pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.7.0__py3-none-any.whl

pulumi_vault/pkisecret/secret_backend_role.py

@@ -2,6 +2,7 @@
 # *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
+import builtins
 import copy
 import warnings
 import sys
@@ -21,111 +22,123 @@ __all__ = ['SecretBackendRoleArgs', 'SecretBackendRole']
 @pulumi.input_type
 class SecretBackendRoleArgs:
     def __init__(__self__, *,
-                 backend: pulumi.Input[str],
-                 allow_any_name: Optional[pulumi.Input[bool]] = None,
-                 allow_bare_domains: Optional[pulumi.Input[bool]] = None,
-                 allow_glob_domains: Optional[pulumi.Input[bool]] = None,
-                 allow_ip_sans: Optional[pulumi.Input[bool]] = None,
-                 allow_localhost: Optional[pulumi.Input[bool]] = None,
-                 allow_subdomains: Optional[pulumi.Input[bool]] = None,
-                 allow_wildcard_certificates: Optional[pulumi.Input[bool]] = None,
-                 allowed_domains: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_domains_template: Optional[pulumi.Input[bool]] = None,
-                 allowed_other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_serial_numbers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_uri_sans_template: Optional[pulumi.Input[bool]] = None,
-                 allowed_user_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 basic_constraints_valid_for_non_ca: Optional[pulumi.Input[bool]] = None,
-                 client_flag: Optional[pulumi.Input[bool]] = None,
-                 cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 code_signing_flag: Optional[pulumi.Input[bool]] = None,
-                 countries: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 email_protection_flag: Optional[pulumi.Input[bool]] = None,
-                 enforce_hostnames: Optional[pulumi.Input[bool]] = None,
-                 ext_key_usage_oids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ext_key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 generate_lease: Optional[pulumi.Input[bool]] = None,
-                 issuer_ref: Optional[pulumi.Input[str]] = None,
-                 key_bits: Optional[pulumi.Input[int]] = None,
-                 key_type: Optional[pulumi.Input[str]] = None,
-                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 localities: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 max_ttl: Optional[pulumi.Input[str]] = None,
-                 name: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 no_store: Optional[pulumi.Input[bool]] = None,
-                 not_before_duration: Optional[pulumi.Input[str]] = None,
-                 organization_unit: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 organizations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 backend: pulumi.Input[builtins.str],
+                 allow_any_name: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_bare_domains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_glob_domains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_ip_sans: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_localhost: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_subdomains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_wildcard_certificates: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_domains: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_domains_template: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_serial_numbers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_uri_sans_template: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_user_ids: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 basic_constraints_valid_for_non_ca: Optional[pulumi.Input[builtins.bool]] = None,
+                 client_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 code_signing_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 countries: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 email_protection_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 enforce_hostnames: Optional[pulumi.Input[builtins.bool]] = None,
+                 ext_key_usage_oids: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ext_key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 generate_lease: Optional[pulumi.Input[builtins.bool]] = None,
+                 issuer_ref: Optional[pulumi.Input[builtins.str]] = None,
+                 key_bits: Optional[pulumi.Input[builtins.int]] = None,
+                 key_type: Optional[pulumi.Input[builtins.str]] = None,
+                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 localities: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 name: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 no_store: Optional[pulumi.Input[builtins.bool]] = None,
+                 no_store_metadata: Optional[pulumi.Input[builtins.bool]] = None,
+                 not_after: Optional[pulumi.Input[builtins.str]] = None,
+                 not_before_duration: Optional[pulumi.Input[builtins.str]] = None,
+                 organization_unit: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 organizations: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  policy_identifier: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRolePolicyIdentifierArgs']]]] = None,
-                 policy_identifiers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 postal_codes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 provinces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 require_cn: Optional[pulumi.Input[bool]] = None,
-                 server_flag: Optional[pulumi.Input[bool]] = None,
-                 street_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ttl: Optional[pulumi.Input[str]] = None,
-                 use_csr_common_name: Optional[pulumi.Input[bool]] = None,
-                 use_csr_sans: Optional[pulumi.Input[bool]] = None):
+                 policy_identifiers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 postal_codes: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 provinces: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 require_cn: Optional[pulumi.Input[builtins.bool]] = None,
+                 serial_number_source: Optional[pulumi.Input[builtins.str]] = None,
+                 server_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 signature_bits: Optional[pulumi.Input[builtins.int]] = None,
+                 street_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 use_csr_common_name: Optional[pulumi.Input[builtins.bool]] = None,
+                 use_csr_sans: Optional[pulumi.Input[builtins.bool]] = None,
+                 use_pss: Optional[pulumi.Input[builtins.bool]] = None):
         """
         The set of arguments for constructing a SecretBackendRole resource.
-        :param pulumi.Input[str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
-        :param pulumi.Input[bool] allow_any_name: Flag to allow any name
-        :param pulumi.Input[bool] allow_bare_domains: Flag to allow certificates matching the actual domain
-        :param pulumi.Input[bool] allow_glob_domains: Flag to allow names containing glob patterns.
-        :param pulumi.Input[bool] allow_ip_sans: Flag to allow IP SANs
-        :param pulumi.Input[bool] allow_localhost: Flag to allow certificates for localhost
-        :param pulumi.Input[bool] allow_subdomains: Flag to allow certificates matching subdomains
-        :param pulumi.Input[bool] allow_wildcard_certificates: Flag to allow wildcard certificates.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_domains: List of allowed domains for certificates
-        :param pulumi.Input[bool] allowed_domains_template: Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_other_sans: Defines allowed custom SANs
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_serial_numbers: An array of allowed serial numbers to put in Subject
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Defines allowed URI SANs
-        :param pulumi.Input[bool] allowed_uri_sans_template: Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_user_ids: Defines allowed User IDs
-        :param pulumi.Input[bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates
-        :param pulumi.Input[bool] client_flag: Flag to specify certificates for client use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
-        :param pulumi.Input[bool] code_signing_flag: Flag to specify certificates for code signing use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] countries: The country of generated certificates
-        :param pulumi.Input[bool] email_protection_flag: Flag to specify certificates for email protection use
-        :param pulumi.Input[bool] enforce_hostnames: Flag to allow only valid host names
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] ext_key_usage_oids: Specify the allowed extended key usage OIDs constraint on issued certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] ext_key_usages: Specify the allowed extended key usage constraint on issued certificates
-        :param pulumi.Input[bool] generate_lease: Flag to generate leases with certificates
-        :param pulumi.Input[str] issuer_ref: Specifies the default issuer of this request. May
+        :param pulumi.Input[builtins.str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
+        :param pulumi.Input[builtins.bool] allow_any_name: Flag to allow any name
+        :param pulumi.Input[builtins.bool] allow_bare_domains: Flag to allow certificates matching the actual domain
+        :param pulumi.Input[builtins.bool] allow_glob_domains: Flag to allow names containing glob patterns.
+        :param pulumi.Input[builtins.bool] allow_ip_sans: Flag to allow IP SANs
+        :param pulumi.Input[builtins.bool] allow_localhost: Flag to allow certificates for localhost
+        :param pulumi.Input[builtins.bool] allow_subdomains: Flag to allow certificates matching subdomains
+        :param pulumi.Input[builtins.bool] allow_wildcard_certificates: Flag to allow wildcard certificates.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_domains: List of allowed domains for certificates
+        :param pulumi.Input[builtins.bool] allowed_domains_template: Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_other_sans: Defines allowed custom SANs
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_serial_numbers: An array of allowed serial numbers to put in Subject
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_uri_sans: Defines allowed URI SANs
+        :param pulumi.Input[builtins.bool] allowed_uri_sans_template: Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_user_ids: Defines allowed User IDs
+        :param pulumi.Input[builtins.bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates
+        :param pulumi.Input[builtins.bool] client_flag: Flag to specify certificates for client use
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
+        :param pulumi.Input[builtins.bool] code_signing_flag: Flag to specify certificates for code signing use
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] countries: The country of generated certificates
+        :param pulumi.Input[builtins.bool] email_protection_flag: Flag to specify certificates for email protection use
+        :param pulumi.Input[builtins.bool] enforce_hostnames: Flag to allow only valid host names
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] ext_key_usage_oids: Specify the allowed extended key usage OIDs constraint on issued certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] ext_key_usages: Specify the allowed extended key usage constraint on issued certificates
+        :param pulumi.Input[builtins.bool] generate_lease: Flag to generate leases with certificates
+        :param pulumi.Input[builtins.str] issuer_ref: Specifies the default issuer of this request. May
                be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
                the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
                overriding the role's `issuer_ref` value.
-        :param pulumi.Input[int] key_bits: The number of bits of generated keys
-        :param pulumi.Input[str] key_type: The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
+        :param pulumi.Input[builtins.int] key_bits: The number of bits of generated keys
+        :param pulumi.Input[builtins.str] key_type: The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
                Defaults to `rsa`
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] key_usages: Specify the allowed key usage constraint on issued
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] key_usages: Specify the allowed key usage constraint on issued
                certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
                To specify no default key usage constraints, set this to an empty list `[]`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] localities: The locality of generated certificates
-        :param pulumi.Input[str] max_ttl: The maximum lease TTL, in seconds, for the role.
-        :param pulumi.Input[str] name: The name to identify this role within the backend. Must be unique within the backend.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] localities: The locality of generated certificates
+        :param pulumi.Input[builtins.str] max_ttl: The maximum lease TTL, in seconds, for the role.
+        :param pulumi.Input[builtins.str] name: The name to identify this role within the backend. Must be unique within the backend.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[bool] no_store: Flag to not store certificates in the storage backend
-        :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the NotBefore property.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] organization_unit: The organization unit of generated certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] organizations: The organization of generated certificates
+        :param pulumi.Input[builtins.bool] no_store: Flag to not store certificates in the storage backend
+        :param pulumi.Input[builtins.bool] no_store_metadata: Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
+        :param pulumi.Input[builtins.str] not_after: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
+        :param pulumi.Input[builtins.str] not_before_duration: Specifies the duration by which to backdate the NotBefore property.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] organization_unit: The organization unit of generated certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] organizations: The organization of generated certificates
         :param pulumi.Input[Sequence[pulumi.Input['SecretBackendRolePolicyIdentifierArgs']]] policy_identifier: (Vault 1.11+ only) A block for specifying policy identifers. The `policy_identifier` block can be repeated, and supports the following arguments:
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] policy_identifiers: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] postal_codes: The postal code of generated certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] provinces: The province of generated certificates
-        :param pulumi.Input[bool] require_cn: Flag to force CN usage
-        :param pulumi.Input[bool] server_flag: Flag to specify certificates for server use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] street_addresses: The street address of generated certificates
-        :param pulumi.Input[str] ttl: The TTL, in seconds, for any certificate issued against this role.
-        :param pulumi.Input[bool] use_csr_common_name: Flag to use the CN in the CSR
-        :param pulumi.Input[bool] use_csr_sans: Flag to use the SANs in the CSR
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] policy_identifiers: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] postal_codes: The postal code of generated certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] provinces: The province of generated certificates
+        :param pulumi.Input[builtins.bool] require_cn: Flag to force CN usage
+        :param pulumi.Input[builtins.str] serial_number_source: Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
+               
+               Example usage:
+        :param pulumi.Input[builtins.bool] server_flag: Flag to specify certificates for server use
+        :param pulumi.Input[builtins.int] signature_bits: The number of bits to use in the signature algorithm
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] street_addresses: The street address of generated certificates
+        :param pulumi.Input[builtins.str] ttl: The TTL, in seconds, for any certificate issued against this role.
+        :param pulumi.Input[builtins.bool] use_csr_common_name: Flag to use the CN in the CSR
+        :param pulumi.Input[builtins.bool] use_csr_sans: Flag to use the SANs in the CSR
+        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
         """
         pulumi.set(__self__, "backend", backend)
         if allow_any_name is not None:
@@ -194,6 +207,10 @@ class SecretBackendRoleArgs:
             pulumi.set(__self__, "namespace", namespace)
         if no_store is not None:
             pulumi.set(__self__, "no_store", no_store)
+        if no_store_metadata is not None:
+            pulumi.set(__self__, "no_store_metadata", no_store_metadata)
+        if not_after is not None:
+            pulumi.set(__self__, "not_after", not_after)
         if not_before_duration is not None:
             pulumi.set(__self__, "not_before_duration", not_before_duration)
         if organization_unit is not None:
@@ -210,8 +227,12 @@ class SecretBackendRoleArgs:
             pulumi.set(__self__, "provinces", provinces)
         if require_cn is not None:
             pulumi.set(__self__, "require_cn", require_cn)
+        if serial_number_source is not None:
+            pulumi.set(__self__, "serial_number_source", serial_number_source)
         if server_flag is not None:
             pulumi.set(__self__, "server_flag", server_flag)
+        if signature_bits is not None:
+            pulumi.set(__self__, "signature_bits", signature_bits)
         if street_addresses is not None:
             pulumi.set(__self__, "street_addresses", street_addresses)
         if ttl is not None:
@@ -220,310 +241,312 @@ class SecretBackendRoleArgs:
             pulumi.set(__self__, "use_csr_common_name", use_csr_common_name)
         if use_csr_sans is not None:
             pulumi.set(__self__, "use_csr_sans", use_csr_sans)
+        if use_pss is not None:
+            pulumi.set(__self__, "use_pss", use_pss)
 
     @property
     @pulumi.getter
-    def backend(self) -> pulumi.Input[str]:
+    def backend(self) -> pulumi.Input[builtins.str]:
         """
         The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
         """
         return pulumi.get(self, "backend")
 
     @backend.setter
-    def backend(self, value: pulumi.Input[str]):
+    def backend(self, value: pulumi.Input[builtins.str]):
         pulumi.set(self, "backend", value)
 
     @property
     @pulumi.getter(name="allowAnyName")
-    def allow_any_name(self) -> Optional[pulumi.Input[bool]]:
+    def allow_any_name(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow any name
         """
         return pulumi.get(self, "allow_any_name")
 
     @allow_any_name.setter
-    def allow_any_name(self, value: Optional[pulumi.Input[bool]]):
+    def allow_any_name(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_any_name", value)
 
     @property
     @pulumi.getter(name="allowBareDomains")
-    def allow_bare_domains(self) -> Optional[pulumi.Input[bool]]:
+    def allow_bare_domains(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow certificates matching the actual domain
         """
         return pulumi.get(self, "allow_bare_domains")
 
     @allow_bare_domains.setter
-    def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]):
+    def allow_bare_domains(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_bare_domains", value)
 
     @property
     @pulumi.getter(name="allowGlobDomains")
-    def allow_glob_domains(self) -> Optional[pulumi.Input[bool]]:
+    def allow_glob_domains(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow names containing glob patterns.
         """
         return pulumi.get(self, "allow_glob_domains")
 
     @allow_glob_domains.setter
-    def allow_glob_domains(self, value: Optional[pulumi.Input[bool]]):
+    def allow_glob_domains(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_glob_domains", value)
 
     @property
     @pulumi.getter(name="allowIpSans")
-    def allow_ip_sans(self) -> Optional[pulumi.Input[bool]]:
+    def allow_ip_sans(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow IP SANs
         """
         return pulumi.get(self, "allow_ip_sans")
 
     @allow_ip_sans.setter
-    def allow_ip_sans(self, value: Optional[pulumi.Input[bool]]):
+    def allow_ip_sans(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_ip_sans", value)
 
     @property
     @pulumi.getter(name="allowLocalhost")
-    def allow_localhost(self) -> Optional[pulumi.Input[bool]]:
+    def allow_localhost(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow certificates for localhost
         """
         return pulumi.get(self, "allow_localhost")
 
     @allow_localhost.setter
-    def allow_localhost(self, value: Optional[pulumi.Input[bool]]):
+    def allow_localhost(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_localhost", value)
 
     @property
     @pulumi.getter(name="allowSubdomains")
-    def allow_subdomains(self) -> Optional[pulumi.Input[bool]]:
+    def allow_subdomains(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow certificates matching subdomains
         """
         return pulumi.get(self, "allow_subdomains")
 
     @allow_subdomains.setter
-    def allow_subdomains(self, value: Optional[pulumi.Input[bool]]):
+    def allow_subdomains(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_subdomains", value)
 
     @property
     @pulumi.getter(name="allowWildcardCertificates")
-    def allow_wildcard_certificates(self) -> Optional[pulumi.Input[bool]]:
+    def allow_wildcard_certificates(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow wildcard certificates.
         """
         return pulumi.get(self, "allow_wildcard_certificates")
 
     @allow_wildcard_certificates.setter
-    def allow_wildcard_certificates(self, value: Optional[pulumi.Input[bool]]):
+    def allow_wildcard_certificates(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_wildcard_certificates", value)
 
     @property
     @pulumi.getter(name="allowedDomains")
-    def allowed_domains(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_domains(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         List of allowed domains for certificates
         """
         return pulumi.get(self, "allowed_domains")
 
     @allowed_domains.setter
-    def allowed_domains(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_domains(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_domains", value)
 
     @property
     @pulumi.getter(name="allowedDomainsTemplate")
-    def allowed_domains_template(self) -> Optional[pulumi.Input[bool]]:
+    def allowed_domains_template(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
         """
         return pulumi.get(self, "allowed_domains_template")
 
     @allowed_domains_template.setter
-    def allowed_domains_template(self, value: Optional[pulumi.Input[bool]]):
+    def allowed_domains_template(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allowed_domains_template", value)
 
     @property
     @pulumi.getter(name="allowedOtherSans")
-    def allowed_other_sans(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_other_sans(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Defines allowed custom SANs
         """
         return pulumi.get(self, "allowed_other_sans")
 
     @allowed_other_sans.setter
-    def allowed_other_sans(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_other_sans(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_other_sans", value)
 
     @property
     @pulumi.getter(name="allowedSerialNumbers")
-    def allowed_serial_numbers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_serial_numbers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         An array of allowed serial numbers to put in Subject
         """
         return pulumi.get(self, "allowed_serial_numbers")
 
     @allowed_serial_numbers.setter
-    def allowed_serial_numbers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_serial_numbers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_serial_numbers", value)
 
     @property
     @pulumi.getter(name="allowedUriSans")
-    def allowed_uri_sans(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_uri_sans(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Defines allowed URI SANs
         """
         return pulumi.get(self, "allowed_uri_sans")
 
     @allowed_uri_sans.setter
-    def allowed_uri_sans(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_uri_sans(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_uri_sans", value)
 
     @property
     @pulumi.getter(name="allowedUriSansTemplate")
-    def allowed_uri_sans_template(self) -> Optional[pulumi.Input[bool]]:
+    def allowed_uri_sans_template(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
         """
         return pulumi.get(self, "allowed_uri_sans_template")
 
     @allowed_uri_sans_template.setter
-    def allowed_uri_sans_template(self, value: Optional[pulumi.Input[bool]]):
+    def allowed_uri_sans_template(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allowed_uri_sans_template", value)
 
     @property
     @pulumi.getter(name="allowedUserIds")
-    def allowed_user_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_user_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Defines allowed User IDs
         """
         return pulumi.get(self, "allowed_user_ids")
 
     @allowed_user_ids.setter
-    def allowed_user_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_user_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_user_ids", value)
 
     @property
     @pulumi.getter(name="basicConstraintsValidForNonCa")
-    def basic_constraints_valid_for_non_ca(self) -> Optional[pulumi.Input[bool]]:
+    def basic_constraints_valid_for_non_ca(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to mark basic constraints valid when issuing non-CA certificates
         """
         return pulumi.get(self, "basic_constraints_valid_for_non_ca")
 
     @basic_constraints_valid_for_non_ca.setter
-    def basic_constraints_valid_for_non_ca(self, value: Optional[pulumi.Input[bool]]):
+    def basic_constraints_valid_for_non_ca(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "basic_constraints_valid_for_non_ca", value)
 
     @property
     @pulumi.getter(name="clientFlag")
-    def client_flag(self) -> Optional[pulumi.Input[bool]]:
+    def client_flag(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to specify certificates for client use
         """
         return pulumi.get(self, "client_flag")
 
     @client_flag.setter
-    def client_flag(self, value: Optional[pulumi.Input[bool]]):
+    def client_flag(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "client_flag", value)
 
     @property
     @pulumi.getter(name="cnValidations")
-    def cn_validations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def cn_validations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
         """
         return pulumi.get(self, "cn_validations")
 
     @cn_validations.setter
-    def cn_validations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def cn_validations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "cn_validations", value)
 
     @property
     @pulumi.getter(name="codeSigningFlag")
-    def code_signing_flag(self) -> Optional[pulumi.Input[bool]]:
+    def code_signing_flag(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to specify certificates for code signing use
         """
         return pulumi.get(self, "code_signing_flag")
 
     @code_signing_flag.setter
-    def code_signing_flag(self, value: Optional[pulumi.Input[bool]]):
+    def code_signing_flag(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "code_signing_flag", value)
 
     @property
     @pulumi.getter
-    def countries(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def countries(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The country of generated certificates
         """
         return pulumi.get(self, "countries")
 
     @countries.setter
-    def countries(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def countries(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "countries", value)
 
     @property
     @pulumi.getter(name="emailProtectionFlag")
-    def email_protection_flag(self) -> Optional[pulumi.Input[bool]]:
+    def email_protection_flag(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to specify certificates for email protection use
         """
         return pulumi.get(self, "email_protection_flag")
 
     @email_protection_flag.setter
-    def email_protection_flag(self, value: Optional[pulumi.Input[bool]]):
+    def email_protection_flag(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "email_protection_flag", value)
 
     @property
     @pulumi.getter(name="enforceHostnames")
-    def enforce_hostnames(self) -> Optional[pulumi.Input[bool]]:
+    def enforce_hostnames(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow only valid host names
         """
         return pulumi.get(self, "enforce_hostnames")
 
     @enforce_hostnames.setter
-    def enforce_hostnames(self, value: Optional[pulumi.Input[bool]]):
+    def enforce_hostnames(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "enforce_hostnames", value)
 
     @property
     @pulumi.getter(name="extKeyUsageOids")
-    def ext_key_usage_oids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def ext_key_usage_oids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specify the allowed extended key usage OIDs constraint on issued certificates
         """
         return pulumi.get(self, "ext_key_usage_oids")
 
     @ext_key_usage_oids.setter
-    def ext_key_usage_oids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def ext_key_usage_oids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "ext_key_usage_oids", value)
 
     @property
     @pulumi.getter(name="extKeyUsages")
-    def ext_key_usages(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def ext_key_usages(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specify the allowed extended key usage constraint on issued certificates
         """
         return pulumi.get(self, "ext_key_usages")
 
     @ext_key_usages.setter
-    def ext_key_usages(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def ext_key_usages(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "ext_key_usages", value)
 
     @property
     @pulumi.getter(name="generateLease")
-    def generate_lease(self) -> Optional[pulumi.Input[bool]]:
+    def generate_lease(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to generate leases with certificates
         """
         return pulumi.get(self, "generate_lease")
 
     @generate_lease.setter
-    def generate_lease(self, value: Optional[pulumi.Input[bool]]):
+    def generate_lease(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "generate_lease", value)
 
     @property
     @pulumi.getter(name="issuerRef")
-    def issuer_ref(self) -> Optional[pulumi.Input[str]]:
+    def issuer_ref(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the default issuer of this request. May
         be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
@@ -533,24 +556,24 @@ class SecretBackendRoleArgs:
         return pulumi.get(self, "issuer_ref")
 
     @issuer_ref.setter
-    def issuer_ref(self, value: Optional[pulumi.Input[str]]):
+    def issuer_ref(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "issuer_ref", value)
 
     @property
     @pulumi.getter(name="keyBits")
-    def key_bits(self) -> Optional[pulumi.Input[int]]:
+    def key_bits(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         The number of bits of generated keys
         """
         return pulumi.get(self, "key_bits")
 
     @key_bits.setter
-    def key_bits(self, value: Optional[pulumi.Input[int]]):
+    def key_bits(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "key_bits", value)
 
     @property
     @pulumi.getter(name="keyType")
-    def key_type(self) -> Optional[pulumi.Input[str]]:
+    def key_type(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
         Defaults to `rsa`
@@ -558,12 +581,12 @@ class SecretBackendRoleArgs:
         return pulumi.get(self, "key_type")
 
     @key_type.setter
-    def key_type(self, value: Optional[pulumi.Input[str]]):
+    def key_type(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "key_type", value)
 
     @property
     @pulumi.getter(name="keyUsages")
-    def key_usages(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def key_usages(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specify the allowed key usage constraint on issued
         certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
@@ -572,48 +595,48 @@ class SecretBackendRoleArgs:
         return pulumi.get(self, "key_usages")
 
     @key_usages.setter
-    def key_usages(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def key_usages(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "key_usages", value)
 
     @property
     @pulumi.getter
-    def localities(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def localities(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The locality of generated certificates
         """
         return pulumi.get(self, "localities")
 
     @localities.setter
-    def localities(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def localities(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "localities", value)
 
     @property
     @pulumi.getter(name="maxTtl")
-    def max_ttl(self) -> Optional[pulumi.Input[str]]:
+    def max_ttl(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The maximum lease TTL, in seconds, for the role.
         """
         return pulumi.get(self, "max_ttl")
 
     @max_ttl.setter
-    def max_ttl(self, value: Optional[pulumi.Input[str]]):
+    def max_ttl(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "max_ttl", value)
 
     @property
     @pulumi.getter
-    def name(self) -> Optional[pulumi.Input[str]]:
+    def name(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The name to identify this role within the backend. Must be unique within the backend.
         """
         return pulumi.get(self, "name")
 
     @name.setter
-    def name(self, value: Optional[pulumi.Input[str]]):
+    def name(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "name", value)
 
     @property
     @pulumi.getter
-    def namespace(self) -> Optional[pulumi.Input[str]]:
+    def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -623,55 +646,79 @@ class SecretBackendRoleArgs:
         return pulumi.get(self, "namespace")
 
     @namespace.setter
-    def namespace(self, value: Optional[pulumi.Input[str]]):
+    def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "namespace", value)
 
     @property
     @pulumi.getter(name="noStore")
-    def no_store(self) -> Optional[pulumi.Input[bool]]:
+    def no_store(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to not store certificates in the storage backend
         """
         return pulumi.get(self, "no_store")
 
     @no_store.setter
-    def no_store(self, value: Optional[pulumi.Input[bool]]):
+    def no_store(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "no_store", value)
 
+    @property
+    @pulumi.getter(name="noStoreMetadata")
+    def no_store_metadata(self) -> Optional[pulumi.Input[builtins.bool]]:
+        """
+        Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
+        """
+        return pulumi.get(self, "no_store_metadata")
+
+    @no_store_metadata.setter
+    def no_store_metadata(self, value: Optional[pulumi.Input[builtins.bool]]):
+        pulumi.set(self, "no_store_metadata", value)
+
+    @property
+    @pulumi.getter(name="notAfter")
+    def not_after(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
+        """
+        return pulumi.get(self, "not_after")
+
+    @not_after.setter
+    def not_after(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "not_after", value)
+
     @property
     @pulumi.getter(name="notBeforeDuration")
-    def not_before_duration(self) -> Optional[pulumi.Input[str]]:
+    def not_before_duration(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the duration by which to backdate the NotBefore property.
         """
         return pulumi.get(self, "not_before_duration")
 
     @not_before_duration.setter
-    def not_before_duration(self, value: Optional[pulumi.Input[str]]):
+    def not_before_duration(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "not_before_duration", value)
 
     @property
     @pulumi.getter(name="organizationUnit")
-    def organization_unit(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def organization_unit(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The organization unit of generated certificates
         """
         return pulumi.get(self, "organization_unit")
 
     @organization_unit.setter
-    def organization_unit(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def organization_unit(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "organization_unit", value)
 
     @property
     @pulumi.getter
-    def organizations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def organizations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The organization of generated certificates
         """
         return pulumi.get(self, "organizations")
 
     @organizations.setter
-    def organizations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def organizations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "organizations", value)
 
     @property
@@ -688,221 +735,271 @@ class SecretBackendRoleArgs:
 
     @property
     @pulumi.getter(name="policyIdentifiers")
-    def policy_identifiers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def policy_identifiers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead
         """
         return pulumi.get(self, "policy_identifiers")
 
     @policy_identifiers.setter
-    def policy_identifiers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def policy_identifiers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "policy_identifiers", value)
 
     @property
     @pulumi.getter(name="postalCodes")
-    def postal_codes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def postal_codes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The postal code of generated certificates
         """
         return pulumi.get(self, "postal_codes")
 
     @postal_codes.setter
-    def postal_codes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def postal_codes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "postal_codes", value)
 
     @property
     @pulumi.getter
-    def provinces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def provinces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The province of generated certificates
         """
         return pulumi.get(self, "provinces")
 
     @provinces.setter
-    def provinces(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def provinces(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "provinces", value)
 
     @property
     @pulumi.getter(name="requireCn")
-    def require_cn(self) -> Optional[pulumi.Input[bool]]:
+    def require_cn(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to force CN usage
         """
         return pulumi.get(self, "require_cn")
 
     @require_cn.setter
-    def require_cn(self, value: Optional[pulumi.Input[bool]]):
+    def require_cn(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "require_cn", value)
 
+    @property
+    @pulumi.getter(name="serialNumberSource")
+    def serial_number_source(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
+
+        Example usage:
+        """
+        return pulumi.get(self, "serial_number_source")
+
+    @serial_number_source.setter
+    def serial_number_source(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "serial_number_source", value)
+
     @property
     @pulumi.getter(name="serverFlag")
-    def server_flag(self) -> Optional[pulumi.Input[bool]]:
+    def server_flag(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to specify certificates for server use
         """
         return pulumi.get(self, "server_flag")
 
     @server_flag.setter
-    def server_flag(self, value: Optional[pulumi.Input[bool]]):
+    def server_flag(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "server_flag", value)
 
+    @property
+    @pulumi.getter(name="signatureBits")
+    def signature_bits(self) -> Optional[pulumi.Input[builtins.int]]:
+        """
+        The number of bits to use in the signature algorithm
+        """
+        return pulumi.get(self, "signature_bits")
+
+    @signature_bits.setter
+    def signature_bits(self, value: Optional[pulumi.Input[builtins.int]]):
+        pulumi.set(self, "signature_bits", value)
+
     @property
     @pulumi.getter(name="streetAddresses")
-    def street_addresses(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def street_addresses(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The street address of generated certificates
         """
         return pulumi.get(self, "street_addresses")
 
     @street_addresses.setter
-    def street_addresses(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def street_addresses(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "street_addresses", value)
 
     @property
     @pulumi.getter
-    def ttl(self) -> Optional[pulumi.Input[str]]:
+    def ttl(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The TTL, in seconds, for any certificate issued against this role.
         """
         return pulumi.get(self, "ttl")
 
     @ttl.setter
-    def ttl(self, value: Optional[pulumi.Input[str]]):
+    def ttl(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "ttl", value)
 
     @property
     @pulumi.getter(name="useCsrCommonName")
-    def use_csr_common_name(self) -> Optional[pulumi.Input[bool]]:
+    def use_csr_common_name(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to use the CN in the CSR
         """
         return pulumi.get(self, "use_csr_common_name")
 
     @use_csr_common_name.setter
-    def use_csr_common_name(self, value: Optional[pulumi.Input[bool]]):
+    def use_csr_common_name(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "use_csr_common_name", value)
 
     @property
     @pulumi.getter(name="useCsrSans")
-    def use_csr_sans(self) -> Optional[pulumi.Input[bool]]:
+    def use_csr_sans(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to use the SANs in the CSR
         """
         return pulumi.get(self, "use_csr_sans")
 
     @use_csr_sans.setter
-    def use_csr_sans(self, value: Optional[pulumi.Input[bool]]):
+    def use_csr_sans(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "use_csr_sans", value)
 
+    @property
+    @pulumi.getter(name="usePss")
+    def use_pss(self) -> Optional[pulumi.Input[builtins.bool]]:
+        """
+        Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
+        """
+        return pulumi.get(self, "use_pss")
+
+    @use_pss.setter
+    def use_pss(self, value: Optional[pulumi.Input[builtins.bool]]):
+        pulumi.set(self, "use_pss", value)
+
 
 @pulumi.input_type
 class _SecretBackendRoleState:
     def __init__(__self__, *,
-                 allow_any_name: Optional[pulumi.Input[bool]] = None,
-                 allow_bare_domains: Optional[pulumi.Input[bool]] = None,
-                 allow_glob_domains: Optional[pulumi.Input[bool]] = None,
-                 allow_ip_sans: Optional[pulumi.Input[bool]] = None,
-                 allow_localhost: Optional[pulumi.Input[bool]] = None,
-                 allow_subdomains: Optional[pulumi.Input[bool]] = None,
-                 allow_wildcard_certificates: Optional[pulumi.Input[bool]] = None,
-                 allowed_domains: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_domains_template: Optional[pulumi.Input[bool]] = None,
-                 allowed_other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_serial_numbers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_uri_sans_template: Optional[pulumi.Input[bool]] = None,
-                 allowed_user_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 backend: Optional[pulumi.Input[str]] = None,
-                 basic_constraints_valid_for_non_ca: Optional[pulumi.Input[bool]] = None,
-                 client_flag: Optional[pulumi.Input[bool]] = None,
-                 cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 code_signing_flag: Optional[pulumi.Input[bool]] = None,
-                 countries: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 email_protection_flag: Optional[pulumi.Input[bool]] = None,
-                 enforce_hostnames: Optional[pulumi.Input[bool]] = None,
-                 ext_key_usage_oids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ext_key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 generate_lease: Optional[pulumi.Input[bool]] = None,
-                 issuer_ref: Optional[pulumi.Input[str]] = None,
-                 key_bits: Optional[pulumi.Input[int]] = None,
-                 key_type: Optional[pulumi.Input[str]] = None,
-                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 localities: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 max_ttl: Optional[pulumi.Input[str]] = None,
-                 name: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 no_store: Optional[pulumi.Input[bool]] = None,
-                 not_before_duration: Optional[pulumi.Input[str]] = None,
-                 organization_unit: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 organizations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 allow_any_name: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_bare_domains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_glob_domains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_ip_sans: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_localhost: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_subdomains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_wildcard_certificates: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_domains: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_domains_template: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_serial_numbers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_uri_sans_template: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_user_ids: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 backend: Optional[pulumi.Input[builtins.str]] = None,
+                 basic_constraints_valid_for_non_ca: Optional[pulumi.Input[builtins.bool]] = None,
+                 client_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 code_signing_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 countries: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 email_protection_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 enforce_hostnames: Optional[pulumi.Input[builtins.bool]] = None,
+                 ext_key_usage_oids: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ext_key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 generate_lease: Optional[pulumi.Input[builtins.bool]] = None,
+                 issuer_ref: Optional[pulumi.Input[builtins.str]] = None,
+                 key_bits: Optional[pulumi.Input[builtins.int]] = None,
+                 key_type: Optional[pulumi.Input[builtins.str]] = None,
+                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 localities: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 name: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 no_store: Optional[pulumi.Input[builtins.bool]] = None,
+                 no_store_metadata: Optional[pulumi.Input[builtins.bool]] = None,
+                 not_after: Optional[pulumi.Input[builtins.str]] = None,
+                 not_before_duration: Optional[pulumi.Input[builtins.str]] = None,
+                 organization_unit: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 organizations: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  policy_identifier: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRolePolicyIdentifierArgs']]]] = None,
-                 policy_identifiers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 postal_codes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 provinces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 require_cn: Optional[pulumi.Input[bool]] = None,
-                 server_flag: Optional[pulumi.Input[bool]] = None,
-                 street_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ttl: Optional[pulumi.Input[str]] = None,
-                 use_csr_common_name: Optional[pulumi.Input[bool]] = None,
-                 use_csr_sans: Optional[pulumi.Input[bool]] = None):
+                 policy_identifiers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 postal_codes: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 provinces: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 require_cn: Optional[pulumi.Input[builtins.bool]] = None,
+                 serial_number_source: Optional[pulumi.Input[builtins.str]] = None,
+                 server_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 signature_bits: Optional[pulumi.Input[builtins.int]] = None,
+                 street_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 use_csr_common_name: Optional[pulumi.Input[builtins.bool]] = None,
+                 use_csr_sans: Optional[pulumi.Input[builtins.bool]] = None,
+                 use_pss: Optional[pulumi.Input[builtins.bool]] = None):
         """
         Input properties used for looking up and filtering SecretBackendRole resources.
-        :param pulumi.Input[bool] allow_any_name: Flag to allow any name
-        :param pulumi.Input[bool] allow_bare_domains: Flag to allow certificates matching the actual domain
-        :param pulumi.Input[bool] allow_glob_domains: Flag to allow names containing glob patterns.
-        :param pulumi.Input[bool] allow_ip_sans: Flag to allow IP SANs
-        :param pulumi.Input[bool] allow_localhost: Flag to allow certificates for localhost
-        :param pulumi.Input[bool] allow_subdomains: Flag to allow certificates matching subdomains
-        :param pulumi.Input[bool] allow_wildcard_certificates: Flag to allow wildcard certificates.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_domains: List of allowed domains for certificates
-        :param pulumi.Input[bool] allowed_domains_template: Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_other_sans: Defines allowed custom SANs
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_serial_numbers: An array of allowed serial numbers to put in Subject
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Defines allowed URI SANs
-        :param pulumi.Input[bool] allowed_uri_sans_template: Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_user_ids: Defines allowed User IDs
-        :param pulumi.Input[str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
-        :param pulumi.Input[bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates
-        :param pulumi.Input[bool] client_flag: Flag to specify certificates for client use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
-        :param pulumi.Input[bool] code_signing_flag: Flag to specify certificates for code signing use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] countries: The country of generated certificates
-        :param pulumi.Input[bool] email_protection_flag: Flag to specify certificates for email protection use
-        :param pulumi.Input[bool] enforce_hostnames: Flag to allow only valid host names
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] ext_key_usage_oids: Specify the allowed extended key usage OIDs constraint on issued certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] ext_key_usages: Specify the allowed extended key usage constraint on issued certificates
-        :param pulumi.Input[bool] generate_lease: Flag to generate leases with certificates
-        :param pulumi.Input[str] issuer_ref: Specifies the default issuer of this request. May
+        :param pulumi.Input[builtins.bool] allow_any_name: Flag to allow any name
+        :param pulumi.Input[builtins.bool] allow_bare_domains: Flag to allow certificates matching the actual domain
+        :param pulumi.Input[builtins.bool] allow_glob_domains: Flag to allow names containing glob patterns.
+        :param pulumi.Input[builtins.bool] allow_ip_sans: Flag to allow IP SANs
+        :param pulumi.Input[builtins.bool] allow_localhost: Flag to allow certificates for localhost
+        :param pulumi.Input[builtins.bool] allow_subdomains: Flag to allow certificates matching subdomains
+        :param pulumi.Input[builtins.bool] allow_wildcard_certificates: Flag to allow wildcard certificates.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_domains: List of allowed domains for certificates
+        :param pulumi.Input[builtins.bool] allowed_domains_template: Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_other_sans: Defines allowed custom SANs
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_serial_numbers: An array of allowed serial numbers to put in Subject
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_uri_sans: Defines allowed URI SANs
+        :param pulumi.Input[builtins.bool] allowed_uri_sans_template: Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_user_ids: Defines allowed User IDs
+        :param pulumi.Input[builtins.str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
+        :param pulumi.Input[builtins.bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates
+        :param pulumi.Input[builtins.bool] client_flag: Flag to specify certificates for client use
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
+        :param pulumi.Input[builtins.bool] code_signing_flag: Flag to specify certificates for code signing use
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] countries: The country of generated certificates
+        :param pulumi.Input[builtins.bool] email_protection_flag: Flag to specify certificates for email protection use
+        :param pulumi.Input[builtins.bool] enforce_hostnames: Flag to allow only valid host names
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] ext_key_usage_oids: Specify the allowed extended key usage OIDs constraint on issued certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] ext_key_usages: Specify the allowed extended key usage constraint on issued certificates
+        :param pulumi.Input[builtins.bool] generate_lease: Flag to generate leases with certificates
+        :param pulumi.Input[builtins.str] issuer_ref: Specifies the default issuer of this request. May
                be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
                the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
                overriding the role's `issuer_ref` value.
-        :param pulumi.Input[int] key_bits: The number of bits of generated keys
-        :param pulumi.Input[str] key_type: The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
+        :param pulumi.Input[builtins.int] key_bits: The number of bits of generated keys
+        :param pulumi.Input[builtins.str] key_type: The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
                Defaults to `rsa`
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] key_usages: Specify the allowed key usage constraint on issued
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] key_usages: Specify the allowed key usage constraint on issued
                certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
                To specify no default key usage constraints, set this to an empty list `[]`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] localities: The locality of generated certificates
-        :param pulumi.Input[str] max_ttl: The maximum lease TTL, in seconds, for the role.
-        :param pulumi.Input[str] name: The name to identify this role within the backend. Must be unique within the backend.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] localities: The locality of generated certificates
+        :param pulumi.Input[builtins.str] max_ttl: The maximum lease TTL, in seconds, for the role.
+        :param pulumi.Input[builtins.str] name: The name to identify this role within the backend. Must be unique within the backend.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[bool] no_store: Flag to not store certificates in the storage backend
-        :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the NotBefore property.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] organization_unit: The organization unit of generated certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] organizations: The organization of generated certificates
+        :param pulumi.Input[builtins.bool] no_store: Flag to not store certificates in the storage backend
+        :param pulumi.Input[builtins.bool] no_store_metadata: Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
+        :param pulumi.Input[builtins.str] not_after: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
+        :param pulumi.Input[builtins.str] not_before_duration: Specifies the duration by which to backdate the NotBefore property.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] organization_unit: The organization unit of generated certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] organizations: The organization of generated certificates
         :param pulumi.Input[Sequence[pulumi.Input['SecretBackendRolePolicyIdentifierArgs']]] policy_identifier: (Vault 1.11+ only) A block for specifying policy identifers. The `policy_identifier` block can be repeated, and supports the following arguments:
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] policy_identifiers: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] postal_codes: The postal code of generated certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] provinces: The province of generated certificates
-        :param pulumi.Input[bool] require_cn: Flag to force CN usage
-        :param pulumi.Input[bool] server_flag: Flag to specify certificates for server use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] street_addresses: The street address of generated certificates
-        :param pulumi.Input[str] ttl: The TTL, in seconds, for any certificate issued against this role.
-        :param pulumi.Input[bool] use_csr_common_name: Flag to use the CN in the CSR
-        :param pulumi.Input[bool] use_csr_sans: Flag to use the SANs in the CSR
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] policy_identifiers: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] postal_codes: The postal code of generated certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] provinces: The province of generated certificates
+        :param pulumi.Input[builtins.bool] require_cn: Flag to force CN usage
+        :param pulumi.Input[builtins.str] serial_number_source: Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
+               
+               Example usage:
+        :param pulumi.Input[builtins.bool] server_flag: Flag to specify certificates for server use
+        :param pulumi.Input[builtins.int] signature_bits: The number of bits to use in the signature algorithm
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] street_addresses: The street address of generated certificates
+        :param pulumi.Input[builtins.str] ttl: The TTL, in seconds, for any certificate issued against this role.
+        :param pulumi.Input[builtins.bool] use_csr_common_name: Flag to use the CN in the CSR
+        :param pulumi.Input[builtins.bool] use_csr_sans: Flag to use the SANs in the CSR
+        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
         """
         if allow_any_name is not None:
             pulumi.set(__self__, "allow_any_name", allow_any_name)
@@ -972,6 +1069,10 @@ class _SecretBackendRoleState:
             pulumi.set(__self__, "namespace", namespace)
         if no_store is not None:
             pulumi.set(__self__, "no_store", no_store)
+        if no_store_metadata is not None:
+            pulumi.set(__self__, "no_store_metadata", no_store_metadata)
+        if not_after is not None:
+            pulumi.set(__self__, "not_after", not_after)
         if not_before_duration is not None:
             pulumi.set(__self__, "not_before_duration", not_before_duration)
         if organization_unit is not None:
@@ -988,8 +1089,12 @@ class _SecretBackendRoleState:
             pulumi.set(__self__, "provinces", provinces)
         if require_cn is not None:
             pulumi.set(__self__, "require_cn", require_cn)
+        if serial_number_source is not None:
+            pulumi.set(__self__, "serial_number_source", serial_number_source)
         if server_flag is not None:
             pulumi.set(__self__, "server_flag", server_flag)
+        if signature_bits is not None:
+            pulumi.set(__self__, "signature_bits", signature_bits)
         if street_addresses is not None:
             pulumi.set(__self__, "street_addresses", street_addresses)
         if ttl is not None:
@@ -998,310 +1103,312 @@ class _SecretBackendRoleState:
             pulumi.set(__self__, "use_csr_common_name", use_csr_common_name)
         if use_csr_sans is not None:
             pulumi.set(__self__, "use_csr_sans", use_csr_sans)
+        if use_pss is not None:
+            pulumi.set(__self__, "use_pss", use_pss)
 
     @property
     @pulumi.getter(name="allowAnyName")
-    def allow_any_name(self) -> Optional[pulumi.Input[bool]]:
+    def allow_any_name(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow any name
         """
         return pulumi.get(self, "allow_any_name")
 
     @allow_any_name.setter
-    def allow_any_name(self, value: Optional[pulumi.Input[bool]]):
+    def allow_any_name(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_any_name", value)
 
     @property
     @pulumi.getter(name="allowBareDomains")
-    def allow_bare_domains(self) -> Optional[pulumi.Input[bool]]:
+    def allow_bare_domains(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow certificates matching the actual domain
         """
         return pulumi.get(self, "allow_bare_domains")
 
     @allow_bare_domains.setter
-    def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]):
+    def allow_bare_domains(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_bare_domains", value)
 
     @property
     @pulumi.getter(name="allowGlobDomains")
-    def allow_glob_domains(self) -> Optional[pulumi.Input[bool]]:
+    def allow_glob_domains(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow names containing glob patterns.
         """
         return pulumi.get(self, "allow_glob_domains")
 
     @allow_glob_domains.setter
-    def allow_glob_domains(self, value: Optional[pulumi.Input[bool]]):
+    def allow_glob_domains(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_glob_domains", value)
 
     @property
     @pulumi.getter(name="allowIpSans")
-    def allow_ip_sans(self) -> Optional[pulumi.Input[bool]]:
+    def allow_ip_sans(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow IP SANs
         """
         return pulumi.get(self, "allow_ip_sans")
 
     @allow_ip_sans.setter
-    def allow_ip_sans(self, value: Optional[pulumi.Input[bool]]):
+    def allow_ip_sans(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_ip_sans", value)
 
     @property
     @pulumi.getter(name="allowLocalhost")
-    def allow_localhost(self) -> Optional[pulumi.Input[bool]]:
+    def allow_localhost(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow certificates for localhost
         """
         return pulumi.get(self, "allow_localhost")
 
     @allow_localhost.setter
-    def allow_localhost(self, value: Optional[pulumi.Input[bool]]):
+    def allow_localhost(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_localhost", value)
 
     @property
     @pulumi.getter(name="allowSubdomains")
-    def allow_subdomains(self) -> Optional[pulumi.Input[bool]]:
+    def allow_subdomains(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow certificates matching subdomains
         """
         return pulumi.get(self, "allow_subdomains")
 
     @allow_subdomains.setter
-    def allow_subdomains(self, value: Optional[pulumi.Input[bool]]):
+    def allow_subdomains(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_subdomains", value)
 
     @property
     @pulumi.getter(name="allowWildcardCertificates")
-    def allow_wildcard_certificates(self) -> Optional[pulumi.Input[bool]]:
+    def allow_wildcard_certificates(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow wildcard certificates.
         """
         return pulumi.get(self, "allow_wildcard_certificates")
 
     @allow_wildcard_certificates.setter
-    def allow_wildcard_certificates(self, value: Optional[pulumi.Input[bool]]):
+    def allow_wildcard_certificates(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_wildcard_certificates", value)
 
     @property
     @pulumi.getter(name="allowedDomains")
-    def allowed_domains(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_domains(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         List of allowed domains for certificates
         """
         return pulumi.get(self, "allowed_domains")
 
     @allowed_domains.setter
-    def allowed_domains(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_domains(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_domains", value)
 
     @property
     @pulumi.getter(name="allowedDomainsTemplate")
-    def allowed_domains_template(self) -> Optional[pulumi.Input[bool]]:
+    def allowed_domains_template(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
         """
         return pulumi.get(self, "allowed_domains_template")
 
     @allowed_domains_template.setter
-    def allowed_domains_template(self, value: Optional[pulumi.Input[bool]]):
+    def allowed_domains_template(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allowed_domains_template", value)
 
     @property
     @pulumi.getter(name="allowedOtherSans")
-    def allowed_other_sans(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_other_sans(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Defines allowed custom SANs
         """
         return pulumi.get(self, "allowed_other_sans")
 
     @allowed_other_sans.setter
-    def allowed_other_sans(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_other_sans(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_other_sans", value)
 
     @property
     @pulumi.getter(name="allowedSerialNumbers")
-    def allowed_serial_numbers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_serial_numbers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         An array of allowed serial numbers to put in Subject
         """
         return pulumi.get(self, "allowed_serial_numbers")
 
     @allowed_serial_numbers.setter
-    def allowed_serial_numbers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_serial_numbers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_serial_numbers", value)
 
     @property
     @pulumi.getter(name="allowedUriSans")
-    def allowed_uri_sans(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_uri_sans(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Defines allowed URI SANs
         """
         return pulumi.get(self, "allowed_uri_sans")
 
     @allowed_uri_sans.setter
-    def allowed_uri_sans(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_uri_sans(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_uri_sans", value)
 
     @property
     @pulumi.getter(name="allowedUriSansTemplate")
-    def allowed_uri_sans_template(self) -> Optional[pulumi.Input[bool]]:
+    def allowed_uri_sans_template(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
         """
         return pulumi.get(self, "allowed_uri_sans_template")
 
     @allowed_uri_sans_template.setter
-    def allowed_uri_sans_template(self, value: Optional[pulumi.Input[bool]]):
+    def allowed_uri_sans_template(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allowed_uri_sans_template", value)
 
     @property
     @pulumi.getter(name="allowedUserIds")
-    def allowed_user_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_user_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Defines allowed User IDs
         """
         return pulumi.get(self, "allowed_user_ids")
 
     @allowed_user_ids.setter
-    def allowed_user_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_user_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_user_ids", value)
 
     @property
     @pulumi.getter
-    def backend(self) -> Optional[pulumi.Input[str]]:
+    def backend(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
         """
         return pulumi.get(self, "backend")
 
     @backend.setter
-    def backend(self, value: Optional[pulumi.Input[str]]):
+    def backend(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "backend", value)
 
     @property
     @pulumi.getter(name="basicConstraintsValidForNonCa")
-    def basic_constraints_valid_for_non_ca(self) -> Optional[pulumi.Input[bool]]:
+    def basic_constraints_valid_for_non_ca(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to mark basic constraints valid when issuing non-CA certificates
         """
         return pulumi.get(self, "basic_constraints_valid_for_non_ca")
 
     @basic_constraints_valid_for_non_ca.setter
-    def basic_constraints_valid_for_non_ca(self, value: Optional[pulumi.Input[bool]]):
+    def basic_constraints_valid_for_non_ca(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "basic_constraints_valid_for_non_ca", value)
 
     @property
     @pulumi.getter(name="clientFlag")
-    def client_flag(self) -> Optional[pulumi.Input[bool]]:
+    def client_flag(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to specify certificates for client use
         """
         return pulumi.get(self, "client_flag")
 
     @client_flag.setter
-    def client_flag(self, value: Optional[pulumi.Input[bool]]):
+    def client_flag(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "client_flag", value)
 
     @property
     @pulumi.getter(name="cnValidations")
-    def cn_validations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def cn_validations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
         """
         return pulumi.get(self, "cn_validations")
 
     @cn_validations.setter
-    def cn_validations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def cn_validations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "cn_validations", value)
 
     @property
     @pulumi.getter(name="codeSigningFlag")
-    def code_signing_flag(self) -> Optional[pulumi.Input[bool]]:
+    def code_signing_flag(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to specify certificates for code signing use
         """
         return pulumi.get(self, "code_signing_flag")
 
     @code_signing_flag.setter
-    def code_signing_flag(self, value: Optional[pulumi.Input[bool]]):
+    def code_signing_flag(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "code_signing_flag", value)
 
     @property
     @pulumi.getter
-    def countries(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def countries(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The country of generated certificates
         """
         return pulumi.get(self, "countries")
 
     @countries.setter
-    def countries(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def countries(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "countries", value)
 
     @property
     @pulumi.getter(name="emailProtectionFlag")
-    def email_protection_flag(self) -> Optional[pulumi.Input[bool]]:
+    def email_protection_flag(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to specify certificates for email protection use
         """
         return pulumi.get(self, "email_protection_flag")
 
     @email_protection_flag.setter
-    def email_protection_flag(self, value: Optional[pulumi.Input[bool]]):
+    def email_protection_flag(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "email_protection_flag", value)
 
     @property
     @pulumi.getter(name="enforceHostnames")
-    def enforce_hostnames(self) -> Optional[pulumi.Input[bool]]:
+    def enforce_hostnames(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to allow only valid host names
         """
         return pulumi.get(self, "enforce_hostnames")
 
     @enforce_hostnames.setter
-    def enforce_hostnames(self, value: Optional[pulumi.Input[bool]]):
+    def enforce_hostnames(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "enforce_hostnames", value)
 
     @property
     @pulumi.getter(name="extKeyUsageOids")
-    def ext_key_usage_oids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def ext_key_usage_oids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specify the allowed extended key usage OIDs constraint on issued certificates
         """
         return pulumi.get(self, "ext_key_usage_oids")
 
     @ext_key_usage_oids.setter
-    def ext_key_usage_oids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def ext_key_usage_oids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "ext_key_usage_oids", value)
 
     @property
     @pulumi.getter(name="extKeyUsages")
-    def ext_key_usages(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def ext_key_usages(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specify the allowed extended key usage constraint on issued certificates
         """
         return pulumi.get(self, "ext_key_usages")
 
     @ext_key_usages.setter
-    def ext_key_usages(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def ext_key_usages(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "ext_key_usages", value)
 
     @property
     @pulumi.getter(name="generateLease")
-    def generate_lease(self) -> Optional[pulumi.Input[bool]]:
+    def generate_lease(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to generate leases with certificates
         """
         return pulumi.get(self, "generate_lease")
 
     @generate_lease.setter
-    def generate_lease(self, value: Optional[pulumi.Input[bool]]):
+    def generate_lease(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "generate_lease", value)
 
     @property
     @pulumi.getter(name="issuerRef")
-    def issuer_ref(self) -> Optional[pulumi.Input[str]]:
+    def issuer_ref(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the default issuer of this request. May
         be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
@@ -1311,24 +1418,24 @@ class _SecretBackendRoleState:
         return pulumi.get(self, "issuer_ref")
 
     @issuer_ref.setter
-    def issuer_ref(self, value: Optional[pulumi.Input[str]]):
+    def issuer_ref(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "issuer_ref", value)
 
     @property
     @pulumi.getter(name="keyBits")
-    def key_bits(self) -> Optional[pulumi.Input[int]]:
+    def key_bits(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         The number of bits of generated keys
         """
         return pulumi.get(self, "key_bits")
 
     @key_bits.setter
-    def key_bits(self, value: Optional[pulumi.Input[int]]):
+    def key_bits(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "key_bits", value)
 
     @property
     @pulumi.getter(name="keyType")
-    def key_type(self) -> Optional[pulumi.Input[str]]:
+    def key_type(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
         Defaults to `rsa`
@@ -1336,12 +1443,12 @@ class _SecretBackendRoleState:
         return pulumi.get(self, "key_type")
 
     @key_type.setter
-    def key_type(self, value: Optional[pulumi.Input[str]]):
+    def key_type(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "key_type", value)
 
     @property
     @pulumi.getter(name="keyUsages")
-    def key_usages(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def key_usages(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specify the allowed key usage constraint on issued
         certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
@@ -1350,48 +1457,48 @@ class _SecretBackendRoleState:
         return pulumi.get(self, "key_usages")
 
     @key_usages.setter
-    def key_usages(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def key_usages(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "key_usages", value)
 
     @property
     @pulumi.getter
-    def localities(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def localities(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The locality of generated certificates
         """
         return pulumi.get(self, "localities")
 
     @localities.setter
-    def localities(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def localities(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "localities", value)
 
     @property
     @pulumi.getter(name="maxTtl")
-    def max_ttl(self) -> Optional[pulumi.Input[str]]:
+    def max_ttl(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The maximum lease TTL, in seconds, for the role.
         """
         return pulumi.get(self, "max_ttl")
 
     @max_ttl.setter
-    def max_ttl(self, value: Optional[pulumi.Input[str]]):
+    def max_ttl(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "max_ttl", value)
 
     @property
     @pulumi.getter
-    def name(self) -> Optional[pulumi.Input[str]]:
+    def name(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The name to identify this role within the backend. Must be unique within the backend.
         """
         return pulumi.get(self, "name")
 
     @name.setter
-    def name(self, value: Optional[pulumi.Input[str]]):
+    def name(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "name", value)
 
     @property
     @pulumi.getter
-    def namespace(self) -> Optional[pulumi.Input[str]]:
+    def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -1401,55 +1508,79 @@ class _SecretBackendRoleState:
         return pulumi.get(self, "namespace")
 
     @namespace.setter
-    def namespace(self, value: Optional[pulumi.Input[str]]):
+    def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "namespace", value)
 
     @property
     @pulumi.getter(name="noStore")
-    def no_store(self) -> Optional[pulumi.Input[bool]]:
+    def no_store(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to not store certificates in the storage backend
         """
         return pulumi.get(self, "no_store")
 
     @no_store.setter
-    def no_store(self, value: Optional[pulumi.Input[bool]]):
+    def no_store(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "no_store", value)
 
+    @property
+    @pulumi.getter(name="noStoreMetadata")
+    def no_store_metadata(self) -> Optional[pulumi.Input[builtins.bool]]:
+        """
+        Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
+        """
+        return pulumi.get(self, "no_store_metadata")
+
+    @no_store_metadata.setter
+    def no_store_metadata(self, value: Optional[pulumi.Input[builtins.bool]]):
+        pulumi.set(self, "no_store_metadata", value)
+
+    @property
+    @pulumi.getter(name="notAfter")
+    def not_after(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
+        """
+        return pulumi.get(self, "not_after")
+
+    @not_after.setter
+    def not_after(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "not_after", value)
+
     @property
     @pulumi.getter(name="notBeforeDuration")
-    def not_before_duration(self) -> Optional[pulumi.Input[str]]:
+    def not_before_duration(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the duration by which to backdate the NotBefore property.
         """
         return pulumi.get(self, "not_before_duration")
 
     @not_before_duration.setter
-    def not_before_duration(self, value: Optional[pulumi.Input[str]]):
+    def not_before_duration(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "not_before_duration", value)
 
     @property
     @pulumi.getter(name="organizationUnit")
-    def organization_unit(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def organization_unit(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The organization unit of generated certificates
         """
         return pulumi.get(self, "organization_unit")
 
     @organization_unit.setter
-    def organization_unit(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def organization_unit(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "organization_unit", value)
 
     @property
     @pulumi.getter
-    def organizations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def organizations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The organization of generated certificates
         """
         return pulumi.get(self, "organizations")
 
     @organizations.setter
-    def organizations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def organizations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "organizations", value)
 
     @property
@@ -1466,165 +1597,208 @@ class _SecretBackendRoleState:
 
     @property
     @pulumi.getter(name="policyIdentifiers")
-    def policy_identifiers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def policy_identifiers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead
         """
         return pulumi.get(self, "policy_identifiers")
 
     @policy_identifiers.setter
-    def policy_identifiers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def policy_identifiers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "policy_identifiers", value)
 
     @property
     @pulumi.getter(name="postalCodes")
-    def postal_codes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def postal_codes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The postal code of generated certificates
         """
         return pulumi.get(self, "postal_codes")
 
     @postal_codes.setter
-    def postal_codes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def postal_codes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "postal_codes", value)
 
     @property
     @pulumi.getter
-    def provinces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def provinces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The province of generated certificates
         """
         return pulumi.get(self, "provinces")
 
     @provinces.setter
-    def provinces(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def provinces(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "provinces", value)
 
     @property
     @pulumi.getter(name="requireCn")
-    def require_cn(self) -> Optional[pulumi.Input[bool]]:
+    def require_cn(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to force CN usage
         """
         return pulumi.get(self, "require_cn")
 
     @require_cn.setter
-    def require_cn(self, value: Optional[pulumi.Input[bool]]):
+    def require_cn(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "require_cn", value)
 
+    @property
+    @pulumi.getter(name="serialNumberSource")
+    def serial_number_source(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
+
+        Example usage:
+        """
+        return pulumi.get(self, "serial_number_source")
+
+    @serial_number_source.setter
+    def serial_number_source(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "serial_number_source", value)
+
     @property
     @pulumi.getter(name="serverFlag")
-    def server_flag(self) -> Optional[pulumi.Input[bool]]:
+    def server_flag(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to specify certificates for server use
         """
         return pulumi.get(self, "server_flag")
 
     @server_flag.setter
-    def server_flag(self, value: Optional[pulumi.Input[bool]]):
+    def server_flag(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "server_flag", value)
 
+    @property
+    @pulumi.getter(name="signatureBits")
+    def signature_bits(self) -> Optional[pulumi.Input[builtins.int]]:
+        """
+        The number of bits to use in the signature algorithm
+        """
+        return pulumi.get(self, "signature_bits")
+
+    @signature_bits.setter
+    def signature_bits(self, value: Optional[pulumi.Input[builtins.int]]):
+        pulumi.set(self, "signature_bits", value)
+
     @property
     @pulumi.getter(name="streetAddresses")
-    def street_addresses(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def street_addresses(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         The street address of generated certificates
         """
         return pulumi.get(self, "street_addresses")
 
     @street_addresses.setter
-    def street_addresses(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def street_addresses(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "street_addresses", value)
 
     @property
     @pulumi.getter
-    def ttl(self) -> Optional[pulumi.Input[str]]:
+    def ttl(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The TTL, in seconds, for any certificate issued against this role.
         """
         return pulumi.get(self, "ttl")
 
     @ttl.setter
-    def ttl(self, value: Optional[pulumi.Input[str]]):
+    def ttl(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "ttl", value)
 
     @property
     @pulumi.getter(name="useCsrCommonName")
-    def use_csr_common_name(self) -> Optional[pulumi.Input[bool]]:
+    def use_csr_common_name(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to use the CN in the CSR
         """
         return pulumi.get(self, "use_csr_common_name")
 
     @use_csr_common_name.setter
-    def use_csr_common_name(self, value: Optional[pulumi.Input[bool]]):
+    def use_csr_common_name(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "use_csr_common_name", value)
 
     @property
     @pulumi.getter(name="useCsrSans")
-    def use_csr_sans(self) -> Optional[pulumi.Input[bool]]:
+    def use_csr_sans(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Flag to use the SANs in the CSR
         """
         return pulumi.get(self, "use_csr_sans")
 
     @use_csr_sans.setter
-    def use_csr_sans(self, value: Optional[pulumi.Input[bool]]):
+    def use_csr_sans(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "use_csr_sans", value)
 
+    @property
+    @pulumi.getter(name="usePss")
+    def use_pss(self) -> Optional[pulumi.Input[builtins.bool]]:
+        """
+        Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
+        """
+        return pulumi.get(self, "use_pss")
+
+    @use_pss.setter
+    def use_pss(self, value: Optional[pulumi.Input[builtins.bool]]):
+        pulumi.set(self, "use_pss", value)
+
 
 class SecretBackendRole(pulumi.CustomResource):
     @overload
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 allow_any_name: Optional[pulumi.Input[bool]] = None,
-                 allow_bare_domains: Optional[pulumi.Input[bool]] = None,
-                 allow_glob_domains: Optional[pulumi.Input[bool]] = None,
-                 allow_ip_sans: Optional[pulumi.Input[bool]] = None,
-                 allow_localhost: Optional[pulumi.Input[bool]] = None,
-                 allow_subdomains: Optional[pulumi.Input[bool]] = None,
-                 allow_wildcard_certificates: Optional[pulumi.Input[bool]] = None,
-                 allowed_domains: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_domains_template: Optional[pulumi.Input[bool]] = None,
-                 allowed_other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_serial_numbers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_uri_sans_template: Optional[pulumi.Input[bool]] = None,
-                 allowed_user_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 backend: Optional[pulumi.Input[str]] = None,
-                 basic_constraints_valid_for_non_ca: Optional[pulumi.Input[bool]] = None,
-                 client_flag: Optional[pulumi.Input[bool]] = None,
-                 cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 code_signing_flag: Optional[pulumi.Input[bool]] = None,
-                 countries: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 email_protection_flag: Optional[pulumi.Input[bool]] = None,
-                 enforce_hostnames: Optional[pulumi.Input[bool]] = None,
-                 ext_key_usage_oids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ext_key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 generate_lease: Optional[pulumi.Input[bool]] = None,
-                 issuer_ref: Optional[pulumi.Input[str]] = None,
-                 key_bits: Optional[pulumi.Input[int]] = None,
-                 key_type: Optional[pulumi.Input[str]] = None,
-                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 localities: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 max_ttl: Optional[pulumi.Input[str]] = None,
-                 name: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 no_store: Optional[pulumi.Input[bool]] = None,
-                 not_before_duration: Optional[pulumi.Input[str]] = None,
-                 organization_unit: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 organizations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 allow_any_name: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_bare_domains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_glob_domains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_ip_sans: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_localhost: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_subdomains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_wildcard_certificates: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_domains: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_domains_template: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_serial_numbers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_uri_sans_template: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_user_ids: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 backend: Optional[pulumi.Input[builtins.str]] = None,
+                 basic_constraints_valid_for_non_ca: Optional[pulumi.Input[builtins.bool]] = None,
+                 client_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 code_signing_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 countries: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 email_protection_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 enforce_hostnames: Optional[pulumi.Input[builtins.bool]] = None,
+                 ext_key_usage_oids: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ext_key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 generate_lease: Optional[pulumi.Input[builtins.bool]] = None,
+                 issuer_ref: Optional[pulumi.Input[builtins.str]] = None,
+                 key_bits: Optional[pulumi.Input[builtins.int]] = None,
+                 key_type: Optional[pulumi.Input[builtins.str]] = None,
+                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 localities: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 name: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 no_store: Optional[pulumi.Input[builtins.bool]] = None,
+                 no_store_metadata: Optional[pulumi.Input[builtins.bool]] = None,
+                 not_after: Optional[pulumi.Input[builtins.str]] = None,
+                 not_before_duration: Optional[pulumi.Input[builtins.str]] = None,
+                 organization_unit: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 organizations: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  policy_identifier: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRolePolicyIdentifierArgs', 'SecretBackendRolePolicyIdentifierArgsDict']]]]] = None,
-                 policy_identifiers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 postal_codes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 provinces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 require_cn: Optional[pulumi.Input[bool]] = None,
-                 server_flag: Optional[pulumi.Input[bool]] = None,
-                 street_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ttl: Optional[pulumi.Input[str]] = None,
-                 use_csr_common_name: Optional[pulumi.Input[bool]] = None,
-                 use_csr_sans: Optional[pulumi.Input[bool]] = None,
+                 policy_identifiers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 postal_codes: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 provinces: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 require_cn: Optional[pulumi.Input[builtins.bool]] = None,
+                 serial_number_source: Optional[pulumi.Input[builtins.str]] = None,
+                 server_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 signature_bits: Optional[pulumi.Input[builtins.int]] = None,
+                 street_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 use_csr_common_name: Optional[pulumi.Input[builtins.bool]] = None,
+                 use_csr_sans: Optional[pulumi.Input[builtins.bool]] = None,
+                 use_pss: Optional[pulumi.Input[builtins.bool]] = None,
                  __props__=None):
         """
         Creates a role on an PKI Secret Backend for Vault.
@@ -1664,62 +1838,69 @@ class SecretBackendRole(pulumi.CustomResource):
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[bool] allow_any_name: Flag to allow any name
-        :param pulumi.Input[bool] allow_bare_domains: Flag to allow certificates matching the actual domain
-        :param pulumi.Input[bool] allow_glob_domains: Flag to allow names containing glob patterns.
-        :param pulumi.Input[bool] allow_ip_sans: Flag to allow IP SANs
-        :param pulumi.Input[bool] allow_localhost: Flag to allow certificates for localhost
-        :param pulumi.Input[bool] allow_subdomains: Flag to allow certificates matching subdomains
-        :param pulumi.Input[bool] allow_wildcard_certificates: Flag to allow wildcard certificates.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_domains: List of allowed domains for certificates
-        :param pulumi.Input[bool] allowed_domains_template: Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_other_sans: Defines allowed custom SANs
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_serial_numbers: An array of allowed serial numbers to put in Subject
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Defines allowed URI SANs
-        :param pulumi.Input[bool] allowed_uri_sans_template: Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_user_ids: Defines allowed User IDs
-        :param pulumi.Input[str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
-        :param pulumi.Input[bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates
-        :param pulumi.Input[bool] client_flag: Flag to specify certificates for client use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
-        :param pulumi.Input[bool] code_signing_flag: Flag to specify certificates for code signing use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] countries: The country of generated certificates
-        :param pulumi.Input[bool] email_protection_flag: Flag to specify certificates for email protection use
-        :param pulumi.Input[bool] enforce_hostnames: Flag to allow only valid host names
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] ext_key_usage_oids: Specify the allowed extended key usage OIDs constraint on issued certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] ext_key_usages: Specify the allowed extended key usage constraint on issued certificates
-        :param pulumi.Input[bool] generate_lease: Flag to generate leases with certificates
-        :param pulumi.Input[str] issuer_ref: Specifies the default issuer of this request. May
+        :param pulumi.Input[builtins.bool] allow_any_name: Flag to allow any name
+        :param pulumi.Input[builtins.bool] allow_bare_domains: Flag to allow certificates matching the actual domain
+        :param pulumi.Input[builtins.bool] allow_glob_domains: Flag to allow names containing glob patterns.
+        :param pulumi.Input[builtins.bool] allow_ip_sans: Flag to allow IP SANs
+        :param pulumi.Input[builtins.bool] allow_localhost: Flag to allow certificates for localhost
+        :param pulumi.Input[builtins.bool] allow_subdomains: Flag to allow certificates matching subdomains
+        :param pulumi.Input[builtins.bool] allow_wildcard_certificates: Flag to allow wildcard certificates.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_domains: List of allowed domains for certificates
+        :param pulumi.Input[builtins.bool] allowed_domains_template: Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_other_sans: Defines allowed custom SANs
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_serial_numbers: An array of allowed serial numbers to put in Subject
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_uri_sans: Defines allowed URI SANs
+        :param pulumi.Input[builtins.bool] allowed_uri_sans_template: Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_user_ids: Defines allowed User IDs
+        :param pulumi.Input[builtins.str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
+        :param pulumi.Input[builtins.bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates
+        :param pulumi.Input[builtins.bool] client_flag: Flag to specify certificates for client use
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
+        :param pulumi.Input[builtins.bool] code_signing_flag: Flag to specify certificates for code signing use
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] countries: The country of generated certificates
+        :param pulumi.Input[builtins.bool] email_protection_flag: Flag to specify certificates for email protection use
+        :param pulumi.Input[builtins.bool] enforce_hostnames: Flag to allow only valid host names
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] ext_key_usage_oids: Specify the allowed extended key usage OIDs constraint on issued certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] ext_key_usages: Specify the allowed extended key usage constraint on issued certificates
+        :param pulumi.Input[builtins.bool] generate_lease: Flag to generate leases with certificates
+        :param pulumi.Input[builtins.str] issuer_ref: Specifies the default issuer of this request. May
                be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
                the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
                overriding the role's `issuer_ref` value.
-        :param pulumi.Input[int] key_bits: The number of bits of generated keys
-        :param pulumi.Input[str] key_type: The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
+        :param pulumi.Input[builtins.int] key_bits: The number of bits of generated keys
+        :param pulumi.Input[builtins.str] key_type: The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
                Defaults to `rsa`
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] key_usages: Specify the allowed key usage constraint on issued
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] key_usages: Specify the allowed key usage constraint on issued
                certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
                To specify no default key usage constraints, set this to an empty list `[]`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] localities: The locality of generated certificates
-        :param pulumi.Input[str] max_ttl: The maximum lease TTL, in seconds, for the role.
-        :param pulumi.Input[str] name: The name to identify this role within the backend. Must be unique within the backend.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] localities: The locality of generated certificates
+        :param pulumi.Input[builtins.str] max_ttl: The maximum lease TTL, in seconds, for the role.
+        :param pulumi.Input[builtins.str] name: The name to identify this role within the backend. Must be unique within the backend.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[bool] no_store: Flag to not store certificates in the storage backend
-        :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the NotBefore property.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] organization_unit: The organization unit of generated certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] organizations: The organization of generated certificates
+        :param pulumi.Input[builtins.bool] no_store: Flag to not store certificates in the storage backend
+        :param pulumi.Input[builtins.bool] no_store_metadata: Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
+        :param pulumi.Input[builtins.str] not_after: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
+        :param pulumi.Input[builtins.str] not_before_duration: Specifies the duration by which to backdate the NotBefore property.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] organization_unit: The organization unit of generated certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] organizations: The organization of generated certificates
         :param pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRolePolicyIdentifierArgs', 'SecretBackendRolePolicyIdentifierArgsDict']]]] policy_identifier: (Vault 1.11+ only) A block for specifying policy identifers. The `policy_identifier` block can be repeated, and supports the following arguments:
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] policy_identifiers: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] postal_codes: The postal code of generated certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] provinces: The province of generated certificates
-        :param pulumi.Input[bool] require_cn: Flag to force CN usage
-        :param pulumi.Input[bool] server_flag: Flag to specify certificates for server use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] street_addresses: The street address of generated certificates
-        :param pulumi.Input[str] ttl: The TTL, in seconds, for any certificate issued against this role.
-        :param pulumi.Input[bool] use_csr_common_name: Flag to use the CN in the CSR
-        :param pulumi.Input[bool] use_csr_sans: Flag to use the SANs in the CSR
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] policy_identifiers: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] postal_codes: The postal code of generated certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] provinces: The province of generated certificates
+        :param pulumi.Input[builtins.bool] require_cn: Flag to force CN usage
+        :param pulumi.Input[builtins.str] serial_number_source: Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
+               
+               Example usage:
+        :param pulumi.Input[builtins.bool] server_flag: Flag to specify certificates for server use
+        :param pulumi.Input[builtins.int] signature_bits: The number of bits to use in the signature algorithm
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] street_addresses: The street address of generated certificates
+        :param pulumi.Input[builtins.str] ttl: The TTL, in seconds, for any certificate issued against this role.
+        :param pulumi.Input[builtins.bool] use_csr_common_name: Flag to use the CN in the CSR
+        :param pulumi.Input[builtins.bool] use_csr_sans: Flag to use the SANs in the CSR
+        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
         """
         ...
     @overload
@@ -1778,53 +1959,58 @@ class SecretBackendRole(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 allow_any_name: Optional[pulumi.Input[bool]] = None,
-                 allow_bare_domains: Optional[pulumi.Input[bool]] = None,
-                 allow_glob_domains: Optional[pulumi.Input[bool]] = None,
-                 allow_ip_sans: Optional[pulumi.Input[bool]] = None,
-                 allow_localhost: Optional[pulumi.Input[bool]] = None,
-                 allow_subdomains: Optional[pulumi.Input[bool]] = None,
-                 allow_wildcard_certificates: Optional[pulumi.Input[bool]] = None,
-                 allowed_domains: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_domains_template: Optional[pulumi.Input[bool]] = None,
-                 allowed_other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_serial_numbers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_uri_sans_template: Optional[pulumi.Input[bool]] = None,
-                 allowed_user_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 backend: Optional[pulumi.Input[str]] = None,
-                 basic_constraints_valid_for_non_ca: Optional[pulumi.Input[bool]] = None,
-                 client_flag: Optional[pulumi.Input[bool]] = None,
-                 cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 code_signing_flag: Optional[pulumi.Input[bool]] = None,
-                 countries: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 email_protection_flag: Optional[pulumi.Input[bool]] = None,
-                 enforce_hostnames: Optional[pulumi.Input[bool]] = None,
-                 ext_key_usage_oids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ext_key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 generate_lease: Optional[pulumi.Input[bool]] = None,
-                 issuer_ref: Optional[pulumi.Input[str]] = None,
-                 key_bits: Optional[pulumi.Input[int]] = None,
-                 key_type: Optional[pulumi.Input[str]] = None,
-                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 localities: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 max_ttl: Optional[pulumi.Input[str]] = None,
-                 name: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 no_store: Optional[pulumi.Input[bool]] = None,
-                 not_before_duration: Optional[pulumi.Input[str]] = None,
-                 organization_unit: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 organizations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 allow_any_name: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_bare_domains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_glob_domains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_ip_sans: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_localhost: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_subdomains: Optional[pulumi.Input[builtins.bool]] = None,
+                 allow_wildcard_certificates: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_domains: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_domains_template: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_serial_numbers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_uri_sans_template: Optional[pulumi.Input[builtins.bool]] = None,
+                 allowed_user_ids: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 backend: Optional[pulumi.Input[builtins.str]] = None,
+                 basic_constraints_valid_for_non_ca: Optional[pulumi.Input[builtins.bool]] = None,
+                 client_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 code_signing_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 countries: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 email_protection_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 enforce_hostnames: Optional[pulumi.Input[builtins.bool]] = None,
+                 ext_key_usage_oids: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ext_key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 generate_lease: Optional[pulumi.Input[builtins.bool]] = None,
+                 issuer_ref: Optional[pulumi.Input[builtins.str]] = None,
+                 key_bits: Optional[pulumi.Input[builtins.int]] = None,
+                 key_type: Optional[pulumi.Input[builtins.str]] = None,
+                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 localities: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 name: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 no_store: Optional[pulumi.Input[builtins.bool]] = None,
+                 no_store_metadata: Optional[pulumi.Input[builtins.bool]] = None,
+                 not_after: Optional[pulumi.Input[builtins.str]] = None,
+                 not_before_duration: Optional[pulumi.Input[builtins.str]] = None,
+                 organization_unit: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 organizations: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  policy_identifier: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRolePolicyIdentifierArgs', 'SecretBackendRolePolicyIdentifierArgsDict']]]]] = None,
-                 policy_identifiers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 postal_codes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 provinces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 require_cn: Optional[pulumi.Input[bool]] = None,
-                 server_flag: Optional[pulumi.Input[bool]] = None,
-                 street_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ttl: Optional[pulumi.Input[str]] = None,
-                 use_csr_common_name: Optional[pulumi.Input[bool]] = None,
-                 use_csr_sans: Optional[pulumi.Input[bool]] = None,
+                 policy_identifiers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 postal_codes: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 provinces: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 require_cn: Optional[pulumi.Input[builtins.bool]] = None,
+                 serial_number_source: Optional[pulumi.Input[builtins.str]] = None,
+                 server_flag: Optional[pulumi.Input[builtins.bool]] = None,
+                 signature_bits: Optional[pulumi.Input[builtins.int]] = None,
+                 street_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 use_csr_common_name: Optional[pulumi.Input[builtins.bool]] = None,
+                 use_csr_sans: Optional[pulumi.Input[builtins.bool]] = None,
+                 use_pss: Optional[pulumi.Input[builtins.bool]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -1870,6 +2056,8 @@ class SecretBackendRole(pulumi.CustomResource):
             __props__.__dict__["name"] = name
             __props__.__dict__["namespace"] = namespace
             __props__.__dict__["no_store"] = no_store
+            __props__.__dict__["no_store_metadata"] = no_store_metadata
+            __props__.__dict__["not_after"] = not_after
             __props__.__dict__["not_before_duration"] = not_before_duration
             __props__.__dict__["organization_unit"] = organization_unit
             __props__.__dict__["organizations"] = organizations
@@ -1878,11 +2066,14 @@ class SecretBackendRole(pulumi.CustomResource):
             __props__.__dict__["postal_codes"] = postal_codes
             __props__.__dict__["provinces"] = provinces
             __props__.__dict__["require_cn"] = require_cn
+            __props__.__dict__["serial_number_source"] = serial_number_source
             __props__.__dict__["server_flag"] = server_flag
+            __props__.__dict__["signature_bits"] = signature_bits
             __props__.__dict__["street_addresses"] = street_addresses
             __props__.__dict__["ttl"] = ttl
             __props__.__dict__["use_csr_common_name"] = use_csr_common_name
             __props__.__dict__["use_csr_sans"] = use_csr_sans
+            __props__.__dict__["use_pss"] = use_pss
         super(SecretBackendRole, __self__).__init__(
             'vault:pkiSecret/secretBackendRole:SecretBackendRole',
             resource_name,
@@ -1893,53 +2084,58 @@ class SecretBackendRole(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
-            allow_any_name: Optional[pulumi.Input[bool]] = None,
-            allow_bare_domains: Optional[pulumi.Input[bool]] = None,
-            allow_glob_domains: Optional[pulumi.Input[bool]] = None,
-            allow_ip_sans: Optional[pulumi.Input[bool]] = None,
-            allow_localhost: Optional[pulumi.Input[bool]] = None,
-            allow_subdomains: Optional[pulumi.Input[bool]] = None,
-            allow_wildcard_certificates: Optional[pulumi.Input[bool]] = None,
-            allowed_domains: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            allowed_domains_template: Optional[pulumi.Input[bool]] = None,
-            allowed_other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            allowed_serial_numbers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            allowed_uri_sans_template: Optional[pulumi.Input[bool]] = None,
-            allowed_user_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            backend: Optional[pulumi.Input[str]] = None,
-            basic_constraints_valid_for_non_ca: Optional[pulumi.Input[bool]] = None,
-            client_flag: Optional[pulumi.Input[bool]] = None,
-            cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            code_signing_flag: Optional[pulumi.Input[bool]] = None,
-            countries: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            email_protection_flag: Optional[pulumi.Input[bool]] = None,
-            enforce_hostnames: Optional[pulumi.Input[bool]] = None,
-            ext_key_usage_oids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            ext_key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            generate_lease: Optional[pulumi.Input[bool]] = None,
-            issuer_ref: Optional[pulumi.Input[str]] = None,
-            key_bits: Optional[pulumi.Input[int]] = None,
-            key_type: Optional[pulumi.Input[str]] = None,
-            key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            localities: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            max_ttl: Optional[pulumi.Input[str]] = None,
-            name: Optional[pulumi.Input[str]] = None,
-            namespace: Optional[pulumi.Input[str]] = None,
-            no_store: Optional[pulumi.Input[bool]] = None,
-            not_before_duration: Optional[pulumi.Input[str]] = None,
-            organization_unit: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            organizations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+            allow_any_name: Optional[pulumi.Input[builtins.bool]] = None,
+            allow_bare_domains: Optional[pulumi.Input[builtins.bool]] = None,
+            allow_glob_domains: Optional[pulumi.Input[builtins.bool]] = None,
+            allow_ip_sans: Optional[pulumi.Input[builtins.bool]] = None,
+            allow_localhost: Optional[pulumi.Input[builtins.bool]] = None,
+            allow_subdomains: Optional[pulumi.Input[builtins.bool]] = None,
+            allow_wildcard_certificates: Optional[pulumi.Input[builtins.bool]] = None,
+            allowed_domains: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            allowed_domains_template: Optional[pulumi.Input[builtins.bool]] = None,
+            allowed_other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            allowed_serial_numbers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            allowed_uri_sans_template: Optional[pulumi.Input[builtins.bool]] = None,
+            allowed_user_ids: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            backend: Optional[pulumi.Input[builtins.str]] = None,
+            basic_constraints_valid_for_non_ca: Optional[pulumi.Input[builtins.bool]] = None,
+            client_flag: Optional[pulumi.Input[builtins.bool]] = None,
+            cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            code_signing_flag: Optional[pulumi.Input[builtins.bool]] = None,
+            countries: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            email_protection_flag: Optional[pulumi.Input[builtins.bool]] = None,
+            enforce_hostnames: Optional[pulumi.Input[builtins.bool]] = None,
+            ext_key_usage_oids: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            ext_key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            generate_lease: Optional[pulumi.Input[builtins.bool]] = None,
+            issuer_ref: Optional[pulumi.Input[builtins.str]] = None,
+            key_bits: Optional[pulumi.Input[builtins.int]] = None,
+            key_type: Optional[pulumi.Input[builtins.str]] = None,
+            key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            localities: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+            name: Optional[pulumi.Input[builtins.str]] = None,
+            namespace: Optional[pulumi.Input[builtins.str]] = None,
+            no_store: Optional[pulumi.Input[builtins.bool]] = None,
+            no_store_metadata: Optional[pulumi.Input[builtins.bool]] = None,
+            not_after: Optional[pulumi.Input[builtins.str]] = None,
+            not_before_duration: Optional[pulumi.Input[builtins.str]] = None,
+            organization_unit: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            organizations: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
             policy_identifier: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRolePolicyIdentifierArgs', 'SecretBackendRolePolicyIdentifierArgsDict']]]]] = None,
-            policy_identifiers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            postal_codes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            provinces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            require_cn: Optional[pulumi.Input[bool]] = None,
-            server_flag: Optional[pulumi.Input[bool]] = None,
-            street_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            ttl: Optional[pulumi.Input[str]] = None,
-            use_csr_common_name: Optional[pulumi.Input[bool]] = None,
-            use_csr_sans: Optional[pulumi.Input[bool]] = None) -> 'SecretBackendRole':
+            policy_identifiers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            postal_codes: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            provinces: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            require_cn: Optional[pulumi.Input[builtins.bool]] = None,
+            serial_number_source: Optional[pulumi.Input[builtins.str]] = None,
+            server_flag: Optional[pulumi.Input[builtins.bool]] = None,
+            signature_bits: Optional[pulumi.Input[builtins.int]] = None,
+            street_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            ttl: Optional[pulumi.Input[builtins.str]] = None,
+            use_csr_common_name: Optional[pulumi.Input[builtins.bool]] = None,
+            use_csr_sans: Optional[pulumi.Input[builtins.bool]] = None,
+            use_pss: Optional[pulumi.Input[builtins.bool]] = None) -> 'SecretBackendRole':
         """
         Get an existing SecretBackendRole resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -1947,62 +2143,69 @@ class SecretBackendRole(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[bool] allow_any_name: Flag to allow any name
-        :param pulumi.Input[bool] allow_bare_domains: Flag to allow certificates matching the actual domain
-        :param pulumi.Input[bool] allow_glob_domains: Flag to allow names containing glob patterns.
-        :param pulumi.Input[bool] allow_ip_sans: Flag to allow IP SANs
-        :param pulumi.Input[bool] allow_localhost: Flag to allow certificates for localhost
-        :param pulumi.Input[bool] allow_subdomains: Flag to allow certificates matching subdomains
-        :param pulumi.Input[bool] allow_wildcard_certificates: Flag to allow wildcard certificates.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_domains: List of allowed domains for certificates
-        :param pulumi.Input[bool] allowed_domains_template: Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_other_sans: Defines allowed custom SANs
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_serial_numbers: An array of allowed serial numbers to put in Subject
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Defines allowed URI SANs
-        :param pulumi.Input[bool] allowed_uri_sans_template: Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_user_ids: Defines allowed User IDs
-        :param pulumi.Input[str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
-        :param pulumi.Input[bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates
-        :param pulumi.Input[bool] client_flag: Flag to specify certificates for client use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
-        :param pulumi.Input[bool] code_signing_flag: Flag to specify certificates for code signing use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] countries: The country of generated certificates
-        :param pulumi.Input[bool] email_protection_flag: Flag to specify certificates for email protection use
-        :param pulumi.Input[bool] enforce_hostnames: Flag to allow only valid host names
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] ext_key_usage_oids: Specify the allowed extended key usage OIDs constraint on issued certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] ext_key_usages: Specify the allowed extended key usage constraint on issued certificates
-        :param pulumi.Input[bool] generate_lease: Flag to generate leases with certificates
-        :param pulumi.Input[str] issuer_ref: Specifies the default issuer of this request. May
+        :param pulumi.Input[builtins.bool] allow_any_name: Flag to allow any name
+        :param pulumi.Input[builtins.bool] allow_bare_domains: Flag to allow certificates matching the actual domain
+        :param pulumi.Input[builtins.bool] allow_glob_domains: Flag to allow names containing glob patterns.
+        :param pulumi.Input[builtins.bool] allow_ip_sans: Flag to allow IP SANs
+        :param pulumi.Input[builtins.bool] allow_localhost: Flag to allow certificates for localhost
+        :param pulumi.Input[builtins.bool] allow_subdomains: Flag to allow certificates matching subdomains
+        :param pulumi.Input[builtins.bool] allow_wildcard_certificates: Flag to allow wildcard certificates.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_domains: List of allowed domains for certificates
+        :param pulumi.Input[builtins.bool] allowed_domains_template: Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_other_sans: Defines allowed custom SANs
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_serial_numbers: An array of allowed serial numbers to put in Subject
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_uri_sans: Defines allowed URI SANs
+        :param pulumi.Input[builtins.bool] allowed_uri_sans_template: Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_user_ids: Defines allowed User IDs
+        :param pulumi.Input[builtins.str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
+        :param pulumi.Input[builtins.bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates
+        :param pulumi.Input[builtins.bool] client_flag: Flag to specify certificates for client use
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
+        :param pulumi.Input[builtins.bool] code_signing_flag: Flag to specify certificates for code signing use
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] countries: The country of generated certificates
+        :param pulumi.Input[builtins.bool] email_protection_flag: Flag to specify certificates for email protection use
+        :param pulumi.Input[builtins.bool] enforce_hostnames: Flag to allow only valid host names
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] ext_key_usage_oids: Specify the allowed extended key usage OIDs constraint on issued certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] ext_key_usages: Specify the allowed extended key usage constraint on issued certificates
+        :param pulumi.Input[builtins.bool] generate_lease: Flag to generate leases with certificates
+        :param pulumi.Input[builtins.str] issuer_ref: Specifies the default issuer of this request. May
                be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
                the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
                overriding the role's `issuer_ref` value.
-        :param pulumi.Input[int] key_bits: The number of bits of generated keys
-        :param pulumi.Input[str] key_type: The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
+        :param pulumi.Input[builtins.int] key_bits: The number of bits of generated keys
+        :param pulumi.Input[builtins.str] key_type: The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
                Defaults to `rsa`
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] key_usages: Specify the allowed key usage constraint on issued
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] key_usages: Specify the allowed key usage constraint on issued
                certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
                To specify no default key usage constraints, set this to an empty list `[]`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] localities: The locality of generated certificates
-        :param pulumi.Input[str] max_ttl: The maximum lease TTL, in seconds, for the role.
-        :param pulumi.Input[str] name: The name to identify this role within the backend. Must be unique within the backend.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] localities: The locality of generated certificates
+        :param pulumi.Input[builtins.str] max_ttl: The maximum lease TTL, in seconds, for the role.
+        :param pulumi.Input[builtins.str] name: The name to identify this role within the backend. Must be unique within the backend.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[bool] no_store: Flag to not store certificates in the storage backend
-        :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the NotBefore property.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] organization_unit: The organization unit of generated certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] organizations: The organization of generated certificates
+        :param pulumi.Input[builtins.bool] no_store: Flag to not store certificates in the storage backend
+        :param pulumi.Input[builtins.bool] no_store_metadata: Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
+        :param pulumi.Input[builtins.str] not_after: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
+        :param pulumi.Input[builtins.str] not_before_duration: Specifies the duration by which to backdate the NotBefore property.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] organization_unit: The organization unit of generated certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] organizations: The organization of generated certificates
         :param pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRolePolicyIdentifierArgs', 'SecretBackendRolePolicyIdentifierArgsDict']]]] policy_identifier: (Vault 1.11+ only) A block for specifying policy identifers. The `policy_identifier` block can be repeated, and supports the following arguments:
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] policy_identifiers: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] postal_codes: The postal code of generated certificates
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] provinces: The province of generated certificates
-        :param pulumi.Input[bool] require_cn: Flag to force CN usage
-        :param pulumi.Input[bool] server_flag: Flag to specify certificates for server use
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] street_addresses: The street address of generated certificates
-        :param pulumi.Input[str] ttl: The TTL, in seconds, for any certificate issued against this role.
-        :param pulumi.Input[bool] use_csr_common_name: Flag to use the CN in the CSR
-        :param pulumi.Input[bool] use_csr_sans: Flag to use the SANs in the CSR
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] policy_identifiers: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] postal_codes: The postal code of generated certificates
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] provinces: The province of generated certificates
+        :param pulumi.Input[builtins.bool] require_cn: Flag to force CN usage
+        :param pulumi.Input[builtins.str] serial_number_source: Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
+               
+               Example usage:
+        :param pulumi.Input[builtins.bool] server_flag: Flag to specify certificates for server use
+        :param pulumi.Input[builtins.int] signature_bits: The number of bits to use in the signature algorithm
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] street_addresses: The street address of generated certificates
+        :param pulumi.Input[builtins.str] ttl: The TTL, in seconds, for any certificate issued against this role.
+        :param pulumi.Input[builtins.bool] use_csr_common_name: Flag to use the CN in the CSR
+        :param pulumi.Input[builtins.bool] use_csr_sans: Flag to use the SANs in the CSR
+        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
@@ -2042,6 +2245,8 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__.__dict__["name"] = name
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["no_store"] = no_store
+        __props__.__dict__["no_store_metadata"] = no_store_metadata
+        __props__.__dict__["not_after"] = not_after
         __props__.__dict__["not_before_duration"] = not_before_duration
         __props__.__dict__["organization_unit"] = organization_unit
         __props__.__dict__["organizations"] = organizations
@@ -2050,16 +2255,19 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__.__dict__["postal_codes"] = postal_codes
         __props__.__dict__["provinces"] = provinces
         __props__.__dict__["require_cn"] = require_cn
+        __props__.__dict__["serial_number_source"] = serial_number_source
         __props__.__dict__["server_flag"] = server_flag
+        __props__.__dict__["signature_bits"] = signature_bits
         __props__.__dict__["street_addresses"] = street_addresses
         __props__.__dict__["ttl"] = ttl
         __props__.__dict__["use_csr_common_name"] = use_csr_common_name
         __props__.__dict__["use_csr_sans"] = use_csr_sans
+        __props__.__dict__["use_pss"] = use_pss
         return SecretBackendRole(resource_name, opts=opts, __props__=__props__)
 
     @property
     @pulumi.getter(name="allowAnyName")
-    def allow_any_name(self) -> pulumi.Output[Optional[bool]]:
+    def allow_any_name(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to allow any name
         """
@@ -2067,7 +2275,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowBareDomains")
-    def allow_bare_domains(self) -> pulumi.Output[Optional[bool]]:
+    def allow_bare_domains(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to allow certificates matching the actual domain
         """
@@ -2075,7 +2283,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowGlobDomains")
-    def allow_glob_domains(self) -> pulumi.Output[Optional[bool]]:
+    def allow_glob_domains(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to allow names containing glob patterns.
         """
@@ -2083,7 +2291,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowIpSans")
-    def allow_ip_sans(self) -> pulumi.Output[Optional[bool]]:
+    def allow_ip_sans(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to allow IP SANs
         """
@@ -2091,7 +2299,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowLocalhost")
-    def allow_localhost(self) -> pulumi.Output[Optional[bool]]:
+    def allow_localhost(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to allow certificates for localhost
         """
@@ -2099,7 +2307,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowSubdomains")
-    def allow_subdomains(self) -> pulumi.Output[Optional[bool]]:
+    def allow_subdomains(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to allow certificates matching subdomains
         """
@@ -2107,7 +2315,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowWildcardCertificates")
-    def allow_wildcard_certificates(self) -> pulumi.Output[Optional[bool]]:
+    def allow_wildcard_certificates(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to allow wildcard certificates.
         """
@@ -2115,7 +2323,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowedDomains")
-    def allowed_domains(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def allowed_domains(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         List of allowed domains for certificates
         """
@@ -2123,7 +2331,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowedDomainsTemplate")
-    def allowed_domains_template(self) -> pulumi.Output[Optional[bool]]:
+    def allowed_domains_template(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
         """
@@ -2131,7 +2339,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowedOtherSans")
-    def allowed_other_sans(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def allowed_other_sans(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         Defines allowed custom SANs
         """
@@ -2139,7 +2347,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowedSerialNumbers")
-    def allowed_serial_numbers(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def allowed_serial_numbers(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         An array of allowed serial numbers to put in Subject
         """
@@ -2147,7 +2355,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowedUriSans")
-    def allowed_uri_sans(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def allowed_uri_sans(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         Defines allowed URI SANs
         """
@@ -2155,7 +2363,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowedUriSansTemplate")
-    def allowed_uri_sans_template(self) -> pulumi.Output[bool]:
+    def allowed_uri_sans_template(self) -> pulumi.Output[builtins.bool]:
         """
         Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
         """
@@ -2163,7 +2371,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowedUserIds")
-    def allowed_user_ids(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def allowed_user_ids(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         Defines allowed User IDs
         """
@@ -2171,7 +2379,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def backend(self) -> pulumi.Output[str]:
+    def backend(self) -> pulumi.Output[builtins.str]:
         """
         The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
         """
@@ -2179,7 +2387,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="basicConstraintsValidForNonCa")
-    def basic_constraints_valid_for_non_ca(self) -> pulumi.Output[Optional[bool]]:
+    def basic_constraints_valid_for_non_ca(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to mark basic constraints valid when issuing non-CA certificates
         """
@@ -2187,7 +2395,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="clientFlag")
-    def client_flag(self) -> pulumi.Output[Optional[bool]]:
+    def client_flag(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to specify certificates for client use
         """
@@ -2195,7 +2403,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="cnValidations")
-    def cn_validations(self) -> pulumi.Output[Sequence[str]]:
+    def cn_validations(self) -> pulumi.Output[Sequence[builtins.str]]:
         """
         Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
         """
@@ -2203,7 +2411,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="codeSigningFlag")
-    def code_signing_flag(self) -> pulumi.Output[Optional[bool]]:
+    def code_signing_flag(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to specify certificates for code signing use
         """
@@ -2211,7 +2419,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def countries(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def countries(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         The country of generated certificates
         """
@@ -2219,7 +2427,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="emailProtectionFlag")
-    def email_protection_flag(self) -> pulumi.Output[Optional[bool]]:
+    def email_protection_flag(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to specify certificates for email protection use
         """
@@ -2227,7 +2435,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="enforceHostnames")
-    def enforce_hostnames(self) -> pulumi.Output[Optional[bool]]:
+    def enforce_hostnames(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to allow only valid host names
         """
@@ -2235,7 +2443,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="extKeyUsageOids")
-    def ext_key_usage_oids(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def ext_key_usage_oids(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         Specify the allowed extended key usage OIDs constraint on issued certificates
         """
@@ -2243,7 +2451,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="extKeyUsages")
-    def ext_key_usages(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def ext_key_usages(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         Specify the allowed extended key usage constraint on issued certificates
         """
@@ -2251,7 +2459,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="generateLease")
-    def generate_lease(self) -> pulumi.Output[Optional[bool]]:
+    def generate_lease(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to generate leases with certificates
         """
@@ -2259,7 +2467,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="issuerRef")
-    def issuer_ref(self) -> pulumi.Output[str]:
+    def issuer_ref(self) -> pulumi.Output[builtins.str]:
         """
         Specifies the default issuer of this request. May
         be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
@@ -2270,7 +2478,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="keyBits")
-    def key_bits(self) -> pulumi.Output[Optional[int]]:
+    def key_bits(self) -> pulumi.Output[Optional[builtins.int]]:
         """
         The number of bits of generated keys
         """
@@ -2278,7 +2486,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="keyType")
-    def key_type(self) -> pulumi.Output[Optional[str]]:
+    def key_type(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
         Defaults to `rsa`
@@ -2287,7 +2495,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="keyUsages")
-    def key_usages(self) -> pulumi.Output[Sequence[str]]:
+    def key_usages(self) -> pulumi.Output[Sequence[builtins.str]]:
         """
         Specify the allowed key usage constraint on issued
         certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
@@ -2297,7 +2505,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def localities(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def localities(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         The locality of generated certificates
         """
@@ -2305,7 +2513,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="maxTtl")
-    def max_ttl(self) -> pulumi.Output[str]:
+    def max_ttl(self) -> pulumi.Output[builtins.str]:
         """
         The maximum lease TTL, in seconds, for the role.
         """
@@ -2313,7 +2521,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def name(self) -> pulumi.Output[str]:
+    def name(self) -> pulumi.Output[builtins.str]:
         """
         The name to identify this role within the backend. Must be unique within the backend.
         """
@@ -2321,7 +2529,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def namespace(self) -> pulumi.Output[Optional[str]]:
+    def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -2332,15 +2540,31 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="noStore")
-    def no_store(self) -> pulumi.Output[Optional[bool]]:
+    def no_store(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to not store certificates in the storage backend
         """
         return pulumi.get(self, "no_store")
 
+    @property
+    @pulumi.getter(name="noStoreMetadata")
+    def no_store_metadata(self) -> pulumi.Output[Optional[builtins.bool]]:
+        """
+        Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
+        """
+        return pulumi.get(self, "no_store_metadata")
+
+    @property
+    @pulumi.getter(name="notAfter")
+    def not_after(self) -> pulumi.Output[Optional[builtins.str]]:
+        """
+        Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
+        """
+        return pulumi.get(self, "not_after")
+
     @property
     @pulumi.getter(name="notBeforeDuration")
-    def not_before_duration(self) -> pulumi.Output[str]:
+    def not_before_duration(self) -> pulumi.Output[builtins.str]:
         """
         Specifies the duration by which to backdate the NotBefore property.
         """
@@ -2348,7 +2572,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="organizationUnit")
-    def organization_unit(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def organization_unit(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         The organization unit of generated certificates
         """
@@ -2356,7 +2580,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def organizations(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def organizations(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         The organization of generated certificates
         """
@@ -2372,7 +2596,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="policyIdentifiers")
-    def policy_identifiers(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def policy_identifiers(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead
         """
@@ -2380,7 +2604,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="postalCodes")
-    def postal_codes(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def postal_codes(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         The postal code of generated certificates
         """
@@ -2388,7 +2612,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def provinces(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def provinces(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         The province of generated certificates
         """
@@ -2396,23 +2620,41 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="requireCn")
-    def require_cn(self) -> pulumi.Output[Optional[bool]]:
+    def require_cn(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to force CN usage
         """
         return pulumi.get(self, "require_cn")
 
+    @property
+    @pulumi.getter(name="serialNumberSource")
+    def serial_number_source(self) -> pulumi.Output[builtins.str]:
+        """
+        Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
+
+        Example usage:
+        """
+        return pulumi.get(self, "serial_number_source")
+
     @property
     @pulumi.getter(name="serverFlag")
-    def server_flag(self) -> pulumi.Output[Optional[bool]]:
+    def server_flag(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to specify certificates for server use
         """
         return pulumi.get(self, "server_flag")
 
+    @property
+    @pulumi.getter(name="signatureBits")
+    def signature_bits(self) -> pulumi.Output[builtins.int]:
+        """
+        The number of bits to use in the signature algorithm
+        """
+        return pulumi.get(self, "signature_bits")
+
     @property
     @pulumi.getter(name="streetAddresses")
-    def street_addresses(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def street_addresses(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         The street address of generated certificates
         """
@@ -2420,7 +2662,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def ttl(self) -> pulumi.Output[str]:
+    def ttl(self) -> pulumi.Output[builtins.str]:
         """
         The TTL, in seconds, for any certificate issued against this role.
         """
@@ -2428,7 +2670,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="useCsrCommonName")
-    def use_csr_common_name(self) -> pulumi.Output[Optional[bool]]:
+    def use_csr_common_name(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to use the CN in the CSR
         """
@@ -2436,9 +2678,17 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="useCsrSans")
-    def use_csr_sans(self) -> pulumi.Output[Optional[bool]]:
+    def use_csr_sans(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Flag to use the SANs in the CSR
         """
         return pulumi.get(self, "use_csr_sans")
 
+    @property
+    @pulumi.getter(name="usePss")
+    def use_pss(self) -> pulumi.Output[Optional[builtins.bool]]:
+        """
+        Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
+        """
+        return pulumi.get(self, "use_pss")
+