privateca root ca example is invalid for a standard compliant root ca

Question

privateca root ca example is invalid for a standard compliant root ca

hoexter opened this issue 2 months ago · comments

TL;DR

The sample in privateca/certificate_authority_basic/main.tf looks like it's a copy of the subordinate setup and not for the root.

Expected behavior

Sample should be somewhat compliant to RFC 5280 and CA/B Baseline Requirements.

Observed behavior

SAN on Root -> does not make any sense
pathLen on Root is not forbidden but according to the rfc not evaluated and not recommended by CA/B BR
extendedKeyUsage is forbidden by CA/B BR on a root

Terraform Configuration

does not apply

Terraform Version

does not apply

Additional information

No response

Jennifer Davis · Answer 1 · Tue Apr 16 2024 12:36:52 GMT+0800 (China Standard Time)

Thanks for your feedback @hoexter and the additional reference materials. They are super helpful. While I've left feedback on the PR, it seems like we may need to get the main terraform docs updated as well so that we are matching up our docs across pages. @msampathkumar do you have knowledge on these samples?