
3rd-party enrollment

akamai_cps_third_party_enrollment

Create, update, or delete an enrollment for a third-party certificate. To delete an enrollment, run terraform destroy.

With domain-validated (DV) certificate enrollments, you can treat a third-party enrollment as a core container for all the operations you perform within CPS.

You can use this resource with:

To test and view certificates on the staging network before deploying to production, set the change_management argument to true in this resource.

resource "akamai_cps_third_party_enrollment" "my-enrollment" {
  contract_id           = "C-0N7RAC7"
  common_name           = "my-site.com"
  secure_network        = "enhanced-tls"
  sni_only              = true
  auto_approve_warnings = [
    "DNS_NAME_LONGER_THEN_255_CHARS",
    "CERTIFICATE_EXPIRATION_DATE_BEYOND_MAX_DAYS",
    "TRUST_CHAIN_EMPTY_AND_CERTIFICATE_SIGNED_BY_NON_STANDARD_ROOT"
  ]
  signature_algorithm   = "SHA-256"
  admin_contact {
    first_name       = "John"
    last_name        = "Smith"
    phone            = "1-617-555-6789"
    email            = "jsmith@example.com"
    address_line_one = "1234 Main St."
    address_line_two = "Suite 123"
    city             = "Cambridge"
    country_code     = "US"
    organization     = "Main Street Corporation"
    postal_code      = "02142"
    region           = "MA"
    title            = "Director of Operations"
  }
  tech_contact {
    first_name       = "Janet"
    last_name        = "Smithson"
    phone            = "1-617-555-6789"
    email            = "jsmithson@example.com"
    address_line_one = "1234 Main St."
    address_line_two = "Suite 123"
    city             = "Cambridge"
    country_code     = "US"
    organization     = "Main Street Corporation"
    postal_code      = "02142"
    region           = "MA"
    title            = "Director of Platform Services"
  }
  csr {
    country_code        = "US"
    city                = "Cambridge"
    organization        = "Main Street Corporation"
    organizational_unit = "IT"
    state               = "MA"
  }
  network_configuration {
    disallowed_tls_versions = ["TLSv1", "TLSv1_1"]
    clone_dns_names         = false
    geography               = "core"
    ocsp_stapling           = "on"
    preferred_ciphers       = "ak-akamai-2020q1"
    must_have_ciphers       = "ak-akamai-2020q1"
    quic_enabled            = false
  }
  organization {
    name             = "Main Street Corporation"
    phone            = "1-617-555-6789"
    address_line_one = "1234 Main St."
    address_line_two = "Suite 123"
    city             = "Cambridge"
    country_code     = "US"
    postal_code      = "02142"
    region           = "MA"
  }
}

variable "enrollment_id" {
  type        = number
  description = "The ID for my Akamai third-party enrollment"
  default     = 12345
}
// local
enrollment_id = akamai_cps_third_party_enrollment.my-enrollment.id

// tvars
enrollment_id = var.enrollment_id

Arguments

Send all the required arguments to create a third-party certificate enrollment.

Argument Required Description
contract_id Your contract's ID.
common_name A fully qualified domain name used for the certification.
secure_network The type of security on a deployment network. Possible values:
  • standard-tls. Not PCI compliant.
  • enhanced-tls. PCI compliant.
admin_contact Contact information of a certificate administrator at your organization. Requires these additional arguments:
  • first_name. Required. The certificate administrator's first name.
  • last_name. Required. The certificate administrator's last name.
  • email. Required. The certificate administrator's email address.
  • phone. Required. Your organization's phone number.
  • title. The certificate administrator's job title.
  • organization. The name of your business, organization, or company.
  • address_line_one. Your organization's address.
  • address_line_two. Your organization's address.
  • city. The city where your organization resides.
  • country_code. The code for the country where your organization resides.
  • postal_code. Your organization's postal code.
  • region. Your organization's region, typically a state or province.
csr Data used for generating the certificate signing request (CSR) when you create an enrollment. CPS signs the CSR with the private key. The CSR contains all the information the certificate authority (CA) needs to issue your certificate. Requires these additional arguments:
  • organization. Required. The name of your business, organization, or company as it appears in all legal documents and the legal entity filing.
  • city. Required. The city in which your organization is.
  • country_code. Required. The country code for your organization.
  • organizational_unit. The unit of your business, organization, or company.
  • preferred_trust_chain. The Let's Encrypt trust chain option chosen at the time the certificate was created. If one wasn't chosen, the value represents the default Akamai option.
  • state. The state or province in which your organization is.
network_configuration The network settings, information, and TLS metadata you want the CPS to use to push the completed certificate to the network. Requires these additional arguments:
  • geography. Required. Your enrollment's deployment location. Possible values:
    • core. To specify worldwide deployment, including China and Russia.
    • china+core. To specify worldwide deployment and China.
    • russia+core. To specify worldwide deployment and Russia.
    Any non-core deployment must be enabled on your Akamai contract based on approval from the Chinese or Russian governments.
  • client_mutual_authentication. The configuration for client mutual authentication, specifying the trust chain used to verify client certificates among other options. Requires these additional arguments:
    • send_ca_list_to_client. Indicates whether the server sends the certificate authority (CA) list to the client. true to enable it.
    • ocsp_enabled. Indicates whether to enable the online certificate status protocol (OCSP) stapling for client certificates. true to enable it.
    • set_id. The trust chain set ID, created in mTLS Edge Truststore.
  • clone_dns_names. Denotes whether the certificate provisioning system directs traffic using all the SANs listed at the time of enrollment creation. true to enable CPS to provision this.
  • disallowed_tls_versions. A list of TLS versions not trusted.
  • must_have_ciphers. Ciphers to include in the enrollment when deployed on the network. Defaults to ak-akamai-2020q1 when it isn't set. For more information on cipher profiles, see Update SSL/TLS cipher profiles.
  • ocsp_stapling. The status of an enrollment's use of online certificate status protocol (OCSP) stapling, either on, off, or not-set. OCSP stapling improves performance by including a valid, signed, time-stamped OCSP response in every TLS handshake, so your site's visitors receive the revocation status of the certificate without querying the OCSP server themselves. The stapled response must be signed by the CA, not by the server, which is what keeps the check trustworthy. Disable OCSP stapling if you want your site visitors to contact the certificate authority (CA) directly for an OCSP response. OCSP is the protocol that lets a client obtain the revocation status of a certificate.
  • preferred_ciphers. Ciphers you preferably want to include in the enrollment when deployed on the network. Defaults to ak-akamai-2020q1 when it isn't set. For more information on cipher profiles, see Update SSL/TLS cipher profiles.
  • quic_enabled. Denotes the use of the QUIC transport layer network protocol. true to enable the protocol.
tech_contact Details of your technical contact within Akamai. This is the person you work closest with at Akamai and who can verify the certificate request. The CA calls this contact if there are any issues with the certificate and they can't reach the admin_contact. Requires these additional arguments:
  • first_name. Required. The technical contact's first name.
  • last_name. Required. The technical contact's last name.
  • email. Required. The technical contact's email address, accessible at the akamai.com domain.
  • phone. Required. The technical contact's phone number.
  • title. The technical contact's job title.
  • organization. The name of the organization at Akamai where your technical contact works.
  • address_line_one. The technical contact's address.
  • address_line_two. The technical contact's address.
  • city. The city of the technical contact at Akamai.
  • country_code. The code for the country where the technical contact's organization resides.
  • postal_code. The postal code for the technical contact at Akamai.
  • region. The region for the technical contact at Akamai.
organization A list detailing the address information of your organization. Requires these additional arguments:
  • name. Required. The name of your business, organization, or company.
  • phone. Required. The phone number of the administrator you want to use as a contact at your company.
  • city. Required. The city where your organization resides.
  • country_code. Required. The code for the country where your organization resides.
  • postal_code. Required. The postal code of your organization.
  • region. Required. The region of your organization, typically a state or province.
  • address_line_one. Required. Your organization's address.
  • address_line_two. Your organization's address.
sni_only Whether you want to use the Server Name Indication (SNI) for the enrollment. true to enable it.

SNI is an extension of the Transport Layer Security (TLS) networking protocol. It allows a server to present multiple certificates on the same IP address. All modern web browsers support the SNI extension.

If you have the same SAN on two or more certificates with the SNI-only option set, Akamai may serve traffic using any certificate that matches the requested SNI hostname. You should avoid multiple certificates with overlapping SAN names when using SNI-only.

Note: You can't change this setting once an enrollment is created.
signature_algorithm The SHA algorithm type. Value is one of:
  • SHA-1 for a 160-bit (20-byte) hash.
  • SHA-256 for a 256-bit (32-byte) hash.
allow_duplicate_common_name Whether to allow a duplicate common name. true to enable it.
sans A list of the subject alternative names (SANs) secured by a certificate.
acknowledge_pre_verification_warnings Whether to acknowledge warnings before certificate verification. true to acknowledge the warnings.
auto_approve_warnings A list of warnings to be automatically approved.
certificate_chain_type The certificate trust chain type. Defaults to default if not specified.
exclude_sans Whether to exclude SANs. true to exclude them from CSR.
change_management When set to false, the certificate will be deployed to both staging and production networks.

Setting this to true stops the CPS from deploying the certificate to the network until you acknowledge you're ready to deploy the certificate.

Attributes

There is no default standard output. Upon creation, the last line of the process log contains a success message and your enrollment ID.

Adding an output block returns the enrollment details you provided on create and the computed id attribute.
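The following configuration is an added example and is not part of the Akamai provider documentation or the provider's own code. It ties together three points from the reference above: the warning that overlapping SANs across SNI-only enrollments let CPS serve whichever matching certificate it likes, the change_management gate that holds the certificate on staging until you acknowledge it, and the output block that exposes the computed id. Two enrollments are driven from one map with for_each, and a lifecycle precondition (a Terraform core feature, available in Terraform 1.2 and later, not something the provider adds) refuses to plan if any hostname appears in more than one enrollment. The contract id, hostnames, phone numbers and contact details are placeholders; only the argument names and the values shown elsewhere on this page are taken from the documentation.

```hcl
# Added example, not from the Akamai provider documentation. Contract id,
# hostnames and contact details are placeholders.
locals {
  # Enrollments to manage; each entry becomes one SNI-only certificate.
  enrollments = {
    www = { common_name = "www.example.com", sans = ["example.com"] }
    api = { common_name = "api.example.com", sans = ["status.example.com"] }
  }

  # Every hostname each certificate covers: the common name plus its SANs,
  # de-duplicated within the enrollment so only cross-enrollment overlaps count.
  all_names = flatten([
    for key, e in local.enrollments : distinct(concat([e.common_name], e.sans))
  ])

  # Hostnames that appear in more than one enrollment.
  overlapping_names = distinct([
    for name in local.all_names : name
    if length([for other in local.all_names : other if other == name]) > 1
  ])
}

resource "akamai_cps_third_party_enrollment" "site" {
  for_each = local.enrollments

  contract_id         = "C-0N7RAC7" # placeholder contract id
  common_name         = each.value.common_name
  sans                = each.value.sans
  secure_network      = "enhanced-tls"
  sni_only            = true
  signature_algorithm = "SHA-256"

  # Deploy to staging only; production waits for an explicit acknowledgement.
  change_management = true

  # Only the name-length warning is auto-approved. A certificate whose trust
  # chain is empty or chains to a non-standard root should stop the run so
  # someone reviews it rather than being accepted silently.
  auto_approve_warnings = ["DNS_NAME_LONGER_THEN_255_CHARS"]

  admin_contact {
    first_name = "Admin"
    last_name  = "Contact"
    email      = "admin@example.com"
    phone      = "1-617-555-0100"
  }

  tech_contact {
    first_name = "Tech"
    last_name  = "Contact"
    email      = "tech-contact@akamai.com" # placeholder; must be an akamai.com address
    phone      = "1-617-555-0101"
  }

  csr {
    organization = "Example Corporation"
    city         = "Cambridge"
    country_code = "US"
    state        = "MA"
  }

  network_configuration {
    geography               = "core"
    disallowed_tls_versions = ["TLSv1", "TLSv1_1"]
    ocsp_stapling           = "on"
    preferred_ciphers       = "ak-akamai-2020q1"
    must_have_ciphers       = "ak-akamai-2020q1"
    clone_dns_names         = false
    quic_enabled            = false
  }

  organization {
    name             = "Example Corporation"
    phone            = "1-617-555-0100"
    address_line_one = "1234 Main St."
    city             = "Cambridge"
    country_code     = "US"
    postal_code      = "02142"
    region           = "MA"
  }

  lifecycle {
    precondition {
      condition     = length(local.overlapping_names) == 0
      error_message = "Hostname(s) ${join(", ", local.overlapping_names)} appear in more than one SNI-only enrollment; CPS may then serve either certificate."
    }
  }
}

# Enrollment ids keyed by the map key, for use from other resources or modules.
output "enrollment_ids" {
  value = { for key, e in akamai_cps_third_party_enrollment.site : key => e.id }
}
```

With the two entries above, overlapping_names is empty and terraform plan proceeds; adding "example.com" to the api enrollment's sans makes the precondition fail before anything is sent to CPS, which is the point of doing the check in the configuration rather than discovering the overlap from which certificate edge servers happen to present.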