diff --git a/defaults/main.yml b/defaults/main.yml
index 14a443c..1a842d4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,4 +1,2 @@
-certificate_authority_private_key_size: 4096
-certificate_authority_subject: "{% if certificate_authority_country is defined%}/C={{certificate_authority_country}}{% endif %}{% if certificate_authority_state is defined%}/ST={{certificate_authority_state}}{% endif %}{% if certificate_authority_locality is defined%}/L={{certificate_authority_locality}}{% endif %}{% if certificate_authority_organization is defined%}/O={{certificate_authority_organization}}{% endif %}{% if certificate_authority_organizational_unit is defined%}/OU={{certificate_authority_organizational_unit}}{% endif %}/CN={{certificate_authority_common_name}}"
 certificate_authority_policy: strict
 certificate_authority_unique_subject: no
diff --git a/tasks/directory.yml b/tasks/directory.yml
new file mode 100644
index 0000000..92612f4
--- /dev/null
+++ b/tasks/directory.yml
@@ -0,0 +1,48 @@
+---
+
+# setup ca directory
+
+- name: directory
+  file:
+    path: "{{ certificate_authority_directory }}"
+    #mode: 0700
+    state: directory
+
+- name: subdirectories
+  file:
+    path: "{{ certificate_authority_directory }}/{{ item }}"
+    #mode: 0700
+    state: directory
+  with_items:
+    - certs
+    - crl
+    - csr
+    - newcerts
+
+- name: private directory
+  file:
+    path: "{{ certificate_authority_directory }}/private"
+    mode: 0700
+    state: directory
+
+- name: index
+  copy:
+    content: ""
+    dest: "{{ certificate_authority_directory }}/index"
+    force: no
+
+- name: index config
+  template:
+    src: index.attr.j2
+    dest: "{{ certificate_authority_directory }}/index.attr"
+
+- name: serial
+  copy:
+    content: "00\n"
+    dest: "{{ certificate_authority_directory }}/serial"
+    force: no
+
+- name: openssl config
+  template:
+    src: openssl.cnf.j2
+    dest: "{{ certificate_authority_directory }}/openssl.cnf"
diff --git a/tasks/main.yml b/tasks/main.yml
index 02aa6fc..c1cc0fd 100644
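Review bot: In tasks/directory.yml the CA directory and the `certs`, `crl`, `csr` and `newcerts` subdirectories are created without a `mode`, so their permissions depend on the remote umask, while the commented-out `#mode: 0700` lines on the `directory` and `subdirectories` tasks leave the intended permissions unclear. Either remove the dead comments or set the mode explicitly, e.g. `mode: "0755"`, so the resulting layout is deterministic; the same applies to the `index`, `serial` and `openssl.cnf` tasks, which also set no `mode`. The `private` directory is correctly restricted to `0700`. For the YAML itself, writing `mode: "0700"` (quoted) and `force: false` avoids the octal and truthy ambiguities that ansible-lint flags.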
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -2,89 +2,35 @@
 # https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
 
 
-- name: directory
-  file:
-    path: "{{ certificate_authority_directory }}"
-    #mode: 0700
-    state: directory
-
-- name: subdirectories
-  file:
-    path: "{{ certificate_authority_directory }}/{{ item }}"
-    #mode: 0700
-    state: directory
-  with_items:
-    - certs
-    - crl
-    - csr
-    - newcerts
-
-- name: private directory
-  file:
-    path: "{{ certificate_authority_directory }}/private"
-    mode: 0700
-    state: directory
-
-- name: private key
-  command:
-    openssl genrsa
-    -out private/ca.key.pem
-    {{ certificate_authority_private_key_size }}
-  args:
-    chdir: "{{ certificate_authority_directory }}"
-    creates: "{{ certificate_authority_directory }}/private/ca.key.pem"
-
-- name: openssl config
-  template:
-    src: openssl.cnf.j2
-    dest: "{{ certificate_authority_directory }}/openssl.cnf"
-
-- name: extensions config
-  template:
-    src: extensions.cnf.j2
-    dest: "{{ certificate_authority_directory }}/extensions.cnf"
-
-- name: index config
-  template:
-    src: index.attr.j2
-    dest: "{{ certificate_authority_directory }}/index.attr"
-
-- name: index
-  copy:
-    content: ""
-    dest: "{{ certificate_authority_directory }}/index"
-    force: no
-
-- name: serial
-  copy:
-    content: "00\n"
-    dest: "{{ certificate_authority_directory }}/serial"
-    force: no
-
-- name: certificate signing request
-  command: openssl req -new
-    -config openssl.cnf
-    -key private/ca.key.pem
-    -days {{ certificate_authority_days }}
-    -sha256
-    -out csr/ca.csr.pem
-    -subj "{{ certificate_authority_subject }}"
-  args:
-    chdir: "{{ certificate_authority_directory }}"
-    creates: "{{ certificate_authority_directory }}/csr/ca.csr.pem"
-  #when: certificate_authority_type == "intermediate"
+- include: directory.yml
+
+- include_role:
+    name: certificate
+  vars:
+    certificate_name: ca
+    certificate_provider: manual
+    certificate_authority: true
+    certificate_key_usage:
+      - digitalSignature
+      - cRLSign
+      - keyCertSign
+    certificate_directory: "{{ certificate_authority_directory }}"
+    certificate_file: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
+    certificate_signing_request_file: "{{ certificate_authority_directory }}/csr/ca.csr.pem"
+    certificate_signing_request_config_file: "{{ certificate_authority_directory }}/csr/ca.csr.cnf"
+    certificate_private_key_file: "{{ certificate_authority_directory }}/private/ca.key.pem"
 
 - name: self sign certificate
-  command: openssl ca -selfsign -batch
+  command: openssl ca -selfsign -batch -notext
     -config openssl.cnf
-    -days {{ certificate_authority_days }}
-    -extensions certificate_authority
     -in csr/ca.csr.pem
     -out certs/ca.cert.pem
-    -subj "{{ certificate_authority_subject }}"
+    {{ certificate_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
   args:
     chdir: "{{ certificate_authority_directory }}"
     creates: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
+  environment:
+    PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
   when: certificate_authority_type == "root"
 
 - name: certificate info
@@ -94,6 +40,6 @@
   changed_when: false
   register: _certificate_authority_info
 
-- name: show certificate info
+- name: certificate debug
   debug:
-    msg: "{{ _certificate_authority_info }}"
+    msg: "{{ _certificate_authority_info.stdout_lines }}"
diff --git a/templates/basic_constraints.json.j2 b/templates/basic_constraints.json.j2
deleted file mode 100644
index f1f64cf..0000000
--- a/templates/basic_constraints.json.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-[
-"CA:TRUE",
-{% if certificate_authority_pathlen is defined %}
-"pathlen:{{certificate_authority_pathlen}}",
-{% endif %}
-]
diff --git a/templates/extensions.cnf.j2 b/templates/extensions.cnf.j2
deleted file mode 100644
index 3a2ed2b..0000000
--- a/templates/extensions.cnf.j2
+++ /dev/null
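Review bot: The `self sign certificate` task passes the key password through `environment: PRIVATE_KEY_PASSWORD`, which keeps it off the command line, but the task has no `no_log`, so the value can still appear in verbose output (the environment prefix is printed with the module invocation at `-vvv`) and in the module result on failure; add `no_log: true` to the task, or `no_log: "{{ certificate_private_key_password is defined }}"` if diagnostics should stay visible when no password is configured. The `{{ certificate_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}` expression depends on Jinja applying `| ternary` to the result of the `is defined` test; writing `(certificate_private_key_password is defined) | ternary(...)` makes that explicit. With `-days` and `-extensions certificate_authority` removed, the root's validity and its CA extensions now have to come from the generated `openssl.cnf` and the CSR produced by the `certificate` role, which is not visible here; a comment on the task stating that assumption (e.g. `# validity and CA extensions come from openssl.cnf (default_enddate, copy_extensions) and the CSR`) would help the next maintainer.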
@@ -1,9 +0,0 @@
-[ certificate_authority ]
-# Extensions for a typical CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, {{ certificate_authority_basic_constraints | join(', ') }}
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-{% if certificate_authority_name_constraints is defined %}
-nameConstraints = critical, {{ certificate_authority_name_constraints | join(',') }}
-{% endif %}
diff --git a/templates/openssl.cnf.j2 b/templates/openssl.cnf.j2
index 65928ed..fe48772 100644
--- a/templates/openssl.cnf.j2
+++ b/templates/openssl.cnf.j2
@@ -1,3 +1,5 @@
+{{ ansible_managed | comment }}
+
 [ ca ]
 # `man ca`
 default_ca = CA_default
@@ -27,10 +29,13 @@ default_md = sha256
 
 name_opt = ca_default
 cert_opt = ca_default
-default_days = 375
 preserve = no
 policy = policy_{{ certificate_authority_policy }}
 
+copy_extensions = copy
+
+default_enddate = {{ lookup('pipe','date -u --date="'+(certificate_authority_enddate|string)+'" +%Y%m%d%H%M%SZ') }}
+
 [ policy_strict ]
 # The root CA should only sign intermediate certificates that match.
 # See the POLICY FORMAT section of `man ca`.
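Review bot: `default_enddate` is built with `lookup('pipe', ...)`, which splices `certificate_authority_enddate` into a shell command run on the control node; a value containing a double quote or other shell metacharacters changes the command, so this is only safe while that variable is guaranteed to come from trusted role or play vars, and it additionally requires GNU `date` on the controller. If the accepted input can be fixed to a date string, a pure-Jinja form such as `{{ (certificate_authority_enddate | to_datetime('%Y-%m-%d')).strftime('%Y%m%d%H%M%SZ') }}` avoids the shell entirely; otherwise a comment stating that the variable must not be taken from untrusted input belongs next to this line. `copy_extensions = copy` also changes what `openssl ca` will sign: any extension present in a CSR and not set in the `-extensions` section in use is copied from the request, which the OpenSSL `ca` documentation warns about for `basicConstraints` and `keyUsage`. Consider a comment here such as `# copy_extensions: every signing run must pass -extensions with a section that pins basicConstraints and keyUsage (usr_cert/server_cert); CSR values are only taken for extensions the section does not set`.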
@@ -92,23 +97,17 @@ localityName_default = {{ certificate_authority_locality | default(''
 organizationalUnitName_default = {{ certificate_authority_organizational_unit | default('') }}
 #emailAddress_default =
 
-{% include "extensions.cnf.j2" %}
-
 [ usr_cert ]
 # Extensions for client certificates (`man x509v3_config`).
 basicConstraints = CA:FALSE
-nsCertType = client, email
-nsComment = "OpenSSL Generated Client Certificate"
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
+authorityKeyIdentifier = keyid,issuer:always
 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth, emailProtection
 
 [ server_cert ]
 # Extensions for server certificates (`man x509v3_config`).
 basicConstraints = CA:FALSE
-nsCertType = server
-nsComment = "OpenSSL Generated Server Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 keyUsage = critical, digitalSignature, keyEncipherment