
Commit bde7cbf

committed
privateca: update certificate authority samples with more realistic values
Some of the properties configured here are either wrong or at least not very sensible on root certificates / subordinates. A similar set of fixes got applied to terraform documentation samples in terraform-google-modules/terraform-docs-samples#631 Signed-off-by: Sven Hoexter <[email protected]>
1 parent cacf5f4 commit bde7cbf


4 files changed

+13
-58
lines changed


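--- a/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.tmpl
+++ b/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.tmpl
@@ -8,40 +8,28 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 config {
 subject_config {
 subject {
-organization = "HashiCorp"
+organization = "ACME"
 common_name = "my-certificate-authority"
 }
-subject_alt_name {
-dns_names = ["hashicorp.com"]
-}
 }
 x509_config {
 ca_options {
+# is_ca *MUST* be true for certificate authorities
 is_ca = true
-max_issuer_path_length = 10
 }
 key_usage {
 base_key_usage {
-digital_signature = true
-content_commitment = true
-key_encipherment = false
-data_encipherment = true
-key_agreement = true
+# cert_sign and crl_sign *MUST* be true for certificate authorities
 cert_sign = true
 crl_sign = true
-decipher_only = true
 }
 extended_key_usage {
-server_auth = true
-client_auth = false
-email_protection = true
-code_signing = true
-time_stamping = true
 }
 }
 }
 }
-lifetime = "86400s"
+# valid for 10 years
+lifetime = "${10 * 365 * 24 * 3600}s"
 key_spec {
 algorithm = "RSA_PKCS1_4096_SHA256"
 }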
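Review bot: Removing `max_issuer_path_length = 10` from `ca_options` loosens the root rather than tightening it — as far as I can tell, when the attribute is absent the path-length constraint is omitted from the CA certificate altogether, so any depth of subordinate CAs becomes acceptable. A more realistic sample would keep the attribute with a small explicit value that documents the intended hierarchy, e.g. `max_issuer_path_length = 1` for a root that only signs one level of subordinates (or `0` where the CA issues end-entity certificates directly); please confirm the API's behaviour for the unset case before relying on it. The same removal appears in the byo_key, custom_ski and subordinate samples in this commit. Minor: `10 * 365 * 24 * 3600` is ten years less the leap days, which is fine for a sample but the comment could read `# valid for ~10 years`.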

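--- a/mmv1/templates/terraform/examples/privateca_certificate_authority_byo_key.tf.tmpl
+++ b/mmv1/templates/terraform/examples/privateca_certificate_authority_byo_key.tf.tmpl
@@ -37,7 +37,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 ca_options {
 # is_ca *MUST* be true for certificate authorities
 is_ca = true
-max_issuer_path_length = 10
 }
 key_usage {
 base_key_usage {
@@ -46,7 +45,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 crl_sign = true
 }
 extended_key_usage {
-server_auth = false
 }
 }
 name_constraints {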

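--- a/mmv1/templates/terraform/examples/privateca_certificate_authority_custom_ski.tf.tmpl
+++ b/mmv1/templates/terraform/examples/privateca_certificate_authority_custom_ski.tf.tmpl
@@ -8,43 +8,29 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 config {
 subject_config {
 subject {
-organization = "HashiCorp"
+organization = "ACME"
 common_name = "my-certificate-authority"
 }
-subject_alt_name {
-dns_names = ["hashicorp.com"]
-}
 }
 subject_key_id {
 key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca"
 }
 x509_config {
 ca_options {
 is_ca = true
-max_issuer_path_length = 10
 }
 key_usage {
 base_key_usage {
-digital_signature = true
-content_commitment = true
-key_encipherment = false
-data_encipherment = true
-key_agreement = true
 cert_sign = true
 crl_sign = true
-decipher_only = true
 }
 extended_key_usage {
-server_auth = true
-client_auth = false
-email_protection = true
-code_signing = true
-time_stamping = true
 }
 }
 }
 }
-lifetime = "86400s"
+# valid for 10 years
+lifetime = "${10 * 365 * 24 * 3600}s"
 key_spec {
 cloud_kms_key_version = "{{index $.Vars "kms_key_name"}}/cryptoKeyVersions/1"
 }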
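Review bot: This sample is left without the explanatory comments that the basic sample gains in the same commit, although its `ca_options` and `base_key_usage` blocks are now identical in content. For consistency, add `# is_ca *MUST* be true for certificate authorities` above `is_ca = true` and `# cert_sign and crl_sign *MUST* be true for certificate authorities` above `cert_sign = true`, so a reader of this sample also learns why those two settings survived the cleanup. The `extended_key_usage {}` block is now empty here as well; either drop it or leave a one-line comment saying a CA certificate needs no extended key usage, otherwise it reads like something was forgotten.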

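--- a/mmv1/templates/terraform/examples/privateca_certificate_authority_subordinate.tf.tmpl
+++ b/mmv1/templates/terraform/examples/privateca_certificate_authority_subordinate.tf.tmpl
@@ -5,12 +5,9 @@ resource "google_privateca_certificate_authority" "root-ca" {
 config {
 subject_config {
 subject {
-organization = "HashiCorp"
+organization = "ACME"
 common_name = "my-certificate-authority"
 }
-subject_alt_name {
-dns_names = ["hashicorp.com"]
-}
 }
 x509_config {
 ca_options {
@@ -24,7 +21,6 @@ resource "google_privateca_certificate_authority" "root-ca" {
 crl_sign = true
 }
 extended_key_usage {
-server_auth = false
 }
 }
 }
@@ -52,12 +48,9 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 config {
 subject_config {
 subject {
-organization = "HashiCorp"
+organization = "ACME"
 common_name = "my-subordinate-authority"
 }
-subject_alt_name {
-dns_names = ["hashicorp.com"]
-}
 }
 x509_config {
 ca_options {
@@ -67,28 +60,18 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
 }
 key_usage {
 base_key_usage {
-digital_signature = true
-content_commitment = true
-key_encipherment = false
-data_encipherment = true
-key_agreement = true
 cert_sign = true
 crl_sign = true
-decipher_only = true
 }
 extended_key_usage {
-server_auth = true
-client_auth = false
-email_protection = true
-code_signing = true
-time_stamping = true
 }
 }
 }
 }
-lifetime = "86400s"
+# valid for 5 years
+lifetime = "${5 * 365 * 24 * 3600}s"
 key_spec {
-algorithm = "RSA_PKCS1_4096_SHA256"
+algorithm = "RSA_PKCS1_2048_SHA256"
 }
 type = "SUBORDINATE"
 }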
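Review bot: The subordinate's new five-year `lifetime` in the last hunk is only realistic if it fits inside the issuing root's remaining validity, and the `root-ca` resource's `lifetime` is outside the hunks shown here, so please confirm it is at least as long (I believe a subordinate certificate cannot outlive its issuer, either being rejected or truncated). It would help readers to state the dependency in the comment, e.g. `# valid for 5 years; must not exceed the remaining lifetime of root-ca`. The `ca_options` block of the subordinate also starts before the last hunk, so whether a `max_issuer_path_length` is still set there is not visible; for a subordinate that only issues end-entity certificates, `max_issuer_path_length = 0` would be the natural explicit value.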
