google_privateca_certificate

A Certificate corresponds to a signed X.509 certificate issued by a Certificate.

Example Usage - Privateca Certificate Generated Key

resource "google_privateca_ca_pool" "default" {
  location = "us-central1"
  name = "default"
  tier = "ENTERPRISE"
}

resource "google_privateca_certificate_authority" "default" {
  location = "us-central1"
  pool = google_privateca_ca_pool.default.name
  certificate_authority_id = "my-authority"
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  // Disable CA deletion related safe checks for easier cleanup.
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
}

resource "tls_private_key" "cert_key" {
  algorithm = "RSA"
}

resource "google_privateca_certificate" "default" {
  location = "us-central1"
  pool = google_privateca_ca_pool.default.name
  certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id
  lifetime = "86000s"
  name = "cert-1"
  config {
    subject_config  {
      subject {
        common_name = "san1.example.com"
        country_code = "us"
        organization = "google"
        organizational_unit = "enterprise"
        locality = "mountain view"
        province = "california"
        street_address = "1600 amphitheatre parkway"
      } 
      subject_alt_name {
        email_addresses = ["email@example.com"]
        ip_addresses = ["127.0.0.1"]
        uris = ["http://www.ietf.org/rfc/rfc3986.txt"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign = true
        }
        extended_key_usage {
          server_auth = false
        }
      }
      name_constraints {
        critical                  = true
        permitted_dns_names       = ["*.example.com"]
        excluded_dns_names        = ["*.deny.example.com"]
        permitted_ip_ranges       = ["10.0.0.0/8"]
        excluded_ip_ranges        = ["10.1.1.0/24"]
        permitted_email_addresses = [".example.com"]
        excluded_email_addresses  = [".deny.example.com"]
        permitted_uris            = [".example.com"]
        excluded_uris             = [".deny.example.com"]
      }
    }
    public_key {
      format = "PEM"
      key = base64encode(tls_private_key.cert_key.public_key_pem)
    }
  }
}

Example Usage - Privateca Certificate With Template

resource "google_privateca_ca_pool" "default" {
  location = "us-central1"
  name = "my-pool"
  tier = "ENTERPRISE"
}

resource "google_privateca_certificate_template" "default" {
  location    = "us-central1"
  name = "my-certificate-template"
  description = "An updated sample certificate template"

  identity_constraints {
    allow_subject_alt_names_passthrough = true
    allow_subject_passthrough           = true

    cel_expression {
      description = "Always true"
      expression  = "true"
      location    = "any.file.anywhere"
      title       = "Sample expression"
    }
  }

  passthrough_extensions {
    additional_extensions {
      object_id_path = [1, 6]
    }

    known_extensions = ["EXTENDED_KEY_USAGE"]
  }

  predefined_values {
    additional_extensions {
      object_id {
        object_id_path = [1, 6]
      }

      value    = "c3RyaW5nCg=="
      critical = true
    }

    aia_ocsp_servers = ["string"]

    ca_options {
      is_ca                  = false
      max_issuer_path_length = 6
    }

    key_usage {
      base_key_usage {
        cert_sign          = false
        content_commitment = true
        crl_sign           = false
        data_encipherment  = true
        decipher_only      = true
        digital_signature  = true
        encipher_only      = true
        key_agreement      = true
        key_encipherment   = true
      }

      extended_key_usage {
        client_auth      = true
        code_signing     = true
        email_protection = true
        ocsp_signing     = true
        server_auth      = true
        time_stamping    = true
      }

      unknown_extended_key_usages {
        object_id_path = [1, 6]
      }
    }

    policy_ids {
      object_id_path = [1, 6]
    }
  }
}

resource "google_privateca_certificate_authority" "default" {
  location = "us-central1"
  pool = google_privateca_ca_pool.default.name
  certificate_authority_id = "my-authority"
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca = true
      }
      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign = true
        }
        extended_key_usage {
          server_auth = false
        }
      }
    }
  }
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  // Disable CA deletion related safe checks for easier cleanup.
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
}


resource "google_privateca_certificate" "default" {
  location = "us-central1"
  pool = google_privateca_ca_pool.default.name
  certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id
  name = "my-certificate"
  lifetime = "860s"
  pem_csr = file("test-fixtures/rsa_csr.pem")
  certificate_template = google_privateca_certificate_template.default.id
}

Example Usage - Privateca Certificate Csr

resource "google_privateca_ca_pool" "default" {
  location = "us-central1"
  name = "my-pool"
  tier = "ENTERPRISE"
}

resource "google_privateca_certificate_authority" "default" {
  location = "us-central1"
  pool = google_privateca_ca_pool.default.name
  certificate_authority_id = "my-authority"
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca = true
      }
      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign = true
        }
        extended_key_usage {
          server_auth = false
        }
      }
    }
  }
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  // Disable CA deletion related safe checks for easier cleanup.
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
}


resource "google_privateca_certificate" "default" {
  location = "us-central1"
  pool = google_privateca_ca_pool.default.name
  certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id
  name = "my-certificate"
  lifetime = "860s"
  pem_csr = file("test-fixtures/rsa_csr.pem")
}

Example Usage - Privateca Certificate No Authority

resource "google_privateca_ca_pool" "default" {
  location = "us-central1"
  name = "my-pool"
  tier = "ENTERPRISE"
}

resource "google_privateca_certificate_authority" "default" {
  location = "us-central1"
  pool = google_privateca_ca_pool.default.name
  certificate_authority_id = "my-authority"
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          digital_signature = true
          cert_sign = true
          crl_sign = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  lifetime = "86400s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  // Disable CA deletion related safe checks for easier cleanup.
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
}


resource "google_privateca_certificate" "default" {
  location = "us-central1"
  pool = google_privateca_ca_pool.default.name
  name = "my-certificate"
  lifetime = "860s"
  config {
    subject_config  {
      subject {
        common_name = "san1.example.com"
        country_code = "us"
        organization = "google"
        organizational_unit = "enterprise"
        locality = "mountain view"
        province = "california"
        street_address = "1600 amphitheatre parkway"
        postal_code = "94109"
      }
    }
    x509_config {
      ca_options {
        is_ca = false
      }
      key_usage {
        base_key_usage {
          crl_sign = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
    public_key {
      format = "PEM"
      key = filebase64("test-fixtures/rsa_public.pem")
    }
  }
  // Certificates require an authority to exist in the pool, though they don't
  // need to be explicitly connected to it
  depends_on = [google_privateca_certificate_authority.default]
}

Example Usage - Privateca Certificate Custom Ski

resource "google_privateca_ca_pool" "default" {
  location = "us-central1"
  name = "my-pool"
  tier = "ENTERPRISE"
}

resource "google_privateca_certificate_authority" "default" {
  location = "us-central1"
  pool = google_privateca_ca_pool.default.name
  certificate_authority_id = "my-authority"
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          digital_signature = true
          cert_sign = true
          crl_sign = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  lifetime = "86400s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  // Disable CA deletion related safe checks for easier cleanup.
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
}


resource "google_privateca_certificate" "default" {
  location = "us-central1"
  pool = google_privateca_ca_pool.default.name
  name = "my-certificate"
  lifetime = "860s"
  config {
    subject_config  {
      subject {
        common_name = "san1.example.com"
        country_code = "us"
        organization = "google"
        organizational_unit = "enterprise"
        locality = "mountain view"
        province = "california"
        street_address = "1600 amphitheatre parkway"
        postal_code = "94109"
      }
    }
    subject_key_id {
      key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca"
    }
    x509_config {
      ca_options {
        is_ca = false
      }
      key_usage {
        base_key_usage {
          crl_sign = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
    public_key {
      format = "PEM"
      key = filebase64("test-fixtures/rsa_public.pem")
    }
  }
  // Certificates require an authority to exist in the pool, though they don't
  // need to be explicitly connected to it
  depends_on = [google_privateca_certificate_authority.default]
}

Argument Reference

The following arguments are supported:


The config block supports:

The x509_config block supports:

The additional_extensions block supports:

The object_id block supports:

The policy_ids block supports:

The ca_options block supports:

The key_usage block supports:

The base_key_usage block supports:

The extended_key_usage block supports:

The unknown_extended_key_usages block supports:

The name_constraints block supports:

The subject_config block supports:

The subject block supports:

The subject_alt_name block supports:

The subject_key_id block supports:

The public_key block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

The revocation_details block contains:

The certificate_description block contains:

The subject_description block contains:

The subject block contains:

The subject_alt_name block contains:

The custom_sans block contains:

The obect_id block contains:

The x509_description block contains:

The additional_extensions block contains:

The object_id block contains:

The policy_ids block contains:

The ca_options block contains:

The key_usage block contains:

The base_key_usage block contains:

The extended_key_usage block contains:

The unknown_extended_key_usages block contains:

The name_constraints block contains:

The public_key block contains:

The subject_key_id block contains:

The authority_key_id block contains:

The cert_fingerprint block contains:

Timeouts

This resource provides the following Timeouts configuration options:

Import

Certificate can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import Certificate using one of the formats above. For example:

import {
  id = "projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}"
  to = google_privateca_certificate.default
}

When using the terraform import command, Certificate can be imported using one of the formats above. For example:

$ terraform import google_privateca_certificate.default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}
$ terraform import google_privateca_certificate.default {{project}}/{{location}}/{{pool}}/{{name}}
$ terraform import google_privateca_certificate.default {{location}}/{{pool}}/{{name}}

User Project Overrides

This resource supports User Project Overrides.