
ca setup

master
commit
23f0dcade6
7 changed files with 246 additions and 0 deletions
  1. +4
    -0
      defaults/main.yml
  2. +98
    -0
      tasks/main.yml
  3. +6
    -0
      templates/basic_constraints.json.j2
  4. +9
    -0
      templates/extensions.cnf.j2
  5. +1
    -0
      templates/index.attr.j2
  6. +127
    -0
      templates/openssl.cnf.j2
  7. +1
    -0
      vars/main.yml

+ 4
- 0
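--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,4 @@
+certificate_authority_private_key_size: 4096
+certificate_authority_subject: "{% if certificate_authority_country is defined%}/C={{certificate_authority_country}}{% endif %}{% if certificate_authority_state is defined%}/ST={{certificate_authority_state}}{% endif %}{% if certificate_authority_locality is defined%}/L={{certificate_authority_locality}}{% endif %}{% if certificate_authority_organization is defined%}/O={{certificate_authority_organization}}{% endif %}{% if certificate_authority_organizational_unit is defined%}/OU={{certificate_authority_organizational_unit}}{% endif %}/CN={{certificate_authority_common_name}}"
+certificate_authority_policy: strict
+certificate_authority_unique_subject: no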
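Review bot: `certificate_authority_unique_subject: no` on the last line is a YAML 1.1 truthy spelling; write `certificate_authority_unique_subject: false` so yamllint's `truthy` rule and YAML 1.2 parsers agree on the boolean that `ternary('yes','no')` in templates/index.attr.j2 consumes. Every Jinja tag in the subject also drops the space before `%}` (`is defined%}`), which Jinja tolerates but is worth normalising to `is defined %}`. The DN is assembled by plain concatenation, so a component value containing `/` or `=` is read by `openssl req -subj` as an additional RDN; if these values can come from inventory the role author does not control, validate them (an `assert` task with a regex on each component) before they reach the command. tasks/main.yml additionally reads `certificate_authority_days`, `certificate_authority_type`, `certificate_authority_directory` and `certificate_authority_common_name`, none of which has a default in this file; either add defaults or document them as required inputs.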

+ 98
- 0
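--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,98 @@
+---
+
+# https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
+
+- name: directory
+file:
+path: "{{ certificate_authority_directory }}"
+#mode: 0700
+state: directory
+
+- name: subdirectories
+file:
+path: "{{ certificate_authority_directory }}/{{ item }}"
+#mode: 0700
+state: directory
+with_items:
+- certs
+- crl
+- csr
+- newcerts
+
+- name: private directory
+file:
+path: "{{ certificate_authority_directory }}/private"
+mode: 0700
+state: directory
+
+- name: private key
+command:
+openssl genrsa
+-out private/ca.key.pem {{ certificate_authority_private_key_size }}
+args:
+chdir: "{{ certificate_authority_directory }}"
+creates: "{{ certificate_authority_directory }}/private/ca.key.pem"
+
+- name: openssl config
+template:
+src: openssl.cnf.j2
+dest: "{{ certificate_authority_directory }}/openssl.cnf"
+
+- name: extensions config
+template:
+src: extensions.cnf.j2
+dest: "{{ certificate_authority_directory }}/extensions.cnf"
+
+- name: index config
+template:
+src: index.attr.j2
+dest: "{{ certificate_authority_directory }}/index.attr"
+
+- name: index
+copy:
+content: ""
+dest: "{{ certificate_authority_directory }}/index"
+force: no
+
+- name: serial
+copy:
+content: "00\n"
+dest: "{{ certificate_authority_directory }}/serial"
+force: no
+
+- name: certificate signing request
+command: openssl req -new
+-config openssl.cnf
+-key private/ca.key.pem
+-days {{ certificate_authority_days }}
+-sha256
+-out csr/ca.csr.pem
+-subj "{{ certificate_authority_subject }}"
+args:
+chdir: "{{ certificate_authority_directory }}"
+creates: "{{ certificate_authority_directory }}/csr/ca.csr.pem"
+#when: certificate_authority_type == "intermediate"
+
+- name: self sign certificate
+command: openssl ca -selfsign -batch
+-config openssl.cnf
+-days {{ certificate_authority_days }}
+-extensions certificate_authority
+-in csr/ca.csr.pem
+-out certs/ca.cert.pem
+-subj "{{ certificate_authority_subject }}"
+args:
+chdir: "{{ certificate_authority_directory }}"
+creates: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
+when: certificate_authority_type == "root"
+
+- name: certificate info
+command: openssl x509 -text -noout -in certs/ca.cert.pem
+args:
+chdir: "{{ certificate_authority_directory }}"
+changed_when: false
+register: _certificate_authority_info
+
+- name: show certificate info
+debug:
+msg: "{{ _certificate_authority_info }}"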
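Review bot: The `certificate info` and `show certificate info` tasks run unconditionally, but `certs/ca.cert.pem` is only produced by `self sign certificate`, which is guarded by `when: certificate_authority_type == "root"`; for any other type the play fails at `openssl x509 ... -in certs/ca.cert.pem`, so the same `when:` belongs on both trailing tasks (or the non-root signing path needs to be added before them). In `certificate signing request`, `-days {{ certificate_authority_days }}` is a no-op — `openssl req` honours `-days` only together with `-x509` — and can be dropped. The `command:` strings interpolate variables into one line that Ansible splits with shell-style quoting, so a value containing whitespace or a quote becomes extra arguments; the `argv:` form passes each value as exactly one argument, e.g. `argv: [openssl, genrsa, -out, private/ca.key.pem, "{{ certificate_authority_private_key_size }}"]` with `chdir`/`creates` kept under `args:`. `mode: 0700` in `private directory` should be quoted (`mode: "0700"`) as Ansible's file-module docs recommend, and the CA key written by `genrsa` is unencrypted on disk — a comment stating that this is intended for unattended use (or adding `-aes256` with a passphrase source) would make the trade-off explicit. The rendered page has lost the task indentation, so the nesting of `file:`/`args:` under each `- name:` could not be checked here.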

+ 6
- 0
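--- a/templates/basic_constraints.json.j2
+++ b/templates/basic_constraints.json.j2
@@ -0,0 +1,6 @@
+[
+"CA:TRUE",
+{% if certificate_authority_pathlen is defined %}
+"pathlen:{{certificate_authority_pathlen}}",
+{% endif %}
+]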
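Review bot: When `certificate_authority_pathlen` is undefined the rendered text is `["CA:TRUE",]`, which is not valid JSON despite the file name; it presumably becomes a list only because Ansible's templater converts the string returned by `lookup('template', ...)` in vars/main.yml when it looks like a Python literal, and without that implicit conversion `join(', ')` in templates/extensions.cnf.j2 would run over the characters of a string. Rendering the list without the trailing comma, e.g. `["CA:TRUE"{% if certificate_authority_pathlen is defined %}, "pathlen:{{ certificate_authority_pathlen }}"{% endif %}]`, and applying `| from_json` to the lookup in vars/main.yml makes the conversion explicit and the file genuinely JSON.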

+ 9
- 0
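--- a/templates/extensions.cnf.j2
+++ b/templates/extensions.cnf.j2
@@ -0,0 +1,9 @@
+[ certificate_authority ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, {{ certificate_authority_basic_constraints | join(', ') }}
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+{% if certificate_authority_name_constraints is defined %}
+nameConstraints = critical, {{ certificate_authority_name_constraints | join(',') }}
+{% endif %}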
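Review bot: `nameConstraints = critical, {{ certificate_authority_name_constraints | join(',') }}` assumes the variable is a list; if a caller passes a single string (a constructed example: `permitted;DNS:.example.com`), `join` emits its characters comma-separated and openssl rejects the extension at signing time. An `assert` in tasks/main.yml that `certificate_authority_name_constraints is not string`, or a comment above the line documenting the expected list form, would catch that up front. This file is also rendered standalone to `extensions.cnf` by tasks/main.yml, yet the only consumer visible on this page is the `{% include "extensions.cnf.j2" %}` in templates/openssl.cnf.j2; a comment saying what the standalone copy is for (or dropping that task) would help the next reader.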

+ 1
- 0
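--- a/templates/index.attr.j2
+++ b/templates/index.attr.j2
@@ -0,0 +1 @@
+unique_subject = {{ certificate_authority_unique_subject | ternary('yes','no') }}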
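Review bot: `index.attr` is a file `openssl ca` rewrites itself after each signing, and the same switch is accepted as `unique_subject = yes|no` under `[ CA_default ]` in openssl.cnf; setting it in the config instead lets openssl own `index.attr` and removes this template together with the `index config` task. If the template is kept, a comment above the line noting that openssl overwrites this file on use would avoid surprise when a later run shows it changed outside Ansible.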

+ 127
- 0
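--- a/templates/openssl.cnf.j2
+++ b/templates/openssl.cnf.j2
@@ -0,0 +1,127 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = {{ certificate_authority_directory }}
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_{{ certificate_authority_policy }}
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_strict_org ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = optional
+stateOrProvinceName = optional
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+#x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = {{ certificate_authority_country | default('') }}
+stateOrProvinceName_default = {{ certificate_authority_state | default('') }}
+localityName_default = {{ certificate_authority_locality | default('') }}
+0.organizationName_default = {{ certificate_authority_organization | default('') }}
+organizationalUnitName_default = {{ certificate_authority_organizational_unit | default('') }}
+#emailAddress_default =
+
+{% include "extensions.cnf.j2" %}
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning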
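Review bot: `crlnumber = $dir/crlnumber` under `[ CA_default ]` names a file that tasks/main.yml never creates (only `index` and `serial` are seeded), so the first `openssl ca -gencrl` against this directory fails until someone writes it by hand; seed it the same way as `serial` (a `copy` task with `force: no` and a small hex start value) or state in a comment that CRL generation is out of scope for this role. `policy = policy_{{ certificate_authority_policy }}` accepts any string and a typo surfaces only as an openssl error at signing time; an `assert` in tasks/main.yml that the value is one of `strict`, `strict_org`, `loose` catches it up front. `dir = {{ certificate_authority_directory }}` is unquoted, so a directory path containing spaces or `$` breaks config parsing — `dir = "{{ certificate_authority_directory }}"` is accepted by openssl. `serial` seeded with `00` gives sequential, predictable serial numbers, which is fine for a lab CA but for anything wider `rand_serial = yes` (OpenSSL 1.1.1 and later) in `[ CA_default ]` is the simpler choice. `default_days = 375` is hard-coded while the `ca` invocation in tasks/main.yml passes `-days {{ certificate_authority_days }}`; a comment noting that the command-line value takes precedence and that 375 only applies to invocations without `-days` would avoid confusion.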

+ 1
- 0
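--- a/vars/main.yml
+++ b/vars/main.yml
@@ -0,0 +1 @@
+certificate_authority_basic_constraints: "{{ lookup('template','basic_constraints.json.j2') }}"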
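Review bot: `vars/main.yml` sits near the top of Ansible's variable precedence, so `certificate_authority_basic_constraints` cannot be overridden from inventory, group_vars or play vars the way everything in defaults/main.yml can. If callers are meant to supply their own constraints, move the line to defaults/main.yml; if it is meant to be purely derived from `certificate_authority_pathlen`, a comment above it saying so (`# derived from certificate_authority_pathlen; set that variable instead of overriding this one`) would explain the placement.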
