
certificate generation

master
Markus Katharina Brechtel преди 7 години
ревизия
34f26afd00
променени са 11 файла, в които са добавени 150 реда и са изтрити 0 реда
  1. +17
    -0
      defaults/main.yml
  2. +28
    -0
      tasks/csr.yml
  3. +11
    -0
      tasks/key.yml
  4. +16
    -0
      tasks/main.yml
  5. +4
    -0
      tasks/provider-manual.yml
  6. +17
    -0
      tasks/provider-selfsigned.yml
  7. +5
    -0
      tasks/setup_Debian.yml
  8. +6
    -0
      templates/basic_constraints.json.j2
  9. +16
    -0
      templates/certificate_extensions.cnf.j2
  10. +29
    -0
      templates/csr.cnf.j2
  11. +1
    -0
      vars/main.yml

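--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,17 @@
+certificate_name: "{{ certificate_common_name | regex_replace(' ', '_') }}"
+certificate_file: "{{ certificate_directory }}/{{ certificate_name }}.cert.pem"
+
+certificate_private_directory: "{{ certificate_directory }}/private"
+
+certificate_private_key_file: "{{ certificate_private_directory }}/{{ certificate_name }}.key.pem"
+certificate_private_key_size: 4096
+
+certificate_signing_request_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.pem"
+certificate_signing_request_config_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.cnf"
+
+certificate_authority: false
+certificate_key_usage:
+- digitalSignature
+- keyEncipherment
+#certificate_extended_key_usage:
+# - serverAuth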

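--- a/tasks/csr.yml
+++ b/tasks/csr.yml
@@ -0,0 +1,28 @@
+---
+
+- name: certificate signing request config
+template:
+src: csr.cnf.j2
+dest: "{{ certificate_signing_request_config_file }}"
+
+- name: certificate signing request
+command: openssl req -new
+-config "{{ certificate_signing_request_config_file }}"
+-key "{{ certificate_private_key_file }}"
+-sha256
+-out "{{certificate_signing_request_file}}"
+{{ certificate_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
+args:
+creates: "{{certificate_signing_request_file}}"
+environment:
+PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
+
+- name: certificate signing request info
+command: openssl req -text -noout
+-in "{{certificate_signing_request_file}}"
+changed_when: false
+register: _certificate_signing_request_info
+
+- name: certificate signing request debug
+debug:
+msg: "{{ _certificate_signing_request_info.stdout_lines }}"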
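Review bot: The `creates:` guard on the `certificate signing request` task means the CSR is generated exactly once; any later change to the DN, SANs, key usage or name constraints that the `certificate signing request config` task renders is silently ignored and the stale request keeps being presented (and, in the selfsigned provider, the certificate built from it). Register the template task and a `stat` of the CSR, and drive the command from those instead of `creates:`, as sketched below; the config file should also get an explicit `mode`. Note that the self-signed provider has the same `creates:` guard on the certificate, so regenerating the CSR alone is not enough there.

```yaml
- name: certificate signing request config
  template:
    src: csr.cnf.j2
    dest: "{{ certificate_signing_request_config_file }}"
    mode: "0644"
  register: _certificate_csr_config

- name: check for existing certificate signing request
  stat:
    path: "{{ certificate_signing_request_file }}"
  register: _certificate_csr_stat

- name: certificate signing request
  # … unchanged: openssl req -new command and environment …
  when: _certificate_csr_config is changed or not _certificate_csr_stat.stat.exists
```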

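--- a/tasks/key.yml
+++ b/tasks/key.yml
@@ -0,0 +1,11 @@
+---
+
+- name: private key
+command: openssl genrsa
+-out "{{certificate_private_key_file}}"
+{{ certificate_private_key_password is defined | ternary('-aes256 -passout env:PRIVATE_KEY_PASSWORD','') }}
+{{ certificate_private_key_size }}
+args:
+creates: "{{ certificate_private_key_file }}"
+environment:
+PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"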
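Review bot: Nothing in this task (or elsewhere in the commit) creates `certificate_private_directory` or pins the mode of the generated key: `openssl genrsa -out` is left to choose the file permissions, which recent OpenSSL builds set to 0600 for private keys but older releases leave to the umask, and the `private/` directory is never created, so on a fresh host the command fails outright. Create the directory with `mode: "0700"` before the key and enforce `0600` on the key afterwards (or use the `openssl_privatekey` module, which does both), as below. Because `certificate_private_key_password` reaches the task through `environment:`, add `no_log: true` to the command task so the value cannot surface in verbose or callback output.

```yaml
- name: private key directory
  file:
    path: "{{ certificate_private_directory }}"
    state: directory
    mode: "0700"

- name: private key
  # … unchanged: openssl genrsa command, args, environment …
  no_log: true

- name: private key permissions
  file:
    path: "{{ certificate_private_key_file }}"
    mode: "0600"
```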

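--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+- name: setup
+include: setup_{{ansible_os_family}}.yml
+
+- name: method
+include: "provider-{{ certificate_provider }}.yml"
+
+# - name: info
+# command: openssl x509 -text -noout
+# -in "{{ certificate_file }}"
+# changed_when: false
+# register: _certificate_info
+#
+# - debug:
+# msg: "{{ _certificate_info.stdout_lines }}"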
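Review bot: `include: "provider-{{ certificate_provider }}.yml"` interpolates a variable into the include path with no validation and no default in defaults/main.yml, so an unset value fails with an opaque templating error and a value like `../../other` would pull in an unrelated task file if the variable is ever sourced from less trusted inventory. Guard it before the include with `- assert: { that: certificate_provider in ['manual', 'selfsigned'] }`. The `setup_{{ansible_os_family}}.yml` include has the same shape and only `setup_Debian.yml` exists in this commit, so every other OS family fails at the first task; either add the missing families or add `when: ansible_os_family == 'Debian'` until they exist. Depending on the Ansible version targeted, `include_tasks` is the non-deprecated form of both includes.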

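--- a/tasks/provider-manual.yml
+++ b/tasks/provider-manual.yml
@@ -0,0 +1,4 @@
+---
+
+- include: key.yml
+- include: csr.yml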

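--- a/tasks/provider-selfsigned.yml
+++ b/tasks/provider-selfsigned.yml
@@ -0,0 +1,17 @@
+---
+
+- include: key.yml
+- include: csr.yml
+
+- name: self sign certificate
+command: openssl x509 -req
+-in "{{ certificate_signing_request_file }}"
+-signkey "{{ certificate_private_key_file }}"
+-extfile "{{ certificate_signing_request_config_file }}"
+-extensions certificate_extensions
+-out "{{ certificate_file }}"
+{{ certificate_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
+args:
+creates: "{{ certificate_file }}"
+environment:
+PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"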
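Review bot: The `self sign certificate` command passes no `-days`, so `openssl x509 -req` falls back to its default of 30 days, and the `creates:` guard means the certificate is never reissued afterwards — the role produces a certificate that silently expires a month after the first run. Add an explicit validity such as `-days "{{ certificate_days | default(365) }}"` (with the default declared in defaults/main.yml) and pin the digest with `-sha256` as csr.yml already does, rather than relying on the OpenSSL build's default. For renewal, replace `creates:` with an expiry check (`openssl x509 -checkend 2592000 -noout -in "{{ certificate_file }}"` registered with `failed_when: false` and used in `when:`), so a certificate within 30 days of expiry is regenerated. As in key.yml, the password travels through `environment:`, so `no_log: true` belongs on this task as well.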

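--- a/tasks/setup_Debian.yml
+++ b/tasks/setup_Debian.yml
@@ -0,0 +1,5 @@
+---
+
+- name: install openssl
+apt:
+pkg: openssl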

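--- a/templates/basic_constraints.json.j2
+++ b/templates/basic_constraints.json.j2
@@ -0,0 +1,6 @@
+[
+"CA:{{certificate_authority|ternary('TRUE','FALSE')}}",
+{% if certificate_pathlen is defined %}
+"pathlen:{{certificate_pathlen}}",
+{% endif %}
+]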
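Review bot: The template emits `pathlen:` whenever `certificate_pathlen` is defined, including next to `CA:FALSE`; RFC 5280 only allows pathLenConstraint when the cA flag is asserted, so the condition should be `{% if certificate_authority and certificate_pathlen is defined %}`. The output also keeps a trailing comma inside the brackets, so despite the `.json` name it is not valid JSON — it presumably works only because Ansible coerces the lookup result with Python literal evaluation, which tolerates trailing commas. A one-line comment at the top saying the file is consumed by `lookup('template')` in vars/main.yml and parsed as a Python list, or building a list in the template and rendering it with `| to_json`, would make that dependency explicit.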

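--- a/templates/certificate_extensions.cnf.j2
+++ b/templates/certificate_extensions.cnf.j2
@@ -0,0 +1,16 @@
+{{ ansible_managed | comment }}
+
+[certificate_extensions]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = critical, {{ certificate_basic_constraints | join(', ') }}
+keyUsage = critical, {{ certificate_key_usage | join(', ') }}
+{% if certificate_extended_key_usage is defined and certificate_extended_key_usage %}
+extendedKeyUsage=critical, {{ certificate_extended_key_usage | join(', ') }}
+{% endif %}
+subjectKeyIdentifier = hash
+{% if certificate_alt_names is defined %}
+subjectAltName = {{ certificate_alt_names | join(', ')}}
+{% endif %}
+{% if certificate_name_constraints is defined %}
+nameConstraints = critical, {{ certificate_name_constraints | join(',') }}
+{% endif %}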
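Review bot: `subjectAltName` is only written when `certificate_alt_names` is defined, so by default a certificate carries no SAN at all; for the server certificates the header comment says this section is for, current browsers and Go/Java clients ignore the CN and will reject such a certificate. Consider falling back to the common name when it is a host name — `{% else %}subjectAltName = DNS:{{ certificate_common_name }}{% endif %}` — or at least state in defaults/main.yml that `certificate_alt_names` is required for server certificates. The entries are joined verbatim, so each must already carry its `DNS:`/`IP:`/`email:` prefix; a comment above the `subjectAltName` line such as `# entries must be prefixed, e.g. DNS:host.example.org, IP:10.0.0.1` would save the next user a confusing OpenSSL error.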

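--- a/templates/csr.cnf.j2
+++ b/templates/csr.cnf.j2
@@ -0,0 +1,29 @@
+{{ ansible_managed | comment }}
+
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = certificate_extensions
+prompt = no
+
+[req_distinguished_name]
+{% if certificate_country is defined%}
+C = {{ certificate_country }}
+{% endif %}
+{% if certificate_state is defined%}
+ST = {{certificate_state}}
+{% endif %}
+{% if certificate_locality is defined%}
+L = {{certificate_locality}}
+{% endif %}
+{% if certificate_organization is defined%}
+O = {{certificate_organization}}
+{% endif %}
+{% if certificate_organizational_unit is defined%}/OU=
+OU = {{certificate_organizational_unit}}
+{% endif %}
+CN = {{certificate_common_name}}
+{% if certificate_email_address is defined %}
+emailAddress = {{certificate_email_address}}
+{% endif %}
+
+{% include "certificate_extensions.cnf.j2" %}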
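Review bot: The line `{% if certificate_organizational_unit is defined%}/OU=` has stray text `/OU=` after the closing tag, so whenever `certificate_organizational_unit` is set the rendered config contains a literal `/OU=` line inside `[req_distinguished_name]`, which `openssl req -new` with `prompt = no` will most likely reject as an unknown DN attribute; the tag should end at `%}` with `OU = {{certificate_organizational_unit}}` following on its own line, as for the other fields. The DN values are also inserted unescaped into OpenSSL config syntax, where `$` triggers variable expansion and `#` starts a comment, so a common name or organisation containing either is mangled — and, if the value comes from less trusted inventory, can alter the request; escape or reject such characters (an `assert` on `certificate_common_name is match('^[^$#]+$')` is the simplest guard) before they reach this template. Consistency nit: the `is defined%}` tags lack the space before `%}` used on the `certificate_email_address` line.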

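--- a/vars/main.yml
+++ b/vars/main.yml
@@ -0,0 +1 @@
+certificate_basic_constraints: "{{ lookup('template','basic_constraints.json.j2') }}"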
