fix: provide a sensible example for a privateca Root CA example
This one looks a lot like someone copied the subordinate example out of
`certificate_authority_subordinate/main.tf` by accident and used it as a root
CA. As a result it sets a number of values that are outright invalid
or not recommended for Root CA certificates if you take RFC 5280
and the CA/B Forum Baseline Requirements as the standard to follow.

Also the subordinate example is a bit odd, e.g. configuring SAN
on any kind of CA certificate doesn't make sense. And the resources
examples there make use of the same pool name.

Align the lifetime to some practical values, 10years for a Root CA
and 5years for a subordinate.

Signed-off-by: Sven Höxter <[email protected]>
hoexter committed Jul 9, 2024
1 parent ad0ed50 commit bdda738
Showing 2 changed files with 27 additions and 51 deletions.
39 changes: 14 additions & 25 deletions privateca/certificate_authority_basic/main.tf
Expand Up @@ -15,52 +15,41 @@
*/

# [START privateca_create_ca]
resource "google_privateca_certificate_authority" "default" {
resource "google_privateca_certificate_authority" "root_ca" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "my-pool"
certificate_authority_id = "my-certificate-authority-hashicorp"
location = "us-central1"
deletion_protection = false # set to true to prevent destruction of the resource
pool = "my-pool"
certificate_authority_id = "my-certificate-authority-root"
location = "us-central1"
deletion_protection = false # set to true to prevent destruction of the resource
ignore_active_certificates_on_deletion = true
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
max_issuer_path_length = 10
# is_ca *MUST* be true for certificate authorities
is_ca = true
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
// valid for 10 years
lifetime = "${10 * 365 * 24 * 3600}s"
}
# [END privateca_create_ca]
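Review bot: Dropping `max_issuer_path_length = 10` from `ca_options` leaves the root with no pathLenConstraint at all, so any subordinate it signs may itself issue further CAs; RFC 5280 and the Baseline Requirements make the constraint optional, but for a two-tier hierarchy where the root only ever signs issuing CAs, `max_issuer_path_length = 1` (or a comment saying why it is deliberately unbounded) would be the safer example. The combination of `deletion_protection = false` and `ignore_active_certificates_on_deletion = true` on a root also means `terraform destroy` removes the trust anchor while certificates still chain to it, which is fine for an example only if the reader is told, e.g. `# for a production root keep deletion_protection = true and drop ignore_active_certificates_on_deletion`. The `10 * 365 * 24 * 3600` arithmetic ignores leap days and so ends about two days short of a calendar decade; harmless, but worth a word in the `// valid for 10 years` comment if exactness matters.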
39 changes: 13 additions & 26 deletions privateca/certificate_authority_subordinate/main.tf
Expand Up @@ -16,6 +16,8 @@

# [START privateca_create_subordinateca]
resource "google_privateca_certificate_authority" "root_ca" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "my-pool"
certificate_authority_id = "my-certificate-authority-root"
location = "us-central1"
Expand All @@ -24,12 +26,9 @@ resource "google_privateca_certificate_authority" "root_ca" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
Expand All @@ -43,20 +42,21 @@ resource "google_privateca_certificate_authority" "root_ca" {
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
// valid for 10 years
lifetime = "${10 * 365 * 24 * 3600}s"
}

resource "google_privateca_certificate_authority" "default" {
resource "google_privateca_certificate_authority" "sub_ca" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "my-pool"
pool = "my-sub-pool"
certificate_authority_id = "my-certificate-authority-sub"
location = "us-central1"
deletion_protection = false # set to true to prevent destruction of the resource
Expand All @@ -66,12 +66,9 @@ resource "google_privateca_certificate_authority" "default" {
config {
subject_config {
subject {
organization = "HashiCorp"
organization = "ACME"
common_name = "my-subordinate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
Expand All @@ -81,28 +78,18 @@ resource "google_privateca_certificate_authority" "default" {
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
// valid for 5 years
lifetime = "${5 * 365 * 24 * 3600}s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
algorithm = "RSA_PKCS1_2048_SHA256"
}
type = "SUBORDINATE"
}
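Review bot: `sub_ca` is presumably an issuing CA for leaf certificates, yet nothing visible bounds its path length, so it could also sign further subordinate CAs; its `ca_options` body is collapsed in this view, but if it only sets `is_ca = true`, adding `zero_max_issuer_path_length = true` (the provider's way to express pathLenConstraint 0) is the least-privilege choice for an issuing CA. The root's `ca_options` in this file are likewise collapsed; if no path length constraint is set there either, `max_issuer_path_length = 1` would match a two-tier hierarchy. Moving the subordinate to `my-sub-pool` is reasonable, but the comment `This example assumes this pool already exists` now refers to two distinct pools, so saying that both `my-pool` and `my-sub-pool` must be created beforehand would spare readers a failed apply. Whether a `subordinate_config` referencing `root_ca` survives in the collapsed lines around `@@ -66,12 +66,9 @@` cannot be seen here; without it the subordinate never leaves the awaiting-activation state.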
