feat(cdn): add custom certificate support (#983)

relates to STACKITCDN-1000
2025-09-18 19:27:22 +02:00 · 2025-09-18 19:27:22 +02:00 · df0f152158
commit df0f152158
parent 813b8c0e81
8 changed files with 834 additions and 71 deletions
--- a/docs/data-sources/cdn_custom_domain.md
+++ b/docs/data-sources/cdn_custom_domain.md
@ -32,8 +32,19 @@ data "stackit_cdn_custom_domain" "example" {
 - `name` (String)
 - `project_id` (String) STACKIT project ID associated with the distribution

+### Optional
+
+- `certificate` (Attributes) The TLS certificate for the custom domain. If omitted, a managed certificate will be used. If the block is specified, a custom certificate is used. (see [below for nested schema](#nestedatt--certificate))
+
 ### Read-Only

 - `errors` (List of String) List of distribution errors
 - `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`distribution_id`".
 - `status` (String) Status of the distribution
+
+<a id="nestedatt--certificate"></a>
+### Nested Schema for `certificate`
+
+Read-Only:
+
+- `version` (Number) A version identifier for the certificate. Required for custom certificates. The certificate will be updated if this field is changed.
--- a/docs/resources/cdn_custom_domain.md
+++ b/docs/resources/cdn_custom_domain.md
@ -20,6 +20,10 @@ resource "stackit_cdn_custom_domain" "example" {
  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  distribution_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  name            = "https://xxx.xxx"
+  certificate = {
+    certificate = "-----BEGIN CERTIFICATE-----\nY2VydGlmaWNhdGVfZGF0YQ==\n-----END CERTIFICATE---"
+    private_key = "-----BEGIN RSA PRIVATE KEY-----\nY2VydGlmaWNhdGVfZGF0YQ==\n-----END RSA PRIVATE KEY---"
+  }
 }

 # Only use the import statement, if you want to import an existing cdn custom domain
@ -38,8 +42,24 @@ import {
 - `name` (String)
 - `project_id` (String) STACKIT project ID associated with the distribution

+### Optional
+
+- `certificate` (Attributes) The TLS certificate for the custom domain. If omitted, a managed certificate will be used. If the block is specified, a custom certificate is used. (see [below for nested schema](#nestedatt--certificate))
+
 ### Read-Only

 - `errors` (List of String) List of distribution errors
 - `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`distribution_id`".
 - `status` (String) Status of the distribution
+
+<a id="nestedatt--certificate"></a>
+### Nested Schema for `certificate`
+
+Optional:
+
+- `certificate` (String, Sensitive) The PEM-encoded TLS certificate. Required for custom certificates.
+- `private_key` (String, Sensitive) The PEM-encoded private key for the certificate. Required for custom certificates. The certificate will be updated if this field is changed.
+
+Read-Only:
+
+- `version` (Number) A version identifier for the certificate. Required for custom certificates. The certificate will be updated if this field is changed.
--- a/examples/resources/stackit_cdn_custom_domain/resource.tf
+++ b/examples/resources/stackit_cdn_custom_domain/resource.tf
@ -2,10 +2,14 @@ resource "stackit_cdn_custom_domain" "example" {
  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  distribution_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  name            = "https://xxx.xxx"
+  certificate = {
+    certificate = "-----BEGIN CERTIFICATE-----\nY2VydGlmaWNhdGVfZGF0YQ==\n-----END CERTIFICATE---"
+    private_key = "-----BEGIN RSA PRIVATE KEY-----\nY2VydGlmaWNhdGVfZGF0YQ==\n-----END RSA PRIVATE KEY---"
+  }
 }

 # Only use the import statement, if you want to import an existing cdn custom domain
 import {
  to = stackit_cdn_custom_domain.import-example
  id = "${var.project_id},${var.distribution_id},${var.custom_domain_name}"
-}
+}
--- a/stackit/internal/services/cdn/cdn_acc_test.go
+++ b/stackit/internal/services/cdn/cdn_acc_test.go
@ -2,7 +2,13 @@ package cdn_test

 import (
 	"context"
+	cryptoRand "crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
 	"fmt"
+	"math/big"
 	"net"
 	"strings"
 	"testing"
@ -26,6 +32,7 @@ var instanceResource = map[string]string{
 	"config_regions_updated":    "\"EU\", \"US\", \"ASIA\"",
 	"blocked_countries":         "\"CU\", \"AQ\"", // Do NOT use DE or AT here, because the request might be blocked by bunny at the time of creation - don't lock yourself out
 	"custom_domain_prefix":      uuid.NewString(), // we use a different domain prefix each test run due to inconsistent upstream release of domains, which might impair consecutive test runs
+	"dns_name":                  fmt.Sprintf("tf-acc-%s.stackit.gg", strings.Split(uuid.NewString(), "-")[0]),
 }

 func configResources(regions string) string {
@ -51,7 +58,7 @@ func configResources(regions string) string {
 				resource "stackit_dns_zone" "dns_zone" {
 					project_id    = "%s"
 					name          = "cdn_acc_test_zone"
-					dns_name      = "cdntestzone.stackit.gg"
+					dns_name      = "%s"
 					contact_email = "aa@bb.cc"
 					type          = "primary"
 					default_ttl   = 3600
@ -64,40 +71,87 @@ func configResources(regions string) string {
 					records    = ["${stackit_cdn_distribution.distribution.domains[0].name}."]
 				}
 		`, testutil.CdnProviderConfig(), testutil.ProjectId, instanceResource["config_backend_origin_url"],
-		regions, instanceResource["blocked_countries"], testutil.ProjectId,
+		regions, instanceResource["blocked_countries"], testutil.ProjectId, instanceResource["dns_name"],
 		testutil.ProjectId, instanceResource["custom_domain_prefix"])
 }

-func configCustomDomainResources(regions string) string {
+func configCustomDomainResources(regions, cert, key string) string {
 	return fmt.Sprintf(`
 				%s

 		        resource "stackit_cdn_custom_domain" "custom_domain" {
 					project_id = stackit_cdn_distribution.distribution.project_id
 					distribution_id = stackit_cdn_distribution.distribution.distribution_id
-		            name = "${stackit_dns_record_set.dns_record.name}.cdntestzone.stackit.gg"
+		            name = "${stackit_dns_record_set.dns_record.name}.${stackit_dns_zone.dns_zone.dns_name}"
+					certificate = {
+						certificate = %q
+						private_key = %q
+					}
 				}
-`, configResources(regions))
+`, configResources(regions), cert, key)
 }

-func configDatasources(regions string) string {
+func configDatasources(regions, cert, key string) string {
 	return fmt.Sprintf(`
-				%s
+        %s 

-				data "stackit_cdn_distribution" "distribution" {
+        data "stackit_cdn_distribution" "distribution" {
 					project_id = stackit_cdn_distribution.distribution.project_id
-					distribution_id = stackit_cdn_distribution.distribution.distribution_id
-				}
-				
-				data "stackit_cdn_custom_domain" "custom_domain" {
+            distribution_id = stackit_cdn_distribution.distribution.distribution_id
+        }
+        
+        data "stackit_cdn_custom_domain" "custom_domain" {
 					project_id = stackit_cdn_custom_domain.custom_domain.project_id
 					distribution_id = stackit_cdn_custom_domain.custom_domain.distribution_id
 					name = stackit_cdn_custom_domain.custom_domain.name
-				}
-		`, configCustomDomainResources(regions))
-}

+        }
+		`, configCustomDomainResources(regions, cert, key))
+}
+func makeCertAndKey(t *testing.T, organization string) (cert, key []byte) {
+	privateKey, err := rsa.GenerateKey(cryptoRand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("failed to generate key: %s", err.Error())
+	}
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Issuer:       pkix.Name{CommonName: organization},
+		Subject: pkix.Name{
+			Organization: []string{organization},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour),
+
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+	cert, err = x509.CreateCertificate(
+		cryptoRand.Reader,
+		&template,
+		&template,
+		&privateKey.PublicKey,
+		privateKey,
+	)
+	if err != nil {
+		t.Fatalf("failed to generate cert: %s", err.Error())
+	}
+
+	return pem.EncodeToMemory(&pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: cert,
+		}), pem.EncodeToMemory(&pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
+		})
+}
 func TestAccCDNDistributionResource(t *testing.T) {
+	fullDomainName := fmt.Sprintf("%s.%s", instanceResource["custom_domain_prefix"], instanceResource["dns_name"])
+	organization := fmt.Sprintf("organization-%s", uuid.NewString())
+	cert, key := makeCertAndKey(t, organization)
+
+	organization_updated := fmt.Sprintf("organization-updated-%s", uuid.NewString())
+	cert_updated, key_updated := makeCertAndKey(t, organization_updated)
 	resource.Test(t, resource.TestCase{
 		ProtoV6ProviderFactories: testutil.TestAccProtoV6ProviderFactories,
 		CheckDestroy:             testAccCheckCDNDistributionDestroy,
@ -128,16 +182,16 @@ func TestAccCDNDistributionResource(t *testing.T) {
 			{
 				Config: configResources(instanceResource["config_regions"]),
 				Check: func(_ *terraform.State) error {
-					_, err := blockUntilDomainResolves(instanceResource["custom_domain_prefix"] + ".cdntestzone.stackit.gg")
+					_, err := blockUntilDomainResolves(fullDomainName)
 					return err
 				},
 			},
 			// Custom Domain Create
 			{
-				Config: configCustomDomainResources(instanceResource["config_regions"]),
+				Config: configCustomDomainResources(instanceResource["config_regions"], string(cert), string(key)),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					resource.TestCheckResourceAttr("stackit_cdn_custom_domain.custom_domain", "status", "ACTIVE"),
-					resource.TestCheckResourceAttr("stackit_cdn_custom_domain.custom_domain", "name", instanceResource["custom_domain_prefix"]+".cdntestzone.stackit.gg"),
+					resource.TestCheckResourceAttr("stackit_cdn_custom_domain.custom_domain", "name", fullDomainName),
 					resource.TestCheckResourceAttrPair("stackit_cdn_distribution.distribution", "distribution_id", "stackit_cdn_custom_domain.custom_domain", "distribution_id"),
 					resource.TestCheckResourceAttrPair("stackit_cdn_distribution.distribution", "project_id", "stackit_cdn_custom_domain.custom_domain", "project_id"),
 				),
@ -181,17 +235,21 @@ func TestAccCDNDistributionResource(t *testing.T) {
 				},
 				ImportState:       true,
 				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{
+					"certificate.certificate",
+					"certificate.private_key",
+				},
 			},
 			// Data Source
 			{
-				Config: configDatasources(instanceResource["config_regions"]),
+				Config: configDatasources(instanceResource["config_regions"], string(cert), string(key)),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					resource.TestCheckResourceAttrSet("data.stackit_cdn_distribution.distribution", "distribution_id"),
 					resource.TestCheckResourceAttrSet("data.stackit_cdn_distribution.distribution", "created_at"),
 					resource.TestCheckResourceAttrSet("data.stackit_cdn_distribution.distribution", "updated_at"),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "domains.#", "2"),
 					resource.TestCheckResourceAttrSet("data.stackit_cdn_distribution.distribution", "domains.0.name"),
-					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "domains.1.name", instanceResource["custom_domain_prefix"]+".cdntestzone.stackit.gg"),
+					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "domains.1.name", fullDomainName),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "domains.0.status", "ACTIVE"),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "domains.1.status", "ACTIVE"),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "domains.0.type", "managed"),
@ -206,20 +264,21 @@ func TestAccCDNDistributionResource(t *testing.T) {
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "project_id", testutil.ProjectId),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "status", "ACTIVE"),
 					resource.TestCheckResourceAttr("data.stackit_cdn_custom_domain.custom_domain", "status", "ACTIVE"),
-					resource.TestCheckResourceAttr("data.stackit_cdn_custom_domain.custom_domain", "name", instanceResource["custom_domain_prefix"]+".cdntestzone.stackit.gg"),
+					resource.TestCheckResourceAttr("data.stackit_cdn_custom_domain.custom_domain", "certificate.version", "1"),
+					resource.TestCheckResourceAttr("data.stackit_cdn_custom_domain.custom_domain", "name", fullDomainName),
 					resource.TestCheckResourceAttrPair("stackit_cdn_distribution.distribution", "distribution_id", "stackit_cdn_custom_domain.custom_domain", "distribution_id"),
 				),
 			},
 			// Update
 			{
-				Config: configCustomDomainResources(instanceResource["config_regions_updated"]),
+				Config: configCustomDomainResources(instanceResource["config_regions_updated"], string(cert_updated), string(key_updated)),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					resource.TestCheckResourceAttrSet("stackit_cdn_distribution.distribution", "distribution_id"),
 					resource.TestCheckResourceAttrSet("stackit_cdn_distribution.distribution", "created_at"),
 					resource.TestCheckResourceAttrSet("stackit_cdn_distribution.distribution", "updated_at"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "domains.#", "2"),
 					resource.TestCheckResourceAttrSet("stackit_cdn_distribution.distribution", "domains.0.name"),
-					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "domains.1.name", instanceResource["custom_domain_prefix"]+".cdntestzone.stackit.gg"),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "domains.1.name", fullDomainName),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "domains.0.status", "ACTIVE"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "domains.1.status", "ACTIVE"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "domains.0.type", "managed"),
@ -235,7 +294,8 @@ func TestAccCDNDistributionResource(t *testing.T) {
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "project_id", testutil.ProjectId),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "status", "ACTIVE"),
 					resource.TestCheckResourceAttr("stackit_cdn_custom_domain.custom_domain", "status", "ACTIVE"),
-					resource.TestCheckResourceAttr("stackit_cdn_custom_domain.custom_domain", "name", instanceResource["custom_domain_prefix"]+".cdntestzone.stackit.gg"),
+					resource.TestCheckResourceAttr("stackit_cdn_custom_domain.custom_domain", "certificate.version", "2"),
+					resource.TestCheckResourceAttr("stackit_cdn_custom_domain.custom_domain", "name", fullDomainName),
 					resource.TestCheckResourceAttrPair("stackit_cdn_distribution.distribution", "distribution_id", "stackit_cdn_custom_domain.custom_domain", "distribution_id"),
 					resource.TestCheckResourceAttrPair("stackit_cdn_distribution.distribution", "project_id", "stackit_cdn_custom_domain.custom_domain", "project_id"),
 				),
--- a/stackit/internal/services/cdn/customdomain/datasource.go
+++ b/stackit/internal/services/cdn/customdomain/datasource.go
@ -9,6 +9,7 @@ import (
 	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/conversion"
 	cdnUtils "github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/cdn/utils"

+	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/datasource"
 	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
@ -27,6 +28,10 @@ var (
 	_ datasource.DataSourceWithConfigure = &customDomainDataSource{}
 )

+var certificateDataSourceTypes = map[string]attr.Type{
+	"version": types.Int64Type,
+}
+
 type customDomainDataSource struct {
 	client *cdn.APIClient
 }
@ -35,6 +40,16 @@ func NewCustomDomainDataSource() datasource.DataSource {
 	return &customDomainDataSource{}
 }

+type customDomainDataSourceModel struct {
+	ID             types.String `tfsdk:"id"`
+	DistributionId types.String `tfsdk:"distribution_id"`
+	ProjectId      types.String `tfsdk:"project_id"`
+	Name           types.String `tfsdk:"name"`
+	Status         types.String `tfsdk:"status"`
+	Errors         types.List   `tfsdk:"errors"`
+	Certificate    types.Object `tfsdk:"certificate"`
+}
+
 func (d *customDomainDataSource) Configure(ctx context.Context, req datasource.ConfigureRequest, resp *datasource.ConfigureResponse) {
 	providerData, ok := conversion.ParseProviderData(ctx, req.ProviderData, &resp.Diagnostics)
 	if !ok {
@ -89,12 +104,22 @@ func (r *customDomainDataSource) Schema(_ context.Context, _ datasource.SchemaRe
 				Computed:    true,
 				Description: customDomainSchemaDescriptions["errors"],
 			},
+			"certificate": schema.SingleNestedAttribute{
+				Description: certificateSchemaDescriptions["main"],
+				Optional:    true,
+				Attributes: map[string]schema.Attribute{
+					"version": schema.Int64Attribute{
+						Description: certificateSchemaDescriptions["version"],
+						Computed:    true,
+					},
+				},
+			},
 		},
 	}
 }

 func (r *customDomainDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) { // nolint:gocritic // function signature required by Terraform
-	var model CustomDomainModel
+	var model customDomainDataSourceModel // Use the new data source model
 	diags := req.Config.Get(ctx, &model)
 	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
@ -111,7 +136,6 @@ func (r *customDomainDataSource) Read(ctx context.Context, req datasource.ReadRe
 	customDomainResp, err := r.client.GetCustomDomain(ctx, projectId, distributionId, name).Execute()
 	if err != nil {
 		var oapiErr *oapierror.GenericOpenAPIError
-		// n.b. err is caught here if of type *oapierror.GenericOpenAPIError, which the stackit SDK client returns
 		if errors.As(err, &oapiErr) {
 			if oapiErr.StatusCode == http.StatusNotFound {
 				resp.State.RemoveResource(ctx)
@ -121,11 +145,14 @@ func (r *customDomainDataSource) Read(ctx context.Context, req datasource.ReadRe
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading CDN custom domain", fmt.Sprintf("Calling API: %v", err))
 		return
 	}
-	err = mapCustomDomainFields(customDomainResp.CustomDomain, &model)
+
+	// Call the new data source mapping function
+	err = mapCustomDomainDataSourceFields(customDomainResp, &model, projectId, distributionId)
 	if err != nil {
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading CDN custom domain", fmt.Sprintf("Processing API payload: %v", err))
 		return
 	}
+
 	// Set refreshed state
 	diags = resp.State.Set(ctx, model)
 	resp.Diagnostics.Append(diags...)
@ -134,3 +161,72 @@ func (r *customDomainDataSource) Read(ctx context.Context, req datasource.ReadRe
 	}
 	tflog.Info(ctx, "CDN custom domain read")
 }
+
+func mapCustomDomainDataSourceFields(customDomainResponse *cdn.GetCustomDomainResponse, model *customDomainDataSourceModel, projectId, distributionId string) error {
+	if customDomainResponse == nil {
+		return fmt.Errorf("response input is nil")
+	}
+	if model == nil {
+		return fmt.Errorf("model input is nil")
+	}
+
+	if customDomainResponse.CustomDomain == nil {
+		return fmt.Errorf("CustomDomain is missing in response")
+	}
+
+	if customDomainResponse.CustomDomain.Name == nil {
+		return fmt.Errorf("name is missing in response")
+	}
+	if customDomainResponse.CustomDomain.Status == nil {
+		return fmt.Errorf("status missing in response")
+	}
+
+	normalizedCert, err := normalizeCertificate(customDomainResponse.Certificate)
+	if err != nil {
+		return fmt.Errorf("Certificate error in normalizer: %w", err)
+	}
+
+	// If the certificate is managed, the certificate block in the state should be null.
+	if normalizedCert.Type == "managed" {
+		model.Certificate = types.ObjectNull(certificateDataSourceTypes)
+	} else {
+		// For custom certificates, we only care about the version.
+		version := types.Int64Null()
+		if normalizedCert.Version != nil {
+			version = types.Int64Value(*normalizedCert.Version)
+		}
+
+		certificateObj, diags := types.ObjectValue(certificateDataSourceTypes, map[string]attr.Value{
+			"version": version,
+		})
+		if diags.HasError() {
+			return fmt.Errorf("failed to map certificate: %w", core.DiagsToError(diags))
+		}
+		model.Certificate = certificateObj
+	}
+
+	model.ID = types.StringValue(fmt.Sprintf("%s,%s,%s", projectId, distributionId, *customDomainResponse.CustomDomain.Name))
+	model.Status = types.StringValue(string(*customDomainResponse.CustomDomain.Status))
+
+	customDomainErrors := []attr.Value{}
+	if customDomainResponse.CustomDomain.Errors != nil {
+		for _, e := range *customDomainResponse.CustomDomain.Errors {
+			if e.En == nil {
+				return fmt.Errorf("error description missing")
+			}
+			customDomainErrors = append(customDomainErrors, types.StringValue(*e.En))
+		}
+	}
+	modelErrors, diags := types.ListValue(types.StringType, customDomainErrors)
+	if diags.HasError() {
+		return core.DiagsToError(diags)
+	}
+	model.Errors = modelErrors
+
+	// Also map the fields back to the model from the config
+	model.ProjectId = types.StringValue(projectId)
+	model.DistributionId = types.StringValue(distributionId)
+	model.Name = types.StringValue(*customDomainResponse.CustomDomain.Name)
+
+	return nil
+}
--- a/stackit/internal/services/cdn/customdomain/datasource_test.go
+++ b/stackit/internal/services/cdn/customdomain/datasource_test.go
@ -0,0 +1,137 @@
+package cdn
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/stackitcloud/stackit-sdk-go/services/cdn"
+)
+
+func TestMapDataSourceFields(t *testing.T) {
+	emtpyErrorsList := types.ListValueMust(types.StringType, []attr.Value{})
+
+	// Expected certificate object when a custom certificate is returned
+	certAttributes := map[string]attr.Value{
+		"version": types.Int64Value(3),
+	}
+	certificateObj, _ := types.ObjectValue(certificateDataSourceTypes, certAttributes)
+
+	// Helper to create expected model instances
+	expectedModel := func(mods ...func(*customDomainDataSourceModel)) *customDomainDataSourceModel {
+		model := &customDomainDataSourceModel{
+			ID:             types.StringValue("test-project-id,test-distribution-id,https://testdomain.com"),
+			DistributionId: types.StringValue("test-distribution-id"),
+			ProjectId:      types.StringValue("test-project-id"),
+			Name:           types.StringValue("https://testdomain.com"),
+			Status:         types.StringValue("ACTIVE"),
+			Errors:         emtpyErrorsList,
+			Certificate:    types.ObjectUnknown(certificateDataSourceTypes),
+		}
+		for _, mod := range mods {
+			mod(model)
+		}
+		return model
+	}
+
+	// API response fixtures for custom and managed certificates
+	customType := "custom"
+	customVersion := int64(3)
+	getRespCustom := cdn.GetCustomDomainResponseGetCertificateAttributeType(&cdn.GetCustomDomainResponseCertificate{
+		GetCustomDomainCustomCertificate: &cdn.GetCustomDomainCustomCertificate{
+			Type:    &customType,
+			Version: &customVersion,
+		},
+	})
+
+	managedType := "managed"
+	getRespManaged := cdn.GetCustomDomainResponseGetCertificateAttributeType(&cdn.GetCustomDomainResponseCertificate{
+		GetCustomDomainManagedCertificate: &cdn.GetCustomDomainManagedCertificate{
+			Type: &managedType,
+		},
+	})
+
+	// Helper to create API response fixtures
+	customDomainFixture := func(mods ...func(*cdn.GetCustomDomainResponse)) *cdn.GetCustomDomainResponse {
+		distribution := &cdn.CustomDomain{
+			Errors: &[]cdn.StatusError{},
+			Name:   cdn.PtrString("https://testdomain.com"),
+			Status: cdn.DOMAINSTATUS_ACTIVE.Ptr(),
+		}
+		customDomainResponse := &cdn.GetCustomDomainResponse{
+			CustomDomain: distribution,
+			Certificate:  getRespCustom,
+		}
+
+		for _, mod := range mods {
+			mod(customDomainResponse)
+		}
+		return customDomainResponse
+	}
+
+	// Test cases
+	tests := map[string]struct {
+		Input    *cdn.GetCustomDomainResponse
+		Expected *customDomainDataSourceModel
+		IsValid  bool
+	}{
+		"happy_path_custom_cert": {
+			Expected: expectedModel(func(m *customDomainDataSourceModel) {
+				m.Certificate = certificateObj
+			}),
+			Input:   customDomainFixture(),
+			IsValid: true,
+		},
+		"happy_path_managed_cert": {
+			Expected: expectedModel(func(m *customDomainDataSourceModel) {
+				m.Certificate = types.ObjectNull(certificateDataSourceTypes)
+			}),
+			Input: customDomainFixture(func(gcdr *cdn.GetCustomDomainResponse) {
+				gcdr.Certificate = getRespManaged
+			}),
+			IsValid: true,
+		},
+		"happy_path_status_error": {
+			Expected: expectedModel(func(m *customDomainDataSourceModel) {
+				m.Status = types.StringValue("ERROR")
+				m.Certificate = certificateObj
+			}),
+			Input: customDomainFixture(func(d *cdn.GetCustomDomainResponse) {
+				d.CustomDomain.Status = cdn.DOMAINSTATUS_ERROR.Ptr()
+			}),
+			IsValid: true,
+		},
+		"sad_path_response_nil": {
+			Expected: expectedModel(),
+			Input:    nil,
+			IsValid:  false,
+		},
+		"sad_path_name_missing": {
+			Expected: expectedModel(),
+			Input: customDomainFixture(func(d *cdn.GetCustomDomainResponse) {
+				d.CustomDomain.Name = nil
+			}),
+			IsValid: false,
+		},
+	}
+	for tn, tc := range tests {
+		t.Run(tn, func(t *testing.T) {
+			model := &customDomainDataSourceModel{}
+			err := mapCustomDomainDataSourceFields(tc.Input, model, "test-project-id", "test-distribution-id")
+
+			if err != nil && tc.IsValid {
+				t.Fatalf("Error mapping fields: %v", err)
+			}
+			if err == nil && !tc.IsValid {
+				t.Fatalf("Should have failed")
+			}
+			if tc.IsValid {
+				diff := cmp.Diff(tc.Expected, model)
+				if diff != "" {
+					t.Fatalf("Mapped model not as expected (-want +got):\n%s", diff)
+				}
+			}
+		})
+	}
+}
--- a/stackit/internal/services/cdn/customdomain/resource.go
+++ b/stackit/internal/services/cdn/customdomain/resource.go
@ -2,6 +2,7 @@ package cdn

 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"net/http"
@ -22,6 +23,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/stackitcloud/stackit-sdk-go/core/oapierror"
 	"github.com/stackitcloud/stackit-sdk-go/services/cdn"
@ -37,6 +39,18 @@ var (
 	_ resource.ResourceWithConfigure   = &customDomainResource{}
 	_ resource.ResourceWithImportState = &customDomainResource{}
 )
+var certificateSchemaDescriptions = map[string]string{
+	"main":        "The TLS certificate for the custom domain. If omitted, a managed certificate will be used. If the block is specified, a custom certificate is used.",
+	"certificate": "The PEM-encoded TLS certificate. Required for custom certificates.",
+	"private_key": "The PEM-encoded private key for the certificate. Required for custom certificates. The certificate will be updated if this field is changed.",
+	"version":     "A version identifier for the certificate. Required for custom certificates. The certificate will be updated if this field is changed.",
+}
+
+var certificateTypes = map[string]attr.Type{
+	"version":     types.Int64Type,
+	"certificate": types.StringType,
+	"private_key": types.StringType,
+}

 var customDomainSchemaDescriptions = map[string]string{
 	"id":              "Terraform's internal resource identifier. It is structured as \"`project_id`,`distribution_id`\".",
@ -46,6 +60,12 @@ var customDomainSchemaDescriptions = map[string]string{
 	"errors":          "List of distribution errors",
 }

+type CertificateModel struct {
+	Certificate types.String `tfsdk:"certificate"`
+	PrivateKey  types.String `tfsdk:"private_key"`
+	Version     types.Int64  `tfsdk:"version"`
+}
+
 type CustomDomainModel struct {
 	ID             types.String `tfsdk:"id"`              // Required by Terraform
 	DistributionId types.String `tfsdk:"distribution_id"` // DistributionID associated with the cdn distribution
@ -53,6 +73,7 @@ type CustomDomainModel struct {
 	Name           types.String `tfsdk:"name"`            // The custom domain
 	Status         types.String `tfsdk:"status"`          // The status of the cdn distribution
 	Errors         types.List   `tfsdk:"errors"`          // Any errors that the distribution has
+	Certificate    types.Object `tfsdk:"certificate"`     // the certificate of the custom domain
 }

 type customDomainResource struct {
@ -63,6 +84,11 @@ func NewCustomDomainResource() resource.Resource {
 	return &customDomainResource{}
 }

+type Certificate struct {
+	Type    string
+	Version *int64
+}
+
 func (r *customDomainResource) Configure(ctx context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
 	providerData, ok := conversion.ParseProviderData(ctx, req.ProviderData, &resp.Diagnostics)
 	if !ok {
@ -120,6 +146,26 @@ func (r *customDomainResource) Schema(_ context.Context, _ resource.SchemaReques
 					stringplanmodifier.RequiresReplace(),
 				},
 			},
+			"certificate": schema.SingleNestedAttribute{
+				Description: certificateSchemaDescriptions["main"],
+				Optional:    true,
+				Attributes: map[string]schema.Attribute{
+					"certificate": schema.StringAttribute{
+						Description: certificateSchemaDescriptions["certificate"],
+						Optional:    true,
+						Sensitive:   true,
+					},
+					"private_key": schema.StringAttribute{
+						Description: certificateSchemaDescriptions["private_key"],
+						Optional:    true,
+						Sensitive:   true,
+					},
+					"version": schema.Int64Attribute{
+						Description: certificateSchemaDescriptions["version"],
+						Computed:    true,
+					},
+				},
+			},
 			"status": schema.StringAttribute{
 				Computed:    true,
 				Description: customDomainSchemaDescriptions["status"],
@ -146,21 +192,33 @@ func (r *customDomainResource) Create(ctx context.Context, req resource.CreateRe
 	ctx = tflog.SetField(ctx, "distribution_id", distributionId)
 	name := model.Name.ValueString()
 	ctx = tflog.SetField(ctx, "name", name)
+	certificate, err := toCertificatePayload(ctx, &model)
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Creating API payload: %v", err))
+		return
+	}

-	payload := cdn.PutCustomDomainPayload{IntentId: cdn.PtrString(uuid.NewString())}
-
-	_, err := r.client.PutCustomDomain(ctx, projectId, distributionId, name).PutCustomDomainPayload(payload).Execute()
+	payload := cdn.PutCustomDomainPayload{
+		IntentId:    cdn.PtrString(uuid.NewString()),
+		Certificate: certificate,
+	}
+	_, err = r.client.PutCustomDomain(ctx, projectId, distributionId, name).PutCustomDomainPayload(payload).Execute()
 	if err != nil {
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Calling API: %v", err))
 		return
 	}
-	waitResp, err := wait.CreateCDNCustomDomainWaitHandler(ctx, r.client, projectId, distributionId, name).SetTimeout(5 * time.Minute).WaitWithContext(ctx)
+	_, err = wait.CreateCDNCustomDomainWaitHandler(ctx, r.client, projectId, distributionId, name).SetTimeout(5 * time.Minute).WaitWithContext(ctx)
 	if err != nil {
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Waiting for create: %v", err))
 		return
 	}

-	err = mapCustomDomainFields(waitResp, &model)
+	respCustomDomain, err := r.client.GetCustomDomainExecute(ctx, projectId, distributionId, name)
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Calling API: %v", err))
+		return
+	}
+	err = mapCustomDomainResourceFields(respCustomDomain, &model)
 	if err != nil {
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Processing API payload: %v", err))
 		return
@ -190,6 +248,7 @@ func (r *customDomainResource) Read(ctx context.Context, req resource.ReadReques
 	ctx = tflog.SetField(ctx, "name", name)

 	customDomainResp, err := r.client.GetCustomDomain(ctx, projectId, distributionId, name).Execute()
+
 	if err != nil {
 		var oapiErr *oapierror.GenericOpenAPIError
 		// n.b. err is caught here if of type *oapierror.GenericOpenAPIError, which the stackit SDK client returns
@ -202,7 +261,7 @@ func (r *customDomainResource) Read(ctx context.Context, req resource.ReadReques
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading CDN custom domain", fmt.Sprintf("Calling API: %v", err))
 		return
 	}
-	err = mapCustomDomainFields(customDomainResp.CustomDomain, &model)
+	err = mapCustomDomainResourceFields(customDomainResp, &model)
 	if err != nil {
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading CDN custom domain", fmt.Sprintf("Processing API payload: %v", err))
 		return
@ -216,9 +275,59 @@ func (r *customDomainResource) Read(ctx context.Context, req resource.ReadReques
 	tflog.Info(ctx, "CDN custom domain read")
 }

-func (r *customDomainResource) Update(ctx context.Context, _ resource.UpdateRequest, resp *resource.UpdateResponse) { // nolint:gocritic // function signature required by Terraform
-	// Update shouldn't be called; custom domains have only computed fields and fields that require replacement when changed
-	core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating CDN custom domain", "Custom domain cannot be updated")
+func (r *customDomainResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) { // nolint:gocritic // function signature required by Terraform
+	var model CustomDomainModel
+	diags := req.Plan.Get(ctx, &model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	projectId := model.ProjectId.ValueString()
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	distributionId := model.DistributionId.ValueString()
+	ctx = tflog.SetField(ctx, "distribution_id", distributionId)
+	name := model.Name.ValueString()
+	ctx = tflog.SetField(ctx, "name", name)
+
+	certificate, err := toCertificatePayload(ctx, &model)
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Creating API payload: %v", err))
+		return
+	}
+
+	payload := cdn.PutCustomDomainPayload{
+		IntentId:    cdn.PtrString(uuid.NewString()),
+		Certificate: certificate,
+	}
+	_, err = r.client.PutCustomDomain(ctx, projectId, distributionId, name).PutCustomDomainPayload(payload).Execute()
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating CDN custom domain certificate", fmt.Sprintf("Calling API: %v", err))
+		return
+	}
+
+	_, err = wait.CreateCDNCustomDomainWaitHandler(ctx, r.client, projectId, distributionId, name).SetTimeout(5 * time.Minute).WaitWithContext(ctx)
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating CDN custom domain certificate", fmt.Sprintf("Waiting for update: %v", err))
+		return
+	}
+
+	respCustomDomain, err := r.client.GetCustomDomainExecute(ctx, projectId, distributionId, name)
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating CDN custom domain certificate", fmt.Sprintf("Calling API to read final state: %v", err))
+		return
+	}
+	err = mapCustomDomainResourceFields(respCustomDomain, &model)
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating CDN custom domain certificate", fmt.Sprintf("Processing API payload: %v", err))
+		return
+	}
+	diags = resp.State.Set(ctx, model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	tflog.Info(ctx, "CDN custom domain certificate updated")
 }

 func (r *customDomainResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) { // nolint:gocritic // function signature required by Terraform
@ -260,30 +369,138 @@ func (r *customDomainResource) ImportState(ctx context.Context, req resource.Imp
 	tflog.Info(ctx, "CDN custom domain state imported")
 }

-func mapCustomDomainFields(customDomain *cdn.CustomDomain, model *CustomDomainModel) error {
-	if customDomain == nil {
+func normalizeCertificate(certInput cdn.GetCustomDomainResponseGetCertificateAttributeType) (Certificate, error) {
+	var customCert *cdn.GetCustomDomainCustomCertificate
+	var managedCert *cdn.GetCustomDomainManagedCertificate
+
+	if certInput == nil {
+		return Certificate{}, errors.New("input of type GetCustomDomainResponseCertificate is nil")
+	}
+	customCert = certInput.GetCustomDomainCustomCertificate
+	managedCert = certInput.GetCustomDomainManagedCertificate
+
+	// Now we process the extracted certificates
+	if customCert != nil && customCert.Type != nil && customCert.Version != nil {
+		return Certificate{
+			Type:    *customCert.Type,
+			Version: customCert.Version, // Converts from *int64 to int
+		}, nil
+	}
+
+	if managedCert != nil && managedCert.Type != nil {
+		// The version will be the zero value for int (0), as requested
+		return Certificate{
+			Type: *managedCert.Type,
+		}, nil
+	}
+
+	return Certificate{}, errors.New("certificate structure is empty, neither custom nor managed is set")
+}
+
+// toCertificatePayload constructs the certificate part of the payload for the API request.
+// It defaults to a managed certificate if the certificate block is omitted, otherwise it creates a custom certificate.
+func toCertificatePayload(ctx context.Context, model *CustomDomainModel) (*cdn.PutCustomDomainPayloadCertificate, error) {
+	// If the certificate block is not specified, default to a managed certificate.
+	if model.Certificate.IsNull() {
+		managedCert := cdn.NewPutCustomDomainManagedCertificate("managed")
+		certPayload := cdn.PutCustomDomainManagedCertificateAsPutCustomDomainPayloadCertificate(managedCert)
+		return &certPayload, nil
+	}
+
+	var certModel CertificateModel
+	// Unpack the Terraform object into the temporary struct.
+	respDiags := model.Certificate.As(ctx, &certModel, basetypes.ObjectAsOptions{})
+	if respDiags.HasError() {
+		return nil, fmt.Errorf("invalid certificate or private key: %w", core.DiagsToError(respDiags))
+	}
+
+	if utils.IsUndefined(certModel.Certificate) || utils.IsUndefined(certModel.PrivateKey) {
+		return nil, fmt.Errorf(`"certificate" and "private_key" must be set`)
+	}
+
+	certStr := base64.StdEncoding.EncodeToString([]byte(certModel.Certificate.ValueString()))
+	keyStr := base64.StdEncoding.EncodeToString([]byte(certModel.PrivateKey.ValueString()))
+
+	if certStr == "" || keyStr == "" {
+		return nil, errors.New("invalid certificate or private key. Please check if the string of the public certificate and private key in PEM format")
+	}
+
+	customCert := cdn.NewPutCustomDomainCustomCertificate(
+		certStr,
+		keyStr,
+		"custom",
+	)
+	certPayload := cdn.PutCustomDomainCustomCertificateAsPutCustomDomainPayloadCertificate(customCert)
+
+	return &certPayload, nil
+}
+
+func mapCustomDomainResourceFields(customDomainResponse *cdn.GetCustomDomainResponse, model *CustomDomainModel) error {
+	if customDomainResponse == nil {
 		return fmt.Errorf("response input is nil")
 	}
 	if model == nil {
 		return fmt.Errorf("model input is nil")
 	}

-	if customDomain.Name == nil {
-		return fmt.Errorf("Name is missing in response")
+	if customDomainResponse.CustomDomain == nil {
+		return fmt.Errorf("CustomDomain is missing in response")
+	}
+	if customDomainResponse.CustomDomain.Name == nil {
+		return fmt.Errorf("name is missing in response")
 	}

-	if customDomain.Status == nil {
-		return fmt.Errorf("Status missing in response")
+	if customDomainResponse.CustomDomain.Status == nil {
+		return fmt.Errorf("status missing in response")
+	}
+	normalizedCert, err := normalizeCertificate(customDomainResponse.Certificate)
+	if err != nil {
+		return fmt.Errorf("Certificate error in normalizer: %w", err)
 	}

-	model.ID = utils.BuildInternalTerraformId(model.ProjectId.ValueString(), model.DistributionId.ValueString(), *customDomain.Name)
-	model.Status = types.StringValue(string(*customDomain.Status))
+	// If the certificate is managed, the certificate block in the state should be null.
+	if normalizedCert.Type == "managed" {
+		model.Certificate = types.ObjectNull(certificateTypes)
+	} else {
+		// If the certificate is custom, we need to preserve the user-configured
+		// certificate and private key from the plan/state, and only update the computed version.
+		certAttributes := map[string]attr.Value{
+			"certificate": types.StringNull(), // Default to null
+			"private_key": types.StringNull(), // Default to null
+			"version":     types.Int64Null(),
+		}
+
+		// Get existing values from the model's certificate object if it exists
+		if !model.Certificate.IsNull() {
+			existingAttrs := model.Certificate.Attributes()
+			if val, ok := existingAttrs["certificate"]; ok {
+				certAttributes["certificate"] = val
+			}
+			if val, ok := existingAttrs["private_key"]; ok {
+				certAttributes["private_key"] = val
+			}
+		}
+
+		// Set the computed version from the API response
+		if normalizedCert.Version != nil {
+			certAttributes["version"] = types.Int64Value(*normalizedCert.Version)
+		}
+
+		certificateObj, diags := types.ObjectValue(certificateTypes, certAttributes)
+		if diags.HasError() {
+			return fmt.Errorf("failed to map certificate: %w", core.DiagsToError(diags))
+		}
+		model.Certificate = certificateObj
+	}
+
+	model.ID = utils.BuildInternalTerraformId(model.ProjectId.ValueString(), model.DistributionId.ValueString(), *customDomainResponse.CustomDomain.Name)
+	model.Status = types.StringValue(string(*customDomainResponse.CustomDomain.Status))

 	customDomainErrors := []attr.Value{}
-	if customDomain.Errors != nil {
-		for _, e := range *customDomain.Errors {
+	if customDomainResponse.CustomDomain.Errors != nil {
+		for _, e := range *customDomainResponse.CustomDomain.Errors {
 			if e.En == nil {
-				return fmt.Errorf("Error description missing")
+				return fmt.Errorf("error description missing")
 			}
 			customDomainErrors = append(customDomainErrors, types.StringValue(*e.En))
 		}
--- a/stackit/internal/services/cdn/customdomain/resource_test.go
+++ b/stackit/internal/services/cdn/customdomain/resource_test.go
@ -1,16 +1,47 @@
 package cdn

 import (
+	"context"
+	cryptoRand "crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+	"math/big"
 	"testing"
+	"time"

 	"github.com/google/go-cmp/cmp"
+	"github.com/google/uuid"
 	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	"github.com/stackitcloud/stackit-sdk-go/services/cdn"
 )

 func TestMapFields(t *testing.T) {
+	// Redefine certificateTypes locally for testing, matching the updated schema
+	certificateTypes := map[string]attr.Type{
+		"version":     types.Int64Type,
+		"certificate": types.StringType,
+		"private_key": types.StringType,
+	}
+
+	const dummyCert = "dummy-cert-pem"
+	const dummyKey = "dummy-key-pem"
+
 	emtpyErrorsList := types.ListValueMust(types.StringType, []attr.Value{})
+
+	// Expected object when a custom certificate is returned
+	certAttributes := map[string]attr.Value{
+		"version":     types.Int64Value(3),
+		"certificate": types.StringValue(dummyCert),
+		"private_key": types.StringValue(dummyKey),
+	}
+	certificateObj, _ := types.ObjectValue(certificateTypes, certAttributes)
+
 	expectedModel := func(mods ...func(*CustomDomainModel)) *CustomDomainModel {
 		model := &CustomDomainModel{
 			ID:             types.StringValue("test-project-id,test-distribution-id,https://testdomain.com"),
@ -18,61 +49,117 @@ func TestMapFields(t *testing.T) {
 			ProjectId:      types.StringValue("test-project-id"),
 			Status:         types.StringValue("ACTIVE"),
 			Errors:         emtpyErrorsList,
+			Certificate:    types.ObjectUnknown(certificateTypes),
 		}
 		for _, mod := range mods {
 			mod(model)
 		}
 		return model
 	}
-	customDomainFixture := func(mods ...func(*cdn.CustomDomain)) *cdn.CustomDomain {
+
+	customType := "custom"
+	customVersion := int64(3)
+	getRespCustom := cdn.GetCustomDomainResponseGetCertificateAttributeType(&cdn.GetCustomDomainResponseCertificate{
+		GetCustomDomainCustomCertificate: &cdn.GetCustomDomainCustomCertificate{
+			Type:    &customType,
+			Version: &customVersion,
+		},
+	})
+
+	managedType := "managed"
+	getRespManaged := cdn.GetCustomDomainResponseGetCertificateAttributeType(&cdn.GetCustomDomainResponseCertificate{
+		GetCustomDomainManagedCertificate: &cdn.GetCustomDomainManagedCertificate{
+			Type: &managedType,
+		},
+	})
+
+	customDomainFixture := func(mods ...func(*cdn.GetCustomDomainResponse)) *cdn.GetCustomDomainResponse {
 		distribution := &cdn.CustomDomain{
 			Errors: &[]cdn.StatusError{},
 			Name:   cdn.PtrString("https://testdomain.com"),
 			Status: cdn.DOMAINSTATUS_ACTIVE.Ptr(),
 		}
-		for _, mod := range mods {
-			mod(distribution)
+		customDomainResponse := &cdn.GetCustomDomainResponse{
+			CustomDomain: distribution,
+			Certificate:  getRespCustom,
 		}
-		return distribution
+
+		for _, mod := range mods {
+			mod(customDomainResponse)
+		}
+		return customDomainResponse
 	}
+
 	tests := map[string]struct {
-		Input    *cdn.CustomDomain
-		Expected *CustomDomainModel
-		IsValid  bool
+		Input          *cdn.GetCustomDomainResponse
+		Certificate    interface{}
+		Expected       *CustomDomainModel
+		InitialModel   *CustomDomainModel
+		IsValid        bool
+		SkipInitialNil bool
 	}{
-		"happy_path": {
-			Expected: expectedModel(),
-			Input:    customDomainFixture(),
-			IsValid:  true,
+		"happy_path_custom_cert": {
+			Expected: expectedModel(func(m *CustomDomainModel) {
+				m.Certificate = certificateObj
+			}),
+			Input:   customDomainFixture(),
+			IsValid: true,
+			InitialModel: expectedModel(func(m *CustomDomainModel) {
+				m.Certificate = basetypes.NewObjectValueMust(certificateTypes, map[string]attr.Value{
+					"certificate": types.StringValue(dummyCert),
+					"private_key": types.StringValue(dummyKey),
+					"version":     types.Int64Null(),
+				})
+			}),
+		},
+		"happy_path_managed_cert": {
+			Expected: expectedModel(func(m *CustomDomainModel) {
+				m.Certificate = types.ObjectNull(certificateTypes)
+			}),
+			Input: customDomainFixture(func(gcdr *cdn.GetCustomDomainResponse) {
+				gcdr.Certificate = getRespManaged
+			}),
+			IsValid:      true,
+			InitialModel: expectedModel(func(m *CustomDomainModel) { m.Certificate = types.ObjectNull(certificateTypes) }),
 		},
 		"happy_path_status_error": {
 			Expected: expectedModel(func(m *CustomDomainModel) {
 				m.Status = types.StringValue("ERROR")
+				m.Certificate = certificateObj
 			}),
-			Input: customDomainFixture(func(d *cdn.CustomDomain) {
-				d.Status = cdn.DOMAINSTATUS_ERROR.Ptr()
+			Input: customDomainFixture(func(d *cdn.GetCustomDomainResponse) {
+				d.CustomDomain.Status = cdn.DOMAINSTATUS_ERROR.Ptr()
 			}),
 			IsValid: true,
+			InitialModel: expectedModel(func(m *CustomDomainModel) {
+				m.Certificate = basetypes.NewObjectValueMust(certificateTypes, map[string]attr.Value{
+					"certificate": types.StringValue(dummyCert),
+					"private_key": types.StringValue(dummyKey),
+					"version":     types.Int64Null(),
+				})
+			}),
 		},
 		"sad_path_custom_domain_nil": {
-			Expected: expectedModel(),
-			Input:    nil,
-			IsValid:  false,
+			Expected:     expectedModel(),
+			Input:        nil,
+			IsValid:      false,
+			InitialModel: &CustomDomainModel{},
 		},
 		"sad_path_name_missing": {
 			Expected: expectedModel(),
-			Input: customDomainFixture(func(d *cdn.CustomDomain) {
-				d.Name = nil
+			Input: customDomainFixture(func(d *cdn.GetCustomDomainResponse) {
+				d.CustomDomain.Name = nil
 			}),
-			IsValid: false,
+			IsValid:      false,
+			InitialModel: &CustomDomainModel{},
 		},
 	}
 	for tn, tc := range tests {
 		t.Run(tn, func(t *testing.T) {
-			model := &CustomDomainModel{}
+			model := tc.InitialModel
 			model.DistributionId = tc.Expected.DistributionId
 			model.ProjectId = tc.Expected.ProjectId
-			err := mapCustomDomainFields(tc.Input, model)
+			err := mapCustomDomainResourceFields(tc.Input, model)
 			if err != nil && tc.IsValid {
 				t.Fatalf("Error mapping fields: %v", err)
 			}
@ -80,11 +167,142 @@ func TestMapFields(t *testing.T) {
 				t.Fatalf("Should have failed")
 			}
 			if tc.IsValid {
-				diff := cmp.Diff(model, tc.Expected)
+				diff := cmp.Diff(tc.Expected, model)
 				if diff != "" {
-					t.Fatalf("Create Payload not as expected: %s", diff)
+					t.Fatalf("Mapped model not as expected (-want +got):\n%s", diff)
 				}
 			}
 		})
 	}
 }
+
+func makeCertAndKey(t *testing.T, organization string) (cert, key []byte) {
+	privateKey, err := rsa.GenerateKey(cryptoRand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("failed to generate key: %s", err.Error())
+	}
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Issuer:       pkix.Name{CommonName: organization},
+		Subject: pkix.Name{
+			Organization: []string{organization},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour),
+
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+	cert, err = x509.CreateCertificate(
+		cryptoRand.Reader,
+		&template,
+		&template,
+		&privateKey.PublicKey,
+		privateKey,
+	)
+	if err != nil {
+		t.Fatalf("failed to generate cert: %s", err.Error())
+	}
+
+	return pem.EncodeToMemory(&pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: cert,
+		}), pem.EncodeToMemory(&pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
+		})
+}
+func TestToCertificatePayload(t *testing.T) {
+	organization := fmt.Sprintf("organization-%s", uuid.NewString())
+	cert, key := makeCertAndKey(t, organization)
+	certPEM := string(cert)
+	keyPEM := string(key)
+	certBase64 := base64.StdEncoding.EncodeToString(cert)
+	keyBase64 := base64.StdEncoding.EncodeToString(key)
+
+	tests := map[string]struct {
+		model           *CustomDomainModel
+		expectedPayload *cdn.PutCustomDomainPayloadCertificate
+		expectErr       bool
+		expectedErrMsg  string
+	}{
+		"success_managed_when_certificate_block_is_nil": {
+			model: &CustomDomainModel{
+				Certificate: types.ObjectNull(certificateTypes),
+			},
+			expectedPayload: &cdn.PutCustomDomainPayloadCertificate{
+				PutCustomDomainManagedCertificate: cdn.NewPutCustomDomainManagedCertificate("managed"),
+			},
+			expectErr: false,
+		},
+		"success_custom_certificate": {
+			model: &CustomDomainModel{
+				Certificate: basetypes.NewObjectValueMust(
+					certificateTypes,
+					map[string]attr.Value{
+						"version":     types.Int64Null(),
+						"certificate": types.StringValue(certPEM),
+						"private_key": types.StringValue(keyPEM),
+					},
+				),
+			},
+			expectedPayload: &cdn.PutCustomDomainPayloadCertificate{
+				PutCustomDomainCustomCertificate: cdn.NewPutCustomDomainCustomCertificate(certBase64, keyBase64, "custom"),
+			},
+			expectErr: false,
+		},
+		"fail_custom_missing_cert_value": {
+			model: &CustomDomainModel{
+				Certificate: basetypes.NewObjectValueMust(
+					certificateTypes,
+					map[string]attr.Value{
+						"version":     types.Int64Null(),
+						"certificate": types.StringValue(""), // Empty certificate
+						"private_key": types.StringValue(keyPEM),
+					},
+				),
+			},
+			expectErr:      true,
+			expectedErrMsg: "invalid certificate or private key. Please check if the string of the public certificate and private key in PEM format",
+		},
+
+		"success_managed_when_certificate_attributes_are_nil": {
+			model: &CustomDomainModel{
+				Certificate: basetypes.NewObjectValueMust(
+					certificateTypes,
+					map[string]attr.Value{
+						"version":     types.Int64Null(),
+						"certificate": types.StringNull(),
+						"private_key": types.StringNull(),
+					},
+				),
+			},
+			expectErr:      true,
+			expectedErrMsg: `"certificate" and "private_key" must be set`,
+		},
+	}
+
+	for name, tt := range tests {
+		t.Run(name, func(t *testing.T) {
+			payload, err := toCertificatePayload(context.Background(), tt.model)
+			if tt.expectErr {
+				if err == nil {
+					t.Fatalf("expected err, but got none")
+				}
+				if err.Error() != tt.expectedErrMsg {
+					t.Fatalf("expected err '%s', got '%s'", tt.expectedErrMsg, err.Error())
+				}
+				return // Test ends here for failing cases
+			}
+
+			if err != nil {
+				t.Fatalf("did not expect err, but got: %s", err.Error())
+			}
+
+			if diff := cmp.Diff(tt.expectedPayload, payload); diff != "" {
+				t.Errorf("payload mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}