ACME v0.0.1, Sep 25 23

ACME v0.0.1 published on Monday, Sep 25, 2023 by Pulumiverse

acme.Certificate

Explore with Pulumi AI

ACME v0.0.1 published on Monday, Sep 25, 2023 by Pulumiverse

Create Certificate Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Certificate(name: string, args: CertificateArgs, opts?: CustomResourceOptions);

@overload
def Certificate(resource_name: str,
                args: CertificateArgs,
                opts: Optional[ResourceOptions] = None)

@overload
def Certificate(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                account_key_pem: Optional[str] = None,
                certificate_p12_password: Optional[str] = None,
                certificate_request_pem: Optional[str] = None,
                common_name: Optional[str] = None,
                disable_complete_propagation: Optional[bool] = None,
                dns_challenges: Optional[Sequence[CertificateDnsChallengeArgs]] = None,
                http_challenge: Optional[CertificateHttpChallengeArgs] = None,
                http_memcached_challenge: Optional[CertificateHttpMemcachedChallengeArgs] = None,
                http_s3_challenge: Optional[CertificateHttpS3ChallengeArgs] = None,
                http_webroot_challenge: Optional[CertificateHttpWebrootChallengeArgs] = None,
                key_type: Optional[str] = None,
                min_days_remaining: Optional[int] = None,
                must_staple: Optional[bool] = None,
                pre_check_delay: Optional[int] = None,
                preferred_chain: Optional[str] = None,
                recursive_nameservers: Optional[Sequence[str]] = None,
                revoke_certificate_on_destroy: Optional[bool] = None,
                subject_alternative_names: Optional[Sequence[str]] = None,
                tls_challenge: Optional[CertificateTlsChallengeArgs] = None)

func NewCertificate(ctx *Context, name string, args CertificateArgs, opts ...ResourceOption) (*Certificate, error)

public Certificate(string name, CertificateArgs args, CustomResourceOptions? opts = null)

public Certificate(String name, CertificateArgs args)
public Certificate(String name, CertificateArgs args, CustomResourceOptions options)

type: acme:Certificate
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Example

The following reference example uses placeholder values for all input properties.

var certificateResource = new Acme.Certificate("certificateResource", new()
{
    AccountKeyPem = "string",
    CertificateP12Password = "string",
    CertificateRequestPem = "string",
    CommonName = "string",
    DisableCompletePropagation = false,
    DnsChallenges = new[]
    {
        new Acme.Inputs.CertificateDnsChallengeArgs
        {
            Provider = "string",
            Config = 
            {
                { "string", "any" },
            },
        },
    },
    HttpChallenge = new Acme.Inputs.CertificateHttpChallengeArgs
    {
        Port = 0,
        ProxyHeader = "string",
    },
    HttpMemcachedChallenge = new Acme.Inputs.CertificateHttpMemcachedChallengeArgs
    {
        Hosts = new[]
        {
            "string",
        },
    },
    HttpS3Challenge = new Acme.Inputs.CertificateHttpS3ChallengeArgs
    {
        S3Bucket = "string",
    },
    HttpWebrootChallenge = new Acme.Inputs.CertificateHttpWebrootChallengeArgs
    {
        Directory = "string",
    },
    KeyType = "string",
    MinDaysRemaining = 0,
    MustStaple = false,
    PreCheckDelay = 0,
    PreferredChain = "string",
    RecursiveNameservers = new[]
    {
        "string",
    },
    RevokeCertificateOnDestroy = false,
    SubjectAlternativeNames = new[]
    {
        "string",
    },
    TlsChallenge = new Acme.Inputs.CertificateTlsChallengeArgs
    {
        Port = 0,
    },
});

example, err := acme.NewCertificate(ctx, "certificateResource", &acme.CertificateArgs{
	AccountKeyPem:              pulumi.String("string"),
	CertificateP12Password:     pulumi.String("string"),
	CertificateRequestPem:      pulumi.String("string"),
	CommonName:                 pulumi.String("string"),
	DisableCompletePropagation: pulumi.Bool(false),
	DnsChallenges: acme.CertificateDnsChallengeArray{
		&acme.CertificateDnsChallengeArgs{
			Provider: pulumi.String("string"),
			Config: pulumi.Map{
				"string": pulumi.Any("any"),
			},
		},
	},
	HttpChallenge: &acme.CertificateHttpChallengeArgs{
		Port:        pulumi.Int(0),
		ProxyHeader: pulumi.String("string"),
	},
	HttpMemcachedChallenge: &acme.CertificateHttpMemcachedChallengeArgs{
		Hosts: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	HttpS3Challenge: &acme.CertificateHttpS3ChallengeArgs{
		S3Bucket: pulumi.String("string"),
	},
	HttpWebrootChallenge: &acme.CertificateHttpWebrootChallengeArgs{
		Directory: pulumi.String("string"),
	},
	KeyType:          pulumi.String("string"),
	MinDaysRemaining: pulumi.Int(0),
	MustStaple:       pulumi.Bool(false),
	PreCheckDelay:    pulumi.Int(0),
	PreferredChain:   pulumi.String("string"),
	RecursiveNameservers: pulumi.StringArray{
		pulumi.String("string"),
	},
	RevokeCertificateOnDestroy: pulumi.Bool(false),
	SubjectAlternativeNames: pulumi.StringArray{
		pulumi.String("string"),
	},
	TlsChallenge: &acme.CertificateTlsChallengeArgs{
		Port: pulumi.Int(0),
	},
})

var certificateResource = new Certificate("certificateResource", CertificateArgs.builder()        
    .accountKeyPem("string")
    .certificateP12Password("string")
    .certificateRequestPem("string")
    .commonName("string")
    .disableCompletePropagation(false)
    .dnsChallenges(CertificateDnsChallengeArgs.builder()
        .provider("string")
        .config(Map.of("string", "any"))
        .build())
    .httpChallenge(CertificateHttpChallengeArgs.builder()
        .port(0)
        .proxyHeader("string")
        .build())
    .httpMemcachedChallenge(CertificateHttpMemcachedChallengeArgs.builder()
        .hosts("string")
        .build())
    .httpS3Challenge(CertificateHttpS3ChallengeArgs.builder()
        .s3Bucket("string")
        .build())
    .httpWebrootChallenge(CertificateHttpWebrootChallengeArgs.builder()
        .directory("string")
        .build())
    .keyType("string")
    .minDaysRemaining(0)
    .mustStaple(false)
    .preCheckDelay(0)
    .preferredChain("string")
    .recursiveNameservers("string")
    .revokeCertificateOnDestroy(false)
    .subjectAlternativeNames("string")
    .tlsChallenge(CertificateTlsChallengeArgs.builder()
        .port(0)
        .build())
    .build());

certificate_resource = acme.Certificate("certificateResource",
    account_key_pem="string",
    certificate_p12_password="string",
    certificate_request_pem="string",
    common_name="string",
    disable_complete_propagation=False,
    dns_challenges=[acme.CertificateDnsChallengeArgs(
        provider="string",
        config={
            "string": "any",
        },
    )],
    http_challenge=acme.CertificateHttpChallengeArgs(
        port=0,
        proxy_header="string",
    ),
    http_memcached_challenge=acme.CertificateHttpMemcachedChallengeArgs(
        hosts=["string"],
    ),
    http_s3_challenge=acme.CertificateHttpS3ChallengeArgs(
        s3_bucket="string",
    ),
    http_webroot_challenge=acme.CertificateHttpWebrootChallengeArgs(
        directory="string",
    ),
    key_type="string",
    min_days_remaining=0,
    must_staple=False,
    pre_check_delay=0,
    preferred_chain="string",
    recursive_nameservers=["string"],
    revoke_certificate_on_destroy=False,
    subject_alternative_names=["string"],
    tls_challenge=acme.CertificateTlsChallengeArgs(
        port=0,
    ))

const certificateResource = new acme.Certificate("certificateResource", {
    accountKeyPem: "string",
    certificateP12Password: "string",
    certificateRequestPem: "string",
    commonName: "string",
    disableCompletePropagation: false,
    dnsChallenges: [{
        provider: "string",
        config: {
            string: "any",
        },
    }],
    httpChallenge: {
        port: 0,
        proxyHeader: "string",
    },
    httpMemcachedChallenge: {
        hosts: ["string"],
    },
    httpS3Challenge: {
        s3Bucket: "string",
    },
    httpWebrootChallenge: {
        directory: "string",
    },
    keyType: "string",
    minDaysRemaining: 0,
    mustStaple: false,
    preCheckDelay: 0,
    preferredChain: "string",
    recursiveNameservers: ["string"],
    revokeCertificateOnDestroy: false,
    subjectAlternativeNames: ["string"],
    tlsChallenge: {
        port: 0,
    },
});

type: acme:Certificate
properties:
    accountKeyPem: string
    certificateP12Password: string
    certificateRequestPem: string
    commonName: string
    disableCompletePropagation: false
    dnsChallenges:
        - config:
            string: any
          provider: string
    httpChallenge:
        port: 0
        proxyHeader: string
    httpMemcachedChallenge:
        hosts:
            - string
    httpS3Challenge:
        s3Bucket: string
    httpWebrootChallenge:
        directory: string
    keyType: string
    minDaysRemaining: 0
    mustStaple: false
    preCheckDelay: 0
    preferredChain: string
    recursiveNameservers:
        - string
    revokeCertificateOnDestroy: false
    subjectAlternativeNames:
        - string
    tlsChallenge:
        port: 0

Certificate Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Certificate resource accepts the following input properties:

AccountKeyPem string: The private key of the account that is requesting the certificate. Forces a new resource when changed.
CertificateP12Password string: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
CertificateRequestPem string: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
CommonName string: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
DisableCompletePropagation bool: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
DnsChallenges List<Pulumiverse.Acme.Inputs.CertificateDnsChallenge>: The DNS challenges to use in fulfilling the request.
HttpChallenge Pulumiverse.Acme.Inputs.CertificateHttpChallenge: Defines an HTTP challenge to use in fulfilling the request.
HttpMemcachedChallenge Pulumiverse.Acme.Inputs.CertificateHttpMemcachedChallenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
HttpS3Challenge Pulumiverse.Acme.Inputs.CertificateHttpS3Challenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
HttpWebrootChallenge Pulumiverse.Acme.Inputs.CertificateHttpWebrootChallenge: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
KeyType string: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
MinDaysRemaining int: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
MustStaple bool: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
PreCheckDelay int: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
PreferredChain string: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
RecursiveNameservers List<string>: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
RevokeCertificateOnDestroy bool: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
SubjectAlternativeNames List<string>: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
TlsChallenge Pulumiverse.Acme.Inputs.CertificateTlsChallenge: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

AccountKeyPem string: The private key of the account that is requesting the certificate. Forces a new resource when changed.
CertificateP12Password string: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
CertificateRequestPem string: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
CommonName string: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
DisableCompletePropagation bool: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
DnsChallenges []CertificateDnsChallengeArgs: The DNS challenges to use in fulfilling the request.
HttpChallenge CertificateHttpChallengeArgs: Defines an HTTP challenge to use in fulfilling the request.
HttpMemcachedChallenge CertificateHttpMemcachedChallengeArgs: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
HttpS3Challenge CertificateHttpS3ChallengeArgs: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
HttpWebrootChallenge CertificateHttpWebrootChallengeArgs: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
KeyType string: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
MinDaysRemaining int: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
MustStaple bool: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
PreCheckDelay int: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
PreferredChain string: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
RecursiveNameservers []string: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
RevokeCertificateOnDestroy bool: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
SubjectAlternativeNames []string: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
TlsChallenge CertificateTlsChallengeArgs: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem String: The private key of the account that is requesting the certificate. Forces a new resource when changed.
certificateP12Password String: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
certificateRequestPem String: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
commonName String: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
disableCompletePropagation Boolean: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
dnsChallenges List<CertificateDnsChallenge>: The DNS challenges to use in fulfilling the request.
httpChallenge CertificateHttpChallenge: Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge CertificateHttpMemcachedChallenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge CertificateHttpS3Challenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
httpWebrootChallenge CertificateHttpWebrootChallenge: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
keyType String: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining Integer: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple Boolean: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
preCheckDelay Integer: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
preferredChain String: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
recursiveNameservers List<String>: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy Boolean: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
subjectAlternativeNames List<String>: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
tlsChallenge CertificateTlsChallenge: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem string: The private key of the account that is requesting the certificate. Forces a new resource when changed.
certificateP12Password string: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
certificateRequestPem string: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
commonName string: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
disableCompletePropagation boolean: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
dnsChallenges CertificateDnsChallenge[]: The DNS challenges to use in fulfilling the request.
httpChallenge CertificateHttpChallenge: Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge CertificateHttpMemcachedChallenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge CertificateHttpS3Challenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
httpWebrootChallenge CertificateHttpWebrootChallenge: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
keyType string: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining number: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple boolean: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
preCheckDelay number: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
preferredChain string: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
recursiveNameservers string[]: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy boolean: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
subjectAlternativeNames string[]: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
tlsChallenge CertificateTlsChallenge: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

account_key_pem str: The private key of the account that is requesting the certificate. Forces a new resource when changed.
certificate_p12_password str: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
certificate_request_pem str: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
common_name str: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
disable_complete_propagation bool: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
dns_challenges Sequence[CertificateDnsChallengeArgs]: The DNS challenges to use in fulfilling the request.
http_challenge CertificateHttpChallengeArgs: Defines an HTTP challenge to use in fulfilling the request.
http_memcached_challenge CertificateHttpMemcachedChallengeArgs: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
http_s3_challenge CertificateHttpS3ChallengeArgs: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
http_webroot_challenge CertificateHttpWebrootChallengeArgs: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
key_type str: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
min_days_remaining int: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
must_staple bool: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
pre_check_delay int: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
preferred_chain str: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
recursive_nameservers Sequence[str]: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revoke_certificate_on_destroy bool: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
subject_alternative_names Sequence[str]: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
tls_challenge CertificateTlsChallengeArgs: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem String: The private key of the account that is requesting the certificate. Forces a new resource when changed.
certificateP12Password String: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
certificateRequestPem String: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
commonName String: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
disableCompletePropagation Boolean: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
dnsChallenges List<Property Map>: The DNS challenges to use in fulfilling the request.
httpChallenge Property Map: Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge Property Map: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge Property Map: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
httpWebrootChallenge Property Map: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
keyType String: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining Number: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple Boolean: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
preCheckDelay Number: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
preferredChain String: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
recursiveNameservers List<String>: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy Boolean: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
subjectAlternativeNames List<String>: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
tlsChallenge Property Map: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

Outputs

All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:

CertificateDomain string: The common name of the certificate.
CertificateNotAfter string: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
CertificateP12 string: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
CertificatePem string: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
CertificateUrl string: The full URL of the certificate within the ACME CA.
Id string: The provider-assigned unique ID for this managed resource.
IssuerPem string: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
PrivateKeyPem string: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

CertificateDomain string: The common name of the certificate.
CertificateNotAfter string: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
CertificateP12 string: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
CertificatePem string: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
CertificateUrl string: The full URL of the certificate within the ACME CA.
Id string: The provider-assigned unique ID for this managed resource.
IssuerPem string: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
PrivateKeyPem string: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

certificateDomain String: The common name of the certificate.
certificateNotAfter String: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 String: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificatePem String: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateUrl String: The full URL of the certificate within the ACME CA.
id String: The provider-assigned unique ID for this managed resource.
issuerPem String: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
privateKeyPem String: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

certificateDomain string: The common name of the certificate.
certificateNotAfter string: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 string: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificatePem string: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateUrl string: The full URL of the certificate within the ACME CA.
id string: The provider-assigned unique ID for this managed resource.
issuerPem string: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
privateKeyPem string: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

certificate_domain str: The common name of the certificate.
certificate_not_after str: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificate_p12 str: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificate_pem str: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificate_url str: The full URL of the certificate within the ACME CA.
id str: The provider-assigned unique ID for this managed resource.
issuer_pem str: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
private_key_pem str: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

certificateDomain String: The common name of the certificate.
certificateNotAfter String: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 String: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificatePem String: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateUrl String: The full URL of the certificate within the ACME CA.
id String: The provider-assigned unique ID for this managed resource.
issuerPem String: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
privateKeyPem String: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

Look up Existing Certificate Resource

Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_key_pem: Optional[str] = None,
        certificate_domain: Optional[str] = None,
        certificate_not_after: Optional[str] = None,
        certificate_p12: Optional[str] = None,
        certificate_p12_password: Optional[str] = None,
        certificate_pem: Optional[str] = None,
        certificate_request_pem: Optional[str] = None,
        certificate_url: Optional[str] = None,
        common_name: Optional[str] = None,
        disable_complete_propagation: Optional[bool] = None,
        dns_challenges: Optional[Sequence[CertificateDnsChallengeArgs]] = None,
        http_challenge: Optional[CertificateHttpChallengeArgs] = None,
        http_memcached_challenge: Optional[CertificateHttpMemcachedChallengeArgs] = None,
        http_s3_challenge: Optional[CertificateHttpS3ChallengeArgs] = None,
        http_webroot_challenge: Optional[CertificateHttpWebrootChallengeArgs] = None,
        issuer_pem: Optional[str] = None,
        key_type: Optional[str] = None,
        min_days_remaining: Optional[int] = None,
        must_staple: Optional[bool] = None,
        pre_check_delay: Optional[int] = None,
        preferred_chain: Optional[str] = None,
        private_key_pem: Optional[str] = None,
        recursive_nameservers: Optional[Sequence[str]] = None,
        revoke_certificate_on_destroy: Optional[bool] = None,
        subject_alternative_names: Optional[Sequence[str]] = None,
        tls_challenge: Optional[CertificateTlsChallengeArgs] = None) -> Certificate

func GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)

public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)

public static Certificate get(String name, Output<String> id, CertificateState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountKeyPem string: The private key of the account that is requesting the certificate. Forces a new resource when changed.
CertificateDomain string: The common name of the certificate.
CertificateNotAfter string: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
CertificateP12 string: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
CertificateP12Password string: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
CertificatePem string: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
CertificateRequestPem string: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
CertificateUrl string: The full URL of the certificate within the ACME CA.
CommonName string: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
DisableCompletePropagation bool: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
DnsChallenges List<Pulumiverse.Acme.Inputs.CertificateDnsChallenge>: The DNS challenges to use in fulfilling the request.
HttpChallenge Pulumiverse.Acme.Inputs.CertificateHttpChallenge: Defines an HTTP challenge to use in fulfilling the request.
HttpMemcachedChallenge Pulumiverse.Acme.Inputs.CertificateHttpMemcachedChallenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
HttpS3Challenge Pulumiverse.Acme.Inputs.CertificateHttpS3Challenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
HttpWebrootChallenge Pulumiverse.Acme.Inputs.CertificateHttpWebrootChallenge: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
IssuerPem string: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
KeyType string: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
MinDaysRemaining int: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
MustStaple bool: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
PreCheckDelay int: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
PreferredChain string: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
PrivateKeyPem string: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
RecursiveNameservers List<string>: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
RevokeCertificateOnDestroy bool: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
SubjectAlternativeNames List<string>: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
TlsChallenge Pulumiverse.Acme.Inputs.CertificateTlsChallenge: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

AccountKeyPem string: The private key of the account that is requesting the certificate. Forces a new resource when changed.
CertificateDomain string: The common name of the certificate.
CertificateNotAfter string: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
CertificateP12 string: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
CertificateP12Password string: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
CertificatePem string: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
CertificateRequestPem string: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
CertificateUrl string: The full URL of the certificate within the ACME CA.
CommonName string: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
DisableCompletePropagation bool: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
DnsChallenges []CertificateDnsChallengeArgs: The DNS challenges to use in fulfilling the request.
HttpChallenge CertificateHttpChallengeArgs: Defines an HTTP challenge to use in fulfilling the request.
HttpMemcachedChallenge CertificateHttpMemcachedChallengeArgs: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
HttpS3Challenge CertificateHttpS3ChallengeArgs: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
HttpWebrootChallenge CertificateHttpWebrootChallengeArgs: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
IssuerPem string: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
KeyType string: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
MinDaysRemaining int: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
MustStaple bool: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
PreCheckDelay int: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
PreferredChain string: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
PrivateKeyPem string: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
RecursiveNameservers []string: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
RevokeCertificateOnDestroy bool: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
SubjectAlternativeNames []string: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
TlsChallenge CertificateTlsChallengeArgs: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem String: The private key of the account that is requesting the certificate. Forces a new resource when changed.
certificateDomain String: The common name of the certificate.
certificateNotAfter String: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 String: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificateP12Password String: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
certificatePem String: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateRequestPem String: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
certificateUrl String: The full URL of the certificate within the ACME CA.
commonName String: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
disableCompletePropagation Boolean: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
dnsChallenges List<CertificateDnsChallenge>: The DNS challenges to use in fulfilling the request.
httpChallenge CertificateHttpChallenge: Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge CertificateHttpMemcachedChallenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge CertificateHttpS3Challenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
httpWebrootChallenge CertificateHttpWebrootChallenge: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
issuerPem String: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
keyType String: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining Integer: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple Boolean: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
preCheckDelay Integer: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
preferredChain String: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
privateKeyPem String: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
recursiveNameservers List<String>: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy Boolean: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
subjectAlternativeNames List<String>: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
tlsChallenge CertificateTlsChallenge: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem string: The private key of the account that is requesting the certificate. Forces a new resource when changed.
certificateDomain string: The common name of the certificate.
certificateNotAfter string: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 string: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificateP12Password string: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
certificatePem string: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateRequestPem string: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
certificateUrl string: The full URL of the certificate within the ACME CA.
commonName string: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
disableCompletePropagation boolean: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
dnsChallenges CertificateDnsChallenge[]: The DNS challenges to use in fulfilling the request.
httpChallenge CertificateHttpChallenge: Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge CertificateHttpMemcachedChallenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge CertificateHttpS3Challenge: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
httpWebrootChallenge CertificateHttpWebrootChallenge: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
issuerPem string: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
keyType string: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining number: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple boolean: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
preCheckDelay number: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
preferredChain string: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
privateKeyPem string: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
recursiveNameservers string[]: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy boolean: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
subjectAlternativeNames string[]: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
tlsChallenge CertificateTlsChallenge: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

account_key_pem str: The private key of the account that is requesting the certificate. Forces a new resource when changed.
certificate_domain str: The common name of the certificate.
certificate_not_after str: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificate_p12 str: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificate_p12_password str: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
certificate_pem str: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificate_request_pem str: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
certificate_url str: The full URL of the certificate within the ACME CA.
common_name str: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
disable_complete_propagation bool: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
dns_challenges Sequence[CertificateDnsChallengeArgs]: The DNS challenges to use in fulfilling the request.
http_challenge CertificateHttpChallengeArgs: Defines an HTTP challenge to use in fulfilling the request.
http_memcached_challenge CertificateHttpMemcachedChallengeArgs: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
http_s3_challenge CertificateHttpS3ChallengeArgs: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
http_webroot_challenge CertificateHttpWebrootChallengeArgs: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
issuer_pem str: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
key_type str: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
min_days_remaining int: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
must_staple bool: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
pre_check_delay int: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
preferred_chain str: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
private_key_pem str: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
recursive_nameservers Sequence[str]: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revoke_certificate_on_destroy bool: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
subject_alternative_names Sequence[str]: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
tls_challenge CertificateTlsChallengeArgs: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem String: The private key of the account that is requesting the certificate. Forces a new resource when changed.
certificateDomain String: The common name of the certificate.
certificateNotAfter String: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 String: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificateP12Password String: Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
certificatePem String: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateRequestPem String: A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.
certificateUrl String: The full URL of the certificate within the ACME CA.
commonName String: The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.
disableCompletePropagation Boolean: Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
dnsChallenges List<Property Map>: The DNS challenges to use in fulfilling the request.
httpChallenge Property Map: Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge Property Map: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge Property Map: Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
httpWebrootChallenge Property Map: Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
issuerPem String: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
keyType String: The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining Number: The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple Boolean: Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
preCheckDelay Number: Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
preferredChain String: The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
privateKeyPem String: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
recursiveNameservers List<String>: The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy Boolean: Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
subjectAlternativeNames List<String>: The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.
tlsChallenge Property Map: Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

Supporting Types

CertificateDnsChallenge, CertificateDnsChallengeArgs

Provider string
Config Dictionary<string, object>

Provider string
Config map[string]interface{}

provider String
config Map<String,Object>

provider string
config {[key: string]: any}

provider str
config Mapping[str, Any]

provider String
config Map<Any>

CertificateHttpChallenge, CertificateHttpChallengeArgs

Port int

The port that the challenge server listens on. Default: 80.

ProxyHeader string

The proxy header to match against. Default: Host.