fix: provide a sensible example for a privateca Root CA example #631
Conversation
| email_protection = true | ||
| code_signing = true | ||
| time_stamping = true | ||
| server_auth = false |
There was a problem hiding this comment.
I think for the basic case this should be true; matching up to documentation here https://registry.terraform.io/providers/hashicorp/google/5.24.0/docs/resources/privateca_certificate_authority.
For the subordinate it's false.
There was a problem hiding this comment.
Plesae don't look at the provider configuration examples, those are equally wrong. Please take a look at either RFCs or the CA/B BR. E.g. here for the EKU values take a look at https://cabforum.org/uploads/CA-Browser-Forum-TLS-BRs-v2.0.2.pdf 7.1.2.1.2 Root CA Extensions -> It's "Extension extKeyUsage" "Presence MUST NOT".
For a subordinate the EKU values are a MUST if it's not empty aka unrestricted.
There was a problem hiding this comment.
Just to mention the obvious I'm not a PKIX expert myself, but inside Google you also have wizards like Ryan Sleevi, though trivial stuff like this might be not a good target for a wizard. The people who developed the CAS product should be also fine to consult with for the details.
There was a problem hiding this comment.
Agreed with @hoexter: by default, we probably don't want any EKUs here.
EKUs can appear on a CA, but they have a different meaning there -- specifically, they function to limit the allowed set of EKUs on all intermediate CAs and leaf certificates in that chain. That's probably not something most people want to do at their root-level CA.
There was a problem hiding this comment.
Btw, in this case I'd suggest dropping the extended_key_usage { .. } block completely, rather than including it with only false values.
There was a problem hiding this comment.
Currently the language server tells me that the provider expects the extended_key_usage {} block to be present, maybe it can be empty.
|
/gcbrun |
|
@msampathkumar Can you help add @pmansour to the list of reviewers? |
There was a problem hiding this comment.
Great callouts, thanks for helping to fix this! The values in this sample were probably copied over from somewhere without much thought about reasonable defaults. I think the changes here go a long way towards making these more realistic.
- Peter from the CAS eng team
| email_protection = true | ||
| code_signing = true | ||
| time_stamping = true | ||
| server_auth = false |
There was a problem hiding this comment.
Agreed with @hoexter: by default, we probably don't want any EKUs here.
EKUs can appear on a CA, but they have a different meaning there -- specifically, they function to limit the allowed set of EKUs on all intermediate CAs and leaf certificates in that chain. That's probably not something most people want to do at their root-level CA.
| email_protection = true | ||
| code_signing = true | ||
| time_stamping = true | ||
| server_auth = false |
There was a problem hiding this comment.
Btw, in this case I'd suggest dropping the extended_key_usage { .. } block completely, rather than including it with only false values.
| @@ -27,9 +29,6 @@ resource "google_privateca_certificate_authority" "root_ca" { | |||
| organization = "HashiCorp" | |||
| common_name = "my-certificate-authority" | |||
| } | |||
| subject_alt_name { | |||
| dns_names = ["hashicorp.com"] | |||
| } | |||
| } | |||
| x509_config { | |||
There was a problem hiding this comment.
could you also remove the extended_key_usage { .. } block here as well?
| } | ||
|
|
||
| resource "google_privateca_certificate_authority" "default" { | ||
| // This example assumes this pool already exists. | ||
| // Pools cannot be deleted in normal test circumstances, so we depend on static pools | ||
| pool = "my-pool" | ||
| pool = "my-sub-pool" | ||
| certificate_authority_id = "my-certificate-authority-sub" | ||
| location = "us-central1" | ||
| deletion_protection = false # set to true to prevent destruction of the resource |
There was a problem hiding this comment.
(sorry for the misplaced comment -- I can't figure out how to comment on the actual lines I want to mention, which weren't modified here)
Could you also make the following changes for the sub CA:
- Remove the
subject_alt_name - Get rid of all
base_key_usagevalues except forcert_signandcrl_sign. - Get rid of the
extended_key_usageblock entirely - Update the lifetime from 1 day (86400s) to 5 years (
"{5 * 365 * 24 * 3600}") - Update the signing key algorithm to use
RSA_PKCS1_2048_SHA256(more efficient for use in a sub CA)
There was a problem hiding this comment.
done, also took the freedom to replace HashiCorp with ACME
eku block is empty, someone has to check what the provider actually makes out of it
There was a problem hiding this comment.
https://github.com/GoogleCloudPlatform/magic-modules/blob/main/mmv1/products/privateca/CertificateAuthority.yaml#L404 there it's requiring the EKU block
This one looks a lot like someone copied by accident the subordinate example out of `certificate_authority_subordinate/main.tf` as a root CA. Thus it contains a lot of values set which are outright invalid or not recommend for Root CA certficates if you consider RFC 5280 and CA/B Baseline Requirements as the standard to follow. Also the subordinate example is a bit odd, e.g. configuring SAN on any kind of CA certificate doesn't make sense. And the resources examples there make use of the same pool name. Align the lifetime to some practical values, 10years for a Root CA and 5years for a subordinate. Signed-off-by: Sven Höxter <[email protected]>
hoexter
force-pushed
the
fix-root-ca-sample
branch
from
1697025 to
bdda738
Compare
|
This PR has been inactive for two months. If this inactivity continues for another two weeks, I will close the request. |
|
@msampathkumar I updated the PR long ago with the proposed changes by @pmansour. Thus it's just waiting for a review by you/your team. :) |
|
/gcbrun |
|
/gcbrun |
|
Can I do anything else to help you to review this PR and get it a state you can merge? |
|
/gcbrun |
|
I haven't been able to find a subject matter expert on this, but looking at the changes made, it seems reasonable. I'm not an expert on RFC5280, but removing some of the extra fields appears to match what modules do (e.g.. csa-certificate-authority-service) |
|
/gcbrun |
…alues Some of the properties configured here are either wrong or at least not very sensible on root certificates / subordinates. A similar set of fixes got applied to terraform documentation samples in terraform-google-modules/terraform-docs-samples#631 Signed-off-by: Sven Hoexter <[email protected]>
…alues Some of the properties configured here are either wrong or at least not very sensible on root certificates / subordinates. A similar set of fixes got applied to terraform documentation samples in terraform-google-modules/terraform-docs-samples#631 Signed-off-by: Sven Hoexter <[email protected]>
This one looks a lot like someone copied by accident the subordinate example out of
certificate_authority_subordinate/main.tfas a root CA. Thus it contains a lot of values set which are outright invalid or not recommend for Root CA certficates if you consider RFC 5280 and CA/B Baseline Requirements as the standard to follow.Also the subordinate example is a bit odd, e.g. configuring SAN on any kind of CA certificate doesn't make sense. And the resources examples there make use of the same pool name.
I tried to keep the lifetime setting, but set it to 99 years. That is probably a sensible value for a P(rivate)KI setup. For something public 10y or 15y are probably more sensible.
Description
Fixes #630
Note: If you are not associated with Google, open an issue for discussion before submitting a pull request.
Checklist
Readiness
Testing
I have performed tests described in the Contributing guide:
terraform applyterraform fmtcheck--> this should get a test run somewhere, right now I don't have a test setup at hand to validate it against the API of the CAS