
privateca: update certificate authority samples with more realistic values (GoogleCloudPlatform#12259)

Signed-off-by: Sven Hoexter <[email protected]>
hoexter authored and amanMahendroo committed Dec 17, 2024
1 parent bed7acc commit 05228fb
Showing 4 changed files with 18 additions and 60 deletions.
Expand Up @@ -8,40 +8,28 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
# valid for 10 years
lifetime = "${10 * 365 * 24 * 3600}s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
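Review bot: The root CA in this sample appears to lose its path-length constraint — `max_issuer_path_length = 10` shows up in `ca_options` with no replacement line, and the second file drops the same line as its only change — so the root may sign subordinate CAs nested to any depth, with nothing in the sample saying that this is intended. That is a defensible default for a standalone root, but the choice deserves a comment where the line used to be, e.g. `# No max_issuer_path_length: this root may sign subordinate CAs at any depth; set it (e.g. 1) to bound how many CA levels a subordinate can create.` The subordinate sample's switch to `zero_max_issuer_path_length = true` suggests the provider treats 0 as unset, so a positive value is safe to set here if the sample wants a bound. The `# valid for 10 years` lifetime is `10 * 365` days, which ignores leap days; say "about 10 years" or use 3652 days if the exact span matters (the third file shares this rounding).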
Expand Up @@ -37,7 +37,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
Expand All @@ -46,7 +45,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
name_constraints {
Expand Up @@ -8,43 +8,29 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
subject_key_id {
key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca"
}
x509_config {
ca_options {
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
# valid for 10 years
lifetime = "${10 * 365 * 24 * 3600}s"
key_spec {
cloud_kms_key_version = "{{index $.Vars "kms_key_name"}}/cryptoKeyVersions/1"
}
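Review bot: The `subject_key_id { key_id = "4cf3…" }` block, which looks like unchanged context on the new side (no +/- markers survive, so this is inferred), pins a fixed 20-byte SKI on a CA whose key comes from a Cloud KMS key version, so the SKI will not be the RFC 5280 §4.2.1.2 hash of that public key. As far as I recall the provider documents this field for preserving the SKI of a CA originally created outside CA Service; for a fresh CA it is better left unset so the service derives it, and a mismatched SKI can confuse AKI/SKI chain building. Since the commit is about realistic values, either drop the block or annotate it, e.g. `# Only set subject_key_id when migrating a CA created outside CA Service; otherwise let the service derive the SKI from the public key.` The `# valid for 10 years` lifetime is 3650 days and ignores leap days, as in the first file.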
Expand Up @@ -5,12 +5,9 @@ resource "google_privateca_certificate_authority" "root-ca" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
Expand All @@ -24,7 +21,6 @@ resource "google_privateca_certificate_authority" "root-ca" {
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
Expand Down Expand Up @@ -52,43 +48,33 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-subordinate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
# Force the sub CA to only issue leaf certs
max_issuer_path_length = 0
# Force the sub CA to only issue leaf certs.
# Use e.g.
# max_issuer_path_length = 1
# if you need to chain more subordinates.
zero_max_issuer_path_length = true
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
# valid for 5 years
lifetime = "${5 * 365 * 24 * 3600}s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
algorithm = "RSA_PKCS1_2048_SHA256"
}
type = "SUBORDINATE"
}
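Review bot: The new comment above `zero_max_issuer_path_length = true` tells the reader to "use e.g. max_issuer_path_length = 1 if you need to chain more subordinates" but does not say that this replaces the `zero_max_issuer_path_length` line; setting both would be contradictory, so the comment should read roughly `# Force the sub CA to only issue leaf certs. To allow further`, `# subordinates, drop zero_max_issuer_path_length and set`, `# max_issuer_path_length = 1 (or higher) instead.` The subordinate's key also drops from `RSA_PKCS1_4096_SHA256` to `RSA_PKCS1_2048_SHA256`; that is a common trade-off for a 5-year issuing CA, but a one-line comment on why the subordinate uses a smaller key than the root (whose `key_spec` is outside the visible hunks) would stop readers from copying 2048 to the root as well. The root-ca section earlier in this file appears to lose `server_auth = false`, leaving an empty `extended_key_usage {}` block, which is valid HCL but reads as an oversight; a comment such as `# intentionally empty: no EKU constraints on the root` would make it deliberate.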
