
DV enrollment

akamai_cps_dv_enrollment

Create, update, or delete an enrollment for a domain-validated (DV) certificate. To delete an enrollment, run terraform destroy.

This resource includes all information about your certificate life cycle, from the time you request it, through removal or automatic renewal. You can treat an enrollment as a core container for all the operations you perform within CPS.

You can use this resource with:

If you need to enroll a third-party certificate, use the akamai_cps_third_party_enrollment resource.

resource "akamai_cps_dv_enrollment" "my-enrollment" {
  contract_id                           = "C-0N7RAC7"
  acknowledge_pre_verification_warnings = true
  common_name                           = "my-site.com"
  sans                                  = ["san1.my-site.com", "san2.my-site.com"]
  secure_network                        = "enhanced-tls"
  sni_only                              = true
  admin_contact {
    first_name       = "John"
    last_name        = "Smith"
    phone            = "1-617-555-6789"
    email            = "jsmith@example.com"
    address_line_one = "1234 Main St."
    address_line_two = "Suite 123"
    city             = "Cambridge"
    country_code     = "US"
    organization     = "Main Street Corporation"
    postal_code      = "02142"
    region           = "MA"
    title            = "Director of Operations"
  }
  tech_contact {
    first_name       = "Janet"
    last_name        = "Smithson"
    phone            = "1-617-555-6789"
    email            = "jsmithson@example.com"
    address_line_one = "1234 Main St."
    address_line_two = "Suite 123"
    city             = "Cambridge"
    country_code     = "US"
    organization     = "Main Street Corporation"
    postal_code      = "02142"
    region           = "MA"
    title            = "Director of Platform Services"
  }
  certificate_chain_type = "default"
  csr {
    country_code        = "US"
    city                = "Cambridge"
    organization        = "Main Street Corporation"
    organizational_unit = "IT"
    state               = "MA"
  }
  network_configuration {
    disallowed_tls_versions = ["TLSv1", "TLSv1_1"]
    clone_dns_names         = true
    geography               = "core"
    ocsp_stapling           = "on"
    preferred_ciphers       = "ak-akamai-2020q1"
    must_have_ciphers       = "ak-akamai-2020q1"
    quic_enabled            = false
  }
  signature_algorithm = "SHA-256"
  organization {
    name             = "Main Street Corporation"
    phone            = "1-617-555-6789"
    address_line_one = "1234 Main St."
    address_line_two = "Suite 123"
    city             = "Cambridge"
    country_code     = "US"
    postal_code      = "02142"
    region           = "MA"
  }
}
variable "enrollment_id" {
  type        = number
  description = "The ID for my Akamai DV enrollment"
  default     = 12345
}
// local: reference the enrollment ID directly from the resource in the same configuration
enrollment_id = akamai_cps_dv_enrollment.my-enrollment.id

// tfvars: take the enrollment ID from the variable declared above
enrollment_id = var.enrollment_id

Arguments

Send all the required arguments to create a DV certificate enrollment.

Argument Required Description
contract_id Your contract's ID.
common_name A fully qualified domain name used for the certification.
secure_network The type of security on a deployment network.
  • standard-tls. Not PCI compliant.
  • enhanced-tls. PCI compliant.
admin_contact Contact information of a certificate administrator at your organization. Requires these additional arguments:
  • first_name. Required. The certificate administrator's first name.
  • last_name. Required. The certificate administrator's last name.
  • email. Required. The certificate administrator's email address.
  • phone. Required. Your organization's phone number.
  • title. The certificate administrator's job title.
  • organization. The name of your business, organization, or company.
  • address_line_one. Your organization's address.
  • address_line_two. Your organization's address.
  • city. The city where your organization resides.
  • country_code. The code for the country where your organization resides.
  • postal_code. Your organization's postal code.
  • region. Your organization's region, typically a state or province.
csr Data used for generating the certificate signing request (CSR) when you create an enrollment. CPS signs the CSR with the private key. The CSR contains all the information the certificate authority (CA) needs to issue your certificate. Requires these additional arguments:
  • organization. Required. The name of your business, organization, or company as it appears in all legal documents and the legal entity filing.
  • city. Required. The city in which your organization is.
  • country_code. Required. The country code for your organization.
  • organizational_unit. The unit of your business, organization, or company.
  • preferred_trust_chain. The Let's Encrypt trust chain option chosen at the time the certificate was created. For the Let's Encrypt domain-validated (DV) SAN certificates, a preferred trust chain isn't required. The default value is null.
  • state. The state or province in which your organization is.
network_configuration The network settings, information, and TLS metadata you want the CPS to use to push the completed certificate to the network. Requires these additional arguments:
  • geography. Required. The enrollment's deployment location. Possible values:
    • core. To specify worldwide deployment, including China and Russia.
    • china+core. To specify worldwide deployment and China.
    • russia+core. To specify worldwide deployment and Russia.
    Any non-core deployment must be enabled on your Akamai contract based on approval from the Chinese or Russian government.
  • client_mutual_authentication. The configuration for client mutual authentication, specifying the trust chain used to verify client certificates among other options. Requires these additional arguments:
    • send_ca_list_to_client. Indicates whether the server sends the certificate authority (CA) list to the client. true to enable it.
    • ocsp_enabled. Indicates whether to enable the online certificate status protocol (OCSP) stapling for client certificates. true to enable it.
    • set_id. The trust chain set ID, created in mTLS Edge Truststore.
  • clone_dns_names. Denotes whether the certificate provisioning system directs traffic using all the SANs listed at the time of enrollment creation. true to enable CPS to provision this.
  • disallowed_tls_versions. A list of TLS versions not trusted.
  • must_have_ciphers. Ciphers to include in the enrollment when deployed on the network. Defaults to ak-akamai-2020q1 when it isn't set. For more information on cipher profiles, see Update SSL/TLS cipher profiles.
  • ocsp_stapling. The status of an enrollment's use of online certificate status protocol (OCSP) stapling, either on, off, or not-set. OCSP stapling improves performance by including a valid OCSP response in every TLS handshake: the server queries the OCSP responder at regular intervals and presents the signed, time-stamped response to your site's visitors. Because the response is signed by the CA, not by the server, it can't be forged by the server. Disable OCSP stapling if you want your site visitors to contact the CA directly for an OCSP response. OCSP lets a client obtain the revocation status of a certificate.
  • preferred_ciphers. Ciphers you preferably want to include in the enrollment when deployed on the network. Defaults to ak-akamai-2020q1 when it isn't set. For more information on cipher profiles, see Update SSL/TLS cipher profiles.
  • quic_enabled. Denotes the use of the QUIC transport layer network protocol. true to enable the protocol.
signature_algorithm The SHA algorithm type. Value is one of:
  • SHA-1 for a 160-bit (20-byte) hash.
  • SHA-256 for a 256-bit (32-byte) hash.
tech_contact Details of a technical contact within Akamai. This is the person you work closest with at Akamai and who can verify the certificate request. The CA calls this contact if there are any issues with the certificate and they can't reach the admin_contact. Requires these additional arguments:
  • first_name. Required. The technical contact's first name.
  • last_name. Required. The technical contact's last name.
  • email. Required. The technical contact's email address, accessible at the akamai.com domain.
  • phone. Required. The technical contact's phone number.
  • title. The technical contact's job title.
  • organization. The name of the organization at Akamai where your technical contact works.
  • address_line_one. The technical contact's address.
  • address_line_two. The technical contact's address.
  • city. The city of the technical contact at Akamai.
  • country_code. The code for the country where the technical contact's organization resides.
  • postal_code. The postal code for the technical contact at Akamai.
  • region. The region for the technical contact at Akamai.
organization A list detailing the address information of your organization. Requires these additional arguments:
  • name. Required. The name of your business, organization, or company.
  • phone. Required. The phone number of the administrator you want to use as a contact at your company.
  • city. Required. The city where your organization resides.
  • country_code. Required. The code for the country where your organization resides.
  • postal_code. Required. The postal code of your organization.
  • region. Required. The region of your organization, typically a state or province.
  • address_line_one. Required. Your organization's address.
  • address_line_two. Your organization's address.
sni_only Whether you want to use the Server Name Indication (SNI) for the enrollment. true to enable it.

SNI is an extension of the Transport Layer Security (TLS) networking protocol. It allows a server to present multiple certificates on the same IP address. All modern web browsers support the SNI extension.

If you have the same SAN on two or more certificates with the SNI-only option set, Akamai may serve traffic using any certificate that matches the requested SNI hostname. You should avoid multiple certificates with overlapping SAN names when using SNI-only.

Note: You can't change this setting once an enrollment is created.
allow_duplicate_common_name Whether to allow duplicating a common name. true to enable it.
sans A list of the subject alternative names (SANS) secured by a certificate.
acknowledge_pre_verification_warnings Whether to acknowledge warnings before certificate verification. true to acknowledge the warnings.
certificate_chain_type The certificate trust chain type. Defaults to default if not specified.

Attributes

There is no default standard output. Upon creation, the last line of the process log contains a success message and your enrollment ID.

Adding an output block returns the enrollment details you provided on create along with the computed attributes.

Attribute Description
id The enrollment's ID.
certificate_type The certification type. This attribute populates automatically with the san certificate type.
validation_type The validation type. This attribute populates automatically with the dv validation type.
registration_authority The registration authority or certificate authority (CA) used to obtain a certificate. This attribute populates automatically with the lets-encrypt certificate type.
dns_challenges The DNS validation challenges for the domains listed in the certificate. To successfully perform the validation, only one challenge for each domain needs to be completed, either dns_challenges or http_challenges. Includes:
  • domain. The domain to validate.
  • full_path. The URL where Akamai publishes response_body for Let's Encrypt to validate.
  • response_body. The data Let's Encrypt expects to find served at full_path URL.
http_challenges The HTTP validation challenges for the domains listed in the certificate. To successfully perform the validation, only one challenge for each domain needs to be completed, either dns_challenges or http_challenges. Includes:
  • domain. The domain to validate.
  • full_path. The URL where Akamai publishes response_body for Let's Encrypt to validate.
  • response_body. The data Let's Encrypt expects to find served at full_path URL.
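Completing the DNS challenge from the computed dns_challenges attribute, as an added example that is not part of this reference page. It assumes the akamai_dns_record resource schema (zone, name, recordtype, ttl, target), the akamai_cps_dv_validation resource, that every name on the certificate lives in the Edge DNS zone my-site.com, and that for DNS challenges full_path is the TXT record name rather than an HTTP URL.

```hcl
# Publish one TXT record per DNS challenge returned by the enrollment above.
# Keying the map by domain means a changed SAN list only touches that entry.
resource "akamai_dns_record" "dv_challenge" {
  for_each = { for dc in akamai_cps_dv_enrollment.my-enrollment.dns_challenges : dc.domain => dc }

  # Assumption: all names on the certificate are in this Akamai Edge DNS zone.
  zone       = "my-site.com"
  name       = each.value.full_path       # assumed: the record name CPS publishes
  recordtype = "TXT"
  ttl        = 60
  target     = [each.value.response_body] # the value Let's Encrypt expects to find
}

# Only one of the DNS or HTTP challenge must be satisfied per domain, so the
# http_challenges attribute is left unused here. Validation waits for the records.
resource "akamai_cps_dv_validation" "my-validation" {
  enrollment_id = akamai_cps_dv_enrollment.my-enrollment.id
  sans          = akamai_cps_dv_enrollment.my-enrollment.sans

  depends_on = [akamai_dns_record.dv_challenge]
}

# Expose the challenges so an operator can confirm them out of band
# (for example with a TXT lookup of each name) before validation runs.
output "dv_dns_challenges" {
  value = {
    for dc in akamai_cps_dv_enrollment.my-enrollment.dns_challenges :
    dc.domain => { name = dc.full_path, txt = dc.response_body }
  }
}
```

The same for_each pattern works over http_challenges if you serve response_body at full_path from your origin instead.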