certificate generation

7 vuotta sitten · 34f26afd00
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,17 @@
 certificate_name: "{{ certificate_common_name | regex_replace(' ', '_') }}"
 certificate_file: "{{ certificate_directory }}/{{ certificate_name }}.cert.pem"

 certificate_private_directory: "{{ certificate_directory }}/private"

 certificate_private_key_file: "{{ certificate_private_directory }}/{{ certificate_name }}.key.pem"
 certificate_private_key_size: 4096

 certificate_signing_request_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.pem"
 certificate_signing_request_config_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.cnf"

 certificate_authority: false
 certificate_key_usage:
  - digitalSignature
  - keyEncipherment
 #certificate_extended_key_usage:
 #  - serverAuth
--- a/tasks/csr.yml
+++ b/tasks/csr.yml
@@ -0,0 +1,28 @@
 ---

 - name: certificate signing request config
  template:
    src: csr.cnf.j2
    dest: "{{ certificate_signing_request_config_file }}"

 - name: certificate signing request
  command: openssl req -new
    -config "{{ certificate_signing_request_config_file }}"
    -key "{{ certificate_private_key_file }}"
    -sha256
    -out "{{certificate_signing_request_file}}"
    {{ certificate_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
  args:
    creates: "{{certificate_signing_request_file}}"
  environment:
    PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"

 - name: certificate signing request info
  command: openssl req -text -noout
    -in "{{certificate_signing_request_file}}"
  changed_when: false
  register: _certificate_signing_request_info

 - name: certificate signing request debug
  debug:
    msg: "{{ _certificate_signing_request_info.stdout_lines }}"
--- a/tasks/key.yml
+++ b/tasks/key.yml
@@ -0,0 +1,11 @@
 ---

 - name: private key
  command: openssl genrsa
    -out "{{certificate_private_key_file}}"
    {{ certificate_private_key_password is defined | ternary('-aes256 -passout env:PRIVATE_KEY_PASSWORD','') }}
    {{ certificate_private_key_size }}
  args:
    creates: "{{ certificate_private_key_file }}"
  environment:
    PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,16 @@
 ---

 - name: setup
  include: setup_{{ansible_os_family}}.yml

 - name: method
  include: "provider-{{ certificate_provider }}.yml"

 # - name: info
 #   command: openssl x509 -text -noout
 #     -in "{{ certificate_file }}"
 #   changed_when: false
 #   register: _certificate_info
 #
 # - debug:
 #     msg: "{{ _certificate_info.stdout_lines }}"
--- a/tasks/provider-manual.yml
+++ b/tasks/provider-manual.yml
@@ -0,0 +1,4 @@
 ---

 - include: key.yml
 - include: csr.yml
--- a/tasks/provider-selfsigned.yml
+++ b/tasks/provider-selfsigned.yml
@@ -0,0 +1,17 @@
 ---

 - include: key.yml
 - include: csr.yml

 - name: self sign certificate
  command: openssl x509 -req
    -in "{{ certificate_signing_request_file }}"
    -signkey "{{ certificate_private_key_file }}"
    -extfile "{{ certificate_signing_request_config_file }}"
    -extensions certificate_extensions
    -out "{{ certificate_file }}"
    {{ certificate_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
  args:
    creates: "{{ certificate_file }}"
  environment:
    PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
--- a/tasks/setup_Debian.yml
+++ b/tasks/setup_Debian.yml
@@ -0,0 +1,5 @@
 ---

 - name: install openssl
  apt:
    pkg: openssl
--- a/templates/basic_constraints.json.j2
+++ b/templates/basic_constraints.json.j2
@@ -0,0 +1,6 @@
 [
 "CA:{{certificate_authority|ternary('TRUE','FALSE')}}",
 {% if certificate_pathlen is defined %}
 "pathlen:{{certificate_pathlen}}",
 {% endif %}
 ]
--- a/templates/certificate_extensions.cnf.j2
+++ b/templates/certificate_extensions.cnf.j2
@@ -0,0 +1,16 @@
 {{ ansible_managed | comment }}

 [certificate_extensions]
 # Extensions for server certificates (`man x509v3_config`).
 basicConstraints = critical, {{ certificate_basic_constraints | join(', ') }}
 keyUsage = critical, {{ certificate_key_usage | join(', ') }}
 {% if certificate_extended_key_usage is defined  and  certificate_extended_key_usage %}
 extendedKeyUsage=critical, {{ certificate_extended_key_usage | join(', ') }}
 {% endif %}
 subjectKeyIdentifier = hash
 {% if certificate_alt_names is defined %}
 subjectAltName = {{ certificate_alt_names | join(', ')}}
 {% endif %}
 {% if certificate_name_constraints is defined %}
 nameConstraints = critical, {{ certificate_name_constraints | join(',') }}
 {% endif %}
--- a/templates/csr.cnf.j2
+++ b/templates/csr.cnf.j2
@@ -0,0 +1,29 @@
 {{ ansible_managed | comment }}

 [req]
 distinguished_name = req_distinguished_name
 req_extensions = certificate_extensions
 prompt = no

 [req_distinguished_name]
 {% if certificate_country is defined%}
 C = {{ certificate_country }}
 {% endif %}
 {% if certificate_state is defined%}
 ST = {{certificate_state}}
 {% endif %}
 {% if certificate_locality is defined%}
 L = {{certificate_locality}}
 {% endif %}
 {% if certificate_organization is defined%}
 O = {{certificate_organization}}
 {% endif %}
 {% if certificate_organizational_unit is defined%}/OU=
 OU = {{certificate_organizational_unit}}
 {% endif %}
 CN = {{certificate_common_name}}
 {% if certificate_email_address is defined %}
 emailAddress = {{certificate_email_address}}
 {% endif %}

 {% include "certificate_extensions.cnf.j2" %}
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -0,0 +1 @@
 certificate_basic_constraints: "{{ lookup('template','basic_constraints.json.j2') }}"