Using the Terraform provider

This page describes how to issue and manage certificates using the Sectigo Terraform provider.

Request an SSL certificate

To request an SSL certificate, add the following resource block to your Terraform configuration file (for example, main.tf) and run terraform apply.

resource "sectigo_ssl_certificate" "example" {
  org_id          = 123
  cert_profile_id = 456

  csr_params = {
    common_name           = "example.com"
    country               = "US"
    province              = "California"
    locality              = "San Francisco"
    organization          = "My Company"
    organizational_unit   = "IT"
    email                 = "[email protected]"
    private_key_algorithm = "RSA"
    private_key_size      = "2048"
  }

  subject_alt_names  = ["www.example.com", "api.example.com"]
  validity           = 365
  external_requester = "[email protected]"
}

output "certificate" {
  value     = sectigo_ssl_certificate.example.certificate_body
  sensitive = true
}

output "private_key" {
  value     = sectigo_ssl_certificate.example.csr_params.private_key_pem
  sensitive = true
}

SSL certificate parameters

Parameter          | Type          | Requirement | Description
-------------------|---------------|-------------|-------------------------------------------------------------
org_id             | Number        | Mandatory   | Sectigo organization ID
cert_profile_id    | Number        | Mandatory   | Certificate profile ID
csr_params         | Object        | Mandatory   | CSR parameters (see below)
external_requester | String        | Mandatory   | Requester email address
subject_alt_names  | List (string) | Optional    | Subject Alternative Names
validity           | Number        | Optional    | Validity period in days
comments           | String        | Optional    | Certificate comments
custom_fields      | List (object) | Optional    | Custom field key-value pairs
renew_options      | Object        | Optional    | Renewal configuration
revocation_check   | Object        | Optional    | Revocation check configuration
external_csr       | String        | Optional    | External CSR in PEM format. When provided, csr_params is ignored and the provider does not generate a private key.
ssl_id             | Number        | Computed    | Sectigo certificate ID
renew_id           | String        | Computed    | Renewal tracking ID
certificate_body   | String        | Computed    | PEM-encoded certificate chain

Request a client certificate

To request a client certificate, add the following resource block to your Terraform configuration file (for example, main.tf) and run terraform apply.

resource "sectigo_client_certificate" "example" {
  org_id          = 123
  cert_profile_id = 789

  csr_params = {
    common_name           = "John Doe"
    country               = "US"
    province              = "California"
    locality              = "San Francisco"
    organization          = "My Company"
    organizational_unit   = "Engineering"
    email                 = "[email protected]"
    private_key_algorithm = "RSA"
    private_key_size      = "2048"
  }

  first_name = "John"
  last_name  = "Doe"
  validity   = 365
}

Client certificate parameters

Parameter        | Type          | Requirement | Description
-----------------|---------------|-------------|-------------------------------------------------------------
org_id           | Number        | Mandatory   | Sectigo organization ID
cert_profile_id  | Number        | Mandatory   | Certificate profile ID
csr_params       | Object        | Mandatory   | CSR parameters (see below)
first_name       | String        | Mandatory   | Certificate holder’s first name
last_name        | String        | Mandatory   | Certificate holder’s last name
middle_name      | String        | Optional    | Certificate holder’s middle name
phone            | String        | Optional    | Phone number
secondary_emails | List (string) | Optional    | Additional email addresses
validity         | Number        | Optional    | Validity period in days
comments         | String        | Optional    | Certificate comments
custom_fields    | List (object) | Optional    | Custom field key-value pairs
renew_options    | Object        | Optional    | Renewal configuration
revocation_check | Object        | Optional    | Revocation check configuration
external_csr     | String        | Optional    | External CSR in PEM format. When provided, csr_params is ignored and the provider does not generate a private key.
order_number     | Number        | Computed    | Sectigo order number
backend_cert_id  | String        | Computed    | Backend certificate ID
certificate_body | String        | Computed    | PEM-encoded certificate chain

Request a CSR

CSR parameters are specified inside the csr_params block of an SSL or client certificate resource. The provider generates a private key and a CSR automatically from these parameters. Alternatively, you can supply a CSR generated outside Terraform through the external_csr attribute instead of csr_params; in that case the provider does not generate a private key.

CSR parameters

Parameter             | Type   | Requirement | Description
----------------------|--------|-------------|-----------------------------------------------------------------------
common_name           | String | Mandatory   | Domain (SSL) or name (Client)
country               | String | Mandatory   | Two-letter country code
province              | String | Mandatory   | State or province
locality              | String | Mandatory   | City
organization          | String | Mandatory   | Organization name
organizational_unit   | String | Mandatory   | Department
email                 | String | Mandatory   | Email address
private_key_algorithm | String | Mandatory   | RSA or ECDSA
private_key_size      | String | Mandatory   | Key size. RSA: 1024, 2048, 3072 or 4096; ECDSA: P224, P256, P384 or P521
private_key_pem       | String | Computed    | Generated private key (sensitive)
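As an added example (not the provider's own documentation or code), a typed csr_params variable whose validation rejects key choices below an organisational policy before any request reaches Sectigo, then feeds the SSL certificate resource from the example above. The policy (RSA of at least 2048 bits, ECDSA of at least P256), the org_id and cert_profile_id values and the e-mail address are assumptions of this example.

```hcl
# Added example, not the provider's own code. Assumed org policy: RSA keys of at
# least 2048 bits, ECDSA curves of at least P256; IDs and e-mail are placeholders.
variable "csr_params" {
  type = object({
    common_name           = string
    country               = string
    province              = string
    locality              = string
    organization          = string
    organizational_unit   = string
    email                 = string
    private_key_algorithm = string
    private_key_size      = string
  })

  validation {
    condition     = contains(["RSA", "ECDSA"], var.csr_params.private_key_algorithm)
    error_message = "private_key_algorithm must be RSA or ECDSA."
  }

  validation {
    # The provider also accepts 1024 and P224; this policy deliberately excludes them.
    condition = contains(
      var.csr_params.private_key_algorithm == "RSA" ? ["2048", "3072", "4096"] : ["P256", "P384", "P521"],
      var.csr_params.private_key_size
    )
    error_message = "private_key_size is below the key-strength policy for the chosen algorithm."
  }
}

# A failed validation stops terraform plan, so no API call is made for a weak key.
resource "sectigo_ssl_certificate" "policy_checked" {
  org_id             = 123
  cert_profile_id    = 456
  csr_params         = var.csr_params
  subject_alt_names  = ["www.example.com"]
  validity           = 365
  external_requester = "[email protected]"
}
```

Supply the variable from a terraform.tfvars file or -var-file; a value such as private_key_size = "1024" is rejected at plan time with the error message shown.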

Configure auto-renewal

Configure automatic certificate renewal before expiry (see example below).

  • When you run terraform plan, the provider checks if the certificate is within the expiry window. If renewal is needed, the plan shows the computed attributes (ssl_id, renew_id, certificate_body) as (known after apply). No API calls are made during plan.

  • When you run terraform apply, the actual renewal is performed via the Sectigo API.

  • If auto_renew = true, and the certificate is within the expiry window, the certificate is renewed.

  • If force_renew = true, the certificate is always renewed regardless of the expiry window.

force_renew must be manually reset to false after renewal, otherwise every terraform plan will show pending changes and every terraform apply will renew the certificate.

resource "sectigo_ssl_certificate" "auto_renew" {
  # ... required fields ...

  renew_options = {
    auto_renew    = true   # Enable auto-renewal
    expiry_window = 30     # Renew 30 days before expiry
    force_renew   = false  # Set true to force immediate renewal
  }
}

Auto-renewal parameters

Parameter     | Type   | Default | Description
--------------|--------|---------|-------------------------------------------------
auto_renew    | Bool   | false   | Enable automatic renewal (true or false)
expiry_window | Number | 15      | Number of days before expiry to trigger renewal
force_renew   | Bool   | false   | Force renewal on the next apply (true or false)

Validate revocation status before renewal

Before renewal or replacement, the provider checks the certificate's revocation status, trying OCSP first and falling back to CRL.

  • If the certificate is not revoked, the operation proceeds normally.

  • If the certificate is revoked:

    • If fail_on_revoked = true, the operation is blocked with an error.

    • If fail_on_revoked = false, a warning is displayed and the provider auto-enrolls a fresh certificate, skipping the Renew/Replace APIs, which would fail on a revoked certificate.

resource "sectigo_ssl_certificate" "with_revocation" {
  # ... required fields ...

  revocation_check = {
    enabled         = true   # Enable checking
    check_ocsp      = true   # Try OCSP first
    check_crl       = true   # Fall back to CRL
    fail_on_revoked = true   # Fail or warn on revoked
    timeout_seconds = 10     # HTTP timeout
  }
}

Check revocation status parameters

Parameter       | Type   | Default | Description
----------------|--------|---------|---------------------------------------------------
enabled         | Bool   | false   | Enable revocation checking
check_ocsp      | Bool   | true    | Attempt OCSP check
check_crl       | Bool   | true    | Fall back to CRL
fail_on_revoked | Bool   | false   | true = error, false = auto-enroll a new certificate
timeout_seconds | Number | 10      | HTTP request timeout in seconds
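The following configuration is added here and is not taken from the provider's documentation; it ties the external_csr option from Request a CSR to the renewal and revocation settings above. The CSR is read from a file generated outside Terraform, so the provider generates no private key and none is written to Terraform state (a provider-generated private_key_pem is a computed attribute and is stored in the state file even when outputs are marked sensitive). The org_id, cert_profile_id, e-mail address and file name are assumptions.

```hcl
# Added example, not the provider's own code. example.com.csr is assumed to hold a
# CSR generated outside Terraform (for example with openssl); its private key never
# reaches the provider or the state file. IDs and the e-mail address are placeholders.
locals {
  csr_path = "${path.module}/example.com.csr"
}

resource "sectigo_ssl_certificate" "external_key" {
  org_id          = 123
  cert_profile_id = 456

  # external_csr is used instead of csr_params; the provider generates no key.
  external_csr       = file(local.csr_path)
  subject_alt_names  = ["www.example.com", "api.example.com"]
  validity           = 365
  external_requester = "[email protected]"

  renew_options = {
    auto_renew    = true
    expiry_window = 30
    force_renew   = false # keep false: true re-enrolls on every apply until reset
  }

  revocation_check = {
    enabled         = true
    check_ocsp      = true
    check_crl       = true
    fail_on_revoked = true # a revoked certificate stops the run instead of being silently replaced
    timeout_seconds = 10
  }

  lifecycle {
    precondition {
      condition     = can(regex("BEGIN CERTIFICATE REQUEST", file(local.csr_path)))
      error_message = "example.com.csr does not contain a PEM certificate signing request."
    }
    postcondition {
      condition     = can(regex("BEGIN CERTIFICATE", self.certificate_body))
      error_message = "The provider returned an empty or non-PEM certificate chain."
    }
  }
}

# Only the public chain is exported; no private key exists in this configuration.
output "certificate_chain" {
  value = sectigo_ssl_certificate.external_key.certificate_body
}
```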

Revoke certificate

When you run terraform destroy, the previously enrolled certificate (SSL or client) is revoked.