Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

yandex_cm_certificate (Resource)

Written by
Updated at September 11, 2025

Creates or requests a TLS certificate in the specified folder. For more information, see the official documentation.

Warning

At the moment, a resource may not work correctly if it declares the use of a DNS challenge, but the certificate is confirmed using an HTTP challenge. And vice versa.

In this case, the service does not provide the parameters of the required type of challenges.

Warning

Only one type managed or self_managed should be specified.

Example usage

//
// Create a new Certificate for specific Domain name.
//
resource "yandex_cm_certificate" "example" {
  name    = "example"
  domains = ["example.com"]

  managed {
    challenge_type = "DNS_CNAME"
  }
}

//
// Create a new Certificates for the set of domains
// with specific DNS challenge for each domain.
//
resource "yandex_cm_certificate" "example" {
  name    = "example"
  domains = ["one.example.com", "two.example.com"]

  managed {
    challenge_type  = "DNS_CNAME"
    challenge_count = 2 # for each domain
  }
}

resource "yandex_dns_recordset" "example" {
  count   = yandex_cm_certificate.example.managed[0].challenge_count
  zone_id = "example-zone-id"
  name    = yandex_cm_certificate.example.challenges[count.index].dns_name
  type    = yandex_cm_certificate.example.challenges[count.index].dns_type
  data    = [yandex_cm_certificate.example.challenges[count.index].dns_value]
  ttl     = 60
}

//
// Create a new Certificates for the set of domains
// with the same DNS challenge for both domains.
//
resource "yandex_cm_certificate" "example" {
  name    = "example"
  domains = ["example.com", "*.example.com"]

  managed {
    challenge_type  = "DNS_CNAME"
    challenge_count = 1 # "example.com" and "*.example.com" has the same DNS_CNAME challenge
  }
}

resource "yandex_dns_recordset" "example" {
  count   = yandex_cm_certificate.example.managed[0].challenge_count
  zone_id = "example-zone-id"
  name    = yandex_cm_certificate.example.challenges[count.index].dns_name
  type    = yandex_cm_certificate.example.challenges[count.index].dns_type
  data    = [yandex_cm_certificate.example.challenges[count.index].dns_value]
  ttl     = 60
}

//
// Create a new self-managed Certificate.
//
resource "yandex_cm_certificate" "example" {
  name = "example"

  self_managed {
    certificate = "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- \n -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"
    private_key = "-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----"
  }
}

Schema

Required

  • name (String) The resource name.

Optional

  • deletion_protection (Boolean) The true value means that resource is protected from accidental deletion.
  • description (String) The resource description.
  • domains (List of String) Domains for this certificate. Should be specified for managed certificates.
  • folder_id (String) The folder identifier that resource belongs to. If it is not provided, the default provider folder-id is used.
  • labels (Map of String) A set of key/value label pairs which assigned to resource.
  • managed (Block List, Max: 1) Managed specification.

Warning

Resource creation awaits getting challenges from issue provider. (see below for nested schema)

  • self_managed (Block List, Max: 1) Self-managed specification.

Warning

Only one type private_key or private_key_lockbox_secret should be specified. (see below for nested schema)

Read-Only

  • challenges (List of Object) Array of challenges. (see below for nested schema)
  • created_at (String) The creation timestamp of the resource.
  • id (String) The ID of this resource.
  • issued_at (String) Certificate issue timestamp.
  • issuer (String) Certificate Issuer.
  • not_after (String) Certificate end valid period.
  • not_before (String) Certificate start valid period.
  • serial (String) Certificate Serial Number.
  • status (String) Certificate status: VALIDATING, INVALID, ISSUED, REVOKED, RENEWING or RENEWAL_FAILED.
  • subject (String) Certificate Subject.
  • type (String) Certificate type: MANAGED or IMPORTED.
  • updated_at (String) Certificate update timestamp.

Nested Schema for managed

Required:

  • challenge_type (String) Domain owner-check method. Possible values:
  • DNS_CNAME - you will need to create a CNAME dns record with the specified value. Recommended for fully automated certificate renewal.
  • DNS_TXT - you will need to create a TXT dns record with specified value.
  • HTTP - you will need to place specified value into specified url.

Optional:

  • challenge_count (Number) Expected number of challenge count needed to validate certificate. Resource creation will fail if the specified value does not match the actual number of challenges received from issue provider. This argument is helpful for safe automatic resource creation for passing challenges for multi-domain certificates.

Nested Schema for self_managed

Required:

  • certificate (String) Certificate with chain.

Optional:

  • private_key (String, Sensitive) Private key of certificate.
  • private_key_lockbox_secret (Block List, Max: 1) Lockbox secret specification for getting private key. (see below for nested schema)

Nested Schema for self_managed.private_key_lockbox_secret

Required:

  • id (String) Lockbox secret Id.
  • key (String) Key of the Lockbox secret, the value of which contains the private key of the certificate.

Nested Schema for timeouts

Optional:

  • create (String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
  • delete (String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
  • read (String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Read operations occur during any refresh or planning operation when refresh is enabled.
  • update (String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).

Nested Schema for challenges

Read-Only:

  • created_at (String)
  • dns_name (String)
  • dns_type (String)
  • dns_value (String)
  • domain (String)
  • http_content (String)
  • http_url (String)
  • message (String)
  • type (String)
  • updated_at (String)

Import

The resource can be imported by using their resource ID. For getting the resource ID you can use Yandex Cloud Web Console or YC CLI.

# terraform import yandex_cm_certificate.<resource Name> <resource Id>
terraform import yandex_cm_certificate.my_cm_cert fpqn8********** cg27q
Previous
cm_certificate_content
Next
cm_certificate_iam_binding