1. Packages
  2. ACME
  3. API Docs
  4. Certificate
ACME v0.4.0 published on Friday, Oct 4, 2024 by Pulumiverse

acme.Certificate

Explore with Pulumi AI

acme logo
ACME v0.4.0 published on Friday, Oct 4, 2024 by Pulumiverse

    Create Certificate Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Certificate(name: string, args: CertificateArgs, opts?: CustomResourceOptions);
    @overload
    def Certificate(resource_name: str,
                    args: CertificateArgs,
                    opts: Optional[ResourceOptions] = None)
    
    @overload
    def Certificate(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    account_key_pem: Optional[str] = None,
                    cert_timeout: Optional[int] = None,
                    certificate_p12_password: Optional[str] = None,
                    certificate_request_pem: Optional[str] = None,
                    common_name: Optional[str] = None,
                    disable_complete_propagation: Optional[bool] = None,
                    dns_challenges: Optional[Sequence[CertificateDnsChallengeArgs]] = None,
                    http_challenge: Optional[CertificateHttpChallengeArgs] = None,
                    http_memcached_challenge: Optional[CertificateHttpMemcachedChallengeArgs] = None,
                    http_s3_challenge: Optional[CertificateHttpS3ChallengeArgs] = None,
                    http_webroot_challenge: Optional[CertificateHttpWebrootChallengeArgs] = None,
                    key_type: Optional[str] = None,
                    min_days_remaining: Optional[int] = None,
                    must_staple: Optional[bool] = None,
                    pre_check_delay: Optional[int] = None,
                    preferred_chain: Optional[str] = None,
                    recursive_nameservers: Optional[Sequence[str]] = None,
                    revoke_certificate_on_destroy: Optional[bool] = None,
                    revoke_certificate_reason: Optional[str] = None,
                    subject_alternative_names: Optional[Sequence[str]] = None,
                    tls_challenge: Optional[CertificateTlsChallengeArgs] = None)
    func NewCertificate(ctx *Context, name string, args CertificateArgs, opts ...ResourceOption) (*Certificate, error)
    public Certificate(string name, CertificateArgs args, CustomResourceOptions? opts = null)
    public Certificate(String name, CertificateArgs args)
    public Certificate(String name, CertificateArgs args, CustomResourceOptions options)
    
    type: acme:Certificate
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args CertificateArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args CertificateArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args CertificateArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args CertificateArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args CertificateArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var certificateResource = new Acme.Certificate("certificateResource", new()
    {
        AccountKeyPem = "string",
        CertTimeout = 0,
        CertificateP12Password = "string",
        CertificateRequestPem = "string",
        CommonName = "string",
        DisableCompletePropagation = false,
        DnsChallenges = new[]
        {
            new Acme.Inputs.CertificateDnsChallengeArgs
            {
                Provider = "string",
                Config = 
                {
                    { "string", "string" },
                },
            },
        },
        HttpChallenge = new Acme.Inputs.CertificateHttpChallengeArgs
        {
            Port = 0,
            ProxyHeader = "string",
        },
        HttpMemcachedChallenge = new Acme.Inputs.CertificateHttpMemcachedChallengeArgs
        {
            Hosts = new[]
            {
                "string",
            },
        },
        HttpS3Challenge = new Acme.Inputs.CertificateHttpS3ChallengeArgs
        {
            S3Bucket = "string",
        },
        HttpWebrootChallenge = new Acme.Inputs.CertificateHttpWebrootChallengeArgs
        {
            Directory = "string",
        },
        KeyType = "string",
        MinDaysRemaining = 0,
        MustStaple = false,
        PreCheckDelay = 0,
        PreferredChain = "string",
        RecursiveNameservers = new[]
        {
            "string",
        },
        RevokeCertificateOnDestroy = false,
        RevokeCertificateReason = "string",
        SubjectAlternativeNames = new[]
        {
            "string",
        },
        TlsChallenge = new Acme.Inputs.CertificateTlsChallengeArgs
        {
            Port = 0,
        },
    });
    
    example, err := acme.NewCertificate(ctx, "certificateResource", &acme.CertificateArgs{
    	AccountKeyPem:              pulumi.String("string"),
    	CertTimeout:                pulumi.Int(0),
    	CertificateP12Password:     pulumi.String("string"),
    	CertificateRequestPem:      pulumi.String("string"),
    	CommonName:                 pulumi.String("string"),
    	DisableCompletePropagation: pulumi.Bool(false),
    	DnsChallenges: acme.CertificateDnsChallengeArray{
    		&acme.CertificateDnsChallengeArgs{
    			Provider: pulumi.String("string"),
    			Config: pulumi.StringMap{
    				"string": pulumi.String("string"),
    			},
    		},
    	},
    	HttpChallenge: &acme.CertificateHttpChallengeArgs{
    		Port:        pulumi.Int(0),
    		ProxyHeader: pulumi.String("string"),
    	},
    	HttpMemcachedChallenge: &acme.CertificateHttpMemcachedChallengeArgs{
    		Hosts: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	HttpS3Challenge: &acme.CertificateHttpS3ChallengeArgs{
    		S3Bucket: pulumi.String("string"),
    	},
    	HttpWebrootChallenge: &acme.CertificateHttpWebrootChallengeArgs{
    		Directory: pulumi.String("string"),
    	},
    	KeyType:          pulumi.String("string"),
    	MinDaysRemaining: pulumi.Int(0),
    	MustStaple:       pulumi.Bool(false),
    	PreCheckDelay:    pulumi.Int(0),
    	PreferredChain:   pulumi.String("string"),
    	RecursiveNameservers: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	RevokeCertificateOnDestroy: pulumi.Bool(false),
    	RevokeCertificateReason:    pulumi.String("string"),
    	SubjectAlternativeNames: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	TlsChallenge: &acme.CertificateTlsChallengeArgs{
    		Port: pulumi.Int(0),
    	},
    })
    
    var certificateResource = new Certificate("certificateResource", CertificateArgs.builder()
        .accountKeyPem("string")
        .certTimeout(0)
        .certificateP12Password("string")
        .certificateRequestPem("string")
        .commonName("string")
        .disableCompletePropagation(false)
        .dnsChallenges(CertificateDnsChallengeArgs.builder()
            .provider("string")
            .config(Map.of("string", "string"))
            .build())
        .httpChallenge(CertificateHttpChallengeArgs.builder()
            .port(0)
            .proxyHeader("string")
            .build())
        .httpMemcachedChallenge(CertificateHttpMemcachedChallengeArgs.builder()
            .hosts("string")
            .build())
        .httpS3Challenge(CertificateHttpS3ChallengeArgs.builder()
            .s3Bucket("string")
            .build())
        .httpWebrootChallenge(CertificateHttpWebrootChallengeArgs.builder()
            .directory("string")
            .build())
        .keyType("string")
        .minDaysRemaining(0)
        .mustStaple(false)
        .preCheckDelay(0)
        .preferredChain("string")
        .recursiveNameservers("string")
        .revokeCertificateOnDestroy(false)
        .revokeCertificateReason("string")
        .subjectAlternativeNames("string")
        .tlsChallenge(CertificateTlsChallengeArgs.builder()
            .port(0)
            .build())
        .build());
    
    certificate_resource = acme.Certificate("certificateResource",
        account_key_pem="string",
        cert_timeout=0,
        certificate_p12_password="string",
        certificate_request_pem="string",
        common_name="string",
        disable_complete_propagation=False,
        dns_challenges=[acme.CertificateDnsChallengeArgs(
            provider="string",
            config={
                "string": "string",
            },
        )],
        http_challenge=acme.CertificateHttpChallengeArgs(
            port=0,
            proxy_header="string",
        ),
        http_memcached_challenge=acme.CertificateHttpMemcachedChallengeArgs(
            hosts=["string"],
        ),
        http_s3_challenge=acme.CertificateHttpS3ChallengeArgs(
            s3_bucket="string",
        ),
        http_webroot_challenge=acme.CertificateHttpWebrootChallengeArgs(
            directory="string",
        ),
        key_type="string",
        min_days_remaining=0,
        must_staple=False,
        pre_check_delay=0,
        preferred_chain="string",
        recursive_nameservers=["string"],
        revoke_certificate_on_destroy=False,
        revoke_certificate_reason="string",
        subject_alternative_names=["string"],
        tls_challenge=acme.CertificateTlsChallengeArgs(
            port=0,
        ))
    
    const certificateResource = new acme.Certificate("certificateResource", {
        accountKeyPem: "string",
        certTimeout: 0,
        certificateP12Password: "string",
        certificateRequestPem: "string",
        commonName: "string",
        disableCompletePropagation: false,
        dnsChallenges: [{
            provider: "string",
            config: {
                string: "string",
            },
        }],
        httpChallenge: {
            port: 0,
            proxyHeader: "string",
        },
        httpMemcachedChallenge: {
            hosts: ["string"],
        },
        httpS3Challenge: {
            s3Bucket: "string",
        },
        httpWebrootChallenge: {
            directory: "string",
        },
        keyType: "string",
        minDaysRemaining: 0,
        mustStaple: false,
        preCheckDelay: 0,
        preferredChain: "string",
        recursiveNameservers: ["string"],
        revokeCertificateOnDestroy: false,
        revokeCertificateReason: "string",
        subjectAlternativeNames: ["string"],
        tlsChallenge: {
            port: 0,
        },
    });
    
    type: acme:Certificate
    properties:
        accountKeyPem: string
        certTimeout: 0
        certificateP12Password: string
        certificateRequestPem: string
        commonName: string
        disableCompletePropagation: false
        dnsChallenges:
            - config:
                string: string
              provider: string
        httpChallenge:
            port: 0
            proxyHeader: string
        httpMemcachedChallenge:
            hosts:
                - string
        httpS3Challenge:
            s3Bucket: string
        httpWebrootChallenge:
            directory: string
        keyType: string
        minDaysRemaining: 0
        mustStaple: false
        preCheckDelay: 0
        preferredChain: string
        recursiveNameservers:
            - string
        revokeCertificateOnDestroy: false
        revokeCertificateReason: string
        subjectAlternativeNames:
            - string
        tlsChallenge:
            port: 0
    

    Certificate Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Certificate resource accepts the following input properties:

    AccountKeyPem string
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    CertTimeout int

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    CertificateP12Password string
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    CertificateRequestPem string
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    CommonName string
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    DisableCompletePropagation bool

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    DnsChallenges List<Pulumiverse.Acme.Inputs.CertificateDnsChallenge>
    The DNS challenges to use in fulfilling the request.
    HttpChallenge Pulumiverse.Acme.Inputs.CertificateHttpChallenge
    Defines an HTTP challenge to use in fulfilling the request.
    HttpMemcachedChallenge Pulumiverse.Acme.Inputs.CertificateHttpMemcachedChallenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    HttpS3Challenge Pulumiverse.Acme.Inputs.CertificateHttpS3Challenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    HttpWebrootChallenge Pulumiverse.Acme.Inputs.CertificateHttpWebrootChallenge
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    KeyType string
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    MinDaysRemaining int
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    MustStaple bool

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    PreCheckDelay int

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    PreferredChain string

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    RecursiveNameservers List<string>
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    RevokeCertificateOnDestroy bool
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    RevokeCertificateReason string
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    SubjectAlternativeNames List<string>
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    TlsChallenge Pulumiverse.Acme.Inputs.CertificateTlsChallenge

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    AccountKeyPem string
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    CertTimeout int

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    CertificateP12Password string
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    CertificateRequestPem string
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    CommonName string
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    DisableCompletePropagation bool

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    DnsChallenges []CertificateDnsChallengeArgs
    The DNS challenges to use in fulfilling the request.
    HttpChallenge CertificateHttpChallengeArgs
    Defines an HTTP challenge to use in fulfilling the request.
    HttpMemcachedChallenge CertificateHttpMemcachedChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    HttpS3Challenge CertificateHttpS3ChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    HttpWebrootChallenge CertificateHttpWebrootChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    KeyType string
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    MinDaysRemaining int
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    MustStaple bool

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    PreCheckDelay int

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    PreferredChain string

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    RecursiveNameservers []string
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    RevokeCertificateOnDestroy bool
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    RevokeCertificateReason string
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    SubjectAlternativeNames []string
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    TlsChallenge CertificateTlsChallengeArgs

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    accountKeyPem String
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    certTimeout Integer

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    certificateP12Password String
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    certificateRequestPem String
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    commonName String
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    disableCompletePropagation Boolean

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    dnsChallenges List<CertificateDnsChallenge>
    The DNS challenges to use in fulfilling the request.
    httpChallenge CertificateHttpChallenge
    Defines an HTTP challenge to use in fulfilling the request.
    httpMemcachedChallenge CertificateHttpMemcachedChallenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    httpS3Challenge CertificateHttpS3Challenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    httpWebrootChallenge CertificateHttpWebrootChallenge
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    keyType String
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    minDaysRemaining Integer
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    mustStaple Boolean

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    preCheckDelay Integer

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    preferredChain String

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    recursiveNameservers List<String>
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    revokeCertificateOnDestroy Boolean
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    revokeCertificateReason String
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    subjectAlternativeNames List<String>
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    tlsChallenge CertificateTlsChallenge

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    accountKeyPem string
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    certTimeout number

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    certificateP12Password string
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    certificateRequestPem string
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    commonName string
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    disableCompletePropagation boolean

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    dnsChallenges CertificateDnsChallenge[]
    The DNS challenges to use in fulfilling the request.
    httpChallenge CertificateHttpChallenge
    Defines an HTTP challenge to use in fulfilling the request.
    httpMemcachedChallenge CertificateHttpMemcachedChallenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    httpS3Challenge CertificateHttpS3Challenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    httpWebrootChallenge CertificateHttpWebrootChallenge
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    keyType string
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    minDaysRemaining number
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    mustStaple boolean

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    preCheckDelay number

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    preferredChain string

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    recursiveNameservers string[]
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    revokeCertificateOnDestroy boolean
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    revokeCertificateReason string
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    subjectAlternativeNames string[]
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    tlsChallenge CertificateTlsChallenge

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    account_key_pem str
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    cert_timeout int

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    certificate_p12_password str
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    certificate_request_pem str
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    common_name str
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    disable_complete_propagation bool

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    dns_challenges Sequence[CertificateDnsChallengeArgs]
    The DNS challenges to use in fulfilling the request.
    http_challenge CertificateHttpChallengeArgs
    Defines an HTTP challenge to use in fulfilling the request.
    http_memcached_challenge CertificateHttpMemcachedChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    http_s3_challenge CertificateHttpS3ChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    http_webroot_challenge CertificateHttpWebrootChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    key_type str
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    min_days_remaining int
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    must_staple bool

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    pre_check_delay int

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    preferred_chain str

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    recursive_nameservers Sequence[str]
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    revoke_certificate_on_destroy bool
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    revoke_certificate_reason str
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    subject_alternative_names Sequence[str]
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    tls_challenge CertificateTlsChallengeArgs

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    accountKeyPem String
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    certTimeout Number

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    certificateP12Password String
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    certificateRequestPem String
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    commonName String
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    disableCompletePropagation Boolean

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    dnsChallenges List<Property Map>
    The DNS challenges to use in fulfilling the request.
    httpChallenge Property Map
    Defines an HTTP challenge to use in fulfilling the request.
    httpMemcachedChallenge Property Map
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    httpS3Challenge Property Map
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    httpWebrootChallenge Property Map
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    keyType String
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    minDaysRemaining Number
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    mustStaple Boolean

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    preCheckDelay Number

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    preferredChain String

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    recursiveNameservers List<String>
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    revokeCertificateOnDestroy Boolean
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    revokeCertificateReason String
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    subjectAlternativeNames List<String>
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    tlsChallenge Property Map

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:

    CertificateDomain string
    The common name of the certificate.
    CertificateNotAfter string
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    CertificateP12 string
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    CertificatePem string
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    CertificateSerial string
    The serial number, in string format, as reported by the CA.
    CertificateUrl string
    The full URL of the certificate within the ACME CA.
    Id string
    The provider-assigned unique ID for this managed resource.
    IssuerPem string
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    PrivateKeyPem string
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
    CertificateDomain string
    The common name of the certificate.
    CertificateNotAfter string
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    CertificateP12 string
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    CertificatePem string
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    CertificateSerial string
    The serial number, in string format, as reported by the CA.
    CertificateUrl string
    The full URL of the certificate within the ACME CA.
    Id string
    The provider-assigned unique ID for this managed resource.
    IssuerPem string
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    PrivateKeyPem string
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
    certificateDomain String
    The common name of the certificate.
    certificateNotAfter String
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    certificateP12 String
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    certificatePem String
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    certificateSerial String
    The serial number, in string format, as reported by the CA.
    certificateUrl String
    The full URL of the certificate within the ACME CA.
    id String
    The provider-assigned unique ID for this managed resource.
    issuerPem String
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    privateKeyPem String
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
    certificateDomain string
    The common name of the certificate.
    certificateNotAfter string
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    certificateP12 string
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    certificatePem string
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    certificateSerial string
    The serial number, in string format, as reported by the CA.
    certificateUrl string
    The full URL of the certificate within the ACME CA.
    id string
    The provider-assigned unique ID for this managed resource.
    issuerPem string
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    privateKeyPem string
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
    certificate_domain str
    The common name of the certificate.
    certificate_not_after str
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    certificate_p12 str
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    certificate_pem str
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    certificate_serial str
    The serial number, in string format, as reported by the CA.
    certificate_url str
    The full URL of the certificate within the ACME CA.
    id str
    The provider-assigned unique ID for this managed resource.
    issuer_pem str
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    private_key_pem str
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
    certificateDomain String
    The common name of the certificate.
    certificateNotAfter String
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    certificateP12 String
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    certificatePem String
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    certificateSerial String
    The serial number, in string format, as reported by the CA.
    certificateUrl String
    The full URL of the certificate within the ACME CA.
    id String
    The provider-assigned unique ID for this managed resource.
    issuerPem String
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    privateKeyPem String
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

    Look up Existing Certificate Resource

    Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            account_key_pem: Optional[str] = None,
            cert_timeout: Optional[int] = None,
            certificate_domain: Optional[str] = None,
            certificate_not_after: Optional[str] = None,
            certificate_p12: Optional[str] = None,
            certificate_p12_password: Optional[str] = None,
            certificate_pem: Optional[str] = None,
            certificate_request_pem: Optional[str] = None,
            certificate_serial: Optional[str] = None,
            certificate_url: Optional[str] = None,
            common_name: Optional[str] = None,
            disable_complete_propagation: Optional[bool] = None,
            dns_challenges: Optional[Sequence[CertificateDnsChallengeArgs]] = None,
            http_challenge: Optional[CertificateHttpChallengeArgs] = None,
            http_memcached_challenge: Optional[CertificateHttpMemcachedChallengeArgs] = None,
            http_s3_challenge: Optional[CertificateHttpS3ChallengeArgs] = None,
            http_webroot_challenge: Optional[CertificateHttpWebrootChallengeArgs] = None,
            issuer_pem: Optional[str] = None,
            key_type: Optional[str] = None,
            min_days_remaining: Optional[int] = None,
            must_staple: Optional[bool] = None,
            pre_check_delay: Optional[int] = None,
            preferred_chain: Optional[str] = None,
            private_key_pem: Optional[str] = None,
            recursive_nameservers: Optional[Sequence[str]] = None,
            revoke_certificate_on_destroy: Optional[bool] = None,
            revoke_certificate_reason: Optional[str] = None,
            subject_alternative_names: Optional[Sequence[str]] = None,
            tls_challenge: Optional[CertificateTlsChallengeArgs] = None) -> Certificate
    func GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)
    public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)
    public static Certificate get(String name, Output<String> id, CertificateState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccountKeyPem string
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    CertTimeout int

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    CertificateDomain string
    The common name of the certificate.
    CertificateNotAfter string
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    CertificateP12 string
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    CertificateP12Password string
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    CertificatePem string
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    CertificateRequestPem string
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    CertificateSerial string
    The serial number, in string format, as reported by the CA.
    CertificateUrl string
    The full URL of the certificate within the ACME CA.
    CommonName string
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    DisableCompletePropagation bool

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    DnsChallenges List<Pulumiverse.Acme.Inputs.CertificateDnsChallenge>
    The DNS challenges to use in fulfilling the request.
    HttpChallenge Pulumiverse.Acme.Inputs.CertificateHttpChallenge
    Defines an HTTP challenge to use in fulfilling the request.
    HttpMemcachedChallenge Pulumiverse.Acme.Inputs.CertificateHttpMemcachedChallenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    HttpS3Challenge Pulumiverse.Acme.Inputs.CertificateHttpS3Challenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    HttpWebrootChallenge Pulumiverse.Acme.Inputs.CertificateHttpWebrootChallenge
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    IssuerPem string
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    KeyType string
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    MinDaysRemaining int
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    MustStaple bool

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    PreCheckDelay int

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    PreferredChain string

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    PrivateKeyPem string
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
    RecursiveNameservers List<string>
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    RevokeCertificateOnDestroy bool
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    RevokeCertificateReason string
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    SubjectAlternativeNames List<string>
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    TlsChallenge Pulumiverse.Acme.Inputs.CertificateTlsChallenge

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    AccountKeyPem string
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    CertTimeout int

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    CertificateDomain string
    The common name of the certificate.
    CertificateNotAfter string
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    CertificateP12 string
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    CertificateP12Password string
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    CertificatePem string
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    CertificateRequestPem string
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    CertificateSerial string
    The serial number, in string format, as reported by the CA.
    CertificateUrl string
    The full URL of the certificate within the ACME CA.
    CommonName string
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    DisableCompletePropagation bool

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    DnsChallenges []CertificateDnsChallengeArgs
    The DNS challenges to use in fulfilling the request.
    HttpChallenge CertificateHttpChallengeArgs
    Defines an HTTP challenge to use in fulfilling the request.
    HttpMemcachedChallenge CertificateHttpMemcachedChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    HttpS3Challenge CertificateHttpS3ChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    HttpWebrootChallenge CertificateHttpWebrootChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    IssuerPem string
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    KeyType string
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    MinDaysRemaining int
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    MustStaple bool

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    PreCheckDelay int

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    PreferredChain string

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    PrivateKeyPem string
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
    RecursiveNameservers []string
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    RevokeCertificateOnDestroy bool
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    RevokeCertificateReason string
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    SubjectAlternativeNames []string
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    TlsChallenge CertificateTlsChallengeArgs

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    accountKeyPem String
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    certTimeout Integer

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    certificateDomain String
    The common name of the certificate.
    certificateNotAfter String
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    certificateP12 String
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    certificateP12Password String
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    certificatePem String
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    certificateRequestPem String
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    certificateSerial String
    The serial number, in string format, as reported by the CA.
    certificateUrl String
    The full URL of the certificate within the ACME CA.
    commonName String
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    disableCompletePropagation Boolean

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    dnsChallenges List<CertificateDnsChallenge>
    The DNS challenges to use in fulfilling the request.
    httpChallenge CertificateHttpChallenge
    Defines an HTTP challenge to use in fulfilling the request.
    httpMemcachedChallenge CertificateHttpMemcachedChallenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    httpS3Challenge CertificateHttpS3Challenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    httpWebrootChallenge CertificateHttpWebrootChallenge
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    issuerPem String
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    keyType String
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    minDaysRemaining Integer
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    mustStaple Boolean

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    preCheckDelay Integer

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    preferredChain String

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    privateKeyPem String
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
    recursiveNameservers List<String>
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    revokeCertificateOnDestroy Boolean
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    revokeCertificateReason String
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    subjectAlternativeNames List<String>
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    tlsChallenge CertificateTlsChallenge

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    accountKeyPem string
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    certTimeout number

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    certificateDomain string
    The common name of the certificate.
    certificateNotAfter string
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    certificateP12 string
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    certificateP12Password string
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    certificatePem string
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    certificateRequestPem string
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    certificateSerial string
    The serial number, in string format, as reported by the CA.
    certificateUrl string
    The full URL of the certificate within the ACME CA.
    commonName string
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    disableCompletePropagation boolean

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    dnsChallenges CertificateDnsChallenge[]
    The DNS challenges to use in fulfilling the request.
    httpChallenge CertificateHttpChallenge
    Defines an HTTP challenge to use in fulfilling the request.
    httpMemcachedChallenge CertificateHttpMemcachedChallenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    httpS3Challenge CertificateHttpS3Challenge
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    httpWebrootChallenge CertificateHttpWebrootChallenge
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    issuerPem string
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    keyType string
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    minDaysRemaining number
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    mustStaple boolean

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    preCheckDelay number

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    preferredChain string

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    privateKeyPem string
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
    recursiveNameservers string[]
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    revokeCertificateOnDestroy boolean
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    revokeCertificateReason string
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    subjectAlternativeNames string[]
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    tlsChallenge CertificateTlsChallenge

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    account_key_pem str
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    cert_timeout int

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    certificate_domain str
    The common name of the certificate.
    certificate_not_after str
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    certificate_p12 str
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    certificate_p12_password str
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    certificate_pem str
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    certificate_request_pem str
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    certificate_serial str
    The serial number, in string format, as reported by the CA.
    certificate_url str
    The full URL of the certificate within the ACME CA.
    common_name str
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    disable_complete_propagation bool

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    dns_challenges Sequence[CertificateDnsChallengeArgs]
    The DNS challenges to use in fulfilling the request.
    http_challenge CertificateHttpChallengeArgs
    Defines an HTTP challenge to use in fulfilling the request.
    http_memcached_challenge CertificateHttpMemcachedChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    http_s3_challenge CertificateHttpS3ChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    http_webroot_challenge CertificateHttpWebrootChallengeArgs
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    issuer_pem str
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    key_type str
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    min_days_remaining int
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    must_staple bool

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    pre_check_delay int

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    preferred_chain str

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    private_key_pem str
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
    recursive_nameservers Sequence[str]
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    revoke_certificate_on_destroy bool
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    revoke_certificate_reason str
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    subject_alternative_names Sequence[str]
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    tls_challenge CertificateTlsChallengeArgs

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    accountKeyPem String
    The private key of the account that is requesting the certificate. Forces a new resource when changed.
    certTimeout Number

    Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

    As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

    certificateDomain String
    The common name of the certificate.
    certificateNotAfter String
    The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
    certificateP12 String
    The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
    certificateP12Password String
    Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
    certificatePem String
    The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    certificateRequestPem String
    A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
    certificateSerial String
    The serial number, in string format, as reported by the CA.
    certificateUrl String
    The full URL of the certificate within the ACME CA.
    commonName String
    The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
    disableCompletePropagation Boolean

    Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

    See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

    dnsChallenges List<Property Map>
    The DNS challenges to use in fulfilling the request.
    httpChallenge Property Map
    Defines an HTTP challenge to use in fulfilling the request.
    httpMemcachedChallenge Property Map
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
    httpS3Challenge Property Map
    Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
    httpWebrootChallenge Property Map
    Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
    issuerPem String
    The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
    keyType String
    The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
    minDaysRemaining Number
    The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
    mustStaple Boolean

    Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

    OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

    preCheckDelay Number

    Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

    Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

    preferredChain String

    The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

    preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

    privateKeyPem String
    The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
    recursiveNameservers List<String>
    The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
    revokeCertificateOnDestroy Boolean
    Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
    revokeCertificateReason String
    Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

    • unspecified
    • key-compromise
    • ca-compromise
    • affiliation-changed
    • superseded
    • cessation-of-operation
    • certificate-hold
    • remove-from-crl
    • privilege-withdrawn
    • aa-compromise
    subjectAlternativeNames List<String>
    The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
    tlsChallenge Property Map

    Defines a TLS challenge to use in fulfilling the request.

    Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

    Supporting Types

    CertificateDnsChallenge, CertificateDnsChallengeArgs

    Provider string
    Config Dictionary<string, string>
    Provider string
    Config map[string]string
    provider String
    config Map<String,String>
    provider string
    config {[key: string]: string}
    provider str
    config Mapping[str, str]
    provider String
    config Map<String>

    CertificateHttpChallenge, CertificateHttpChallengeArgs

    Port int
    The port that the challenge server listens on. Default: 80.
    ProxyHeader string

    The proxy header to match against. Default: Host.

    The proxy_header option behaves differently depending on its definition:

    • When set to Host, standard host header validation is used.
    • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
    • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
    Port int
    The port that the challenge server listens on. Default: 80.
    ProxyHeader string

    The proxy header to match against. Default: Host.

    The proxy_header option behaves differently depending on its definition:

    • When set to Host, standard host header validation is used.
    • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
    • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
    port Integer
    The port that the challenge server listens on. Default: 80.
    proxyHeader String

    The proxy header to match against. Default: Host.

    The proxy_header option behaves differently depending on its definition:

    • When set to Host, standard host header validation is used.
    • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
    • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
    port number
    The port that the challenge server listens on. Default: 80.
    proxyHeader string

    The proxy header to match against. Default: Host.

    The proxy_header option behaves differently depending on its definition:

    • When set to Host, standard host header validation is used.
    • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
    • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
    port int
    The port that the challenge server listens on. Default: 80.
    proxy_header str

    The proxy header to match against. Default: Host.

    The proxy_header option behaves differently depending on its definition:

    • When set to Host, standard host header validation is used.
    • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
    • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
    port Number
    The port that the challenge server listens on. Default: 80.
    proxyHeader String

    The proxy header to match against. Default: Host.

    The proxy_header option behaves differently depending on its definition:

    • When set to Host, standard host header validation is used.
    • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
    • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.

    CertificateHttpMemcachedChallenge, CertificateHttpMemcachedChallengeArgs

    Hosts List<string>
    Hosts []string
    hosts List<String>
    hosts string[]
    hosts Sequence[str]
    hosts List<String>

    CertificateHttpS3Challenge, CertificateHttpS3ChallengeArgs

    S3Bucket string
    The s3_bucket to publish the record to.
    S3Bucket string
    The s3_bucket to publish the record to.
    s3Bucket String
    The s3_bucket to publish the record to.
    s3Bucket string
    The s3_bucket to publish the record to.
    s3_bucket str
    The s3_bucket to publish the record to.
    s3Bucket String
    The s3_bucket to publish the record to.

    CertificateHttpWebrootChallenge, CertificateHttpWebrootChallengeArgs

    Directory string
    The directory to publish the record to.
    Directory string
    The directory to publish the record to.
    directory String
    The directory to publish the record to.
    directory string
    The directory to publish the record to.
    directory str
    The directory to publish the record to.
    directory String
    The directory to publish the record to.

    CertificateTlsChallenge, CertificateTlsChallengeArgs

    Port int
    The port that the challenge server listens on. Default: 443.
    Port int
    The port that the challenge server listens on. Default: 443.
    port Integer
    The port that the challenge server listens on. Default: 443.
    port number
    The port that the challenge server listens on. Default: 443.
    port int
    The port that the challenge server listens on. Default: 443.
    port Number
    The port that the challenge server listens on. Default: 443.

    Package Details

    Repository
    acme pulumiverse/pulumi-acme
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the acme Terraform Provider.
    acme logo
    ACME v0.4.0 published on Friday, Oct 4, 2024 by Pulumiverse