Create Private CA and Certificates using Terraform
In this post we will look at how to create Private CA and Certificates using Terraform.
If you want to create this using OpenSSL refer the following post.
The terraform code will create following. This can be logically divided into two parts.
Part I — Setting up Private CA
- Create CA Private Key
- Create CA Certificate
Part II — Create Server Certificates
- Create Server Private key
- Create Certificate Signing Request (CSR)
- Create Certificate signed by Private CA
We will do this in a single terraform code base which is good for development purpose.
Just to keep it simple we will have a following set of files in the Terraform code.
/main.tf
/providers.tfPart I — Create Private CA
- Create Private Key for CA
# main.tf
resource "tls_private_key" "cm_ca_private_key" {
algorithm = "RSA"
}
#
resource "local_file" "cloudmanthan_ca_key" {
content = tls_private_key.cm_ca_private_key.private_key_pem
filename = "${path.module}/certs/cloudmanthanCA.key"
}# Run the terraform workflow
terraform init
terraform plan
terraform apply 
This should create private key and save it on the local machine as well.
The Private Key is (cm_private_key) is marked as sensitive and it’s value is not shown in the output. However you can inspect the private key by opening the state file — terraform.tfstate from your local machine.
For Production environment ensure that you keep your CA’s private key secured. The terraform state file keeps everything in an unencrypted manner and is security issue. You can also see the security notice on the official Terraform documentation as well !
2. Create Private CA certificate
This is going to be self signed certificate as we are our own Certificate Authority !
resource "tls_self_signed_cert" "cm_ca_cert" {
private_key_pem = tls_private_key.cm_ca_private_key.private_key_pem
is_ca_certificate = true
subject {
country = "IN"
province = "Mahrashatra"
locality = "Mumbai"
common_name = "Cloud Manthan Root CA"
organization = "Cloud Manthan Software Solutions Pvt Ltd."
organizational_unit = "Cloud Manthan Root Certification Auhtority"
}
validity_period_hours = 43800 // 1825 days or 5 years
allowed_uses = [
"digital_signature",
"cert_signing",
"crl_signing",
]
}
resource "local_file" "cloudmanthan_ca_cert" {
content = tls_self_signed_cert.cm_ca_cert.cert_pem
filename = "${path.module}/certs/cloudmanthanCA.cert"
}
terraform apply
Thus we have CA Private Key (cloudmanthanCA.key) and CA Certificate (cloudmanthanCA.cert).
Part II — Create Server Certificate signed by Private CA
- Create Private Key for server certificate and store it locally
# Create private key for server certificate
resource "tls_private_key" "cm_internal" {
algorithm = "RSA"
}
resource "local_file" "cm_internal_key" {
content = tls_private_key.cm_internal.private_key_pem
filename = "${path.module}/certs/dev.cloudmanthan.key"
}2. Create Certificate Signing Request (CSR)
Note : Earlier we created self signed certificate for our own CA. In this case we are creating certificate signing request.
# Create CSR for for server certificate
resource "tls_cert_request" "cm_internal_csr" {
private_key_pem = tls_private_key.cm_internal.private_key_pem
dns_names = ["dev.cloudmanthan.internal"]
subject {
country = "IN"
province = "Mahrashatra"
locality = "Mumbai"
common_name = "Cloud Manthan Internal Development "
organization = "Cloud Manthan"
organizational_unit = "Development"
}
}3. Sign Server certificate by Private CA and store certificate in local file
# Sign Seerver Certificate by Private CA
resource "tls_locally_signed_cert" "cm_internal" {
// CSR by the development servers
cert_request_pem = tls_cert_request.cm_internal_csr.cert_request_pem
// CA Private key
ca_private_key_pem = tls_private_key.cm_ca_private_key.private_key_pem
// CA certificate
ca_cert_pem = tls_self_signed_cert.cm_ca_cert.cert_pem
validity_period_hours = 43800
allowed_uses = [
"digital_signature",
"key_encipherment",
"server_auth",
"client_auth",
]
}
resource "local_file" "cm_internal_cert" {
content = tls_locally_signed_cert.cm_internal.cert_pem
filename = "${path.module}/certs/dev.cloudmanthan.cert"
}Run the Terraform workflow.
terraform apply 
Let us verify the generated server certificate using OpenSSL.
openssl x509 -text -noout -in dev.cloudmanahtn.cert
This shows the server certificate details. Note the following values
- CA : FALSE
- Subject Alternative Name : dev.cloudmanthan.internal
- Key Id : 05:9C:…:BA:4A
Similarly let us check the CA Certificate.
openssl x509 -noout -text -in cloudmanthanCA.cert
You should note following attributes for this certificate
- CA: TRUE
- Subject Key Identifier : 05:9C:…BA:4A
Subject Key Identifier matches with the Authority Key Identifier for the Server certificate seen earlier.
This confirms that the server certificate is signed by our Private CA !
Thus we have seen how to create Private CA and use the Private CA to sign the server certificate !
Note : The source code is available here for easy reference.
Summary
Terraform makes it very easy to create Private CA and using it to sign server certificates. This is really useful when you want to have a self contained development environment with various certificates created and installed on the various servers internally.
However make a note of security concern around Private Key in terraform state file, as it is kept in the plain text. It is better to create it outside the Terraform or store it securely !
