3

I have created a service account key for a GCP service account using the Terraform google provider. I've set the private key type to "TYPE_PKCS12_FILE", which we require for compatibility with an existing application.

When I was testing this as a PoC, I created the P12 key though the console, and it worked with no issues. Now, I want to handle key generation in our Terraform script, and I cannot get a working P12 key. The actual key resource is created, and it contains a public_key field, which can be base64 decoded to a valid RSA certificate, and a private_key, which is supposedly a P12 file which has been base64 encoded, if I am reading the documentation properly.

I have tried saving the private_key value from Terraform into a file, and base64 decoding it manually. It superficially resembles a known valid P12 bundle, but it is reported as an invalid certificate when I try to import it anywhere.

The object in the state looks like:

"private_key": "MIIJ[...]GoA==",
"private_key_type": "TYPE_PKCS12_FILE",
"public_key": "LS0t[...]LQo=",
"public_key_data": null,
"public_key_type": "TYPE_X509_PEM_FILE",

So, how do I turn the private_key from the Terraform resource into a usable P12 file that can be uploaded to our application?

bluemoon6790
  • 467
  • 2
  • 11
  • 2
    IIRC the **private_key** value must be base-64 decoded which returns a data structure. Within that data structure is your P12 (PFX) certificate. If you can edit your question with masked details, I will probably recognize what is being returned. – John Hanley Mar 02 '22 at 21:14
  • @JohnHanley You're right. My error was thinking Terraform could handle the base64 decode. I used Windows' built-in certutil to decode it instead of trying to do it in TF, and it did work. – bluemoon6790 Mar 03 '22 at 14:40

1 Answers1

2

Answering this question for myself because the specific error received from Terraform needs some explanation. If you try to use TF's built-in base64decode() function on the private key, it gives the error "the result of decoding the provided string is not valid UTF-8".

I originally assumed that this was an error with the cert, because I had thought that I was expecting the private key to be a PEM certificate, but the private_key value actually contains the full P12 bundle.

The basic operation of decoding that string as base64 is correct, but as it turns out, Terraform only supports a limited range of encodings. Decoding to a P12 bundle is not supported in Terraform, because TF parses the output of the base64decode() call to confirm it is valid and it cannot validate the encoding of a P12, since that encoding is not supported.

The solution is to save the output string of the private_key property into a txt file, then use a certificate management tool like openssl or certutil to handle the decoding.

Example:

certutil -decode please-decode-me.txt my-mydecoded-cert.p12

EDIT: Also, note that at minimum, the encode/decode extensions for VS Code do NOT handle that operation correctly for P12 files. I tried that approach thinking that those operations would leave the underlying data of the file unchanged and simply parse it again with a different encoding. This is incorrect, it will change the file data to match the "symbol not found" glyph wherever that glyph is used.

I assume this is well known and/or obvious for security specialists, but I thought I'd explicitly mention it in case it's of use to any other SREs or application devs who don't interact with certificate automation on a regular basis.

bluemoon6790
  • 467
  • 2
  • 11
  • I have a similar issue posted here: https://stackoverflow.com/questions/74609490/create-p12-keystore-secret-in-tfs-kubernetes-provider Can you please verify my approach? – Nishant Kansal Nov 29 '22 at 05:27