Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

Not able to generate tls certificates with csr set to 'service' #91

Closed forevergenin closed 2 years ago

forevergenin commented 2 years ago

I am using Terraform Venafi provider v0.15.5. Below is the snippet I am trying out. The certificate generation is failing and I am getting the error Error: pkcs8: only PBES2 supported. I am running this against Venafi Trust Protection Platform version 21.4.0.4246.

resource "venafi_certificate" "certificate" {
  common_name  = "subdomain.mydomain.com"
  algorithm    = "RSA"
  rsa_bits     = "2048"
  key_password = <16-character-random-password>
  valid_days   = 365
  csr_origin   = "service"
}

When I tried the same using the vcert command (version v4.17.1), I can enroll a new certificate and get the JSON response back.

vcert enroll \
  --format json \
  --csr service \
  --cn "subdomain.mydomain.com"

I dug into this to some extent, and it seems the pkcs8 Go library is the one responsible for the error message.

I am wondering if this issue is specific to my environment.

Update: I checked the certificate generation status on the portal. Looks like the certificate got generated but the pick-up by the terraform venafi provider failed.

forevergenin commented 2 years ago

I tested, and certificate enrollment and pickup with csr set to service are working fine with vcert version v4.18.2 as well.

luispresuelVenafi commented 2 years ago

Hi @forevergenin, I just tested this with the following quick snippet:

terraform {
  required_providers {
    venafi = {
      source = "venafi/venafi"
      version = "0.15.5"
    }
  }
  required_version = ">= 0.15"
}

provider "venafi" {
  url = "https://<tpp_url>"
  trust_bundle = file("path-ou-bundle")
  access_token = "<access_token_with_cert_manage_scope>"
  zone = "<zone_that_accepts_service_generated_keys>"
}

resource "venafi_certificate" "certificate" {
  algorithm    = "RSA"
  rsa_bits     = "2048"
  common_name  = "tls-tpp.venafi.example.com"
  key_password = "<16-character-random-password>"
  san_dns = [
    "tls-tpp.venafi.example.com",
  ]
  valid_days = 365
  csr_origin = "service"
}

And our provider ran successfully:

I believe this error is indeed due to your environment. Could you share more info about your zone? Is your policy's PBE (password-based encryption) algorithm configured for either "SHA1 3DES" or "SHA256 AES256"? I recall having the same error using "MD5 DES", which we no longer support in the TPP version you are currently using.
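The error in this thread comes from the Go pkcs8 library refusing anything that is not a PKCS#5 PBES2 EncryptedPrivateKeyInfo, and the fix was a zone policy change that is hard to see from the provider's side. The following is an added diagnostic, not code from the provider, from vcert or from anyone in this thread: it parses only the algorithm header of a DER-encoded EncryptedPrivateKeyInfo (no password needed) and reports whether the key uses PBES2, and if so which PBKDF2 PRF and cipher, so a mismatch with the zone's PBE setting can be spotted before a Terraform run. The sample inputs are constructed in the code with filler ciphertext; the mapping of TPP's "SHA256 AES256" and "SHA1 3DES" options to PBES2/PBKDF2 encodings is an assumption, and the OIDs are the standard PKCS#5 and NIST values.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// OIDs from PKCS#5 v2.1 (RFC 8018) and the NIST AES arc; pbeWithMD5AndDES-CBC is a legacy PBES1 scheme.
var (
	oidPBES2          = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}
	oidPBKDF2         = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 12}
	oidHMACWithSHA1   = asn1.ObjectIdentifier{1, 2, 840, 113549, 2, 7}
	oidHMACWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 113549, 2, 9}
	oidDESEDE3CBC     = asn1.ObjectIdentifier{1, 2, 840, 113549, 3, 7}
	oidAES256CBC      = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 42}
	oidPBEMD5DES      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 3}
)
var oidNames = map[string]string{oidHMACWithSHA1.String(): "hmacWithSHA1", oidHMACWithSHA256.String(): "hmacWithSHA256",
	oidDESEDE3CBC.String(): "des-ede3-cbc", oidAES256CBC.String(): "aes256-CBC", oidPBEMD5DES.String(): "pbeWithMD5AndDES-CBC (PBES1)"}

func oidName(oid asn1.ObjectIdentifier) string {
	if n, ok := oidNames[oid.String()]; ok {
		return n
	}
	return "unknown (" + oid.String() + ")"
}

// ASN.1 shapes: EncryptedPrivateKeyInfo (RFC 5958); PBES2-params, PBKDF2-params, PBEParameter (RFC 8018).
type encryptedPrivateKeyInfo struct {
	EncryptionAlgorithm pkix.AlgorithmIdentifier // parameters stay raw until the scheme is known
	EncryptedData       []byte
}
type pbes2Params struct{ KeyDerivationFunc, EncryptionScheme pkix.AlgorithmIdentifier }
type pbkdf2Params struct {
	Salt           []byte
	IterationCount int
	KeyLength      int                      `asn1:"optional"`
	PRF            pkix.AlgorithmIdentifier `asn1:"optional"`
}
type pbeParams struct{ Salt []byte; IterationCount int }

// KeyEncryption is what the header alone reveals about how the key is protected.
type KeyEncryption struct {
	PBES2               bool   // the pkcs8 Go library accepts only PBES2
	Scheme, PRF, Cipher string // scheme name; PBKDF2 PRF and cipher are filled in for PBES2 only
	Iterations          int
}

// ClassifyEncryptedPKCS8 inspects the EncryptionAlgorithm without decrypting, so no password is needed.
func ClassifyEncryptedPKCS8(d []byte) (KeyEncryption, error) {
	var epki encryptedPrivateKeyInfo
	if _, err := asn1.Unmarshal(d, &epki); err != nil {
		return KeyEncryption{}, err
	}
	if alg := epki.EncryptionAlgorithm.Algorithm; !alg.Equal(oidPBES2) { // PBES1 or PKCS#12 PBE: what "only PBES2 supported" rejects
		return KeyEncryption{Scheme: oidName(alg)}, nil
	}
	var p2 pbes2Params
	if _, err := asn1.Unmarshal(epki.EncryptionAlgorithm.Parameters.FullBytes, &p2); err != nil {
		return KeyEncryption{}, fmt.Errorf("PBES2-params: %w", err)
	}
	if !p2.KeyDerivationFunc.Algorithm.Equal(oidPBKDF2) {
		return KeyEncryption{}, fmt.Errorf("unsupported KDF %s", p2.KeyDerivationFunc.Algorithm)
	}
	var kp pbkdf2Params
	if _, err := asn1.Unmarshal(p2.KeyDerivationFunc.Parameters.FullBytes, &kp); err != nil {
		return KeyEncryption{}, fmt.Errorf("PBKDF2-params: %w", err)
	}
	prf := oidHMACWithSHA1 // RFC 8018 default when prf is absent
	if len(kp.PRF.Algorithm) != 0 {
		prf = kp.PRF.Algorithm
	}
	return KeyEncryption{PBES2: true, Scheme: "PBES2", PRF: oidName(prf),
		Cipher: oidName(p2.EncryptionScheme.Algorithm), Iterations: kp.IterationCount}, nil
}

// der, algID and the Sample* builders produce constructed inputs (not captured from TPP): the headers
// are real encodings; EncryptedData is filler because classification never decrypts.
func der(v interface{}) []byte {
	b, _ := asn1.Marshal(v) // cannot fail for these fixed inputs
	return b
}
func algID(oid asn1.ObjectIdentifier, params []byte) pkix.AlgorithmIdentifier {
	return pkix.AlgorithmIdentifier{Algorithm: oid, Parameters: asn1.RawValue{FullBytes: params}}
}
func SamplePBES2(prf, cipher asn1.ObjectIdentifier) []byte {
	kdf := algID(oidPBKDF2, der(pbkdf2Params{Salt: []byte("constructed-salt"), IterationCount: 2048,
		PRF: pkix.AlgorithmIdentifier{Algorithm: prf, Parameters: asn1.NullRawValue}}))
	enc := algID(cipher, der(make([]byte, 16))) // IV placeholder
	return der(encryptedPrivateKeyInfo{algID(oidPBES2, der(pbes2Params{kdf, enc})), []byte("filler-ciphertext")})
}
func SampleLegacy(scheme asn1.ObjectIdentifier) []byte {
	return der(encryptedPrivateKeyInfo{algID(scheme, der(pbeParams{[]byte("8bytsalt"), 2048})), []byte("filler-ciphertext")})
}

func main() { // the PBES2 samples are assumed encodings of TPP's "SHA256 AES256" and "SHA1 3DES" options
	for _, d := range [][]byte{SamplePBES2(oidHMACWithSHA256, oidAES256CBC),
		SamplePBES2(oidHMACWithSHA1, oidDESEDE3CBC), SampleLegacy(oidPBEMD5DES)} {
		k, err := ClassifyEncryptedPKCS8(d)
		fmt.Printf("%+v err=%v\n", k, err)
	}
}
```

To use this on a real key, strip the PEM armour of an `ENCRYPTED PRIVATE KEY` block and pass the DER bytes to ClassifyEncryptedPKCS8; a result with PBES2 false is the case the provider cannot pick up, and the zone's PBE setting (not the Terraform configuration) is where to look.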

forevergenin commented 2 years ago

@luispresuelVenafi you are correct. While using vcert, if I set the format flag to pkcs12 I run into the error below. I will work with my administrator to update the PBE algorithm and test this out. Thanks for your time and effort!

vcert pickup --pickup-id "\\VED\\Policy\\@<redacted>" --key-password <random-password> --format pkcs12 --file $FQDN.pkcs12

vCert: 2022/04/27 17:30:38 Successfully connected to Trust Protection Platform
vCert: 2022/04/27 17:30:40 Successfully retrieved request for \VED\Policy\@<redacted>
vCert: 2022/04/27 17:30:40 ERROR: To continue, you must select either the SHA1 3DES or SHA256 AES256 private key PBE algorithm. In a web browser, log in to TLS Protect and go to Configuration > Folders, select your zone, then click Certificate Policy and expand Show Advanced Options to make the change.

forevergenin commented 2 years ago

I verified the PBE configuration. It is set to High security but low system compatibility (SHA256 AES256).

tr1ck3r commented 2 years ago

Hi @forevergenin, can you please check the "Other Information" section of the Settings > Certificate tab of the policy folder that matches the zone you're specifying for Terraform or VCert? What you showed in your screenshot applies to the Adaptable Application driver, which is an unrelated feature of TPP.

forevergenin commented 2 years ago

@tr1ck3r I checked the "Other Information" section. The PBE is configured as MD5 3DES.

tr1ck3r commented 2 years ago

@forevergenin you should be all set if you change that to "SHA1 3DES" or "SHA256 AES256" (both are stronger password-based encryption than what you currently have configured).

luispresuelVenafi commented 2 years ago

Hi @forevergenin,

Were you able to solve your issue with the comment above?

forevergenin commented 2 years ago

@luispresuelVenafi @tr1ck3r thank you so much for your insights. Updated the PBE for the zone to "SHA256 AES256" and this resolved the issue. I have verified it using vcert command line tool. I will soon verify it via terraform provider as well.

luispresuelVenafi commented 2 years ago

Thank you for your feedback @forevergenin! I'll be closing the ticket now. Let us know if you encounter any other issues.