@pbrumblay
Created March 27, 2025 22:55
# Pool that holds the self-signed root CA.
# NOTE(review): unlike the "subordinate" pool below, this pool declares no
# issuance_policy, so nothing at the pool level restricts what the root may
# sign. The root is only expected to sign the sub CA in this file; add a
# baseline_values block here if that expectation should be enforced.
resource "google_privateca_ca_pool" "root_ca_pool" {
  name     = "root-ca-pool"
  project  = var.target_project_id
  location = var.region
  tier     = "ENTERPRISE"

  # Publish the CA certificate and the CRL for this pool.
  publishing_options {
    publish_ca_cert = true
    publish_crl     = true
  }
}
# Self-signed root of the hierarchy; it is the parent of "sub_ca" below.
# No `lifetime` is set, so the provider default applies (believed to be
# 10 years -- confirm against the provider docs and set it explicitly if a
# different root validity is intended; the sub CA sets its own lifetime).
resource "google_privateca_certificate_authority" "root_ca" {
  certificate_authority_id = "root-ca"
  location                 = var.region
  pool                     = google_privateca_ca_pool.root_ca_pool.name
  type                     = "SELF_SIGNED"

  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  config {
    subject_config {
      subject {
        common_name  = "dmv-root-cert"
        organization = "DMV-DI"
      }
    }

    x509_config {
      ca_options {
        is_ca = true
        # No max_issuer_path_length here, so the root does not itself cap the
        # depth of the chain; the sub CA below caps its own at 0.
      }

      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        # NOTE(review): an EKU on a root CA is unusual. Some validators treat a
        # CA's EKU as a constraint on every certificate below it, so keep this
        # list consistent with the leaf usages the hierarchy is meant to issue.
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }

  // Disable CA deletion related safe checks for easier cleanup.
  // NOTE(review): as the attribute names indicate, with all three set a
  // `terraform destroy` removes this ROOT without a grace period and without
  // regard to certificates it has issued. Nothing in this file scopes that to
  // a lab environment; gate these on a variable before reusing the module.
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
}
# Pool that holds the subordinate (issuing) CA. Its issuance_policy sets
# baseline values that every certificate issued from this pool receives:
# not a CA, digital signature + key encipherment, server_auth EKU.
# Together with max_issuer_path_length = 0 on the sub CA this keeps the
# pool to leaf certificates only.
# NOTE(review): no `project` is set here, unlike "root_ca_pool"; the provider
# default project is used -- confirm that is the intended project.
resource "google_privateca_ca_pool" "subordinate" {
  name     = "sub-pool"
  location = var.region
  tier     = "ENTERPRISE"

  publishing_options {
    publish_ca_cert = true
    publish_crl     = true
  }

  issuance_policy {
    baseline_values {
      # Issued certificates can never act as a CA.
      ca_options {
        is_ca = false
      }

      key_usage {
        base_key_usage {
          digital_signature = true
          key_encipherment  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
}
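# Subordinate CA signed by "root_ca"; this is the CA that issues leaf
# certificates from the "subordinate" pool.
# Fix: the original carried `subject_alt_name { dns_names = [""] }`, i.e. a
# single empty DNS SAN. A CA certificate does not need a SAN and an empty
# dNSName is invalid, so the block is dropped entirely.
resource "google_privateca_certificate_authority" "sub_ca" {
  certificate_authority_id = "dmv-sub-ca"
  location                 = var.region
  pool                     = google_privateca_ca_pool.subordinate.name
  type                     = "SUBORDINATE"
  # One year (365 * 86400 s).
  lifetime                 = "31536000s"

  # Parent CA that signs this one.
  subordinate_config {
    certificate_authority = google_privateca_certificate_authority.root_ca.name
  }

  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  config {
    subject_config {
      subject {
        common_name  = "dmv-sub-cert"
        organization = "DMV-DI"
      }
    }

    x509_config {
      ca_options {
        is_ca = true
        # Force the sub CA to only issue leaf certs
        max_issuer_path_length = 0
      }

      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }

  // Disable CA deletion related safe checks for easier cleanup.
  // NOTE(review): these make `terraform destroy` remove the CA without a grace
  // period and regardless of issued certificates; gate them on a variable
  // before using this configuration outside a lab.
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
}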
# Private key for the leaf certificate, generated by Terraform.
# NOTE(review): only the algorithm is given, so the key size is the tls
# provider default (2048 bits at time of writing -- confirm). The
# private_key_pem attribute is written to Terraform state, so the state
# backend must be treated as holding the key material.
resource "tls_private_key" "default" {
  algorithm = "RSA"
}
# CSR for the leaf certificate, signed with the key generated above.
# NOTE(review): the request carries a subject only and no dns_names /
# ip_addresses, yet the pool's baseline gives the certificate a server_auth
# EKU. TLS clients generally match hostnames against SANs, not the CN, so a
# certificate issued from this CSR is unlikely to verify as a server
# certificate for any host; add the intended names here if that is the goal.
resource "tls_cert_request" "dmv_cert" {
  private_key_pem = tls_private_key.default.private_key_pem

  subject {
    organization = "DMV-DI"
    common_name  = "dmv-cert"
  }
}
# Leaf certificate issued from the subordinate pool for the CSR above.
# The pool's issuance_policy baseline applies, so the result is a non-CA
# certificate with the server_auth EKU.
# NOTE(review): `lifetime = "860s"` is roughly 14 minutes. If a one-day
# certificate was intended the value would be "86400s" -- confirm before use.
resource "google_privateca_certificate" "default" {
  name     = "dmv-cert"
  location = var.region
  pool     = google_privateca_ca_pool.subordinate.name
  # Explicitly refer the sub-CA so that the certificate creation will wait for the CA creation.
  certificate_authority = google_privateca_certificate_authority.sub_ca.certificate_authority_id
  lifetime = "860s"
  pem_csr  = tls_cert_request.dmv_cert.cert_request_pem
}