| subcategory | page_title | description |
|---|---|---|
Certificate Authority Service |
Google: google_privateca_certificate_authority |
A CertificateAuthority represents an individual Certificate Authority. |
A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.
To get more information about CertificateAuthority, see:
- API documentation
- How-to Guides
~> Warning: On newer versions of the provider, you must explicitly set deletion_protection=false
(and run terraform apply to write the field to state) in order to destroy a CertificateAuthority.
It is recommended to not set this field (or set it to true) until you're ready to destroy.
resource "google_privateca_certificate_authority" "default" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority"
location = "us-central1"
deletion_protection = "true"
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
}resource "google_privateca_certificate_authority" "root-ca" {
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority-root"
location = "us-central1"
deletion_protection = false
ignore_active_certificates_on_deletion = true
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
}
key_usage {
base_key_usage {
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
}
resource "google_privateca_certificate_authority" "default" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority-sub"
location = "us-central1"
deletion_protection = "true"
subordinate_config {
certificate_authority = google_privateca_certificate_authority.root-ca.name
}
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-subordinate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
# Force the sub CA to only issue leaf certs
max_issuer_path_length = 0
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
type = "SUBORDINATE"
}resource "google_project_service_identity" "privateca_sa" {
service = "privateca.googleapis.com"
}
resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_signerverifier" {
crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
role = "roles/cloudkms.signerVerifier"
members = [
"serviceAccount:${google_project_service_identity.privateca_sa.email}",
]
}
resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_viewer" {
crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
role = "roles/viewer"
members = [
"serviceAccount:${google_project_service_identity.privateca_sa.email}",
]
}
resource "google_privateca_certificate_authority" "default" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority"
location = "us-central1"
deletion_protection = "true"
key_spec {
cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
}
config {
subject_config {
subject {
organization = "Example, Org."
common_name = "Example Authority"
}
}
x509_config {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
}
depends_on = [
google_kms_crypto_key_iam_binding.privateca_sa_keyuser_signerverifier,
google_kms_crypto_key_iam_binding.privateca_sa_keyuser_viewer,
]
}The following arguments are supported:
-
location- (Required) Location of the CertificateAuthority. A full list of valid locations can be found by runninggcloud privateca locations list. -
certificate_authority_id- (Required) The user provided Resource ID for this Certificate Authority. -
pool- (Required) The name of the CaPool this Certificate Authority belongs to. -
config- (Required) The config used to create a self-signed X.509 certificate or CSR. Structure is documented below. -
key_spec- (Required) Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
-
x509_config- (Required) Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below. -
subject_config- (Required) Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The x509_config block supports:
-
additional_extensions- (Optional) Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below. -
policy_ids- (Optional) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below. -
aia_ocsp_servers- (Optional) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate. -
ca_options- (Required) Describes values that are relevant in a CA certificate. Structure is documented below. -
key_usage- (Required) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
The additional_extensions block supports:
-
critical- (Required) Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). -
value- (Required) The value of this X.509 extension. A base64-encoded string. -
object_id- (Required) Describes values that are relevant in a CA certificate. Structure is documented below.
object_id_path- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The policy_ids block supports:
object_id_path- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The ca_options block supports:
-
is_ca- (Required) When true, the "CA" in Basic Constraints extension will be set to true. -
non_ca- (Optional) When true, the "CA" in Basic Constraints extension will be set to false. If bothis_caandnon_caare unset, the extension will be omitted from the CA certificate. -
max_issuer_path_length- (Optional) Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. -
zero_max_issuer_path_length- (Optional) When true, the "path length constraint" in Basic Constraints extension will be set to 0. if bothmax_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
-
base_key_usage- (Required) Describes high-level ways in which a key may be used. Structure is documented below. -
extended_key_usage- (Required) Describes high-level ways in which a key may be used. Structure is documented below. -
unknown_extended_key_usages- (Optional) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
The base_key_usage block supports:
-
digital_signature- (Optional) The key may be used for digital signatures. -
content_commitment- (Optional) The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". -
key_encipherment- (Optional) The key may be used to encipher other keys. -
data_encipherment- (Optional) The key may be used to encipher data. -
key_agreement- (Optional) The key may be used in a key agreement protocol. -
cert_sign- (Optional) The key may be used to sign certificates. -
crl_sign- (Optional) The key may be used sign certificate revocation lists. -
encipher_only- (Optional) The key may be used to encipher only. -
decipher_only- (Optional) The key may be used to decipher only.
The extended_key_usage block supports:
-
server_auth- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. -
client_auth- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. -
code_signing- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". -
email_protection- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". -
time_stamping- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". -
ocsp_signing- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
The unknown_extended_key_usages block supports:
object_id_path- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The subject_config block supports:
-
subject- (Required) Contains distinguished name fields such as the location and organization. Structure is documented below. -
subject_alt_name- (Optional) The subject alternative name fields. Structure is documented below.
-
country_code- (Optional) The country code of the subject. -
organization- (Required) The organization of the subject. -
organizational_unit- (Optional) The organizational unit of the subject. -
locality- (Optional) The locality or city of the subject. -
province- (Optional) The province, territory, or regional state of the subject. -
street_address- (Optional) The street address of the subject. -
postal_code- (Optional) The postal code of the subject. -
common_name- (Required) The common name of the distinguished name.
The subject_alt_name block supports:
-
dns_names- (Optional) Contains only valid, fully-qualified host names. -
uris- (Optional) Contains only valid RFC 3986 URIs. -
email_addresses- (Optional) Contains only valid RFC 2822 E-mail addresses. -
ip_addresses- (Optional) Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
-
cloud_kms_key_version- (Optional) The resource name for an existing Cloud KMS CryptoKeyVersion in the formatprojects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*. -
algorithm- (Optional) The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values areSIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256, andEC_P384_SHA384.
-
pem_ca_certificate- (Optional) The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer. -
ignore_active_certificates_on_deletion- (Optional) This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults tofalse. -
skip_grace_period- (Optional) If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults tofalse. -
type- (Optional) The Type of this CertificateAuthority. ~> Note: ForSUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values areSELF_SIGNEDandSUBORDINATE. -
lifetime- (Optional) The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". -
subordinate_config- (Optional) If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below. -
gcs_bucket- (Optional) The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such asgs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. -
labels- (Optional) Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. -
project- (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used. -
deletion_protection- (Optional) Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, aterraform destroyorterraform applythat would delete the instance will fail. -
desired_state- (Optional) Desired state of the CertificateAuthority. Set this field toSTAGEDto create aSTAGEDroot CA.
The subordinate_config block supports:
-
certificate_authority- (Optional) This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the formatprojects/*/locations/*/caPools/*/certificateAuthorities/*. -
pem_issuer_chain- (Optional) Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
The pem_issuer_chain block supports:
pem_certificates- (Optional) Expected to be in leaf-to-root order according to RFC 5246.
In addition to the arguments listed above, the following computed attributes are exported:
-
id- an identifier for the resource with formatprojects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}} -
name- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*. -
state- The State for this CertificateAuthority. -
pem_ca_certificates- This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate. -
access_urls- URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below. -
create_time- The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". -
update_time- The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
The access_urls block contains:
-
ca_certificate_access_url- The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated. -
crl_access_urls- The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
This resource provides the following Timeouts configuration options:
create- Default is 20 minutes.update- Default is 20 minutes.delete- Default is 20 minutes.
CertificateAuthority can be imported using any of these accepted formats:
$ terraform import google_privateca_certificate_authority.default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{location}}/{{pool}}/{{certificate_authority_id}}This resource supports User Project Overrides.