Resource to generate a PKCS #12 archive file out of PKI components #29

Closed
ebekker opened this issue Jul 10, 2018 · 8 comments

ebekker commented Jul 10, 2018

It would be useful to support generating a PKCS #12 (PKCS12, also known as PFX) archive file out of PKI components, including an optional private key and a chain of one or more certificates. The current set of TLS resources supports generating/exporting to PEM format files, but there are many cases where a PFX archive file is preferred or required, such as Windows host environments, the Azure provider or the Oracle OCI provider.

I recommend supporting this resource in a more general-purpose manner, such that you can give it an optional private key PEM and one or more certificates (i.e. an array of certificate PEM blobs). By doing so, the resource would be usable in tandem with other resources of this provider, as well as alternate providers, such as the third-party ACME cert provider.

An example usage might look like this:

```hcl
## Generate a self-signed cert using a private key stored on disk
resource "tls_self_signed_cert" "example" {
  key_algorithm   = "ECDSA"
  private_key_pem = "${file(\"private_key.pem\")}"

  subject {
    common_name  = "example.com"
    organization = "HCTF Examples, Inc"
  }

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

## Produce a PKCS #12 archive of the self-signed cert (private key included)
resource "tls_pkcs12_archive" "example_pfx" {
  private_key_pem = "${file(\"private_key.pem\")}"
  certificate_pem = [
    "${tls_self_signed_cert.example.cert_pem}"
  ]
}

## Save the PKCS #12 archive to an S3 bucket
## Note: a PKCS #12 archive is binary DER, so a text heredoc cannot carry it
## unchanged; a base64-encoded archive passed to aws_s3_bucket_object's
## content_base64 argument would.
resource "aws_s3_bucket_object" "example_pfx_s3obj" {
  bucket = "${aws_s3_bucket.example_s3_bucket.id}"
  key    = "pki/example.pfx"

  content = <<EOF
${tls_pkcs12_archive.example_pfx.archive_blob}
EOF
}
```

Terraform Version

Terraform v0.11.3

Affected Resource(s)

provider.tls v1.1.0

@digiwhite1980

I guess a password option in some way is also needed...

@vadimkuznetsov

#69

@rajatrawat99

Is there any update on this issue?

@elliotchaim

Hi guys, any update on this?

@chilicat

I have created a provider that helps to create PKCS12 from PEM files:

https://registry.terraform.io/providers/chilicat/pkcs12/latest/docs/resources/from_pem

Poil commented Nov 9, 2021

> I have created a provider that helps to create PKCS12 from PEM files:
>
> https://registry.terraform.io/providers/chilicat/pkcs12/latest/docs/resources/from_pem

It would be nice to also have a data source to read a PFX and allow getting its private key and cert.
Regards
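What the thread asks for, as an added example that is not code from terraform-provider-tls, from the chilicat/pkcs12 provider or from any of the commenters: ebekker's resource (optional private key PEM plus a list of certificate PEMs in, archive bytes out), the password option digiwhite1980 raises, and the read-back data source Poil asks for, implemented on the `cryptography` package. The function names `build_pkcs12`, `read_pkcs12`, `make_sample_pki` and `roundtrip` are assumptions made for this illustration, and the key and certificates are constructed inline so it runs offline.

```python
"""Added example (not provider code): the logic a tls_pkcs12_archive resource
and a matching read-back data source would need, on the `cryptography` package.
Function names are assumptions for this illustration; sample PKI is generated inline."""
import base64
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption, PrivateFormat, pkcs12
from cryptography.x509.oid import NameOID


def build_pkcs12(private_key_pem, certificate_pems, password, friendly_name=b"example"):
    """Return the PKCS #12 archive as bytes (the proposal's 'archive_blob').

    private_key_pem  -- PEM bytes, or None for a certificate-only bundle
    certificate_pems -- list of PEM bytes: end-entity certificate first, then its chain
    password         -- str; the empty string yields an unencrypted archive
    """
    key = serialization.load_pem_private_key(private_key_pem, None) if private_key_pem else None
    certs = [x509.load_pem_x509_certificate(pem) for pem in certificate_pems]
    if not certs:
        raise ValueError("at least one certificate PEM is required")
    leaf, chain = certs[0], certs[1:]
    # BestAvailableEncryption uses the library's current default PBE for the key and
    # cert bags; older PKCS #12 consumers may need the SHA1/3DES legacy parameters instead.
    encryption = serialization.BestAvailableEncryption(password.encode()) if password else NoEncryption()
    return pkcs12.serialize_key_and_certificates(friendly_name, key, leaf, chain or None, encryption)


def read_pkcs12(archive, password):
    """The data source Poil asks for: split an archive back into PEM components."""
    key, leaf, chain = pkcs12.load_key_and_certificates(archive, password.encode() if password else None)
    key_pem = key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()) if key else None
    cert_pems = [c.public_bytes(Encoding.PEM) for c in [leaf, *chain] if c is not None]
    return key_pem, cert_pems


def _make_cert(name, key, issuer=None, issuer_key=None, ca=False, hours=12):
    """Constructed fixture helper: certificate for `name`, self-signed unless an issuer is given."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer if issuer is not None else name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(hours=hours))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(issuer_key if issuer_key is not None else key, hashes.SHA256())
    )


def make_sample_pki():
    """Constructed sample inputs: an ECDSA P-256 leaf for example.com signed by a
    throwaway CA, returned as (key_pem, [leaf_pem, ca_pem]) like the proposal's inputs."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "HCTF Examples Test CA")])
    ca_cert = _make_cert(ca_name, ca_key, ca=True, hours=24)

    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "example.com"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "HCTF Examples, Inc"),
    ])
    leaf_cert = _make_cert(leaf_name, leaf_key, issuer=ca_name, issuer_key=ca_key)

    key_pem = leaf_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
    return key_pem, [leaf_cert.public_bytes(Encoding.PEM), ca_cert.public_bytes(Encoding.PEM)]


def roundtrip(password="correct-horse-battery"):
    """Build an archive from PEM parts, read it back, and report what survived."""
    key_pem, cert_pems = make_sample_pki()
    archive = build_pkcs12(key_pem, cert_pems, password)
    key_back, certs_back = read_pkcs12(archive, password)
    leaf = x509.load_pem_x509_certificate(certs_back[0])
    original = serialization.load_pem_private_key(key_pem, None).private_numbers().private_value
    restored = serialization.load_pem_private_key(key_back, None).private_numbers().private_value
    return {
        # PKCS #12 is DER: ship it base64-encoded (e.g. to an S3 object), never as a text heredoc.
        "archive_base64": base64.b64encode(archive).decode("ascii"),
        "magic_ok": archive[:1] == b"\x30",  # outer ASN.1 SEQUENCE tag
        "key_preserved": original == restored,
        "leaf_cn": leaf.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "cert_count": len(certs_back),
    }


if __name__ == "__main__":
    result = roundtrip()
    print({k: v for k, v in result.items() if k != "archive_base64"})
```

Two practitioner caveats the thread touches on. First, the archive is binary, which is why `roundtrip` hands back a base64 string: a provider attribute exposed as plain text would need that encoding before it could be written to an object store or a Windows host. Second, `BestAvailableEncryption` follows whatever the linked OpenSSL currently considers best (AES/PBKDF2 with OpenSSL 3), which some older PKCS #12 consumers reject; for those, cryptography 38 and later offer `PrivateFormat.PKCS12.encryption_builder()` to select the legacy SHA1/3DES parameters explicitly, the same thing `openssl pkcs12 -export -legacy` does at the command line.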

detro (Contributor) commented May 16, 2022

Superseded by #205.

@detro detro closed this as completed May 16, 2022
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024