Generates a self-signed TLS certificate in PEM format, which is the typical format used to configure TLS server software.

Self-signed certificates are generally not trusted by client software such as web browsers. Therefore clients are likely to generate trust warnings when connecting to a server that has a self-signed certificate. Self-signed certificates are usually used only in development environments or apps deployed internally to an organization.

This resource is intended to be used in conjunction with a Terraform provider that has a resource that requires a TLS certificate, such as:

Example Usage

resource "tls_self_signed_cert" "example" {
    key_algorithm   = "ECDSA"
    private_key_pem = "${file("private_key.pem")}"

    subject {
        common_name  = "example.com"
        organization = "ACME Examples, Inc"
    }

    validity_period_hours = 12

    # Assumed set of uses for a TLS server certificate.
    allowed_uses = [
        "key_encipherment",
        "digital_signature",
        "server_auth",
    ]
}

Argument Reference

The following arguments are supported:

The allowed_uses list accepts the following keywords, combining the set of flags defined by both Key Usage and Extended Key Usage in RFC 5280:

Attributes Reference

The following attributes are exported:

Automatic Renewal

This resource considers an instance to have been deleted once either its validity period ends or its early renewal period is reached. From that point on, applying the Terraform configuration will cause a new certificate to be generated for the instance.

Therefore, in a development environment with frequent deployments, it may be convenient to set a relatively short expiration time and use early renewal to automatically provision a new certificate when the current one is about to expire.

The creation of a new certificate may of course cause dependent resources to be updated or replaced, depending on the lifecycle rules applying to those resources.
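
The renewal behaviour described above, shown as an added example that is not part of the original documentation. The resource names, the 168-hour and 48-hour values, the allowed_uses keywords and the aws_iam_server_certificate consumer are assumptions chosen for illustration; key_algorithm and the interpolation syntax follow the page's own example.

```hcl
# Added example. The private key is generated by Terraform and stored in
# its state, which suits development use only.
resource "tls_private_key" "dev" {
    algorithm   = "ECDSA"
    ecdsa_curve = "P256"
}

resource "tls_self_signed_cert" "dev" {
    key_algorithm   = "${tls_private_key.dev.algorithm}"
    private_key_pem = "${tls_private_key.dev.private_key_pem}"

    subject {
        common_name  = "dev.example.com"
        organization = "ACME Examples, Inc"
    }

    # The certificate is valid for 7 days from creation.
    validity_period_hours = 168

    # The instance counts as deleted 48 hours before expiry, so any
    # apply during the last two days issues a replacement certificate.
    early_renewal_hours = 48

    allowed_uses = [
        "key_encipherment",
        "digital_signature",
        "server_auth",
    ]
}

# Assumed dependent resource. A renewed cert_pem forces replacement here;
# create_before_destroy uploads the new certificate before the old one
# is removed, and name_prefix avoids a name collision during the overlap.
resource "aws_iam_server_certificate" "dev" {
    name_prefix      = "dev-selfsigned-"
    certificate_body = "${tls_self_signed_cert.dev.cert_pem}"
    private_key      = "${tls_private_key.dev.private_key_pem}"

    lifecycle {
        create_before_destroy = true
    }
}

# Expiry timestamp of the current certificate, for deployment logs.
output "dev_cert_not_after" {
    value = "${tls_self_signed_cert.dev.validity_end_time}"
}
```

Renewal happens only when Terraform is applied, so a certificate can still expire in place if no apply runs during the 48-hour window.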
