Skip to content

Commit

Permalink
privateca: update certificate authority samples with more realistic v…
Browse files Browse the repository at this point in the history 
…alues

Some of the properties configured here are either wrong or at least
not very sensible on root certificates / subordinates.

A similar set of fixes got applied to terraform documentation samples
in terraform-google-modules/terraform-docs-samples#631

Signed-off-by: Sven Hoexter <[email protected]>
  • Loading branch information
@hoexter
hoexter committed Nov 6, 2024
1 parent cacf5f4 commit c8c3991
Show file tree
Hide file tree
Showing 4 changed files with 18 additions and 60 deletions.
22 changes: 5 additions & 17 deletions mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,40 +8,28 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
# valid for 10 years
lifetime = "${10 * 365 * 24 * 3600}s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
Expand Down
2 changes: 0 additions & 2 deletions mmv1/templates/terraform/examples/privateca_certificate_authority_byo_key.tf.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
Expand All @@ -46,7 +45,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
name_constraints {
Expand Down
20 changes: 3 additions & 17 deletions mmv1/templates/terraform/examples/privateca_certificate_authority_custom_ski.tf.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,43 +8,29 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
subject_key_id {
key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca"
}
x509_config {
ca_options {
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
# valid for 10 years
lifetime = "${10 * 365 * 24 * 3600}s"
key_spec {
cloud_kms_key_version = "{{index $.Vars "kms_key_name"}}/cryptoKeyVersions/1"
}
Expand Down
34 changes: 10 additions & 24 deletions mmv1/templates/terraform/examples/privateca_certificate_authority_subordinate.tf.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,9 @@ resource "google_privateca_certificate_authority" "root-ca" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
Expand All @@ -24,7 +21,6 @@ resource "google_privateca_certificate_authority" "root-ca" {
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
Expand Down Expand Up @@ -52,43 +48,33 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-subordinate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
# Force the sub CA to only issue leaf certs
max_issuer_path_length = 0
# Force the sub CA to only issue leaf certs.
# Use e.g.
# max_issuer_path_length = 1
# if you need to chain more subordinates.
zero_max_issuer_path_length = true
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
# valid for 5 years
lifetime = "${5 * 365 * 24 * 3600}s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
algorithm = "RSA_PKCS1_2048_SHA256"
}
type = "SUBORDINATE"
}

0 comments on commit c8c3991

Please sign in to comment.