Terraform on Azure not creating a PKCS12 certificate

Question (votes: 0, answers: 1)

I am trying to create a Terraform script that will be driven by a yml pipeline in Azure DevOps. It needs to create a self-signed pfx certificate to be used for certificate-based authentication. The script below does create a certificate, but even though I have set the secret_properties content type, it does not seem to create a pfx.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.89.0"
    }
  }

}

provider "azurerm" {
  features {
    # key_vault {
    #   purge_soft_deleted_certificates_on_destroy = true
    #   recover_soft_deleted_certificates          = true
    # }
  }
}

# Required so that the tenant_id element can be dynamically added
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "mtc-rg" {
  name     = "mtc-resources"
  location = "Australia Southeast"
  tags = {
    environment = "dev"
  }
}

resource "azurerm_key_vault" "mtc-keyv" {
  name                = "mtc-keyvault"
  location            = azurerm_resource_group.mtc-rg.location
  resource_group_name = azurerm_resource_group.mtc-rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  soft_delete_retention_days = 90
  purge_protection_enabled   = true # <------ TODO

  # Only certificate permissions are granted to this principal; no
  # key_permissions or secret_permissions are set in this policy.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = "<< user object_id here >>"

    certificate_permissions = [
      "Create",
      "Delete",
      "List",
      "Get"
    ]
  }
}

resource "azurerm_key_vault_certificate" "mtc-cert" {
  name         = "snoogans"
  key_vault_id = azurerm_key_vault.mtc-keyv.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_type   = "RSA"
      key_size   = 2048
      reuse_key  = false
    }

    # Format of the secret that stores the certificate together with its
    # private key: "application/x-pkcs12" is PFX, "application/x-pem-file" is PEM.
    secret_properties {
      content_type = "application/x-pkcs12"
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    x509_certificate_properties {
      # Adjust the subject, validity period, etc., as needed
      subject            = "CN=SomeSubject"
      validity_in_months = 60

      key_usage = [
        "digitalSignature",
        "keyEncipherment",
      ]

      # serverAuth OID = 1.3.6.1.5.5.7.3.1
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
    }
  }

  depends_on = [
    azurerm_key_vault.mtc-keyv,
  ]

}

After running tf, I have been running an Azure CLI script to download the certificate so that I can export the public key and encode it as Base64 to give to the team that manages the token server. I need this certificate to be a pfx so that my .NET Core REST API can fetch the certificate from Azure and generate a JWT (which needs the private key), then pass it along with the authentication request to the token server, which then validates the JWT using the previously exported public key.

So after downloading the certificate from Azure, I cannot export it because it is apparently in the wrong format. I checked the Key Vault in the Azure portal and can see that the option to download as pfx is disabled.

Can anyone see what I am missing in my tf?

azure terraform x509certificate
1 Answer

0 votes

I tried creating a PKCS12 certificate in Azure Key Vault with terraform and was able to configure the requirement successfully.

You have basically configured the script correctly, using the secret_properties block to set the content type to application/x-pkcs12, which is the MIME type for PFX files.

One possible reason the Download as PFX option is disabled in the Azure portal is that the certificate's private key is not available or is not marked as exportable. You have specified exportable = true under key_properties in your Terraform code, which should make the private key exportable. However, if the problem persists, you can try the following steps:

  1. Permissions: the Terraform script should be run by a service principal or a user that has the correct permissions to generate and export keys and certificates from Key Vault.

  2. Azure CLI or SDK: to fetch the certificate using the Azure CLI or any SDK, you need to use the correct commands and have the appropriate permissions.

My terraform configuration:

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "mtcvk-resources"
  location = "east us"
}

resource "azurerm_key_vault" "example" {
  name                        = "mtcvk-keyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  soft_delete_retention_days  = 90
  purge_protection_enabled    = true

  # Key, secret and certificate permissions are all granted here. The PFX that
  # carries the private key is read through the secret endpoint of the vault,
  # so the secret "Get" permission is what allows it to be exported.
  access_policy {
    tenant_id           = data.azurerm_client_config.current.tenant_id
    object_id           = "enter your user or SP object ID"
    key_permissions     = ["Create", "Get", "Delete", "List", "Update", "Import", "Backup", "Restore", "Recover"]
    secret_permissions  = ["Set", "Get", "Delete", "List", "Recover", "Backup", "Restore"]
    certificate_permissions = ["Create", "Delete", "Get", "List", "Update", "ManageContacts", "GetIssuers", "ListIssuers", "SetIssuers", "DeleteIssuers"]

  }
}

resource "azurerm_key_vault_certificate" "example" {
  name         = "snoogans"
  key_vault_id = azurerm_key_vault.example.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_type   = "RSA"
      key_size   = 2048
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    x509_certificate_properties {
      subject            = "CN=SomeSubject"
      validity_in_months = 60
      key_usage          = ["digitalSignature", "keyEncipherment"]
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
    }
  }
}

Output: (four screenshots, not reproduced here)
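What the Azure CLI hands back from each Key Vault endpoint, and how to get from the downloaded PFX to the Base64 public certificate the question wants to give the token-server team, as an added example that is part of neither the question nor the answer. It assumes the vault and certificate names from the Terraform above (mtc-keyvault, snoogans) and an empty PFX password, which is what Key Vault uses when the certificate's secret is downloaded; the PFX the functions operate on is constructed locally with openssl so that the script runs offline, and the real `az keyvault secret download` call is shown only in a comment.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Key Vault exposes one certificate through three endpoints. With the
# Terraform above (names assumed: vault mtc-keyvault, certificate snoogans):
#   certificates/snoogans : public certificate only, never the private key
#   keys/snoogans         : the key object; exportable = true is what allows
#                           it to leave the vault inside the PFX at all
#   secrets/snoogans      : the PFX (content_type application/x-pkcs12) that
#                           holds the private key; reading it needs the secret
#                           permission "Get", not only certificate permissions
# So `az keyvault certificate download` can only ever yield the public part.
# The PFX the .NET API needs is fetched from the secret endpoint:
#
#   az keyvault secret download --vault-name mtc-keyvault --name snoogans \
#       --encoding base64 --file snoogans.pfx
#
# Everything below works on such a file with openssl only, so it runs offline.
set -eu

# make_test_pfx OUT: constructed stand-in for the downloaded file (RSA 2048,
# self-signed, empty password like a Key Vault export). Not a vault artifact.
make_test_pfx() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=SomeSubject" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -passout pass: -out "$1"
  rm -rf "$dir"
}

# pfx_has_private_key PFX: succeeds if the PFX carries a private key, i.e. the
# JWT signer in the API can actually sign with it. A public-only download
# (the certificate endpoint) fails this check.
pfx_has_private_key() {
  openssl pkcs12 -in "$1" -passin pass: -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# public_cert_b64 PFX: the leaf certificate as base64 DER, the only value that
# should leave your team. The token server verifies JWTs with this and it
# contains no key material.
public_cert_b64() {
  openssl pkcs12 -in "$1" -passin pass: -nokeys -clcerts 2>/dev/null \
    | openssl x509 -outform DER | openssl base64 -A
}

# cert_subject PFX: subject DN of the leaf certificate, for a sanity check.
cert_subject() {
  openssl pkcs12 -in "$1" -passin pass: -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Stand-alone demo on the constructed PFX.
demo_pfx=$(mktemp)
make_test_pfx "$demo_pfx"
pfx_has_private_key "$demo_pfx" && echo "private key present: PFX is usable for JWT signing"
echo "subject: $(cert_subject "$demo_pfx")"
echo "public certificate (base64 DER) for the token server:"
public_cert_b64 "$demo_pfx"; echo
rm -f "$demo_pfx"
```

The same three functions work unchanged on a PFX written by `az keyvault secret download --encoding base64`; if `pfx_has_private_key` fails on that file, the secret was not readable with the PFX content (check the secret "Get" permission and `exportable = true`) rather than anything in the x509 properties.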

© www.soinside.com 2019 - 2024. All rights reserved.