I am following the exact approach described in this github repo: https://github.com/gehlotanish/terraform-x509/tree/main

Certificate is created in pfx format and when trying to export private key, the password is empty instead of the one I provided. Can someone please assist?

I also had a requirement to create PKCS12 from PEM files, so thank you for making this provider!!

I was wondering, would it be possible for you to also do the inverse?
Allow PEM files to be created from a PFX file.
I would imagine:
A data block for the PFX file
A resource block for the certificate (in PEM format)
A resource block for the private key (in PEM format, with no password, or password to be optional as some requirements need PEM format with no password on the file, and some allow a private key password)
Maybe a resource block for the ca cert?

Hi,
Is it possible in the next release to include an Apple Silicon (darwin/arm64) architecture? Thanks.

In theory, this provider should include the CA certificates when you use the parameter ca_pem, but if you inspect the pkcs12 file generated, it does not include them, I'm using:

openssl pkcs12 -in certificate.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts.cer

But the file cacerts.cer is empty, looks like you can't include them and in consecuence, when you try to use the generated pfx, it send errors about missing intermediate certs.

Hello there,

Thank you for this useful Terraform provider, good job.

Unfortunately, I was not able to use it for Google Cloud. It was necessary to create a resource with PKCS12 keystore. Still, it turned out that it was created using OpenSSL v1.x and other resources in the Google Cloud project refused to accept the unsupported keystore format. In this regard, could you add another argument to set up the encoder type, e.g. Modern2023 or Legacy?

Best regards.

Ever since this commit here which was part of a refactor for v0.1.0 around a month ago, we can no longer provide a full certificate chain (public cert + CA/intermediate certs) to cert_pem. It instead returns an error saying cert_pem must contains exactly one certificate.

This is problematic for us because we use the pcks12_from_pem resource to create PFX files from two different sources, one of which, azurerm_key_vault_certificate_data, only provides a fullchain and privatekey and does not provide a separate attribute to get the certificate and chain separately.

Is there a way the provider could be adjusted to support this kind of scenario ? For now I configured Terraform to only use version 0.0.7, which does not contain this fix, but we're not big fans of using old/unsupported versions of providers.

Thanks!

In resource_pkcs12.go#L103 the error is not evaluated. On errors from the function, the provider and terraform will report no issue, but the result will be "".

Would it be possible to add an output for the sha1 thumbprint besides the resulting base64?

Feature request: Ability to convert trusted root CA certificates from PEM to PKCS12/PFX.

Currently password and private_key_pem are required attributes. However, if conversion is needed for trusted, unencrypted root CA certificate in PFX format, it means that password and private key are not applicable.

When you pass a bad string as key_pem, loadCertificates will not report an error and will leave cert.PrivateKey nil (utils.go#L20)

In resource_pkcs12.go#L79 cert.PrivateKey is checked to not be "", but it will still be nil and provider will continue.

Is there a reason why the sensitive flag isn't set on the result? I get that PKCS12 should be encrypted with a password that "only I know" but I have a funny use case, where I really don't need that functionality, just have two PEMs for an app that demands PKCS12.

With that in mind, would there be harm in a PR that sets the result to be sensitive?

I would also suggest making the "password" field optional too since providing just an empty string seems to work fine...