subcategory | page_title | description |
---|---|---|
Certificate Authority Service |
Google: google_privateca_certificate_authority |
A CertificateAuthority represents an individual Certificate Authority. |
A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.
To get more information about CertificateAuthority, see:
- API documentation
- How-to Guides
~> Warning: On newer versions of the provider, you must explicitly set deletion_protection=false
(and run terraform apply
to write the field to state) in order to destroy a CertificateAuthority.
It is recommended to not set this field (or set it to true) until you're ready to destroy.
resource "google_privateca_certificate_authority" "default" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority"
location = "us-central1"
deletion_protection = "true"
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
}
resource "google_privateca_certificate_authority" "root-ca" {
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority-root"
location = "us-central1"
deletion_protection = false
ignore_active_certificates_on_deletion = true
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
}
key_usage {
base_key_usage {
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
}
resource "google_privateca_certificate_authority" "default" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority-sub"
location = "us-central1"
deletion_protection = "true"
subordinate_config {
certificate_authority = google_privateca_certificate_authority.root-ca.name
}
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-subordinate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
# Force the sub CA to only issue leaf certs
max_issuer_path_length = 0
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
type = "SUBORDINATE"
}
resource "google_project_service_identity" "privateca_sa" {
service = "privateca.googleapis.com"
}
resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_signerverifier" {
crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
role = "roles/cloudkms.signerVerifier"
members = [
"serviceAccount:${google_project_service_identity.privateca_sa.email}",
]
}
resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_viewer" {
crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
role = "roles/viewer"
members = [
"serviceAccount:${google_project_service_identity.privateca_sa.email}",
]
}
resource "google_privateca_certificate_authority" "default" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority"
location = "us-central1"
deletion_protection = "true"
key_spec {
cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
}
config {
subject_config {
subject {
organization = "Example, Org."
common_name = "Example Authority"
}
}
x509_config {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
}
depends_on = [
google_kms_crypto_key_iam_binding.privateca_sa_keyuser_signerverifier,
google_kms_crypto_key_iam_binding.privateca_sa_keyuser_viewer,
]
}
The following arguments are supported:
-
location
- (Required) Location of the CertificateAuthority. A full list of valid locations can be found by runninggcloud privateca locations list
. -
certificate_authority_id
- (Required) The user provided Resource ID for this Certificate Authority. -
pool
- (Required) The name of the CaPool this Certificate Authority belongs to. -
config
- (Required) The config used to create a self-signed X.509 certificate or CSR. Structure is documented below. -
key_spec
- (Required) Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
-
x509_config
- (Required) Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below. -
subject_config
- (Required) Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The x509_config
block supports:
-
additional_extensions
- (Optional) Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below. -
policy_ids
- (Optional) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below. -
aia_ocsp_servers
- (Optional) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate. -
ca_options
- (Required) Describes values that are relevant in a CA certificate. Structure is documented below. -
key_usage
- (Required) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
The additional_extensions
block supports:
-
critical
- (Required) Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). -
value
- (Required) The value of this X.509 extension. A base64-encoded string. -
object_id
- (Required) Describes values that are relevant in a CA certificate. Structure is documented below.
object_id_path
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The policy_ids
block supports:
object_id_path
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The ca_options
block supports:
-
is_ca
- (Required) When true, the "CA" in Basic Constraints extension will be set to true. -
non_ca
- (Optional) When true, the "CA" in Basic Constraints extension will be set to false. If bothis_ca
andnon_ca
are unset, the extension will be omitted from the CA certificate. -
max_issuer_path_length
- (Optional) Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. -
zero_max_issuer_path_length
- (Optional) When true, the "path length constraint" in Basic Constraints extension will be set to 0. if bothmax_issuer_path_length
andzero_max_issuer_path_length
are unset, the max path length will be omitted from the CA certificate.
-
base_key_usage
- (Required) Describes high-level ways in which a key may be used. Structure is documented below. -
extended_key_usage
- (Required) Describes high-level ways in which a key may be used. Structure is documented below. -
unknown_extended_key_usages
- (Optional) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
The base_key_usage
block supports:
-
digital_signature
- (Optional) The key may be used for digital signatures. -
content_commitment
- (Optional) The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". -
key_encipherment
- (Optional) The key may be used to encipher other keys. -
data_encipherment
- (Optional) The key may be used to encipher data. -
key_agreement
- (Optional) The key may be used in a key agreement protocol. -
cert_sign
- (Optional) The key may be used to sign certificates. -
crl_sign
- (Optional) The key may be used sign certificate revocation lists. -
encipher_only
- (Optional) The key may be used to encipher only. -
decipher_only
- (Optional) The key may be used to decipher only.
The extended_key_usage
block supports:
-
server_auth
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. -
client_auth
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. -
code_signing
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". -
email_protection
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". -
time_stamping
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". -
ocsp_signing
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
The unknown_extended_key_usages
block supports:
object_id_path
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The subject_config
block supports:
-
subject
- (Required) Contains distinguished name fields such as the location and organization. Structure is documented below. -
subject_alt_name
- (Optional) The subject alternative name fields. Structure is documented below.
-
country_code
- (Optional) The country code of the subject. -
organization
- (Required) The organization of the subject. -
organizational_unit
- (Optional) The organizational unit of the subject. -
locality
- (Optional) The locality or city of the subject. -
province
- (Optional) The province, territory, or regional state of the subject. -
street_address
- (Optional) The street address of the subject. -
postal_code
- (Optional) The postal code of the subject. -
common_name
- (Required) The common name of the distinguished name.
The subject_alt_name
block supports:
-
dns_names
- (Optional) Contains only valid, fully-qualified host names. -
uris
- (Optional) Contains only valid RFC 3986 URIs. -
email_addresses
- (Optional) Contains only valid RFC 2822 E-mail addresses. -
ip_addresses
- (Optional) Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
-
cloud_kms_key_version
- (Optional) The resource name for an existing Cloud KMS CryptoKeyVersion in the formatprojects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*
. -
algorithm
- (Optional) The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values areSIGN_HASH_ALGORITHM_UNSPECIFIED
,RSA_PSS_2048_SHA256
,RSA_PSS_3072_SHA256
,RSA_PSS_4096_SHA256
,RSA_PKCS1_2048_SHA256
,RSA_PKCS1_3072_SHA256
,RSA_PKCS1_4096_SHA256
,EC_P256_SHA256
, andEC_P384_SHA384
.
-
pem_ca_certificate
- (Optional) The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer. -
ignore_active_certificates_on_deletion
- (Optional) This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults tofalse
. -
skip_grace_period
- (Optional) If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults tofalse
. -
type
- (Optional) The Type of this CertificateAuthority. ~> Note: ForSUBORDINATE
Certificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED
. Possible values areSELF_SIGNED
andSUBORDINATE
. -
lifetime
- (Optional) The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". -
subordinate_config
- (Optional) If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below. -
gcs_bucket
- (Optional) The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such asgs://
) or suffixes (such as.googleapis.com
). For example, to use a bucket named my-bucket, you would simply specifymy-bucket
. If not specified, a managed bucket will be created. -
labels
- (Optional) Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. -
project
- (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used. -
deletion_protection
- (Optional) Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, aterraform destroy
orterraform apply
that would delete the instance will fail. -
desired_state
- (Optional) Desired state of the CertificateAuthority. Set this field toSTAGED
to create aSTAGED
root CA.
The subordinate_config
block supports:
-
certificate_authority
- (Optional) This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the formatprojects/*/locations/*/caPools/*/certificateAuthorities/*
. -
pem_issuer_chain
- (Optional) Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
The pem_issuer_chain
block supports:
pem_certificates
- (Optional) Expected to be in leaf-to-root order according to RFC 5246.
In addition to the arguments listed above, the following computed attributes are exported:
-
id
- an identifier for the resource with formatprojects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
-
name
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*. -
state
- The State for this CertificateAuthority. -
pem_ca_certificates
- This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate. -
access_urls
- URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below. -
create_time
- The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". -
update_time
- The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
The access_urls
block contains:
-
ca_certificate_access_url
- The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated. -
crl_access_urls
- The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.update
- Default is 20 minutes.delete
- Default is 20 minutes.
CertificateAuthority can be imported using any of these accepted formats:
$ terraform import google_privateca_certificate_authority.default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{location}}/{{pool}}/{{certificate_authority_id}}
This resource supports User Project Overrides.