Resource: azuread_application_certificate

Manages a certificate associated with an application within Azure Active Directory. These are also referred to as client certificates during authentication.

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: Application.ReadWrite.OwnedBy or Application.ReadWrite.All

When authenticated with a user principal, this resource may require one of the following directory roles: Application Administrator or Global Administrator

Example Usage

Using a PEM certificate

resource "azuread_application_registration" "example" {
  display_name = "example"
}

resource "azuread_application_certificate" "example" {
  application_id = azuread_application_registration.example.id
  type           = "AsymmetricX509Cert"
  value          = file("cert.pem")
  end_date       = "2021-05-01T01:02:03Z"
}

Using a DER certificate

resource "azuread_application_registration" "example" {
  display_name = "example"
}

resource "azuread_application_certificate" "example" {
  application_id = azuread_application_registration.example.id
  type           = "AsymmetricX509Cert"
  encoding       = "base64"
  value          = base64encode(file("cert.der"))
  end_date       = "2021-05-01T01:02:03Z"
}

Using a certificate from Azure Key Vault

resource "azurerm_key_vault_certificate" "example" {
  name         = "generated-cert"
  key_vault_id = azurerm_key_vault.example.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      extended_key_usage = ["1.3.6.1.5.5.7.3.2"]

      key_usage = [
        "dataEncipherment",
        "digitalSignature",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject_alternative_names {
        dns_names = ["internal.contoso.com", "domain.hello.world"]
      }

      # azuread_application exposes display_name (there is no name attribute), so reference that here
      subject            = "CN=${azuread_application.example.display_name}"
      validity_in_months = 12
    }
  }
}

resource "azuread_application" "example" {
  display_name = "example"
}

resource "azuread_application_certificate" "example" {
  application_id = azuread_application.example.id
  type           = "AsymmetricX509Cert"
  encoding       = "hex"
  value          = azurerm_key_vault_certificate.example.certificate_data
  end_date       = azurerm_key_vault_certificate.example.certificate_attribute[0].expires
  start_date     = azurerm_key_vault_certificate.example.certificate_attribute[0].not_before
}
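The three examples above feed the same certificate to the resource in three shapes: the PEM text itself (with `encoding` left at its default), the DER bytes wrapped in `base64encode()`, and the hex string that `azurerm_key_vault_certificate.certificate_data` returns. The script below is an added example, not part of the provider's documentation or code; it uses only the Python standard library to convert one certificate into those three `value` forms, reads notBefore/notAfter straight out of the DER with a minimal ASN.1 walk, and checks a hand-written `end_date` (in the `2021-05-01T01:02:03Z` form the examples use) against the certificate's own validity. The certificate it builds with `build_sample_cert_der` is a constructed, unsigned X.509 skeleton (placeholder key and signature) so the script runs offline; with a real certificate you would read the PEM file and pass it through `pem_to_der`. The function names and the sample dates are this example's own, not the provider's.

```python
# Added example (not provider code): sanity-check azuread_application_certificate inputs, stdlib only.
import base64
from datetime import datetime, timezone

PEM_HEADER, PEM_FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
RFC3339 = "%Y-%m-%dT%H:%M:%SZ"  # the end_date / start_date format used in the examples


def _tlv(tag, body):
    """Encode one DER tag-length-value element (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length octets, followed by the length itself
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Decode the DER element at pos -> (tag, value bytes, position after the element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, raw):
    """X.509 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) -> aware UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years 50..99 mean 19xx, 00..49 mean 20xx
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _from_rfc3339(text):
    return datetime.strptime(text, RFC3339).replace(tzinfo=timezone.utc)


def rfc3339(dt):
    return dt.astimezone(timezone.utc).strftime(RFC3339)


def certificate_validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter) as RFC 3339 strings."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, pos = _read_tlv(tbs, 0)            # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)        # serialNumber
    _, _, pos = _read_tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)            # issuer Name
    tag, validity, _ = _read_tlv(tbs, pos)     # validity SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    t1, nb, pos = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, pos)
    return rfc3339(_parse_time(t1, nb)), rfc3339(_parse_time(t2, na))


def pem_to_der(pem):
    """Strip the PEM armour (what file("cert.pem") hands to the provider) down to DER bytes."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not a PEM CERTIFICATE block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def terraform_values(der):
    """The (value, encoding) forms used by the three examples, all derived from one DER certificate."""
    b64 = base64.b64encode(der).decode()
    return {
        "pem": f"{PEM_HEADER}\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n{PEM_FOOTER}\n",
        "base64": b64,       # encoding = "base64", value = base64encode(file("cert.der"))
        "hex": der.hex(),    # encoding = "hex", the form Key Vault's certificate_data takes
    }


def check_end_date(der, end_date, now):
    """List the problems with a proposed end_date (both arguments RFC 3339 strings); [] means it is fine."""
    _, not_after = certificate_validity(der)
    try:
        _from_rfc3339(end_date)  # format check; the fixed format then compares chronologically as text
    except ValueError:
        return [f"end_date {end_date!r} is not of the form YYYY-MM-DDTHH:MM:SSZ"]
    problems = []
    if now >= not_after:
        problems.append(f"certificate already expired at {not_after}")
    if end_date > not_after:
        problems.append(f"end_date {end_date} is later than the certificate notAfter {not_after}")
    if end_date <= now:
        problems.append(f"end_date {end_date} is already in the past")
    return problems


def build_sample_cert_der(not_before, not_after):
    """Constructed X.509 v3 skeleton (CN=example, placeholder key and signature) for offline demonstration."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"example"))))
    def utc(s): return _tlv(0x17, _from_rfc3339(s).strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))  # sha256WithRSA
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00" * 33))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg + name
              + _tlv(0x30, utc(not_before) + utc(not_after)) + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 33))


if __name__ == "__main__":
    der = build_sample_cert_der("2024-01-01T00:00:00Z", "2025-01-01T00:00:00Z")
    print(certificate_validity(der), terraform_values(der)["hex"][:32] + "...")
    print(check_end_date(der, "2026-01-01T00:00:00Z", now="2024-06-01T00:00:00Z"))
```

Only the public certificate goes into `value`; the private key stays wherever it was generated (Key Vault, in the third example). Deriving `end_date` and `start_date` from the certificate, as the Key Vault example does through `certificate_attribute[0]`, avoids a credential whose recorded expiry disagrees with the certificate it describes; `check_end_date` catches the two ways a hand-typed date goes wrong (later than notAfter, or already in the past) before `terraform apply` rather than at the first failed client-certificate login.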

Argument Reference

The following arguments are supported:

Attributes Reference

No additional attributes are exported.

Import

Certificates can be imported using the object ID of the associated application and the key ID of the certificate credential, e.g.

terraform import azuread_application_certificate.example 00000000-0000-0000-0000-000000000000/certificate/11111111-1111-1111-1111-111111111111