# Certificate Leaf

The certificate_leaf resource generates leaf certificates signed by a Certificate Authority (CA). These are end-entity certificates used for servers, clients, or other applications that need TLS/SSL certificates.

```hcl
resource "certificate_leaf" "server" {
  ca_key  = resource.certificate_ca.root.private_key.path
  ca_cert = resource.certificate_ca.root.certificate.path
  output  = "./server-certs"
}
```

```hcl
resource "certificate_leaf" "server" {
  ca_key  = resource.certificate_ca.root.private_key.path
  ca_cert = resource.certificate_ca.root.certificate.path
  output  = "./server-certs"

  dns_names = [
    "localhost",
    "server.local",
    "api.example.com"
  ]

  ip_addresses = [
    "127.0.0.1",
    "192.168.1.100",
    "10.0.0.5"
  ]
}
```
| Field | Type | Required | Description |
|---|---|---|---|
| `ca_key` | string | | Path to the CA private key file |
| `ca_cert` | string | | Path to the CA certificate file |
| `output` | string | | Output directory to write the certificate and key files |
| `dns_names` | []string | | DNS names to include in the certificate’s Subject Alternative Names |
| `ip_addresses` | []string | | IP addresses to include in the certificate’s Subject Alternative Names |

| Field | Type | Description |
|---|---|---|
| `meta.id` | string | Full resource identifier |
| `meta.type` | string | Resource type (always `"certificate_leaf"`) |
| `meta.name` | string | Resource name |
| `private_key` | File | The private key of the generated certificate |
| `public_key_pem` | File | The PEM-formatted public key |
| `public_key_ssh` | File | The SSH-formatted public key |
| `certificate` | File | The generated leaf certificate |

The File object contains information about generated certificate files:

| Field | Type | Description |
|---|---|---|
| `filename` | string | The name of the file |
| `directory` | string | The directory where the file is written |
| `path` | string | The full path to the file |
| `contents` | string | The contents of the file |

```hcl
resource "certificate_ca" "root" {
  output = "./ca"
}

resource "certificate_leaf" "server" {
  ca_key  = resource.certificate_ca.root.private_key.path
  ca_cert = resource.certificate_ca.root.certificate.path
  output  = "./server-certs"

  dns_names    = ["localhost"]
  ip_addresses = ["127.0.0.1"]
}
```

```hcl
resource "certificate_leaf" "web" {
  ca_key  = resource.certificate_ca.root.private_key.path
  ca_cert = resource.certificate_ca.root.certificate.path
  output  = "./web-certs"

  dns_names = [
    "example.com",
    "www.example.com",
    "api.example.com",
    "admin.example.com"
  ]

  ip_addresses = [
    "192.168.1.10",
    "10.0.0.100"
  ]
}
```

```hcl
resource "certificate_leaf" "client" {
  ca_key  = resource.certificate_ca.root.private_key.path
  ca_cert = resource.certificate_ca.root.certificate.path
  output  = "./client-certs"

  dns_names = ["client.internal"]
}
```
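
What `dns_names` and `ip_addresses` actually do, shown as an added Go example that is not code from the `certificate_leaf` resource or its project: it builds a self-signed CA (the role `certificate_ca` plays), signs a leaf whose DNS names and IP addresses go into the Subject Alternative Name extension, and then runs the check a TLS client performs against the result. Everything uses Go's standard `crypto/x509`; the key type (ECDSA P-256), subject names, lifetimes and the `IssueCA`/`IssueLeaf`/`VerifyLeafFor` function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// IssueCA builds a self-signed CA, the role certificate_ca plays here.
// Key type, subject and lifetime are constructed values for this example.
func IssueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf signs an end-entity certificate with the CA. dnsNames and ips go into the
// Subject Alternative Name extension, which is what dns_names and ip_addresses control.
// Modern clients ignore the Subject CommonName, so a leaf without any SAN matches nothing.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames, ips []string) (*x509.Certificate, error) {
	if len(dnsNames)+len(ips) == 0 {
		return nil, fmt.Errorf("leaf certificate needs at least one DNS name or IP address")
	}
	var parsed []net.IP
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("invalid ip_addresses entry %q", s)
		}
		parsed = append(parsed, ip)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, // random 128-bit serial rather than a counter
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  parsed,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyLeafFor is the check a TLS client performs: the leaf must chain to the CA
// and its SANs must cover host, which may be a DNS name or an IP address literal.
func VerifyLeafFor(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	ca, caKey, err := IssueCA()
	if err != nil {
		panic(err)
	}
	leaf, err := IssueLeaf(ca, caKey, []string{"localhost", "server.local"}, []string{"127.0.0.1"})
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"localhost", "127.0.0.1", "api.example.com"} {
		fmt.Printf("%-16s -> %v\n", h, VerifyLeafFor(leaf, ca, h))
	}
}
```

Running it shows `localhost` and `127.0.0.1` verifying cleanly while `api.example.com` fails with a hostname mismatch: a client only accepts the certificate for names and addresses that appear in the SAN list, so `dns_names` and `ip_addresses` must contain exactly what clients will connect to. The same `VerifyLeafFor` check fails when the leaf is verified against a CA other than the one whose `ca_key` signed it, which is the property that makes the `ca_cert` file the only thing a client needs to trust.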