privateca: update certificate authority samples with more realistic values (#12259) (#20222)

modular-magician · web-flow · commit 495f491e29c5 · 2024-11-07T08:50:38.000-08:00
[upstream:27812e087aaf4250c076b5d572b3934c1a013e2e]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/12259.txt b/.changelog/12259.txt
@@ -0,0 +1,2 @@
+```release-note:none
+```
diff --git a/google/services/privateca/resource_privateca_certificate_authority_generated_test.go b/google/services/privateca/resource_privateca_certificate_authority_generated_test.go
@@ -70,40 +70,28 @@ resource "google_privateca_certificate_authority" "default" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
+        # is_ca *MUST* be true for certificate authorities
         is_ca = true
-        max_issuer_path_length = 10
       }
       key_usage {
         base_key_usage {
-          digital_signature = true
-          content_commitment = true
-          key_encipherment = false
-          data_encipherment = true
-          key_agreement = true
+          # cert_sign and crl_sign *MUST* be true for certificate authorities
           cert_sign = true
           crl_sign = true
-          decipher_only = true
         }
         extended_key_usage {
-          server_auth = true
-          client_auth = false
-          email_protection = true
-          code_signing = true
-          time_stamping = true
         }
       }
     }
   }
-  lifetime = "86400s"
+  # valid for 10 years
+  lifetime = "${10 * 365 * 24 * 3600}s"
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }
@@ -149,12 +137,9 @@ resource "google_privateca_certificate_authority" "root-ca" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
@@ -168,7 +153,6 @@ resource "google_privateca_certificate_authority" "root-ca" {
           crl_sign = true
         }
         extended_key_usage {
-          server_auth = false
         }
       }
     }
@@ -196,43 +180,33 @@ resource "google_privateca_certificate_authority" "default" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-subordinate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
         is_ca = true
-        # Force the sub CA to only issue leaf certs
-        max_issuer_path_length = 0
+        # Force the sub CA to only issue leaf certs.
+        # Use e.g.
+        #    max_issuer_path_length = 1
+        # if you need to chain more subordinates.
+        zero_max_issuer_path_length = true
       }
       key_usage {
         base_key_usage {
-          digital_signature = true
-          content_commitment = true
-          key_encipherment = false
-          data_encipherment = true
-          key_agreement = true
           cert_sign = true
           crl_sign = true
-          decipher_only = true
         }
         extended_key_usage {
-          server_auth = true
-          client_auth = false
-          email_protection = true
-          code_signing = true
-          time_stamping = true
         }
       }
     }
   }
-  lifetime = "86400s"
+  # valid for 5 years
+  lifetime = "${5 * 365 * 24 * 3600}s"
   key_spec {
-    algorithm = "RSA_PKCS1_4096_SHA256"
+    algorithm = "RSA_PKCS1_2048_SHA256"
   }
   type = "SUBORDINATE"
 }
diff --git a/website/docs/r/privateca_certificate_authority.html.markdown b/website/docs/r/privateca_certificate_authority.html.markdown
@@ -52,40 +52,28 @@ resource "google_privateca_certificate_authority" "default" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
+        # is_ca *MUST* be true for certificate authorities
         is_ca = true
-        max_issuer_path_length = 10
       }
       key_usage {
         base_key_usage {
-          digital_signature = true
-          content_commitment = true
-          key_encipherment = false
-          data_encipherment = true
-          key_agreement = true
+          # cert_sign and crl_sign *MUST* be true for certificate authorities
           cert_sign = true
           crl_sign = true
-          decipher_only = true
         }
         extended_key_usage {
-          server_auth = true
-          client_auth = false
-          email_protection = true
-          code_signing = true
-          time_stamping = true
         }
       }
     }
   }
-  lifetime = "86400s"
+  # valid for 10 years
+  lifetime = "${10 * 365 * 24 * 3600}s"
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }
@@ -107,12 +95,9 @@ resource "google_privateca_certificate_authority" "root-ca" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
@@ -126,7 +111,6 @@ resource "google_privateca_certificate_authority" "root-ca" {
           crl_sign = true
         }
         extended_key_usage {
-          server_auth = false
         }
       }
     }
@@ -154,43 +138,33 @@ resource "google_privateca_certificate_authority" "default" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-subordinate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
         is_ca = true
-        # Force the sub CA to only issue leaf certs
-        max_issuer_path_length = 0
+        # Force the sub CA to only issue leaf certs.
+        # Use e.g.
+        #    max_issuer_path_length = 1
+        # if you need to chain more subordinates.
+        zero_max_issuer_path_length = true
       }
       key_usage {
         base_key_usage {
-          digital_signature = true
-          content_commitment = true
-          key_encipherment = false
-          data_encipherment = true
-          key_agreement = true
           cert_sign = true
           crl_sign = true
-          decipher_only = true
         }
         extended_key_usage {
-          server_auth = true
-          client_auth = false
-          email_protection = true
-          code_signing = true
-          time_stamping = true
         }
       }
     }
   }
-  lifetime = "86400s"
+  # valid for 5 years
+  lifetime = "${5 * 365 * 24 * 3600}s"
   key_spec {
-    algorithm = "RSA_PKCS1_4096_SHA256"
+    algorithm = "RSA_PKCS1_2048_SHA256"
   }
   type = "SUBORDINATE"
 }
@@ -238,7 +212,6 @@ resource "google_privateca_certificate_authority" "default" {
       ca_options {
         # is_ca *MUST* be true for certificate authorities
         is_ca = true
-        max_issuer_path_length = 10
       }
       key_usage {
         base_key_usage {
@@ -247,7 +220,6 @@ resource "google_privateca_certificate_authority" "default" {
           crl_sign = true
         }
         extended_key_usage {
-          server_auth = false
         }
       }
       name_constraints {
@@ -284,43 +256,29 @@ resource "google_privateca_certificate_authority" "default" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     subject_key_id {
         key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca"
     }
     x509_config {
       ca_options {
         is_ca = true
-        max_issuer_path_length = 10
       }
       key_usage {
         base_key_usage {
-          digital_signature = true
-          content_commitment = true
-          key_encipherment = false
-          data_encipherment = true
-          key_agreement = true
           cert_sign = true
           crl_sign = true
-          decipher_only = true
         }
         extended_key_usage {
-          server_auth = true
-          client_auth = false
-          email_protection = true
-          code_signing = true
-          time_stamping = true
         }
       }
     }
   }
-  lifetime = "86400s"
+  # valid for 10 years
+  lifetime = "${10 * 365 * 24 * 3600}s"
   key_spec {
     cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
   }

Original file line number	Diff line number	Diff line change
`@@ -70,40 +70,28 @@ resource "google_privateca_certificate_authority" "default" {`
`70`	`70`	`config {`
`71`	`71`	`subject_config {`
`72`	`72`	`subject {`
`73`		`- organization = "HashiCorp"`
	`73`	`+ organization = "ACME"`
`74`	`74`	`common_name = "my-certificate-authority"`
`75`	`75`	`}`
`76`		`- subject_alt_name {`
`77`		`- dns_names = ["hashicorp.com"]`
`78`		`- }`
`79`	`76`	`}`
`80`	`77`	`x509_config {`
`81`	`78`	`ca_options {`
	`79`	`+ # is_ca MUST be true for certificate authorities`
`82`	`80`	`is_ca = true`
`83`		`- max_issuer_path_length = 10`
`84`	`81`	`}`
`85`	`82`	`key_usage {`
`86`	`83`	`base_key_usage {`
`87`		`- digital_signature = true`
`88`		`- content_commitment = true`
`89`		`- key_encipherment = false`
`90`		`- data_encipherment = true`
`91`		`- key_agreement = true`
	`84`	`+ # cert_sign and crl_sign MUST be true for certificate authorities`
`92`	`85`	`cert_sign = true`
`93`	`86`	`crl_sign = true`
`94`		`- decipher_only = true`
`95`	`87`	`}`
`96`	`88`	`extended_key_usage {`
`97`		`- server_auth = true`
`98`		`- client_auth = false`
`99`		`- email_protection = true`
`100`		`- code_signing = true`
`101`		`- time_stamping = true`
`102`	`89`	`}`
`103`	`90`	`}`
`104`	`91`	`}`
`105`	`92`	`}`
`106`		`- lifetime = "86400s"`
	`93`	`+ # valid for 10 years`
	`94`	`+ lifetime = "${10 * 365 * 24 * 3600}s"`
`107`	`95`	`key_spec {`
`108`	`96`	`algorithm = "RSA_PKCS1_4096_SHA256"`
`109`	`97`	`}`
`@@ -149,12 +137,9 @@ resource "google_privateca_certificate_authority" "root-ca" {`
`149`	`137`	`config {`
`150`	`138`	`subject_config {`
`151`	`139`	`subject {`
`152`		`- organization = "HashiCorp"`
	`140`	`+ organization = "ACME"`
`153`	`141`	`common_name = "my-certificate-authority"`
`154`	`142`	`}`
`155`		`- subject_alt_name {`
`156`		`- dns_names = ["hashicorp.com"]`
`157`		`- }`
`158`	`143`	`}`
`159`	`144`	`x509_config {`
`160`	`145`	`ca_options {`
`@@ -168,7 +153,6 @@ resource "google_privateca_certificate_authority" "root-ca" {`
`168`	`153`	`crl_sign = true`
`169`	`154`	`}`
`170`	`155`	`extended_key_usage {`
`171`		`- server_auth = false`
`172`	`156`	`}`
`173`	`157`	`}`
`174`	`158`	`}`
`@@ -196,43 +180,33 @@ resource "google_privateca_certificate_authority" "default" {`
`196`	`180`	`config {`
`197`	`181`	`subject_config {`
`198`	`182`	`subject {`
`199`		`- organization = "HashiCorp"`
	`183`	`+ organization = "ACME"`
`200`	`184`	`common_name = "my-subordinate-authority"`
`201`	`185`	`}`
`202`		`- subject_alt_name {`
`203`		`- dns_names = ["hashicorp.com"]`
`204`		`- }`
`205`	`186`	`}`
`206`	`187`	`x509_config {`
`207`	`188`	`ca_options {`
`208`	`189`	`is_ca = true`
`209`		`- # Force the sub CA to only issue leaf certs`
`210`		`- max_issuer_path_length = 0`
	`190`	`+ # Force the sub CA to only issue leaf certs.`
	`191`	`+ # Use e.g.`
	`192`	`+ # max_issuer_path_length = 1`
	`193`	`+ # if you need to chain more subordinates.`
	`194`	`+ zero_max_issuer_path_length = true`
`211`	`195`	`}`
`212`	`196`	`key_usage {`
`213`	`197`	`base_key_usage {`
`214`		`- digital_signature = true`
`215`		`- content_commitment = true`
`216`		`- key_encipherment = false`
`217`		`- data_encipherment = true`
`218`		`- key_agreement = true`
`219`	`198`	`cert_sign = true`
`220`	`199`	`crl_sign = true`
`221`		`- decipher_only = true`
`222`	`200`	`}`
`223`	`201`	`extended_key_usage {`
`224`		`- server_auth = true`
`225`		`- client_auth = false`
`226`		`- email_protection = true`
`227`		`- code_signing = true`
`228`		`- time_stamping = true`
`229`	`202`	`}`
`230`	`203`	`}`
`231`	`204`	`}`
`232`	`205`	`}`
`233`		`- lifetime = "86400s"`
	`206`	`+ # valid for 5 years`
	`207`	`+ lifetime = "${5 * 365 * 24 * 3600}s"`
`234`	`208`	`key_spec {`
`235`		`- algorithm = "RSA_PKCS1_4096_SHA256"`
	`209`	`+ algorithm = "RSA_PKCS1_2048_SHA256"`
`236`	`210`	`}`
`237`	`211`	`type = "SUBORDINATE"`
`238`	`212`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,40 +52,28 @@ resource "google_privateca_certificate_authority" "default" {`
`52`	`52`	`config {`
`53`	`53`	`subject_config {`
`54`	`54`	`subject {`
`55`		`- organization = "HashiCorp"`
	`55`	`+ organization = "ACME"`
`56`	`56`	`common_name = "my-certificate-authority"`
`57`	`57`	`}`
`58`		`- subject_alt_name {`
`59`		`- dns_names = ["hashicorp.com"]`
`60`		`- }`
`61`	`58`	`}`
`62`	`59`	`x509_config {`
`63`	`60`	`ca_options {`
	`61`	`+ # is_ca MUST be true for certificate authorities`
`64`	`62`	`is_ca = true`
`65`		`- max_issuer_path_length = 10`
`66`	`63`	`}`
`67`	`64`	`key_usage {`
`68`	`65`	`base_key_usage {`
`69`		`- digital_signature = true`
`70`		`- content_commitment = true`
`71`		`- key_encipherment = false`
`72`		`- data_encipherment = true`
`73`		`- key_agreement = true`
	`66`	`+ # cert_sign and crl_sign MUST be true for certificate authorities`
`74`	`67`	`cert_sign = true`
`75`	`68`	`crl_sign = true`
`76`		`- decipher_only = true`
`77`	`69`	`}`
`78`	`70`	`extended_key_usage {`
`79`		`- server_auth = true`
`80`		`- client_auth = false`
`81`		`- email_protection = true`
`82`		`- code_signing = true`
`83`		`- time_stamping = true`
`84`	`71`	`}`
`85`	`72`	`}`
`86`	`73`	`}`
`87`	`74`	`}`
`88`		`- lifetime = "86400s"`
	`75`	`+ # valid for 10 years`
	`76`	`+ lifetime = "${10 * 365 * 24 * 3600}s"`
`89`	`77`	`key_spec {`
`90`	`78`	`algorithm = "RSA_PKCS1_4096_SHA256"`
`91`	`79`	`}`
`@@ -107,12 +95,9 @@ resource "google_privateca_certificate_authority" "root-ca" {`
`107`	`95`	`config {`
`108`	`96`	`subject_config {`
`109`	`97`	`subject {`
`110`		`- organization = "HashiCorp"`
	`98`	`+ organization = "ACME"`
`111`	`99`	`common_name = "my-certificate-authority"`
`112`	`100`	`}`
`113`		`- subject_alt_name {`
`114`		`- dns_names = ["hashicorp.com"]`
`115`		`- }`
`116`	`101`	`}`
`117`	`102`	`x509_config {`
`118`	`103`	`ca_options {`
`@@ -126,7 +111,6 @@ resource "google_privateca_certificate_authority" "root-ca" {`
`126`	`111`	`crl_sign = true`
`127`	`112`	`}`
`128`	`113`	`extended_key_usage {`
`129`		`- server_auth = false`
`130`	`114`	`}`
`131`	`115`	`}`
`132`	`116`	`}`
`@@ -154,43 +138,33 @@ resource "google_privateca_certificate_authority" "default" {`
`154`	`138`	`config {`
`155`	`139`	`subject_config {`
`156`	`140`	`subject {`
`157`		`- organization = "HashiCorp"`
	`141`	`+ organization = "ACME"`
`158`	`142`	`common_name = "my-subordinate-authority"`
`159`	`143`	`}`
`160`		`- subject_alt_name {`
`161`		`- dns_names = ["hashicorp.com"]`
`162`		`- }`
`163`	`144`	`}`
`164`	`145`	`x509_config {`
`165`	`146`	`ca_options {`
`166`	`147`	`is_ca = true`
`167`		`- # Force the sub CA to only issue leaf certs`
`168`		`- max_issuer_path_length = 0`
	`148`	`+ # Force the sub CA to only issue leaf certs.`
	`149`	`+ # Use e.g.`
	`150`	`+ # max_issuer_path_length = 1`
	`151`	`+ # if you need to chain more subordinates.`
	`152`	`+ zero_max_issuer_path_length = true`
`169`	`153`	`}`
`170`	`154`	`key_usage {`
`171`	`155`	`base_key_usage {`
`172`		`- digital_signature = true`
`173`		`- content_commitment = true`
`174`		`- key_encipherment = false`
`175`		`- data_encipherment = true`
`176`		`- key_agreement = true`
`177`	`156`	`cert_sign = true`
`178`	`157`	`crl_sign = true`
`179`		`- decipher_only = true`
`180`	`158`	`}`
`181`	`159`	`extended_key_usage {`
`182`		`- server_auth = true`
`183`		`- client_auth = false`
`184`		`- email_protection = true`
`185`		`- code_signing = true`
`186`		`- time_stamping = true`
`187`	`160`	`}`
`188`	`161`	`}`
`189`	`162`	`}`
`190`	`163`	`}`
`191`		`- lifetime = "86400s"`
	`164`	`+ # valid for 5 years`
	`165`	`+ lifetime = "${5 * 365 * 24 * 3600}s"`
`192`	`166`	`key_spec {`
`193`		`- algorithm = "RSA_PKCS1_4096_SHA256"`
	`167`	`+ algorithm = "RSA_PKCS1_2048_SHA256"`
`194`	`168`	`}`
`195`	`169`	`type = "SUBORDINATE"`
`196`	`170`	`}`
`@@ -238,7 +212,6 @@ resource "google_privateca_certificate_authority" "default" {`
`238`	`212`	`ca_options {`
`239`	`213`	`# is_ca MUST be true for certificate authorities`
`240`	`214`	`is_ca = true`
`241`		`- max_issuer_path_length = 10`
`242`	`215`	`}`
`243`	`216`	`key_usage {`
`244`	`217`	`base_key_usage {`
`@@ -247,7 +220,6 @@ resource "google_privateca_certificate_authority" "default" {`
`247`	`220`	`crl_sign = true`
`248`	`221`	`}`
`249`	`222`	`extended_key_usage {`
`250`		`- server_auth = false`
`251`	`223`	`}`
`252`	`224`	`}`
`253`	`225`	`name_constraints {`
`@@ -284,43 +256,29 @@ resource "google_privateca_certificate_authority" "default" {`
`284`	`256`	`config {`
`285`	`257`	`subject_config {`
`286`	`258`	`subject {`
`287`		`- organization = "HashiCorp"`
	`259`	`+ organization = "ACME"`
`288`	`260`	`common_name = "my-certificate-authority"`
`289`	`261`	`}`
`290`		`- subject_alt_name {`
`291`		`- dns_names = ["hashicorp.com"]`
`292`		`- }`
`293`	`262`	`}`
`294`	`263`	`subject_key_id {`
`295`	`264`	`key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca"`
`296`	`265`	`}`
`297`	`266`	`x509_config {`
`298`	`267`	`ca_options {`
`299`	`268`	`is_ca = true`
`300`		`- max_issuer_path_length = 10`
`301`	`269`	`}`
`302`	`270`	`key_usage {`
`303`	`271`	`base_key_usage {`
`304`		`- digital_signature = true`
`305`		`- content_commitment = true`
`306`		`- key_encipherment = false`
`307`		`- data_encipherment = true`
`308`		`- key_agreement = true`
`309`	`272`	`cert_sign = true`
`310`	`273`	`crl_sign = true`
`311`		`- decipher_only = true`
`312`	`274`	`}`
`313`	`275`	`extended_key_usage {`
`314`		`- server_auth = true`
`315`		`- client_auth = false`
`316`		`- email_protection = true`
`317`		`- code_signing = true`
`318`		`- time_stamping = true`
`319`	`276`	`}`
`320`	`277`	`}`
`321`	`278`	`}`
`322`	`279`	`}`
`323`		`- lifetime = "86400s"`
	`280`	`+ # valid for 10 years`
	`281`	`+ lifetime = "${10 * 365 * 24 * 3600}s"`
`324`	`282`	`key_spec {`
`325`	`283`	`cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"`
`326`	`284`	`}`