Can azurerm_key_vault_certificate set a password on a certificate when generating a new one?

Question


I ran into an issue generating self-signed certificates via the Azure Key Vault where it wasn't possible to add a Subject Alternate Name at the time of creation.

To work around that I tried to create the keys via the azurerm terraform provider. The keys generate successfully but don't have a password.

From what I can see on the documentation for azurerm_key_vault_certificate here a password value can only be added in a certificate block, which is only used when importing a certificate.

I feel a bit stuck between not being able to create a certificate with a SAN via the portal and not being able to create a certificate with an encryption password via terraform. Am I missing something?

Answer 1

Score: 0


>Can azurerm_key_vault_certificate set a password on a certificate when generating a new one?

While generating a certificate in Azure Key Vault, you cannot set a password.
In Terraform, to create a new certificate, you have to use the certificate_policy argument in the azurerm_key_vault_certificate resource, which doesn't have a password parameter; setting a password is only supported for importing a certificate.

>I ran into an issue generating self-signed certificates via the Azure Key Vault where it wasn't possible to add a Subject Alternate Name at the time of creation.

I used the following Terraform code to generate a certificate with a Subject Alternative Name in Azure Key Vault:

resource "azurerm_key_vault_certificate" "kvcert01" {
  name         = "kvcertvjy"
  key_vault_id = data.azurerm_key_vault.kvkisdujfgweuvjy.id

  certificate_policy {
    issuer_parameters {
      name = "Self"       # for self-signed certificates
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      # Server Authentication = 1.3.6.1.5.5.7.3.1
      # Client Authentication = 1.3.6.1.5.5.7.3.2
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject_alternative_names {
        dns_names = ["portal.contoso.com", "terraform.hello.world"]
      }

      subject            = "CN=hello-world-terraform"
      validity_in_months = 12
    }
  }
}

Terraform output: https://i.imgur.com/P0ZO9Cw.png
Verify in portal:

>I feel a bit stuck between not being able to create a certificate with a SAN via the portal and not being able to create a certificate with an encryption password via terraform. Am I missing something?

You can create a certificate with a SAN in the portal by setting DNS names, following the steps below.

Verify the certificate
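
The import path mentioned in the question and the answer, as an added example that is not part of the original post: it uses the `certificate` block, the only place where azurerm_key_vault_certificate accepts a password. The file name `san-cert.pfx`, the variable `pfx_password` and the resource names are assumptions; the PFX is assumed to have been created outside Key Vault with the required SANs and an export password, and a provider version that requires `certificate_policy` on import would need one added.

```hcl
# Added example: import a password-protected PFX instead of generating
# the certificate inside Key Vault.
# Hypothetical names: pfx_password, san-cert.pfx, "imported", "kvcert-imported".

variable "pfx_password" {
  description = "Password that protects the local PFX file"
  type        = string
  sensitive   = true # hidden in plan/apply output, but still written to state
}

resource "azurerm_key_vault_certificate" "imported" {
  name         = "kvcert-imported"
  key_vault_id = data.azurerm_key_vault.kvkisdujfgweuvjy.id # data source from the answer

  # Import path: Key Vault uses the password to open the PFX.
  # No certificate_policy with issuer "Self" here, because nothing is generated.
  certificate {
    contents = filebase64("${path.module}/san-cert.pfx")
    password = var.pfx_password
  }
}
```

The password only unlocks the file during import. Both the PFX contents and the password end up in Terraform state, so the state backend needs the same access controls as the vault itself.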

huangapple
  • Posted on 2023-06-12 23:25:14
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76458125.html