Signs a new certificate from the supplied CSR and request parameters using the PKI secrets engine's `sign/:role_name` endpoint. Because the requester submits only a CSR, the private key never leaves the requester; Vault sees just the public key and the role constrains what it will sign. The CSR and the signed certificate end up in Terraform state, but no private key does.
```hcl
resource "vault_pki_secret_backend_sign" "test" {
  depends_on = [vault_pki_secret_backend_role.admin]
  backend    = vault_mount.pki.path
  name       = vault_pki_secret_backend_role.admin.name
  csr        = <<EOT
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
EOT
  common_name = "test.my.domain"
}
```
The following arguments are supported:

* `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
* `backend` - (Required) The path of the PKI secret backend the resource belongs to.
* `name` - (Required) Name of the role to sign the certificate against. The role's `allowed_domains`, `max_ttl`, key usage and SAN settings bound what Vault will sign, so the requester cannot obtain a certificate the role does not permit.
* `csr` - (Required) The PEM-encoded certificate signing request. Only the public key is taken from it; whether the CSR's own subject and SANs are used is governed by the role's `use_csr_common_name` and `use_csr_sans` settings (both true by default in Vault), in which case the `common_name` and SAN arguments below are ignored in favour of what the CSR carries.
* `common_name` - (Required) CN of the certificate to create. Must be allowed by the role.
* `alt_names` - (Optional) List of DNS or email subject alternative names.
* `other_sans` - (Optional) List of other SANs, in Vault's `<oid>;UTF8:<value>` form.
* `ip_sans` - (Optional) List of IP address SANs. The role must permit IP SANs.
* `uri_sans` - (Optional) List of URI SANs.
* `ttl` - (Optional) Requested time to live, e.g. `"168h"`. If omitted, the role's `ttl` is used; the request cannot exceed the role's `max_ttl`.
* `format` - (Optional) The format of the returned data: `pem`, `der` or `pem_bundle`. Defaults to `pem`.
* `exclude_cn_from_sans` - (Optional) If true, the CN is not also added to the SAN list. By default Vault adds the CN as a DNS or email SAN.
* `min_seconds_remaining` - (Optional) Generate a new certificate when the expiration is within this number of seconds. Defaults to `604800` (7 days).
* `auto_renew` - (Optional) If set to `true`, the certificate will be re-signed when its expiration is within `min_seconds_remaining`. Defaults to `false`.
* `issuer_ref` - (Optional) Specifies the default issuer of this request. Can be the value `default`, a name, or an issuer ID. Use ACLs to deny access to the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths so that callers cannot override the role's `issuer_ref` value by addressing an issuer directly.
In addition to the fields above, the following attributes are exported:

* `certificate` - The signed certificate, in the requested `format`.
* `issuing_ca` - The issuing CA certificate.
* `ca_chain` - The CA chain.
* `serial_number` - The certificate's serial number, hex formatted.
* `expiration` - The expiration date of the certificate in unix epoch format.
* `renew_pending` - `true` if the current time (during refresh) is after the start of the early renewal window declared by `min_seconds_remaining`, and `false` otherwise; if `auto_renew` is set to `true` then the provider will plan to replace the certificate once renewal is pending.
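The following end-to-end configuration is an added example, not from the provider documentation: it mounts a PKI engine, creates a root and a role, generates the private key and CSR on the Terraform side with the `tls` provider (so Vault never handles the key), signs the CSR with the arguments described above, and writes a Vault policy that only allows the role's `sign` path and denies the per-issuer paths that would let a caller override `issuer_ref`. Names such as `server`, `my.domain`, the IP address and the policy name are illustrative assumptions; the provider blocks for `vault` and `tls` are assumed to be configured elsewhere.

```hcl
# Added example (not from the provider docs). Assumes configured `vault` and
# `tls` providers; resource names, domains and addresses are illustrative.

resource "vault_mount" "pki" {
  path                      = "pki"
  type                      = "pki"
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 86400 * 365
}

resource "vault_pki_secret_backend_root_cert" "root" {
  backend     = vault_mount.pki.path
  type        = "internal"          # key stays inside Vault
  common_name = "Example Root CA"
  ttl         = "8760h"
}

# The role is the policy boundary: only names under my.domain, at most 30 days,
# and (for this example) SANs/CN are taken from the request args, not the CSR.
resource "vault_pki_secret_backend_role" "server" {
  backend             = vault_mount.pki.path
  name                = "server"
  allowed_domains     = ["my.domain"]
  allow_subdomains    = true
  allow_ip_sans       = true
  max_ttl             = "720h"
  use_csr_common_name = false
  use_csr_sans        = false
}

# Private key generated on the Terraform side; Vault only ever sees the CSR.
resource "tls_private_key" "web" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_cert_request" "web" {
  private_key_pem = tls_private_key.web.private_key_pem
  subject {
    common_name = "test.my.domain"
  }
}

resource "vault_pki_secret_backend_sign" "web" {
  depends_on = [
    vault_pki_secret_backend_role.server,
    vault_pki_secret_backend_root_cert.root,
  ]
  backend     = vault_mount.pki.path
  name        = vault_pki_secret_backend_role.server.name
  csr         = tls_cert_request.web.cert_request_pem
  common_name = "test.my.domain"
  alt_names   = ["test.my.domain", "www.my.domain"]
  ip_sans     = ["10.0.0.10"]          # assumed address, allowed by allow_ip_sans
  ttl         = "168h"                 # must not exceed the role's max_ttl
  format      = "pem"
  issuer_ref  = "default"

  # Re-sign when less than a day of validity remains.
  auto_renew            = true
  min_seconds_remaining = 86400
}

# Policy for whatever identity runs this Terraform: it may sign through the
# role path only. The per-issuer sign/issue paths are denied so issuer_ref
# cannot be overridden by addressing an issuer directly.
resource "vault_policy" "signer" {
  name   = "pki-signer"
  policy = <<-EOT
    path "pki/sign/server" {
      capabilities = ["update"]
    }
    path "pki/issuer/+/sign/+" {
      capabilities = ["deny"]
    }
    path "pki/issuer/+/issue/+" {
      capabilities = ["deny"]
    }
  EOT
}

output "web_certificate_pem" {
  value = vault_pki_secret_backend_sign.web.certificate
}

output "web_ca_chain" {
  value = vault_pki_secret_backend_sign.web.ca_chain
}

output "web_expiration_epoch" {
  value = vault_pki_secret_backend_sign.web.expiration
}
```

After `terraform apply`, the private key lives only in `tls_private_key.web` (and therefore in state, which must be protected accordingly), while the Vault token used by the provider needs nothing beyond the `pki-signer` policy to keep the certificate renewed. With `auto_renew = true`, a later `terraform plan` run inside the final day of validity shows `renew_pending = true` and a replacement of the sign resource.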