Docs Home
HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi
vault.pkiSecret.SecretBackendRootCert
Explore with Pulumi AI
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const test = new vault.pkisecret.SecretBackendRootCert("test", {
backend: pki.path,
type: "internal",
commonName: "Root CA",
ttl: "315360000",
format: "pem",
privateKeyFormat: "der",
keyType: "rsa",
keyBits: 4096,
excludeCnFromSans: true,
ou: "My OU",
organization: "My organization",
}, {
dependsOn: [pki],
});
import pulumi
import pulumi_vault as vault
test = vault.pki_secret.SecretBackendRootCert("test",
backend=pki["path"],
type="internal",
common_name="Root CA",
ttl="315360000",
format="pem",
private_key_format="der",
key_type="rsa",
key_bits=4096,
exclude_cn_from_sans=True,
ou="My OU",
organization="My organization",
opts = pulumi.ResourceOptions(depends_on=[pki]))
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := pkisecret.NewSecretBackendRootCert(ctx, "test", &pkisecret.SecretBackendRootCertArgs{
Backend: pulumi.Any(pki.Path),
Type: pulumi.String("internal"),
CommonName: pulumi.String("Root CA"),
Ttl: pulumi.String("315360000"),
Format: pulumi.String("pem"),
PrivateKeyFormat: pulumi.String("der"),
KeyType: pulumi.String("rsa"),
KeyBits: pulumi.Int(4096),
ExcludeCnFromSans: pulumi.Bool(true),
Ou: pulumi.String("My OU"),
Organization: pulumi.String("My organization"),
}, pulumi.DependsOn([]pulumi.Resource{
pki,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var test = new Vault.PkiSecret.SecretBackendRootCert("test", new()
{
Backend = pki.Path,
Type = "internal",
CommonName = "Root CA",
Ttl = "315360000",
Format = "pem",
PrivateKeyFormat = "der",
KeyType = "rsa",
KeyBits = 4096,
ExcludeCnFromSans = true,
Ou = "My OU",
Organization = "My organization",
}, new CustomResourceOptions
{
DependsOn =
{
pki,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.pkiSecret.SecretBackendRootCert;
import com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new SecretBackendRootCert("test", SecretBackendRootCertArgs.builder()
.backend(pki.path())
.type("internal")
.commonName("Root CA")
.ttl("315360000")
.format("pem")
.privateKeyFormat("der")
.keyType("rsa")
.keyBits(4096)
.excludeCnFromSans(true)
.ou("My OU")
.organization("My organization")
.build(), CustomResourceOptions.builder()
.dependsOn(pki)
.build());
}
}
resources:
test:
type: vault:pkiSecret:SecretBackendRootCert
properties:
backend: ${pki.path}
type: internal
commonName: Root CA
ttl: '315360000'
format: pem
privateKeyFormat: der
keyType: rsa
keyBits: 4096
excludeCnFromSans: true
ou: My OU
organization: My organization
options:
dependsOn:
- ${pki}
Create SecretBackendRootCert Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecretBackendRootCert(name: string, args: SecretBackendRootCertArgs, opts?: CustomResourceOptions);@overload
def SecretBackendRootCert(resource_name: str,
args: SecretBackendRootCertArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SecretBackendRootCert(resource_name: str,
opts: Optional[ResourceOptions] = None,
type: Optional[str] = None,
backend: Optional[str] = None,
common_name: Optional[str] = None,
managed_key_name: Optional[str] = None,
ip_sans: Optional[Sequence[str]] = None,
excluded_dns_domains: Optional[Sequence[str]] = None,
excluded_email_addresses: Optional[Sequence[str]] = None,
max_path_length: Optional[int] = None,
excluded_uri_domains: Optional[Sequence[str]] = None,
format: Optional[str] = None,
namespace: Optional[str] = None,
issuer_name: Optional[str] = None,
not_after: Optional[str] = None,
key_name: Optional[str] = None,
key_ref: Optional[str] = None,
key_type: Optional[str] = None,
locality: Optional[str] = None,
managed_key_id: Optional[str] = None,
alt_names: Optional[Sequence[str]] = None,
excluded_ip_ranges: Optional[Sequence[str]] = None,
exclude_cn_from_sans: Optional[bool] = None,
key_bits: Optional[int] = None,
organization: Optional[str] = None,
other_sans: Optional[Sequence[str]] = None,
ou: Optional[str] = None,
permitted_dns_domains: Optional[Sequence[str]] = None,
permitted_email_addresses: Optional[Sequence[str]] = None,
permitted_ip_ranges: Optional[Sequence[str]] = None,
permitted_uri_domains: Optional[Sequence[str]] = None,
postal_code: Optional[str] = None,
private_key_format: Optional[str] = None,
province: Optional[str] = None,
signature_bits: Optional[int] = None,
street_address: Optional[str] = None,
ttl: Optional[str] = None,
country: Optional[str] = None,
uri_sans: Optional[Sequence[str]] = None)func NewSecretBackendRootCert(ctx *Context, name string, args SecretBackendRootCertArgs, opts ...ResourceOption) (*SecretBackendRootCert, error)public SecretBackendRootCert(string name, SecretBackendRootCertArgs args, CustomResourceOptions? opts = null)public SecretBackendRootCert(String name, SecretBackendRootCertArgs args)
public SecretBackendRootCert(String name, SecretBackendRootCertArgs args, CustomResourceOptions options)
type: vault:pkiSecret:SecretBackendRootCert
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name
This property is required. string - The unique name of the resource.
- args
This property is required. SecretBackendRootCertArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name
This property is required. str - The unique name of the resource.
- args
This property is required. SecretBackendRootCertArgs - The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. SecretBackendRootCertArgs - The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. SecretBackendRootCertArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name
This property is required. String - The unique name of the resource.
- args
This property is required. SecretBackendRootCertArgs - The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var secretBackendRootCertResource = new Vault.PkiSecret.SecretBackendRootCert("secretBackendRootCertResource", new()
{
Type = "string",
Backend = "string",
CommonName = "string",
ManagedKeyName = "string",
IpSans = new[]
{
"string",
},
ExcludedDnsDomains = new[]
{
"string",
},
ExcludedEmailAddresses = new[]
{
"string",
},
MaxPathLength = 0,
ExcludedUriDomains = new[]
{
"string",
},
Format = "string",
Namespace = "string",
IssuerName = "string",
NotAfter = "string",
KeyName = "string",
KeyRef = "string",
KeyType = "string",
Locality = "string",
ManagedKeyId = "string",
AltNames = new[]
{
"string",
},
ExcludedIpRanges = new[]
{
"string",
},
ExcludeCnFromSans = false,
KeyBits = 0,
Organization = "string",
OtherSans = new[]
{
"string",
},
Ou = "string",
PermittedDnsDomains = new[]
{
"string",
},
PermittedEmailAddresses = new[]
{
"string",
},
PermittedIpRanges = new[]
{
"string",
},
PermittedUriDomains = new[]
{
"string",
},
PostalCode = "string",
PrivateKeyFormat = "string",
Province = "string",
SignatureBits = 0,
StreetAddress = "string",
Ttl = "string",
Country = "string",
UriSans = new[]
{
"string",
},
});
example, err := pkiSecret.NewSecretBackendRootCert(ctx, "secretBackendRootCertResource", &pkiSecret.SecretBackendRootCertArgs{
Type: pulumi.String("string"),
Backend: pulumi.String("string"),
CommonName: pulumi.String("string"),
ManagedKeyName: pulumi.String("string"),
IpSans: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedDnsDomains: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedEmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
MaxPathLength: pulumi.Int(0),
ExcludedUriDomains: pulumi.StringArray{
pulumi.String("string"),
},
Format: pulumi.String("string"),
Namespace: pulumi.String("string"),
IssuerName: pulumi.String("string"),
NotAfter: pulumi.String("string"),
KeyName: pulumi.String("string"),
KeyRef: pulumi.String("string"),
KeyType: pulumi.String("string"),
Locality: pulumi.String("string"),
ManagedKeyId: pulumi.String("string"),
AltNames: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
ExcludeCnFromSans: pulumi.Bool(false),
KeyBits: pulumi.Int(0),
Organization: pulumi.String("string"),
OtherSans: pulumi.StringArray{
pulumi.String("string"),
},
Ou: pulumi.String("string"),
PermittedDnsDomains: pulumi.StringArray{
pulumi.String("string"),
},
PermittedEmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
PermittedIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
PermittedUriDomains: pulumi.StringArray{
pulumi.String("string"),
},
PostalCode: pulumi.String("string"),
PrivateKeyFormat: pulumi.String("string"),
Province: pulumi.String("string"),
SignatureBits: pulumi.Int(0),
StreetAddress: pulumi.String("string"),
Ttl: pulumi.String("string"),
Country: pulumi.String("string"),
UriSans: pulumi.StringArray{
pulumi.String("string"),
},
})
var secretBackendRootCertResource = new SecretBackendRootCert("secretBackendRootCertResource", SecretBackendRootCertArgs.builder()
.type("string")
.backend("string")
.commonName("string")
.managedKeyName("string")
.ipSans("string")
.excludedDnsDomains("string")
.excludedEmailAddresses("string")
.maxPathLength(0)
.excludedUriDomains("string")
.format("string")
.namespace("string")
.issuerName("string")
.notAfter("string")
.keyName("string")
.keyRef("string")
.keyType("string")
.locality("string")
.managedKeyId("string")
.altNames("string")
.excludedIpRanges("string")
.excludeCnFromSans(false)
.keyBits(0)
.organization("string")
.otherSans("string")
.ou("string")
.permittedDnsDomains("string")
.permittedEmailAddresses("string")
.permittedIpRanges("string")
.permittedUriDomains("string")
.postalCode("string")
.privateKeyFormat("string")
.province("string")
.signatureBits(0)
.streetAddress("string")
.ttl("string")
.country("string")
.uriSans("string")
.build());
secret_backend_root_cert_resource = vault.pki_secret.SecretBackendRootCert("secretBackendRootCertResource",
type="string",
backend="string",
common_name="string",
managed_key_name="string",
ip_sans=["string"],
excluded_dns_domains=["string"],
excluded_email_addresses=["string"],
max_path_length=0,
excluded_uri_domains=["string"],
format="string",
namespace="string",
issuer_name="string",
not_after="string",
key_name="string",
key_ref="string",
key_type="string",
locality="string",
managed_key_id="string",
alt_names=["string"],
excluded_ip_ranges=["string"],
exclude_cn_from_sans=False,
key_bits=0,
organization="string",
other_sans=["string"],
ou="string",
permitted_dns_domains=["string"],
permitted_email_addresses=["string"],
permitted_ip_ranges=["string"],
permitted_uri_domains=["string"],
postal_code="string",
private_key_format="string",
province="string",
signature_bits=0,
street_address="string",
ttl="string",
country="string",
uri_sans=["string"])
const secretBackendRootCertResource = new vault.pkisecret.SecretBackendRootCert("secretBackendRootCertResource", {
type: "string",
backend: "string",
commonName: "string",
managedKeyName: "string",
ipSans: ["string"],
excludedDnsDomains: ["string"],
excludedEmailAddresses: ["string"],
maxPathLength: 0,
excludedUriDomains: ["string"],
format: "string",
namespace: "string",
issuerName: "string",
notAfter: "string",
keyName: "string",
keyRef: "string",
keyType: "string",
locality: "string",
managedKeyId: "string",
altNames: ["string"],
excludedIpRanges: ["string"],
excludeCnFromSans: false,
keyBits: 0,
organization: "string",
otherSans: ["string"],
ou: "string",
permittedDnsDomains: ["string"],
permittedEmailAddresses: ["string"],
permittedIpRanges: ["string"],
permittedUriDomains: ["string"],
postalCode: "string",
privateKeyFormat: "string",
province: "string",
signatureBits: 0,
streetAddress: "string",
ttl: "string",
country: "string",
uriSans: ["string"],
});
type: vault:pkiSecret:SecretBackendRootCert
properties:
altNames:
- string
backend: string
commonName: string
country: string
excludeCnFromSans: false
excludedDnsDomains:
- string
excludedEmailAddresses:
- string
excludedIpRanges:
- string
excludedUriDomains:
- string
format: string
ipSans:
- string
issuerName: string
keyBits: 0
keyName: string
keyRef: string
keyType: string
locality: string
managedKeyId: string
managedKeyName: string
maxPathLength: 0
namespace: string
notAfter: string
organization: string
otherSans:
- string
ou: string
permittedDnsDomains:
- string
permittedEmailAddresses:
- string
permittedIpRanges:
- string
permittedUriDomains:
- string
postalCode: string
privateKeyFormat: string
province: string
signatureBits: 0
streetAddress: string
ttl: string
type: string
uriSans:
- string
SecretBackendRootCert Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SecretBackendRootCert resource accepts the following input properties:
- Backend
string
This property is required. 
Changes to this property will trigger replacement. - The PKI secret backend the resource belongs to.
- Common
Name stringThis property is required. Changes to this property will trigger replacement. - CN of intermediate to create
- Type
string
This property is required. Changes to this property will trigger replacement. - Type of intermediate to create. Must be either "exported", "internal" or "kms"
- Alt
Names - List of alternative names
- Country
- The country
- Exclude
Cn From Sans - Flag to exclude CN from SANs
- Excluded
Dns Domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Email Addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Ip Ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Uri Domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Format
- The format of data
- Ip
Sans - List of alternative IPs
- Issuer
Name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - Key
Bits - The number of bits to use
- Key
Name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - Key
Ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - Key
Type - The desired key type
- Locality
- The locality
- Managed
Key Id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - Managed
Key Name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - Max
Path Length - The maximum path length to encode in the generated certificate
- Namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Not
After string - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- Organization
- The organization
- Other
Sans - List of other SANs
- Ou
- The organization unit
- Permitted
Dns Domains - List of domains for which certificates are allowed to be issued
- Permitted
Email Addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Permitted
Ip Ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Permitted
Uri Domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Postal
Code - The postal code
- Private
Key Format - The private key format
- Province
- The province
- Signature
Bits int - The number of bits to use in the signature algorithm
- Street
Address - The street address
- Ttl string
- Time to live
- Uri
Sans - List of alternative URIs
- Backend
string
This property is required. Changes to this property will trigger replacement. - The PKI secret backend the resource belongs to.
- Common
Name stringThis property is required. Changes to this property will trigger replacement. - CN of intermediate to create
- Type
string
This property is required. Changes to this property will trigger replacement. - Type of intermediate to create. Must be either "exported", "internal" or "kms"
- Alt
Names - List of alternative names
- Country
- The country
- Exclude
Cn From Sans - Flag to exclude CN from SANs
- Excluded
Dns Domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Email Addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Ip Ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Uri Domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Format
- The format of data
- Ip
Sans - List of alternative IPs
- Issuer
Name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - Key
Bits - The number of bits to use
- Key
Name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - Key
Ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - Key
Type - The desired key type
- Locality
- The locality
- Managed
Key Id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - Managed
Key Name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - Max
Path Length - The maximum path length to encode in the generated certificate
- Namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Not
After string - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- Organization
- The organization
- Other
Sans - List of other SANs
- Ou
- The organization unit
- Permitted
Dns Domains - List of domains for which certificates are allowed to be issued
- Permitted
Email Addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Permitted
Ip Ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Permitted
Uri Domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Postal
Code - The postal code
- Private
Key Format - The private key format
- Province
- The province
- Signature
Bits int - The number of bits to use in the signature algorithm
- Street
Address - The street address
- Ttl string
- Time to live
- Uri
Sans - List of alternative URIs
- backend
String
This property is required. Changes to this property will trigger replacement. - The PKI secret backend the resource belongs to.
- common
Name StringThis property is required. Changes to this property will trigger replacement. - CN of intermediate to create
- type
String
This property is required. Changes to this property will trigger replacement. - Type of intermediate to create. Must be either "exported", "internal" or "kms"
- alt
Names - List of alternative names
- country
- The country
- exclude
Cn From Sans - Flag to exclude CN from SANs
- excluded
Dns Domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Email Addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Ip Ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Uri Domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- format
- The format of data
- ip
Sans - List of alternative IPs
- issuer
Name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - key
Bits - The number of bits to use
- key
Name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - key
Ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - key
Type - The desired key type
- locality
- The locality
- managed
Key Id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - managed
Key Name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - max
Path Length - The maximum path length to encode in the generated certificate
- namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - not
After String - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- organization
- The organization
- other
Sans - List of other SANs
- ou
- The organization unit
- permitted
Dns Domains - List of domains for which certificates are allowed to be issued
- permitted
Email Addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Ip Ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Uri Domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- postal
Code - The postal code
- private
Key Format - The private key format
- province
- The province
- signature
Bits Integer - The number of bits to use in the signature algorithm
- street
Address - The street address
- ttl String
- Time to live
- uri
Sans - List of alternative URIs
- backend
string
This property is required. Changes to this property will trigger replacement. - The PKI secret backend the resource belongs to.
- common
Name stringThis property is required. Changes to this property will trigger replacement. - CN of intermediate to create
- type
string
This property is required. Changes to this property will trigger replacement. - Type of intermediate to create. Must be either "exported", "internal" or "kms"
- alt
Names - List of alternative names
- country
- The country
- exclude
Cn From Sans - Flag to exclude CN from SANs
- excluded
Dns Domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Email Addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Ip Ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Uri Domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- format
- The format of data
- ip
Sans - List of alternative IPs
- issuer
Name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - key
Bits - The number of bits to use
- key
Name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - key
Ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - key
Type - The desired key type
- locality
- The locality
- managed
Key Id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - managed
Key Name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - max
Path Length - The maximum path length to encode in the generated certificate
- namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - not
After string - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- organization
- The organization
- other
Sans - List of other SANs
- ou
- The organization unit
- permitted
Dns Domains - List of domains for which certificates are allowed to be issued
- permitted
Email Addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Ip Ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Uri Domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- postal
Code - The postal code
- private
Key Format - The private key format
- province
- The province
- signature
Bits number - The number of bits to use in the signature algorithm
- street
Address - The street address
- ttl string
- Time to live
- uri
Sans - List of alternative URIs
- backend
str
This property is required. Changes to this property will trigger replacement. - The PKI secret backend the resource belongs to.
- common_
name strThis property is required. Changes to this property will trigger replacement. - CN of intermediate to create
- type
str
This property is required. Changes to this property will trigger replacement. - Type of intermediate to create. Must be either "exported", "internal" or "kms"
- alt_
names - List of alternative names
- country
- The country
- exclude_
cn_ from_ sans - Flag to exclude CN from SANs
- excluded_
dns_ domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded_
email_ addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded_
ip_ ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded_
uri_ domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- format
- The format of data
- ip_
sans - List of alternative IPs
- issuer_
name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - key_
bits - The number of bits to use
- key_
name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - key_
ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - key_
type - The desired key type
- locality
- The locality
- managed_
key_ id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - managed_
key_ name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - max_
path_ length - The maximum path length to encode in the generated certificate
- namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - not_
after str - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- organization
- The organization
- other_
sans - List of other SANs
- ou
- The organization unit
- permitted_
dns_ domains - List of domains for which certificates are allowed to be issued
- permitted_
email_ addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted_
ip_ ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted_
uri_ domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- postal_
code - The postal code
- private_
key_ format - The private key format
- province
- The province
- signature_
bits int - The number of bits to use in the signature algorithm
- street_
address - The street address
- ttl str
- Time to live
- uri_
sans - List of alternative URIs
- backend
String
This property is required. Changes to this property will trigger replacement. - The PKI secret backend the resource belongs to.
- common
Name StringThis property is required. Changes to this property will trigger replacement. - CN of intermediate to create
- type
String
This property is required. Changes to this property will trigger replacement. - Type of intermediate to create. Must be either "exported", "internal" or "kms"
- alt
Names - List of alternative names
- country
- The country
- exclude
Cn From Sans - Flag to exclude CN from SANs
- excluded
Dns Domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Email Addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Ip Ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Uri Domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- format
- The format of data
- ip
Sans - List of alternative IPs
- issuer
Name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - key
Bits - The number of bits to use
- key
Name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - key
Ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - key
Type - The desired key type
- locality
- The locality
- managed
Key Id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - managed
Key Name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - max
Path Length - The maximum path length to encode in the generated certificate
- namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - not
After String - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- organization
- The organization
- other
Sans - List of other SANs
- ou
- The organization unit
- permitted
Dns Domains - List of domains for which certificates are allowed to be issued
- permitted
Email Addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Ip Ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Uri Domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- postal
Code - The postal code
- private
Key Format - The private key format
- province
- The province
- signature
Bits Number - The number of bits to use in the signature algorithm
- street
Address - The street address
- ttl String
- Time to live
- uri
Sans - List of alternative URIs
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackendRootCert resource produces the following output properties:
- Certificate string
- The certificate.
- Id string
- The provider-assigned unique ID for this managed resource.
- Issuer
Id string - The ID of the generated issuer.
- Issuing
Ca string - The issuing CA certificate.
- Key
Id string - The ID of the generated key.
- Serial
Number string - The certificate's serial number, hex formatted.
- Certificate string
- The certificate.
- Id string
- The provider-assigned unique ID for this managed resource.
- Issuer
Id string - The ID of the generated issuer.
- Issuing
Ca string - The issuing CA certificate.
- Key
Id string - The ID of the generated key.
- Serial
Number string - The certificate's serial number, hex formatted.
- certificate String
- The certificate.
- id String
- The provider-assigned unique ID for this managed resource.
- issuer
Id String - The ID of the generated issuer.
- issuing
Ca String - The issuing CA certificate.
- key
Id String - The ID of the generated key.
- serial
Number String - The certificate's serial number, hex formatted.
- certificate string
- The certificate.
- id string
- The provider-assigned unique ID for this managed resource.
- issuer
Id string - The ID of the generated issuer.
- issuing
Ca string - The issuing CA certificate.
- key
Id string - The ID of the generated key.
- serial
Number string - The certificate's serial number, hex formatted.
- certificate str
- The certificate.
- id str
- The provider-assigned unique ID for this managed resource.
- issuer_
id str - The ID of the generated issuer.
- issuing_
ca str - The issuing CA certificate.
- key_
id str - The ID of the generated key.
- serial_
number str - The certificate's serial number, hex formatted.
- certificate String
- The certificate.
- id String
- The provider-assigned unique ID for this managed resource.
- issuer
Id String - The ID of the generated issuer.
- issuing
Ca String - The issuing CA certificate.
- key
Id String - The ID of the generated key.
- serial
Number String - The certificate's serial number, hex formatted.
Look up Existing SecretBackendRootCert Resource
Get an existing SecretBackendRootCert resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretBackendRootCertState, opts?: CustomResourceOptions): SecretBackendRootCert@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
alt_names: Optional[Sequence[str]] = None,
backend: Optional[str] = None,
certificate: Optional[str] = None,
common_name: Optional[str] = None,
country: Optional[str] = None,
exclude_cn_from_sans: Optional[bool] = None,
excluded_dns_domains: Optional[Sequence[str]] = None,
excluded_email_addresses: Optional[Sequence[str]] = None,
excluded_ip_ranges: Optional[Sequence[str]] = None,
excluded_uri_domains: Optional[Sequence[str]] = None,
format: Optional[str] = None,
ip_sans: Optional[Sequence[str]] = None,
issuer_id: Optional[str] = None,
issuer_name: Optional[str] = None,
issuing_ca: Optional[str] = None,
key_bits: Optional[int] = None,
key_id: Optional[str] = None,
key_name: Optional[str] = None,
key_ref: Optional[str] = None,
key_type: Optional[str] = None,
locality: Optional[str] = None,
managed_key_id: Optional[str] = None,
managed_key_name: Optional[str] = None,
max_path_length: Optional[int] = None,
namespace: Optional[str] = None,
not_after: Optional[str] = None,
organization: Optional[str] = None,
other_sans: Optional[Sequence[str]] = None,
ou: Optional[str] = None,
permitted_dns_domains: Optional[Sequence[str]] = None,
permitted_email_addresses: Optional[Sequence[str]] = None,
permitted_ip_ranges: Optional[Sequence[str]] = None,
permitted_uri_domains: Optional[Sequence[str]] = None,
postal_code: Optional[str] = None,
private_key_format: Optional[str] = None,
province: Optional[str] = None,
serial_number: Optional[str] = None,
signature_bits: Optional[int] = None,
street_address: Optional[str] = None,
ttl: Optional[str] = None,
type: Optional[str] = None,
uri_sans: Optional[Sequence[str]] = None) -> SecretBackendRootCertfunc GetSecretBackendRootCert(ctx *Context, name string, id IDInput, state *SecretBackendRootCertState, opts ...ResourceOption) (*SecretBackendRootCert, error)public static SecretBackendRootCert Get(string name, Input<string> id, SecretBackendRootCertState? state, CustomResourceOptions? opts = null)public static SecretBackendRootCert get(String name, Output<String> id, SecretBackendRootCertState state, CustomResourceOptions options)resources: _: type: vault:pkiSecret:SecretBackendRootCert get: id: ${id}- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Alt
Names - List of alternative names
- Backend
- The PKI secret backend the resource belongs to.
- Certificate string
- The certificate.
- Common
Name - CN of intermediate to create
- Country
- The country
- Exclude
Cn From Sans - Flag to exclude CN from SANs
- Excluded
Dns Domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Email Addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Ip Ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Uri Domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Format
- The format of data
- Ip
Sans - List of alternative IPs
- Issuer
Id - The ID of the generated issuer.
- Issuer
Name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - Issuing
Ca string - The issuing CA certificate.
- Key
Bits - The number of bits to use
- Key
Id - The ID of the generated key.
- Key
Name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - Key
Ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - Key
Type - The desired key type
- Locality
- The locality
- Managed
Key Id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - Managed
Key Name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - Max
Path Length - The maximum path length to encode in the generated certificate
- Namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Not
After string - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- Organization
- The organization
- Other
Sans - List of other SANs
- Ou
- The organization unit
- Permitted
Dns Domains - List of domains for which certificates are allowed to be issued
- Permitted
Email Addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Permitted
Ip Ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Permitted
Uri Domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Postal
Code - The postal code
- Private
Key Format - The private key format
- Province
- The province
- Serial
Number string - The certificate's serial number, hex formatted.
- Signature
Bits int - The number of bits to use in the signature algorithm
- Street
Address - The street address
- Ttl string
- Time to live
- Type
- Type of intermediate to create. Must be either "exported", "internal" or "kms"
- Uri
Sans - List of alternative URIs
- Alt
Names - List of alternative names
- Backend
- The PKI secret backend the resource belongs to.
- Certificate string
- The certificate.
- Common
Name - CN of intermediate to create
- Country
- The country
- Exclude
Cn From Sans - Flag to exclude CN from SANs
- Excluded
Dns Domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Email Addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Ip Ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Excluded
Uri Domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- Format
- The format of data
- Ip
Sans - List of alternative IPs
- Issuer
Id - The ID of the generated issuer.
- Issuer
Name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - Issuing
Ca string - The issuing CA certificate.
- Key
Bits - The number of bits to use
- Key
Id - The ID of the generated key.
- Key
Name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - Key
Ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - Key
Type - The desired key type
- Locality
- The locality
- Managed
Key Id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - Managed
Key Name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - Max
Path Length - The maximum path length to encode in the generated certificate
- Namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Not
After string - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- Organization
- The organization
- Other
Sans - List of other SANs
- Ou
- The organization unit
- Permitted
Dns Domains - List of domains for which certificates are allowed to be issued
- Permitted
Email Addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Permitted
Ip Ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Permitted
Uri Domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- Postal
Code - The postal code
- Private
Key Format - The private key format
- Province
- The province
- Serial
Number string - The certificate's serial number, hex formatted.
- Signature
Bits int - The number of bits to use in the signature algorithm
- Street
Address - The street address
- Ttl string
- Time to live
- Type
- Type of intermediate to create. Must be either "exported", "internal" or "kms"
- Uri
Sans - List of alternative URIs
- alt
Names - List of alternative names
- backend
- The PKI secret backend the resource belongs to.
- certificate String
- The certificate.
- common
Name - CN of intermediate to create
- country
- The country
- exclude
Cn From Sans - Flag to exclude CN from SANs
- excluded
Dns Domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Email Addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Ip Ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Uri Domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- format
- The format of data
- ip
Sans - List of alternative IPs
- issuer
Id - The ID of the generated issuer.
- issuer
Name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - issuing
Ca String - The issuing CA certificate.
- key
Bits - The number of bits to use
- key
Id - The ID of the generated key.
- key
Name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - key
Ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - key
Type - The desired key type
- locality
- The locality
- managed
Key Id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - managed
Key Name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - max
Path Length - The maximum path length to encode in the generated certificate
- namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - not
After String - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- organization
- The organization
- other
Sans - List of other SANs
- ou
- The organization unit
- permitted
Dns Domains - List of domains for which certificates are allowed to be issued
- permitted
Email Addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Ip Ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Uri Domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- postal
Code - The postal code
- private
Key Format - The private key format
- province
- The province
- serial
Number String - The certificate's serial number, hex formatted.
- signature
Bits Integer - The number of bits to use in the signature algorithm
- street
Address - The street address
- ttl String
- Time to live
- type
- Type of intermediate to create. Must be either "exported", "internal" or "kms"
- uri
Sans - List of alternative URIs
- alt
Names - List of alternative names
- backend
- The PKI secret backend the resource belongs to.
- certificate string
- The certificate.
- common
Name - CN of intermediate to create
- country
- The country
- exclude
Cn From Sans - Flag to exclude CN from SANs
- excluded
Dns Domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Email Addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Ip Ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Uri Domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- format
- The format of data
- ip
Sans - List of alternative IPs
- issuer
Id - The ID of the generated issuer.
- issuer
Name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - issuing
Ca string - The issuing CA certificate.
- key
Bits - The number of bits to use
- key
Id - The ID of the generated key.
- key
Name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - key
Ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - key
Type - The desired key type
- locality
- The locality
- managed
Key Id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - managed
Key Name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - max
Path Length - The maximum path length to encode in the generated certificate
- namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - not
After string - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- organization
- The organization
- other
Sans - List of other SANs
- ou
- The organization unit
- permitted
Dns Domains - List of domains for which certificates are allowed to be issued
- permitted
Email Addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Ip Ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Uri Domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- postal
Code - The postal code
- private
Key Format - The private key format
- province
- The province
- serial
Number string - The certificate's serial number, hex formatted.
- signature
Bits number - The number of bits to use in the signature algorithm
- street
Address - The street address
- ttl string
- Time to live
- type
- Type of intermediate to create. Must be either "exported", "internal" or "kms"
- uri
Sans - List of alternative URIs
- alt_
names - List of alternative names
- backend
- The PKI secret backend the resource belongs to.
- certificate str
- The certificate.
- common_
name - CN of intermediate to create
- country
- The country
- exclude_
cn_ from_ sans - Flag to exclude CN from SANs
- excluded_
dns_ domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded_
email_ addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded_
ip_ ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded_
uri_ domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- format
- The format of data
- ip_
sans - List of alternative IPs
- issuer_
id - The ID of the generated issuer.
- issuer_
name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - issuing_
ca str - The issuing CA certificate.
- key_
bits - The number of bits to use
- key_
id - The ID of the generated key.
- key_
name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - key_
ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - key_
type - The desired key type
- locality
- The locality
- managed_
key_ id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - managed_
key_ name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - max_
path_ length - The maximum path length to encode in the generated certificate
- namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - not_
after str - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- organization
- The organization
- other_
sans - List of other SANs
- ou
- The organization unit
- permitted_
dns_ domains - List of domains for which certificates are allowed to be issued
- permitted_
email_ addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted_
ip_ ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted_
uri_ domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- postal_
code - The postal code
- private_
key_ format - The private key format
- province
- The province
- serial_
number str - The certificate's serial number, hex formatted.
- signature_
bits int - The number of bits to use in the signature algorithm
- street_
address - The street address
- ttl str
- Time to live
- type
- Type of intermediate to create. Must be either "exported", "internal" or "kms"
- uri_
sans - List of alternative URIs
- alt
Names - List of alternative names
- backend
- The PKI secret backend the resource belongs to.
- certificate String
- The certificate.
- common
Name - CN of intermediate to create
- country
- The country
- exclude
Cn From Sans - Flag to exclude CN from SANs
- excluded
Dns Domains - List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Email Addresses - List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Ip Ranges - List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- excluded
Uri Domains - List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.
- format
- The format of data
- ip
Sans - List of alternative IPs
- issuer
Id - The ID of the generated issuer.
- issuer
Name - Provides a name to the specified issuer. The name must be unique
across all issuers and not be the reserved value
default - issuing
Ca String - The issuing CA certificate.
- key
Bits - The number of bits to use
- key
Id - The ID of the generated key.
- key
Name - When a new key is created with this request, optionally specifies
the name for this. The global ref
defaultmay not be used as a name. - key
Ref - Specifies the key (either default, by name, or by identifier) to use
for generating this request. Only suitable for
type=existingrequests. - key
Type - The desired key type
- locality
- The locality
- managed
Key Id - The ID of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_name - managed
Key Name - The name of the previously configured managed key. This field is
required if
typeiskmsand it conflicts withmanaged_key_id - max
Path Length - The maximum path length to encode in the generated certificate
- namespace
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - not
After String - Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- organization
- The organization
- other
Sans - List of other SANs
- ou
- The organization unit
- permitted
Dns Domains - List of domains for which certificates are allowed to be issued
- permitted
Email Addresses - List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Ip Ranges - List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.
- permitted
Uri Domains - List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.
- postal
Code - The postal code
- private
Key Format - The private key format
- province
- The province
- serial
Number String - The certificate's serial number, hex formatted.
- signature
Bits Number - The number of bits to use in the signature algorithm
- street
Address - The street address
- ttl String
- Time to live
- type
- Type of intermediate to create. Must be either "exported", "internal" or "kms"
- uri
Sans - List of alternative URIs
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.