I ran into an issue generating self-signed certificates via the Azure Key Vault where it wasn't possible to add a Subject Alternate Name at the time of creation.
To work around that I tried to create the keys via the azurerm terraform provider. The keys generate successfully but don't have a password.
From what I can see on the documentation for azurerm_key_vault_certificate here a password value can only be added in a certificate block, which is only used when importing a certificate.
I feel a bit stuck between not being able to create a certificate with a SAN via the portal and not being able to create a certificate with an encryption password via terraform. Am I missing something?
Can azurerm_key_vault_certificate set a password on a certificate when generating a new one?
While generating a certificate in Azure Key Vault, you cannot set a password. In Terraform, to create a new certificate, you have to use the certificate_policy argument of the azurerm_key_vault_certificate resource, which doesn't have a password parameter; setting a password is only supported when importing a certificate.
I ran into an issue generating self-signed certificates via the Azure Key Vault where it wasn't possible to add a Subject Alternate Name at the time of creation.
I used the following Terraform code to generate a certificate with a Subject Alternative Name in Azure Key Vault:
resource "azurerm_key_vault_certificate" "kvcert01" {
  name         = "kvcertvjy"
  key_vault_id = data.azurerm_key_vault.kvkisdujfgweuvjy.id

  certificate_policy {
    issuer_parameters {
      name = "Self" # for self-signed certificates
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }
      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      # Server Authentication = 1.3.6.1.5.5.7.3.1
      # Client Authentication = 1.3.6.1.5.5.7.3.2
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject_alternative_names {
        dns_names = ["portal.contoso.com", "terraform.hello.world"]
      }

      subject            = "CN=hello-world-terraform"
      validity_in_months = 12
    }
  }
}
Terraform output: https://i.imgur.com/P0ZO9Cw.png
Verify in portal:
I feel a bit stuck between not being able to create a certificate with a SAN via the portal and not being able to create a certificate with an encryption password via terraform. Am I missing something?
You can create a certificate with SAN in portal by setting DNS names by following the below steps.
Verify the certificate
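The "verify the certificate" step above is shown only as a portal screenshot. As an added example (not part of the answer, and not Azure or Terraform code), the Go program below checks a certificate against the fields of the certificate_policy from the answer: subject CN, the two SAN dNSNames, RSA 2048, serverAuth EKU, key usage and the 12-month validity. It uses only the Go standard library. Because it has to run offline, makeSelfSignedPEM generates a local self-signed certificate that stands in for the one Key Vault would issue; with a real deployment you would instead pass the PEM certificate you downloaded from the vault to CheckCertificate. The ExpectedPolicy type and its field names are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// ExpectedPolicy mirrors the checkable parts of the Terraform certificate_policy
// (type and field names are constructed for this example).
type ExpectedPolicy struct {
	CommonName        string
	DNSNames          []string
	RSAKeyBits        int
	ValidityMonths    int
	RequireServerAuth bool
}

// Values taken from the answer's HCL.
var contosoPolicy = ExpectedPolicy{
	CommonName:        "hello-world-terraform",
	DNSNames:          []string{"portal.contoso.com", "terraform.hello.world"},
	RSAKeyBits:        2048,
	ValidityMonths:    12,
	RequireServerAuth: true,
}

// makeSelfSignedPEM is a local stand-in for the certificate Key Vault would
// generate from the policy, so that the example runs offline.
func makeSelfSignedPEM(cn string, dnsNames []string, bits, months int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             now,
		NotAfter:              now.AddDate(0, months, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CheckCertificate parses a PEM certificate and returns every way it deviates
// from the expected policy. An empty slice means the certificate matches.
func CheckCertificate(certPEM []byte, want ExpectedPolicy) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var findings []string
	if cert.Subject.CommonName != want.CommonName {
		findings = append(findings, fmt.Sprintf("subject CN %q, want %q", cert.Subject.CommonName, want.CommonName))
	}
	// Compare SAN dNSNames as sets (order in the extension is not significant).
	got, exp := append([]string(nil), cert.DNSNames...), append([]string(nil), want.DNSNames...)
	sort.Strings(got)
	sort.Strings(exp)
	if fmt.Sprint(got) != fmt.Sprint(exp) {
		findings = append(findings, fmt.Sprintf("SAN dNSNames %v, want %v", got, exp))
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		findings = append(findings, "public key is not RSA")
	} else if pub.N.BitLen() != want.RSAKeyBits {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits, want %d", pub.N.BitLen(), want.RSAKeyBits))
	}
	hasServerAuth := false
	for _, eku := range cert.ExtKeyUsage {
		hasServerAuth = hasServerAuth || eku == x509.ExtKeyUsageServerAuth
	}
	if want.RequireServerAuth && !hasServerAuth {
		findings = append(findings, "extended key usage lacks serverAuth (1.3.6.1.5.5.7.3.1)")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 || cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		findings = append(findings, "key usage lacks digitalSignature or keyEncipherment")
	}
	// Allow one day of slack around validity_in_months.
	if limit := cert.NotBefore.AddDate(0, want.ValidityMonths, 1); cert.NotAfter.After(limit) {
		findings = append(findings, fmt.Sprintf("validity ends %s, beyond %d months", cert.NotAfter.Format(time.RFC3339), want.ValidityMonths))
	}
	return findings, nil
}

func main() {
	certPEM, err := makeSelfSignedPEM(contosoPolicy.CommonName, contosoPolicy.DNSNames, contosoPolicy.RSAKeyBits, contosoPolicy.ValidityMonths)
	if err != nil {
		panic(err)
	}
	findings, err := CheckCertificate(certPEM, contosoPolicy)
	if err != nil {
		panic(err)
	}
	if len(findings) == 0 {
		fmt.Println("certificate matches policy")
	}
	for _, f := range findings {
		fmt.Println("MISMATCH:", f)
	}
}
```

The findings list is what you would assert on in a pipeline after `terraform apply`: an empty list means the vault issued exactly what the policy asked for, and a non-empty one names the field that drifted (for instance a missing SAN entry), which is easier to act on than a screenshot of the portal.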