commit
23f0dcade6
7 changed files with 246 additions and 0 deletions
Split View
Diff Options
-
+4 -0defaults/main.yml
-
+98 -0tasks/main.yml
-
+6 -0templates/basic_constraints.json.j2
-
+9 -0templates/extensions.cnf.j2
-
+1 -0templates/index.attr.j2
-
+127 -0templates/openssl.cnf.j2
-
+1 -0vars/main.yml
+ 4
- 0
defaults/main.yml
View File
| @@ -0,0 +1,4 @@ | |||
| certificate_authority_private_key_size: 4096 | |||
| certificate_authority_subject: "{% if certificate_authority_country is defined%}/C={{certificate_authority_country}}{% endif %}{% if certificate_authority_state is defined%}/ST={{certificate_authority_state}}{% endif %}{% if certificate_authority_locality is defined%}/L={{certificate_authority_locality}}{% endif %}{% if certificate_authority_organization is defined%}/O={{certificate_authority_organization}}{% endif %}{% if certificate_authority_organizational_unit is defined%}/OU={{certificate_authority_organizational_unit}}{% endif %}/CN={{certificate_authority_common_name}}" | |||
| certificate_authority_policy: strict | |||
| certificate_authority_unique_subject: no | |||
+ 98
- 0
tasks/main.yml
View File
| @@ -0,0 +1,98 @@ | |||
| --- | |||
| # https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html | |||
| - name: directory | |||
| file: | |||
| path: "{{ certificate_authority_directory }}" | |||
| #mode: 0700 | |||
| state: directory | |||
| - name: subdirectories | |||
| file: | |||
| path: "{{ certificate_authority_directory }}/{{ item }}" | |||
| #mode: 0700 | |||
| state: directory | |||
| with_items: | |||
| - certs | |||
| - crl | |||
| - csr | |||
| - newcerts | |||
| - name: private directory | |||
| file: | |||
| path: "{{ certificate_authority_directory }}/private" | |||
| mode: 0700 | |||
| state: directory | |||
| - name: private key | |||
| command: | |||
| openssl genrsa | |||
| -out private/ca.key.pem {{ certificate_authority_private_key_size }} | |||
| args: | |||
| chdir: "{{ certificate_authority_directory }}" | |||
| creates: "{{ certificate_authority_directory }}/private/ca.key.pem" | |||
| - name: openssl config | |||
| template: | |||
| src: openssl.cnf.j2 | |||
| dest: "{{ certificate_authority_directory }}/openssl.cnf" | |||
| - name: extensions config | |||
| template: | |||
| src: extensions.cnf.j2 | |||
| dest: "{{ certificate_authority_directory }}/extensions.cnf" | |||
| - name: index config | |||
| template: | |||
| src: index.attr.j2 | |||
| dest: "{{ certificate_authority_directory }}/index.attr" | |||
| - name: index | |||
| copy: | |||
| content: "" | |||
| dest: "{{ certificate_authority_directory }}/index" | |||
| force: no | |||
| - name: serial | |||
| copy: | |||
| content: "00\n" | |||
| dest: "{{ certificate_authority_directory }}/serial" | |||
| force: no | |||
| - name: certificate signing request | |||
| command: openssl req -new | |||
| -config openssl.cnf | |||
| -key private/ca.key.pem | |||
| -days {{ certificate_authority_days }} | |||
| -sha256 | |||
| -out csr/ca.csr.pem | |||
| -subj "{{ certificate_authority_subject }}" | |||
| args: | |||
| chdir: "{{ certificate_authority_directory }}" | |||
| creates: "{{ certificate_authority_directory }}/csr/ca.csr.pem" | |||
| #when: certificate_authority_type == "intermediate" | |||
| - name: self sign certificate | |||
| command: openssl ca -selfsign -batch | |||
| -config openssl.cnf | |||
| -days {{ certificate_authority_days }} | |||
| -extensions certificate_authority | |||
| -in csr/ca.csr.pem | |||
| -out certs/ca.cert.pem | |||
| -subj "{{ certificate_authority_subject }}" | |||
| args: | |||
| chdir: "{{ certificate_authority_directory }}" | |||
| creates: "{{ certificate_authority_directory }}/certs/ca.cert.pem" | |||
| when: certificate_authority_type == "root" | |||
| - name: certificate info | |||
| command: openssl x509 -text -noout -in certs/ca.cert.pem | |||
| args: | |||
| chdir: "{{ certificate_authority_directory }}" | |||
| changed_when: false | |||
| register: _certificate_authority_info | |||
| - name: show certificate info | |||
| debug: | |||
| msg: "{{ _certificate_authority_info }}" | |||
+ 6
- 0
templates/basic_constraints.json.j2
View File
| @@ -0,0 +1,6 @@ | |||
| [ | |||
| "CA:TRUE", | |||
| {% if certificate_authority_pathlen is defined %} | |||
| "pathlen:{{certificate_authority_pathlen}}", | |||
| {% endif %} | |||
| ] | |||
+ 9
- 0
templates/extensions.cnf.j2
View File
| @@ -0,0 +1,9 @@ | |||
| [ certificate_authority ] | |||
| # Extensions for a typical CA (`man x509v3_config`). | |||
| subjectKeyIdentifier = hash | |||
| authorityKeyIdentifier = keyid:always,issuer | |||
| basicConstraints = critical, {{ certificate_authority_basic_constraints | join(', ') }} | |||
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |||
| {% if certificate_authority_name_constraints is defined %} | |||
| nameConstraints = critical, {{ certificate_authority_name_constraints | join(',') }} | |||
| {% endif %} | |||
+ 1
- 0
templates/index.attr.j2
View File
| @@ -0,0 +1 @@ | |||
| unique_subject = {{ certificate_authority_unique_subject | ternary('yes','no') }} | |||
+ 127
- 0
templates/openssl.cnf.j2
View File
| @@ -0,0 +1,127 @@ | |||
| [ ca ] | |||
| # `man ca` | |||
| default_ca = CA_default | |||
| [ CA_default ] | |||
| # Directory and file locations. | |||
| dir = {{ certificate_authority_directory }} | |||
| certs = $dir/certs | |||
| crl_dir = $dir/crl | |||
| new_certs_dir = $dir/newcerts | |||
| database = $dir/index | |||
| serial = $dir/serial | |||
| RANDFILE = $dir/private/.rand | |||
| # The root key and root certificate. | |||
| private_key = $dir/private/ca.key.pem | |||
| certificate = $dir/certs/ca.cert.pem | |||
| # For certificate revocation lists. | |||
| crlnumber = $dir/crlnumber | |||
| crl = $dir/crl/ca.crl.pem | |||
| crl_extensions = crl_ext | |||
| default_crl_days = 30 | |||
| # SHA-1 is deprecated, so use SHA-2 instead. | |||
| default_md = sha256 | |||
| name_opt = ca_default | |||
| cert_opt = ca_default | |||
| default_days = 375 | |||
| preserve = no | |||
| policy = policy_{{ certificate_authority_policy }} | |||
| [ policy_strict ] | |||
| # The root CA should only sign intermediate certificates that match. | |||
| # See the POLICY FORMAT section of `man ca`. | |||
| countryName = match | |||
| stateOrProvinceName = match | |||
| organizationName = match | |||
| organizationalUnitName = optional | |||
| commonName = supplied | |||
| emailAddress = optional | |||
| [ policy_strict_org ] | |||
| # The root CA should only sign intermediate certificates that match. | |||
| # See the POLICY FORMAT section of `man ca`. | |||
| countryName = optional | |||
| stateOrProvinceName = optional | |||
| organizationName = match | |||
| organizationalUnitName = optional | |||
| commonName = supplied | |||
| emailAddress = optional | |||
| [ policy_loose ] | |||
| # Allow the intermediate CA to sign a more diverse range of certificates. | |||
| # See the POLICY FORMAT section of the `ca` man page. | |||
| countryName = optional | |||
| stateOrProvinceName = optional | |||
| localityName = optional | |||
| organizationName = optional | |||
| organizationalUnitName = optional | |||
| commonName = supplied | |||
| emailAddress = optional | |||
| [ req ] | |||
| # Options for the `req` tool (`man req`). | |||
| default_bits = 2048 | |||
| distinguished_name = req_distinguished_name | |||
| string_mask = utf8only | |||
| # SHA-1 is deprecated, so use SHA-2 instead. | |||
| default_md = sha256 | |||
| # Extension to add when the -x509 option is used. | |||
| #x509_extensions = v3_ca | |||
| [ req_distinguished_name ] | |||
| # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. | |||
| countryName = Country Name (2 letter code) | |||
| stateOrProvinceName = State or Province Name | |||
| localityName = Locality Name | |||
| 0.organizationName = Organization Name | |||
| organizationalUnitName = Organizational Unit Name | |||
| commonName = Common Name | |||
| emailAddress = Email Address | |||
| # Optionally, specify some defaults. | |||
| countryName_default = {{ certificate_authority_country | default('') }} | |||
| stateOrProvinceName_default = {{ certificate_authority_state | default('') }} | |||
| localityName_default = {{ certificate_authority_locality | default('') }} | |||
| 0.organizationName_default = {{ certificate_authority_organization | default('') }} | |||
| organizationalUnitName_default = {{ certificate_authority_organizational_unit | default('') }} | |||
| #emailAddress_default = | |||
| {% include "extensions.cnf.j2" %} | |||
| [ usr_cert ] | |||
| # Extensions for client certificates (`man x509v3_config`). | |||
| basicConstraints = CA:FALSE | |||
| nsCertType = client, email | |||
| nsComment = "OpenSSL Generated Client Certificate" | |||
| subjectKeyIdentifier = hash | |||
| authorityKeyIdentifier = keyid,issuer | |||
| keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment | |||
| extendedKeyUsage = clientAuth, emailProtection | |||
| [ server_cert ] | |||
| # Extensions for server certificates (`man x509v3_config`). | |||
| basicConstraints = CA:FALSE | |||
| nsCertType = server | |||
| nsComment = "OpenSSL Generated Server Certificate" | |||
| subjectKeyIdentifier = hash | |||
| authorityKeyIdentifier = keyid,issuer:always | |||
| keyUsage = critical, digitalSignature, keyEncipherment | |||
| extendedKeyUsage = serverAuth | |||
| [ crl_ext ] | |||
| # Extension for CRLs (`man x509v3_config`). | |||
| authorityKeyIdentifier=keyid:always | |||
| [ ocsp ] | |||
| # Extension for OCSP signing certificates (`man ocsp`). | |||
| basicConstraints = CA:FALSE | |||
| subjectKeyIdentifier = hash | |||
| authorityKeyIdentifier = keyid,issuer | |||
| keyUsage = critical, digitalSignature | |||
| extendedKeyUsage = critical, OCSPSigning | |||
+ 1
- 0
vars/main.yml
View File
| @@ -0,0 +1 @@ | |||
| certificate_authority_basic_constraints: "{{ lookup('template','basic_constraints.json.j2') }}" | |||