terraform-provider-tls icon indicating copy to clipboard operation
terraform-provider-tls copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

Support for PKCS#12 archive format

Open detro opened this issue 3 years ago • 7 comments

Terraform CLI and Provider Versions

1.1.x

Use Cases or Problem Statement

PKCS#12 is a specification for a cryptographic archive format. Here are some useful links:

  • https://datatracker.ietf.org/doc/html/rfc7292
  • https://en.wikipedia.org/wiki/PKCS_12

Support for this has been a long standing request, and contributors have provided some implementations or reporting:

  • https://github.com/hashicorp/terraform-provider-tls/issues/29
  • https://github.com/hashicorp/terraform-provider-tls/issues/36
  • https://github.com/hashicorp/terraform-provider-tls/pull/69
  • https://github.com/hashicorp/terraform-provider-tls/pull/70
  • https://github.com/hashicorp/terraform-provider-tls/pull/119

Based on what's reported in issues and tickets, this would allow for better interoperability with other providers, like Azure.

The approaches range between having resources expose PKCS#12 as an additional Computed: attribute, sitting side by side with cert_pem or private_key_pem, or as an entirely new resource, where we can use the other resources/data-sources to create it.

Proposal

Create a PCKS#12 resource that allows to archive (with optional password) cryptographic objects.

Leverage the contributions listed above as inspiration, but considering the age of some PRs, it's unlikely a cherry pick will be possible.

NOTE: The exact implementation might still require some thought, as it might be more beneficial to instead export PKCS#12 archives as additional attributes. How exactly the implementation will look like might need to be delayed until this issue is addressed.

How much impact is this issue causing?

Low

Additional Information

Closes #29 Closes #36 Closes #69 Closes #70 Closes #119

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

detro avatar May 09 '22 17:05 detro

Obsoletes https://github.com/chilicat/terraform-provider-pkcs12 Very welcome! :)

chilicat avatar May 16 '22 18:05 chilicat

It would be great to be able to produce somewhat arbitrary PKCS12 bundles, rather than being limited to getting a PKCS12 bundle containing a single certificate chain and/or private key.

Java >= 9 uses PKCS12 as its default trust store format (just a big archive of CA certificates). Currently there is no simple way to centrally manage these trust stores across many deployed Java applications using only Terraform providers, since there is no PKCS12 provider that supports providing an arbitrary list of certificates and no keys.

jbg avatar Feb 24 '23 03:02 jbg

ping @detro @bookshelfdave @ebekker @ @vancluever @zimbatm @digiwhite1980 @vadimkuznetsov @rajatrawat99 @elliotchaim @chilicat @troyready @Poil @slessardjr @easkay @holderbaum @dominik-lekse @ @draggeta @Leon99 @tombuildsstuff @MattMencel @apparentlymart @ @asc-adean @flokli @identifysun @mhaarbrink @ @marcmarcet @ @ankit-kumar-mck @ @Socolin @ @cicorias @jbg @tiwood @devlincashman @slessardjr

any update for this / any idea to push this forward? there is still nothing to be used out of the box (without workaround and without compiling something on my own)

h0nIg avatar May 26 '23 08:05 h0nIg

If there were updates, you'd see them in this ticket. If you're going to ping 30+ random people, at least have something to add… 🙄

jbg avatar May 26 '23 08:05 jbg

Hi @h0nIg 👋, This PR is currently on-hold as our team's attention is currently elsewhere at the moment. Apologies for any inconvenience.

bendbennett avatar May 26 '23 09:05 bendbennett

@bendbennett is there an ETA to continue work on this?

jkroepke avatar Nov 28 '23 07:11 jkroepke

+1 is there any current state of this feature request? Especially Azure depends a lot on pfx/ pkcs12 formatted certificate bundles.

clowa avatar Jun 15 '24 14:06 clowa