HashiCorp Vault v7.3.1, Oct 21 25

HashiCorp Vault v7.3.1 published on Tuesday, Oct 21, 2025 by Pulumi

vault.pkiSecret.SecretBackendRootSignIntermediate

HashiCorp Vault v7.3.1 published on Tuesday, Oct 21, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const root = new vault.pkisecret.SecretBackendRootSignIntermediate("root", {
    backend: rootVaultMount.path,
    csr: intermediate.csr,
    commonName: "Intermediate CA",
    excludeCnFromSans: true,
    ou: "My OU",
    organization: "My organization",
}, {
    dependsOn: [intermediate],
});

import pulumi
import pulumi_vault as vault

root = vault.pkisecret.SecretBackendRootSignIntermediate("root",
    backend=root_vault_mount["path"],
    csr=intermediate["csr"],
    common_name="Intermediate CA",
    exclude_cn_from_sans=True,
    ou="My OU",
    organization="My organization",
    opts = pulumi.ResourceOptions(depends_on=[intermediate]))

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := pkisecret.NewSecretBackendRootSignIntermediate(ctx, "root", &pkisecret.SecretBackendRootSignIntermediateArgs{
			Backend:           pulumi.Any(rootVaultMount.Path),
			Csr:               pulumi.Any(intermediate.Csr),
			CommonName:        pulumi.String("Intermediate CA"),
			ExcludeCnFromSans: pulumi.Bool(true),
			Ou:                pulumi.String("My OU"),
			Organization:      pulumi.String("My organization"),
		}, pulumi.DependsOn([]pulumi.Resource{
			intermediate,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var root = new Vault.PkiSecret.SecretBackendRootSignIntermediate("root", new()
    {
        Backend = rootVaultMount.Path,
        Csr = intermediate.Csr,
        CommonName = "Intermediate CA",
        ExcludeCnFromSans = true,
        Ou = "My OU",
        Organization = "My organization",
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            intermediate,
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.pkiSecret.SecretBackendRootSignIntermediate;
import com.pulumi.vault.pkiSecret.SecretBackendRootSignIntermediateArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var root = new SecretBackendRootSignIntermediate("root", SecretBackendRootSignIntermediateArgs.builder()
            .backend(rootVaultMount.path())
            .csr(intermediate.csr())
            .commonName("Intermediate CA")
            .excludeCnFromSans(true)
            .ou("My OU")
            .organization("My organization")
            .build(), CustomResourceOptions.builder()
                .dependsOn(intermediate)
                .build());

    }
}

resources:
  root:
    type: vault:pkiSecret:SecretBackendRootSignIntermediate
    properties:
      backend: ${rootVaultMount.path}
      csr: ${intermediate.csr}
      commonName: Intermediate CA
      excludeCnFromSans: true
      ou: My OU
      organization: My organization
    options:
      dependsOn:
        - ${intermediate}

Create SecretBackendRootSignIntermediate Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecretBackendRootSignIntermediate(name: string, args: SecretBackendRootSignIntermediateArgs, opts?: CustomResourceOptions);

@overload
def SecretBackendRootSignIntermediate(resource_name: str,
                                      args: SecretBackendRootSignIntermediateArgs,
                                      opts: Optional[ResourceOptions] = None)

@overload
def SecretBackendRootSignIntermediate(resource_name: str,
                                      opts: Optional[ResourceOptions] = None,
                                      csr: Optional[str] = None,
                                      backend: Optional[str] = None,
                                      common_name: Optional[str] = None,
                                      not_before_duration: Optional[str] = None,
                                      other_sans: Optional[Sequence[str]] = None,
                                      exclude_cn_from_sans: Optional[bool] = None,
                                      excluded_dns_domains: Optional[Sequence[str]] = None,
                                      excluded_email_addresses: Optional[Sequence[str]] = None,
                                      excluded_ip_ranges: Optional[Sequence[str]] = None,
                                      excluded_uri_domains: Optional[Sequence[str]] = None,
                                      format: Optional[str] = None,
                                      ip_sans: Optional[Sequence[str]] = None,
                                      issuer_ref: Optional[str] = None,
                                      key_usages: Optional[Sequence[str]] = None,
                                      locality: Optional[str] = None,
                                      max_path_length: Optional[int] = None,
                                      namespace: Optional[str] = None,
                                      not_after: Optional[str] = None,
                                      alt_names: Optional[Sequence[str]] = None,
                                      country: Optional[str] = None,
                                      ou: Optional[str] = None,
                                      organization: Optional[str] = None,
                                      permitted_dns_domains: Optional[Sequence[str]] = None,
                                      permitted_email_addresses: Optional[Sequence[str]] = None,
                                      permitted_ip_ranges: Optional[Sequence[str]] = None,
                                      permitted_uri_domains: Optional[Sequence[str]] = None,
                                      postal_code: Optional[str] = None,
                                      province: Optional[str] = None,
                                      revoke: Optional[bool] = None,
                                      signature_bits: Optional[int] = None,
                                      skid: Optional[str] = None,
                                      street_address: Optional[str] = None,
                                      ttl: Optional[str] = None,
                                      uri_sans: Optional[Sequence[str]] = None,
                                      use_csr_values: Optional[bool] = None,
                                      use_pss: Optional[bool] = None)

func NewSecretBackendRootSignIntermediate(ctx *Context, name string, args SecretBackendRootSignIntermediateArgs, opts ...ResourceOption) (*SecretBackendRootSignIntermediate, error)

public SecretBackendRootSignIntermediate(string name, SecretBackendRootSignIntermediateArgs args, CustomResourceOptions? opts = null)

public SecretBackendRootSignIntermediate(String name, SecretBackendRootSignIntermediateArgs args)
public SecretBackendRootSignIntermediate(String name, SecretBackendRootSignIntermediateArgs args, CustomResourceOptions options)

type: vault:pkiSecret:SecretBackendRootSignIntermediate
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecretBackendRootSignIntermediateArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretBackendRootSignIntermediateArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendRootSignIntermediateArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendRootSignIntermediateArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretBackendRootSignIntermediateArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var secretBackendRootSignIntermediateResource = new Vault.PkiSecret.SecretBackendRootSignIntermediate("secretBackendRootSignIntermediateResource", new()
{
    Csr = "string",
    Backend = "string",
    CommonName = "string",
    NotBeforeDuration = "string",
    OtherSans = new[]
    {
        "string",
    },
    ExcludeCnFromSans = false,
    ExcludedDnsDomains = new[]
    {
        "string",
    },
    ExcludedEmailAddresses = new[]
    {
        "string",
    },
    ExcludedIpRanges = new[]
    {
        "string",
    },
    ExcludedUriDomains = new[]
    {
        "string",
    },
    Format = "string",
    IpSans = new[]
    {
        "string",
    },
    IssuerRef = "string",
    KeyUsages = new[]
    {
        "string",
    },
    Locality = "string",
    MaxPathLength = 0,
    Namespace = "string",
    NotAfter = "string",
    AltNames = new[]
    {
        "string",
    },
    Country = "string",
    Ou = "string",
    Organization = "string",
    PermittedDnsDomains = new[]
    {
        "string",
    },
    PermittedEmailAddresses = new[]
    {
        "string",
    },
    PermittedIpRanges = new[]
    {
        "string",
    },
    PermittedUriDomains = new[]
    {
        "string",
    },
    PostalCode = "string",
    Province = "string",
    Revoke = false,
    SignatureBits = 0,
    Skid = "string",
    StreetAddress = "string",
    Ttl = "string",
    UriSans = new[]
    {
        "string",
    },
    UseCsrValues = false,
    UsePss = false,
});

example, err := pkisecret.NewSecretBackendRootSignIntermediate(ctx, "secretBackendRootSignIntermediateResource", &pkisecret.SecretBackendRootSignIntermediateArgs{
	Csr:               pulumi.String("string"),
	Backend:           pulumi.String("string"),
	CommonName:        pulumi.String("string"),
	NotBeforeDuration: pulumi.String("string"),
	OtherSans: pulumi.StringArray{
		pulumi.String("string"),
	},
	ExcludeCnFromSans: pulumi.Bool(false),
	ExcludedDnsDomains: pulumi.StringArray{
		pulumi.String("string"),
	},
	ExcludedEmailAddresses: pulumi.StringArray{
		pulumi.String("string"),
	},
	ExcludedIpRanges: pulumi.StringArray{
		pulumi.String("string"),
	},
	ExcludedUriDomains: pulumi.StringArray{
		pulumi.String("string"),
	},
	Format: pulumi.String("string"),
	IpSans: pulumi.StringArray{
		pulumi.String("string"),
	},
	IssuerRef: pulumi.String("string"),
	KeyUsages: pulumi.StringArray{
		pulumi.String("string"),
	},
	Locality:      pulumi.String("string"),
	MaxPathLength: pulumi.Int(0),
	Namespace:     pulumi.String("string"),
	NotAfter:      pulumi.String("string"),
	AltNames: pulumi.StringArray{
		pulumi.String("string"),
	},
	Country:      pulumi.String("string"),
	Ou:           pulumi.String("string"),
	Organization: pulumi.String("string"),
	PermittedDnsDomains: pulumi.StringArray{
		pulumi.String("string"),
	},
	PermittedEmailAddresses: pulumi.StringArray{
		pulumi.String("string"),
	},
	PermittedIpRanges: pulumi.StringArray{
		pulumi.String("string"),
	},
	PermittedUriDomains: pulumi.StringArray{
		pulumi.String("string"),
	},
	PostalCode:    pulumi.String("string"),
	Province:      pulumi.String("string"),
	Revoke:        pulumi.Bool(false),
	SignatureBits: pulumi.Int(0),
	Skid:          pulumi.String("string"),
	StreetAddress: pulumi.String("string"),
	Ttl:           pulumi.String("string"),
	UriSans: pulumi.StringArray{
		pulumi.String("string"),
	},
	UseCsrValues: pulumi.Bool(false),
	UsePss:       pulumi.Bool(false),
})

var secretBackendRootSignIntermediateResource = new SecretBackendRootSignIntermediate("secretBackendRootSignIntermediateResource", SecretBackendRootSignIntermediateArgs.builder()
    .csr("string")
    .backend("string")
    .commonName("string")
    .notBeforeDuration("string")
    .otherSans("string")
    .excludeCnFromSans(false)
    .excludedDnsDomains("string")
    .excludedEmailAddresses("string")
    .excludedIpRanges("string")
    .excludedUriDomains("string")
    .format("string")
    .ipSans("string")
    .issuerRef("string")
    .keyUsages("string")
    .locality("string")
    .maxPathLength(0)
    .namespace("string")
    .notAfter("string")
    .altNames("string")
    .country("string")
    .ou("string")
    .organization("string")
    .permittedDnsDomains("string")
    .permittedEmailAddresses("string")
    .permittedIpRanges("string")
    .permittedUriDomains("string")
    .postalCode("string")
    .province("string")
    .revoke(false)
    .signatureBits(0)
    .skid("string")
    .streetAddress("string")
    .ttl("string")
    .uriSans("string")
    .useCsrValues(false)
    .usePss(false)
    .build());

secret_backend_root_sign_intermediate_resource = vault.pkisecret.SecretBackendRootSignIntermediate("secretBackendRootSignIntermediateResource",
    csr="string",
    backend="string",
    common_name="string",
    not_before_duration="string",
    other_sans=["string"],
    exclude_cn_from_sans=False,
    excluded_dns_domains=["string"],
    excluded_email_addresses=["string"],
    excluded_ip_ranges=["string"],
    excluded_uri_domains=["string"],
    format="string",
    ip_sans=["string"],
    issuer_ref="string",
    key_usages=["string"],
    locality="string",
    max_path_length=0,
    namespace="string",
    not_after="string",
    alt_names=["string"],
    country="string",
    ou="string",
    organization="string",
    permitted_dns_domains=["string"],
    permitted_email_addresses=["string"],
    permitted_ip_ranges=["string"],
    permitted_uri_domains=["string"],
    postal_code="string",
    province="string",
    revoke=False,
    signature_bits=0,
    skid="string",
    street_address="string",
    ttl="string",
    uri_sans=["string"],
    use_csr_values=False,
    use_pss=False)

const secretBackendRootSignIntermediateResource = new vault.pkisecret.SecretBackendRootSignIntermediate("secretBackendRootSignIntermediateResource", {
    csr: "string",
    backend: "string",
    commonName: "string",
    notBeforeDuration: "string",
    otherSans: ["string"],
    excludeCnFromSans: false,
    excludedDnsDomains: ["string"],
    excludedEmailAddresses: ["string"],
    excludedIpRanges: ["string"],
    excludedUriDomains: ["string"],
    format: "string",
    ipSans: ["string"],
    issuerRef: "string",
    keyUsages: ["string"],
    locality: "string",
    maxPathLength: 0,
    namespace: "string",
    notAfter: "string",
    altNames: ["string"],
    country: "string",
    ou: "string",
    organization: "string",
    permittedDnsDomains: ["string"],
    permittedEmailAddresses: ["string"],
    permittedIpRanges: ["string"],
    permittedUriDomains: ["string"],
    postalCode: "string",
    province: "string",
    revoke: false,
    signatureBits: 0,
    skid: "string",
    streetAddress: "string",
    ttl: "string",
    uriSans: ["string"],
    useCsrValues: false,
    usePss: false,
});

type: vault:pkiSecret:SecretBackendRootSignIntermediate
properties:
    altNames:
        - string
    backend: string
    commonName: string
    country: string
    csr: string
    excludeCnFromSans: false
    excludedDnsDomains:
        - string
    excludedEmailAddresses:
        - string
    excludedIpRanges:
        - string
    excludedUriDomains:
        - string
    format: string
    ipSans:
        - string
    issuerRef: string
    keyUsages:
        - string
    locality: string
    maxPathLength: 0
    namespace: string
    notAfter: string
    notBeforeDuration: string
    organization: string
    otherSans:
        - string
    ou: string
    permittedDnsDomains:
        - string
    permittedEmailAddresses:
        - string
    permittedIpRanges:
        - string
    permittedUriDomains:
        - string
    postalCode: string
    province: string
    revoke: false
    signatureBits: 0
    skid: string
    streetAddress: string
    ttl: string
    uriSans:
        - string
    useCsrValues: false
    usePss: false

SecretBackendRootSignIntermediate Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecretBackendRootSignIntermediate resource accepts the following input properties:

Backend string: The PKI secret backend the resource belongs to.
CommonName string: CN of intermediate to create
Csr string: The CSR
AltNames List<string>: List of alternative names
Country string: The country
ExcludeCnFromSans bool: Flag to exclude CN from SANs
ExcludedDnsDomains List<string>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedEmailAddresses List<string>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedIpRanges List<string>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedUriDomains List<string>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
Format string: The format of data
IpSans List<string>: List of alternative IPs
IssuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
KeyUsages List<string>: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
Locality string: The locality
MaxPathLength int: The maximum path length to encode in the generated certificate
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
Organization string: The organization
OtherSans List<string>: List of other SANs
Ou string: The organization unit
PermittedDnsDomains List<string>: List of domains for which certificates are allowed to be issued
PermittedEmailAddresses List<string>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedIpRanges List<string>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedUriDomains List<string>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
PostalCode string: The postal code
Province string: The province
Revoke bool: If set to true, the certificate will be revoked on resource destruction.
SignatureBits int: The number of bits to use in the signature algorithm
Skid string: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
StreetAddress string: The street address
Ttl string: Time to live
UriSans List<string>: List of alternative URIs
UseCsrValues bool: Preserve CSR values
UsePss bool: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

Backend string: The PKI secret backend the resource belongs to.
CommonName string: CN of intermediate to create
Csr string: The CSR
AltNames []string: List of alternative names
Country string: The country
ExcludeCnFromSans bool: Flag to exclude CN from SANs
ExcludedDnsDomains []string: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedEmailAddresses []string: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedIpRanges []string: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedUriDomains []string: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
Format string: The format of data
IpSans []string: List of alternative IPs
IssuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
KeyUsages []string: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
Locality string: The locality
MaxPathLength int: The maximum path length to encode in the generated certificate
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
Organization string: The organization
OtherSans []string: List of other SANs
Ou string: The organization unit
PermittedDnsDomains []string: List of domains for which certificates are allowed to be issued
PermittedEmailAddresses []string: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedIpRanges []string: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedUriDomains []string: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
PostalCode string: The postal code
Province string: The province
Revoke bool: If set to true, the certificate will be revoked on resource destruction.
SignatureBits int: The number of bits to use in the signature algorithm
Skid string: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
StreetAddress string: The street address
Ttl string: Time to live
UriSans []string: List of alternative URIs
UseCsrValues bool: Preserve CSR values
UsePss bool: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

backend String: The PKI secret backend the resource belongs to.
commonName String: CN of intermediate to create
csr String: The CSR
altNames List<String>: List of alternative names
country String: The country
excludeCnFromSans Boolean: Flag to exclude CN from SANs
excludedDnsDomains List<String>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses List<String>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges List<String>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains List<String>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format String: The format of data
ipSans List<String>: List of alternative IPs
issuerRef String: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
keyUsages List<String>: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
locality String: The locality
maxPathLength Integer: The maximum path length to encode in the generated certificate
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter String: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organization String: The organization
otherSans List<String>: List of other SANs
ou String: The organization unit
permittedDnsDomains List<String>: List of domains for which certificates are allowed to be issued
permittedEmailAddresses List<String>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges List<String>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains List<String>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode String: The postal code
province String: The province
revoke Boolean: If set to true, the certificate will be revoked on resource destruction.
signatureBits Integer: The number of bits to use in the signature algorithm
skid String: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
streetAddress String: The street address
ttl String: Time to live
uriSans List<String>: List of alternative URIs
useCsrValues Boolean: Preserve CSR values
usePss Boolean: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

backend string: The PKI secret backend the resource belongs to.
commonName string: CN of intermediate to create
csr string: The CSR
altNames string[]: List of alternative names
country string: The country
excludeCnFromSans boolean: Flag to exclude CN from SANs
excludedDnsDomains string[]: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses string[]: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges string[]: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains string[]: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format string: The format of data
ipSans string[]: List of alternative IPs
issuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
keyUsages string[]: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
locality string: The locality
maxPathLength number: The maximum path length to encode in the generated certificate
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
organization string: The organization
otherSans string[]: List of other SANs
ou string: The organization unit
permittedDnsDomains string[]: List of domains for which certificates are allowed to be issued
permittedEmailAddresses string[]: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges string[]: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains string[]: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode string: The postal code
province string: The province
revoke boolean: If set to true, the certificate will be revoked on resource destruction.
signatureBits number: The number of bits to use in the signature algorithm
skid string: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
streetAddress string: The street address
ttl string: Time to live
uriSans string[]: List of alternative URIs
useCsrValues boolean: Preserve CSR values
usePss boolean: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

backend str: The PKI secret backend the resource belongs to.
common_name str: CN of intermediate to create
csr str: The CSR
alt_names Sequence[str]: List of alternative names
country str: The country
exclude_cn_from_sans bool: Flag to exclude CN from SANs
excluded_dns_domains Sequence[str]: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_email_addresses Sequence[str]: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_ip_ranges Sequence[str]: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_uri_domains Sequence[str]: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format str: The format of data
ip_sans Sequence[str]: List of alternative IPs
issuer_ref str: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
key_usages Sequence[str]: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
locality str: The locality
max_path_length int: The maximum path length to encode in the generated certificate
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
not_after str: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
not_before_duration str: Specifies the duration by which to backdate the NotBefore property.
organization str: The organization
other_sans Sequence[str]: List of other SANs
ou str: The organization unit
permitted_dns_domains Sequence[str]: List of domains for which certificates are allowed to be issued
permitted_email_addresses Sequence[str]: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permitted_ip_ranges Sequence[str]: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permitted_uri_domains Sequence[str]: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postal_code str: The postal code
province str: The province
revoke bool: If set to true, the certificate will be revoked on resource destruction.
signature_bits int: The number of bits to use in the signature algorithm
skid str: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
street_address str: The street address
ttl str: Time to live
uri_sans Sequence[str]: List of alternative URIs
use_csr_values bool: Preserve CSR values
use_pss bool: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

backend String: The PKI secret backend the resource belongs to.
commonName String: CN of intermediate to create
csr String: The CSR
altNames List<String>: List of alternative names
country String: The country
excludeCnFromSans Boolean: Flag to exclude CN from SANs
excludedDnsDomains List<String>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses List<String>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges List<String>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains List<String>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format String: The format of data
ipSans List<String>: List of alternative IPs
issuerRef String: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
keyUsages List<String>: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
locality String: The locality
maxPathLength Number: The maximum path length to encode in the generated certificate
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter String: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organization String: The organization
otherSans List<String>: List of other SANs
ou String: The organization unit
permittedDnsDomains List<String>: List of domains for which certificates are allowed to be issued
permittedEmailAddresses List<String>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges List<String>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains List<String>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode String: The postal code
province String: The province
revoke Boolean: If set to true, the certificate will be revoked on resource destruction.
signatureBits Number: The number of bits to use in the signature algorithm
skid String: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
streetAddress String: The street address
ttl String: Time to live
uriSans List<String>: List of alternative URIs
useCsrValues Boolean: Preserve CSR values
usePss Boolean: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendRootSignIntermediate resource produces the following output properties:

CaChains List<string>: A list of the issuing and intermediate CA certificates in the format specified.
Certificate string: The intermediate CA certificate in the format specified.
CertificateBundle string: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
Id string: The provider-assigned unique ID for this managed resource.
IssuingCa string: The issuing CA certificate in the format specified.
SerialNumber string: The certificate's serial number, hex formatted.

CaChains []string: A list of the issuing and intermediate CA certificates in the format specified.
Certificate string: The intermediate CA certificate in the format specified.
CertificateBundle string: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
Id string: The provider-assigned unique ID for this managed resource.
IssuingCa string: The issuing CA certificate in the format specified.
SerialNumber string: The certificate's serial number, hex formatted.

caChains List<String>: A list of the issuing and intermediate CA certificates in the format specified.
certificate String: The intermediate CA certificate in the format specified.
certificateBundle String: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
id String: The provider-assigned unique ID for this managed resource.
issuingCa String: The issuing CA certificate in the format specified.
serialNumber String: The certificate's serial number, hex formatted.

caChains string[]: A list of the issuing and intermediate CA certificates in the format specified.
certificate string: The intermediate CA certificate in the format specified.
certificateBundle string: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
id string: The provider-assigned unique ID for this managed resource.
issuingCa string: The issuing CA certificate in the format specified.
serialNumber string: The certificate's serial number, hex formatted.

ca_chains Sequence[str]: A list of the issuing and intermediate CA certificates in the format specified.
certificate str: The intermediate CA certificate in the format specified.
certificate_bundle str: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
id str: The provider-assigned unique ID for this managed resource.
issuing_ca str: The issuing CA certificate in the format specified.
serial_number str: The certificate's serial number, hex formatted.

caChains List<String>: A list of the issuing and intermediate CA certificates in the format specified.
certificate String: The intermediate CA certificate in the format specified.
certificateBundle String: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
id String: The provider-assigned unique ID for this managed resource.
issuingCa String: The issuing CA certificate in the format specified.
serialNumber String: The certificate's serial number, hex formatted.

Look up Existing SecretBackendRootSignIntermediate Resource

Get an existing SecretBackendRootSignIntermediate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendRootSignIntermediateState, opts?: CustomResourceOptions): SecretBackendRootSignIntermediate

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        alt_names: Optional[Sequence[str]] = None,
        backend: Optional[str] = None,
        ca_chains: Optional[Sequence[str]] = None,
        certificate: Optional[str] = None,
        certificate_bundle: Optional[str] = None,
        common_name: Optional[str] = None,
        country: Optional[str] = None,
        csr: Optional[str] = None,
        exclude_cn_from_sans: Optional[bool] = None,
        excluded_dns_domains: Optional[Sequence[str]] = None,
        excluded_email_addresses: Optional[Sequence[str]] = None,
        excluded_ip_ranges: Optional[Sequence[str]] = None,
        excluded_uri_domains: Optional[Sequence[str]] = None,
        format: Optional[str] = None,
        ip_sans: Optional[Sequence[str]] = None,
        issuer_ref: Optional[str] = None,
        issuing_ca: Optional[str] = None,
        key_usages: Optional[Sequence[str]] = None,
        locality: Optional[str] = None,
        max_path_length: Optional[int] = None,
        namespace: Optional[str] = None,
        not_after: Optional[str] = None,
        not_before_duration: Optional[str] = None,
        organization: Optional[str] = None,
        other_sans: Optional[Sequence[str]] = None,
        ou: Optional[str] = None,
        permitted_dns_domains: Optional[Sequence[str]] = None,
        permitted_email_addresses: Optional[Sequence[str]] = None,
        permitted_ip_ranges: Optional[Sequence[str]] = None,
        permitted_uri_domains: Optional[Sequence[str]] = None,
        postal_code: Optional[str] = None,
        province: Optional[str] = None,
        revoke: Optional[bool] = None,
        serial_number: Optional[str] = None,
        signature_bits: Optional[int] = None,
        skid: Optional[str] = None,
        street_address: Optional[str] = None,
        ttl: Optional[str] = None,
        uri_sans: Optional[Sequence[str]] = None,
        use_csr_values: Optional[bool] = None,
        use_pss: Optional[bool] = None) -> SecretBackendRootSignIntermediate

func GetSecretBackendRootSignIntermediate(ctx *Context, name string, id IDInput, state *SecretBackendRootSignIntermediateState, opts ...ResourceOption) (*SecretBackendRootSignIntermediate, error)

public static SecretBackendRootSignIntermediate Get(string name, Input<string> id, SecretBackendRootSignIntermediateState? state, CustomResourceOptions? opts = null)

public static SecretBackendRootSignIntermediate get(String name, Output<String> id, SecretBackendRootSignIntermediateState state, CustomResourceOptions options)

resources:  _:    type: vault:pkiSecret:SecretBackendRootSignIntermediate    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AltNames List<string>: List of alternative names
Backend string: The PKI secret backend the resource belongs to.
CaChains List<string>: A list of the issuing and intermediate CA certificates in the format specified.
Certificate string: The intermediate CA certificate in the format specified.
CertificateBundle string: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
CommonName string: CN of intermediate to create
Country string: The country
Csr string: The CSR
ExcludeCnFromSans bool: Flag to exclude CN from SANs
ExcludedDnsDomains List<string>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedEmailAddresses List<string>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedIpRanges List<string>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedUriDomains List<string>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
Format string: The format of data
IpSans List<string>: List of alternative IPs
IssuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
IssuingCa string: The issuing CA certificate in the format specified.
KeyUsages List<string>: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
Locality string: The locality
MaxPathLength int: The maximum path length to encode in the generated certificate
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
Organization string: The organization
OtherSans List<string>: List of other SANs
Ou string: The organization unit
PermittedDnsDomains List<string>: List of domains for which certificates are allowed to be issued
PermittedEmailAddresses List<string>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedIpRanges List<string>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedUriDomains List<string>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
PostalCode string: The postal code
Province string: The province
Revoke bool: If set to true, the certificate will be revoked on resource destruction.
SerialNumber string: The certificate's serial number, hex formatted.
SignatureBits int: The number of bits to use in the signature algorithm
Skid string: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
StreetAddress string: The street address
Ttl string: Time to live
UriSans List<string>: List of alternative URIs
UseCsrValues bool: Preserve CSR values
UsePss bool: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

AltNames []string: List of alternative names
Backend string: The PKI secret backend the resource belongs to.
CaChains []string: A list of the issuing and intermediate CA certificates in the format specified.
Certificate string: The intermediate CA certificate in the format specified.
CertificateBundle string: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
CommonName string: CN of intermediate to create
Country string: The country
Csr string: The CSR
ExcludeCnFromSans bool: Flag to exclude CN from SANs
ExcludedDnsDomains []string: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedEmailAddresses []string: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedIpRanges []string: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
ExcludedUriDomains []string: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
Format string: The format of data
IpSans []string: List of alternative IPs
IssuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
IssuingCa string: The issuing CA certificate in the format specified.
KeyUsages []string: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
Locality string: The locality
MaxPathLength int: The maximum path length to encode in the generated certificate
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
Organization string: The organization
OtherSans []string: List of other SANs
Ou string: The organization unit
PermittedDnsDomains []string: List of domains for which certificates are allowed to be issued
PermittedEmailAddresses []string: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedIpRanges []string: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
PermittedUriDomains []string: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
PostalCode string: The postal code
Province string: The province
Revoke bool: If set to true, the certificate will be revoked on resource destruction.
SerialNumber string: The certificate's serial number, hex formatted.
SignatureBits int: The number of bits to use in the signature algorithm
Skid string: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
StreetAddress string: The street address
Ttl string: Time to live
UriSans []string: List of alternative URIs
UseCsrValues bool: Preserve CSR values
UsePss bool: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

altNames List<String>: List of alternative names
backend String: The PKI secret backend the resource belongs to.
caChains List<String>: A list of the issuing and intermediate CA certificates in the format specified.
certificate String: The intermediate CA certificate in the format specified.
certificateBundle String: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
commonName String: CN of intermediate to create
country String: The country
csr String: The CSR
excludeCnFromSans Boolean: Flag to exclude CN from SANs
excludedDnsDomains List<String>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses List<String>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges List<String>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains List<String>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format String: The format of data
ipSans List<String>: List of alternative IPs
issuerRef String: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
issuingCa String: The issuing CA certificate in the format specified.
keyUsages List<String>: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
locality String: The locality
maxPathLength Integer: The maximum path length to encode in the generated certificate
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter String: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organization String: The organization
otherSans List<String>: List of other SANs
ou String: The organization unit
permittedDnsDomains List<String>: List of domains for which certificates are allowed to be issued
permittedEmailAddresses List<String>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges List<String>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains List<String>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode String: The postal code
province String: The province
revoke Boolean: If set to true, the certificate will be revoked on resource destruction.
serialNumber String: The certificate's serial number, hex formatted.
signatureBits Integer: The number of bits to use in the signature algorithm
skid String: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
streetAddress String: The street address
ttl String: Time to live
uriSans List<String>: List of alternative URIs
useCsrValues Boolean: Preserve CSR values
usePss Boolean: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

altNames string[]: List of alternative names
backend string: The PKI secret backend the resource belongs to.
caChains string[]: A list of the issuing and intermediate CA certificates in the format specified.
certificate string: The intermediate CA certificate in the format specified.
certificateBundle string: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
commonName string: CN of intermediate to create
country string: The country
csr string: The CSR
excludeCnFromSans boolean: Flag to exclude CN from SANs
excludedDnsDomains string[]: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses string[]: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges string[]: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains string[]: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format string: The format of data
ipSans string[]: List of alternative IPs
issuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
issuingCa string: The issuing CA certificate in the format specified.
keyUsages string[]: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
locality string: The locality
maxPathLength number: The maximum path length to encode in the generated certificate
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter string: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
organization string: The organization
otherSans string[]: List of other SANs
ou string: The organization unit
permittedDnsDomains string[]: List of domains for which certificates are allowed to be issued
permittedEmailAddresses string[]: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges string[]: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains string[]: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode string: The postal code
province string: The province
revoke boolean: If set to true, the certificate will be revoked on resource destruction.
serialNumber string: The certificate's serial number, hex formatted.
signatureBits number: The number of bits to use in the signature algorithm
skid string: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
streetAddress string: The street address
ttl string: Time to live
uriSans string[]: List of alternative URIs
useCsrValues boolean: Preserve CSR values
usePss boolean: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

alt_names Sequence[str]: List of alternative names
backend str: The PKI secret backend the resource belongs to.
ca_chains Sequence[str]: A list of the issuing and intermediate CA certificates in the format specified.
certificate str: The intermediate CA certificate in the format specified.
certificate_bundle str: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
common_name str: CN of intermediate to create
country str: The country
csr str: The CSR
exclude_cn_from_sans bool: Flag to exclude CN from SANs
excluded_dns_domains Sequence[str]: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_email_addresses Sequence[str]: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_ip_ranges Sequence[str]: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excluded_uri_domains Sequence[str]: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format str: The format of data
ip_sans Sequence[str]: List of alternative IPs
issuer_ref str: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
issuing_ca str: The issuing CA certificate in the format specified.
key_usages Sequence[str]: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
locality str: The locality
max_path_length int: The maximum path length to encode in the generated certificate
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
not_after str: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
not_before_duration str: Specifies the duration by which to backdate the NotBefore property.
organization str: The organization
other_sans Sequence[str]: List of other SANs
ou str: The organization unit
permitted_dns_domains Sequence[str]: List of domains for which certificates are allowed to be issued
permitted_email_addresses Sequence[str]: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permitted_ip_ranges Sequence[str]: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permitted_uri_domains Sequence[str]: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postal_code str: The postal code
province str: The province
revoke bool: If set to true, the certificate will be revoked on resource destruction.
serial_number str: The certificate's serial number, hex formatted.
signature_bits int: The number of bits to use in the signature algorithm
skid str: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
street_address str: The street address
ttl str: Time to live
uri_sans Sequence[str]: List of alternative URIs
use_csr_values bool: Preserve CSR values
use_pss bool: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

altNames List<String>: List of alternative names
backend String: The PKI secret backend the resource belongs to.
caChains List<String>: A list of the issuing and intermediate CA certificates in the format specified.
certificate String: The intermediate CA certificate in the format specified.
certificateBundle String: The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats.
commonName String: CN of intermediate to create
country String: The country
csr String: The CSR
excludeCnFromSans Boolean: Flag to exclude CN from SANs
excludedDnsDomains List<String>: List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedEmailAddresses List<String>: List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedIpRanges List<String>: List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
excludedUriDomains List<String>: List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
format String: The format of data
ipSans List<String>: List of alternative IPs
issuerRef String: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
issuingCa String: The issuing CA certificate in the format specified.
keyUsages List<String>: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
locality String: The locality
maxPathLength Number: The maximum path length to encode in the generated certificate
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notAfter String: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organization String: The organization
otherSans List<String>: List of other SANs
ou String: The organization unit
permittedDnsDomains List<String>: List of domains for which certificates are allowed to be issued
permittedEmailAddresses List<String>: List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedIpRanges List<String>: List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
permittedUriDomains List<String>: List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
postalCode String: The postal code
province String: The province
revoke Boolean: If set to true, the certificate will be revoked on resource destruction.
serialNumber String: The certificate's serial number, hex formatted.
signatureBits Number: The number of bits to use in the signature algorithm
skid String: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
streetAddress String: The street address
ttl String: Time to live
uriSans List<String>: List of alternative URIs
useCsrValues Boolean: Preserve CSR values
usePss Boolean: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v7.3.1 published on Tuesday, Oct 21, 2025 by Pulumi

pulumi/pulumi-vault

vault.pkiSecret.SecretBackendRootSignIntermediate

On this page

On this page

Example Usage

Create SecretBackendRootSignIntermediate Resource

Constructor syntax

Parameters

Constructor example

SecretBackendRootSignIntermediate Resource Properties

Inputs

Outputs

Look up Existing SecretBackendRootSignIntermediate Resource

Package Details

On this page

On this page