tls-self-signed-cert logo
Self Signed Certificate v0.1.3, Jan 9 23

Self Signed Certificate

Pulumi’s Self Signed Certificate Package makes it simple for you to quickly create a self signed certificate. The guide below will quickly you through how to provision a self signed certificate with the minimal set of inputs. Please refer to the API Docs for more detailed information on this Packages’s usage.

Quick Start

The following steps will get you started with a self signed certificate.

Configure Environment

Before you get started using Pulumi, let’s run through a few quick steps to ensure your environment is set up correctly.

Install Pulumi

Install Pulumi on macOS through Homebrew:

$ brew install pulumi/tap/pulumi

Install Pulumi on Linux by running the installation script:

$ curl -fsSL https://get.pulumi.com | sh

Install Pulumi on Windows using elevated permissions through the Chocolatey package manager:

> choco install pulumi

For alternative installation instructions (e.g. script-based installation, binaries, etc.) or troubleshooting, see Download and Install.

Next, install the required language runtime, if you have not already.

Install Language Runtime

Choose Your Language

Install Node.js.

Install Python version 3.7 or later. To reduce potential issues with setting up your Python environment on Windows or macOS, you should install Python through the official Python installer.

Install Go.

Install .NET SDK.

Good news! You don't have to install anything else to write Pulumi programs in YAML.

Create New Project

Now that you have set up your environment by installing Pulumi and installing your preferred language runtime, let’s create your Pulumi program.

$ mkdir tls-self-signed-cert-quickstart && cd tls-self-signed-cert-quickstart
$ pulumi new typescript
$ mkdir tls-self-signed-cert-quickstart && cd tls-self-signed-cert-quickstart
$ pulumi new python
# from within your $GOPATH
$ mkdir tls-self-signed-cert-quickstart && cd tls-self-signed-cert-quickstart
$ pulumi new go
$ mkdir tls-self-signed-cert-quickstart && cd tls-self-signed-cert-quickstart
$ pulumi new csharp
$ mkdir tls-self-signed-cert-quickstart && cd tls-self-signed-cert-quickstart
$ pulumi new yaml

The pulumi new command creates a new Pulumi project with some basic scaffolding based on the cloud and language specified.

Note

If this is your first time running pulumi new or other pulumi commands, you may be prompted to log in to the Pulumi Service. The Pulumi CLI and Pulumi Service work in tandem to deliver a reliable experience. It's free for individual use, with features available for teams, and self-managed options are also available. Hitting Enter at the prompt opens a browser for you to sign in or sign up.

After logging in, the CLI will proceed with walking you through creating a new project.

First, you will be asked for a project name and description. Hit ENTER to accept the default values or specify new values.

Next, you will be asked for the name of a stack. Hit ENTER to accept the default value of dev.

What are projects and stacks? Pulumi projects and stacks let you organize Pulumi code. Consider a Pulumi project to be analogous to a GitHub repo—a single place for code—and a stack to be an instance of that code with a separate configuration. For instance, Project Foo may have multiple stacks for different development environments (Dev, Test, or Prod), or perhaps for different cloud configurations (geographic region for example). See Organizing Projects and Stacks for some best practices on organizing your Pulumi projects and stacks.

After some dependency installations from npm, your project and stack will be ready.

Install the Self Signed Certificate Package

Next you will need to install the Self Signed Certificate Package so you can use it in your program.

Yarn
$ yarn add @pulumi/tls-self-signed-cert
NPM
$ npm install @pulumi/tls-self-signed-cert

After the command completes, the project and stack will be ready.

Install the Self Signed Certificate Package

Next you will need to install the Self Signed Certificate Package so you can use it in your program.

$ pip3 install pulumi_tls_self_signed_cert

After the command completes, the project and stack will be ready.

Install the Self Signed Certificate Package

Next you will need to install the Self Signed Certificate Package so you can use it in your program.

$ go get -u github.com/pulumi/pulumi-tls-self-signed-cert/sdk

After the command completes, the project and stack will be ready.

Install the Self Signed Certificate Package

Next you will need to install the Self Signed Certificate Package so you can use it in your program.

$ dotnet add package Pulumi.TlsSelfSignedCert

Update Code

Now that you have all your dependencies installed and your project configured, you can now add the code that will provision your self signed certificate.

Replace your index.ts with the following:

import * as pulumi from "@pulumi/pulumi";
import * as tls_self_signed_cert from "@pulumi/tls-self-signed-cert";

const cert = new tls_self_signed_cert.SelfSignedCertificate("cert", {
    dnsName: "cert.example.com",
    validityPeriodHours: 807660,
    localValidityPeriodHours: 17520,
    subject: {
        commonName: "example-cert",
        organization: "example-cert LLC",
    },
});
export const pem = cert.pem;
export const privateKey = cert.privateKey;
export const caCert = cert.caCert;

Replace your __main__.py with the following:

import pulumi
import pulumi_tls_self_signed_cert as tls_self_signed_cert

cert = tls_self_signed_cert.SelfSignedCertificate("cert",
    dns_name="cert.example.com",
    validity_period_hours=807660,
    local_validity_period_hours=17520,
    subject=%!v(PANIC=Format method: interface conversion: interface {} is json.RawMessage, not python.PackageInfo))
pulumi.export("pem", cert.pem)
pulumi.export("privateKey", cert.private_key)
pulumi.export("caCert", cert.ca_cert)

Replace your main.go with the following:

package main

import (
	selfSignedCert "github.com/pulumi/pulumi-tls-self-signed-cert/sdk/go/tls-self-signed-cert"
	"github.com/pulumi/pulumi-tls/sdk/v4/go/tls"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cert, err := selfSignedCert.NewSelfSignedCertificate(ctx, "cert", &selfSignedCert.SelfSignedCertificateArgs{
			DnsName:                  pulumi.String("cert.example.com"),
			ValidityPeriodHours:      pulumi.Int(807660),
			LocalValidityPeriodHours: pulumi.Int(17520),
			Subject: tls.SelfSignedCertSubjectArgs{
				CommonName:   pulumi.String("example-cert"),
				Organization: pulumi.String("example-cert LLC"),
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("pem", cert.Pem)
		ctx.Export("privateKey", cert.PrivateKey)
		ctx.Export("caCert", cert.CaCert)
	})
}

Replace your Program.cs with the following:

using System.Collections.Generic;
using Pulumi;
using TlsSelfSignedCert = Pulumi.TlsSelfSignedCert;

return await Deployment.RunAsync(() =>
{
    var cert = new TlsSelfSignedCert.SelfSignedCertificate("cert", new()
    {
        DnsName = "cert.example.com",
        ValidityPeriodHours = 807660,
        LocalValidityPeriodHours = 17520,
        Subject = %!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference),
    });

    return new Dictionary<string, object?>
    {
        ["pem"] = cert.Pem,
        ["privateKey"] = cert.PrivateKey,
        ["caCert"] = cert.CaCert,
    };
});

Replace your Pulumi.yaml with the following:

name: tls-self-signed-cert
runtime: yaml
resources:
    cert:
        type: "tls-self-signed-cert:index:SelfSignedCertificate"
        properties:
            dnsName: "cert.example.com"
            validityPeriodHours: 807660
            localValidityPeriodHours: 17520
            subject:
                commonName: "example-cert"
                organization: "example-cert LLC"
outputs:
    pem: ${cert.pem}
    privateKey: ${cert.privateKey}
    caCert: ${cert.caCert}

Deploy

Once you have updated your code you are ready to create your Self Signed Certificate. To do so, run the the following command:

$ pulumi up

First Pulumi will perform a preview showing you exactly what will be created. Once the preview is complete Pulumi will ask you if you want to continue. Select yes to proceed to actually provisioning the service.

All the different resources need to create a self signed certificate will be created.

(Optional) Destroy

You can destroy all the resources by running pulumi destroy.