # - cRLSign: 签发吊销列表; # - encipherOnly: 仅用于加密; # - decipherOnly: 仅用于解密。 key_usages = ["digitalSignature", "keyAgreement"] # (7)主体备用名称: 暂时支持DNS、IP、URI与EMAIL,为可选值 # SubjectAlternativeName: # type:类型 # value:对应值 alter_name_dns = SubjectAlternativeName(type="DNS", value="*.example.com") alter_name_ip = SubjectAlternativeName(type="IP", value="192.168.9.1") alter_name_email = SubjectAlternativeName(type="EMAIL", value="yourEmail") subject_alternative_names = [alter_name_dns, alter_name_ip, alter_name_email] # (8)增强型密钥用法: # - server_auth: 服务器身份验证,OID为:1.3.6.1.5.5.7.3.1,默认false # - client_auth: 客户端身份验证,OID为:1.3.6.1.5.5.7.3.2,默认false # - code_signing: 代码签名,OID为:1.3.6.1.5.5.7.3.3,默认false # - email_protection: 安全电子邮件,OID为:1.3.6.1.5.5.7.3.4,默认false # - time_stamping: 时间戳,OID为:1.3.6.1.5.5.7.3.8,默认false extended_key_usage = model.ExtendedKeyUsage(server_auth=True, client_auth=True) # (9)请求体各属性赋值 request_body = CreateCertificateRequestBody( issuer_id=issuer_id, key_algorithm=key_algorithm, signature_algorithm=signature_algorithm, validity=validity, distinguished_name=subject_info, key_usages=key_usages, subject_alternative_names=subject_alternative_names, extended_key_usage=extended_key_usage ) try: request = CreateCertificateRequest(request_body) response = client.create_certificate(request=request) print(response) except exceptions.ClientRequestException as e: print(e.status_code) print(e.error_code) print(e.error_msg) if __name__ == "__main__": # 1.基础认证信息: # ak: 华为云账号Access Key # sk: 华为云账号Secret Access Key # domain_id: 租户账号ID # ccm_endpoint: 华为云CCM服务(PCA属于CCM下的微服务)的访问终端地址 # 认证用的ak和sk直接写到代码中有很大的安全风险,建议在配置文件或者环境变量中密文存放,使用时解密,确保安全; # 本示例以ak和sk保存在环境变量中来实现身份验证为例,运行本示例前请先在本地环境中设置环境变量HUAWEICLOUD_SDK_AK和HUAWEICLOUD_SDK_SK。 ak = os.environ["HUAWEICLOUD_SDK_AK"] sk = os.environ["HUAWEICLOUD_SDK_SK"] domain_id = "your domainId" ccm_endpoint = "ccm endpoint" # 1.准备访问华为云的认证信息,PCA为全局服务 config = HttpConfig.get_default_config() # 可选择是否校验证书 config.ignore_ssl_verification = True credentials = GlobalCredentials(ak, sk, domain_id) # 2.初始化SDK,传入认证信息及CCM服务的访问终端地址 ccm_client = CcmClient.new_builder() \ .with_http_config(config) \ .with_credentials(credentials) \ .with_endpoint(ccm_endpoint) \ .build() # 申请证书 create_cert(ccm_client)5.参考
更多信息请参考API Explorer
6.修订记录