use certificate role

defaults/main.yml

@@ -1,4 +1,2 @@
-certificate_authority_private_key_size: 4096
-certificate_authority_subject: "{% if certificate_authority_country is defined%}/C={{certificate_authority_country}}{% endif %}{% if certificate_authority_state is defined%}/ST={{certificate_authority_state}}{% endif %}{% if certificate_authority_locality is defined%}/L={{certificate_authority_locality}}{% endif %}{% if certificate_authority_organization is defined%}/O={{certificate_authority_organization}}{% endif %}{% if certificate_authority_organizational_unit is defined%}/OU={{certificate_authority_organizational_unit}}{% endif %}/CN={{certificate_authority_common_name}}"
 certificate_authority_policy: strict
 certificate_authority_unique_subject: no

tasks/directory.yml

@@ -0,0 +1,48 @@
+---
+
+# setup ca directory
+
+- name: directory
+  file:
+    path: "{{ certificate_authority_directory }}"
+    #mode: 0700
+    state: directory
+
+- name: subdirectories
+  file:
+    path: "{{ certificate_authority_directory }}/{{ item }}"
+    #mode: 0700
+    state: directory
+  with_items:
+    - certs
+    - crl
+    - csr
+    - newcerts
+
+- name: private directory
+  file:
+    path: "{{ certificate_authority_directory }}/private"
+    mode: 0700
+    state: directory
+
+- name: index
+  copy:
+    content: ""
+    dest: "{{ certificate_authority_directory }}/index"
+    force: no
+
+- name: index config
+  template:
+    src: index.attr.j2
+    dest: "{{ certificate_authority_directory }}/index.attr"
+
+- name: serial
+  copy:
+    content: "00\n"
+    dest: "{{ certificate_authority_directory }}/serial"
+    force: no
+
+- name: openssl config
+  template:
+    src: openssl.cnf.j2
+    dest: "{{ certificate_authority_directory }}/openssl.cnf"

tasks/main.yml

@@ -2,89 +2,35 @@
 
 # https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
 
-- name: directory
-  file:
-    path: "{{ certificate_authority_directory }}"
-    #mode: 0700
-    state: directory
-
-- name: subdirectories
-  file:
-    path: "{{ certificate_authority_directory }}/{{ item }}"
-    #mode: 0700
-    state: directory
-  with_items:
-    - certs
-    - crl
-    - csr
-    - newcerts
-
-- name: private directory
-  file:
-    path: "{{ certificate_authority_directory }}/private"
-    mode: 0700
-    state: directory
-
-- name: private key
-  command:
-    openssl genrsa
-    -out private/ca.key.pem
-    {{ certificate_authority_private_key_size }}
-  args:
-    chdir: "{{ certificate_authority_directory }}"
-    creates: "{{ certificate_authority_directory }}/private/ca.key.pem"
-
-- name: openssl config
-  template:
-    src: openssl.cnf.j2
-    dest: "{{ certificate_authority_directory }}/openssl.cnf"
-
-- name: extensions config
-  template:
-    src: extensions.cnf.j2
-    dest: "{{ certificate_authority_directory }}/extensions.cnf"
-
-- name: index config
-  template:
-    src: index.attr.j2
-    dest: "{{ certificate_authority_directory }}/index.attr"
-
-- name: index
-  copy:
-    content: ""
-    dest: "{{ certificate_authority_directory }}/index"
-    force: no
-
-- name: serial
-  copy:
-    content: "00\n"
-    dest: "{{ certificate_authority_directory }}/serial"
-    force: no
-
-- name: certificate signing request
-  command: openssl req -new
-    -config openssl.cnf
-    -key private/ca.key.pem
-    -days {{ certificate_authority_days }}
-    -sha256
-    -out csr/ca.csr.pem
-    -subj "{{ certificate_authority_subject }}"
-  args:
-    chdir: "{{ certificate_authority_directory }}"
-    creates: "{{ certificate_authority_directory }}/csr/ca.csr.pem"
-  #when: certificate_authority_type == "intermediate"
+- include: directory.yml
+
+- include_role:
+    name: certificate
+  vars:
+    certificate_name: ca
+    certificate_provider: manual
+    certificate_authority: true
+    certificate_key_usage:
+      - digitalSignature
+      - cRLSign
+      - keyCertSign
+    certificate_directory: "{{ certificate_authority_directory }}"
+    certificate_file: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
+    certificate_signing_request_file: "{{ certificate_authority_directory }}/csr/ca.csr.pem"
+    certificate_signing_request_config_file: "{{ certificate_authority_directory }}/csr/ca.csr.cnf"
+    certificate_private_key_file: "{{ certificate_authority_directory }}/private/ca.key.pem"
 
 - name: self sign certificate
-  command: openssl ca -selfsign -batch
+  command: openssl ca -selfsign -batch -notext
     -config openssl.cnf
-    -days {{ certificate_authority_days }}
-    -extensions certificate_authority
     -in csr/ca.csr.pem
     -out certs/ca.cert.pem
-    -subj "{{ certificate_authority_subject }}"
+    {{ certificate_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
   args:
     chdir: "{{ certificate_authority_directory }}"
     creates: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
+  environment:
+    PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
   when: certificate_authority_type == "root"
 
 - name: certificate info
@@ -94,6 +40,6 @@
   changed_when: false
   register: _certificate_authority_info
 
-- name: show certificate info
+- name: certificate debug
   debug:
-    msg: "{{ _certificate_authority_info }}"
+    msg: "{{ _certificate_authority_info.stdout_lines }}"

templates/basic_constraints.json.j2

@@ -1,6 +0,0 @@
-[
-"CA:TRUE",
-{% if certificate_authority_pathlen is defined %}
-"pathlen:{{certificate_authority_pathlen}}",
-{% endif %}
-]

templates/extensions.cnf.j2

@@ -1,9 +0,0 @@
-[ certificate_authority ]
-# Extensions for a typical CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, {{ certificate_authority_basic_constraints | join(', ') }}
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-{% if certificate_authority_name_constraints is defined %}
-nameConstraints = critical, {{ certificate_authority_name_constraints | join(',') }}
-{% endif %}

templates/openssl.cnf.j2

@@ -1,3 +1,5 @@
+{{ ansible_managed | comment }}
+
 [ ca ]
 # `man ca`
 default_ca = CA_default
@@ -27,10 +29,13 @@ default_md        = sha256
 
 name_opt          = ca_default
 cert_opt          = ca_default
-default_days      = 375
 preserve          = no
 policy            = policy_{{ certificate_authority_policy }}
 
+copy_extensions   = copy
+
+default_enddate   = {{ lookup('pipe','date -u --date="'+(certificate_authority_enddate|string)+'" +%Y%m%d%H%M%SZ') }}
+
 [ policy_strict ]
 # The root CA should only sign intermediate certificates that match.
 # See the POLICY FORMAT section of `man ca`.
@@ -92,23 +97,17 @@ localityName_default            = {{ certificate_authority_locality | default(''
 organizationalUnitName_default  = {{ certificate_authority_organizational_unit | default('') }}
 #emailAddress_default           =
 
-{% include "extensions.cnf.j2" %}
-
 [ usr_cert ]
 # Extensions for client certificates (`man x509v3_config`).
 basicConstraints = CA:FALSE
-nsCertType = client, email
-nsComment = "OpenSSL Generated Client Certificate"
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
+authorityKeyIdentifier = keyid,issuer:always
 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth, emailProtection
 
 [ server_cert ]
 # Extensions for server certificates (`man x509v3_config`).
 basicConstraints = CA:FALSE
-nsCertType = server
-nsComment = "OpenSSL Generated Server Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 keyUsage = critical, digitalSignature, keyEncipherment