使用terraform 生成自签名证书

terraform 是一个很不错的基础设施工具，我们可以用来做关于基础设施部署的事情，可以实现基础设施即代码
以下演示一个简单的自签名证书的生成（使用tls provider）

main.tf 文件

resource "tls_private_key" "example" {

  algorithm = "RSA"

resource "tls_self_signed_cert" "example" {

  key_algorithm = "${tls_private_key.example.algorithm}"

  private_key_pem = "${tls_private_key.example.private_key_pem}"

  # Certificate expires after 12 hours.

  validity_period_hours = 120000000

  # Generate a new certificate if Terraform is run within three

  # hours of the certificate's expiration time.

  early_renewal_hours = 30000000

  is_ca_certificate = true

  # Reasonable set of uses for a server SSL certificate.

  allowed_uses = [

      "key_encipherment",

      "digital_signature",

      "server_auth",

  ip_addresses = ["127.0.0.1","192.168.0.111","10.10.18.119"]

  dns_names = ["api.example.com", "k8sapi.example.com"]

  subject {

      common_name = "example.com"

      organization = "example, Inc"

data "archive_file" "userinfos" {

  type = "zip"

  output_path = "tf-result/cert.zip"

  source {

    content = tls_private_key.example.private_key_pem

    filename = "private_key_pem"

  source {

    content = tls_private_key.example.public_key_pem

    filename = "public_key_pem"

  source {

    content = tls_self_signed_cert.example.cert_pem

    filename = "cert_pem"

resource 说明

以上代码使用了archive provider 进行生成文件压缩，使用tls_private_key 生成私钥
使用tls_self_signed_cert 生成自签名证书

运行

init 下载插件

terraform init

查看计划

terraform plan

效果

Refreshing Terraform state in-memory prior to plan...

The refreshed state will be used to calculate this plan, but will not be

persisted to local or remote state storage.

------------------------------------------------------------------------

An execution plan has been generated and is shown below.

Resource actions are indicated with the following symbols:

  + create

 <= read (data resources)

Terraform will perform the following actions:

  # data.archive_file.userinfos will be read during apply

  # (config refers to values not yet known)

 <= data "archive_file" "userinfos" {

      + id = (known after apply)

      + output_base64sha256 = (known after apply)

      + output_md5 = (known after apply)

      + output_path = "tf-result/cert.zip"

      + output_sha = (known after apply)

      + output_size = (known after apply)

      + type = "zip"

      + source {

          + content = (known after apply)

          + filename = "cert_pem"

      + source {

          + content = (known after apply)

          + filename = "private_key_pem"

      + source {

          + content = (known after apply)

          + filename = "public_key_pem"

  # tls_private_key.example will be created

  + resource "tls_private_key" "example" {

      + algorithm = "RSA"

      + ecdsa_curve = "P224"

      + id = (known after apply)

      + private_key_pem = (known after apply)

      + public_key_fingerprint_md5 = (known after apply)

      + public_key_openssh = (known after apply)

      + public_key_pem = (known after apply)

      + rsa_bits = 2048

  # tls_self_signed_cert.example will be created

  + resource "tls_self_signed_cert" "example" {

      + allowed_uses = [

          + "key_encipherment",

          + "digital_signature",

          + "server_auth",

      + cert_pem = (known after apply)

      + dns_names = [

          + "api.example.com",

          + "k8sapi.example.com",

      + early_renewal_hours = 30000000

      + id = (known after apply)

      + ip_addresses = [

          + "127.0.0.1",

          + "192.168.0.111",

          + "10.10.18.119",

      + is_ca_certificate = true

      + key_algorithm = "RSA"

      + private_key_pem = (known after apply)

      + validity_end_time = (known after apply)

      + validity_period_hours = 120000000

      + validity_start_time = (known after apply)

      + subject {

          + common_name = "example.com"

          + organization = "example, Inc"

Plan: 2 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform

can't guarantee that exactly these actions will be performed if

"terraform apply" is subsequently run.

apply

terraform apply

效果

An execution plan has been generated and is shown below.

Resource actions are indicated with the following symbols:

  + create

 <= read (data resources)

Terraform will perform the following actions:

  # data.archive_file.userinfos will be read during apply

  # (config refers to values not yet known)

 <= data "archive_file" "userinfos" {

      + id = (known after apply)

      + output_base64sha256 = (known after apply)

      + output_md5 = (known after apply)

      + output_path = "tf-result/cert.zip"

      + output_sha = (known after apply)

      + output_size = (known after apply)

      + type = "zip"

      + source {

          + content = (known after apply)

          + filename = "cert_pem"

      + source {

          + content = (known after apply)

          + filename = "private_key_pem"

      + source {

          + content = (known after apply)

          + filename = "public_key_pem"

  # tls_private_key.example will be created

  + resource "tls_private_key" "example" {

      + algorithm = "RSA"

      + ecdsa_curve = "P224"

      + id = (known after apply)

      + private_key_pem = (known after apply)

      + public_key_fingerprint_md5 = (known after apply)

      + public_key_openssh = (known after apply)

      + public_key_pem = (known after apply)

      + rsa_bits = 2048

  # tls_self_signed_cert.example will be created

  + resource "tls_self_signed_cert" "example" {

      + allowed_uses = [

          + "key_encipherment",

          + "digital_signature",

          + "server_auth",

      + cert_pem = (known after apply)

      + dns_names = [

          + "api.example.com",

          + "k8sapi.example.com",

      + early_renewal_hours = 30000000

      + id = (known after apply)

      + ip_addresses = [

          + "127.0.0.1",

          + "192.168.0.111",

          + "10.10.18.119",

      + is_ca_certificate = true

      + key_algorithm = "RSA"

      + private_key_pem = (known after apply)

      + validity_end_time = (known after apply)

      + validity_period_hours = 120000000

      + validity_start_time = (known after apply)

      + subject {

          + common_name = "example.com"

          + organization = "example, Inc"

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?

  Terraform will perform the actions described above.

  Only 'yes' will be accepted to approve.

  Enter a value: yes

tls_private_key.example: Creating...

tls_private_key.example: Creation complete after 0s [id=4bb57b583566785ce23a003432515e07fcebfdba]

tls_self_signed_cert.example: Creating...

tls_self_signed_cert.example: Creation complete after 0s [id=132700825268662052341550768328847386301]

data.archive_file.userinfos: Refreshing state...

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

文件内容

unzip cert.zip

Archive: cert.zip

  inflating: cert_pem

  inflating: private_key_pem

  inflating: public_key_pem

说明

我们可以结合vault 的tls 管理以及tf 方便的进行证书管理——基础设施即代码

参考资料

https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html
https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine

使用terraform 生成自签名证书的更多相关文章

cmd命令生成android签名证书
cmd命令生成android签名证书,有空在写一篇eclipse导出带签名的apk,这里面包括生成新的签名.现在还是讲讲在cmd怎么操作生成签名证书. 1.dos下进入JDK的bin目录运行如下命令 ...
windows下使用makecert命令生成自签名证书
1.makecert命令路径 C:\Program Files (x86)\Windows Kits\8.1\bin\x64 2.生成一个自签名证书 makecert -r -pe -n " ...
openssl生成自签名证书
1.生成x509格式的CA自签名证书 openssl req -new -x509 -keyout ca.key -out ca.crt 2.生成服务端的私钥(key文件)及申请证书文件csr文件 o ...
用OpenSSL生成自签名证书在IIS上搭建Https站点（用于iOS的https访问）
前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...
[ipsec][strongswan] 用strongswan pki工具生成自签名证书
如题.我在实验环境里,分别要为两个endpoint(T9和T129)生成证书. 证书是如何生成的呢? 证书是由根证书机构签发的.申请证书的人将request提交给根证书机构,然后根证书机构根据requ ...
ios生成自签名证书，实现web下载安装app
抄自http://beyondvincent.com/blog/2014/03/17/five-tips-for-using-self-signed-ssl-certificates-with-ios ...
生成自签名证书-开启https
1.生成CA证书 # 生成 CA 私钥 openssl genrsa -out ca.key 2048 # X.509 Certificate Signing Request (CSR) Manage ...
OpenSSL使用1（用OpenSSL生成自签名证书在IIS上搭建Https站点）（用于iOS的https访问）
前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...
Windows下生成自签名证书
最近通过openssl生成了自签名的证书,总结成下面这张图. 说明:下载openssl0.9.8之后解压,然后运行bin\openssl.exe进入openssl运行环境,然后按上图中顺序执行命令.( ...

随机推荐

Netty源码分析之NioEventLoop(三)—NioEventLoop的执行
前面两篇文章Netty源码分析之NioEventLoop(一)—NioEventLoop的创建与Netty源码分析之NioEventLoop(二)—NioEventLoop的启动中我们对NioEven ...
24H玩转 Grafana 被工程师称相当专业，如何做到？
国庆假期发生了两件小事,其一是我默默度过 35 周岁生日,其二是玩了下grafana `并在节后第一天被工程师 M 称赞:相当专业. 1.我为什么要玩 grafana 呢? 数月前我提交了一份数据后台 ...
ComPtr的介绍以及使用
ComPtr是为COM而设计的智能指针.它支持WindowsRT,也支持传统Win32.相比ATL里的CComPtr类,它有了一些提升. ComPtr包含在Windows 8.x SDK and Wi ...
SQL Server——死锁查看
一.通过语句查看 --查询哪些死锁SELECT request_session_id spid, OBJECT_NAME( resource_associated_entity_id ) tableN ...
在docker容器上如何实现代码的版本管理
之前在一台centos7的虚拟机上部署了docker并运行了三个容器给开发写代码用,写代码肯定会涉及到版本控制管理. 开始建议是开发在容器中写代码,然后通过docker commit的方式将其保存为i ...
getElementsByClassName兼容封装
众所周知,JS获取DOM有个getElementsByClassName,非常方便,但是呢,为了兼容某些浏览器(你懂的).只能进行封装下了.解决方法如下 <!DOCTYPE html> ...
Java 之 Session
Session 一.概述 Session技术:服务器端会话技术,在一次会话的多次请求间共享数据,将数据保存在服务器端的对象(HttpSession)中. 二.使用步骤 1.获取 HttpSession ...
Oracle 逻辑存储结构
一.总述逻辑存储结构是 Oracle 数据库存储结构的核心内容,对 Oracle 数据库的所有操作都会涉及逻辑存储结构.逻辑存储结构是从逻辑的角度分析数据库的组成,是对数据存储结构在逻辑概念上的划分 ...
网络监听工具嗅探器 SpyNet
配置网卡注册监听配置开始捕获
unity shader入门（四）：高光
高光反射计算公式(phong模型)Cspecular=(Clight*Mspecular)max(0,v*r)mgloss mgloss为材质的官泽度,也成反射度,控制高光区域亮点有多大 Mspecu ...