privateca: update certificate authority samples with more realistic values (#12259) (#848)

modular-magician · web-flow · commit 8f46bc3b5f2e · 2024-11-07T08:49:19.000-08:00
[upstream:27812e087aaf4250c076b5d572b3934c1a013e2e]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/privateca_certificate_authority_basic/main.tf b/privateca_certificate_authority_basic/main.tf
@@ -8,40 +8,28 @@ resource "google_privateca_certificate_authority" "default" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
+        # is_ca *MUST* be true for certificate authorities
         is_ca = true
-        max_issuer_path_length = 10
       }
       key_usage {
         base_key_usage {
-          digital_signature = true
-          content_commitment = true
-          key_encipherment = false
-          data_encipherment = true
-          key_agreement = true
+          # cert_sign and crl_sign *MUST* be true for certificate authorities
           cert_sign = true
           crl_sign = true
-          decipher_only = true
         }
         extended_key_usage {
-          server_auth = true
-          client_auth = false
-          email_protection = true
-          code_signing = true
-          time_stamping = true
         }
       }
     }
   }
-  lifetime = "86400s"
+  # valid for 10 years
+  lifetime = "${10 * 365 * 24 * 3600}s"
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }
diff --git a/privateca_certificate_authority_subordinate/main.tf b/privateca_certificate_authority_subordinate/main.tf
@@ -5,12 +5,9 @@ resource "google_privateca_certificate_authority" "root-ca" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
@@ -24,7 +21,6 @@ resource "google_privateca_certificate_authority" "root-ca" {
           crl_sign = true
         }
         extended_key_usage {
-          server_auth = false
         }
       }
     }
@@ -52,43 +48,33 @@ resource "google_privateca_certificate_authority" "default" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-subordinate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
         is_ca = true
-        # Force the sub CA to only issue leaf certs
-        max_issuer_path_length = 0
+        # Force the sub CA to only issue leaf certs.
+        # Use e.g.
+        #    max_issuer_path_length = 1
+        # if you need to chain more subordinates.
+        zero_max_issuer_path_length = true
       }
       key_usage {
         base_key_usage {
-          digital_signature = true
-          content_commitment = true
-          key_encipherment = false
-          data_encipherment = true
-          key_agreement = true
           cert_sign = true
           crl_sign = true
-          decipher_only = true
         }
         extended_key_usage {
-          server_auth = true
-          client_auth = false
-          email_protection = true
-          code_signing = true
-          time_stamping = true
         }
       }
     }
   }
-  lifetime = "86400s"
+  # valid for 5 years
+  lifetime = "${5 * 365 * 24 * 3600}s"
   key_spec {
-    algorithm = "RSA_PKCS1_4096_SHA256"
+    algorithm = "RSA_PKCS1_2048_SHA256"
   }
   type = "SUBORDINATE"
 }

Original file line number	Diff line number	Diff line change
`@@ -8,40 +8,28 @@ resource "google_privateca_certificate_authority" "default" {`
`8`	`8`	`config {`
`9`	`9`	`subject_config {`
`10`	`10`	`subject {`
`11`		`- organization = "HashiCorp"`
	`11`	`+ organization = "ACME"`
`12`	`12`	`common_name = "my-certificate-authority"`
`13`	`13`	`}`
`14`		`- subject_alt_name {`
`15`		`- dns_names = ["hashicorp.com"]`
`16`		`- }`
`17`	`14`	`}`
`18`	`15`	`x509_config {`
`19`	`16`	`ca_options {`
	`17`	`+ # is_ca MUST be true for certificate authorities`
`20`	`18`	`is_ca = true`
`21`		`- max_issuer_path_length = 10`
`22`	`19`	`}`
`23`	`20`	`key_usage {`
`24`	`21`	`base_key_usage {`
`25`		`- digital_signature = true`
`26`		`- content_commitment = true`
`27`		`- key_encipherment = false`
`28`		`- data_encipherment = true`
`29`		`- key_agreement = true`
	`22`	`+ # cert_sign and crl_sign MUST be true for certificate authorities`
`30`	`23`	`cert_sign = true`
`31`	`24`	`crl_sign = true`
`32`		`- decipher_only = true`
`33`	`25`	`}`
`34`	`26`	`extended_key_usage {`
`35`		`- server_auth = true`
`36`		`- client_auth = false`
`37`		`- email_protection = true`
`38`		`- code_signing = true`
`39`		`- time_stamping = true`
`40`	`27`	`}`
`41`	`28`	`}`
`42`	`29`	`}`
`43`	`30`	`}`
`44`		`- lifetime = "86400s"`
	`31`	`+ # valid for 10 years`
	`32`	`+ lifetime = "${10 * 365 * 24 * 3600}s"`
`45`	`33`	`key_spec {`
`46`	`34`	`algorithm = "RSA_PKCS1_4096_SHA256"`
`47`	`35`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,12 +5,9 @@ resource "google_privateca_certificate_authority" "root-ca" {`
`5`	`5`	`config {`
`6`	`6`	`subject_config {`
`7`	`7`	`subject {`
`8`		`- organization = "HashiCorp"`
	`8`	`+ organization = "ACME"`
`9`	`9`	`common_name = "my-certificate-authority"`
`10`	`10`	`}`
`11`		`- subject_alt_name {`
`12`		`- dns_names = ["hashicorp.com"]`
`13`		`- }`
`14`	`11`	`}`
`15`	`12`	`x509_config {`
`16`	`13`	`ca_options {`
`@@ -24,7 +21,6 @@ resource "google_privateca_certificate_authority" "root-ca" {`
`24`	`21`	`crl_sign = true`
`25`	`22`	`}`
`26`	`23`	`extended_key_usage {`
`27`		`- server_auth = false`
`28`	`24`	`}`
`29`	`25`	`}`
`30`	`26`	`}`
`@@ -52,43 +48,33 @@ resource "google_privateca_certificate_authority" "default" {`
`52`	`48`	`config {`
`53`	`49`	`subject_config {`
`54`	`50`	`subject {`
`55`		`- organization = "HashiCorp"`
	`51`	`+ organization = "ACME"`
`56`	`52`	`common_name = "my-subordinate-authority"`
`57`	`53`	`}`
`58`		`- subject_alt_name {`
`59`		`- dns_names = ["hashicorp.com"]`
`60`		`- }`
`61`	`54`	`}`
`62`	`55`	`x509_config {`
`63`	`56`	`ca_options {`
`64`	`57`	`is_ca = true`
`65`		`- # Force the sub CA to only issue leaf certs`
`66`		`- max_issuer_path_length = 0`
	`58`	`+ # Force the sub CA to only issue leaf certs.`
	`59`	`+ # Use e.g.`
	`60`	`+ # max_issuer_path_length = 1`
	`61`	`+ # if you need to chain more subordinates.`
	`62`	`+ zero_max_issuer_path_length = true`
`67`	`63`	`}`
`68`	`64`	`key_usage {`
`69`	`65`	`base_key_usage {`
`70`		`- digital_signature = true`
`71`		`- content_commitment = true`
`72`		`- key_encipherment = false`
`73`		`- data_encipherment = true`
`74`		`- key_agreement = true`
`75`	`66`	`cert_sign = true`
`76`	`67`	`crl_sign = true`
`77`		`- decipher_only = true`
`78`	`68`	`}`
`79`	`69`	`extended_key_usage {`
`80`		`- server_auth = true`
`81`		`- client_auth = false`
`82`		`- email_protection = true`
`83`		`- code_signing = true`
`84`		`- time_stamping = true`
`85`	`70`	`}`
`86`	`71`	`}`
`87`	`72`	`}`
`88`	`73`	`}`
`89`		`- lifetime = "86400s"`
	`74`	`+ # valid for 5 years`
	`75`	`+ lifetime = "${5 * 365 * 24 * 3600}s"`
`90`	`76`	`key_spec {`
`91`		`- algorithm = "RSA_PKCS1_4096_SHA256"`
	`77`	`+ algorithm = "RSA_PKCS1_2048_SHA256"`
`92`	`78`	`}`
`93`	`79`	`type = "SUBORDINATE"`
`94`	`80`	`}`