diff --git a/.changelog/11449.txt b/.changelog/11449.txt
new file mode 100644
index 0000000000..ada48bd34f
--- /dev/null
+++ b/.changelog/11449.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate.
+```
diff --git a/agent/connect/ca/provider_aws.go b/agent/connect/ca/provider_aws.go
index 170728a0a2..531f39f03a 100644
--- a/agent/connect/ca/provider_aws.go
+++ b/agent/connect/ca/provider_aws.go
@@ -33,9 +33,6 @@ const (
 	// leaf cert.
 	LeafTemplateARN = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
-	// RootTTL is the validity duration for root certs we create.
-	AWSRootTTL = 5 * 365 * 24 * time.Hour
-
 	// IntermediateTTL is the validity duration for the intermediate certs we
 	// create.
 	AWSIntermediateTTL = 1 * 365 * 24 * time.Hour
@@ -211,7 +208,7 @@ func (a *AWSProvider) ensureCA() error {
 	}
 	// Self-sign it as a root
-	certPEM, err := a.signCSR(csrPEM, RootTemplateARN, AWSRootTTL)
+	certPEM, err := a.signCSR(csrPEM, RootTemplateARN, a.config.RootCertTTL)
 	if err != nil {
 		return err
 	}
diff --git a/agent/connect/ca/provider_aws_test.go b/agent/connect/ca/provider_aws_test.go
index 23d64d474b..dab8f8dcd6 100644
--- a/agent/connect/ca/provider_aws_test.go
+++ b/agent/connect/ca/provider_aws_test.go
@@ -5,6 +5,7 @@ import (
 	"strconv"
 	"strings"
 	"testing"
+	"time"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/acmpca"
@@ -41,6 +42,7 @@ func TestAWSBootstrapAndSignPrimary(t *testing.T) {
 			cfg := map[string]interface{}{
 				"PrivateKeyType": tc.KeyType,
 				"PrivateKeyBits": tc.KeyBits,
+				"RootCertTTL": "8761h",
 			}
 			provider := testAWSProvider(t, testProviderConfigPrimary(t, cfg))
 			defer provider.Cleanup(true, nil)
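Review bot: The new `a.signCSR(csrPEM, RootTemplateARN, a.config.RootCertTTL)` line in ensureCA takes the configured root TTL with no visible check that it exceeds AWSIntermediateTTL, which the first hunk of this file leaves as a fixed 1 year; unless the common config validation already compares RootCertTTL against that constant rather than against the configurable IntermediateCertTTL, a RootCertTTL below one year would produce a root that expires before the intermediates it signs. A guard before the call such as `if a.config.RootCertTTL <= AWSIntermediateTTL { return fmt.Errorf("RootCertTTL %s must be greater than the AWS intermediate TTL %s", a.config.RootCertTTL, AWSIntermediateTTL) }` (using whatever error helper this file already relies on) would make the constraint the docs in this commit state hold for this provider too. Replacing the removed 5-year AWSRootTTL with the common RootCertTTL default also changes the AWS default to 10 years (per the new test in provider_aws_test.go), so existing AWS-backed clusters get a longer-lived root on their next root generation; the changelog entry should say so. The test hunks compute the expected expiry in whole days, which suggests the TTL is handed to ACM PCA at day granularity and any sub-day remainder of RootCertTTL is dropped silently — if that is the case, a comment at this call site would save the next reader a trip into signCSR. ensureCA starts and ends outside the hunk.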
@@ -69,10 +71,37 @@ func TestAWSBootstrapAndSignPrimary(t *testing.T) {
 			require.Equal(tc.KeyType, keyType)
 			require.Equal(tc.KeyBits, keyBits)
+			// Ensure that the root cert ttl is withing the configured value
+			// computation is similar to how we are passing the TTL thru the aws client
+			expectedTime := time.Now().AddDate(0, 0, int(8761*60*time.Minute/day)).UTC()
+			require.WithinDuration(expectedTime, rootCert.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
+
 			// Sign a leaf with it
 			testSignAndValidate(t, provider, rootPEM, nil)
 		})
 	}
+
+	t.Run("Test default root ttl for aws ca provider", func(t *testing.T) {
+
+		provider := testAWSProvider(t, testProviderConfigPrimary(t, nil))
+		defer provider.Cleanup(true, nil)
+
+		// Generate the root
+		require.NoError(t, provider.GenerateRoot())
+
+		// Fetch Active Root
+		rootPEM, err := provider.ActiveRoot()
+		require.NoError(t, err)
+
+		// Ensure they use the right key type
+		rootCert, err := connect.ParseCert(rootPEM)
+		require.NoError(t, err)
+
+		// Ensure that the root cert ttl is withing the configured value
+		// computation is similar to how we are passing the TTL thru the aws client
+		expectedTime := time.Now().AddDate(0, 0, int(87600*60*time.Minute/day)).UTC()
+		require.WithinDuration(t, expectedTime, rootCert.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
+	})
 }
 func testSignAndValidate(t *testing.T, p Provider, rootPEM string, intermediatePEMs []string) {
diff --git a/website/content/docs/agent/options.mdx b/website/content/docs/agent/options.mdx
index 1eaf0a637a..5ebe54320b 100644
--- a/website/content/docs/agent/options.mdx
+++ b/website/content/docs/agent/options.mdx
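Review bot: In the new "Test default root ttl for aws ca provider" subtest the comment `// Ensure they use the right key type` sits above `rootCert, err := connect.ParseCert(rootPEM)`, but nothing in that subtest checks the key type; it reads as copied from the loop above and should say what the block does, e.g. `// Parse the root so its NotAfter can be checked`. Both added TTL comments misspell "within" as "withing", and `int(8761*60*time.Minute/day)` obscures that the configured value is in hours — `int(8761*time.Hour/day)` and `int(87600*time.Hour/day)` express the same quantity directly (assuming `day`, defined outside the hunk, is a time.Duration). The two subtests also differ in assertion style, `require.WithinDuration(expectedTime, …)` in the loop versus `require.WithinDuration(t, expectedTime, …)` in the new subtest, presumably because the loop body has a scoped `require := require.New(t)` outside the hunk — worth confirming rather than leaving as a silent inconsistency. Neither subtest asserts that the root TTL it checks is larger than AWSIntermediateTTL, which is the constraint the docs in this commit now state for all providers. TestAWSBootstrapAndSignPrimary begins before the hunk.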
@@ -1271,9 +1271,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
   Defaults to 10 years as `87600h`. This value, if provided, needs to be higher than the intermediate certificate TTL.
-  This setting currently applies only to the consul connect and Vault CA providers. It is
-  ignored for the AWS acm pca provider. The value for root certificates issued by the AWS
-  CA provider is 5 years and not configurable at this time.
+  This setting applies to all Consul CA providers.
   For the Vault provider, this value is only used if the backend is not initialized at first.
diff --git a/website/content/partials/http_api_connect_ca_common_options.mdx b/website/content/partials/http_api_connect_ca_common_options.mdx
index c467bc5489..6ef48d5e5f 100644
--- a/website/content/partials/http_api_connect_ca_common_options.mdx
+++ b/website/content/partials/http_api_connect_ca_common_options.mdx
@@ -39,9 +39,7 @@ The following configuration options are supported by all CA providers:
   Defaults to 10 years as `87600h`. This value, if provided, needs to be higher than the intermediate certificate TTL.
-  This setting currently applies only to the consul connect and Vault CA providers. It is
-  ignored for the AWS acm pca provider. The value for root certificates issued by the AWS
-  CA provider is 5 years and not configurable at this time.
+  This setting applies to all Consul CA providers.
   For the Vault provider, this value is only used if the backend is not initialized at first.