Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: provide a sensible example for a privateca Root CA example #631

Merged
merged 7 commits into from
Nov 4, 2024
Merged

fix: provide a sensible example for a privateca Root CA example #631

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
bdda738
fix: provide a sensible example for a privateca Root CA example
hoexter Apr 2, 2024
ee34cf8
Merge branch 'main' into fix-root-ca-sample
hoexter Jul 9, 2024
572726a
Merge branch 'main' into fix-root-ca-sample
hoexter Oct 7, 2024
f5acd83
Merge branch 'main' into fix-root-ca-sample
glasnt Oct 10, 2024
2e01f3b
Merge branch 'main' into fix-root-ca-sample
iennae Oct 14, 2024
5b144c9
Merge branch 'main' into fix-root-ca-sample
glasnt Oct 23, 2024
a0147de
Merge branch 'main' into fix-root-ca-sample
glasnt Nov 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 14 additions & 25 deletions privateca/certificate_authority_basic/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,52 +15,41 @@
*/

# [START privateca_create_ca]
resource "google_privateca_certificate_authority" "default" {
resource "google_privateca_certificate_authority" "root_ca" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "my-pool"
certificate_authority_id = "my-certificate-authority-hashicorp"
location = "us-central1"
deletion_protection = false # set to true to prevent destruction of the resource
pool = "my-pool"
certificate_authority_id = "my-certificate-authority-root"
location = "us-central1"
deletion_protection = false # set to true to prevent destruction of the resource
ignore_active_certificates_on_deletion = true
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
max_issuer_path_length = 10
# is_ca *MUST* be true for certificate authorities
is_ca = true
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
// valid for 10 years
lifetime = "${10 * 365 * 24 * 3600}s"
}
# [END privateca_create_ca]
39 changes: 13 additions & 26 deletions privateca/certificate_authority_subordinate/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@

# [START privateca_create_subordinateca]
resource "google_privateca_certificate_authority" "root_ca" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "my-pool"
certificate_authority_id = "my-certificate-authority-root"
location = "us-central1"
Expand All @@ -24,12 +26,9 @@ resource "google_privateca_certificate_authority" "root_ca" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you also remove the extended_key_usage { .. } block here as well?

ca_options {
Expand All @@ -43,20 +42,21 @@ resource "google_privateca_certificate_authority" "root_ca" {
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
// valid for 10 years
lifetime = "${10 * 365 * 24 * 3600}s"
}

resource "google_privateca_certificate_authority" "default" {
resource "google_privateca_certificate_authority" "sub_ca" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "my-pool"
pool = "my-sub-pool"
glasnt marked this conversation as resolved.
Show resolved Hide resolved
certificate_authority_id = "my-certificate-authority-sub"
location = "us-central1"
deletion_protection = false # set to true to prevent destruction of the resource
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(sorry for the misplaced comment -- I can't figure out how to comment on the actual lines I want to mention, which weren't modified here)

Could you also make the following changes for the sub CA:

  • Remove the subject_alt_name
  • Get rid of all base_key_usage values except for cert_sign and crl_sign.
  • Get rid of the extended_key_usage block entirely
  • Update the lifetime from 1 day (86400s) to 5 years ("{5 * 365 * 24 * 3600}")
  • Update the signing key algorithm to use RSA_PKCS1_2048_SHA256 (more efficient for use in a sub CA)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done, also took the freedom to replace HashiCorp with ACME
eku block is empty, someone has to check what the provider actually makes out of it

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/GoogleCloudPlatform/magic-modules/blob/main/mmv1/products/privateca/CertificateAuthority.yaml#L404 there it's requiring the EKU block

Expand All @@ -66,12 +66,9 @@ resource "google_privateca_certificate_authority" "default" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-subordinate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
Expand All @@ -81,28 +78,18 @@ resource "google_privateca_certificate_authority" "default" {
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
// valid for 5 years
lifetime = "${5 * 365 * 24 * 3600}s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
algorithm = "RSA_PKCS1_2048_SHA256"
}
type = "SUBORDINATE"
}
Expand Down