PrivateKey

TLS v5.3.1, Mar 30 26

Viewing docs for TLS v5.3.1
published on Monday, Mar 30, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-tls

Viewing docs for TLS v5.3.1
published on Monday, Mar 30, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-tls

Security Notice The private key generated by this resource will be stored unencrypted in your Terraform state file. Use of this resource for production deployments is not recommended. Instead, generate a private key file outside of Terraform and distribute it securely to the system where Terraform will be run.

This is a logical resource, so it contributes only to the current Terraform state and does not create any external managed resources.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as tls from "@pulumi/tls";

// ECDSA key with P384 elliptic curve
const ecdsa_p384_example = new tls.PrivateKey("ecdsa-p384-example", {
    algorithm: "ECDSA",
    ecdsaCurve: "P384",
});
// RSA key of size 4096 bits
const rsa_4096_example = new tls.PrivateKey("rsa-4096-example", {
    algorithm: "RSA",
    rsaBits: 4096,
});
// ED25519 key
const ed25519_example = new tls.PrivateKey("ed25519-example", {algorithm: "ED25519"});

import pulumi
import pulumi_tls as tls

# ECDSA key with P384 elliptic curve
ecdsa_p384_example = tls.PrivateKey("ecdsa-p384-example",
    algorithm="ECDSA",
    ecdsa_curve="P384")
# RSA key of size 4096 bits
rsa_4096_example = tls.PrivateKey("rsa-4096-example",
    algorithm="RSA",
    rsa_bits=4096)
# ED25519 key
ed25519_example = tls.PrivateKey("ed25519-example", algorithm="ED25519")

package main

import (
	"github.com/pulumi/pulumi-tls/sdk/v5/go/tls"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// ECDSA key with P384 elliptic curve
		_, err := tls.NewPrivateKey(ctx, "ecdsa-p384-example", &tls.PrivateKeyArgs{
			Algorithm:  pulumi.String("ECDSA"),
			EcdsaCurve: pulumi.String("P384"),
		})
		if err != nil {
			return err
		}
		// RSA key of size 4096 bits
		_, err = tls.NewPrivateKey(ctx, "rsa-4096-example", &tls.PrivateKeyArgs{
			Algorithm: pulumi.String("RSA"),
			RsaBits:   pulumi.Int(4096),
		})
		if err != nil {
			return err
		}
		// ED25519 key
		_, err = tls.NewPrivateKey(ctx, "ed25519-example", &tls.PrivateKeyArgs{
			Algorithm: pulumi.String("ED25519"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Tls = Pulumi.Tls;

return await Deployment.RunAsync(() => 
{
    // ECDSA key with P384 elliptic curve
    var ecdsa_p384_example = new Tls.PrivateKey("ecdsa-p384-example", new()
    {
        Algorithm = "ECDSA",
        EcdsaCurve = "P384",
    });

    // RSA key of size 4096 bits
    var rsa_4096_example = new Tls.PrivateKey("rsa-4096-example", new()
    {
        Algorithm = "RSA",
        RsaBits = 4096,
    });

    // ED25519 key
    var ed25519_example = new Tls.PrivateKey("ed25519-example", new()
    {
        Algorithm = "ED25519",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.tls.PrivateKey;
import com.pulumi.tls.PrivateKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // ECDSA key with P384 elliptic curve
        var ecdsa_p384_example = new PrivateKey("ecdsa-p384-example", PrivateKeyArgs.builder()
            .algorithm("ECDSA")
            .ecdsaCurve("P384")
            .build());

        // RSA key of size 4096 bits
        var rsa_4096_example = new PrivateKey("rsa-4096-example", PrivateKeyArgs.builder()
            .algorithm("RSA")
            .rsaBits(4096)
            .build());

        // ED25519 key
        var ed25519_example = new PrivateKey("ed25519-example", PrivateKeyArgs.builder()
            .algorithm("ED25519")
            .build());

    }
}

resources:
  # ECDSA key with P384 elliptic curve
  ecdsa-p384-example:
    type: tls:PrivateKey
    properties:
      algorithm: ECDSA
      ecdsaCurve: P384
  # RSA key of size 4096 bits
  rsa-4096-example:
    type: tls:PrivateKey
    properties:
      algorithm: RSA
      rsaBits: 4096
  # ED25519 key
  ed25519-example:
    type: tls:PrivateKey
    properties:
      algorithm: ED25519

Generating a New Key

Since a private key is a logical resource that lives only in the Terraform state, it will persist until it is explicitly destroyed by the user.

In order to force the generation of a new key within an existing state, the private key instance can be “tainted”:

terraform taint tls_private_key.example

A new key will then be generated on the next pulumi up.

Create PrivateKey Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new PrivateKey(name: string, args: PrivateKeyArgs, opts?: CustomResourceOptions);

@overload
def PrivateKey(resource_name: str,
               args: PrivateKeyArgs,
               opts: Optional[ResourceOptions] = None)

@overload
def PrivateKey(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               algorithm: Optional[str] = None,
               ecdsa_curve: Optional[str] = None,
               rsa_bits: Optional[int] = None)

func NewPrivateKey(ctx *Context, name string, args PrivateKeyArgs, opts ...ResourceOption) (*PrivateKey, error)

public PrivateKey(string name, PrivateKeyArgs args, CustomResourceOptions? opts = null)

public PrivateKey(String name, PrivateKeyArgs args)
public PrivateKey(String name, PrivateKeyArgs args, CustomResourceOptions options)

type: tls:PrivateKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args PrivateKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args PrivateKeyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args PrivateKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args PrivateKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args PrivateKeyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var privateKeyResource = new Tls.Index.PrivateKey("privateKeyResource", new()
{
    Algorithm = "string",
    EcdsaCurve = "string",
    RsaBits = 0,
});

example, err := tls.NewPrivateKey(ctx, "privateKeyResource", &tls.PrivateKeyArgs{
	Algorithm:  pulumi.String("string"),
	EcdsaCurve: pulumi.String("string"),
	RsaBits:    pulumi.Int(0),
})

var privateKeyResource = new PrivateKey("privateKeyResource", PrivateKeyArgs.builder()
    .algorithm("string")
    .ecdsaCurve("string")
    .rsaBits(0)
    .build());

private_key_resource = tls.PrivateKey("privateKeyResource",
    algorithm="string",
    ecdsa_curve="string",
    rsa_bits=0)

const privateKeyResource = new tls.PrivateKey("privateKeyResource", {
    algorithm: "string",
    ecdsaCurve: "string",
    rsaBits: 0,
});

type: tls:PrivateKey
properties:
    algorithm: string
    ecdsaCurve: string
    rsaBits: 0

PrivateKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The PrivateKey resource accepts the following input properties:

Algorithm string: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
EcdsaCurve string: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
RsaBits int: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

Algorithm string: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
EcdsaCurve string: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
RsaBits int: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

algorithm String: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
ecdsaCurve String: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
rsaBits Integer: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

algorithm string: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
ecdsaCurve string: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
rsaBits number: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

algorithm str: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
ecdsa_curve str: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
rsa_bits int: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

algorithm String: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
ecdsaCurve String: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
rsaBits Number: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

Outputs

All input properties are implicitly available as output properties. Additionally, the PrivateKey resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
PrivateKeyOpenssh string: Private key data in OpenSSH PEM (RFC 4716) format.
PrivateKeyPem string: Private key data in PEM (RFC 1421) format.
PrivateKeyPemPkcs8 string: Private key data in PKCS#8 PEM (RFC 5208) format.
PublicKeyFingerprintMd5 string: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
PublicKeyFingerprintSha256 string: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
PublicKeyOpenssh string: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
PublicKeyPem string: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().

Id string: The provider-assigned unique ID for this managed resource.
PrivateKeyOpenssh string: Private key data in OpenSSH PEM (RFC 4716) format.
PrivateKeyPem string: Private key data in PEM (RFC 1421) format.
PrivateKeyPemPkcs8 string: Private key data in PKCS#8 PEM (RFC 5208) format.
PublicKeyFingerprintMd5 string: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
PublicKeyFingerprintSha256 string: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
PublicKeyOpenssh string: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
PublicKeyPem string: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().

id String: The provider-assigned unique ID for this managed resource.
privateKeyOpenssh String: Private key data in OpenSSH PEM (RFC 4716) format.
privateKeyPem String: Private key data in PEM (RFC 1421) format.
privateKeyPemPkcs8 String: Private key data in PKCS#8 PEM (RFC 5208) format.
publicKeyFingerprintMd5 String: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyFingerprintSha256 String: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyOpenssh String: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
publicKeyPem String: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().

id string: The provider-assigned unique ID for this managed resource.
privateKeyOpenssh string: Private key data in OpenSSH PEM (RFC 4716) format.
privateKeyPem string: Private key data in PEM (RFC 1421) format.
privateKeyPemPkcs8 string: Private key data in PKCS#8 PEM (RFC 5208) format.
publicKeyFingerprintMd5 string: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyFingerprintSha256 string: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyOpenssh string: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
publicKeyPem string: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().

id str: The provider-assigned unique ID for this managed resource.
private_key_openssh str: Private key data in OpenSSH PEM (RFC 4716) format.
private_key_pem str: Private key data in PEM (RFC 1421) format.
private_key_pem_pkcs8 str: Private key data in PKCS#8 PEM (RFC 5208) format.
public_key_fingerprint_md5 str: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
public_key_fingerprint_sha256 str: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
public_key_openssh str: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
public_key_pem str: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().

id String: The provider-assigned unique ID for this managed resource.
privateKeyOpenssh String: Private key data in OpenSSH PEM (RFC 4716) format.
privateKeyPem String: Private key data in PEM (RFC 1421) format.
privateKeyPemPkcs8 String: Private key data in PKCS#8 PEM (RFC 5208) format.
publicKeyFingerprintMd5 String: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyFingerprintSha256 String: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyOpenssh String: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
publicKeyPem String: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().

Look up Existing PrivateKey Resource

Get an existing PrivateKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: PrivateKeyState, opts?: CustomResourceOptions): PrivateKey

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        algorithm: Optional[str] = None,
        ecdsa_curve: Optional[str] = None,
        private_key_openssh: Optional[str] = None,
        private_key_pem: Optional[str] = None,
        private_key_pem_pkcs8: Optional[str] = None,
        public_key_fingerprint_md5: Optional[str] = None,
        public_key_fingerprint_sha256: Optional[str] = None,
        public_key_openssh: Optional[str] = None,
        public_key_pem: Optional[str] = None,
        rsa_bits: Optional[int] = None) -> PrivateKey

func GetPrivateKey(ctx *Context, name string, id IDInput, state *PrivateKeyState, opts ...ResourceOption) (*PrivateKey, error)

public static PrivateKey Get(string name, Input<string> id, PrivateKeyState? state, CustomResourceOptions? opts = null)

public static PrivateKey get(String name, Output<String> id, PrivateKeyState state, CustomResourceOptions options)

resources:  _:    type: tls:PrivateKey    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Algorithm string: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
EcdsaCurve string: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
PrivateKeyOpenssh string: Private key data in OpenSSH PEM (RFC 4716) format.
PrivateKeyPem string: Private key data in PEM (RFC 1421) format.
PrivateKeyPemPkcs8 string: Private key data in PKCS#8 PEM (RFC 5208) format.
PublicKeyFingerprintMd5 string: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
PublicKeyFingerprintSha256 string: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
PublicKeyOpenssh string: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
PublicKeyPem string: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
RsaBits int: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

Algorithm string: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
EcdsaCurve string: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
PrivateKeyOpenssh string: Private key data in OpenSSH PEM (RFC 4716) format.
PrivateKeyPem string: Private key data in PEM (RFC 1421) format.
PrivateKeyPemPkcs8 string: Private key data in PKCS#8 PEM (RFC 5208) format.
PublicKeyFingerprintMd5 string: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
PublicKeyFingerprintSha256 string: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
PublicKeyOpenssh string: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
PublicKeyPem string: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
RsaBits int: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

algorithm String: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
ecdsaCurve String: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
privateKeyOpenssh String: Private key data in OpenSSH PEM (RFC 4716) format.
privateKeyPem String: Private key data in PEM (RFC 1421) format.
privateKeyPemPkcs8 String: Private key data in PKCS#8 PEM (RFC 5208) format.
publicKeyFingerprintMd5 String: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyFingerprintSha256 String: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyOpenssh String: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
publicKeyPem String: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
rsaBits Integer: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

algorithm string: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
ecdsaCurve string: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
privateKeyOpenssh string: Private key data in OpenSSH PEM (RFC 4716) format.
privateKeyPem string: Private key data in PEM (RFC 1421) format.
privateKeyPemPkcs8 string: Private key data in PKCS#8 PEM (RFC 5208) format.
publicKeyFingerprintMd5 string: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyFingerprintSha256 string: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyOpenssh string: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
publicKeyPem string: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
rsaBits number: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

algorithm str: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
ecdsa_curve str: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
private_key_openssh str: Private key data in OpenSSH PEM (RFC 4716) format.
private_key_pem str: Private key data in PEM (RFC 1421) format.
private_key_pem_pkcs8 str: Private key data in PKCS#8 PEM (RFC 5208) format.
public_key_fingerprint_md5 str: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
public_key_fingerprint_sha256 str: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
public_key_openssh str: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
public_key_pem str: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
rsa_bits int: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

algorithm String: Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
ecdsaCurve String: When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
privateKeyOpenssh String: Private key data in OpenSSH PEM (RFC 4716) format.
privateKeyPem String: Private key data in PEM (RFC 1421) format.
privateKeyPemPkcs8 String: Private key data in PKCS#8 PEM (RFC 5208) format.
publicKeyFingerprintMd5 String: The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyFingerprintSha256 String: The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. SHA256:.... Only available if the selected private key format is compatible, similarly to publicKeyOpenssh and the ECDSA P224 limitations.
publicKeyOpenssh String: The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
publicKeyPem String: Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
rsaBits Number: When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).

Package Details

Repository: TLS pulumi/pulumi-tls
License: Apache-2.0
Notes: This Pulumi package is based on the tls Terraform Provider.

Viewing docs for TLS v5.3.1
published on Monday, Mar 30, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-tls

tls.PrivateKey

On this page

On this page

Example Usage

Generating a New Key

Create PrivateKey Resource

Constructor syntax

Parameters

Constructor example

PrivateKey Resource Properties

Inputs

Outputs

Look up Existing PrivateKey Resource

Package Details

On this page

On this page