ca setup

defaults/main.yml

@@ -0,0 +1,4 @@
+certificate_authority_private_key_size: 4096
+certificate_authority_subject: "{% if certificate_authority_country is defined%}/C={{certificate_authority_country}}{% endif %}{% if certificate_authority_state is defined%}/ST={{certificate_authority_state}}{% endif %}{% if certificate_authority_locality is defined%}/L={{certificate_authority_locality}}{% endif %}{% if certificate_authority_organization is defined%}/O={{certificate_authority_organization}}{% endif %}{% if certificate_authority_organizational_unit is defined%}/OU={{certificate_authority_organizational_unit}}{% endif %}/CN={{certificate_authority_common_name}}"
+certificate_authority_policy: strict
+certificate_authority_unique_subject: no

tasks/main.yml

@@ -0,0 +1,98 @@
+---
+
+# https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
+
+- name: directory
+  file:
+    path: "{{ certificate_authority_directory }}"
+    #mode: 0700
+    state: directory
+
+- name: subdirectories
+  file:
+    path: "{{ certificate_authority_directory }}/{{ item }}"
+    #mode: 0700
+    state: directory
+  with_items:
+    - certs
+    - crl
+    - csr
+    - newcerts
+
+- name: private directory
+  file:
+    path: "{{ certificate_authority_directory }}/private"
+    mode: 0700
+    state: directory
+
+- name: private key
+  command:
+    openssl genrsa
+    -out private/ca.key.pem {{ certificate_authority_private_key_size }}
+  args:
+    chdir: "{{ certificate_authority_directory }}"
+    creates: "{{ certificate_authority_directory }}/private/ca.key.pem"
+
+- name: openssl config
+  template:
+    src: openssl.cnf.j2
+    dest: "{{ certificate_authority_directory }}/openssl.cnf"
+
+- name: extensions config
+  template:
+    src: extensions.cnf.j2
+    dest: "{{ certificate_authority_directory }}/extensions.cnf"
+
+- name: index config
+  template:
+    src: index.attr.j2
+    dest: "{{ certificate_authority_directory }}/index.attr"
+
+- name: index
+  copy:
+    content: ""
+    dest: "{{ certificate_authority_directory }}/index"
+    force: no
+
+- name: serial
+  copy:
+    content: "00\n"
+    dest: "{{ certificate_authority_directory }}/serial"
+    force: no
+
+- name: certificate signing request
+  command: openssl req -new
+    -config openssl.cnf
+    -key private/ca.key.pem
+    -days {{ certificate_authority_days }}
+    -sha256
+    -out csr/ca.csr.pem
+    -subj "{{ certificate_authority_subject }}"
+  args:
+    chdir: "{{ certificate_authority_directory }}"
+    creates: "{{ certificate_authority_directory }}/csr/ca.csr.pem"
+  #when: certificate_authority_type == "intermediate"
+
+- name: self sign certificate
+  command: openssl ca -selfsign -batch
+    -config openssl.cnf
+    -days {{ certificate_authority_days }}
+    -extensions certificate_authority
+    -in csr/ca.csr.pem
+    -out certs/ca.cert.pem
+    -subj "{{ certificate_authority_subject }}"
+  args:
+    chdir: "{{ certificate_authority_directory }}"
+    creates: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
+  when: certificate_authority_type == "root"
+
+- name: certificate info
+  command: openssl x509 -text -noout -in certs/ca.cert.pem
+  args:
+    chdir: "{{ certificate_authority_directory }}"
+  changed_when: false
+  register: _certificate_authority_info
+
+- name: show certificate info
+  debug:
+    msg: "{{ _certificate_authority_info }}"

templates/basic_constraints.json.j2

@@ -0,0 +1,6 @@
+[
+"CA:TRUE",
+{% if certificate_authority_pathlen is defined %}
+"pathlen:{{certificate_authority_pathlen}}",
+{% endif %}
+]

templates/extensions.cnf.j2

@@ -0,0 +1,9 @@
+[ certificate_authority ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, {{ certificate_authority_basic_constraints | join(', ') }}
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+{% if certificate_authority_name_constraints is defined %}
+nameConstraints = critical, {{ certificate_authority_name_constraints | join(',') }}
+{% endif %}

templates/index.attr.j2

@@ -0,0 +1 @@
+unique_subject = {{ certificate_authority_unique_subject | ternary('yes','no') }}

templates/openssl.cnf.j2

@@ -0,0 +1,127 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = {{ certificate_authority_directory }}
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/ca.key.pem
+certificate       = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_{{ certificate_authority_policy }}
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_strict_org ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+#x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = {{ certificate_authority_country | default('') }}
+stateOrProvinceName_default     = {{ certificate_authority_state | default('') }}
+localityName_default            = {{ certificate_authority_locality | default('') }}
+0.organizationName_default      = {{ certificate_authority_organization | default('') }}
+organizationalUnitName_default  = {{ certificate_authority_organizational_unit | default('') }}
+#emailAddress_default           =
+
+{% include "extensions.cnf.j2" %}
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning

vars/main.yml

@@ -0,0 +1 @@
+certificate_authority_basic_constraints: "{{ lookup('template','basic_constraints.json.j2') }}"