plumb thru root cert tll to the aws ca provider (#11449)
* plumb thru root cert ttl to the aws ca provider Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Update .changelog/11449.txt Co-authored-by: Dhia Ayachi <dhia@hashicorp.com> Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
This commit is contained in:
parent
e5e65b71ad
commit
9afecfa10c
@ -0,0 +1,3 @@
|
|||
```release-note:feature
|
||||
ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate.
|
||||
```
|
|
@ -33,9 +33,6 @@ const (
|
|||
// leaf cert.
|
||||
LeafTemplateARN = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
|
||||
|
||||
// RootTTL is the validity duration for root certs we create.
|
||||
AWSRootTTL = 5 * 365 * 24 * time.Hour
|
||||
|
||||
// IntermediateTTL is the validity duration for the intermediate certs we
|
||||
// create.
|
||||
AWSIntermediateTTL = 1 * 365 * 24 * time.Hour
|
||||
|
@ -211,7 +208,7 @@ func (a *AWSProvider) ensureCA() error {
|
|||
}
|
||||
|
||||
// Self-sign it as a root
|
||||
certPEM, err := a.signCSR(csrPEM, RootTemplateARN, AWSRootTTL)
|
||||
certPEM, err := a.signCSR(csrPEM, RootTemplateARN, a.config.RootCertTTL)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
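Review bot: The self-signing call `certPEM, err := a.signCSR(csrPEM, RootTemplateARN, a.config.RootCertTTL)` now forwards a user-supplied duration, but nothing in this hunk checks it against `AWSIntermediateTTL`, which the first hunk leaves as a fixed one-year constant, so a RootCertTTL shorter than that (or a zero value, if the common-config default is not applied before this point) would be passed to the CA unchecked and the intermediate could outlive the root. If that ordering is not already enforced where the CA config is parsed, guard it here: `if a.config.RootCertTTL <= AWSIntermediateTTL { return fmt.Errorf("RootCertTTL %s must be longer than the intermediate TTL %s", a.config.RootCertTTL, AWSIntermediateTTL) }` (assuming fmt is already imported in this file). The expected-time computation in the test file suggests signCSR truncates the duration to whole days before it reaches ACM PCA; a comment such as `// RootCertTTL is truncated to whole days by signCSR` on this line would make that visible to readers of the config. ensureCA starts before this hunk.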
|
|
@ -5,6 +5,7 @@ import (
|
|||
"strconv"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/service/acmpca"
|
||||
|
@ -41,6 +42,7 @@ func TestAWSBootstrapAndSignPrimary(t *testing.T) {
|
|||
cfg := map[string]interface{}{
|
||||
"PrivateKeyType": tc.KeyType,
|
||||
"PrivateKeyBits": tc.KeyBits,
|
||||
"RootCertTTL": "8761h",
|
||||
}
|
||||
provider := testAWSProvider(t, testProviderConfigPrimary(t, cfg))
|
||||
defer provider.Cleanup(true, nil)
|
||||
|
@ -69,10 +71,37 @@ func TestAWSBootstrapAndSignPrimary(t *testing.T) {
|
|||
require.Equal(tc.KeyType, keyType)
|
||||
require.Equal(tc.KeyBits, keyBits)
|
||||
|
||||
// Ensure that the root cert ttl is withing the configured value
|
||||
// computation is similar to how we are passing the TTL thru the aws client
|
||||
expectedTime := time.Now().AddDate(0, 0, int(8761*60*time.Minute/day)).UTC()
|
||||
require.WithinDuration(expectedTime, rootCert.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
|
||||
|
||||
// Sign a leaf with it
|
||||
testSignAndValidate(t, provider, rootPEM, nil)
|
||||
})
|
||||
}
|
||||
|
||||
t.Run("Test default root ttl for aws ca provider", func(t *testing.T) {
|
||||
|
||||
provider := testAWSProvider(t, testProviderConfigPrimary(t, nil))
|
||||
defer provider.Cleanup(true, nil)
|
||||
|
||||
// Generate the root
|
||||
require.NoError(t, provider.GenerateRoot())
|
||||
|
||||
// Fetch Active Root
|
||||
rootPEM, err := provider.ActiveRoot()
|
||||
require.NoError(t, err)
|
||||
|
||||
// Ensure they use the right key type
|
||||
rootCert, err := connect.ParseCert(rootPEM)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Ensure that the root cert ttl is withing the configured value
|
||||
// computation is similar to how we are passing the TTL thru the aws client
|
||||
expectedTime := time.Now().AddDate(0, 0, int(87600*60*time.Minute/day)).UTC()
|
||||
require.WithinDuration(t, expectedTime, rootCert.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
|
||||
})
|
||||
}
|
||||
|
||||
func testSignAndValidate(t *testing.T, p Provider, rootPEM string, intermediatePEMs []string) {
|
||||
|
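Review bot: The comment `// Ensure they use the right key type` above `rootCert, err := connect.ParseCert(rootPEM)` in the new default-TTL subtest is copied from the keyed cases but the subtest never checks the key type; it should read `// Parse the root so its validity period can be checked`. Both new assertions also hard-code the day-truncation formula and the numbers 8761 and 87600 separately from the `"8761h"` config string and the provider default, so a change to the default or to how signCSR rounds the TTL would break the test in two places; deriving the expectation from the configured duration (e.g. via `time.ParseDuration`) in one small helper would keep them in sync. The duplicated comment `// Ensure that the root cert ttl is withing the configured value` has a typo and should say `within`. `day` and `testProviderConfigPrimary` are defined outside this hunk, as is the start of TestAWSBootstrapAndSignPrimary.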
|
|
@ -1271,9 +1271,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
|
|||
Defaults to 10 years as `87600h`. This value, if provided, needs to be higher than the
|
||||
intermediate certificate TTL.
|
||||
|
||||
This setting currently applies only to the consul connect and Vault CA providers. It is
|
||||
ignored for the AWS acm pca provider. The value for root certificates issued by the AWS
|
||||
CA provider is 5 years and not configurable at this time.
|
||||
This setting applies to all Consul CA providers.
|
||||
|
||||
For the Vault provider, this value is only used if the backend is not initialized at first.
|
||||
|
||||
|
|
|
@ -39,9 +39,7 @@ The following configuration options are supported by all CA providers:
|
|||
Defaults to 10 years as `87600h`. This value, if provided, needs to be higher than the
|
||||
intermediate certificate TTL.
|
||||
|
||||
This setting currently applies only to the consul connect and Vault CA providers. It is
|
||||
ignored for the AWS acm pca provider. The value for root certificates issued by the AWS
|
||||
CA provider is 5 years and not configurable at this time.
|
||||
This setting applies to all Consul CA providers.
|
||||
|
||||
For the Vault provider, this value is only used if the backend is not initialized at first.
|
||||
|
||||
|