vault.pkiSecret.SecretBackendRootCert

HashiCorp Vault v7.8.0, Mar 31 26

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const test = new vault.pkisecret.SecretBackendRootCert("test", {
    backend: pki.path,
    type: "internal",
    commonName: "Root CA",
    ttl: "315360000",
    format: "pem",
    privateKeyFormat: "der",
    keyType: "rsa",
    keyBits: 4096,
    excludeCnFromSans: true,
    ou: "My OU",
    organization: "My organization",
}, {
    dependsOn: [pki],
});

import pulumi
import pulumi_vault as vault

test = vault.pkisecret.SecretBackendRootCert("test",
    backend=pki["path"],
    type="internal",
    common_name="Root CA",
    ttl="315360000",
    format="pem",
    private_key_format="der",
    key_type="rsa",
    key_bits=4096,
    exclude_cn_from_sans=True,
    ou="My OU",
    organization="My organization",
    opts = pulumi.ResourceOptions(depends_on=[pki]))

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := pkisecret.NewSecretBackendRootCert(ctx, "test", &pkisecret.SecretBackendRootCertArgs{
			Backend:           pulumi.Any(pki.Path),
			Type:              pulumi.String("internal"),
			CommonName:        pulumi.String("Root CA"),
			Ttl:               pulumi.String("315360000"),
			Format:            pulumi.String("pem"),
			PrivateKeyFormat:  pulumi.String("der"),
			KeyType:           pulumi.String("rsa"),
			KeyBits:           pulumi.Int(4096),
			ExcludeCnFromSans: pulumi.Bool(true),
			Ou:                pulumi.String("My OU"),
			Organization:      pulumi.String("My organization"),
		}, pulumi.DependsOn([]pulumi.Resource{
			pki,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var test = new Vault.PkiSecret.SecretBackendRootCert("test", new()
    {
        Backend = pki.Path,
        Type = "internal",
        CommonName = "Root CA",
        Ttl = "315360000",
        Format = "pem",
        PrivateKeyFormat = "der",
        KeyType = "rsa",
        KeyBits = 4096,
        ExcludeCnFromSans = true,
        Ou = "My OU",
        Organization = "My organization",
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            pki,
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.pkiSecret.SecretBackendRootCert;
import com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new SecretBackendRootCert("test", SecretBackendRootCertArgs.builder()
            .backend(pki.path())
            .type("internal")
            .commonName("Root CA")
            .ttl("315360000")
            .format("pem")
            .privateKeyFormat("der")
            .keyType("rsa")
            .keyBits(4096)
            .excludeCnFromSans(true)
            .ou("My OU")
            .organization("My organization")
            .build(), CustomResourceOptions.builder()
                .dependsOn(pki)
                .build());

    }
}

resources:
  test:
    type: vault:pkiSecret:SecretBackendRootCert
    properties:
      backend: ${pki.path}
      type: internal
      commonName: Root CA
      ttl: '315360000'
      format: pem
      privateKeyFormat: der
      keyType: rsa
      keyBits: 4096
      excludeCnFromSans: true
      ou: My OU
      organization: My organization
    options:
      dependsOn:
        - ${pki}

Create SecretBackendRootCert Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecretBackendRootCert(name: string, args: SecretBackendRootCertArgs, opts?: CustomResourceOptions);

@overload
def SecretBackendRootCert(resource_name: str,
                          args: SecretBackendRootCertArgs,
                          opts: Optional[ResourceOptions] = None)

@overload
def SecretBackendRootCert(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          type: Optional[str] = None,
                          backend: Optional[str] = None,
                          common_name: Optional[str] = None,
                          max_path_length: Optional[int] = None,
                          not_after: Optional[str] = None,
                          excluded_dns_domains: Optional[Sequence[str]] = None,
                          excluded_email_addresses: Optional[Sequence[str]] = None,
                          excluded_ip_ranges: Optional[Sequence[str]] = None,
                          not_before_duration: Optional[str] = None,
                          format: Optional[str] = None,
                          ip_sans: Optional[Sequence[str]] = None,
                          issuer_name: Optional[str] = None,
                          key_bits: Optional[int] = None,
                          key_name: Optional[str] = None,
                          key_ref: Optional[str] = None,
                          key_type: Optional[str] = None,
                          key_usages: Optional[Sequence[str]] = None,
                          locality: Optional[str] = None,
                          managed_key_id: Optional[str] = None,
                          managed_key_name: Optional[str] = None,
                          alt_names: Optional[Sequence[str]] = None,
                          exclude_cn_from_sans: Optional[bool] = None,
                          namespace: Optional[str] = None,
                          excluded_uri_domains: Optional[Sequence[str]] = None,
                          organization: Optional[str] = None,
                          other_sans: Optional[Sequence[str]] = None,
                          ou: Optional[str] = None,
                          permitted_dns_domains: Optional[Sequence[str]] = None,
                          permitted_email_addresses: Optional[Sequence[str]] = None,
                          permitted_ip_ranges: Optional[Sequence[str]] = None,
                          permitted_uri_domains: Optional[Sequence[str]] = None,
                          postal_code: Optional[str] = None,
                          private_key_format: Optional[str] = None,
                          province: Optional[str] = None,
                          signature_bits: Optional[int] = None,
                          street_address: Optional[str] = None,
                          ttl: Optional[str] = None,
                          country: Optional[str] = None,
                          uri_sans: Optional[Sequence[str]] = None,
                          use_pss: Optional[bool] = None)

func NewSecretBackendRootCert(ctx *Context, name string, args SecretBackendRootCertArgs, opts ...ResourceOption) (*SecretBackendRootCert, error)

public SecretBackendRootCert(string name, SecretBackendRootCertArgs args, CustomResourceOptions? opts = null)

public SecretBackendRootCert(String name, SecretBackendRootCertArgs args)
public SecretBackendRootCert(String name, SecretBackendRootCertArgs args, CustomResourceOptions options)

type: vault:pkiSecret:SecretBackendRootCert
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecretBackendRootCertArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretBackendRootCertArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendRootCertArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendRootCertArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretBackendRootCertArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

SecretBackendRootCert Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecretBackendRootCert resource accepts the following input properties:

Backend string: The PKI secret backend the resource belongs to.
CommonName string: CN of intermediate to create
Type string: Type of intermediate to create. Must be either "exported", "internal" or "kms"
AltNames List<string>: List of alternative names
Country string: The country
ExcludeCnFromSans bool: Flag to exclude CN from SANs
ExcludedDnsDomains List<string>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedEmailAddresses List<string>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedIpRanges List<string>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedUriDomains List<string>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
Format string: The format of data
IpSans List<string>: List of alternative IPs
IssuerName string: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
KeyBits int: The number of bits to use
KeyName string: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
KeyRef string: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
KeyType string: The desired key type
KeyUsages List<string>: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
Locality string: The locality
ManagedKeyId string: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
ManagedKeyName string: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
MaxPathLength int: The maximum path length to encode in the generated certificate
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
Organization string: The organization
OtherSans List<string>: List of other SANs
Ou string: The organization unit
PermittedDnsDomains List<string>: List of domains for which certificates are allowed to be issued
PermittedEmailAddresses List<string>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedIpRanges List<string>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedUriDomains List<string>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
PostalCode string: The postal code
PrivateKeyFormat string: The private key format
Province string: The province
SignatureBits int: The number of bits to use in the signature algorithm
StreetAddress string: The street address
Ttl string: Time to live
UriSans List<string>: List of alternative URIs
UsePss bool: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

Backend string: The PKI secret backend the resource belongs to.
CommonName string: CN of intermediate to create
Type string: Type of intermediate to create. Must be either "exported", "internal" or "kms"
AltNames []string: List of alternative names
Country string: The country
ExcludeCnFromSans bool: Flag to exclude CN from SANs
ExcludedDnsDomains []string: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedEmailAddresses []string: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedIpRanges []string: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedUriDomains []string: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
Format string: The format of data
IpSans []string: List of alternative IPs
IssuerName string: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
KeyBits int: The number of bits to use
KeyName string: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
KeyRef string: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
KeyType string: The desired key type
KeyUsages []string: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
Locality string: The locality
ManagedKeyId string: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
ManagedKeyName string: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
MaxPathLength int: The maximum path length to encode in the generated certificate
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
Organization string: The organization
OtherSans []string: List of other SANs
Ou string: The organization unit
PermittedDnsDomains []string: List of domains for which certificates are allowed to be issued
PermittedEmailAddresses []string: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedIpRanges []string: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedUriDomains []string: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
PostalCode string: The postal code
PrivateKeyFormat string: The private key format
Province string: The province
SignatureBits int: The number of bits to use in the signature algorithm
StreetAddress string: The street address
Ttl string: Time to live
UriSans []string: List of alternative URIs
UsePss bool: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

backend String: The PKI secret backend the resource belongs to.
commonName String: CN of intermediate to create
type String: Type of intermediate to create. Must be either "exported", "internal" or "kms"
altNames List<String>: List of alternative names
country String: The country
excludeCnFromSans Boolean: Flag to exclude CN from SANs
excludedDnsDomains List<String>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses List<String>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges List<String>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains List<String>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format String: The format of data
ipSans List<String>: List of alternative IPs
issuerName String: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
keyBits Integer: The number of bits to use
keyName String: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
keyRef String: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
keyType String: The desired key type
keyUsages List<String>: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
locality String: The locality
managedKeyId String: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
managedKeyName String: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
maxPathLength Integer: The maximum path length to encode in the generated certificate
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter String: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organization String: The organization
otherSans List<String>: List of other SANs
ou String: The organization unit
permittedDnsDomains List<String>: List of domains for which certificates are allowed to be issued
permittedEmailAddresses List<String>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges List<String>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains List<String>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode String: The postal code
privateKeyFormat String: The private key format
province String: The province
signatureBits Integer: The number of bits to use in the signature algorithm
streetAddress String: The street address
ttl String: Time to live
uriSans List<String>: List of alternative URIs
usePss Boolean: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

backend string: The PKI secret backend the resource belongs to.
commonName string: CN of intermediate to create
type string: Type of intermediate to create. Must be either "exported", "internal" or "kms"
altNames string[]: List of alternative names
country string: The country
excludeCnFromSans boolean: Flag to exclude CN from SANs
excludedDnsDomains string[]: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses string[]: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges string[]: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains string[]: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format string: The format of data
ipSans string[]: List of alternative IPs
issuerName string: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
keyBits number: The number of bits to use
keyName string: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
keyRef string: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
keyType string: The desired key type
keyUsages string[]: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
locality string: The locality
managedKeyId string: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
managedKeyName string: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
maxPathLength number: The maximum path length to encode in the generated certificate
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
organization string: The organization
otherSans string[]: List of other SANs
ou string: The organization unit
permittedDnsDomains string[]: List of domains for which certificates are allowed to be issued
permittedEmailAddresses string[]: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges string[]: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains string[]: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode string: The postal code
privateKeyFormat string: The private key format
province string: The province
signatureBits number: The number of bits to use in the signature algorithm
streetAddress string: The street address
ttl string: Time to live
uriSans string[]: List of alternative URIs
usePss boolean: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

backend str: The PKI secret backend the resource belongs to.
common_name str: CN of intermediate to create
type str: Type of intermediate to create. Must be either "exported", "internal" or "kms"
alt_names Sequence[str]: List of alternative names
country str: The country
exclude_cn_from_sans bool: Flag to exclude CN from SANs
excluded_dns_domains Sequence[str]: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_email_addresses Sequence[str]: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_ip_ranges Sequence[str]: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_uri_domains Sequence[str]: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format str: The format of data
ip_sans Sequence[str]: List of alternative IPs
issuer_name str: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
key_bits int: The number of bits to use
key_name str: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
key_ref str: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
key_type str: The desired key type
key_usages Sequence[str]: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
locality str: The locality
managed_key_id str: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
managed_key_name str: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
max_path_length int: The maximum path length to encode in the generated certificate
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
not_after str: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
not_before_duration str: Specifies the duration by which to backdate the NotBefore property.
organization str: The organization
other_sans Sequence[str]: List of other SANs
ou str: The organization unit
permitted_dns_domains Sequence[str]: List of domains for which certificates are allowed to be issued
permitted_email_addresses Sequence[str]: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permitted_ip_ranges Sequence[str]: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permitted_uri_domains Sequence[str]: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postal_code str: The postal code
private_key_format str: The private key format
province str: The province
signature_bits int: The number of bits to use in the signature algorithm
street_address str: The street address
ttl str: Time to live
uri_sans Sequence[str]: List of alternative URIs
use_pss bool: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

backend String: The PKI secret backend the resource belongs to.
commonName String: CN of intermediate to create
type String: Type of intermediate to create. Must be either "exported", "internal" or "kms"
altNames List<String>: List of alternative names
country String: The country
excludeCnFromSans Boolean: Flag to exclude CN from SANs
excludedDnsDomains List<String>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses List<String>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges List<String>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains List<String>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format String: The format of data
ipSans List<String>: List of alternative IPs
issuerName String: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
keyBits Number: The number of bits to use
keyName String: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
keyRef String: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
keyType String: The desired key type
keyUsages List<String>: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
locality String: The locality
managedKeyId String: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
managedKeyName String: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
maxPathLength Number: The maximum path length to encode in the generated certificate
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter String: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organization String: The organization
otherSans List<String>: List of other SANs
ou String: The organization unit
permittedDnsDomains List<String>: List of domains for which certificates are allowed to be issued
permittedEmailAddresses List<String>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges List<String>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains List<String>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode String: The postal code
privateKeyFormat String: The private key format
province String: The province
signatureBits Number: The number of bits to use in the signature algorithm
streetAddress String: The street address
ttl String: Time to live
uriSans List<String>: List of alternative URIs
usePss Boolean: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendRootCert resource produces the following output properties:

Certificate string: The certificate.
Id string: The provider-assigned unique ID for this managed resource.
IssuerId string: The ID of the generated issuer.
IssuingCa string: The issuing CA certificate.
KeyId string: The ID of the generated key.
SerialNumber string: The certificate's serial number, hex formatted.

Certificate string: The certificate.
Id string: The provider-assigned unique ID for this managed resource.
IssuerId string: The ID of the generated issuer.
IssuingCa string: The issuing CA certificate.
KeyId string: The ID of the generated key.
SerialNumber string: The certificate's serial number, hex formatted.

certificate String: The certificate.
id String: The provider-assigned unique ID for this managed resource.
issuerId String: The ID of the generated issuer.
issuingCa String: The issuing CA certificate.
keyId String: The ID of the generated key.
serialNumber String: The certificate's serial number, hex formatted.

certificate string: The certificate.
id string: The provider-assigned unique ID for this managed resource.
issuerId string: The ID of the generated issuer.
issuingCa string: The issuing CA certificate.
keyId string: The ID of the generated key.
serialNumber string: The certificate's serial number, hex formatted.

certificate str: The certificate.
id str: The provider-assigned unique ID for this managed resource.
issuer_id str: The ID of the generated issuer.
issuing_ca str: The issuing CA certificate.
key_id str: The ID of the generated key.
serial_number str: The certificate's serial number, hex formatted.

certificate String: The certificate.
id String: The provider-assigned unique ID for this managed resource.
issuerId String: The ID of the generated issuer.
issuingCa String: The issuing CA certificate.
keyId String: The ID of the generated key.
serialNumber String: The certificate's serial number, hex formatted.

Look up Existing SecretBackendRootCert Resource

Get an existing SecretBackendRootCert resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendRootCertState, opts?: CustomResourceOptions): SecretBackendRootCert

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        alt_names: Optional[Sequence[str]] = None,
        backend: Optional[str] = None,
        certificate: Optional[str] = None,
        common_name: Optional[str] = None,
        country: Optional[str] = None,
        exclude_cn_from_sans: Optional[bool] = None,
        excluded_dns_domains: Optional[Sequence[str]] = None,
        excluded_email_addresses: Optional[Sequence[str]] = None,
        excluded_ip_ranges: Optional[Sequence[str]] = None,
        excluded_uri_domains: Optional[Sequence[str]] = None,
        format: Optional[str] = None,
        ip_sans: Optional[Sequence[str]] = None,
        issuer_id: Optional[str] = None,
        issuer_name: Optional[str] = None,
        issuing_ca: Optional[str] = None,
        key_bits: Optional[int] = None,
        key_id: Optional[str] = None,
        key_name: Optional[str] = None,
        key_ref: Optional[str] = None,
        key_type: Optional[str] = None,
        key_usages: Optional[Sequence[str]] = None,
        locality: Optional[str] = None,
        managed_key_id: Optional[str] = None,
        managed_key_name: Optional[str] = None,
        max_path_length: Optional[int] = None,
        namespace: Optional[str] = None,
        not_after: Optional[str] = None,
        not_before_duration: Optional[str] = None,
        organization: Optional[str] = None,
        other_sans: Optional[Sequence[str]] = None,
        ou: Optional[str] = None,
        permitted_dns_domains: Optional[Sequence[str]] = None,
        permitted_email_addresses: Optional[Sequence[str]] = None,
        permitted_ip_ranges: Optional[Sequence[str]] = None,
        permitted_uri_domains: Optional[Sequence[str]] = None,
        postal_code: Optional[str] = None,
        private_key_format: Optional[str] = None,
        province: Optional[str] = None,
        serial_number: Optional[str] = None,
        signature_bits: Optional[int] = None,
        street_address: Optional[str] = None,
        ttl: Optional[str] = None,
        type: Optional[str] = None,
        uri_sans: Optional[Sequence[str]] = None,
        use_pss: Optional[bool] = None) -> SecretBackendRootCert

func GetSecretBackendRootCert(ctx *Context, name string, id IDInput, state *SecretBackendRootCertState, opts ...ResourceOption) (*SecretBackendRootCert, error)

public static SecretBackendRootCert Get(string name, Input<string> id, SecretBackendRootCertState? state, CustomResourceOptions? opts = null)

public static SecretBackendRootCert get(String name, Output<String> id, SecretBackendRootCertState state, CustomResourceOptions options)

resources:  _:    type: vault:pkiSecret:SecretBackendRootCert    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AltNames List<string>: List of alternative names
Backend string: The PKI secret backend the resource belongs to.
Certificate string: The certificate.
CommonName string: CN of intermediate to create
Country string: The country
ExcludeCnFromSans bool: Flag to exclude CN from SANs
ExcludedDnsDomains List<string>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedEmailAddresses List<string>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedIpRanges List<string>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedUriDomains List<string>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
Format string: The format of data
IpSans List<string>: List of alternative IPs
IssuerId string: The ID of the generated issuer.
IssuerName string: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
IssuingCa string: The issuing CA certificate.
KeyBits int: The number of bits to use
KeyId string: The ID of the generated key.
KeyName string: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
KeyRef string: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
KeyType string: The desired key type
KeyUsages List<string>: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
Locality string: The locality
ManagedKeyId string: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
ManagedKeyName string: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
MaxPathLength int: The maximum path length to encode in the generated certificate
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
Organization string: The organization
OtherSans List<string>: List of other SANs
Ou string: The organization unit
PermittedDnsDomains List<string>: List of domains for which certificates are allowed to be issued
PermittedEmailAddresses List<string>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedIpRanges List<string>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedUriDomains List<string>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
PostalCode string: The postal code
PrivateKeyFormat string: The private key format
Province string: The province
SerialNumber string: The certificate's serial number, hex formatted.
SignatureBits int: The number of bits to use in the signature algorithm
StreetAddress string: The street address
Ttl string: Time to live
Type string: Type of intermediate to create. Must be either "exported", "internal" or "kms"
UriSans List<string>: List of alternative URIs
UsePss bool: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

AltNames []string: List of alternative names
Backend string: The PKI secret backend the resource belongs to.
Certificate string: The certificate.
CommonName string: CN of intermediate to create
Country string: The country
ExcludeCnFromSans bool: Flag to exclude CN from SANs
ExcludedDnsDomains []string: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedEmailAddresses []string: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedIpRanges []string: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedUriDomains []string: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
Format string: The format of data
IpSans []string: List of alternative IPs
IssuerId string: The ID of the generated issuer.
IssuerName string: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
IssuingCa string: The issuing CA certificate.
KeyBits int: The number of bits to use
KeyId string: The ID of the generated key.
KeyName string: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
KeyRef string: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
KeyType string: The desired key type
KeyUsages []string: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
Locality string: The locality
ManagedKeyId string: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
ManagedKeyName string: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
MaxPathLength int: The maximum path length to encode in the generated certificate
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
Organization string: The organization
OtherSans []string: List of other SANs
Ou string: The organization unit
PermittedDnsDomains []string: List of domains for which certificates are allowed to be issued
PermittedEmailAddresses []string: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedIpRanges []string: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedUriDomains []string: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
PostalCode string: The postal code
PrivateKeyFormat string: The private key format
Province string: The province
SerialNumber string: The certificate's serial number, hex formatted.
SignatureBits int: The number of bits to use in the signature algorithm
StreetAddress string: The street address
Ttl string: Time to live
Type string: Type of intermediate to create. Must be either "exported", "internal" or "kms"
UriSans []string: List of alternative URIs
UsePss bool: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

altNames List<String>: List of alternative names
backend String: The PKI secret backend the resource belongs to.
certificate String: The certificate.
commonName String: CN of intermediate to create
country String: The country
excludeCnFromSans Boolean: Flag to exclude CN from SANs
excludedDnsDomains List<String>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses List<String>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges List<String>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains List<String>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format String: The format of data
ipSans List<String>: List of alternative IPs
issuerId String: The ID of the generated issuer.
issuerName String: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
issuingCa String: The issuing CA certificate.
keyBits Integer: The number of bits to use
keyId String: The ID of the generated key.
keyName String: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
keyRef String: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
keyType String: The desired key type
keyUsages List<String>: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
locality String: The locality
managedKeyId String: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
managedKeyName String: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
maxPathLength Integer: The maximum path length to encode in the generated certificate
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter String: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organization String: The organization
otherSans List<String>: List of other SANs
ou String: The organization unit
permittedDnsDomains List<String>: List of domains for which certificates are allowed to be issued
permittedEmailAddresses List<String>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges List<String>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains List<String>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode String: The postal code
privateKeyFormat String: The private key format
province String: The province
serialNumber String: The certificate's serial number, hex formatted.
signatureBits Integer: The number of bits to use in the signature algorithm
streetAddress String: The street address
ttl String: Time to live
type String: Type of intermediate to create. Must be either "exported", "internal" or "kms"
uriSans List<String>: List of alternative URIs
usePss Boolean: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

altNames string[]: List of alternative names
backend string: The PKI secret backend the resource belongs to.
certificate string: The certificate.
commonName string: CN of intermediate to create
country string: The country
excludeCnFromSans boolean: Flag to exclude CN from SANs
excludedDnsDomains string[]: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses string[]: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges string[]: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains string[]: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format string: The format of data
ipSans string[]: List of alternative IPs
issuerId string: The ID of the generated issuer.
issuerName string: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
issuingCa string: The issuing CA certificate.
keyBits number: The number of bits to use
keyId string: The ID of the generated key.
keyName string: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
keyRef string: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
keyType string: The desired key type
keyUsages string[]: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
locality string: The locality
managedKeyId string: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
managedKeyName string: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
maxPathLength number: The maximum path length to encode in the generated certificate
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
organization string: The organization
otherSans string[]: List of other SANs
ou string: The organization unit
permittedDnsDomains string[]: List of domains for which certificates are allowed to be issued
permittedEmailAddresses string[]: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges string[]: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains string[]: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode string: The postal code
privateKeyFormat string: The private key format
province string: The province
serialNumber string: The certificate's serial number, hex formatted.
signatureBits number: The number of bits to use in the signature algorithm
streetAddress string: The street address
ttl string: Time to live
type string: Type of intermediate to create. Must be either "exported", "internal" or "kms"
uriSans string[]: List of alternative URIs
usePss boolean: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

alt_names Sequence[str]: List of alternative names
backend str: The PKI secret backend the resource belongs to.
certificate str: The certificate.
common_name str: CN of intermediate to create
country str: The country
exclude_cn_from_sans bool: Flag to exclude CN from SANs
excluded_dns_domains Sequence[str]: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_email_addresses Sequence[str]: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_ip_ranges Sequence[str]: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_uri_domains Sequence[str]: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format str: The format of data
ip_sans Sequence[str]: List of alternative IPs
issuer_id str: The ID of the generated issuer.
issuer_name str: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
issuing_ca str: The issuing CA certificate.
key_bits int: The number of bits to use
key_id str: The ID of the generated key.
key_name str: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
key_ref str: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
key_type str: The desired key type
key_usages Sequence[str]: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
locality str: The locality
managed_key_id str: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
managed_key_name str: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
max_path_length int: The maximum path length to encode in the generated certificate
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
not_after str: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
not_before_duration str: Specifies the duration by which to backdate the NotBefore property.
organization str: The organization
other_sans Sequence[str]: List of other SANs
ou str: The organization unit
permitted_dns_domains Sequence[str]: List of domains for which certificates are allowed to be issued
permitted_email_addresses Sequence[str]: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permitted_ip_ranges Sequence[str]: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permitted_uri_domains Sequence[str]: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postal_code str: The postal code
private_key_format str: The private key format
province str: The province
serial_number str: The certificate's serial number, hex formatted.
signature_bits int: The number of bits to use in the signature algorithm
street_address str: The street address
ttl str: Time to live
type str: Type of intermediate to create. Must be either "exported", "internal" or "kms"
uri_sans Sequence[str]: List of alternative URIs
use_pss bool: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

altNames List<String>: List of alternative names
backend String: The PKI secret backend the resource belongs to.
certificate String: The certificate.
commonName String: CN of intermediate to create
country String: The country
excludeCnFromSans Boolean: Flag to exclude CN from SANs
excludedDnsDomains List<String>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses List<String>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges List<String>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains List<String>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format String: The format of data
ipSans List<String>: List of alternative IPs
issuerId String: The ID of the generated issuer.
issuerName String: Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default
issuingCa String: The issuing CA certificate.
keyBits Number: The number of bits to use
keyId String: The ID of the generated key.
keyName String: When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name.
keyRef String: Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
keyType String: The desired key type
keyUsages List<String>: Specifies the allowed key usage constraints for the certificate. This list of key usages will be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate. Defaults to ["CRLSign", "CertSign"] for root CA certificates. Requires Vault 1.19.2+.
locality String: The locality
managedKeyId String: The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyName
managedKeyName String: The name of the previously configured managed key. This field is required if type is kms and it conflicts with managedKeyId
maxPathLength Number: The maximum path length to encode in the generated certificate
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter String: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organization String: The organization
otherSans List<String>: List of other SANs
ou String: The organization unit
permittedDnsDomains List<String>: List of domains for which certificates are allowed to be issued
permittedEmailAddresses List<String>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges List<String>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains List<String>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode String: The postal code
privateKeyFormat String: The private key format
province String: The province
serialNumber String: The certificate's serial number, hex formatted.
signatureBits Number: The number of bits to use in the signature algorithm
streetAddress String: The street address
ttl String: Time to live
type String: Type of intermediate to create. Must be either "exported", "internal" or "kms"
uriSans List<String>: List of alternative URIs
usePss Boolean: When true, uses PSS (Probabilistic Signature Scheme) for RSA signatures instead of PKCS#1 v1.5. PSS provides enhanced security but may have compatibility issues with older systems. Only applicable to RSA keys; ignored for ECDSA/Ed25519 keys. Defaults to false. Requires Vault 1.18.0+.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

vault.pkiSecret.SecretBackendRootCert

On this page

On this page

Example Usage

Create SecretBackendRootCert Resource

Constructor syntax

Parameters

SecretBackendRootCert Resource Properties

Inputs

Outputs

Look up Existing SecretBackendRootCert Resource

Package Details

On this page

On this page