terraform/website/source/docs/providers/tls/r/locally_signed_cert.html.md

---
layout: "tls"
page_title: "TLS: tls_locally_signed_cert"
sidebar_current: "docs-tls-resource-locally-signed-cert"
description: |-
  Creates a locally-signed TLS certificate in PEM format.
---

# tls\_locally\_signed\_cert

Generates a TLS certificate using a *Certificate Signing Request* (CSR) and
signs it with a provided certificate authority (CA) private key.

Locally-signed certificates are generally only trusted by client software when
setup to use the provided CA. They are normally used in development environments
or when deployed internally to an organization.

## Example Usage

```hcl
resource "tls_locally_signed_cert" "example" {
  cert_request_pem   = "${file("cert_request.pem")}"
  ca_key_algorithm   = "ECDSA"
  ca_private_key_pem = "${file("ca_private_key.pem")}"
  ca_cert_pem        = "${file("ca_cert.pem")}"

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}
```

## Argument Reference

The following arguments are supported:

* `cert_request_pem` - (Required) PEM-encoded request certificate data.

* `ca_key_algorithm` - (Required) The name of the algorithm for the key provided
  in `ca_private_key_pem`.

* `ca_private_key_pem` - (Required) PEM-encoded private key data for the CA.
  This can be read from a separate file using the ``file`` interpolation
  function.

* `ca_cert_pem` - (Required) PEM-encoded certificate data for the CA.

* `validity_period_hours` - (Required) The number of hours after initial issuing that the
  certificate will become invalid.

* `allowed_uses` - (Required) List of keywords each describing a use that is permitted
  for the issued certificate. The valid keywords are listed below.

* `early_renewal_hours` - (Optional) If set, the resource will consider the certificate to
  have expired the given number of hours before its actual expiry time. This can be useful
  to deploy an updated certificate in advance of the expiration of the current certificate.
  Note however that the old certificate remains valid until its true expiration time, since
  this resource does not (and cannot) support certificate revocation. Note also that this
  advance update can only be performed should the Terraform configuration be applied during the
  early renewal period.

* `is_ca_certificate` - (Optional) Boolean controlling whether the CA flag will be set in the
  generated certificate. Defaults to `false`, meaning that the certificate does not represent
  a certificate authority.

The `allowed_uses` list accepts the following keywords, combining the set of flags defined by
both [Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.3) and
[Extended Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.12) in
[RFC5280](https://tools.ietf.org/html/rfc5280):

* `digital_signature`
* `content_commitment`
* `key_encipherment`
* `data_encipherment`
* `key_agreement`
* `cert_signing`
* `crl_signing`
* `encipher_only`
* `decipher_only`
* `any_extended`
* `server_auth`
* `client_auth`
* `code_signing`
* `email_protection`
* `ipsec_end_system`
* `ipsec_tunnel`
* `ipsec_user`
* `timestamping`
* `ocsp_signing`
* `microsoft_server_gated_crypto`
* `netscape_server_gated_crypto`

## Attributes Reference

The following attributes are exported:

* `cert_pem` - The certificate data in PEM format.
* `validity_start_time` - The time after which the certificate is valid, as an
  [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
* `validity_end_time` - The time until which the certificate is invalid, as an
  [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.

## Automatic Renewal

This resource considers its instances to have been deleted after either their validity
periods ends or the early renewal period is reached. At this time, applying the
Terraform configuration will cause a new certificate to be generated for the instance.

Therefore in a development environment with frequent deployments it may be convenient
to set a relatively-short expiration time and use early renewal to automatically provision
a new certificate when the current one is about to expire.

The creation of a new certificate may of course cause dependent resources to be updated
or replaced, depending on the lifecycle rules applying to those resources.
provider/tls: add locally signed certificates This allows you to generate and sign certificates using a local CA. 2015-11-15 17:45:05 +01:00			`---`
			`layout: "tls"`
			`page_title: "TLS: tls_locally_signed_cert"`
docs: Fix misspelled words 2016-09-12 08:04:04 +02:00			`sidebar_current: "docs-tls-resource-locally-signed-cert"`
provider/tls: add locally signed certificates This allows you to generate and sign certificates using a local CA. 2015-11-15 17:45:05 +01:00			`description: \|-`
			`Creates a locally-signed TLS certificate in PEM format.`
			`---`

			`# tls\_locally\_signed\_cert`

Correct spelling of the word certificate. 2016-08-18 22:38:00 +02:00			`Generates a TLS certificate using a Certificate Signing Request (CSR) and`
provider/tls: add locally signed certificates This allows you to generate and sign certificates using a local CA. 2015-11-15 17:45:05 +01:00			`signs it with a provided certificate authority (CA) private key.`

			`Locally-signed certificates are generally only trusted by client software when`
			`setup to use the provided CA. They are normally used in development environments`
			`or when deployed internally to an organization.`

			`## Example Usage`

website: syntax highlighting and hclfmt layout for TLS provider 2017-04-08 01:54:00 +02:00			```hcl
provider/tls: add locally signed certificates This allows you to generate and sign certificates using a local CA. 2015-11-15 17:45:05 +01:00			`resource "tls_locally_signed_cert" "example" {`
website: syntax highlighting and hclfmt layout for TLS provider 2017-04-08 01:54:00 +02:00			`cert_request_pem = "${file("cert_request.pem")}"`
			`ca_key_algorithm = "ECDSA"`
			`ca_private_key_pem = "${file("ca_private_key.pem")}"`
			`ca_cert_pem = "${file("ca_cert.pem")}"`

			`validity_period_hours = 12`

			`allowed_uses = [`
			`"key_encipherment",`
			`"digital_signature",`
			`"server_auth",`
			`]`
provider/tls: add locally signed certificates This allows you to generate and sign certificates using a local CA. 2015-11-15 17:45:05 +01:00			`}`
			```

			`## Argument Reference`

			`The following arguments are supported:`

			* `cert_request_pem` - (Required) PEM-encoded request certificate data.

			* `ca_key_algorithm` - (Required) The name of the algorithm for the key provided
			in `ca_private_key_pem`.

			* `ca_private_key_pem` - (Required) PEM-encoded private key data for the CA.
			This can be read from a separate file using the ``file`` interpolation
			`function.`

			* `ca_cert_pem` - (Required) PEM-encoded certificate data for the CA.

			* `validity_period_hours` - (Required) The number of hours after initial issuing that the
			`certificate will become invalid.`

			* `allowed_uses` - (Required) List of keywords each describing a use that is permitted
			`for the issued certificate. The valid keywords are listed below.`

			* `early_renewal_hours` - (Optional) If set, the resource will consider the certificate to
			`have expired the given number of hours before its actual expiry time. This can be useful`
			`to deploy an updated certificate in advance of the expiration of the current certificate.`
			`Note however that the old certificate remains valid until its true expiration time, since`
			`this resource does not (and cannot) support certificate revocation. Note also that this`
			`advance update can only be performed should the Terraform configuration be applied during the`
			`early renewal period.`

			* `is_ca_certificate` - (Optional) Boolean controlling whether the CA flag will be set in the
			generated certificate. Defaults to `false`, meaning that the certificate does not represent
			`a certificate authority.`

			The `allowed_uses` list accepts the following keywords, combining the set of flags defined by
			`both [Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.3) and`
			`[Extended Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.12) in`
			`[RFC5280](https://tools.ietf.org/html/rfc5280):`

			* `digital_signature`
			* `content_commitment`
			* `key_encipherment`
			* `data_encipherment`
			* `key_agreement`
			* `cert_signing`
Add missing crl_signing 2017-02-16 16:34:42 +01:00			* `crl_signing`
provider/tls: add locally signed certificates This allows you to generate and sign certificates using a local CA. 2015-11-15 17:45:05 +01:00			* `encipher_only`
			* `decipher_only`
			* `any_extended`
			* `server_auth`
			* `client_auth`
			* `code_signing`
			* `email_protection`
			* `ipsec_end_system`
			* `ipsec_tunnel`
			* `ipsec_user`
			* `timestamping`
			* `ocsp_signing`
			* `microsoft_server_gated_crypto`
			* `netscape_server_gated_crypto`

			`## Attributes Reference`

			`The following attributes are exported:`

			* `cert_pem` - The certificate data in PEM format.
			* `validity_start_time` - The time after which the certificate is valid, as an
			`[RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.`
			* `validity_end_time` - The time until which the certificate is invalid, as an
			`[RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.`

			`## Automatic Renewal`

			`This resource considers its instances to have been deleted after either their validity`
			`periods ends or the early renewal period is reached. At this time, applying the`
			`Terraform configuration will cause a new certificate to be generated for the instance.`

			`Therefore in a development environment with frequent deployments it may be convenient`
			`to set a relatively-short expiration time and use early renewal to automatically provision`
			`a new certificate when the current one is about to expire.`

			`The creation of a new certificate may of course cause dependent resources to be updated`
			`or replaced, depending on the lifecycle rules applying to those resources.`