plumb thru root cert tll to the aws ca provider (#11449)

* plumb thru root cert ttl to the aws ca provider

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

* Update .changelog/11449.txt

Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>

Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
This commit is contained in:
FFMMM 2021-11-04 12:19:08 -07:00 committed by GitHub
parent e5e65b71ad
commit 9afecfa10c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 35 additions and 10 deletions

3
.changelog/11449.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:feature
ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate.
```

View File

@ -33,9 +33,6 @@ const (
// leaf cert.
LeafTemplateARN = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
// RootTTL is the validity duration for root certs we create.
AWSRootTTL = 5 * 365 * 24 * time.Hour
// IntermediateTTL is the validity duration for the intermediate certs we
// create.
AWSIntermediateTTL = 1 * 365 * 24 * time.Hour
@ -211,7 +208,7 @@ func (a *AWSProvider) ensureCA() error {
}
// Self-sign it as a root
certPEM, err := a.signCSR(csrPEM, RootTemplateARN, AWSRootTTL)
certPEM, err := a.signCSR(csrPEM, RootTemplateARN, a.config.RootCertTTL)
if err != nil {
return err
}

View File

@ -5,6 +5,7 @@ import (
"strconv"
"strings"
"testing"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/acmpca"
@ -41,6 +42,7 @@ func TestAWSBootstrapAndSignPrimary(t *testing.T) {
cfg := map[string]interface{}{
"PrivateKeyType": tc.KeyType,
"PrivateKeyBits": tc.KeyBits,
"RootCertTTL": "8761h",
}
provider := testAWSProvider(t, testProviderConfigPrimary(t, cfg))
defer provider.Cleanup(true, nil)
@ -69,10 +71,37 @@ func TestAWSBootstrapAndSignPrimary(t *testing.T) {
require.Equal(tc.KeyType, keyType)
require.Equal(tc.KeyBits, keyBits)
// Ensure that the root cert ttl is withing the configured value
// computation is similar to how we are passing the TTL thru the aws client
expectedTime := time.Now().AddDate(0, 0, int(8761*60*time.Minute/day)).UTC()
require.WithinDuration(expectedTime, rootCert.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
// Sign a leaf with it
testSignAndValidate(t, provider, rootPEM, nil)
})
}
t.Run("Test default root ttl for aws ca provider", func(t *testing.T) {
provider := testAWSProvider(t, testProviderConfigPrimary(t, nil))
defer provider.Cleanup(true, nil)
// Generate the root
require.NoError(t, provider.GenerateRoot())
// Fetch Active Root
rootPEM, err := provider.ActiveRoot()
require.NoError(t, err)
// Ensure they use the right key type
rootCert, err := connect.ParseCert(rootPEM)
require.NoError(t, err)
// Ensure that the root cert ttl is withing the configured value
// computation is similar to how we are passing the TTL thru the aws client
expectedTime := time.Now().AddDate(0, 0, int(87600*60*time.Minute/day)).UTC()
require.WithinDuration(t, expectedTime, rootCert.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
})
}
func testSignAndValidate(t *testing.T, p Provider, rootPEM string, intermediatePEMs []string) {

View File

@ -1271,9 +1271,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
Defaults to 10 years as `87600h`. This value, if provided, needs to be higher than the
intermediate certificate TTL.
This setting currently applies only to the consul connect and Vault CA providers. It is
ignored for the AWS acm pca provider. The value for root certificates issued by the AWS
CA provider is 5 years and not configurable at this time.
This setting applies to all Consul CA providers.
For the Vault provider, this value is only used if the backend is not initialized at first.

View File

@ -39,9 +39,7 @@ The following configuration options are supported by all CA providers:
Defaults to 10 years as `87600h`. This value, if provided, needs to be higher than the
intermediate certificate TTL.
This setting currently applies only to the consul connect and Vault CA providers. It is
ignored for the AWS acm pca provider. The value for root certificates issued by the AWS
CA provider is 5 years and not configurable at this time.
This setting applies to all Consul CA providers.
For the Vault provider, this value is only used if the backend is not initialized at first.