github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/website/source/docs/providers/tls/r/self_signed_cert.html.md (about) 1 --- 2 layout: "tls" 3 page_title: "TLS: tls_self_signed_cert" 4 sidebar_current: "docs-tls-resource-self-signed-cert" 5 description: |- 6 Creates a self-signed TLS certificate in PEM format. 7 --- 8 9 # tls\_self\_signed\_cert 10 11 Generates a *self-signed* TLS certificate in PEM format, which is the typical 12 format used to configure TLS server software. 13 14 Self-signed certificates are generally not trusted by client software such 15 as web browsers. Therefore clients are likely to generate trust warnings when 16 connecting to a server that has a self-signed certificate. Self-signed certificates 17 are usually used only in development environments or apps deployed internally 18 to an organization. 19 20 This resource is intended to be used in conjunction with a Terraform provider 21 that has a resource that requires a TLS certificate, such as: 22 23 * ``aws_iam_server_certificate`` to register certificates for use with AWS *Elastic 24 Load Balancer*, *Elastic Beanstalk*, *CloudFront* or *OpsWorks*. 25 26 * ``heroku_cert`` to register certificates for applications deployed on Heroku. 27 28 ## Example Usage 29 30 ```hcl 31 resource "tls_self_signed_cert" "example" { 32 key_algorithm = "ECDSA" 33 private_key_pem = "${file(\"private_key.pem\")}" 34 35 subject { 36 common_name = "example.com" 37 organization = "ACME Examples, Inc" 38 } 39 40 validity_period_hours = 12 41 42 allowed_uses = [ 43 "key_encipherment", 44 "digital_signature", 45 "server_auth", 46 ] 47 } 48 ``` 49 50 ## Argument Reference 51 52 The following arguments are supported: 53 54 * `key_algorithm` - (Required) The name of the algorithm for the key provided 55 in `private_key_pem`. 56 57 * `private_key_pem` - (Required) PEM-encoded private key data. This can be 58 read from a separate file using the ``file`` interpolation function. If the 59 certificate is being generated to be used for a throwaway development 60 environment or other non-critical application, the `tls_private_key` resource 61 can be used to generate a TLS private key from within Terraform. Only 62 an irreversable secure hash of the private key will be stored in the Terraform 63 state. 64 65 * `subject` - (Required) The subject for which a certificate is being requested. 66 This is a nested configuration block whose structure matches the 67 corresponding block for [`tls_cert_request`](cert_request.html). 68 69 * `validity_period_hours` - (Required) The number of hours after initial issuing that the 70 certificate will become invalid. 71 72 * `allowed_uses` - (Required) List of keywords each describing a use that is permitted 73 for the issued certificate. The valid keywords are listed below. 74 75 * `dns_names` - (Optional) List of DNS names for which a certificate is being requested. 76 77 * `ip_addresses` - (Optional) List of IP addresses for which a certificate is being requested. 78 79 * `early_renewal_hours` - (Optional) If set, the resource will consider the certificate to 80 have expired the given number of hours before its actual expiry time. This can be useful 81 to deploy an updated certificate in advance of the expiration of the current certificate. 82 Note however that the old certificate remains valid until its true expiration time, since 83 this resource does not (and cannot) support certificate revocation. Note also that this 84 advance update can only be performed should the Terraform configuration be applied during the 85 early renewal period. 86 87 * `is_ca_certificate` - (Optional) Boolean controlling whether the CA flag will be set in the 88 generated certificate. Defaults to `false`, meaning that the certificate does not represent 89 a certificate authority. 90 91 The `allowed_uses` list accepts the following keywords, combining the set of flags defined by 92 both [Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.3) and 93 [Extended Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.12) in 94 [RFC5280](https://tools.ietf.org/html/rfc5280): 95 96 * `digital_signature` 97 * `content_commitment` 98 * `key_encipherment` 99 * `data_encipherment` 100 * `key_agreement` 101 * `cert_signing` 102 * `crl_signing` 103 * `encipher_only` 104 * `decipher_only` 105 * `any_extended` 106 * `server_auth` 107 * `client_auth` 108 * `code_signing` 109 * `email_protection` 110 * `ipsec_end_system` 111 * `ipsec_tunnel` 112 * `ipsec_user` 113 * `timestamping` 114 * `ocsp_signing` 115 * `microsoft_server_gated_crypto` 116 * `netscape_server_gated_crypto` 117 118 ## Attributes Reference 119 120 The following attributes are exported: 121 122 * `cert_pem` - The certificate data in PEM format. 123 * `validity_start_time` - The time after which the certificate is valid, as an 124 [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp. 125 * `validity_end_time` - The time until which the certificate is invalid, as an 126 [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp. 127 128 ## Automatic Renewal 129 130 This resource considers its instances to have been deleted after either their validity 131 periods ends or the early renewal period is reached. At this time, applying the 132 Terraform configuration will cause a new certificate to be generated for the instance. 133 134 Therefore in a development environment with frequent deployments it may be convenient 135 to set a relatively-short expiration time and use early renewal to automatically provision 136 a new certificate when the current one is about to expire. 137 138 The creation of a new certificate may of course cause dependent resources to be updated 139 or replaced, depending on the lifecycle rules applying to those resources.