{"id":2671,"library":"pulumi-tls","title":"Pulumi TLS","description":"Pulumi TLS is a Python package that provides an interface to create and manage TLS (Transport Layer Security) resources within Pulumi programs. It allows for the programmatic generation of private keys, certificate signing requests, and self-signed certificates, which can then be used with other cloud providers. The library is currently at version 5.3.1 and typically sees frequent updates to align with its upstream Terraform provider and Pulumi's core bridge updates.","status":"active","version":"5.3.1","language":"en","source_language":"en","source_url":"https://github.com/pulumi/pulumi-tls","tags":["pulumi","tls","certificates","security","infrastructure-as-code","iac"],"install":[{"cmd":"pip install pulumi_tls","lang":"bash","label":"Install pulumi-tls"}],"dependencies":[{"reason":"Core dependency for all Pulumi providers and programs.","package":"pulumi"}],"imports":[{"symbol":"PrivateKey","correct":"from pulumi_tls import PrivateKey"},{"symbol":"SelfSignedCert","correct":"from pulumi_tls import SelfSignedCert"}],"quickstart":{"code":"import pulumi\nimport pulumi_tls as tls\n\n# Create a new private key\nprivate_key = tls.PrivateKey(\"example-private-key\",\n    algorithm=\"RSA\",\n    rsa_bits=2048)\n\n# Create a self-signed certificate using the private key\nself_signed_cert = tls.SelfSignedCert(\"example-self-signed-cert\",\n    private_key_pem=private_key.private_key_pem,\n    validity_period_hours=8760, # 1 year\n    early_renewal_hours=240,    # 10 days\n    allowed_uses=[\n        \"key_encipherment\",\n        \"digital_signature\",\n        \"server_auth\"\n    ],\n    dns_names=[\n        \"example.com\",\n        \"www.example.com\"\n    ],\n    subject={\n        \"common_name\": \"example.com\",\n        \"organization\": \"Acme, Inc.\"\n    })\n\npulumi.export(\"private_key_pem\", private_key.private_key_pem)\npulumi.export(\"self_signed_certificate_pem\", self_signed_cert.cert_pem)","lang":"python","description":"This example demonstrates how to create an RSA private key and then use it to generate a self-signed TLS certificate with specified validity and allowed uses."},"warnings":[{"fix":"Consult the official Pulumi TLS provider changelog on GitHub and the Pulumi Registry for detailed migration guides or breaking changes specific to the versions you are upgrading between.","message":"Upgrading to a new major version (e.g., v4 to v5) may introduce breaking changes, even if not explicitly stated in patch notes, due to updates in the underlying Terraform provider or Pulumi's provider bridge. Always review the full changelog and test upgrades in a staging environment.","severity":"breaking","affected_versions":"All major version upgrades (e.g., from 4.x to 5.x)"},{"fix":"If OpenSSH compatibility is required, use ECDSA with `P256`, `P384`, or `P521` curves, or opt for the RSA algorithm.","message":"When using ECDSA with the P224 elliptic curve for PrivateKey, several OpenSSH-related attributes (e.g., `private_key_openssh`, `public_key_openssh`, `public_key_fingerprint_md5`, `public_key_fingerprint_sha256`) will be empty strings. This is due to restrictions in the SSH ECC Algorithm Integration (RFC 5656), which limits the supported curves.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Always trim whitespace from PEM output strings using string methods like `.strip()` in Python before passing them to other tools or services if you encounter parsing issues.","message":"Output properties like `private_key_pem` or `cert_pem` might contain leading or trailing whitespace that some downstream systems consuming the PEM string do not accept. This can lead to parsing errors in external applications.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}