Support for PKCS#12 archive format

[detro]

Terraform CLI and Provider Versions

1.1.x

Use Cases or Problem Statement

PKCS#12 is a specification for a cryptographic archive format. Here are some useful links:

• https://datatracker.ietf.org/doc/html/rfc7292
• https://en.wikipedia.org/wiki/PKCS_12

Support for this has been a long standing request, and contributors have provided some implementations or reporting:

• Resource to generate a PKCS #12 archive file out of PKI components #29
• AG needs PKCS12 format but Terraform only provides PEM support #36
• Add PKCS12 archive bundle to self-signed certificate resource #69
• Generates PKCS#12 archive #70
• add pfx bundle to certificates #119

Based on what's reported in issues and tickets, this would allow for better interoperability with other providers, like Azure.

The approaches range between having resources expose PKCS#12 as an additional Computed: attribute, sitting side by side with cert_pem or private_key_pem, or as an entirely new resource, where we can use the other resources/data-sources to create it.

Proposal

Create a PCKS#12 resource that allows to archive (with optional password) cryptographic objects.

Leverage the contributions listed above as inspiration, but considering the age of some PRs, it's unlikely a cherry pick will be possible.

NOTE: The exact implementation might still require some thought, as it might be more beneficial to instead export PKCS#12 archives as additional attributes. How exactly the implementation will look like might need to be delayed until this issue is addressed.

How much impact is this issue causing?

Low

Additional Information

Closes #29
Closes #36
Closes #69
Closes #70
Closes #119

Code of Conduct

• I agree to follow this project's Code of Conduct

[chilicat]

Obsoletes https://github.com/chilicat/terraform-provider-pkcs12
Very welcome! :)

[jbg]

It would be great to be able to produce somewhat arbitrary PKCS12 bundles, rather than being limited to getting a PKCS12 bundle containing a single certificate chain and/or private key.

Java >= 9 uses PKCS12 as its default trust store format (just a big archive of CA certificates). Currently there is no simple way to centrally manage these trust stores across many deployed Java applications using only Terraform providers, since there is no PKCS12 provider that supports providing an arbitrary list of certificates and no keys.

[h0nIg]

ping @detro @bookshelfdave @ebekker @ @vancluever @zimbatm @digiwhite1980 @vadimkuznetsov @rajatrawat99 @elliotchaim @chilicat @troyready @Poil @slessardjr @easkay @holderbaum @dominik-lekse @ @draggeta @Leon99 @tombuildsstuff @MattMencel @apparentlymart @ @asc-adean @flokli @identifysun @mhaarbrink @ @marcmarcet @ @ankit-kumar-mck @ @Socolin @ @cicorias @jbg @tiwood @devlincashman @slessardjr

any update for this / any idea to push this forward? there is still nothing to be used out of the box (without workaround and without compiling something on my own)

[jbg]

If there were updates, you'd see them in this ticket. If you're going to ping 30+ random people, at least have something to add… 🙄

[bendbennett]

Hi @h0nIg 👋,
This PR is currently on-hold as our team's attention is currently elsewhere at the moment. Apologies for any inconvenience.

[jkroepke]

@bendbennett is there an ETA to continue work on this?