SelfSignedCert

TLS v5.4.0, May 14 26

Viewing docs for TLS v5.4.0
published on Thursday, May 14, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-tls

Viewing docs for TLS v5.4.0
published on Thursday, May 14, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-tls

Warning Self-signed certificates are usually used only in development environments or applications deployed internally to an organization. Certificates of this type are generally not trusted by client software such as web browsers. Therefore clients are likely to generate trust warnings when connecting to a server that has a self-signed certificate.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as tls from "@pulumi/tls";

const example = new tls.SelfSignedCert("example", {
    privateKeyPem: std.file({
        input: "private_key.pem",
    }).then(invoke => invoke.result),
    subject: {
        commonName: "example.com",
        organization: "ACME Examples, Inc",
    },
    validityPeriodHours: 12,
    allowedUses: [
        "key_encipherment",
        "digital_signature",
        "server_auth",
    ],
});

import pulumi
import pulumi_std as std
import pulumi_tls as tls

example = tls.SelfSignedCert("example",
    private_key_pem=std.file(input="private_key.pem").result,
    subject={
        "common_name": "example.com",
        "organization": "ACME Examples, Inc",
    },
    validity_period_hours=12,
    allowed_uses=[
        "key_encipherment",
        "digital_signature",
        "server_auth",
    ])

package main

import (
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-tls/sdk/v5/go/tls"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "private_key.pem",
		}, nil)
		if err != nil {
			return err
		}
		_, err = tls.NewSelfSignedCert(ctx, "example", &tls.SelfSignedCertArgs{
			PrivateKeyPem: pulumi.String(invokeFile.Result),
			Subject: &tls.SelfSignedCertSubjectArgs{
				CommonName:   pulumi.String("example.com"),
				Organization: pulumi.String("ACME Examples, Inc"),
			},
			ValidityPeriodHours: pulumi.Int(12),
			AllowedUses: pulumi.StringArray{
				pulumi.String("key_encipherment"),
				pulumi.String("digital_signature"),
				pulumi.String("server_auth"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Tls = Pulumi.Tls;

return await Deployment.RunAsync(() => 
{
    var example = new Tls.SelfSignedCert("example", new()
    {
        PrivateKeyPem = Std.File.Invoke(new()
        {
            Input = "private_key.pem",
        }).Apply(invoke => invoke.Result),
        Subject = new Tls.Inputs.SelfSignedCertSubjectArgs
        {
            CommonName = "example.com",
            Organization = "ACME Examples, Inc",
        },
        ValidityPeriodHours = 12,
        AllowedUses = new[]
        {
            "key_encipherment",
            "digital_signature",
            "server_auth",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.tls.SelfSignedCert;
import com.pulumi.tls.SelfSignedCertArgs;
import com.pulumi.tls.inputs.SelfSignedCertSubjectArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new SelfSignedCert("example", SelfSignedCertArgs.builder()
            .privateKeyPem(StdFunctions.file(FileArgs.builder()
                .input("private_key.pem")
                .build()).result())
            .subject(SelfSignedCertSubjectArgs.builder()
                .commonName("example.com")
                .organization("ACME Examples, Inc")
                .build())
            .validityPeriodHours(12)
            .allowedUses(            
                "key_encipherment",
                "digital_signature",
                "server_auth")
            .build());

    }
}

resources:
  example:
    type: tls:SelfSignedCert
    properties:
      privateKeyPem:
        fn::invoke:
          function: std:file
          arguments:
            input: private_key.pem
          return: result
      subject:
        commonName: example.com
        organization: ACME Examples, Inc
      validityPeriodHours: 12
      allowedUses:
        - key_encipherment
        - digital_signature
        - server_auth

Example coming soon!

Automatic Renewal

This resource considers its instances to have been deleted after either their validity periods ends (i.e. beyond the validityPeriodHours) or the early renewal period is reached (i.e. within the earlyRenewalHours): when this happens, the readyForRenewal attribute will be true. At this time, applying the Terraform configuration will cause a new certificate to be generated for the instance.

Therefore in a development environment with frequent deployments it may be convenient to set a relatively-short expiration time and use early renewal to automatically provision a new certificate when the current one is about to expire.

The creation of a new certificate may of course cause dependent resources to be updated or replaced, depending on the lifecycle rules applying to those resources.

Create SelfSignedCert Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SelfSignedCert(name: string, args: SelfSignedCertArgs, opts?: CustomResourceOptions);

@overload
def SelfSignedCert(resource_name: str,
                   args: SelfSignedCertArgs,
                   opts: Optional[ResourceOptions] = None)

@overload
def SelfSignedCert(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   allowed_uses: Optional[Sequence[str]] = None,
                   private_key_pem: Optional[str] = None,
                   validity_period_hours: Optional[int] = None,
                   dns_names: Optional[Sequence[str]] = None,
                   early_renewal_hours: Optional[int] = None,
                   ip_addresses: Optional[Sequence[str]] = None,
                   is_ca_certificate: Optional[bool] = None,
                   max_path_length: Optional[int] = None,
                   set_authority_key_id: Optional[bool] = None,
                   set_subject_key_id: Optional[bool] = None,
                   subject: Optional[SelfSignedCertSubjectArgs] = None,
                   uris: Optional[Sequence[str]] = None)

func NewSelfSignedCert(ctx *Context, name string, args SelfSignedCertArgs, opts ...ResourceOption) (*SelfSignedCert, error)

public SelfSignedCert(string name, SelfSignedCertArgs args, CustomResourceOptions? opts = null)

public SelfSignedCert(String name, SelfSignedCertArgs args)
public SelfSignedCert(String name, SelfSignedCertArgs args, CustomResourceOptions options)

type: tls:SelfSignedCert
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

resource "tls_selfsignedcert" "name" {
    # resource properties
}

Parameters

name string: The unique name of the resource.
args SelfSignedCertArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SelfSignedCertArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SelfSignedCertArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SelfSignedCertArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SelfSignedCertArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var selfSignedCertResource = new Tls.SelfSignedCert("selfSignedCertResource", new()
{
    AllowedUses = new[]
    {
        "string",
    },
    PrivateKeyPem = "string",
    ValidityPeriodHours = 0,
    DnsNames = new[]
    {
        "string",
    },
    EarlyRenewalHours = 0,
    IpAddresses = new[]
    {
        "string",
    },
    IsCaCertificate = false,
    MaxPathLength = 0,
    SetAuthorityKeyId = false,
    SetSubjectKeyId = false,
    Subject = new Tls.Inputs.SelfSignedCertSubjectArgs
    {
        CommonName = "string",
        Country = "string",
        EmailAddress = "string",
        Locality = "string",
        Organization = "string",
        OrganizationalUnit = "string",
        PostalCode = "string",
        Province = "string",
        SerialNumber = "string",
        StreetAddresses = new[]
        {
            "string",
        },
    },
    Uris = new[]
    {
        "string",
    },
});

example, err := tls.NewSelfSignedCert(ctx, "selfSignedCertResource", &tls.SelfSignedCertArgs{
	AllowedUses: pulumi.StringArray{
		pulumi.String("string"),
	},
	PrivateKeyPem:       pulumi.String("string"),
	ValidityPeriodHours: pulumi.Int(0),
	DnsNames: pulumi.StringArray{
		pulumi.String("string"),
	},
	EarlyRenewalHours: pulumi.Int(0),
	IpAddresses: pulumi.StringArray{
		pulumi.String("string"),
	},
	IsCaCertificate:   pulumi.Bool(false),
	MaxPathLength:     pulumi.Int(0),
	SetAuthorityKeyId: pulumi.Bool(false),
	SetSubjectKeyId:   pulumi.Bool(false),
	Subject: &tls.SelfSignedCertSubjectArgs{
		CommonName:         pulumi.String("string"),
		Country:            pulumi.String("string"),
		EmailAddress:       pulumi.String("string"),
		Locality:           pulumi.String("string"),
		Organization:       pulumi.String("string"),
		OrganizationalUnit: pulumi.String("string"),
		PostalCode:         pulumi.String("string"),
		Province:           pulumi.String("string"),
		SerialNumber:       pulumi.String("string"),
		StreetAddresses: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	Uris: pulumi.StringArray{
		pulumi.String("string"),
	},
})

resource "tls_selfsignedcert" "selfSignedCertResource" {
  allowed_uses          = ["string"]
  private_key_pem       = "string"
  validity_period_hours = 0
  dns_names             = ["string"]
  early_renewal_hours   = 0
  ip_addresses          = ["string"]
  is_ca_certificate     = false
  max_path_length       = 0
  set_authority_key_id  = false
  set_subject_key_id    = false
  subject = {
    common_name         = "string"
    country             = "string"
    email_address       = "string"
    locality            = "string"
    organization        = "string"
    organizational_unit = "string"
    postal_code         = "string"
    province            = "string"
    serial_number       = "string"
    street_addresses    = ["string"]
  }
  uris = ["string"]
}

var selfSignedCertResource = new SelfSignedCert("selfSignedCertResource", SelfSignedCertArgs.builder()
    .allowedUses("string")
    .privateKeyPem("string")
    .validityPeriodHours(0)
    .dnsNames("string")
    .earlyRenewalHours(0)
    .ipAddresses("string")
    .isCaCertificate(false)
    .maxPathLength(0)
    .setAuthorityKeyId(false)
    .setSubjectKeyId(false)
    .subject(SelfSignedCertSubjectArgs.builder()
        .commonName("string")
        .country("string")
        .emailAddress("string")
        .locality("string")
        .organization("string")
        .organizationalUnit("string")
        .postalCode("string")
        .province("string")
        .serialNumber("string")
        .streetAddresses("string")
        .build())
    .uris("string")
    .build());

self_signed_cert_resource = tls.SelfSignedCert("selfSignedCertResource",
    allowed_uses=["string"],
    private_key_pem="string",
    validity_period_hours=0,
    dns_names=["string"],
    early_renewal_hours=0,
    ip_addresses=["string"],
    is_ca_certificate=False,
    max_path_length=0,
    set_authority_key_id=False,
    set_subject_key_id=False,
    subject={
        "common_name": "string",
        "country": "string",
        "email_address": "string",
        "locality": "string",
        "organization": "string",
        "organizational_unit": "string",
        "postal_code": "string",
        "province": "string",
        "serial_number": "string",
        "street_addresses": ["string"],
    },
    uris=["string"])

const selfSignedCertResource = new tls.SelfSignedCert("selfSignedCertResource", {
    allowedUses: ["string"],
    privateKeyPem: "string",
    validityPeriodHours: 0,
    dnsNames: ["string"],
    earlyRenewalHours: 0,
    ipAddresses: ["string"],
    isCaCertificate: false,
    maxPathLength: 0,
    setAuthorityKeyId: false,
    setSubjectKeyId: false,
    subject: {
        commonName: "string",
        country: "string",
        emailAddress: "string",
        locality: "string",
        organization: "string",
        organizationalUnit: "string",
        postalCode: "string",
        province: "string",
        serialNumber: "string",
        streetAddresses: ["string"],
    },
    uris: ["string"],
});

type: tls:SelfSignedCert
properties:
    allowedUses:
        - string
    dnsNames:
        - string
    earlyRenewalHours: 0
    ipAddresses:
        - string
    isCaCertificate: false
    maxPathLength: 0
    privateKeyPem: string
    setAuthorityKeyId: false
    setSubjectKeyId: false
    subject:
        commonName: string
        country: string
        emailAddress: string
        locality: string
        organization: string
        organizationalUnit: string
        postalCode: string
        province: string
        serialNumber: string
        streetAddresses:
            - string
    uris:
        - string
    validityPeriodHours: 0

SelfSignedCert Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SelfSignedCert resource accepts the following input properties:

AllowedUses List<string>: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
PrivateKeyPem string: Private key in PEM (RFC 1421) format, that the certificate will belong to.
ValidityPeriodHours int: Number of hours, after initial issuing, that the certificate will remain valid for.
DnsNames List<string>: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
EarlyRenewalHours int: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
IpAddresses List<string>: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
IsCaCertificate bool: Is the generated certificate representing a Certificate Authority (CA) (default: false).
MaxPathLength int: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
SetAuthorityKeyId bool: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
SetSubjectKeyId bool: Should the generated certificate include a subject key identifier (default: false).
Subject SelfSignedCertSubject: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
Uris List<string>: List of URIs for which a certificate is being requested (i.e. certificate subjects).

AllowedUses []string: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
PrivateKeyPem string: Private key in PEM (RFC 1421) format, that the certificate will belong to.
ValidityPeriodHours int: Number of hours, after initial issuing, that the certificate will remain valid for.
DnsNames []string: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
EarlyRenewalHours int: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
IpAddresses []string: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
IsCaCertificate bool: Is the generated certificate representing a Certificate Authority (CA) (default: false).
MaxPathLength int: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
SetAuthorityKeyId bool: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
SetSubjectKeyId bool: Should the generated certificate include a subject key identifier (default: false).
Subject SelfSignedCertSubjectArgs: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
Uris []string: List of URIs for which a certificate is being requested (i.e. certificate subjects).

allowed_uses list(string): List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
private_key_pem string: Private key in PEM (RFC 1421) format, that the certificate will belong to.
validity_period_hours number: Number of hours, after initial issuing, that the certificate will remain valid for.
dns_names list(string): List of DNS names for which a certificate is being requested (i.e. certificate subjects).
early_renewal_hours number: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
ip_addresses list(string): List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
is_ca_certificate bool: Is the generated certificate representing a Certificate Authority (CA) (default: false).
max_path_length number: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
set_authority_key_id bool: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
set_subject_key_id bool: Should the generated certificate include a subject key identifier (default: false).
subject object: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
uris list(string): List of URIs for which a certificate is being requested (i.e. certificate subjects).

allowedUses List<String>: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
privateKeyPem String: Private key in PEM (RFC 1421) format, that the certificate will belong to.
validityPeriodHours Integer: Number of hours, after initial issuing, that the certificate will remain valid for.
dnsNames List<String>: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
earlyRenewalHours Integer: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
ipAddresses List<String>: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
isCaCertificate Boolean: Is the generated certificate representing a Certificate Authority (CA) (default: false).
maxPathLength Integer: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
setAuthorityKeyId Boolean: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
setSubjectKeyId Boolean: Should the generated certificate include a subject key identifier (default: false).
subject SelfSignedCertSubject: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
uris List<String>: List of URIs for which a certificate is being requested (i.e. certificate subjects).

allowedUses string[]: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
privateKeyPem string: Private key in PEM (RFC 1421) format, that the certificate will belong to.
validityPeriodHours number: Number of hours, after initial issuing, that the certificate will remain valid for.
dnsNames string[]: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
earlyRenewalHours number: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
ipAddresses string[]: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
isCaCertificate boolean: Is the generated certificate representing a Certificate Authority (CA) (default: false).
maxPathLength number: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
setAuthorityKeyId boolean: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
setSubjectKeyId boolean: Should the generated certificate include a subject key identifier (default: false).
subject SelfSignedCertSubject: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
uris string[]: List of URIs for which a certificate is being requested (i.e. certificate subjects).

allowed_uses Sequence[str]: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
private_key_pem str: Private key in PEM (RFC 1421) format, that the certificate will belong to.
validity_period_hours int: Number of hours, after initial issuing, that the certificate will remain valid for.
dns_names Sequence[str]: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
early_renewal_hours int: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
ip_addresses Sequence[str]: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
is_ca_certificate bool: Is the generated certificate representing a Certificate Authority (CA) (default: false).
max_path_length int: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
set_authority_key_id bool: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
set_subject_key_id bool: Should the generated certificate include a subject key identifier (default: false).
subject SelfSignedCertSubjectArgs: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
uris Sequence[str]: List of URIs for which a certificate is being requested (i.e. certificate subjects).

allowedUses List<String>: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
privateKeyPem String: Private key in PEM (RFC 1421) format, that the certificate will belong to.
validityPeriodHours Number: Number of hours, after initial issuing, that the certificate will remain valid for.
dnsNames List<String>: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
earlyRenewalHours Number: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
ipAddresses List<String>: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
isCaCertificate Boolean: Is the generated certificate representing a Certificate Authority (CA) (default: false).
maxPathLength Number: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
setAuthorityKeyId Boolean: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
setSubjectKeyId Boolean: Should the generated certificate include a subject key identifier (default: false).
subject Property Map: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
uris List<String>: List of URIs for which a certificate is being requested (i.e. certificate subjects).

Outputs

All input properties are implicitly available as output properties. Additionally, the SelfSignedCert resource produces the following output properties:

CertPem string: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
Id string: The provider-assigned unique ID for this managed resource.
KeyAlgorithm string: Name of the algorithm used when generating the private key provided in privateKeyPem.
ReadyForRenewal bool: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
ValidityEndTime string: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
ValidityStartTime string: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

CertPem string: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
Id string: The provider-assigned unique ID for this managed resource.
KeyAlgorithm string: Name of the algorithm used when generating the private key provided in privateKeyPem.
ReadyForRenewal bool: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
ValidityEndTime string: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
ValidityStartTime string: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

cert_pem string: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
id string: The provider-assigned unique ID for this managed resource.
key_algorithm string: Name of the algorithm used when generating the private key provided in privateKeyPem.
ready_for_renewal bool: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
validity_end_time string: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
validity_start_time string: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

certPem String: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
id String: The provider-assigned unique ID for this managed resource.
keyAlgorithm String: Name of the algorithm used when generating the private key provided in privateKeyPem.
readyForRenewal Boolean: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
validityEndTime String: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
validityStartTime String: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

certPem string: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
id string: The provider-assigned unique ID for this managed resource.
keyAlgorithm string: Name of the algorithm used when generating the private key provided in privateKeyPem.
readyForRenewal boolean: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
validityEndTime string: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
validityStartTime string: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

cert_pem str: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
id str: The provider-assigned unique ID for this managed resource.
key_algorithm str: Name of the algorithm used when generating the private key provided in privateKeyPem.
ready_for_renewal bool: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
validity_end_time str: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
validity_start_time str: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

certPem String: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
id String: The provider-assigned unique ID for this managed resource.
keyAlgorithm String: Name of the algorithm used when generating the private key provided in privateKeyPem.
readyForRenewal Boolean: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
validityEndTime String: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
validityStartTime String: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

Look up Existing SelfSignedCert Resource

Get an existing SelfSignedCert resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SelfSignedCertState, opts?: CustomResourceOptions): SelfSignedCert

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allowed_uses: Optional[Sequence[str]] = None,
        cert_pem: Optional[str] = None,
        dns_names: Optional[Sequence[str]] = None,
        early_renewal_hours: Optional[int] = None,
        ip_addresses: Optional[Sequence[str]] = None,
        is_ca_certificate: Optional[bool] = None,
        key_algorithm: Optional[str] = None,
        max_path_length: Optional[int] = None,
        private_key_pem: Optional[str] = None,
        ready_for_renewal: Optional[bool] = None,
        set_authority_key_id: Optional[bool] = None,
        set_subject_key_id: Optional[bool] = None,
        subject: Optional[SelfSignedCertSubjectArgs] = None,
        uris: Optional[Sequence[str]] = None,
        validity_end_time: Optional[str] = None,
        validity_period_hours: Optional[int] = None,
        validity_start_time: Optional[str] = None) -> SelfSignedCert

func GetSelfSignedCert(ctx *Context, name string, id IDInput, state *SelfSignedCertState, opts ...ResourceOption) (*SelfSignedCert, error)

public static SelfSignedCert Get(string name, Input<string> id, SelfSignedCertState? state, CustomResourceOptions? opts = null)

public static SelfSignedCert get(String name, Output<String> id, SelfSignedCertState state, CustomResourceOptions options)

resources:  _:    type: tls:SelfSignedCert    get:      id: ${id}

import {
  to = tls_selfsignedcert.example
  id = "${id}"
}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowedUses List<string>: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
CertPem string: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
DnsNames List<string>: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
EarlyRenewalHours int: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
IpAddresses List<string>: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
IsCaCertificate bool: Is the generated certificate representing a Certificate Authority (CA) (default: false).
KeyAlgorithm string: Name of the algorithm used when generating the private key provided in privateKeyPem.
MaxPathLength int: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
PrivateKeyPem string: Private key in PEM (RFC 1421) format, that the certificate will belong to.
ReadyForRenewal bool: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
SetAuthorityKeyId bool: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
SetSubjectKeyId bool: Should the generated certificate include a subject key identifier (default: false).
Subject SelfSignedCertSubject: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
Uris List<string>: List of URIs for which a certificate is being requested (i.e. certificate subjects).
ValidityEndTime string: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
ValidityPeriodHours int: Number of hours, after initial issuing, that the certificate will remain valid for.
ValidityStartTime string: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

AllowedUses []string: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
CertPem string: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
DnsNames []string: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
EarlyRenewalHours int: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
IpAddresses []string: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
IsCaCertificate bool: Is the generated certificate representing a Certificate Authority (CA) (default: false).
KeyAlgorithm string: Name of the algorithm used when generating the private key provided in privateKeyPem.
MaxPathLength int: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
PrivateKeyPem string: Private key in PEM (RFC 1421) format, that the certificate will belong to.
ReadyForRenewal bool: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
SetAuthorityKeyId bool: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
SetSubjectKeyId bool: Should the generated certificate include a subject key identifier (default: false).
Subject SelfSignedCertSubjectArgs: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
Uris []string: List of URIs for which a certificate is being requested (i.e. certificate subjects).
ValidityEndTime string: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
ValidityPeriodHours int: Number of hours, after initial issuing, that the certificate will remain valid for.
ValidityStartTime string: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

allowed_uses list(string): List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
cert_pem string: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
dns_names list(string): List of DNS names for which a certificate is being requested (i.e. certificate subjects).
early_renewal_hours number: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
ip_addresses list(string): List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
is_ca_certificate bool: Is the generated certificate representing a Certificate Authority (CA) (default: false).
key_algorithm string: Name of the algorithm used when generating the private key provided in privateKeyPem.
max_path_length number: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
private_key_pem string: Private key in PEM (RFC 1421) format, that the certificate will belong to.
ready_for_renewal bool: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
set_authority_key_id bool: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
set_subject_key_id bool: Should the generated certificate include a subject key identifier (default: false).
subject object: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
uris list(string): List of URIs for which a certificate is being requested (i.e. certificate subjects).
validity_end_time string: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
validity_period_hours number: Number of hours, after initial issuing, that the certificate will remain valid for.
validity_start_time string: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

allowedUses List<String>: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
certPem String: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
dnsNames List<String>: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
earlyRenewalHours Integer: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
ipAddresses List<String>: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
isCaCertificate Boolean: Is the generated certificate representing a Certificate Authority (CA) (default: false).
keyAlgorithm String: Name of the algorithm used when generating the private key provided in privateKeyPem.
maxPathLength Integer: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
privateKeyPem String: Private key in PEM (RFC 1421) format, that the certificate will belong to.
readyForRenewal Boolean: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
setAuthorityKeyId Boolean: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
setSubjectKeyId Boolean: Should the generated certificate include a subject key identifier (default: false).
subject SelfSignedCertSubject: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
uris List<String>: List of URIs for which a certificate is being requested (i.e. certificate subjects).
validityEndTime String: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
validityPeriodHours Integer: Number of hours, after initial issuing, that the certificate will remain valid for.
validityStartTime String: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

allowedUses string[]: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
certPem string: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
dnsNames string[]: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
earlyRenewalHours number: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
ipAddresses string[]: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
isCaCertificate boolean: Is the generated certificate representing a Certificate Authority (CA) (default: false).
keyAlgorithm string: Name of the algorithm used when generating the private key provided in privateKeyPem.
maxPathLength number: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
privateKeyPem string: Private key in PEM (RFC 1421) format, that the certificate will belong to.
readyForRenewal boolean: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
setAuthorityKeyId boolean: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
setSubjectKeyId boolean: Should the generated certificate include a subject key identifier (default: false).
subject SelfSignedCertSubject: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
uris string[]: List of URIs for which a certificate is being requested (i.e. certificate subjects).
validityEndTime string: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
validityPeriodHours number: Number of hours, after initial issuing, that the certificate will remain valid for.
validityStartTime string: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

allowed_uses Sequence[str]: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
cert_pem str: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
dns_names Sequence[str]: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
early_renewal_hours int: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
ip_addresses Sequence[str]: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
is_ca_certificate bool: Is the generated certificate representing a Certificate Authority (CA) (default: false).
key_algorithm str: Name of the algorithm used when generating the private key provided in privateKeyPem.
max_path_length int: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
private_key_pem str: Private key in PEM (RFC 1421) format, that the certificate will belong to.
ready_for_renewal bool: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
set_authority_key_id bool: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
set_subject_key_id bool: Should the generated certificate include a subject key identifier (default: false).
subject SelfSignedCertSubjectArgs: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
uris Sequence[str]: List of URIs for which a certificate is being requested (i.e. certificate subjects).
validity_end_time str: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
validity_period_hours int: Number of hours, after initial issuing, that the certificate will remain valid for.
validity_start_time str: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

allowedUses List<String>: List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: anyExtended, certSigning, clientAuth, codeSigning, contentCommitment, crlSigning, dataEncipherment, decipherOnly, digitalSignature, emailProtection, encipherOnly, ipsecEndSystem, ipsecTunnel, ipsecUser, keyAgreement, keyEncipherment, microsoftCommercialCodeSigning, microsoftKernelCodeSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, ocspSigning, serverAuth, timestamping.
certPem String: Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
dnsNames List<String>: List of DNS names for which a certificate is being requested (i.e. certificate subjects).
earlyRenewalHours Number: The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)
ipAddresses List<String>: List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
isCaCertificate Boolean: Is the generated certificate representing a Certificate Authority (CA) (default: false).
keyAlgorithm String: Name of the algorithm used when generating the private key provided in privateKeyPem.
maxPathLength Number: Maximum number of intermediate certificates that may follow this certificate in a valid certification path. If isCaCertificate is false, this value is ignored.
privateKeyPem String: Private key in PEM (RFC 1421) format, that the certificate will belong to.
readyForRenewal Boolean: Is the certificate either expired (i.e. beyond the validityPeriodHours) or ready for an early renewal (i.e. within the earlyRenewalHours)?
setAuthorityKeyId Boolean: Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: false).
setSubjectKeyId Boolean: Should the generated certificate include a subject key identifier (default: false).
subject Property Map: The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon Issuer Distinguished Names (RFC5280) section.
uris List<String>: List of URIs for which a certificate is being requested (i.e. certificate subjects).
validityEndTime String: The time until which the certificate is invalid, expressed as an RFC3339 timestamp.
validityPeriodHours Number: Number of hours, after initial issuing, that the certificate will remain valid for.
validityStartTime String: The time after which the certificate is valid, expressed as an RFC3339 timestamp.

Supporting Types

SelfSignedCertSubject, SelfSignedCertSubjectArgs

CommonName string: Distinguished name: CN
Country string: Distinguished name: C
EmailAddress string: ASN.1 Object Identifier (OID): 1.2.840.113549.1.9.1
Locality string: Distinguished name: L
Organization string: Distinguished name: O
OrganizationalUnit string: Distinguished name: OU
PostalCode string: Distinguished name: PC
Province string: Distinguished name: ST
SerialNumber string: Distinguished name: SERIALNUMBER
StreetAddresses List<string>: Distinguished name: STREET

CommonName string: Distinguished name: CN
Country string: Distinguished name: C
EmailAddress string: ASN.1 Object Identifier (OID): 1.2.840.113549.1.9.1
Locality string: Distinguished name: L
Organization string: Distinguished name: O
OrganizationalUnit string: Distinguished name: OU
PostalCode string: Distinguished name: PC
Province string: Distinguished name: ST
SerialNumber string: Distinguished name: SERIALNUMBER
StreetAddresses []string: Distinguished name: STREET

common_name string: Distinguished name: CN
country string: Distinguished name: C
email_address string: ASN.1 Object Identifier (OID): 1.2.840.113549.1.9.1
locality string: Distinguished name: L
organization string: Distinguished name: O
organizational_unit string: Distinguished name: OU
postal_code string: Distinguished name: PC
province string: Distinguished name: ST
serial_number string: Distinguished name: SERIALNUMBER
street_addresses list(string): Distinguished name: STREET

commonName String: Distinguished name: CN
country String: Distinguished name: C
emailAddress String: ASN.1 Object Identifier (OID): 1.2.840.113549.1.9.1
locality String: Distinguished name: L
organization String: Distinguished name: O
organizationalUnit String: Distinguished name: OU
postalCode String: Distinguished name: PC
province String: Distinguished name: ST
serialNumber String: Distinguished name: SERIALNUMBER
streetAddresses List<String>: Distinguished name: STREET

commonName string: Distinguished name: CN
country string: Distinguished name: C
emailAddress string: ASN.1 Object Identifier (OID): 1.2.840.113549.1.9.1
locality string: Distinguished name: L
organization string: Distinguished name: O
organizationalUnit string: Distinguished name: OU
postalCode string: Distinguished name: PC
province string: Distinguished name: ST
serialNumber string: Distinguished name: SERIALNUMBER
streetAddresses string[]: Distinguished name: STREET

common_name str: Distinguished name: CN
country str: Distinguished name: C
email_address str: ASN.1 Object Identifier (OID): 1.2.840.113549.1.9.1
locality str: Distinguished name: L
organization str: Distinguished name: O
organizational_unit str: Distinguished name: OU
postal_code str: Distinguished name: PC
province str: Distinguished name: ST
serial_number str: Distinguished name: SERIALNUMBER
street_addresses Sequence[str]: Distinguished name: STREET

commonName String: Distinguished name: CN
country String: Distinguished name: C
emailAddress String: ASN.1 Object Identifier (OID): 1.2.840.113549.1.9.1
locality String: Distinguished name: L
organization String: Distinguished name: O
organizationalUnit String: Distinguished name: OU
postalCode String: Distinguished name: PC
province String: Distinguished name: ST
serialNumber String: Distinguished name: SERIALNUMBER
streetAddresses List<String>: Distinguished name: STREET

Package Details

Repository: TLS pulumi/pulumi-tls
License: Apache-2.0
Notes: This Pulumi package is based on the tls Terraform Provider.

Viewing docs for TLS v5.4.0
published on Thursday, May 14, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-tls

tls.SelfSignedCert

On this page

On this page

Example Usage

Automatic Renewal

Create SelfSignedCert Resource

Constructor syntax

Parameters

Constructor example

SelfSignedCert Resource Properties

Inputs

Outputs

Look up Existing SelfSignedCert Resource

Supporting Types

SelfSignedCertSubject, SelfSignedCertSubjectArgs

Package Details

On this page

On this page