diff --git a/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.tmpl b/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.tmpl
index ed24575b3c9b..e4eb51d3b870 100644
--- a/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.tmpl
+++ b/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.tmpl
@@ -8,40 +8,28 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 config {
 subject_config {
 subject {
- organization = "HashiCorp"
+ organization = "ACME"
 common_name = "my-certificate-authority"
 }
- subject_alt_name {
- dns_names = ["hashicorp.com"]
- }
 }
 x509_config {
 ca_options {
+ # is_ca *MUST* be true for certificate authorities
 is_ca = true
- max_issuer_path_length = 10
 }
 key_usage {
 base_key_usage {
- digital_signature = true
- content_commitment = true
- key_encipherment = false
- data_encipherment = true
- key_agreement = true
+ # cert_sign and crl_sign *MUST* be true for certificate authorities
 cert_sign = true
 crl_sign = true
- decipher_only = true
 }
 extended_key_usage {
- server_auth = true
- client_auth = false
- email_protection = true
- code_signing = true
- time_stamping = true
 }
 }
 }
 }
- lifetime = "86400s"
+ # valid for 10 years
+ lifetime = "${10 * 365 * 24 * 3600}s"
 key_spec {
 algorithm = "RSA_PKCS1_4096_SHA256"
 }
diff --git a/mmv1/templates/terraform/examples/privateca_certificate_authority_byo_key.tf.tmpl b/mmv1/templates/terraform/examples/privateca_certificate_authority_byo_key.tf.tmpl
index 2c93253cbb2a..505e9a4e0852 100644
--- a/mmv1/templates/terraform/examples/privateca_certificate_authority_byo_key.tf.tmpl
+++ b/mmv1/templates/terraform/examples/privateca_certificate_authority_byo_key.tf.tmpl
@@ -37,7 +37,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 ca_options {
 # is_ca *MUST* be true for certificate authorities
 is_ca = true
- max_issuer_path_length = 10
 }
 key_usage {
 base_key_usage {
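Review bot: Dropping `max_issuer_path_length = 10` from ca_options leaves the root CA with no path-length constraint at all rather than a tighter one; as far as I can tell the provider simply omits the pathLen extension when the attribute is unset, so the example now demonstrates an unbounded issuing hierarchy. If the goal was to stop advertising an arbitrary 10, an explicit `max_issuer_path_length = 1` (a root that issues one tier of subordinates) keeps the example a safe template to copy; the same removal is made in the byo_key (-37) and custom_ski (-21) hunks. The emptied `extended_key_usage {}` block is also left without explanation, and a one-line comment such as `# no EKU: a CA certificate is only used to sign certificates and CRLs` would tell readers the emptiness is deliberate. Minor: `${10 * 365 * 24 * 3600}s` counts 365-day years, so the certificate expires a couple of days short of a calendar decade; fine for an example, but worth a word in the `# valid for 10 years` comment if exactness matters.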
@@ -46,7 +45,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 crl_sign = true
 }
 extended_key_usage {
- server_auth = false
 }
 }
 name_constraints {
diff --git a/mmv1/templates/terraform/examples/privateca_certificate_authority_custom_ski.tf.tmpl b/mmv1/templates/terraform/examples/privateca_certificate_authority_custom_ski.tf.tmpl
index 757455779e18..8a05eabf8339 100644
--- a/mmv1/templates/terraform/examples/privateca_certificate_authority_custom_ski.tf.tmpl
+++ b/mmv1/templates/terraform/examples/privateca_certificate_authority_custom_ski.tf.tmpl
@@ -8,12 +8,9 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 config {
 subject_config {
 subject {
- organization = "HashiCorp"
+ organization = "ACME"
 common_name = "my-certificate-authority"
 }
- subject_alt_name {
- dns_names = ["hashicorp.com"]
- }
 }
 subject_key_id {
 key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca"
@@ -21,30 +18,19 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 x509_config {
 ca_options {
 is_ca = true
- max_issuer_path_length = 10
 }
 key_usage {
 base_key_usage {
- digital_signature = true
- content_commitment = true
- key_encipherment = false
- data_encipherment = true
- key_agreement = true
 cert_sign = true
 crl_sign = true
- decipher_only = true
 }
 extended_key_usage {
- server_auth = true
- client_auth = false
- email_protection = true
- code_signing = true
- time_stamping = true
 }
 }
 }
 }
- lifetime = "86400s"
+ # valid for 10 years
+ lifetime = "${10 * 365 * 24 * 3600}s"
 key_spec {
 cloud_kms_key_version = "{{index $.Vars "kms_key_name"}}/cryptoKeyVersions/1"
 }
diff --git a/mmv1/templates/terraform/examples/privateca_certificate_authority_subordinate.tf.tmpl b/mmv1/templates/terraform/examples/privateca_certificate_authority_subordinate.tf.tmpl
index e43ce2111cb7..754d1f26c065 100644
--- a/mmv1/templates/terraform/examples/privateca_certificate_authority_subordinate.tf.tmpl
+++ b/mmv1/templates/terraform/examples/privateca_certificate_authority_subordinate.tf.tmpl
@@ -5,12 +5,9 @@ resource "google_privateca_certificate_authority" "root-ca" {
 config {
 subject_config {
 subject {
- organization = "HashiCorp"
+ organization = "ACME"
 common_name = "my-certificate-authority"
 }
- subject_alt_name {
- dns_names = ["hashicorp.com"]
- }
 }
 x509_config {
 ca_options {
@@ -24,7 +21,6 @@ resource "google_privateca_certificate_authority" "root-ca" {
 crl_sign = true
 }
 extended_key_usage {
- server_auth = false
 }
 }
 }
@@ -52,43 +48,33 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 config {
 subject_config {
 subject {
- organization = "HashiCorp"
+ organization = "ACME"
 common_name = "my-subordinate-authority"
 }
- subject_alt_name {
- dns_names = ["hashicorp.com"]
- }
 }
 x509_config {
 ca_options {
 is_ca = true
- # Force the sub CA to only issue leaf certs
- max_issuer_path_length = 0
+ # Force the sub CA to only issue leaf certs.
+ # Use e.g.
+ # max_issuer_path_length = 1
+ # if you need to chain more subordinates.
+ zero_max_issuer_path_length = true
 }
 key_usage {
 base_key_usage {
- digital_signature = true
- content_commitment = true
- key_encipherment = false
- data_encipherment = true
- key_agreement = true
 cert_sign = true
 crl_sign = true
- decipher_only = true
 }
 extended_key_usage {
- server_auth = true
- client_auth = false
- email_protection = true
- code_signing = true
- time_stamping = true
 }
 }
 }
 }
- lifetime = "86400s"
+ # valid for 5 years
+ lifetime = "${5 * 365 * 24 * 3600}s"
 key_spec {
- algorithm = "RSA_PKCS1_4096_SHA256"
+ algorithm = "RSA_PKCS1_2048_SHA256"
 }
 type = "SUBORDINATE"
 }
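Review bot: `zero_max_issuer_path_length = true` replaces `max_issuer_path_length = 0` in the subordinate's ca_options without saying why, and the surrounding comment only tells the reader how to chain more subordinates; presumably the boolean exists because a literal 0 is indistinguishable from an unset attribute, and someone copying the example should not switch back to `= 0` and silently lose the constraint. I would extend the comment with `# zero_max_issuer_path_length is used rather than max_issuer_path_length = 0 so the leaf-only constraint is set explicitly` (confirm the reason against the provider docs). The key_spec change from `RSA_PKCS1_4096_SHA256` to `RSA_PKCS1_2048_SHA256` is likewise unexplained; a smaller key for a five-year subordinate is a defensible trade-off, but the example should state it, e.g. `# 2048-bit RSA is adequate for this subordinate's 5-year lifetime; prefer 4096 or an EC algorithm for longer-lived CAs`. The root-ca resource in this file also ends up with an empty `extended_key_usage {}` (the -24 hunk), which deserves a one-line comment saying the CA certificate intentionally carries no EKU.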