Generate a CA Certificate using Pulumi
/* | |
Copyright (c) 2020 StreamNative. All rights reserved. | |
This work is licensed under the terms of the MIT license. | |
For a copy, see <https://opensource.org/licenses/MIT>. | |
*/ | |
import * as pulumi from "@pulumi/pulumi"; | |
import * as tls from "@pulumi/tls"; | |
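/**
 * A Pulumi component that generates a self-signed root CA: a private key plus a
 * CA-flagged, self-signed certificate that can later sign leaf certificates.
 *
 * Security notes:
 *  - The private key is the trust anchor for everything this CA signs. It is
 *    generated by the tls provider and persisted in Pulumi state, so the state
 *    backend and its secrets encryption are part of this CA's security boundary.
 *  - The certificate defaults to a 10-year validity. 2048-bit RSA is the default
 *    key size here, which is on the short side for a key that lives that long;
 *    pass `rsaBits: 4096` (or a non-RSA `algorithm`) when creating a new CA.
 *  - Changing any key or certificate argument replaces the underlying resources,
 *    which invalidates every certificate previously issued by this CA.
 */
export class RootSigningCertificate extends pulumi.ComponentResource {
    public readonly privateKey: tls.PrivateKey;
    public readonly certificate: tls.SelfSignedCert;

    /**
     * @param name Logical name of the component resource.
     * @param args Key algorithm/size, subject common name and validity period.
     * @param opts Standard component resource options.
     */
    constructor(name: string, args: RootSigningCertificateArgs, opts?: pulumi.ComponentResourceOptions) {
        super("util:tls:RootSigningCertificate", name, {}, opts);

        // `??` instead of `||`: only an omitted argument falls back to the default.
        this.privateKey = new tls.PrivateKey("key", {
            algorithm: args.algorithm ?? "RSA",
            rsaBits: args.rsaBits ?? 2048,
        }, { parent: this });

        this.certificate = new tls.SelfSignedCert("cert", {
            subjects: [{ commonName: args.issuerName }],
            keyAlgorithm: this.privateKey.algorithm,
            privateKeyPem: this.privateKey.privateKeyPem,
            // Flags the certificate as a CA so it is allowed to sign other certificates.
            isCaCertificate: true,
            // Fix: `validityPeriodHours` was declared on the args interface but never
            // read, so callers could not shorten the lifetime. 87600 h = 10 years.
            validityPeriodHours: args.validityPeriodHours ?? 87600,
            // NOTE(review): "key_encipherment" is not needed for a signing-only CA, and
            // "crl_signing" is absent, so this CA cannot issue CRLs. Left unchanged because
            // editing the usage list replaces the certificate in existing stacks.
            allowedUses: [
                "key_encipherment",
                "digital_signature",
                "cert_signing",
            ],
        }, { parent: this });

        // Register the public material as component outputs; the private key is
        // deliberately not registered here so it only appears via getPrivateKey().
        this.registerOutputs({
            certificatePem: this.certificate.certPem,
            publicKeyPem: this.privateKey.publicKeyPem,
        });
    }

    /**
     * Returns the public key associated with the certificate as a PEM-encoded string.
     * Safe to publish; it carries no secret material.
     */
    getPublicKey(): pulumi.Output<string> {
        return this.privateKey.publicKeyPem;
    }

    /**
     * Returns the CA private key as a PEM-encoded string.
     *
     * The value is wrapped in `pulumi.secret` so Pulumi encrypts it in state and
     * masks it in CLI output. Anyone who can read it can mint certificates trusted
     * by this CA, so treat callers of this method as holding the signing key.
     */
    getPrivateKey(): pulumi.Output<string> {
        return pulumi.secret(this.privateKey.privateKeyPem);
    }

    /**
     * Returns the CA certificate as a PEM-encoded string. This is the value to
     * distribute to clients as a trust anchor.
     */
    getCertificate(): pulumi.Output<string> {
        return this.certificate.certPem;
    }
}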
/**
 * Arguments for {@link RootSigningCertificate}.
 *
 * Every field other than `issuerName` is optional; changing any of them after
 * the first deployment replaces the key and/or certificate.
 */
export interface RootSigningCertificateArgs {
    /**
     * Subject common name of the CA certificate (the issuer name that will appear
     * on certificates it signs).
     */
    readonly issuerName: pulumi.Input<string>;

    /**
     * Private key algorithm, passed through to the tls provider. Defaults to 'RSA'.
     */
    readonly algorithm?: string;

    /**
     * RSA modulus size in bits; only used when `algorithm` is 'RSA'. Defaults to 2048.
     * For a root that is valid for a decade, 3072 or 4096 bits is the more
     * conservative choice.
     */
    readonly rsaBits?: number;

    /**
     * Certificate validity period in hours. Defaults to 10 years (87600 hours).
     */
    readonly validityPeriodHours?: number;
}
/* | |
Copyright (c) 2020 StreamNative. All rights reserved. | |
This work is licensed under the terms of the MIT license. | |
For a copy, see <https://opensource.org/licenses/MIT>. | |
*/ | |
import * as pulumi from "@pulumi/pulumi"; | |
import {RootSigningCertificate} from "./ca-certificate" | |
// Stack configuration: `issuerName` is required and becomes the CA's subject CN.
const stackConfig = new pulumi.Config();

const rootCa = new RootSigningCertificate("cacert", {
    issuerName: stackConfig.require("issuerName"),
});

// Stack outputs.
// The private key output is a Pulumi secret (see RootSigningCertificate.getPrivateKey),
// so Pulumi encrypts it in state and masks it in `pulumi stack output` by default.
// Anyone able to read the stack's secrets can sign certificates trusted by this CA;
// export it only if a downstream stack genuinely needs the signing key.
export const caPrivateKey = rootCa.getPrivateKey();
export const caPublicKey = rootCa.getPublicKey();
export const caCertificate = rootCa.getCertificate();