# Certificate Management Development

> **NOTE**
>
> The SDK of API version 11 or later must be used.

## Scenarios

**Typical scenarios**

- Install an application certificate and its private credential.

- Obtain the application certificate and private credential.

- Perform signing and signature verification using an application certificate and its private credential.

- Uninstall an application certificate and its private credential.

Before you get started, you need to know the combinations of the algorithm and the signing/signature verification parameters supported by certificate management.

Credential installation, signing, and signature verification in certificate management depend on [HUKS](../UniversalKeystoreKit/huks-overview.md). The algorithms supported by certificate management are a subset of those supported by HUKS. Currently, only private credentials using the RSA or ECC algorithm can be installed and used. For details about the parameter combinations supported by signing and signature verification, see the description of RSA and ECC in [Signing and Signature Verification Overview and Algorithm Specifications](../UniversalKeystoreKit/huks-signing-signature-verification-overview.md).


## Available APIs

For details about the APIs, see [Certificate Management](../../reference/apis-device-certificate-kit/js-apis-certManager.md).

The following table describes the APIs used in the typical scenarios mentioned above.

| Instance | API | Description |
| --------------- | ------------------------------------------------------------ | -------------------------------------------- |
| certificateManager | installPrivateCertificate(keystore: Uint8Array, keystorePwd: string, certAlias: string, callback: AsyncCallback\<CMResult>) : void | Installs a private credential. This API uses an asynchronous callback to return the result. |
| certificateManager | installPrivateCertificate(keystore: Uint8Array, keystorePwd: string, certAlias: string) : Promise\<CMResult> | Installs a private credential. This API uses a promise to return the result. |
| certificateManager | getPrivateCertificate(keyUri: string, callback: AsyncCallback\<CMResult>) : void | Obtains a private credential. This API uses an asynchronous callback to return the result. |
| certificateManager | getPrivateCertificate(keyUri: string) : Promise\<CMResult> | Obtains a private credential. This API uses a promise to return the result. |
| certificateManager | uninstallPrivateCertificate(keyUri: string, callback: AsyncCallback\<void>) : void | Uninstalls a private credential. This API uses an asynchronous callback to return the result. |
| certificateManager | uninstallPrivateCertificate(keyUri: string) : Promise\<void> | Uninstalls a private credential. This API uses a promise to return the result. |
| certificateManager | init(authUri: string, spec: CMSignatureSpec, callback: AsyncCallback\<CMHandle>) : void | Initializes the signing or signature verification operation. This API uses an asynchronous callback to return the result. |
| certificateManager | init(authUri: string, spec: CMSignatureSpec) : Promise\<CMHandle> | Initializes the signing or signature verification operation. This API uses a promise to return the result. |
| certificateManager | update(handle: Uint8Array, data: Uint8Array, callback: AsyncCallback\<void>) : void | Updates the data to be signed or verified. This API uses an asynchronous callback to return the result. |
| certificateManager | update(handle: Uint8Array, data: Uint8Array) : Promise\<void> | Updates the data to be signed or verified. This API uses a promise to return the result. |
| certificateManager | finish(handle: Uint8Array, callback: AsyncCallback\<CMResult>) : void | Finishes the signing operation. This API uses an asynchronous callback to return the result. |
| certificateManager | finish(handle: Uint8Array, signature: Uint8Array, callback: AsyncCallback\<CMResult>) : void | Finishes the signing operation. This API uses an asynchronous callback to return the result. |
| certificateManager | finish(handle: Uint8Array, signature?: Uint8Array) : Promise\<CMResult> | Finishes the signing or signature verification operation. This API uses a promise to return the result. |
| certificateManager | abort(handle: Uint8Array, callback: AsyncCallback\<void>) : void | Aborts the signing or signature verification operation. This API uses an asynchronous callback to return the result. |
| certificateManager | abort(handle: Uint8Array) : Promise\<void> | Aborts the signing or signature verification operation. This API uses a promise to return the result. |

## How to Develop

1. Request permissions.<br> To call **certManager** APIs, declare the ohos.permission.ACCESS_CERT_MANAGER permission in the **requestPermissions** field in the **module.json5** file. For more information, see [module.json5](../../quick-start/module-configuration-file.md).

2. Import modules.

   ```ts
   import { certificateManager } from '@kit.DeviceCertificateKit';
   import { BusinessError } from '@kit.BasicServicesKit';
   ```
3. Install a private credential, obtain the private credential, and use it to sign and verify data. Then, uninstall the private credential.

   ```ts
   async function certificateManagerSample() {
     /* The data of the credential to be installed must be assigned based on the service. The data in this example is not the real credential data. */
     let keystore: Uint8Array = new Uint8Array([
       0x30, 0x82, 0x04, 0x6a, 0x02, 0x01,
     ]);

     /* Keystore password of the credential to be installed. Example value only; do not hard-code a real password. */
     let keystorePwd: string = '123456';
     let appKeyUri: string = '';
     try {
       /* Install a private credential. */
       const res = await certificateManager.installPrivateCertificate(keystore, keystorePwd, "testPriCredential");
       appKeyUri = (res.uri != undefined) ? res.uri : '';
     } catch (err) {
       let e: BusinessError = err as BusinessError;
       console.error(`Failed to install private certificate. Code: ${e.code}, message: ${e.message}`);
       /* Without an installed credential there is no key URI to sign with or to uninstall. */
       return;
     }

     try {
       /* srcData is the data to be signed and verified. */
       let srcData: Uint8Array = new Uint8Array([
         0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01,
       ]);

       /* Construct the parameters used for signing. */
       const signSpec: certificateManager.CMSignatureSpec = {
         purpose: certificateManager.CmKeyPurpose.CM_KEY_PURPOSE_SIGN,
         padding: certificateManager.CmKeyPadding.CM_PADDING_PSS,
         digest: certificateManager.CmKeyDigest.CM_DIGEST_SHA256
       };

       /* Generate a signature. */
       const signHandle: certificateManager.CMHandle = await certificateManager.init(appKeyUri, signSpec);
       await certificateManager.update(signHandle.handle, srcData);
       const signResult: certificateManager.CMResult = await certificateManager.finish(signHandle.handle);

       /* Construct the parameters for signature verification. */
       const verifySpec: certificateManager.CMSignatureSpec = {
         purpose: certificateManager.CmKeyPurpose.CM_KEY_PURPOSE_VERIFY,
         padding: certificateManager.CmKeyPadding.CM_PADDING_PSS,
         digest: certificateManager.CmKeyDigest.CM_DIGEST_SHA256
       };

       /* Verify the signature. */
       const verifyHandle: certificateManager.CMHandle = await certificateManager.init(appKeyUri, verifySpec);
       await certificateManager.update(verifyHandle.handle, srcData);
       const verifyResult = await certificateManager.finish(verifyHandle.handle, signResult.outData);
       console.info('Succeeded in signing and verifying.');
     } catch (err) {
       let e: BusinessError = err as BusinessError;
       console.error(`Failed to sign or verify. Code: ${e.code}, message: ${e.message}`);
     }

     try {
       /* Uninstall a private credential. */
       await certificateManager.uninstallPrivateCertificate(appKeyUri);
     } catch (err) {
       let e: BusinessError = err as BusinessError;
       console.error(`Failed to uninstall private certificate. Code: ${e.code}, message: ${e.message}`);
     }
   }
   ```
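
The sample above never calls `abort`. The following added example (not part of the original guide or of the kit) wraps the init/update/finish sequence so that any failure after `init` aborts the handle and an empty key URI is rejected before a session is opened. `CertSession`, `runSession` and `makeFake` are hypothetical names, the in-memory fake stands in for `certificateManager` so the flow runs off-device, and the code assumes a handle may still be open after a failed `update` or `finish`.

```typescript
// Added example. Minimal stand-ins for the promise-style APIs in the table
// above; CertSession, runSession and makeFake are hypothetical names.
interface Handle { handle: Uint8Array }
interface Result { outData?: Uint8Array }
interface CertSession<Spec> {
  init(authUri: string, spec: Spec): Promise<Handle>;
  update(handle: Uint8Array, data: Uint8Array): Promise<void>;
  finish(handle: Uint8Array, signature?: Uint8Array): Promise<Result>;
  abort(handle: Uint8Array): Promise<void>;
}

// init -> update (chunked) -> finish; pass `signature` to verify instead of sign.
// Any failure after init aborts the handle before the error is rethrown.
async function runSession<Spec>(cm: CertSession<Spec>, keyUri: string, spec: Spec,
    data: Uint8Array, chunkSize: number, signature?: Uint8Array): Promise<Result> {
  if (keyUri.length === 0) {
    throw new Error('empty key URI: credential was not installed');
  }
  const step = Math.floor(chunkSize);
  if (!(step >= 1)) { throw new Error('chunkSize must be at least 1'); }
  const { handle } = await cm.init(keyUri, spec);
  try {
    for (let off = 0; off < data.length; off += step) {
      await cm.update(handle, data.subarray(off, off + step));
    }
    return await cm.finish(handle, signature);
  } catch (err) {
    // Best-effort cleanup; the caller needs the original error, not abort's.
    await cm.abort(handle).catch(() => undefined);
    throw err;
  }
}

// Constructed in-memory fake (not the kit): records calls, fails on the Nth update.
function makeFake(failOnUpdate: number = 0) {
  const calls: string[] = [];
  let updates = 0;
  const cm: CertSession<string> = {
    init: async () => { calls.push('init'); return { handle: new Uint8Array([1]) }; },
    update: async (_h, d) => {
      updates += 1;
      if (updates === failOnUpdate) { throw new Error('update failed'); }
      calls.push(`update:${d.length}`);
    },
    finish: async (_h, sig) => { calls.push(sig ? 'verify' : 'sign'); return { outData: new Uint8Array([0xaa]) }; },
    abort: async () => { calls.push('abort'); },
  };
  return { cm, calls };
}
```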