Generates a certificate from the PKI Secret Backend. The certificate is issued against an existing role of that backend, so the role's constraints (allowed domains, key type, maximum TTL) bound what this resource can request.

```hcl
resource "vault_pki_secret_backend_cert" "app" {
  # Referencing the role's name creates the dependency on the role,
  # so no explicit depends_on is needed.
  backend     = vault_mount.intermediate.path
  name        = vault_pki_secret_backend_role.admin.name
  common_name = "app.my.domain"
}
```
The following arguments are supported:

* `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
* `backend` - (Required) The path of the PKI secret backend the resource belongs to.
* `name` - (Required) Name of the role to create the certificate against.
* `common_name` - (Required) CN of the certificate to create.
* `alt_names` - (Optional) List of alternative names (DNS SANs).
* `ip_sans` - (Optional) List of alternative IPs (IP SANs).
* `uri_sans` - (Optional) List of alternative URIs (URI SANs).
* `other_sans` - (Optional) List of other SANs.
* `user_ids` - (Optional) List of Subject User IDs.
* `ttl` - (Optional) Requested time to live of the certificate. Vault caps the value at the role's maximum TTL.
* `format` - (Optional) The format of the returned data: `pem`, `der` or `pem_bundle`.
* `private_key_format` - (Optional) The private key format: `der` or `pkcs8`.
* `exclude_cn_from_sans` - (Optional) Flag to exclude the CN from the SANs. When unset, Vault also places a CN that is a hostname or e-mail address into the DNS or Email SANs.
* `min_seconds_remaining` - (Optional) Generate a new certificate when the expiration is within this number of seconds. Default is `604800` (7 days).
* `auto_renew` - (Optional) If set to `true`, the certificate will be renewed (replaced) when its expiration is within `min_seconds_remaining`. Default `false`.
* `revoke` - (Optional) If set to `true`, the certificate will be revoked on resource destruction.
In addition to the fields above, the following attributes are exported:

* `certificate` - The certificate.
* `issuing_ca` - The issuing CA.
* `ca_chain` - The CA chain.
* `private_key` - The private key. Like every exported attribute it is stored in Terraform state, so the state backend must be protected as secret material.
* `private_key_type` - The private key type.
* `serial_number` - The serial number.
* `expiration` - The expiration date of the certificate in unix epoch format.
* `renew_pending` - `true` if the current time (during refresh) is after the start of the early renewal window declared by `min_seconds_remaining`, and `false` otherwise; if `auto_renew` is set to `true` then the provider will plan to replace the certificate once renewal is pending.
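The following is an added, self-contained example (not taken from the provider documentation or the provider's own test suite) that puts the arguments above together: a root PKI mount, a tightly scoped role, and a short-lived leaf certificate that Terraform replaces inside the early-renewal window and revokes on destroy. The mount path, role name, hostnames, IP and output paths are hypothetical, and it assumes a `provider "vault"` block configured elsewhere with a token permitted to manage the mount.

```hcl
# Added example, not part of the provider documentation. All names are hypothetical.
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
    local = { source = "hashicorp/local" }
  }
}

resource "vault_mount" "pki" {
  path                      = "pki"
  type                      = "pki"
  default_lease_ttl_seconds = 86400     # 1 day default for issued certs
  max_lease_ttl_seconds     = 315360000 # 10 years, needed only for the CA itself
}

# Internal root CA: the CA private key is generated inside Vault and never exported.
resource "vault_pki_secret_backend_root_cert" "root" {
  backend     = vault_mount.pki.path
  type        = "internal"
  common_name = "Example Internal Root CA"
  ttl         = "87600h"
}

# The role bounds what leaf certificates may be requested: one domain and its
# subdomains, no bare or wildcard names, a short maximum TTL, and EC P-256 keys.
resource "vault_pki_secret_backend_role" "app" {
  backend                     = vault_mount.pki.path
  name                        = "app"
  allowed_domains             = ["my.domain"]
  allow_subdomains            = true
  allow_bare_domains          = false
  allow_wildcard_certificates = false
  allow_ip_sans               = true
  key_type                    = "ec"
  key_bits                    = 256
  max_ttl                     = "720h"
  server_flag                 = true
  client_flag                 = false
}

resource "vault_pki_secret_backend_cert" "app" {
  # The root certificate must exist before issuance; the role reference alone
  # does not order this resource after vault_pki_secret_backend_root_cert.
  depends_on = [vault_pki_secret_backend_root_cert.root]

  backend     = vault_mount.pki.path
  name        = vault_pki_secret_backend_role.app.name
  common_name = "app.my.domain"
  alt_names   = ["app-internal.my.domain"]
  ip_sans     = ["10.0.0.10"]
  ttl         = "168h" # 7 days; anything above the role's max_ttl is capped by Vault

  format             = "pem"
  private_key_format = "pkcs8"

  # Plan a replacement once fewer than 2 days remain, and revoke the old
  # certificate when the resource is replaced or destroyed.
  min_seconds_remaining = 172800
  auto_renew            = true
  revoke                = true
}

# Hand the PEM material to the application. The private key is also held in
# Terraform state, so the state backend needs the same protection as this file.
resource "local_sensitive_file" "app_key" {
  filename        = "${path.module}/out/app.key"
  content         = vault_pki_secret_backend_cert.app.private_key
  file_permission = "0600"
}

resource "local_file" "app_cert" {
  filename        = "${path.module}/out/app.crt"
  content         = "${vault_pki_secret_backend_cert.app.certificate}\n${vault_pki_secret_backend_cert.app.issuing_ca}"
  file_permission = "0644"
}

output "app_cert_serial" {
  value = vault_pki_secret_backend_cert.app.serial_number
}

output "app_cert_renew_pending" {
  value = vault_pki_secret_backend_cert.app.renew_pending
}
```

Run `terraform plan` again once the certificate is inside the last 2 days of its life: `renew_pending` flips to `true` and, because `auto_renew` is set, the plan shows the resource being replaced; with `revoke = true` the superseded serial is revoked at the same time. Setting `min_seconds_remaining` to at least the interval at which the plan is actually run is what keeps the certificate from expiring between runs.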