make ownca useable

This commit is contained in:
nd 2020-05-23 12:36:49 +02:00
parent eeb4b3cc93
commit 12895a364f
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9


@ -15,6 +15,11 @@
src: "{{ cert.csrpath }}" src: "{{ cert.csrpath }}"
register: csrfile register: csrfile
- name: slurp key for {{ certname }}
slurp:
src: "{{ cert.keypath }}"
register: keyfile
- name: setup ca - name: setup ca
delegate_to: "{{ cert_backend.remote|default(inventory_hostname, true) }}" delegate_to: "{{ cert_backend.remote|default(inventory_hostname, true) }}"
block: block:
@ -51,6 +56,15 @@
openssl_csr: openssl_csr:
path: "{{ cacsrpath }}" path: "{{ cacsrpath }}"
privatekey_path: "{{ cakeypath }}" privatekey_path: "{{ cakeypath }}"
basic_constraints: "CA:TRUE"
key_usage:
- digitalSignature
- keyCertSign
- cRLSign
key_usage_critical: yes
basic_constraints_critical: yes
use_common_name_for_san: false
common_name: "Root CA: {{ cert_backend.name }}"
- name: "self sign ca crt for {{ cert_backend.name }} ({{ certname }})" - name: "self sign ca crt for {{ cert_backend.name }} ({{ certname }})"
openssl_certificate: openssl_certificate:
path: "{{ cacertpath }}" path: "{{ cacertpath }}"
@ -58,6 +72,7 @@
csr_path: "{{ cacsrpath }}" csr_path: "{{ cacsrpath }}"
provider: selfsigned provider: selfsigned
selfsigned_not_after: "{{ cert_backend.ca_not_after }}" selfsigned_not_after: "{{ cert_backend.ca_not_after }}"
selfsigned_create_subject_key_identifier: always_create
- name: slurp ca crt for {{ cert_backend.name }} ({{ certname }})" - name: slurp ca crt for {{ cert_backend.name }} ({{ certname }})"
slurp: slurp:
src: "{{ cacertpath }}" src: "{{ cacertpath }}"
@ -75,6 +90,7 @@
ownca_privatekey_path: "{{ cakeypath }}" ownca_privatekey_path: "{{ cakeypath }}"
provider: ownca provider: ownca
ownca_not_after: "{{ cert_backend.not_after }}" ownca_not_after: "{{ cert_backend.not_after }}"
ownca_create_subject_key_identifier: always_create
- name: "copy crt from ca for {{ certname }}" - name: "copy crt from ca for {{ certname }}"
slurp: slurp:
src: "{{ remotecrtpath }}" src: "{{ remotecrtpath }}"
@ -89,25 +105,16 @@
content: "{{ cafile.content | b64decode }}" content: "{{ cafile.content | b64decode }}"
dest: "{{ cert.capath }}" dest: "{{ cert.capath }}"
- name: "generate concatinated versions (chain) for {{ certname }}" - name: "generate concatinated versions (chain) for {{ certname }}"
shell: "umask 0137; cat {{ cert.certpath }} {{ cert.capath }} > {{ cert.chainpath }}" copy:
args: content: "{{ crtfile.content | b64decode }}{{ cafile.content | b64decode }}"
creates: "{{ cert.chainpath }}" dest: "{{ cert.chainpath }}"
- name: "set permission for concatinated versions (chain) for {{ certname }}"
file:
path: "{{ cert.chainpath }}"
mode: 0644 mode: 0644
owner: root owner: root
group: ssl-cert group: ssl-cert
- name: "generate concatinated versions (full) for {{ certname }}" - name: "generate concatinated versions (full) for {{ certname }}"
shell: "umask 0137; cat {{ cert.chainpath }} {{ cert.keypath }} > {{ cert.fullpath }}" copy:
args: content: "{{ crtfile.content | b64decode }}{{ cafile.content | b64decode }}{{ keyfile.content | b64decode }}"
creates: "{{ cert.fullpath }}" dest: "{{ cert.fullpath }}"
- name: "set permissions for concatinated versions (full) for {{ certname }}"
file:
path: "{{ cert.fullpath }}"
mode: 0640 mode: 0640
owner: root owner: root
group: ssl-cert group: ssl-cert
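Review bot: The `copy` task for the full bundle (`generate concatinated versions (full)`) now carries the decoded private key in its `content` argument, and the new `slurp key for {{ certname }}` task in the first hunk registers the base64 key body as `keyfile`, so a run with `-v` or `--diff` prints the key material into the controller log; add `no_log: true` to both tasks. The `shell` version being removed only logged the command string, never the key bytes, so this is an exposure the commit introduces rather than one it inherits. As a point of style in the CA CSR hunk, `key_usage_critical: yes` and `basic_constraints_critical: yes` would read more consistently as `true`, matching `use_common_name_for_san: false` two lines below. The `block:` these tasks belong to starts above the first hunk, so any `no_log` at block level would also need checking outside this view.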