Can azurerm_key_vault_certificate set a password on a certificate when generating a new one?

Question

I ran into an issue generating self-signed certificates via the Azure Key Vault where it wasn't possible to add a Subject Alternate Name at the time of creation.

To work around that I tried to create the keys via the azurerm terraform provider. The keys generate successfully but don't have a password.

From what I can see on the documentation for azurerm_key_vault_certificate here a password value can only be added in a certificate block, which is only used when importing a certificate.

I feel a bit stuck between not being able to create a certificate with a SAN via the portal and not being able to create a certificate with an encryption password via terraform. Am I missing something?

Answer 1

Score: 0

> Can azurerm_key_vault_certificate set a password on a certificate when generating a new one?

While generating a certificate in Azure Key Vault, you cannot set a password.
In Terraform, to create a new certificate, you have to use the certificate_policy argument in the azurerm_key_vault_certificate resource, which doesn't have a password parameter; setting a password is only supported when importing a certificate.

> I ran into an issue generating self-signed certificates via the Azure Key Vault where it wasn't possible to add a Subject Alternate Name at the time of creation.

I used the following Terraform code to generate a certificate with a Subject Alternative Name in Azure Key Vault:

```hcl
resource "azurerm_key_vault_certificate" "kvcert01" {
  name         = "kvcertvjy"
  key_vault_id = data.azurerm_key_vault.kvkisdujfgweuvjy.id

  certificate_policy {
    issuer_parameters {
      name = "Self" # for self-signed certificates
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      # Server Authentication = 1.3.6.1.5.5.7.3.1
      # Client Authentication = 1.3.6.1.5.5.7.3.2
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject_alternative_names {
        dns_names = ["portal.contoso.com", "terraform.hello.world"]
      }

      subject            = "CN=hello-world-terraform"
      validity_in_months = 12
    }
  }
}
```

Terraform output: https://i.imgur.com/P0ZO9Cw.png

Verify in portal: [image]

> I feel a bit stuck between not being able to create a certificate with a SAN via the portal and not being able to create a certificate with an encryption password via terraform. Am I missing something?

You can create a certificate with a SAN in the portal by setting DNS names, following the steps below. [image]

Verify the certificate: [image]

huangapple
  • Posted on June 12, 2023 at 23:25:14
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76458125.html