search

hashicorp / terraform-provider-tls

Utility provider that works with Transport Layer Security keys and certificates. It provides resources that allow private keys, certificates and certficate requests to be created as part of a Terraform deployment.
https://registry.terraform.io/providers/hashicorp/tls/latest
Mozilla Public License 2.0
182 stars 102 forks source link

Support for PKCS#12 archive format #205

Open detro opened 2 years ago

detro commented 2 years ago

Terraform CLI and Provider Versions

1.1.x

Use Cases or Problem Statement

PKCS#12 is a specification for a cryptographic archive format. Here are some useful links:

Support for this has been a long standing request, and contributors have provided some implementations or reporting:

Based on what's reported in issues and tickets, this would allow for better interoperability with other providers, like Azure.

The approaches range between having resources expose PKCS#12 as an additional Computed: attribute, sitting side by side with cert_pem or private_key_pem, or as an entirely new resource, where we can use the other resources/data-sources to create it.

Proposal

Create a PCKS#12 resource that allows to archive (with optional password) cryptographic objects.

Leverage the contributions listed above as inspiration, but considering the age of some PRs, it's unlikely a cherry pick will be possible.

NOTE: The exact implementation might still require some thought, as it might be more beneficial to instead export PKCS#12 archives as additional attributes. How exactly the implementation will look like might need to be delayed until this issue is addressed.

How much impact is this issue causing?

Low

Additional Information

Closes #29 Closes #36 Closes #69 Closes #70 Closes #119

Code of Conduct

chilicat commented 2 years ago

Obsoletes https://github.com/chilicat/terraform-provider-pkcs12 Very welcome! :)

jbg commented 1 year ago

It would be great to be able to produce somewhat arbitrary PKCS12 bundles, rather than being limited to getting a PKCS12 bundle containing a single certificate chain and/or private key.

Java >= 9 uses PKCS12 as its default trust store format (just a big archive of CA certificates). Currently there is no simple way to centrally manage these trust stores across many deployed Java applications using only Terraform providers, since there is no PKCS12 provider that supports providing an arbitrary list of certificates and no keys.

h0nIg commented 1 year ago

ping @detro @bookshelfdave @ebekker @ @vancluever @zimbatm @digiwhite1980 @vadimkuznetsov @rajatrawat99 @elliotchaim @chilicat @troyready @Poil @slessardjr @easkay @holderbaum @dominik-lekse @ @draggeta @Leon99 @tombuildsstuff @MattMencel @apparentlymart @ @asc-adean @flokli @identifysun @mhaarbrink @ @marcmarcet @ @ankit-kumar-mck @ @Socolin @ @cicorias @jbg @tiwood @devlincashman @slessardjr

any update for this / any idea to push this forward? there is still nothing to be used out of the box (without workaround and without compiling something on my own)

jbg commented 1 year ago

If there were updates, you'd see them in this ticket. If you're going to ping 30+ random people, at least have something to add… 🙄

bendbennett commented 1 year ago

Hi @h0nIg 👋, This PR is currently on-hold as our team's attention is currently elsewhere at the moment. Apologies for any inconvenience.

jkroepke commented 9 months ago

@bendbennett is there an ETA to continue work on this?

clowa commented 2 months ago

+1 is there any current state of this feature request? Especially Azure depends a lot on pfx/ pkcs12 formatted certificate bundles.