Generates a new self-signed CA certificate and private keys for the PKI Secret Backend.
```hcl
resource "vault_pki_secret_backend_root_cert" "test" {
  depends_on           = [vault_mount.pki]
  backend              = vault_mount.pki.path
  type                 = "internal"
  common_name          = "Root CA"
  ttl                  = "315360000"
  format               = "pem"
  private_key_format   = "der"
  key_type             = "rsa"
  key_bits             = 4096
  exclude_cn_from_sans = true
  ou                   = "My OU"
  organization         = "My organization"
}
```
The following arguments are supported:
- `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- `backend` - (Required) The PKI secret backend the resource belongs to.
- `type` - (Required) Type of intermediate to create. Must be either "exported", "internal" or "kms".
- `common_name` - (Required) CN of intermediate to create.
- `alt_names` - (Optional) List of alternative names.
- `ip_sans` - (Optional) List of alternative IPs.
- `uri_sans` - (Optional) List of alternative URIs.
- `other_sans` - (Optional) List of other SANs.
- `ttl` - (Optional) Time to live.
- `format` - (Optional) The format of data.
- `private_key_format` - (Optional) The private key format.
- `key_type` - (Optional) The desired key type.
- `key_bits` - (Optional) The number of bits to use.
- `max_path_length` - (Optional) The maximum path length to encode in the generated certificate.
- `exclude_cn_from_sans` - (Optional) Flag to exclude CN from SANs.
- `permitted_dns_domains` - (Optional) List of domains for which certificates are allowed to be issued.
- `ou` - (Optional) The organization unit.
- `organization` - (Optional) The organization.
- `country` - (Optional) The country.
- `locality` - (Optional) The locality.
- `province` - (Optional) The province.
- `street_address` - (Optional) The street address.
- `postal_code` - (Optional) The postal code.
- `managed_key_name` - (Optional) The name of the previously configured managed key. This field is required if `type` is `kms`, and it conflicts with `managed_key_id`.
- `managed_key_id` - (Optional) The ID of the previously configured managed key. This field is required if `type` is `kms`, and it conflicts with `managed_key_name`.
- `issuer_name` - (Optional) Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value `default`.
- `key_name` - (Optional) When a new key is created with this request, optionally specifies the name for this. The global ref `default` may not be used as a name.
- `key_ref` - (Optional) Specifies the key (either `default`, by name, or by identifier) to use for generating this request. Only suitable for `type=existing` requests.
In addition to the fields above, the following attributes are exported:
- `certificate` - The certificate.
- `issuing_ca` - The issuing CA certificate.
- `serial_number` - The certificate's serial number, hex formatted.
- `issuer_id` - The ID of the generated issuer.
- `key_id` - The ID of the generated key.
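The following is an added example, not part of the provider's documentation, that combines the arguments above into a root CA whose subordinates are confined by name constraints and path length, and surfaces the exported attributes as Terraform outputs. The `vault_mount` arguments, the names `example.com`, `root-2024` and `root-key-2024`, and the subject values are assumptions for illustration.

```hcl
# Added example (not from the provider docs): an internal root CA that may only
# anchor certificates under one DNS domain and at most one level of subordinate
# CA. The vault_mount arguments are assumed from the provider's mount resource.
resource "vault_mount" "pki" {
  path                  = "pki"
  type                  = "pki"
  description           = "Root CA"
  max_lease_ttl_seconds = 315360000 # 10 years; should be at least the root's ttl
}

resource "vault_pki_secret_backend_root_cert" "root" {
  depends_on = [vault_mount.pki]
  backend    = vault_mount.pki.path

  # "internal" generates the key inside Vault; Vault never returns it.
  type        = "internal"
  common_name = "Example Root CA"
  ttl         = "315360000"
  key_type    = "rsa"
  key_bits    = 4096

  # Name constraints and path length bound what a compromised or misconfigured
  # subordinate can do: only names under example.com, and no further CA below it.
  permitted_dns_domains = ["example.com"]
  max_path_length       = 1
  exclude_cn_from_sans  = true

  # Stable, unique names so later resources can refer to this issuer and key
  # by name instead of by generated ID ("default" is reserved and not allowed).
  issuer_name = "root-2024"
  key_name    = "root-key-2024"

  organization = "Example Org"
  ou           = "Security"
  country      = "US"
}

# Exported attributes made available to other modules, e.g. for distributing
# the trust anchor or pinning the issuer in downstream PKI configuration.
output "root_ca_certificate" {
  value = vault_pki_secret_backend_root_cert.root.certificate
}

output "root_ca_serial_number" {
  value = vault_pki_secret_backend_root_cert.root.serial_number
}

output "root_issuer_id" {
  value = vault_pki_secret_backend_root_cert.root.issuer_id
}
```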