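---
# Issues a certificate for {{ certname }} against a role-managed CA.
# The CA lives under cert_backend.basepath/cert_backend.name on the host
# named by cert_backend.remote (falls back to the current host). The CSR and
# key are read from the current host, signed on the CA host, and the signed
# certificate, CA certificate and concatenated variants are written back to
# the current host's cert.* paths.
#
# NOTE(review): the original file was collapsed onto two lines, so the end of
# the delegated block is inferred: everything that writes to cert.* (the
# current host's paths) is kept outside the block. Confirm against the
# original layout.
- name: include common cert tasks
  include_tasks: common_cert.yml

- name: store ca base path
  set_fact:
    capath: "{{ cert_backend.basepath }}/{{ cert_backend.name }}"

- name: store ca sub paths
  set_fact:
    cacertpath: "{{ capath }}/ca.crt"
    cakeypath: "{{ capath }}/ca.key"
    cacsrpath: "{{ capath }}/ca.csr"
    casignedpath: "{{ capath }}/signed"
    remotecrtpath: "{{ capath }}/signed/{{ certname }}.crt"
    remotecsrpath: "{{ capath }}/signed/{{ certname }}.csr"

- name: slurp csr for {{ certname }}
  slurp:
    src: "{{ cert.csrpath }}"
  register: csrfile

# The private key passes through a registered fact; no_log keeps it out of
# verbose output and callback plugins.
- name: slurp key for {{ certname }}
  slurp:
    src: "{{ cert.keypath }}"
  register: keyfile
  no_log: true

# Everything in this block runs on the CA host.
- name: setup ca
  delegate_to: "{{ cert_backend.remote|default(inventory_hostname, true) }}"
  block:
    - name: "setup base path for {{ cert_backend.name }} ({{ certname }})"
      file:
        path: "{{ cert_backend.basepath }}"
        state: directory
        mode: "0755"
        owner: root
        group: root

    - name: "setup ca path for {{ cert_backend.name }} ({{ certname }})"
      file:
        path: "{{ capath }}"
        state: directory
        mode: "0755"
        owner: root
        group: root

    - name: "setup ca signed path for {{ cert_backend.name }} ({{ certname }})"
      file:
        path: "{{ casignedpath }}"
        state: directory
        mode: "0755"
        owner: root
        group: root

    # CA private key: root-only write, group read. Quoted so the mode is
    # never re-interpreted as a decimal integer.
    - name: "setup ca key {{ cert_backend.name }} ({{ certname }})"
      openssl_privatekey:
        path: "{{ cakeypath }}"
        size: 4096
        type: RSA
        mode: "0640"
        owner: root
        group: root

    # CA CSR: basic_constraints and key_usage are both list parameters;
    # the critical flags are real booleans.
    - name: "setup ca csr for {{ cert_backend.name }} ({{ certname }})"
      openssl_csr:
        path: "{{ cacsrpath }}"
        privatekey_path: "{{ cakeypath }}"
        basic_constraints:
          - "CA:TRUE"
        key_usage:
          - digitalSignature
          - keyCertSign
          - cRLSign
        key_usage_critical: true
        basic_constraints_critical: true
        use_common_name_for_san: false
        common_name: "Root CA: {{ cert_backend.name }}"

    - name: "self sign ca crt for {{ cert_backend.name }} ({{ certname }})"
      openssl_certificate:
        path: "{{ cacertpath }}"
        privatekey_path: "{{ cakeypath }}"
        csr_path: "{{ cacsrpath }}"
        provider: selfsigned
        selfsigned_not_after: "{{ cert_backend.ca_not_after }}"
        selfsigned_create_subject_key_identifier: always_create

    - name: "slurp ca crt for {{ cert_backend.name }} ({{ certname }})"
      slurp:
        src: "{{ cacertpath }}"
      register: cafile

    # The CSR is public material; world-readable is fine.
    - name: "write csr to ca folder ({{ certname }})"
      copy:
        content: "{{ csrfile.content | b64decode }}"
        dest: "{{ remotecsrpath }}"
        mode: "0644"
        owner: root
        group: root

    # Result is registered so the caller can tell whether a new certificate
    # was issued (see certchanged below).
    - name: "sign certificate for {{ certname }}"
      openssl_certificate:
        path: "{{ remotecrtpath }}"
        csr_path: "{{ remotecsrpath }}"
        ownca_path: "{{ cacertpath }}"
        ownca_privatekey_path: "{{ cakeypath }}"
        provider: ownca
        ownca_not_after: "{{ cert_backend.not_after }}"
        ownca_create_subject_key_identifier: always_create
      register: casignedsign

    - name: "copy crt from ca for {{ certname }}"
      slurp:
        src: "{{ remotecrtpath }}"
      register: crtfile

# From here on tasks run on the current host again.
- name: "write crt ({{ certname }})"
  copy:
    content: "{{ crtfile.content | b64decode }}"
    dest: "{{ cert.certpath }}"
    mode: "0644"
    owner: root
    group: root

- name: "write ca ({{ certname }})"
  copy:
    content: "{{ cafile.content | b64decode }}"
    dest: "{{ cert.capath }}"
    mode: "0644"
    owner: root
    group: root

# Chain = leaf certificate followed by the CA certificate (no key).
- name: "generate concatinated versions (chain) for {{ certname }}"
  copy:
    content: "{{ crtfile.content | b64decode }}{{ cafile.content | b64decode }}"
    dest: "{{ cert.chainpath }}"
    mode: "0644"
    owner: root
    group: ssl-cert

# Full = chain plus the private key, so it is group-readable only and the
# rendered content is kept out of logs/diff output with no_log.
- name: "generate concatinated versions (full) for {{ certname }}"
  copy:
    content: "{{ crtfile.content | b64decode }}{{ cafile.content | b64decode }}{{ keyfile.content | b64decode }}"
    dest: "{{ cert.fullpath }}"
    mode: "0640"
    owner: root
    group: ssl-cert
  no_log: true

- name: store if the cert was changed
  set_fact:
    certchanged: "{{ casignedsign is changed }}"

- name: handle postflight
  include_tasks: common_post.yml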