privateca: update certificate authority samples with more realistic values (GoogleCloudPlatform#12259)

hoexter · amanMahendroo · commit 05228fbf3c8d · 2024-12-17T05:34:33.000Z
Signed-off-by: Sven Hoexter &lt;sven@stormbind.net&gt;
diff --git a/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.tmpl b/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.tmpl
@@ -8,40 +8,28 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
+        # is_ca *MUST* be true for certificate authorities
         is_ca = true
-        max_issuer_path_length = 10
       }
       key_usage {
         base_key_usage {
-          digital_signature = true
-          content_commitment = true
-          key_encipherment = false
-          data_encipherment = true
-          key_agreement = true
+          # cert_sign and crl_sign *MUST* be true for certificate authorities
           cert_sign = true
           crl_sign = true
-          decipher_only = true
         }
         extended_key_usage {
-          server_auth = true
-          client_auth = false
-          email_protection = true
-          code_signing = true
-          time_stamping = true
         }
       }
     }
   }
-  lifetime = "86400s"
+  # valid for 10 years
+  lifetime = "${10 * 365 * 24 * 3600}s"
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }
diff --git a/mmv1/templates/terraform/examples/privateca_certificate_authority_byo_key.tf.tmpl b/mmv1/templates/terraform/examples/privateca_certificate_authority_byo_key.tf.tmpl
@@ -37,7 +37,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
       ca_options {
         # is_ca *MUST* be true for certificate authorities
         is_ca = true
-        max_issuer_path_length = 10
       }
       key_usage {
         base_key_usage {
@@ -46,7 +45,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
           crl_sign = true
         }
         extended_key_usage {
-          server_auth = false
         }
       }
       name_constraints {
diff --git a/mmv1/templates/terraform/examples/privateca_certificate_authority_custom_ski.tf.tmpl b/mmv1/templates/terraform/examples/privateca_certificate_authority_custom_ski.tf.tmpl
@@ -8,43 +8,29 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     subject_key_id {
         key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca"
     }
     x509_config {
       ca_options {
         is_ca = true
-        max_issuer_path_length = 10
       }
       key_usage {
         base_key_usage {
-          digital_signature = true
-          content_commitment = true
-          key_encipherment = false
-          data_encipherment = true
-          key_agreement = true
           cert_sign = true
           crl_sign = true
-          decipher_only = true
         }
         extended_key_usage {
-          server_auth = true
-          client_auth = false
-          email_protection = true
-          code_signing = true
-          time_stamping = true
         }
       }
     }
   }
-  lifetime = "86400s"
+  # valid for 10 years
+  lifetime = "${10 * 365 * 24 * 3600}s"
   key_spec {
     cloud_kms_key_version = "{{index $.Vars "kms_key_name"}}/cryptoKeyVersions/1"
   }
diff --git a/mmv1/templates/terraform/examples/privateca_certificate_authority_subordinate.tf.tmpl b/mmv1/templates/terraform/examples/privateca_certificate_authority_subordinate.tf.tmpl
@@ -5,12 +5,9 @@ resource "google_privateca_certificate_authority" "root-ca" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
@@ -24,7 +21,6 @@ resource "google_privateca_certificate_authority" "root-ca" {
           crl_sign = true
         }
         extended_key_usage {
-          server_auth = false
         }
       }
     }
@@ -52,43 +48,33 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-subordinate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
         is_ca = true
-        # Force the sub CA to only issue leaf certs
-        max_issuer_path_length = 0
+        # Force the sub CA to only issue leaf certs.
+        # Use e.g.
+        #    max_issuer_path_length = 1
+        # if you need to chain more subordinates.
+        zero_max_issuer_path_length = true
       }
       key_usage {
         base_key_usage {
-          digital_signature = true
-          content_commitment = true
-          key_encipherment = false
-          data_encipherment = true
-          key_agreement = true
           cert_sign = true
           crl_sign = true
-          decipher_only = true
         }
         extended_key_usage {
-          server_auth = true
-          client_auth = false
-          email_protection = true
-          code_signing = true
-          time_stamping = true
         }
       }
     }
   }
-  lifetime = "86400s"
+  # valid for 5 years
+  lifetime = "${5 * 365 * 24 * 3600}s"
   key_spec {
-    algorithm = "RSA_PKCS1_4096_SHA256"
+    algorithm = "RSA_PKCS1_2048_SHA256"
   }
   type = "SUBORDINATE"
 }

Original file line number	Diff line number	Diff line change
`@@ -8,40 +8,28 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {`
`8`	`8`	`config {`
`9`	`9`	`subject_config {`
`10`	`10`	`subject {`
`11`		`- organization = "HashiCorp"`
	`11`	`+ organization = "ACME"`
`12`	`12`	`common_name = "my-certificate-authority"`
`13`	`13`	`}`
`14`		`- subject_alt_name {`
`15`		`- dns_names = ["hashicorp.com"]`
`16`		`- }`
`17`	`14`	`}`
`18`	`15`	`x509_config {`
`19`	`16`	`ca_options {`
	`17`	`+ # is_ca MUST be true for certificate authorities`
`20`	`18`	`is_ca = true`
`21`		`- max_issuer_path_length = 10`
`22`	`19`	`}`
`23`	`20`	`key_usage {`
`24`	`21`	`base_key_usage {`
`25`		`- digital_signature = true`
`26`		`- content_commitment = true`
`27`		`- key_encipherment = false`
`28`		`- data_encipherment = true`
`29`		`- key_agreement = true`
	`22`	`+ # cert_sign and crl_sign MUST be true for certificate authorities`
`30`	`23`	`cert_sign = true`
`31`	`24`	`crl_sign = true`
`32`		`- decipher_only = true`
`33`	`25`	`}`
`34`	`26`	`extended_key_usage {`
`35`		`- server_auth = true`
`36`		`- client_auth = false`
`37`		`- email_protection = true`
`38`		`- code_signing = true`
`39`		`- time_stamping = true`
`40`	`27`	`}`
`41`	`28`	`}`
`42`	`29`	`}`
`43`	`30`	`}`
`44`		`- lifetime = "86400s"`
	`31`	`+ # valid for 10 years`
	`32`	`+ lifetime = "${10 * 365 * 24 * 3600}s"`
`45`	`33`	`key_spec {`
`46`	`34`	`algorithm = "RSA_PKCS1_4096_SHA256"`
`47`	`35`	`}`
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {`
`37`	`37`	`ca_options {`
`38`	`38`	`# is_ca MUST be true for certificate authorities`
`39`	`39`	`is_ca = true`
`40`		`- max_issuer_path_length = 10`
`41`	`40`	`}`
`42`	`41`	`key_usage {`
`43`	`42`	`base_key_usage {`
`@@ -46,7 +45,6 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {`
`46`	`45`	`crl_sign = true`
`47`	`46`	`}`
`48`	`47`	`extended_key_usage {`
`49`		`- server_auth = false`
`50`	`48`	`}`
`51`	`49`	`}`
`52`	`50`	`name_constraints {`
Original file line number	Diff line number	Diff line change
`@@ -8,43 +8,29 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {`
`8`	`8`	`config {`
`9`	`9`	`subject_config {`
`10`	`10`	`subject {`
`11`		`- organization = "HashiCorp"`
	`11`	`+ organization = "ACME"`
`12`	`12`	`common_name = "my-certificate-authority"`
`13`	`13`	`}`
`14`		`- subject_alt_name {`
`15`		`- dns_names = ["hashicorp.com"]`
`16`		`- }`
`17`	`14`	`}`
`18`	`15`	`subject_key_id {`
`19`	`16`	`key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca"`
`20`	`17`	`}`
`21`	`18`	`x509_config {`
`22`	`19`	`ca_options {`
`23`	`20`	`is_ca = true`
`24`		`- max_issuer_path_length = 10`
`25`	`21`	`}`
`26`	`22`	`key_usage {`
`27`	`23`	`base_key_usage {`
`28`		`- digital_signature = true`
`29`		`- content_commitment = true`
`30`		`- key_encipherment = false`
`31`		`- data_encipherment = true`
`32`		`- key_agreement = true`
`33`	`24`	`cert_sign = true`
`34`	`25`	`crl_sign = true`
`35`		`- decipher_only = true`
`36`	`26`	`}`
`37`	`27`	`extended_key_usage {`
`38`		`- server_auth = true`
`39`		`- client_auth = false`
`40`		`- email_protection = true`
`41`		`- code_signing = true`
`42`		`- time_stamping = true`
`43`	`28`	`}`
`44`	`29`	`}`
`45`	`30`	`}`
`46`	`31`	`}`
`47`		`- lifetime = "86400s"`
	`32`	`+ # valid for 10 years`
	`33`	`+ lifetime = "${10 * 365 * 24 * 3600}s"`
`48`	`34`	`key_spec {`
`49`	`35`	`cloud_kms_key_version = "{{index $.Vars "kms_key_name"}}/cryptoKeyVersions/1"`
`50`	`36`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,12 +5,9 @@ resource "google_privateca_certificate_authority" "root-ca" {`
`5`	`5`	`config {`
`6`	`6`	`subject_config {`
`7`	`7`	`subject {`
`8`		`- organization = "HashiCorp"`
	`8`	`+ organization = "ACME"`
`9`	`9`	`common_name = "my-certificate-authority"`
`10`	`10`	`}`
`11`		`- subject_alt_name {`
`12`		`- dns_names = ["hashicorp.com"]`
`13`		`- }`
`14`	`11`	`}`
`15`	`12`	`x509_config {`
`16`	`13`	`ca_options {`
`@@ -24,7 +21,6 @@ resource "google_privateca_certificate_authority" "root-ca" {`
`24`	`21`	`crl_sign = true`
`25`	`22`	`}`
`26`	`23`	`extended_key_usage {`
`27`		`- server_auth = false`
`28`	`24`	`}`
`29`	`25`	`}`
`30`	`26`	`}`
`@@ -52,43 +48,33 @@ resource "google_privateca_certificate_authority" "{{$.PrimaryResourceId}}" {`
`52`	`48`	`config {`
`53`	`49`	`subject_config {`
`54`	`50`	`subject {`
`55`		`- organization = "HashiCorp"`
	`51`	`+ organization = "ACME"`
`56`	`52`	`common_name = "my-subordinate-authority"`
`57`	`53`	`}`
`58`		`- subject_alt_name {`
`59`		`- dns_names = ["hashicorp.com"]`
`60`		`- }`
`61`	`54`	`}`
`62`	`55`	`x509_config {`
`63`	`56`	`ca_options {`
`64`	`57`	`is_ca = true`
`65`		`- # Force the sub CA to only issue leaf certs`
`66`		`- max_issuer_path_length = 0`
	`58`	`+ # Force the sub CA to only issue leaf certs.`
	`59`	`+ # Use e.g.`
	`60`	`+ # max_issuer_path_length = 1`
	`61`	`+ # if you need to chain more subordinates.`
	`62`	`+ zero_max_issuer_path_length = true`
`67`	`63`	`}`
`68`	`64`	`key_usage {`
`69`	`65`	`base_key_usage {`
`70`		`- digital_signature = true`
`71`		`- content_commitment = true`
`72`		`- key_encipherment = false`
`73`		`- data_encipherment = true`
`74`		`- key_agreement = true`
`75`	`66`	`cert_sign = true`
`76`	`67`	`crl_sign = true`
`77`		`- decipher_only = true`
`78`	`68`	`}`
`79`	`69`	`extended_key_usage {`
`80`		`- server_auth = true`
`81`		`- client_auth = false`
`82`		`- email_protection = true`
`83`		`- code_signing = true`
`84`		`- time_stamping = true`
`85`	`70`	`}`
`86`	`71`	`}`
`87`	`72`	`}`
`88`	`73`	`}`
`89`		`- lifetime = "86400s"`
	`74`	`+ # valid for 5 years`
	`75`	`+ lifetime = "${5 * 365 * 24 * 3600}s"`
`90`	`76`	`key_spec {`
`91`		`- algorithm = "RSA_PKCS1_4096_SHA256"`
	`77`	`+ algorithm = "RSA_PKCS1_2048_SHA256"`
`92`	`78`	`}`
`93`	`79`	`type = "SUBORDINATE"`
`94`	`80`	`}`