S A
Home » DevOps » Terraform: How to generate self-signed SSL certificates

Terraform: How to generate self-signed SSL certificates

Updated: February 3, 2024 By: Guest Contributor Post a comment
Table Of Contents
1 Introduction
1.1 Pre-requisites
2 Steps-by-Step Instructions
2.1 Step 1: Setting up your Terraform Configuration
2.2 Step 2: Creating a Self-Signed Certificate
2.3 Step 3: Detailed Configuration
2.4 Step 4: Exporting Certificates for Use
2.5 Step 5: Automating Certificate Renewal
3 Advanced Configurations
4 Conclusion

Introduction

Managing infrastructure as code is becoming a standard for DevOps practices, and Terraform by HashiCorp stands out as a leader in this domain. It allows you to define resources and infrastructure through simple, declarative configuration files that can be versioned, reused, and shared. In this comprehensive tutorial, we’ll delve into how Terraform can be used to generate self-signed SSL certificates, ensuring that your internal services can communicate securely. This process is crucial for environments where you don’t necessarily need certificates signed by a Certificate Authority (CA), like development, testing, or internal applications.

Let’s start with the basics and progressively dive into more complex configurations.

Pre-requisites

  • Terraform installed
  • A basic understanding of SSL/TLS certificates
  • An understanding of PKI (Public Key Infrastructure)

Steps-by-Step Instructions

Step 1: Setting up your Terraform Configuration

First, ensure that you have Terraform installed and configured on your machine. For this tutorial, we’ll be using Terraform v0.14.0 or newer. Terraform’s tls_provider offers resources for generating SSL certificates, so no external tools are required. Let’s create a directory for our project:

mkdir terraform-ssl
cd terraform-ssl

Create a file named main.tf. This file will contain our terraform configuration. Now, let’s initialize Terraform to prepare our project:

terraform init

Step 2: Creating a Self-Signed Certificate

Now, we’ll start by defining a simple self-signed SSL certificate. Add the following configuration to your main.tf:

resource "tls_private_key" "example" {
  algorithm = "RSA"
  rsa_bits = 2048
}

resource "tls_self_signed_cert" "example" {
  key_algorithm = "RSA"
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name = "example.com"
    organization = "Example, Inc."
  }

  validity_period_hours = 72

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

Apply the configuration to generate your SSL certificate:

terraform apply

You now have a self-signed SSL certificate and a private key. They can be found in the Terraform state file or by using output variables to display them directly. Make sure not to expose your private key!

Step 3: Detailed Configuration

For a more detailed configuration, including the addition of Subject Alt Names (SANs), you might enhance your tls_self_signed_cert resource as follows:

resource "tls_self_signed_cert" "example" {
  // Previous configuration...
  
  subject_alternative_names = ["example.net", "www.example.com"]

  // Rest of the configuration...
}

This lets your SSL certificate be valid for both example.com and alternative domains or subdomains you specify.

Step 4: Exporting Certificates for Use

Once generated, these certificates and keys need to be usable by your applications. This step involves outputting the certificate and key from Terraform and potentially converting formats (e.g., PEM to DER). Add the following output configurations to your main.tf:

output "private_key" {
  value = tls_private_key.example.private_key_pem
  sensitive = true
}

output "certificate" {
  value = tls_self_signed_cert.example.cert_pem
}

Now, when you run terraform apply, Terraform will display the paths to your certificate and private key. Use these outputs to configure your applications or services as necessary.

Step 5: Automating Certificate Renewal

Sometimes, you may need to automate the renewal of your self-signed certificates, especially if they’re used for short-lived environments or testing. Terraform doesn’t directly support automated renewals out of the box, but you can achieve this by setting up a simple CI/CD pipeline that runs terraform apply periodically to regenerate the certificates.

Advanced Configurations

In more complex scenarios, you might need to create a certificate authority (CA) with Terraform and then issue certificates signed by that CA. This setup is more involved but offers greater control and mimics a more production-like environment with trust chains. The basic idea involves creating a CA certificate and key, then using these to sign other certificates.

Conclusion

By now, you should have a solid understanding of how to generate self-signed SSL certificates with Terraform. Although self-signed certificates are typically not recommended for production environments due to their inherent lack of trust, they’re immensely useful for development, testing, and other non-public facing applications. Remember, good security practices involve responsible management of private keys and an understanding of when and where to use different types of certificates.

Search tutorials, examples, and resources