Adding a custom certificate
As an example, let's look at how to add a custom certificate using a self-signed certificate. You can see the custom certificate requirements on the Custom certificate page.
Creating a self-signed certificate file
To create a self-signed certificate using the OpenSSL
library, run the command below:
openssl req -x509 -newkey rsa:4096 -nodes \
-keyout key.pem \
-out cert.pem \
-days 365 \
-subj '/CN=example.com'
openssl req -x509 -newkey rsa:4096 -nodes `
-keyout key.pem `
-out cert.pem `
-days 365 `
-subj '/CN=example.com'
Where:
-x509
: Command will output a certificate file.-newkey
: New private key file will be created.rsa:4096
: Algorithm and key length.-nodes
: Do not encrypt the private key file.-keyout
: Name of the file the private key is saved to.-out
: Certificate file name.-days
: Certificate validity period.-subj
: Certificate owner's Common Name value.
The req
command launched with the above parameters will issue a self-signed certificate and generate the associated private key.
Adding a self-signed custom certificate
To add a custom certificate to Certificate Manager:
- In the management console
, select the folder where you want to add a custom certificate. - In the list of services, select Certificate Manager.
- Click Add certificate.
- In the menu that opens, select User certificate.
- In the window that opens, in the Name field, enter a custom certificate name.
- (Optional) Enter your custom certificate description in the Description field.
- In the Certificate field, click Add certificate.
- Choose how to add a certificate:
File
. - Click Attach file.
- In the window that opens, select the
cert.pem
self-signed certificate file.
- In the window that opens, select the
- Click Add.
- Choose how to add a certificate:
- In the Private key field, click Add private key.
- Choose how to add a certificate:
File
. - Click Attach file.
- In the window that opens, select the
key.pem
private key file.
- In the window that opens, select the
- Click Add.
- Choose how to add a certificate:
- Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
View a description of the command:
yc certificate-manager certificate create --help
-
Run this command:
yc certificate-manager certificate create \ --name mycert \ --chain mycert.pem \ --key mykey.pem
Where:
--name
: Certificate name.--chain
: Path to the certificate chain file.--key
: Path to the file of the certificate private key.
Result:
id: fpqmg47avvim******** folder_id: b1g7gvsi89m3******** created_at: "2020-09-15T06:54:44.916325Z" ... issued_at: "2020-09-15T06:54:44.916325Z" not_after: "2021-09-15T06:48:26Z" not_before: "2020-09-15T06:48:26Z"
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the parameters of the resources you want to create:
resource "yandex_cm_certificate" "user-certificate" { name = "<certificate_name>" self_managed { certificate = <<-EOT -----BEGIN CERTIFICATE----- <certificate_contents> -----END CERTIFICATE----- EOT private_key = <<-EOT -----BEGIN PRIVATE KEY----- <certificate_private_key_contents> -----END PRIVATE KEY----- EOT } }
Where:
name
: Certificate name.certificate
: Contents of the certificate file.private_key
: Contents of the private key file.
For more information about the
yandex_cm_certificate
resource parameters in Terraform, see the provider documentation . -
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
-
This will add the certificate to the specified folder. You can check the new certificate and its configuration using the management console
yc certificate-manager certificate get <certificate_name>
To add a certificate, use the create REST API method for the Certificate resource or the CertificateService/Create gRPC API call.
The new certificate with the Issued
status will appear in the certificate list.
Storing a certificate's public part in Yandex Lockbox
You can store a Certificate Manager user certificate's public part in Yandex Lockbox. To add a certificate:
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the parameters of the resources you want to create:
resource "yandex_cm_certificate" "example-lockbox" { name = "<secret_name>" self_managed { certificate = <<-EOT -----BEGIN CERTIFICATE----- <certificate_contents> -----END CERTIFICATE----- EOT private_key_lockbox_secret { id = "<secret_ID>" key = "<secret_key>" } } }
Where:
name
: Yandex Lockbox secret name.certificate
: Contents of the certificate file.id
: Yandex Lockbox secret ID.key
: Yandex Lockbox secret key whose value is contained in the certificate private key.
For more information about the
yandex_cm_certificate
resource parameters, see the provider documentation . -
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
-
The certificate will then be added to the specified folder. You can check the new certificate and its configuration using the management console
yc certificate-manager certificate get <certificate_name>
The new certificate with the Issued
status will appear in the certificate list.