Viewing docs for TLS v5.3.1
published on Monday, Mar 30, 2026 by Pulumi
published on Monday, Mar 30, 2026 by Pulumi
Viewing docs for TLS v5.3.1
published on Monday, Mar 30, 2026 by Pulumi
published on Monday, Mar 30, 2026 by Pulumi
Creates a TLS certificate in PEM (RFC 1421) format using a Certificate Signing Request (CSR) and signs it with a provided (local) Certificate Authority (CA).
Note Locally-signed certificates are generally only trusted by client software when setup to use the provided CA. They are normally used in development environments or when deployed internally to an organization.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as tls from "@pulumi/tls";
const example = new tls.LocallySignedCert("example", {
certRequestPem: std.file({
input: "cert_request.pem",
}).then(invoke => invoke.result),
caPrivateKeyPem: std.file({
input: "ca_private_key.pem",
}).then(invoke => invoke.result),
caCertPem: std.file({
input: "ca_cert.pem",
}).then(invoke => invoke.result),
validityPeriodHours: 12,
allowedUses: [
"key_encipherment",
"digital_signature",
"server_auth",
],
});
import pulumi
import pulumi_std as std
import pulumi_tls as tls
example = tls.LocallySignedCert("example",
cert_request_pem=std.file(input="cert_request.pem").result,
ca_private_key_pem=std.file(input="ca_private_key.pem").result,
ca_cert_pem=std.file(input="ca_cert.pem").result,
validity_period_hours=12,
allowed_uses=[
"key_encipherment",
"digital_signature",
"server_auth",
])
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-tls/sdk/v5/go/tls"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "cert_request.pem",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "ca_private_key.pem",
}, nil)
if err != nil {
return err
}
invokeFile2, err := std.File(ctx, &std.FileArgs{
Input: "ca_cert.pem",
}, nil)
if err != nil {
return err
}
_, err = tls.NewLocallySignedCert(ctx, "example", &tls.LocallySignedCertArgs{
CertRequestPem: pulumi.String(invokeFile.Result),
CaPrivateKeyPem: pulumi.String(invokeFile1.Result),
CaCertPem: pulumi.String(invokeFile2.Result),
ValidityPeriodHours: pulumi.Int(12),
AllowedUses: pulumi.StringArray{
pulumi.String("key_encipherment"),
pulumi.String("digital_signature"),
pulumi.String("server_auth"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Tls = Pulumi.Tls;
return await Deployment.RunAsync(() =>
{
var example = new Tls.LocallySignedCert("example", new()
{
CertRequestPem = Std.File.Invoke(new()
{
Input = "cert_request.pem",
}).Apply(invoke => invoke.Result),
CaPrivateKeyPem = Std.File.Invoke(new()
{
Input = "ca_private_key.pem",
}).Apply(invoke => invoke.Result),
CaCertPem = Std.File.Invoke(new()
{
Input = "ca_cert.pem",
}).Apply(invoke => invoke.Result),
ValidityPeriodHours = 12,
AllowedUses = new[]
{
"key_encipherment",
"digital_signature",
"server_auth",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.tls.LocallySignedCert;
import com.pulumi.tls.LocallySignedCertArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new LocallySignedCert("example", LocallySignedCertArgs.builder()
.certRequestPem(StdFunctions.file(FileArgs.builder()
.input("cert_request.pem")
.build()).result())
.caPrivateKeyPem(StdFunctions.file(FileArgs.builder()
.input("ca_private_key.pem")
.build()).result())
.caCertPem(StdFunctions.file(FileArgs.builder()
.input("ca_cert.pem")
.build()).result())
.validityPeriodHours(12)
.allowedUses(
"key_encipherment",
"digital_signature",
"server_auth")
.build());
}
}
resources:
example:
type: tls:LocallySignedCert
properties:
certRequestPem:
fn::invoke:
function: std:file
arguments:
input: cert_request.pem
return: result
caPrivateKeyPem:
fn::invoke:
function: std:file
arguments:
input: ca_private_key.pem
return: result
caCertPem:
fn::invoke:
function: std:file
arguments:
input: ca_cert.pem
return: result
validityPeriodHours: 12
allowedUses:
- key_encipherment
- digital_signature
- server_auth
Automatic Renewal
This resource considers its instances to have been deleted after either their validity
periods ends (i.e. beyond the validityPeriodHours)
or the early renewal period is reached (i.e. within the earlyRenewalHours):
when this happens, the readyForRenewal attribute will be true.
At this time, applying the Terraform configuration will cause a new certificate to be
generated for the instance.
Therefore in a development environment with frequent deployments it may be convenient to set a relatively-short expiration time and use early renewal to automatically provision a new certificate when the current one is about to expire.
The creation of a new certificate may of course cause dependent resources to be updated or replaced, depending on the lifecycle rules applying to those resources.
Create LocallySignedCert Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new LocallySignedCert(name: string, args: LocallySignedCertArgs, opts?: CustomResourceOptions);@overload
def LocallySignedCert(resource_name: str,
args: LocallySignedCertArgs,
opts: Optional[ResourceOptions] = None)
@overload
def LocallySignedCert(resource_name: str,
opts: Optional[ResourceOptions] = None,
allowed_uses: Optional[Sequence[str]] = None,
ca_cert_pem: Optional[str] = None,
ca_private_key_pem: Optional[str] = None,
cert_request_pem: Optional[str] = None,
validity_period_hours: Optional[int] = None,
early_renewal_hours: Optional[int] = None,
is_ca_certificate: Optional[bool] = None,
max_path_length: Optional[int] = None,
set_subject_key_id: Optional[bool] = None)func NewLocallySignedCert(ctx *Context, name string, args LocallySignedCertArgs, opts ...ResourceOption) (*LocallySignedCert, error)public LocallySignedCert(string name, LocallySignedCertArgs args, CustomResourceOptions? opts = null)
public LocallySignedCert(String name, LocallySignedCertArgs args)
public LocallySignedCert(String name, LocallySignedCertArgs args, CustomResourceOptions options)
type: tls:LocallySignedCert
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args LocallySignedCertArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args LocallySignedCertArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args LocallySignedCertArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args LocallySignedCertArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args LocallySignedCertArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var locallySignedCertResource = new Tls.Index.LocallySignedCert("locallySignedCertResource", new()
{
AllowedUses = new[]
{
"string",
},
CaCertPem = "string",
CaPrivateKeyPem = "string",
CertRequestPem = "string",
ValidityPeriodHours = 0,
EarlyRenewalHours = 0,
IsCaCertificate = false,
MaxPathLength = 0,
SetSubjectKeyId = false,
});
example, err := tls.NewLocallySignedCert(ctx, "locallySignedCertResource", &tls.LocallySignedCertArgs{
AllowedUses: pulumi.StringArray{
pulumi.String("string"),
},
CaCertPem: pulumi.String("string"),
CaPrivateKeyPem: pulumi.String("string"),
CertRequestPem: pulumi.String("string"),
ValidityPeriodHours: pulumi.Int(0),
EarlyRenewalHours: pulumi.Int(0),
IsCaCertificate: pulumi.Bool(false),
MaxPathLength: pulumi.Int(0),
SetSubjectKeyId: pulumi.Bool(false),
})
var locallySignedCertResource = new LocallySignedCert("locallySignedCertResource", LocallySignedCertArgs.builder()
.allowedUses("string")
.caCertPem("string")
.caPrivateKeyPem("string")
.certRequestPem("string")
.validityPeriodHours(0)
.earlyRenewalHours(0)
.isCaCertificate(false)
.maxPathLength(0)
.setSubjectKeyId(false)
.build());
locally_signed_cert_resource = tls.LocallySignedCert("locallySignedCertResource",
allowed_uses=["string"],
ca_cert_pem="string",
ca_private_key_pem="string",
cert_request_pem="string",
validity_period_hours=0,
early_renewal_hours=0,
is_ca_certificate=False,
max_path_length=0,
set_subject_key_id=False)
const locallySignedCertResource = new tls.LocallySignedCert("locallySignedCertResource", {
allowedUses: ["string"],
caCertPem: "string",
caPrivateKeyPem: "string",
certRequestPem: "string",
validityPeriodHours: 0,
earlyRenewalHours: 0,
isCaCertificate: false,
maxPathLength: 0,
setSubjectKeyId: false,
});
type: tls:LocallySignedCert
properties:
allowedUses:
- string
caCertPem: string
caPrivateKeyPem: string
certRequestPem: string
earlyRenewalHours: 0
isCaCertificate: false
maxPathLength: 0
setSubjectKeyId: false
validityPeriodHours: 0
LocallySignedCert Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The LocallySignedCert resource accepts the following input properties:
- Allowed
Uses List<string> - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - Ca
Cert stringPem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- Ca
Private stringKey Pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- Cert
Request stringPem - Certificate request data in PEM (RFC 1421) format.
- Validity
Period intHours - Number of hours, after initial issuing, that the certificate will remain valid for.
- Early
Renewal intHours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - Is
Ca boolCertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - Max
Path intLength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - Set
Subject boolKey Id - Should the generated certificate include a subject key identifier (default:
false).
- Allowed
Uses []string - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - Ca
Cert stringPem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- Ca
Private stringKey Pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- Cert
Request stringPem - Certificate request data in PEM (RFC 1421) format.
- Validity
Period intHours - Number of hours, after initial issuing, that the certificate will remain valid for.
- Early
Renewal intHours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - Is
Ca boolCertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - Max
Path intLength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - Set
Subject boolKey Id - Should the generated certificate include a subject key identifier (default:
false).
- allowed
Uses List<String> - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - ca
Cert StringPem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- ca
Private StringKey Pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- cert
Request StringPem - Certificate request data in PEM (RFC 1421) format.
- validity
Period IntegerHours - Number of hours, after initial issuing, that the certificate will remain valid for.
- early
Renewal IntegerHours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - is
Ca BooleanCertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - max
Path IntegerLength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - set
Subject BooleanKey Id - Should the generated certificate include a subject key identifier (default:
false).
- allowed
Uses string[] - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - ca
Cert stringPem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- ca
Private stringKey Pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- cert
Request stringPem - Certificate request data in PEM (RFC 1421) format.
- validity
Period numberHours - Number of hours, after initial issuing, that the certificate will remain valid for.
- early
Renewal numberHours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - is
Ca booleanCertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - max
Path numberLength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - set
Subject booleanKey Id - Should the generated certificate include a subject key identifier (default:
false).
- allowed_
uses Sequence[str] - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - ca_
cert_ strpem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- ca_
private_ strkey_ pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- cert_
request_ strpem - Certificate request data in PEM (RFC 1421) format.
- validity_
period_ inthours - Number of hours, after initial issuing, that the certificate will remain valid for.
- early_
renewal_ inthours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - is_
ca_ boolcertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - max_
path_ intlength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - set_
subject_ boolkey_ id - Should the generated certificate include a subject key identifier (default:
false).
- allowed
Uses List<String> - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - ca
Cert StringPem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- ca
Private StringKey Pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- cert
Request StringPem - Certificate request data in PEM (RFC 1421) format.
- validity
Period NumberHours - Number of hours, after initial issuing, that the certificate will remain valid for.
- early
Renewal NumberHours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - is
Ca BooleanCertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - max
Path NumberLength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - set
Subject BooleanKey Id - Should the generated certificate include a subject key identifier (default:
false).
Outputs
All input properties are implicitly available as output properties. Additionally, the LocallySignedCert resource produces the following output properties:
- Ca
Key stringAlgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - Cert
Pem string - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - Id string
- The provider-assigned unique ID for this managed resource.
- Ready
For boolRenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - Validity
End stringTime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- Validity
Start stringTime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
- Ca
Key stringAlgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - Cert
Pem string - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - Id string
- The provider-assigned unique ID for this managed resource.
- Ready
For boolRenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - Validity
End stringTime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- Validity
Start stringTime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
- ca
Key StringAlgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - cert
Pem String - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - id String
- The provider-assigned unique ID for this managed resource.
- ready
For BooleanRenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - validity
End StringTime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- validity
Start StringTime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
- ca
Key stringAlgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - cert
Pem string - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - id string
- The provider-assigned unique ID for this managed resource.
- ready
For booleanRenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - validity
End stringTime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- validity
Start stringTime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
- ca_
key_ stralgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - cert_
pem str - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - id str
- The provider-assigned unique ID for this managed resource.
- ready_
for_ boolrenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - validity_
end_ strtime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- validity_
start_ strtime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
- ca
Key StringAlgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - cert
Pem String - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - id String
- The provider-assigned unique ID for this managed resource.
- ready
For BooleanRenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - validity
End StringTime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- validity
Start StringTime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
Look up Existing LocallySignedCert Resource
Get an existing LocallySignedCert resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: LocallySignedCertState, opts?: CustomResourceOptions): LocallySignedCert@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allowed_uses: Optional[Sequence[str]] = None,
ca_cert_pem: Optional[str] = None,
ca_key_algorithm: Optional[str] = None,
ca_private_key_pem: Optional[str] = None,
cert_pem: Optional[str] = None,
cert_request_pem: Optional[str] = None,
early_renewal_hours: Optional[int] = None,
is_ca_certificate: Optional[bool] = None,
max_path_length: Optional[int] = None,
ready_for_renewal: Optional[bool] = None,
set_subject_key_id: Optional[bool] = None,
validity_end_time: Optional[str] = None,
validity_period_hours: Optional[int] = None,
validity_start_time: Optional[str] = None) -> LocallySignedCertfunc GetLocallySignedCert(ctx *Context, name string, id IDInput, state *LocallySignedCertState, opts ...ResourceOption) (*LocallySignedCert, error)public static LocallySignedCert Get(string name, Input<string> id, LocallySignedCertState? state, CustomResourceOptions? opts = null)public static LocallySignedCert get(String name, Output<String> id, LocallySignedCertState state, CustomResourceOptions options)resources: _: type: tls:LocallySignedCert get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Allowed
Uses List<string> - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - Ca
Cert stringPem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- Ca
Key stringAlgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - Ca
Private stringKey Pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- Cert
Pem string - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - Cert
Request stringPem - Certificate request data in PEM (RFC 1421) format.
- Early
Renewal intHours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - Is
Ca boolCertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - Max
Path intLength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - Ready
For boolRenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - Set
Subject boolKey Id - Should the generated certificate include a subject key identifier (default:
false). - Validity
End stringTime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- Validity
Period intHours - Number of hours, after initial issuing, that the certificate will remain valid for.
- Validity
Start stringTime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
- Allowed
Uses []string - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - Ca
Cert stringPem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- Ca
Key stringAlgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - Ca
Private stringKey Pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- Cert
Pem string - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - Cert
Request stringPem - Certificate request data in PEM (RFC 1421) format.
- Early
Renewal intHours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - Is
Ca boolCertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - Max
Path intLength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - Ready
For boolRenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - Set
Subject boolKey Id - Should the generated certificate include a subject key identifier (default:
false). - Validity
End stringTime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- Validity
Period intHours - Number of hours, after initial issuing, that the certificate will remain valid for.
- Validity
Start stringTime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
- allowed
Uses List<String> - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - ca
Cert StringPem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- ca
Key StringAlgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - ca
Private StringKey Pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- cert
Pem String - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - cert
Request StringPem - Certificate request data in PEM (RFC 1421) format.
- early
Renewal IntegerHours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - is
Ca BooleanCertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - max
Path IntegerLength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - ready
For BooleanRenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - set
Subject BooleanKey Id - Should the generated certificate include a subject key identifier (default:
false). - validity
End StringTime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- validity
Period IntegerHours - Number of hours, after initial issuing, that the certificate will remain valid for.
- validity
Start StringTime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
- allowed
Uses string[] - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - ca
Cert stringPem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- ca
Key stringAlgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - ca
Private stringKey Pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- cert
Pem string - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - cert
Request stringPem - Certificate request data in PEM (RFC 1421) format.
- early
Renewal numberHours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - is
Ca booleanCertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - max
Path numberLength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - ready
For booleanRenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - set
Subject booleanKey Id - Should the generated certificate include a subject key identifier (default:
false). - validity
End stringTime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- validity
Period numberHours - Number of hours, after initial issuing, that the certificate will remain valid for.
- validity
Start stringTime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
- allowed_
uses Sequence[str] - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - ca_
cert_ strpem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- ca_
key_ stralgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - ca_
private_ strkey_ pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- cert_
pem str - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - cert_
request_ strpem - Certificate request data in PEM (RFC 1421) format.
- early_
renewal_ inthours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - is_
ca_ boolcertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - max_
path_ intlength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - ready_
for_ boolrenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - set_
subject_ boolkey_ id - Should the generated certificate include a subject key identifier (default:
false). - validity_
end_ strtime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- validity_
period_ inthours - Number of hours, after initial issuing, that the certificate will remain valid for.
- validity_
start_ strtime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
- allowed
Uses List<String> - List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values:
anyExtended,certSigning,clientAuth,codeSigning,contentCommitment,crlSigning,dataEncipherment,decipherOnly,digitalSignature,emailProtection,encipherOnly,ipsecEndSystem,ipsecTunnel,ipsecUser,keyAgreement,keyEncipherment,microsoftCommercialCodeSigning,microsoftKernelCodeSigning,microsoftServerGatedCrypto,netscapeServerGatedCrypto,ocspSigning,serverAuth,timestamping. - ca
Cert StringPem - Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.
- ca
Key StringAlgorithm - Name of the algorithm used when generating the private key provided in
caPrivateKeyPem. - ca
Private StringKey Pem - Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.
- cert
Pem String - Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - cert
Request StringPem - Certificate request data in PEM (RFC 1421) format.
- early
Renewal NumberHours - The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default:
0) - is
Ca BooleanCertificate - Is the generated certificate representing a Certificate Authority (CA) (default:
false). - max
Path NumberLength - Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If
isCaCertificateisfalse, this value is ignored. - ready
For BooleanRenewal - Is the certificate either expired (i.e. beyond the
validityPeriodHours) or ready for an early renewal (i.e. within theearlyRenewalHours)? - set
Subject BooleanKey Id - Should the generated certificate include a subject key identifier (default:
false). - validity
End StringTime - The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
- validity
Period NumberHours - Number of hours, after initial issuing, that the certificate will remain valid for.
- validity
Start StringTime - The time after which the certificate is valid, expressed as an RFC3339 timestamp.
Package Details
- Repository
- TLS pulumi/pulumi-tls
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
tlsTerraform Provider.
Viewing docs for TLS v5.3.1
published on Monday, Mar 30, 2026 by Pulumi
published on Monday, Mar 30, 2026 by Pulumi
