From 1c40b1d59b75dcfba6a8e4ae35d5501c1fac145b Mon Sep 17 00:00:00 2001
From: Markus Pesch
Date: Thu, 31 Jul 2025 18:46:19 +0200
Subject: [PATCH] feat: support further TLS certification properties

---
 README.md | 18 ++++++++++
 defaults/main.yaml | 36 +++++++++++++++++++
 tasks/client_certificate_protected.yaml | 12 +++++++
 tasks/client_certificate_unprotected.yaml | 13 +++++++
 ...diate_certificate_authority_protected.yaml | 6 ++++
 ...ate_certificate_authority_unprotected.yaml | 6 ++++
 .../root_certificate_authority_protected.yaml | 8 ++++-
 ...oot_certificate_authority_unprotected.yaml | 6 ++++
 8 files changed, 104 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6bb8f21..e116bdf 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,12 @@ certificate_authority_client_subject_alternative_names:
 | `certificate_authority_root_ca_import` | Import the TLS certificate of the root certificate authority into the systems trust store. | `true` |
 | `certificate_authority_root_ca_path` | Directory where the private and public TLS key of the root certificate authority should be stored. | `/etc/ansible-playbook/pki/ca` |
 | `certificate_authority_root_ca_common_name` | Common Name (CN) of the root certificate authority. | `Ansible Root CA` |
+| `certificate_authority_root_ca_country_name` | Common Name (CN) of the root certificate authority. | `""` |
+| `certificate_authority_root_ca_email_address` | E-Mail Address of the root certificate authority owner. | `""` |
+| `certificate_authority_root_ca_organization_name` | Organization name of the root certificate authority owner. | `""` |
+| `certificate_authority_root_ca_organizational_unit_name` | Organizational unit name of the root certificate authority. | `""` |
+| `certificate_authority_root_ca_state_or_province_name` | State or province name where the owner of the root certificate authority is located. | `""` |
+| `certificate_authority_root_ca_state` | State where the owner of the root certificate authority is located | `""` |
 | `certificate_authority_root_ca_subject_alternative_names` | Subject Alternative Names (SAN) of the root certificate authority. | `[]` |
 | `certificate_authority_root_ca_not_after` | Time in the future from now when the TLS certificate should expire | `+3650d` |
 | `certificate_authority_root_ca_not_before` | Time in the past from now when the TLS certificate should be valid. | `+0s` |
@@ -44,6 +50,12 @@ certificate_authority_client_subject_alternative_names:
 | `certificate_authority_intermediate_ca_create` | Create intermediate certificate from scratch or import via `certificate_authority_intermediate_ca_tls` prefixed variables. | `true` |
 | `certificate_authority_intermediate_ca_path` | Directory where the private and public TLS key of the intermediate certificate authority should be stored. | `/etc/ansible-playbook/pki/intermediate` |
 | `certificate_authority_intermediate_ca_common_name` | Common Name (CN) of the intermediate certificate authority. | `Ansible Intermediate CA` |
+| `certificate_authority_intermediate_ca_country_name` | Country name of the intermediate certificate authority. | `""` |
+| `certificate_authority_intermediate_ca_email_address` | E-Mail Address of the intermediate certificate authority owner. | `""` |
+| `certificate_authority_intermediate_ca_organization_name` | Organization name of the intermediate certificate authority owner. | `""` |
+| `certificate_authority_intermediate_ca_organizational_unit_name` | Organizational unit name of the intermediate certificate authority. | `""` |
+| `certificate_authority_intermediate_ca_state_or_province_name` | State or province name where the owner of the intermediate certificate authority is located. | `""` |
+| `certificate_authority_intermediate_ca_state` | State where the owner of the intermediate certificate authority is located. | `""` |
 | `certificate_authority_intermediate_ca_subject_alternative_names` | Subject Alternative Names (SAN) of the intermediate certificate authority. | `[]` |
 | `certificate_authority_intermediate_ca_not_after` | Time in the future from now when the TLS certificate should expire | `+1825d` |
 | `certificate_authority_intermediate_ca_not_before` | Time in the past from now when the TLS certificate should be valid. | `+0s` |
@@ -60,6 +72,12 @@ certificate_authority_client_subject_alternative_names:
 | `certificate_authority_client_create` | Create client certificate from scratch or import via `certificate_authority_client_tls` prefixed variables. | `true` |
 | `certificate_authority_client_path` | Directory where the private and public TLS key of the client certificate authority should be stored. | `/etc/ansible-playbook/pki/client` |
 | `certificate_authority_client_common_name` | Common Name (CN) of the client certificate. | `Ansible Client Certificate` |
+| `certificate_authority_client_country_name` | Country Name (CN) of the client certificate. | `""` |
+| `certificate_authority_client_email_address` | E-Mail Address of the client certificate owner. | `""` |
+| `certificate_authority_client_organization_name` | Organization name of the client certificate owner. | `""` |
+| `certificate_authority_client_organizational_unit_name` | Common Name (CN) of the client certificate. | `""` |
+| `certificate_authority_client_state_or_province_name` | State or province name where the owner of the client certificate is located. | `""` |
+| `certificate_authority_client_state` | State where the owner of the client certificate is located. | `""` |
 | `certificate_authority_client_subject_alternative_names` | Subject Alternative Names (SAN) of the client certificate. | `[]` |
 | `certificate_authority_client_not_after` | Time in the future from now when the TLS certificate should expire | `+397d` |
 | `certificate_authority_client_not_before` | Time in the past from now when the TLS certificate should be valid. | `+0s` |
diff --git a/defaults/main.yaml b/defaults/main.yaml
index baed009..dded4ee 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -10,11 +10,23 @@ certificate_authority_root_ca_import: true
 ## @param certificate_authority_root_ca_path Directory where the private and public TLS key of the root certificate authority should be stored.
 ## @param certificate_authority_root_ca_common_name Common Name (CN) of the root certificate authority.
+## @param certificate_authority_root_ca_country_name Common Name (CN) of the root certificate authority.
+## @param certificate_authority_root_ca_email_address E-Mail Address of the root certificate authority owner.
+## @param certificate_authority_root_ca_organization_name Organization name of the root certificate authority owner.
+## @param certificate_authority_root_ca_organizational_unit_name Organizational unit name of the root certificate authority.
+## @param certificate_authority_root_ca_state_or_province_name State or province name where the owner of the root certificate authority is located.
+## @param certificate_authority_root_ca_state State where the owner of the root certificate authority is located
 ## @param certificate_authority_root_ca_subject_alternative_names Subject Alternative Names (SAN) of the root certificate authority.
 ## @param certificate_authority_root_ca_not_after Time in the future from now when the TLS certificate should expire
 ## @param certificate_authority_root_ca_not_before Time in the past from now when the TLS certificate should be valid.
 certificate_authority_root_ca_path: "/etc/ansible-playbook/pki/ca"
 certificate_authority_root_ca_common_name: "Ansible Root CA"
+certificate_authority_root_ca_country_name: ""
+certificate_authority_root_ca_email_address: ""
+certificate_authority_root_ca_organization_name: ""
+certificate_authority_root_ca_organizational_unit_name: ""
+certificate_authority_root_ca_state_or_province_name: ""
+certificate_authority_root_ca_state: ""
 certificate_authority_root_ca_subject_alternative_names: []
 certificate_authority_root_ca_not_after: "+3650d"
 certificate_authority_root_ca_not_before: "+0s"
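Review bot: The new `## @param certificate_authority_root_ca_country_name` line copies the common-name description, but the variable feeds the X.509 country attribute (C), which must be a two-letter ISO 3166-1 code, so the comment should read `## @param certificate_authority_root_ca_country_name Country name of the root certificate authority (two-letter ISO 3166-1 code, e.g. "DE").`. The same hunk introduces both `certificate_authority_root_ca_state_or_province_name` and `certificate_authority_root_ca_state`, which describe the same subject attribute (ST); in the task files of this patch the latter is passed as the `openssl_csr` module's `state` parameter, which selects whether the CSR file exists rather than a subject field, so the `_state` variable and its `## @param` line should be dropped rather than documented. The intermediate and client hunks of this file (`@@ -38,11 +50,23 @@`, `@@ -66,11 +90,23 @@`) and the matching README rows add the same duplicate `_state` variable.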
@@ -38,11 +50,23 @@ certificate_authority_intermediate_ca_create: true
 ## @param certificate_authority_intermediate_ca_path Directory where the private and public TLS key of the intermediate certificate authority should be stored.
 ## @param certificate_authority_intermediate_ca_common_name Common Name (CN) of the intermediate certificate authority.
+## @param certificate_authority_intermediate_ca_country_name Country name of the intermediate certificate authority.
+## @param certificate_authority_intermediate_ca_email_address E-Mail Address of the intermediate certificate authority owner.
+## @param certificate_authority_intermediate_ca_organization_name Organization name of the intermediate certificate authority owner.
+## @param certificate_authority_intermediate_ca_organizational_unit_name Organizational unit name of the intermediate certificate authority.
+## @param certificate_authority_intermediate_ca_state_or_province_name State or province name where the owner of the intermediate certificate authority is located.
+## @param certificate_authority_intermediate_ca_state State where the owner of the intermediate certificate authority is located.
 ## @param certificate_authority_intermediate_ca_subject_alternative_names Subject Alternative Names (SAN) of the intermediate certificate authority.
 ## @param certificate_authority_intermediate_ca_not_after Time in the future from now when the TLS certificate should expire
 ## @param certificate_authority_intermediate_ca_not_before Time in the past from now when the TLS certificate should be valid.
certificate_authority_intermediate_ca_path: "/etc/ansible-playbook/pki/intermediate"
 certificate_authority_intermediate_ca_common_name: "Ansible Intermediate CA"
+certificate_authority_intermediate_ca_country_name: ""
+certificate_authority_intermediate_ca_email_address: ""
+certificate_authority_intermediate_ca_organization_name: ""
+certificate_authority_intermediate_ca_organizational_unit_name: ""
+certificate_authority_intermediate_ca_state_or_province_name: ""
+certificate_authority_intermediate_ca_state: ""
 certificate_authority_intermediate_ca_subject_alternative_names: []
 certificate_authority_intermediate_ca_not_after: "+1825d"
 certificate_authority_intermediate_ca_not_before: "+0s"
@@ -66,11 +90,23 @@ certificate_authority_client_create: true
 ## @param certificate_authority_client_path Directory where the private and public TLS key of the client certificate authority should be stored.
 ## @param certificate_authority_client_common_name Common Name (CN) of the client certificate.
+## @param certificate_authority_client_country_name Country Name (CN) of the client certificate.
+## @param certificate_authority_client_email_address E-Mail Address of the client certificate owner.
+## @param certificate_authority_client_organization_name Organization name of the client certificate owner.
+## @param certificate_authority_client_organizational_unit_name Common Name (CN) of the client certificate.
+## @param certificate_authority_client_state_or_province_name State or province name where the owner of the client certificate is located.
+## @param certificate_authority_client_state State where the owner of the client certificate is located.
 ## @param certificate_authority_client_subject_alternative_names Subject Alternative Names (SAN) of the client certificate.
 ## @param certificate_authority_client_not_after Time in the future from now when the TLS certificate should expire
 ## @param certificate_authority_client_not_before Time in the past from now when the TLS certificate should be valid.
 certificate_authority_client_path: "/etc/ansible-playbook/pki/client"
 certificate_authority_client_common_name: "Ansible Client Certificate"
+certificate_authority_client_country_name: ""
+certificate_authority_client_email_address: ""
+certificate_authority_client_organization_name: ""
+certificate_authority_client_organizational_unit_name: ""
+certificate_authority_client_state_or_province_name: ""
+certificate_authority_client_state: ""
 certificate_authority_client_subject_alternative_names: []
 certificate_authority_client_not_after: "+397d"
 certificate_authority_client_not_before: "+0s"
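Review bot: Two of the new `## @param` comments in this hunk describe the wrong field: `certificate_authority_client_country_name` is labelled `Country Name (CN)` although `CN` is the common name (the country attribute is `C`), and `certificate_authority_client_organizational_unit_name` is described as `Common Name (CN) of the client certificate`. Suggested wording: `## @param certificate_authority_client_country_name Country name of the client certificate owner (two-letter ISO 3166-1 code).` and `## @param certificate_authority_client_organizational_unit_name Organizational unit name of the client certificate owner.`. The README rows added for the client certificate in the `@@ -60,6 +72,12 @@` hunk repeat both descriptions and need the same correction.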
diff --git a/tasks/client_certificate_protected.yaml b/tasks/client_certificate_protected.yaml
index 2f4e8d6..c9027e4 100644
--- a/tasks/client_certificate_protected.yaml
+++ b/tasks/client_certificate_protected.yaml
@@ -10,12 +10,18 @@
 - name: Create a certificate signing request (CSR) for client certificate without subject alternative names (SANs)
 community.crypto.openssl_csr:
 common_name: "{{ certificate_authority_client_common_name }}"
+ countryName: "{{ certificate_authority_client_country_name }}"
+ email_address: "{{ certificate_authority_client_email_address }}"
 extendedKeyUsage:
 - clientAuth
 - serverAuth
+ organization_name: "{{ certificate_authority_client_organization_name }}"
+ organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}"
 path: "{{ certificate_authority_client_path }}/cert-req.pem"
 privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
 privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
+ state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}"
+ state: "{{ certificate_authority_client_state }}"
 when: |
 certificate_authority_client_subject_alternative_names is not defined or
 (certificate_authority_client_subject_alternative_names is defined and
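Review bot: `state: "{{ certificate_authority_client_state }}"` is passed to `community.crypto.openssl_csr`, whose `state` parameter controls whether the CSR file exists (`present`/`absent`) and is not a subject attribute; with the role default of `""` the module's argument validation rejects the value, and any real state name would be rejected the same way, so the task cannot run as committed. The geographic value is already carried by the `state_or_province_name` line directly above, so the fix is to delete the `state:` line here and in the other CSR tasks of this patch (`client_certificate_protected.yaml` `@@ -24,12 +30,18 @@`, both hunks of `client_certificate_unprotected.yaml`, and the intermediate and root CA task files). As far as I recall the module drops subject components whose value is empty, so the remaining `""` defaults should be harmless, but that is worth confirming against the collection version the role targets. A smaller point of style: the new subject keys mix the camelCase alias `countryName` with snake_case `email_address`, `organization_name`, `organizational_unit_name` and `state_or_province_name`; `country_name` keeps the block consistent. The `when:` block scalar this task ends with continues past the hunk.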
@@ -24,12 +30,18 @@
 - name: Create a certificate signing request (CSR) for client certificate with subject alternative names (SANs)
 community.crypto.openssl_csr:
 common_name: "{{ certificate_authority_client_common_name }}"
+ countryName: "{{ certificate_authority_client_country_name }}"
+ email_address: "{{ certificate_authority_client_email_address }}"
 extendedKeyUsage:
 - clientAuth
 - serverAuth
+ organization_name: "{{ certificate_authority_client_organization_name }}"
+ organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}"
 path: "{{ certificate_authority_client_path }}/cert-req.pem"
 privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
 privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
+ state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}"
+ state: "{{ certificate_authority_client_state }}"
 subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list | join(',') | quote }}"
 when: certificate_authority_client_subject_alternative_names is defined and certificate_authority_client_subject_alternative_names | length > 0
diff --git a/tasks/client_certificate_unprotected.yaml b/tasks/client_certificate_unprotected.yaml
index 4b95fbb..b6d0e63 100644
--- a/tasks/client_certificate_unprotected.yaml
+++ b/tasks/client_certificate_unprotected.yaml
@@ -8,11 +8,18 @@
 - name: Create a certificate signing request (CSR) for client certificate without subject alternative names (SANs)
 community.crypto.openssl_csr:
 common_name: "{{ certificate_authority_client_common_name }}"
+ countryName: "{{ certificate_authority_client_country_name }}"
+ email_address: "{{ certificate_authority_client_email_address }}"
 extendedKeyUsage:
 - clientAuth
 - serverAuth
+ organization_name: "{{ certificate_authority_client_organization_name }}"
+ organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}"
 path: "{{ certificate_authority_client_path }}/cert-req.pem"
+ privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
 privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
+ state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}"
+ state: "{{ certificate_authority_client_state }}"
 when: |
 certificate_authority_client_subject_alternative_names is not defined or
 (certificate_authority_client_subject_alternative_names is defined and
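Review bot: `privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"` is added to the first CSR task of the *unprotected* client-certificate file, while the sibling SAN task in the same file (`@@ -21,11 +28,17 @@`) gets no passphrase. If the private key in this flow is unencrypted, as the file name suggests, `openssl_csr` will most likely refuse to load it when a passphrase is supplied, and if the variable is only set for the protected flow the task fails on an undefined variable instead; either way the line looks like a copy from `client_certificate_protected.yaml` and should be removed. The `when:` block scalar at the end of this task continues past the hunk.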
@@ -21,11 +28,17 @@
 - name: Create a certificate signing request (CSR) for client certificate with subject alternative names (SANs)
 community.crypto.openssl_csr:
 common_name: "{{ certificate_authority_client_common_name }}"
+ countryName: "{{ certificate_authority_client_country_name }}"
+ email_address: "{{ certificate_authority_client_email_address }}"
 extendedKeyUsage:
 - clientAuth
 - serverAuth
+ organization_name: "{{ certificate_authority_client_organization_name }}"
+ organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}"
 path: "{{ certificate_authority_client_path }}/cert-req.pem"
 privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
+ state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}"
+ state: "{{ certificate_authority_client_state }}"
 subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list | join(',') | quote }}"
 when: certificate_authority_client_subject_alternative_names is defined and certificate_authority_client_subject_alternative_names | length > 0
diff --git a/tasks/intermediate_certificate_authority_protected.yaml b/tasks/intermediate_certificate_authority_protected.yaml
index 5f914c0..affd8d4 100644
--- a/tasks/intermediate_certificate_authority_protected.yaml
+++ b/tasks/intermediate_certificate_authority_protected.yaml
@@ -12,9 +12,15 @@
 basic_constraints:
 - "CA:TRUE"
 common_name: "{{ certificate_authority_intermediate_ca_common_name }}"
+ countryName: "{{ certificate_authority_intermediate_ca_country_name }}"
+ email_address: "{{ certificate_authority_intermediate_ca_email_address }}"
+ organization_name: "{{ certificate_authority_intermediate_ca_organization_name }}"
+ organizational_unit_name: "{{ certificate_authority_intermediate_ca_organizational_unit_name }}"
 path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem"
 privatekey_passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
 privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
+ state_or_province_name: "{{ certificate_authority_intermediate_ca_state_or_province_name }}"
+ state: "{{ certificate_authority_intermediate_ca_state }}"
 use_common_name_for_san: false
 - name: Create signed client certificate - unprotected root Certificate Authority (CA)
diff --git a/tasks/intermediate_certificate_authority_unprotected.yaml b/tasks/intermediate_certificate_authority_unprotected.yaml
index 65fce1b..f6da7d0 100644
--- a/tasks/intermediate_certificate_authority_unprotected.yaml
+++ b/tasks/intermediate_certificate_authority_unprotected.yaml
@@ -10,8 +10,14 @@
 basic_constraints:
 - "CA:TRUE"
 common_name: "{{ certificate_authority_intermediate_ca_common_name }}"
+ countryName: "{{ certificate_authority_intermediate_ca_country_name }}"
+ email_address: "{{ certificate_authority_intermediate_ca_email_address }}"
+ organization_name: "{{ certificate_authority_intermediate_ca_organization_name }}"
+ organizational_unit_name: "{{ certificate_authority_intermediate_ca_organizational_unit_name }}"
 path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem"
 privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
+ state_or_province_name: "{{ certificate_authority_intermediate_ca_state_or_province_name }}"
+ state: "{{ certificate_authority_intermediate_ca_state }}"
 use_common_name_for_san: false
 - name: Create signed client certificate - unprotected root Certificate Authority (CA)
diff --git a/tasks/root_certificate_authority_protected.yaml b/tasks/root_certificate_authority_protected.yaml
index c754799..2e5dd72 100644
--- a/tasks/root_certificate_authority_protected.yaml
+++ b/tasks/root_certificate_authority_protected.yaml
@@ -12,9 +12,15 @@
 basic_constraints:
 - "CA:TRUE"
 common_name: "{{ certificate_authority_root_ca_common_name }}"
+ countryName: "{{ certificate_authority_root_ca_country_name }}"
+ email_address: "{{ certificate_authority_root_ca_email_address }}"
+ organization_name: "{{ certificate_authority_root_ca_organization_name }}"
+ organizational_unit_name: "{{ certificate_authority_root_ca_organizational_unit_name }}"
 path: "{{ certificate_authority_root_ca_path }}/cert-req.pem"
- privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
 privatekey_passphrase: "{{ certificate_authority_root_ca_tls_key_passphrase }}"
+ privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
+ state_or_province_name: "{{ certificate_authority_root_ca_state_or_province_name }}"
+ state: "{{ certificate_authority_root_ca_state }}"
 use_common_name_for_san: false
 - name: Create self-signed certificate for root CA
diff --git a/tasks/root_certificate_authority_unprotected.yaml b/tasks/root_certificate_authority_unprotected.yaml
index cde9d22..ab17030 100644
--- a/tasks/root_certificate_authority_unprotected.yaml
+++ b/tasks/root_certificate_authority_unprotected.yaml
@@ -10,8 +10,14 @@
 basic_constraints:
 - "CA:TRUE"
 common_name: "{{ certificate_authority_root_ca_common_name }}"
+ countryName: "{{ certificate_authority_root_ca_country_name }}"
+ email_address: "{{ certificate_authority_root_ca_email_address }}"
+ organization_name: "{{ certificate_authority_root_ca_organization_name }}"
+ organizational_unit_name: "{{ certificate_authority_root_ca_organizational_unit_name }}"
 path: "{{ certificate_authority_root_ca_path }}/cert-req.pem"
 privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
+ state_or_province_name: "{{ certificate_authority_root_ca_state_or_province_name }}"
+ state: "{{ certificate_authority_root_ca_state }}"
 use_common_name_for_san: false
 - name: Create self-signed certificate for root CA