(re)Formatting x509 Certificates in Terraform

todd-dsm · May 8, 2023, 10:24pm

Hey all, is there a recommended method of formatting or reformatting an x509 Certificate within Terraform?

I’m currently automating the relationship between Azure AD (IdP) and Okta " Identity Providers" configuration. In the Okta docs a certificate must be generated manually in an Azure Enterprise App; that certificate is later downloaded from Azure, then uploaded to the Okta " Identity Providers" config.

I can create this certificate with Terraform:

resource "azuread_service_principal_token_signing_certificate" "saml_signing_cert" {
  service_principal_id = azuread_service_principal.okta_sp.id
  display_name         = "CN=${var.myCo} SSO Certificate"
  end_date             = time_rotating.saml_certificate.rotation_rfc3339

  provisioner "local-exec" {
    command = <<-SHELL
      az ad sp update --id ${self.service_principal_id} \
        --set preferredTokenSigningKeyThumbprint=${self.thumbprint}
    SHELL
  }
}

Then create an idp_signing_key in Okta to receive it.

resource "okta_idp_saml_key" "idp_signing_key" {
  x5c = ["azuread_service_principal_token_signing_certificate.saml_signing_cert.value"]
}

At the end of the apply, this error is displayed:

Error: failed to create identity provider signing key: the API returned an error: Api validation failed: JsonWebKey. Causes: errorSummary: The IDP certificate JWK has an invalid x5c.

I’ve validated the contents of the cert created in the Azure AD Enterprise App by downloading it and comparing it to azuread_service_principal_token_signing_certificate.saml_signing_cert.value output; they are the same.

I believe the difference is that Okta is expecting a standard x509 format:

-----BEGIN CERTIFICATE-----
MIIC8DCCAdigAxIBAgIQLR20Xyb3sI5O6/Ga+l6L6jANBgkqjkiG9w0BAQsFADA0MTIwMAYDVQQD
...
-----END CERTIFICATE-----

Basically, a BEGIN/END CERTIFICATE declaration with content that breaks to new lines after 78 characters.

In this case, it appears that the value in the state is just a long string:

terraform show -json | grep MIIC8DCCAdigAxIBAgIQLR20Xyb3sI5O6

There are no BEGIN/END CERTIFICATE declarations with breaks to new lines after 78 characters. So, the question becomes:

Does Terraform have a library that converts this certificate back into the expected format?

Topic		Replies	Views
Azure Service Principal Client Certificate Error Azure	3	4507	July 31, 2024
Azuread provider SAML Signing Certificate support Azure	4	1275	September 10, 2024
Azurerm_automation_certificate - Certificate base64Value is invalid Azure	1	1149	August 17, 2020
Unable to build authorizer for Resource Manager API Azure	2	867	November 2, 2024
Azurerm provider - tls: failed to verify certificate: x509: certificate signed by unknown authority Azure	1	714	January 22, 2024

(re)Formatting x509 Certificates in Terraform

Hey all, is there a recommended method of formatting or reformatting an x509 Certificate within Terraform?

Related topics