Hey guys, are there any good examples out there fo...
# general
m
Hey guys, are there any good examples out there for using the pulumi.tls package? The examples in the docs are very sparse. I'm basically looking to replicate this, but automate it with Pulumi. Any pointers would be appreciated
b
Just an example from me on using TLS:
```go
// Generate the RSA private key the certificate is built on.
selfSignedKey, err := tls.NewPrivateKey(ctx, "self-signed-key", &tls.PrivateKeyArgs{
	Algorithm: pulumi.String("RSA"),
	RsaBits:   pulumi.Int(2048),
})
if err != nil {
	return err
}

// Self-signed certificate (not a CA), valid for about ten years.
selfSignedCert, err := tls.NewSelfSignedCert(ctx, "self-signed-cert", &tls.SelfSignedCertArgs{
	Subjects: tls.SelfSignedCertSubjectArray{
		tls.SelfSignedCertSubjectArgs{CommonName: pulumi.String("cluster.local")},
	},
	KeyAlgorithm:        selfSignedKey.Algorithm,
	PrivateKeyPem:       selfSignedKey.PrivateKeyPem,
	IsCaCertificate:     pulumi.Bool(false),
	ValidityPeriodHours: pulumi.Int(24 * 365 * 10),
	AllowedUses:         pulumi.StringArray{},
})
if err != nil {
	return err
}
```
And then I get the key file using `selfSignedKey.PrivateKeyPem` and the cert file as `selfSignedCert.CertPem`
m
Thanks! So I guess if I set IsCaCertificate = true, that will give me the CA certificate. And then I would use the tls.LocallySignedCert to create the server and client certificates (passing in the `selfSignedKey.PrivateKeyPem` and `selfSignedCert.CertPem`)?
b
I haven’t used LocallySignedCert, so not 100% sure
In the above example, I’m creating what is essentially a self-signed cert, though without a specific CA (since I don’t really need to do verification)
But what you said sounds about right - you’d likely need to use tls.CertRequest as well, to generate the CSR, and pass that into LocallySignedCert
m
That makes sense, thanks so much for your help
b
No worries - I was also struggling to figure it out so thought I could share 🙂 If you do figure it out, it would be great to update the thread, so if someone else finds it in the future they get the answer.
m
Will definitely do that