support ownca certificates

README.md

@@ -11,6 +11,7 @@ All configuration is to be placed inside the `certificates` dict.
 backends:
   letsencrypt: *letsencrypt-backend-config*
   selfsigned: *selfsigned-backend-config*
+  ownca: *ownca-backend-config*
 
 # default options for certificates
 defaults:
@@ -57,7 +58,7 @@ san: []
 # services to restart if this certificate changes
 depending_services: []
 
-# which backend to use, can be 'selfsigned' or 'letsencrypt'
+# which backend to use, can be 'selfsigned', 'letsencrypt' or 'ownca''
 backend: 'selfsigned'
 
 # overwrite a backend setting for this certificate
@@ -85,11 +86,34 @@ challangeserver: []
 
 #### Selfsigned
 
+*selfsigned-backend-config*
+
 ```
 # how long should the certificate be valid?
 not_after: "+3650d"
 ```
 
+#### Own CA
+
+*ownca-backend-config*
+
+```
+# how long should the certificate be valid?
+not_after: "+3650d"
+
+# how long should the ca itself be valid?
+ca_not_after: "+3650d"
+
+# delegate the CA to another host. Set to Null to disable and have the ca on the same host this role runs
+remote: Null
+
+# base path to store the ca in
+basepatht: "/etc/ssl/ca"
+
+# name of the ca, used in paths
+name: "ownca"
+```
+
 ## Paths
 
 Certificates are stored at a defined location:
@@ -99,3 +123,12 @@ Certificates are stored at a defined location:
 * CSR: `/etc/ssl/<certname>.csr`
 * chain: `/etc/ssl/<certname>.chain.crt`
 * key, certificate and chain combined: `/etc/ssl/private/<certname>.complete.pem`
+
+Please note that "chain" contains the ca for self signed and "ownca" certificates to work around some stupid bugs.
+
+On the CA host for self signed certs those paths are used:
+
+* ca base path: `<ownca.basepath>/<ownca.name>`
+* ca key: `<basepath>/ca.key`
+* ca cert: `<basepath>/ca.crt`
+* all signed certs: `<basepath>/signed/<certname>`