ACME v0.8.3, Mar 22 25

ACME v0.8.3 published on Saturday, Mar 22, 2025 by Pulumiverse

acme.Certificate

Explore with Pulumi AI

ACME v0.8.3 published on Saturday, Mar 22, 2025 by Pulumiverse

Create Certificate Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Certificate(name: string, args: CertificateArgs, opts?: CustomResourceOptions);

@overload
def Certificate(resource_name: str,
                args: CertificateArgs,
                opts: Optional[ResourceOptions] = None)

@overload
def Certificate(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                account_key_pem: Optional[str] = None,
                cert_timeout: Optional[int] = None,
                certificate_p12_password: Optional[str] = None,
                certificate_request_pem: Optional[str] = None,
                common_name: Optional[str] = None,
                disable_complete_propagation: Optional[bool] = None,
                dns_challenges: Optional[Sequence[CertificateDnsChallengeArgs]] = None,
                http_challenge: Optional[CertificateHttpChallengeArgs] = None,
                http_memcached_challenge: Optional[CertificateHttpMemcachedChallengeArgs] = None,
                http_s3_challenge: Optional[CertificateHttpS3ChallengeArgs] = None,
                http_webroot_challenge: Optional[CertificateHttpWebrootChallengeArgs] = None,
                key_type: Optional[str] = None,
                min_days_remaining: Optional[int] = None,
                must_staple: Optional[bool] = None,
                pre_check_delay: Optional[int] = None,
                preferred_chain: Optional[str] = None,
                recursive_nameservers: Optional[Sequence[str]] = None,
                revoke_certificate_on_destroy: Optional[bool] = None,
                revoke_certificate_reason: Optional[str] = None,
                subject_alternative_names: Optional[Sequence[str]] = None,
                tls_challenge: Optional[CertificateTlsChallengeArgs] = None)

func NewCertificate(ctx *Context, name string, args CertificateArgs, opts ...ResourceOption) (*Certificate, error)

public Certificate(string name, CertificateArgs args, CustomResourceOptions? opts = null)

public Certificate(String name, CertificateArgs args)
public Certificate(String name, CertificateArgs args, CustomResourceOptions options)

type: acme:Certificate
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var certificateResource = new Acme.Certificate("certificateResource", new()
{
    AccountKeyPem = "string",
    CertTimeout = 0,
    CertificateP12Password = "string",
    CertificateRequestPem = "string",
    CommonName = "string",
    DisableCompletePropagation = false,
    DnsChallenges = new[]
    {
        new Acme.Inputs.CertificateDnsChallengeArgs
        {
            Provider = "string",
            Config = 
            {
                { "string", "string" },
            },
        },
    },
    HttpChallenge = new Acme.Inputs.CertificateHttpChallengeArgs
    {
        Port = 0,
        ProxyHeader = "string",
    },
    HttpMemcachedChallenge = new Acme.Inputs.CertificateHttpMemcachedChallengeArgs
    {
        Hosts = new[]
        {
            "string",
        },
    },
    HttpS3Challenge = new Acme.Inputs.CertificateHttpS3ChallengeArgs
    {
        S3Bucket = "string",
    },
    HttpWebrootChallenge = new Acme.Inputs.CertificateHttpWebrootChallengeArgs
    {
        Directory = "string",
    },
    KeyType = "string",
    MinDaysRemaining = 0,
    MustStaple = false,
    PreCheckDelay = 0,
    PreferredChain = "string",
    RecursiveNameservers = new[]
    {
        "string",
    },
    RevokeCertificateOnDestroy = false,
    RevokeCertificateReason = "string",
    SubjectAlternativeNames = new[]
    {
        "string",
    },
    TlsChallenge = new Acme.Inputs.CertificateTlsChallengeArgs
    {
        Port = 0,
    },
});

example, err := acme.NewCertificate(ctx, "certificateResource", &acme.CertificateArgs{
	AccountKeyPem:              pulumi.String("string"),
	CertTimeout:                pulumi.Int(0),
	CertificateP12Password:     pulumi.String("string"),
	CertificateRequestPem:      pulumi.String("string"),
	CommonName:                 pulumi.String("string"),
	DisableCompletePropagation: pulumi.Bool(false),
	DnsChallenges: acme.CertificateDnsChallengeArray{
		&acme.CertificateDnsChallengeArgs{
			Provider: pulumi.String("string"),
			Config: pulumi.StringMap{
				"string": pulumi.String("string"),
			},
		},
	},
	HttpChallenge: &acme.CertificateHttpChallengeArgs{
		Port:        pulumi.Int(0),
		ProxyHeader: pulumi.String("string"),
	},
	HttpMemcachedChallenge: &acme.CertificateHttpMemcachedChallengeArgs{
		Hosts: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	HttpS3Challenge: &acme.CertificateHttpS3ChallengeArgs{
		S3Bucket: pulumi.String("string"),
	},
	HttpWebrootChallenge: &acme.CertificateHttpWebrootChallengeArgs{
		Directory: pulumi.String("string"),
	},
	KeyType:          pulumi.String("string"),
	MinDaysRemaining: pulumi.Int(0),
	MustStaple:       pulumi.Bool(false),
	PreCheckDelay:    pulumi.Int(0),
	PreferredChain:   pulumi.String("string"),
	RecursiveNameservers: pulumi.StringArray{
		pulumi.String("string"),
	},
	RevokeCertificateOnDestroy: pulumi.Bool(false),
	RevokeCertificateReason:    pulumi.String("string"),
	SubjectAlternativeNames: pulumi.StringArray{
		pulumi.String("string"),
	},
	TlsChallenge: &acme.CertificateTlsChallengeArgs{
		Port: pulumi.Int(0),
	},
})

var certificateResource = new Certificate("certificateResource", CertificateArgs.builder()
    .accountKeyPem("string")
    .certTimeout(0)
    .certificateP12Password("string")
    .certificateRequestPem("string")
    .commonName("string")
    .disableCompletePropagation(false)
    .dnsChallenges(CertificateDnsChallengeArgs.builder()
        .provider("string")
        .config(Map.of("string", "string"))
        .build())
    .httpChallenge(CertificateHttpChallengeArgs.builder()
        .port(0)
        .proxyHeader("string")
        .build())
    .httpMemcachedChallenge(CertificateHttpMemcachedChallengeArgs.builder()
        .hosts("string")
        .build())
    .httpS3Challenge(CertificateHttpS3ChallengeArgs.builder()
        .s3Bucket("string")
        .build())
    .httpWebrootChallenge(CertificateHttpWebrootChallengeArgs.builder()
        .directory("string")
        .build())
    .keyType("string")
    .minDaysRemaining(0)
    .mustStaple(false)
    .preCheckDelay(0)
    .preferredChain("string")
    .recursiveNameservers("string")
    .revokeCertificateOnDestroy(false)
    .revokeCertificateReason("string")
    .subjectAlternativeNames("string")
    .tlsChallenge(CertificateTlsChallengeArgs.builder()
        .port(0)
        .build())
    .build());

certificate_resource = acme.Certificate("certificateResource",
    account_key_pem="string",
    cert_timeout=0,
    certificate_p12_password="string",
    certificate_request_pem="string",
    common_name="string",
    disable_complete_propagation=False,
    dns_challenges=[{
        "provider": "string",
        "config": {
            "string": "string",
        },
    }],
    http_challenge={
        "port": 0,
        "proxy_header": "string",
    },
    http_memcached_challenge={
        "hosts": ["string"],
    },
    http_s3_challenge={
        "s3_bucket": "string",
    },
    http_webroot_challenge={
        "directory": "string",
    },
    key_type="string",
    min_days_remaining=0,
    must_staple=False,
    pre_check_delay=0,
    preferred_chain="string",
    recursive_nameservers=["string"],
    revoke_certificate_on_destroy=False,
    revoke_certificate_reason="string",
    subject_alternative_names=["string"],
    tls_challenge={
        "port": 0,
    })

const certificateResource = new acme.Certificate("certificateResource", {
    accountKeyPem: "string",
    certTimeout: 0,
    certificateP12Password: "string",
    certificateRequestPem: "string",
    commonName: "string",
    disableCompletePropagation: false,
    dnsChallenges: [{
        provider: "string",
        config: {
            string: "string",
        },
    }],
    httpChallenge: {
        port: 0,
        proxyHeader: "string",
    },
    httpMemcachedChallenge: {
        hosts: ["string"],
    },
    httpS3Challenge: {
        s3Bucket: "string",
    },
    httpWebrootChallenge: {
        directory: "string",
    },
    keyType: "string",
    minDaysRemaining: 0,
    mustStaple: false,
    preCheckDelay: 0,
    preferredChain: "string",
    recursiveNameservers: ["string"],
    revokeCertificateOnDestroy: false,
    revokeCertificateReason: "string",
    subjectAlternativeNames: ["string"],
    tlsChallenge: {
        port: 0,
    },
});

type: acme:Certificate
properties:
    accountKeyPem: string
    certTimeout: 0
    certificateP12Password: string
    certificateRequestPem: string
    commonName: string
    disableCompletePropagation: false
    dnsChallenges:
        - config:
            string: string
          provider: string
    httpChallenge:
        port: 0
        proxyHeader: string
    httpMemcachedChallenge:
        hosts:
            - string
    httpS3Challenge:
        s3Bucket: string
    httpWebrootChallenge:
        directory: string
    keyType: string
    minDaysRemaining: 0
    mustStaple: false
    preCheckDelay: 0
    preferredChain: string
    recursiveNameservers:
        - string
    revokeCertificateOnDestroy: false
    revokeCertificateReason: string
    subjectAlternativeNames:
        - string
    tlsChallenge:
        port: 0

Certificate Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Certificate resource accepts the following input properties:

AccountKeyPem string

The private key of the account that is requesting the certificate. Forces a new resource when changed.

CertTimeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

CertificateP12Password string

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

CertificateRequestPem string

A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Either this, or the in-resource request options (common_name, key_type, and optionally subject_alternative_names) need to be specified. Forces a new resource when changed.

CommonName string

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

DisableCompletePropagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

DnsChallenges List<Pulumiverse.Acme.Inputs.CertificateDnsChallenge>

The DNS challenges to use in fulfilling the request.

HttpChallenge Pulumiverse.Acme.Inputs.CertificateHttpChallenge

Defines an HTTP challenge to use in fulfilling the request.

HttpMemcachedChallenge Pulumiverse.Acme.Inputs.CertificateHttpMemcachedChallenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

HttpS3Challenge Pulumiverse.Acme.Inputs.CertificateHttpS3Challenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

HttpWebrootChallenge Pulumiverse.Acme.Inputs.CertificateHttpWebrootChallenge

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

KeyType string

The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.

MinDaysRemaining int

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

MustStaple bool

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

PreCheckDelay int

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

PreferredChain string

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

RecursiveNameservers List<string>

The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.

RevokeCertificateOnDestroy bool

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

RevokeCertificateReason string

Some CA's require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1. By default, no reason provided in revocation requests. The reason is a string, when provided should be one of:

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

SubjectAlternativeNames List<string>

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

TlsChallenge Pulumiverse.Acme.Inputs.CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

AccountKeyPem string

The private key of the account that is requesting the certificate. Forces a new resource when changed.

CertTimeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

CertificateP12Password string

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

CertificateRequestPem string

CommonName string

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

DisableCompletePropagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

DnsChallenges []CertificateDnsChallengeArgs

The DNS challenges to use in fulfilling the request.

HttpChallenge CertificateHttpChallengeArgs

Defines an HTTP challenge to use in fulfilling the request.

HttpMemcachedChallenge CertificateHttpMemcachedChallengeArgs

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

HttpS3Challenge CertificateHttpS3ChallengeArgs

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

HttpWebrootChallenge CertificateHttpWebrootChallengeArgs

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

KeyType string

MinDaysRemaining int

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

MustStaple bool

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

PreCheckDelay int

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

PreferredChain string

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

RecursiveNameservers []string

RevokeCertificateOnDestroy bool

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

RevokeCertificateReason string

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

SubjectAlternativeNames []string

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

TlsChallenge CertificateTlsChallengeArgs

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem String

The private key of the account that is requesting the certificate. Forces a new resource when changed.

certTimeout Integer

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateP12Password String

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

certificateRequestPem String

commonName String

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

disableCompletePropagation Boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges List<CertificateDnsChallenge>

The DNS challenges to use in fulfilling the request.

httpChallenge CertificateHttpChallenge

Defines an HTTP challenge to use in fulfilling the request.

httpMemcachedChallenge CertificateHttpMemcachedChallenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

httpS3Challenge CertificateHttpS3Challenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

httpWebrootChallenge CertificateHttpWebrootChallenge

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

keyType String

minDaysRemaining Integer

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

mustStaple Boolean

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay Integer

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain String

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

recursiveNameservers List<String>

revokeCertificateOnDestroy Boolean

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

revokeCertificateReason String

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

subjectAlternativeNames List<String>

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

tlsChallenge CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem string

The private key of the account that is requesting the certificate. Forces a new resource when changed.

certTimeout number

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateP12Password string

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

certificateRequestPem string

commonName string

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

disableCompletePropagation boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges CertificateDnsChallenge[]

The DNS challenges to use in fulfilling the request.

httpChallenge CertificateHttpChallenge

Defines an HTTP challenge to use in fulfilling the request.

httpMemcachedChallenge CertificateHttpMemcachedChallenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

httpS3Challenge CertificateHttpS3Challenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

httpWebrootChallenge CertificateHttpWebrootChallenge

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

keyType string

minDaysRemaining number

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

mustStaple boolean

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay number

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain string

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

recursiveNameservers string[]

revokeCertificateOnDestroy boolean

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

revokeCertificateReason string

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

subjectAlternativeNames string[]

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

tlsChallenge CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

account_key_pem str

The private key of the account that is requesting the certificate. Forces a new resource when changed.

cert_timeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificate_p12_password str

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

certificate_request_pem str

common_name str

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

disable_complete_propagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dns_challenges Sequence[CertificateDnsChallengeArgs]

The DNS challenges to use in fulfilling the request.

http_challenge CertificateHttpChallengeArgs

Defines an HTTP challenge to use in fulfilling the request.

http_memcached_challenge CertificateHttpMemcachedChallengeArgs

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

http_s3_challenge CertificateHttpS3ChallengeArgs

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

http_webroot_challenge CertificateHttpWebrootChallengeArgs

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

key_type str

min_days_remaining int

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

must_staple bool

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

pre_check_delay int

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferred_chain str

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

recursive_nameservers Sequence[str]

revoke_certificate_on_destroy bool

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

revoke_certificate_reason str

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

subject_alternative_names Sequence[str]

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

tls_challenge CertificateTlsChallengeArgs

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem String

The private key of the account that is requesting the certificate. Forces a new resource when changed.

certTimeout Number

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateP12Password String

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

certificateRequestPem String

commonName String

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

disableCompletePropagation Boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges List<Property Map>

The DNS challenges to use in fulfilling the request.

httpChallenge Property Map

Defines an HTTP challenge to use in fulfilling the request.

httpMemcachedChallenge Property Map

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

httpS3Challenge Property Map

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

httpWebrootChallenge Property Map

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

keyType String

minDaysRemaining Number

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

mustStaple Boolean

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay Number

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain String

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

recursiveNameservers List<String>

revokeCertificateOnDestroy Boolean

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

revokeCertificateReason String

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

subjectAlternativeNames List<String>

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

tlsChallenge Property Map

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

Outputs

All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:

CertificateDomain string: The common name of the certificate.
CertificateNotAfter string: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
CertificateP12 string: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
CertificatePem string: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
CertificateSerial string: The serial number, in string format, as reported by the CA.
CertificateUrl string: The full URL of the certificate within the ACME CA.
Id string: The provider-assigned unique ID for this managed resource.
IssuerPem string: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
PrivateKeyPem string: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

CertificateDomain string: The common name of the certificate.
CertificateNotAfter string: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
CertificateP12 string: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
CertificatePem string: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
CertificateSerial string: The serial number, in string format, as reported by the CA.
CertificateUrl string: The full URL of the certificate within the ACME CA.
Id string: The provider-assigned unique ID for this managed resource.
IssuerPem string: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
PrivateKeyPem string: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

certificateDomain String: The common name of the certificate.
certificateNotAfter String: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 String: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificatePem String: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateSerial String: The serial number, in string format, as reported by the CA.
certificateUrl String: The full URL of the certificate within the ACME CA.
id String: The provider-assigned unique ID for this managed resource.
issuerPem String: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
privateKeyPem String: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

certificateDomain string: The common name of the certificate.
certificateNotAfter string: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 string: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificatePem string: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateSerial string: The serial number, in string format, as reported by the CA.
certificateUrl string: The full URL of the certificate within the ACME CA.
id string: The provider-assigned unique ID for this managed resource.
issuerPem string: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
privateKeyPem string: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

certificate_domain str: The common name of the certificate.
certificate_not_after str: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificate_p12 str: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificate_pem str: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificate_serial str: The serial number, in string format, as reported by the CA.
certificate_url str: The full URL of the certificate within the ACME CA.
id str: The provider-assigned unique ID for this managed resource.
issuer_pem str: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
private_key_pem str: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

certificateDomain String: The common name of the certificate.
certificateNotAfter String: The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 String: The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificatePem String: The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateSerial String: The serial number, in string format, as reported by the CA.
certificateUrl String: The full URL of the certificate within the ACME CA.
id String: The provider-assigned unique ID for this managed resource.
issuerPem String: The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
privateKeyPem String: The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

Look up Existing Certificate Resource

Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_key_pem: Optional[str] = None,
        cert_timeout: Optional[int] = None,
        certificate_domain: Optional[str] = None,
        certificate_not_after: Optional[str] = None,
        certificate_p12: Optional[str] = None,
        certificate_p12_password: Optional[str] = None,
        certificate_pem: Optional[str] = None,
        certificate_request_pem: Optional[str] = None,
        certificate_serial: Optional[str] = None,
        certificate_url: Optional[str] = None,
        common_name: Optional[str] = None,
        disable_complete_propagation: Optional[bool] = None,
        dns_challenges: Optional[Sequence[CertificateDnsChallengeArgs]] = None,
        http_challenge: Optional[CertificateHttpChallengeArgs] = None,
        http_memcached_challenge: Optional[CertificateHttpMemcachedChallengeArgs] = None,
        http_s3_challenge: Optional[CertificateHttpS3ChallengeArgs] = None,
        http_webroot_challenge: Optional[CertificateHttpWebrootChallengeArgs] = None,
        issuer_pem: Optional[str] = None,
        key_type: Optional[str] = None,
        min_days_remaining: Optional[int] = None,
        must_staple: Optional[bool] = None,
        pre_check_delay: Optional[int] = None,
        preferred_chain: Optional[str] = None,
        private_key_pem: Optional[str] = None,
        recursive_nameservers: Optional[Sequence[str]] = None,
        revoke_certificate_on_destroy: Optional[bool] = None,
        revoke_certificate_reason: Optional[str] = None,
        subject_alternative_names: Optional[Sequence[str]] = None,
        tls_challenge: Optional[CertificateTlsChallengeArgs] = None) -> Certificate

func GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)

public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)

public static Certificate get(String name, Output<String> id, CertificateState state, CustomResourceOptions options)

resources:  _:    type: acme:Certificate    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountKeyPem string

The private key of the account that is requesting the certificate. Forces a new resource when changed.

CertTimeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

CertificateDomain string

The common name of the certificate.

CertificateNotAfter string

The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).

CertificateP12 string

The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.

CertificateP12Password string

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

CertificatePem string

The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"

CertificateRequestPem string

CertificateSerial string

The serial number, in string format, as reported by the CA.

CertificateUrl string

The full URL of the certificate within the ACME CA.

CommonName string

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

DisableCompletePropagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

DnsChallenges List<Pulumiverse.Acme.Inputs.CertificateDnsChallenge>

The DNS challenges to use in fulfilling the request.

HttpChallenge Pulumiverse.Acme.Inputs.CertificateHttpChallenge

Defines an HTTP challenge to use in fulfilling the request.

HttpMemcachedChallenge Pulumiverse.Acme.Inputs.CertificateHttpMemcachedChallenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

HttpS3Challenge Pulumiverse.Acme.Inputs.CertificateHttpS3Challenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

HttpWebrootChallenge Pulumiverse.Acme.Inputs.CertificateHttpWebrootChallenge

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

IssuerPem string

The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.

KeyType string

MinDaysRemaining int

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

MustStaple bool

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

PreCheckDelay int

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

PreferredChain string

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

PrivateKeyPem string

The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

RecursiveNameservers List<string>

RevokeCertificateOnDestroy bool

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

RevokeCertificateReason string

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

SubjectAlternativeNames List<string>

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

TlsChallenge Pulumiverse.Acme.Inputs.CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

AccountKeyPem string

The private key of the account that is requesting the certificate. Forces a new resource when changed.

CertTimeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

CertificateDomain string

The common name of the certificate.

CertificateNotAfter string

The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).

CertificateP12 string

CertificateP12Password string

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

CertificatePem string

CertificateRequestPem string

CertificateSerial string

The serial number, in string format, as reported by the CA.

CertificateUrl string

The full URL of the certificate within the ACME CA.

CommonName string

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

DisableCompletePropagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

DnsChallenges []CertificateDnsChallengeArgs

The DNS challenges to use in fulfilling the request.

HttpChallenge CertificateHttpChallengeArgs

Defines an HTTP challenge to use in fulfilling the request.

HttpMemcachedChallenge CertificateHttpMemcachedChallengeArgs

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

HttpS3Challenge CertificateHttpS3ChallengeArgs

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

HttpWebrootChallenge CertificateHttpWebrootChallengeArgs

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

IssuerPem string

The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.

KeyType string

MinDaysRemaining int

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

MustStaple bool

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

PreCheckDelay int

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

PreferredChain string

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

PrivateKeyPem string

The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

RecursiveNameservers []string

RevokeCertificateOnDestroy bool

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

RevokeCertificateReason string

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

SubjectAlternativeNames []string

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

TlsChallenge CertificateTlsChallengeArgs

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem String

The private key of the account that is requesting the certificate. Forces a new resource when changed.

certTimeout Integer

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateDomain String

The common name of the certificate.

certificateNotAfter String

The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).

certificateP12 String

certificateP12Password String

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

certificatePem String

certificateRequestPem String

certificateSerial String

The serial number, in string format, as reported by the CA.

certificateUrl String

The full URL of the certificate within the ACME CA.

commonName String

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

disableCompletePropagation Boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges List<CertificateDnsChallenge>

The DNS challenges to use in fulfilling the request.

httpChallenge CertificateHttpChallenge

Defines an HTTP challenge to use in fulfilling the request.

httpMemcachedChallenge CertificateHttpMemcachedChallenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

httpS3Challenge CertificateHttpS3Challenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

httpWebrootChallenge CertificateHttpWebrootChallenge

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

issuerPem String

The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.

keyType String

minDaysRemaining Integer

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

mustStaple Boolean

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay Integer

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain String

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

privateKeyPem String

The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

recursiveNameservers List<String>

revokeCertificateOnDestroy Boolean

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

revokeCertificateReason String

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

subjectAlternativeNames List<String>

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

tlsChallenge CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem string

The private key of the account that is requesting the certificate. Forces a new resource when changed.

certTimeout number

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateDomain string

The common name of the certificate.

certificateNotAfter string

The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).

certificateP12 string

certificateP12Password string

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

certificatePem string

certificateRequestPem string

certificateSerial string

The serial number, in string format, as reported by the CA.

certificateUrl string

The full URL of the certificate within the ACME CA.

commonName string

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

disableCompletePropagation boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges CertificateDnsChallenge[]

The DNS challenges to use in fulfilling the request.

httpChallenge CertificateHttpChallenge

Defines an HTTP challenge to use in fulfilling the request.

httpMemcachedChallenge CertificateHttpMemcachedChallenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

httpS3Challenge CertificateHttpS3Challenge

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

httpWebrootChallenge CertificateHttpWebrootChallenge

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

issuerPem string

The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.

keyType string

minDaysRemaining number

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

mustStaple boolean

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay number

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain string

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

privateKeyPem string

The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

recursiveNameservers string[]

revokeCertificateOnDestroy boolean

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

revokeCertificateReason string

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

subjectAlternativeNames string[]

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

tlsChallenge CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

account_key_pem str

The private key of the account that is requesting the certificate. Forces a new resource when changed.

cert_timeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificate_domain str

The common name of the certificate.

certificate_not_after str

The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).

certificate_p12 str

certificate_p12_password str

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

certificate_pem str

certificate_request_pem str

certificate_serial str

The serial number, in string format, as reported by the CA.

certificate_url str

The full URL of the certificate within the ACME CA.

common_name str

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

disable_complete_propagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dns_challenges Sequence[CertificateDnsChallengeArgs]

The DNS challenges to use in fulfilling the request.

http_challenge CertificateHttpChallengeArgs

Defines an HTTP challenge to use in fulfilling the request.

http_memcached_challenge CertificateHttpMemcachedChallengeArgs

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

http_s3_challenge CertificateHttpS3ChallengeArgs

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

http_webroot_challenge CertificateHttpWebrootChallengeArgs

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

issuer_pem str

The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.

key_type str

min_days_remaining int

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

must_staple bool

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

pre_check_delay int

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferred_chain str

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

private_key_pem str

The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

recursive_nameservers Sequence[str]

revoke_certificate_on_destroy bool

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

revoke_certificate_reason str

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

subject_alternative_names Sequence[str]

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

tls_challenge CertificateTlsChallengeArgs

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem String

The private key of the account that is requesting the certificate. Forces a new resource when changed.

certTimeout Number

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateDomain String

The common name of the certificate.

certificateNotAfter String

The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).

certificateP12 String

certificateP12Password String

Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.

certificatePem String

certificateRequestPem String

certificateSerial String

The serial number, in string format, as reported by the CA.

certificateUrl String

The full URL of the certificate within the ACME CA.

commonName String

The certificate's common name, the primary domain that the certificate will be recognized for. Required when not specifying a CSR. Forces a new resource when changed.

disableCompletePropagation Boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges List<Property Map>

The DNS challenges to use in fulfilling the request.

httpChallenge Property Map

Defines an HTTP challenge to use in fulfilling the request.

httpMemcachedChallenge Property Map

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.

httpS3Challenge Property Map

Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.

httpWebrootChallenge Property Map

Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.

issuerPem String

The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.

keyType String

minDaysRemaining Number

The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.

mustStaple Boolean

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay Number

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain String

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

privateKeyPem String

The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

recursiveNameservers List<String>

revokeCertificateOnDestroy Boolean

Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.

revokeCertificateReason String

unspecified
key-compromise
ca-compromise
affiliation-changed
superseded
cessation-of-operation
certificate-hold
remove-from-crl
privilege-withdrawn
aa-compromise

subjectAlternativeNames List<String>

The certificate's subject alternative names, domains that this certificate will also be recognized for. Only valid when not specifying a CSR. Forces a new resource when changed.

tlsChallenge Property Map

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

Supporting Types

CertificateDnsChallenge, CertificateDnsChallengeArgs

Provider string
Config Dictionary<string, string>

Provider string
Config map[string]string

provider String
config Map<String,String>

provider string
config {[key: string]: string}

provider str
config Mapping[str, str]

provider String
config Map<String>

CertificateHttpChallenge, CertificateHttpChallengeArgs

Port int

The port that the challenge server listens on. Default: 80.

ProxyHeader string

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

When set to Host, standard host header validation is used.
When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.

Port int

The port that the challenge server listens on. Default: 80.

ProxyHeader string

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

When set to Host, standard host header validation is used.
When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.

port Integer

The port that the challenge server listens on. Default: 80.

proxyHeader String

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

When set to Host, standard host header validation is used.
When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.

port number

The port that the challenge server listens on. Default: 80.

proxyHeader string

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

When set to Host, standard host header validation is used.
When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.

port int

The port that the challenge server listens on. Default: 80.

proxy_header str

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

When set to Host, standard host header validation is used.
When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.

port Number

The port that the challenge server listens on. Default: 80.

proxyHeader String

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

When set to Host, standard host header validation is used.
When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.

CertificateHttpMemcachedChallenge, CertificateHttpMemcachedChallengeArgs

Hosts List<string>

Hosts []string

hosts List<String>

hosts string[]

hosts Sequence[str]

hosts List<String>

CertificateHttpS3Challenge, CertificateHttpS3ChallengeArgs

S3Bucket string: The s3_bucket to publish the record to.

S3Bucket string: The s3_bucket to publish the record to.

s3Bucket String: The s3_bucket to publish the record to.

s3Bucket string: The s3_bucket to publish the record to.

s3_bucket str: The s3_bucket to publish the record to.

s3Bucket String: The s3_bucket to publish the record to.

CertificateHttpWebrootChallenge, CertificateHttpWebrootChallengeArgs

Directory string: The directory to publish the record to.

Directory string: The directory to publish the record to.

directory String: The directory to publish the record to.

directory string: The directory to publish the record to.

directory str: The directory to publish the record to.

directory String: The directory to publish the record to.

CertificateTlsChallenge, CertificateTlsChallengeArgs

Port int: The port that the challenge server listens on. Default: 443.

Port int: The port that the challenge server listens on. Default: 443.

port Integer: The port that the challenge server listens on. Default: 443.

port number: The port that the challenge server listens on. Default: 443.

port int: The port that the challenge server listens on. Default: 443.

port Number: The port that the challenge server listens on. Default: 443.

Package Details

Repository: acme pulumiverse/pulumi-acme
License: Apache-2.0
Notes: This Pulumi package is based on the acme Terraform Provider.

ACME v0.8.3 published on Saturday, Mar 22, 2025 by Pulumiverse

pulumiverse/pulumi-acme

acme.Certificate

On this page

On this page

Create Certificate Resource

Constructor syntax

Parameters

Constructor example

Certificate Resource Properties

Inputs

Outputs

Look up Existing Certificate Resource

Supporting Types

CertificateDnsChallenge, CertificateDnsChallengeArgs

CertificateHttpChallenge, CertificateHttpChallengeArgs

CertificateHttpMemcachedChallenge, CertificateHttpMemcachedChallengeArgs

CertificateHttpS3Challenge, CertificateHttpS3ChallengeArgs

CertificateHttpWebrootChallenge, CertificateHttpWebrootChallengeArgs

CertificateTlsChallenge, CertificateTlsChallengeArgs

Package Details

On this page

On this page