privateca: update certificate authority samples with more realistic values (#12259) (#8649)

[upstream:27812e087aaf4250c076b5d572b3934c1a013e2e]

Signed-off-by: Modular Magician <[email protected]>
modular-magician authored Nov 7, 2024
1 parent c9ed1e6 commit 82dfd20
Showing 3 changed files with 35 additions and 101 deletions.
2 changes: 2 additions & 0 deletions .changelog/12259.txt
@@ -0,0 +1,2 @@
```release-note:none
```
Expand Up @@ -70,40 +70,28 @@ resource "google_privateca_certificate_authority" "default" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
# valid for 10 years
lifetime = "${10 * 365 * 24 * 3600}s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
Expand Down Expand Up @@ -149,12 +137,9 @@ resource "google_privateca_certificate_authority" "root-ca" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
Expand All @@ -168,7 +153,6 @@ resource "google_privateca_certificate_authority" "root-ca" {
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
Expand Down Expand Up @@ -196,43 +180,33 @@ resource "google_privateca_certificate_authority" "default" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-subordinate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
# Force the sub CA to only issue leaf certs
max_issuer_path_length = 0
# Force the sub CA to only issue leaf certs.
# Use e.g.
# max_issuer_path_length = 1
# if you need to chain more subordinates.
zero_max_issuer_path_length = true
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
# valid for 5 years
lifetime = "${5 * 365 * 24 * 3600}s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
algorithm = "RSA_PKCS1_2048_SHA256"
}
type = "SUBORDINATE"
}
78 changes: 18 additions & 60 deletions website/docs/r/privateca_certificate_authority.html.markdown
Expand Up @@ -52,40 +52,28 @@ resource "google_privateca_certificate_authority" "default" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
# valid for 10 years
lifetime = "${10 * 365 * 24 * 3600}s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
Expand All @@ -107,12 +95,9 @@ resource "google_privateca_certificate_authority" "root-ca" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
Expand All @@ -126,7 +111,6 @@ resource "google_privateca_certificate_authority" "root-ca" {
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
Expand Down Expand Up @@ -154,43 +138,33 @@ resource "google_privateca_certificate_authority" "default" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-subordinate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
# Force the sub CA to only issue leaf certs
max_issuer_path_length = 0
# Force the sub CA to only issue leaf certs.
# Use e.g.
# max_issuer_path_length = 1
# if you need to chain more subordinates.
zero_max_issuer_path_length = true
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
# valid for 5 years
lifetime = "${5 * 365 * 24 * 3600}s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
algorithm = "RSA_PKCS1_2048_SHA256"
}
type = "SUBORDINATE"
}
Expand Down Expand Up @@ -238,7 +212,6 @@ resource "google_privateca_certificate_authority" "default" {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
Expand All @@ -247,7 +220,6 @@ resource "google_privateca_certificate_authority" "default" {
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
name_constraints {
Expand Down Expand Up @@ -284,43 +256,29 @@ resource "google_privateca_certificate_authority" "default" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
subject_key_id {
key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca"
}
x509_config {
ca_options {
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
# valid for 10 years
lifetime = "${10 * 365 * 24 * 3600}s"
key_spec {
cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
}
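Review bot: The root CA examples now leave basicConstraints without any path length limit: `max_issuer_path_length = 10` appears to be dropped from `ca_options` in the basic example and again in the two later root-CA hunks with nothing put in its place, while the subordinate example is (correctly) pinned with `zero_max_issuer_path_length = true`. If I read the resource correctly, omitting the value means no pathLenConstraint is emitted, so a compromised subordinate issued from this root could mint further CA certificates at any depth. For a root whose only job is to sign the single tier of issuing CAs shown in the subordinate example, `max_issuer_path_length = 1` is the least-privilege default and is worth restoring with a comment such as `# allow exactly one tier of subordinate CAs below this root`. The now-empty `extended_key_usage {}` blocks left in the root examples should either be removed or carry a comment like `# intentionally no EKU: a root CA should not be usable as an end-entity certificate`, since an empty block reads as an oversight rather than a deliberate choice.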
