Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Adding a custom certificate

Written by
Updated at April 30, 2026

In this article, we will add a self-signed certificate as an example of a custom certificate. Check the custom certificate requirements in Custom certificate.

Creating a self-signed certificate file

To create a self-signed certificate using the OpenSSL library, run this command:

openssl req -x509 -newkey rsa:4096 -nodes \
  -keyout key.pem \
  -out cert.pem \
  -days 365 \
  -subj '/CN=example.com'

openssl req -x509 -newkey rsa:4096 -nodes `
  -keyout key.pem `
  -out cert.pem `
  -days 365 `
  -subj '/CN=example.com'

Where:

  • -x509: To output a certificate file.
  • -newkey: To create a new private key file.
  • rsa:4096: Algorithm and key length.
  • -nodes: Do not encrypt the private key file.
  • -keyout: Name of the file to save the private key to.
  • -out: Certificate file name.
  • -days: Certificate validity period.
  • -subj: Certificate owner's Common Name value.

If you run the req command with the above parameters, it will issue a self-signed certificate and generate the associated private key.

Adding a self-signed custom certificate

To add a custom certificate to Certificate Manager:

  1. In the management console, select the folder to add a custom certificate to.
  2. Navigate to Certificate Manager.
  3. Click Add certificate.
  4. In the menu that opens, select User certificate.
  5. In the window that opens, in the Name field, enter a custom certificate name.
  6. Optionally, in the Description field, describe your custom certificate.
  7. In the Certificate field, click Add certificate.
    1. Choose how to add it: File.
    2. Click Attach file.
      1. In the window that opens, select the cert.pem self-signed certificate file.
    3. Click Add.
  8. In the Private key field, click Add private key.
    1. Choose how to add it: File.
    2. Click Attach file.
      1. In the window that opens, select the key.pem private key file.
    3. Click Add.
  9. Click Create.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. View the command description:

    yc certificate-manager certificate create --help

  2. Run this command:

    yc certificate-manager certificate create \
  --name mycert \
  --chain mycert.pem \
  --key mykey.pem

    Where:

    • --name: Certificate name.
    • --chain: Path to the certificate chain file.
    • --key: Path to the certificate private key file.

    Result:

    id: fpqmg47avvim********
folder_id: b1g7gvsi89m3********
created_at: "2020-09-15T06:54:44.916325Z"
...
issued_at: "2020-09-15T06:54:44.916325Z"
not_after: "2021-09-15T06:48:26Z"
not_before: "2020-09-15T06:48:26Z"

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the configuration file, describe the resources you want to create:

    resource "yandex_cm_certificate" "user-certificate" {
  name    = "<certificate_name>"

  self_managed {
    certificate = <<-EOT
                  -----BEGIN CERTIFICATE-----
                  <certificate_contents>
                  -----END CERTIFICATE-----
                  EOT
    private_key = <<-EOT
                  -----BEGIN PRIVATE KEY-----
                  <contents_of_certificate_private_key>
                  -----END PRIVATE KEY-----
                  EOT
  }
}

    Where:

    • name: Certificate name.
    • certificate: Certificate file contents.
    • private_key: Private key file contents.

    For more information about the yandex_cm_certificate properties in Terraform, see this provider guide.

  2. Create the resources:

    1. In the terminal, navigate to the configuration file directory.

    2. Make sure the configuration is correct using this command:

      terraform validate

      If the configuration is valid, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

    4. Apply the configuration changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

This will add the certificate to the specified folder. You can check the new certificate and its settings using the management console or this CLI command:

 yc certificate-manager certificate get <certificate_name>

To add a certificate, use the create REST API method for the Certificate resource or the CertificateService/Create gRPC API call.

A new certificate with the Issued status will appear in the certificate list.

Storing a certificate's private key in Yandex Lockbox

To avoid storing a private key of the user certificate as plain text in the Terraform configuration file, write it to Yandex Lockbox:

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Create a secret and write the private key to it.

  2. In the configuration file, describe the resources you want to create:

    resource "yandex_cm_certificate" "example-lockbox" {
  name = "<secret_name>"

  self_managed {
    certificate = <<-EOT
                  -----BEGIN CERTIFICATE-----
                  <certificate_contents>
                  -----END CERTIFICATE-----
                  EOT
    private_key_lockbox_secret {
      id  = "<secret_ID>"
      key = "<secret_key>"
    }
  }
}

    Where:

    • name: Yandex Lockbox secret name.
    • certificate: Certificate file contents.
    • id: ID of the Yandex Lockbox secret containing the private key.
    • key: Key of the Yandex Lockbox secret containing the private key.

    For more information about the yandex_cm_certificate properties, see this provider guide.

  3. Create the resources:

    1. In the terminal, navigate to the configuration file directory.

    2. Make sure the configuration is correct using this command:

      terraform validate

      If the configuration is valid, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

    4. Apply the configuration changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

This will add the certificate to the specified folder. You can check the new certificate and its settings using the management console or this CLI command:

yc certificate-manager certificate get <certificate_name>

A new certificate with the Issued status will appear in the certificate list.

Previous
Deleting a certificate
Next
Getting the contents of a certificate