Closed tofkamp closed 1 month ago
Ok, I need time to think about whether it is possible to implement it and how best to do it.
:tada: This issue has been resolved in version 1.51.0 :tada:
The release is available on GitHub release
Your semantic-release bot :package::rocket:
```hcl
data "routeros_x509" "cert" {
  data = <<EOT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOT
}

resource "routeros_file" "key" {
  name = "external.key"
  # The lines of the certificate must not contain indentation.
  contents = <<EOT
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiy/wEW6/MglgICCAAw
HQYJYIZIAWUDBAEqBBD6v8dLA2FjPn62Xz57pcu9BIGQhclivPw1eC2b14ea58Tw
nzDdbYN6/yUiMqapW2xZaT7ZFnbEai4n9/utgtEDnfKHlZvZj2kRhvYoWrvTkt/W
1mkd5d/runsn+B5GO+CMHFHh4t41WMpZysmg+iP8FiiehOQEsWyEZFaedxfYYtSL
Sk+abxJ+NMQoh+S5d73niu1CO8uqQjOd8BoSOurURsOh
-----END ENCRYPTED PRIVATE KEY-----
EOT
}

resource "routeros_file" "cert" {
  name = "external.crt"
  # Normalized certificate (re-wrapped PEM from the data source)
  contents = data.routeros_x509.cert.pem
}

resource "routeros_system_certificate" "external" {
  name        = "external.crt"
  common_name = data.routeros_x509.cert.common_name

  import {
    cert_file_name = routeros_file.cert.name
    key_file_name  = routeros_file.key.name
    # Passphrase of the encrypted private key above (example value)
    passphrase = "11111111"
  }

  depends_on = [routeros_file.key, routeros_file.cert]
}
```
Thank you for making this possible, but I see a flaw. Usual certificates are signed by a sub-CA or CA. The public keys of the CA have to be imported as well. I could use this feature to import the CA certificate, but this implementation demands a key in order to import the certificate, which I do not have for the CA (or sub-CA). And even if I had the private key, I would not want to install it on the switch for security reasons. I tried concatenating the public key of the CA to the public key of the certificate, but that did not solve the problem either. What if the CA was already present on the MikroTik switch? It should be a separate entity in Terraform, so it can be managed by Terraform (expiration/renewal etc.).
You can easily import a certificate that does not contain a private key. To do this, you only need to specify the certificate data. I don't quite understand the problem regarding the root CA. Please explain it in more detail. You can import a resource for any certificate.
Yes, you are right. I read the documentation wrong. I can import a certificate (CA or not) without a key.
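The CA-chain case discussed above, as an added example (not code from this thread or from the provider's documentation): a concatenated CA bundle is split into one PEM block per certificate, each block is normalized through the `routeros_x509` data source exactly as in the maintainer's example, uploaded with `routeros_file`, and imported as its own `routeros_system_certificate` without any private key. The variable name `ca_bundle_pem`, the `vpn_ca_NN` naming scheme, and the assumption that the `import` block accepts `cert_file_name` alone when there is no key (as the maintainer states above) are mine, not part of the original page.

```hcl
# Added example: import a CA chain (root + sub-CA) that has no private key,
# one RouterOS certificate per PEM block. Assumes the provider's import block
# accepts cert_file_name without key_file_name/passphrase (per the thread).

variable "ca_bundle_pem" {
  description = "Concatenated PEM certificates of the CA chain, public parts only"
  type        = string
}

locals {
  # Each regexall match is exactly one BEGIN..END CERTIFICATE block, so a
  # bundle that was concatenated in one file yields separate resources.
  ca_pem_blocks = regexall(
    "-----BEGIN CERTIFICATE-----[\\s\\S]*?-----END CERTIFICATE-----",
    var.ca_bundle_pem,
  )

  # Stable keys (position in the bundle) so for_each does not churn between plans.
  ca_certs = { for idx, pem in local.ca_pem_blocks : format("vpn_ca_%02d", idx) => pem }
}

# Normalizes each block (strips any indentation the heredoc carried) and
# exposes its common name, as the data source is used in the example above.
data "routeros_x509" "ca" {
  for_each = local.ca_certs
  data     = each.value
}

# Only the public certificate is written to the device's file system.
resource "routeros_file" "ca" {
  for_each = local.ca_certs
  name     = "${each.key}.crt"
  contents = data.routeros_x509.ca[each.key].pem
}

# One managed certificate entity per CA, so expiry/renewal is tracked by Terraform.
resource "routeros_system_certificate" "ca" {
  for_each    = local.ca_certs
  name        = each.key
  common_name = data.routeros_x509.ca[each.key].common_name

  import {
    # No key_file_name and no passphrase: the CA's private key never leaves the CA.
    cert_file_name = routeros_file.ca[each.key].name
  }

  depends_on = [routeros_file.ca]
}
```

Supply the bundle with `-var-file` or `TF_VAR_ca_bundle_pem` rather than pasting it into the configuration; keeping the root and sub-CA as separate `routeros_system_certificate` instances is what lets `terraform plan` show which one is approaching expiry.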
Is your feature request related to a problem? Please describe.
I want to make an OpenVPN connection from an external source, so I have to import the certificates.

Describe the solution you'd like
I create a resource "routeros_file" "VPN_CA" and want to import the certificate, but I cannot because the function is not present.

/certificate/import file-name="VPN_CA.crt" name="VPN_CA"

Additional context
This could also be used to configure HTTPS access with your own certificates.