Generates a new private key and a CSR for signing the PKI Secret Backend.
resource "vault_pki_secret_backend_intermediate_cert_request" "test" {
  depends_on  = [vault_mount.pki]
  backend     = vault_mount.pki.path
  type        = "internal"
  common_name = "app.my.domain"
}
The following arguments are supported:
namespace - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
backend - (Required) The PKI secret backend the resource belongs to.
type - (Required) Type of intermediate to create. Must be one of "exported", "internal" or "kms".
common_name - (Required) CN of intermediate to create
alt_names - (Optional) List of alternative names
ip_sans - (Optional) List of alternative IPs
uri_sans - (Optional) List of alternative URIs
other_sans - (Optional) List of other SANs
format - (Optional) The format of data
private_key_format - (Optional) The private key format
key_type - (Optional) The desired key type
key_bits - (Optional) The number of bits to use
exclude_cn_from_sans - (Optional) Flag to exclude CN from SANs
ou - (Optional) The organization unit
organization - (Optional) The organization
country - (Optional) The country
locality - (Optional) The locality
province - (Optional) The province
street_address - (Optional) The street address
postal_code - (Optional) The postal code
managed_key_name - (Optional) The name of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_id
managed_key_id - (Optional) The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_name
add_basic_constraints - (Optional) Adds a Basic Constraints extension with 'CA: true'. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services
key_name - (Optional) When a new key is created with this request, optionally specifies the name for this key. The global ref "default" may not be used as a name.
key_ref - (Optional) Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests.
In addition to the fields above, the following attributes are exported:
csr - The CSR
private_key - The private key
private_key_type - The private key type
serial_number - The serial number
key_id - The ID of the generated key.
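
An added example, not taken from the provider documentation, showing one way the exported csr attribute is consumed: a root mount signs the request and the signed certificate is imported back into the intermediate mount. The mount paths, resource labels and common names are placeholders; vault_mount, vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate and vault_pki_secret_backend_intermediate_set_signed are other resources of the same provider that this page does not describe.

```hcl
# Placeholder mounts: one for the root CA, one for the intermediate CA.
resource "vault_mount" "pki_root" {
  path = "pki-root"
  type = "pki"
}

resource "vault_mount" "pki_int" {
  path = "pki-int"
  type = "pki"
}

# Root CA whose key is generated inside Vault.
resource "vault_pki_secret_backend_root_cert" "root" {
  backend     = vault_mount.pki_root.path
  type        = "internal"
  common_name = "Example Root CA"
}

# The resource documented on this page. With type = "internal" the key pair
# is generated inside Vault and only the CSR is handed back to Terraform.
resource "vault_pki_secret_backend_intermediate_cert_request" "int" {
  backend     = vault_mount.pki_int.path
  type        = "internal"
  common_name = "Example Intermediate CA"
  key_type    = "ec"
  key_bits    = 256
}

# The root mount signs the CSR exported by the request above.
resource "vault_pki_secret_backend_root_sign_intermediate" "int" {
  backend     = vault_mount.pki_root.path
  csr         = vault_pki_secret_backend_intermediate_cert_request.int.csr
  common_name = "Example Intermediate CA"
}

# The signed certificate is imported into the intermediate mount,
# which can then issue certificates with the key it generated.
resource "vault_pki_secret_backend_intermediate_set_signed" "int" {
  backend     = vault_mount.pki_int.path
  certificate = vault_pki_secret_backend_root_sign_intermediate.int.certificate
}
```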