Initial Commit

2025-07-30 22:09:38 +02:00
commit a0ea59c528
27 changed files with 2808 additions and 0 deletions


@ -0,0 +1,112 @@
---
- name: Create directory to store tls keys and certificates of the client
ansible.builtin.file:
path: "{{ certificate_authority_client_path }}"
owner: "root"
group: "root"
mode: "0700"
state: directory
- name: Create unprotected client certificate
ansible.builtin.include_tasks: client_certificate_unprotected.yaml
when: certificate_authority_client_create is defined and
certificate_authority_client_create and
certificate_authority_client_tls_key_passphrase is defined and
certificate_authority_client_tls_key_passphrase | length <= 0
- name: Create passphrase protected client certificate
ansible.builtin.include_tasks: client_certificate_unprotected.yaml
when: certificate_authority_client_create is defined and
certificate_authority_client_create and
certificate_authority_client_tls_key_passphrase is defined and
certificate_authority_client_tls_key_passphrase | length > 0
- name: Import client certificate
ansible.builtin.include_tasks: client_certificate_import.yaml
when: certificate_authority_client_create is defined and
not certificate_authority_client_create
- name: Create certificate chain file
block:
- name: Check if intermediate certificate exists
ansible.builtin.stat:
path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
register: _stat_result
- name: Concatenate client certificate and intermediate certificate
vars:
_chain_files:
- "{{ certificate_authority_client_path }}/cert.pem"
- "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
ansible.builtin.command:
cmd: awk 1 {{ _chain_files | join(' ') }}
register: chain_content
changed_when: chain_content.rc == 0
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Create concatenated chain file
ansible.builtin.copy:
content: "{{ chain_content.stdout_lines | join('\n') }}"
dest: "{{ certificate_authority_client_path }}/chain.pem"
owner: "root"
group: "root"
mode: "0644"
remote_src: true
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Create certificate fullchain file
block:
- name: Check if intermediate chain exists
ansible.builtin.stat:
path: "{{ certificate_authority_intermediate_ca_path }}/chain.pem"
register: _stat_result
- name: Concatenate client certificate and intermediate chain file
vars:
_chain_files:
- "{{ certificate_authority_client_path }}/cert.pem"
- "{{ certificate_authority_intermediate_ca_path }}/chain.pem"
ansible.builtin.command:
cmd: awk 1 {{ _chain_files | join(' ') }}
register: chain_content
changed_when: chain_content.rc == 0
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Create concatenated fullchain file
ansible.builtin.copy:
content: "{{ chain_content.stdout_lines | join('\n') }}"
dest: "{{ certificate_authority_client_path }}/fullchain.pem"
owner: "root"
group: "root"
mode: "0644"
remote_src: true
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Create file with private key and fullchain file of the client
block:
- name: Check if fullchain exists
ansible.builtin.stat:
path: "{{ certificate_authority_client_path }}/fullchain.pem"
register: _stat_result
- name: Concatenate private key and fullchain file of the client
vars:
_chain_files:
- "{{ certificate_authority_client_path }}/privkey.pem"
- "{{ certificate_authority_client_path }}/fullchain.pem"
ansible.builtin.command:
cmd: awk 1 {{ _chain_files | join(' ') }}
register: chain_content
changed_when: chain_content.rc == 0
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Create concatenated file
ansible.builtin.copy:
content: "{{ chain_content.stdout_lines | join('\n') }}"
dest: "{{ certificate_authority_client_path }}/all.pem"
owner: "root"
group: "root"
mode: "0600"
remote_src: true
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
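Review bot: The task `Create passphrase protected client certificate` includes the same `client_certificate_unprotected.yaml` as the unprotected branch, so a non-empty `certificate_authority_client_tls_key_passphrase` still produces a key without a passphrase; the include should point at the protected variant (the tasks shown in the `@ -0,0 +1,59` section, whose filename is not visible on this page). The same copy-paste appears in the intermediate CA section (`intermediate_certificate_authority_unprotected.yaml` under `Create passphrase protected intermediate Certificate Authority (CA)`) and in the root CA section (`root_certificate_authority_unprotected.yaml` under `Create passphrase protected root Certificate Authority (CA)`). Separately, `Concatenate private key and fullchain file of the client` registers the private key material in `chain_content`, which then appears in verbose output and callback logs; add `no_log: true` to that command task and to the copy that writes `all.pem`, and do the same in the intermediate and root sections. The awk command only reads files, so `changed_when: false` describes it better than `chain_content.rc == 0`, which reports a change on every run.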


@ -0,0 +1,19 @@
---
- name: Import private key of a client
ansible.builtin.copy:
content: "{{ certificate_authority_client_tls_key_content }}"
dest: "{{ certificate_authority_client_ca_path }}/privkey.pem"
owner: "root"
group: "root"
mode: "0600"
when: certificate_authority_client_tls_key_content | length > 0
- name: Import certificate of a client
ansible.builtin.copy:
content: "{{ certificate_authority_client_tls_crt_content }}"
dest: "{{ certificate_authority_client_tls_crt_content }}/cert.pem"
owner: "root"
group: "root"
mode: "0644"
when: certificate_authority_client_tls_crt_content | length > 0
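Review bot: `Import certificate of a client` writes to `dest: "{{ certificate_authority_client_tls_crt_content }}/cert.pem"`, i.e. the certificate body is used as the destination directory; it should read `dest: "{{ certificate_authority_client_path }}/cert.pem"`. The private-key task above it uses `certificate_authority_client_ca_path`, a name that appears nowhere else in this commit while every other client task uses `certificate_authority_client_path`, so it will most likely fail as undefined. Both copy tasks take key or certificate content from variables; add `no_log: true` to the private-key copy so the key does not show up in `--diff` output or logs, and apply the same to the private-key copies in the intermediate and root import sections.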


@ -0,0 +1,59 @@
---
- name: Create private key for client
community.crypto.openssl_privatekey:
path: "{{ certificate_authority_client_path }}/privkey.pem"
type: "{{ certificate_authority_client_tls_key_type }}"
passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
- name: Create a certificate signing request (CSR) for client certificate without subject alternative names (SANs)
community.crypto.openssl_csr:
common_name: "{{ certificate_authority_client_common_name }}"
extendedKeyUsage:
- clientAuth
- serverAuth
path: "{{ certificate_authority_client_path }}/cert-req.pem"
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
when: |
certificate_authority_client_subject_alternative_names is not defined or
(certificate_authority_client_subject_alternative_names is defined and
certificate_authority_client_subject_alternative_names | length <= 0)
- name: Create a certificate signing request (CSR) for client certificate with subject alternative names (SANs)
community.crypto.openssl_csr:
common_name: "{{ certificate_authority_client_common_name }}"
extendedKeyUsage:
- clientAuth
- serverAuth
path: "{{ certificate_authority_client_path }}/cert-req.pem"
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list | join(',') | quote }}"
when: certificate_authority_client_subject_alternative_names is defined and
certificate_authority_client_subject_alternative_names | length > 0
- name: Create signed client certificate - unprotected intermediate Certificate Authority (CA)
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_client_path }}/cert-req.pem"
ownca_not_after: "{{ certificate_authority_client_not_after }}"
ownca_not_before: "{{ certificate_authority_client_not_before }}"
ownca_path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
ownca_privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
path: "{{ certificate_authority_client_path }}/cert.pem"
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
provider: ownca
when: certificate_authority_intermediate_ca_tls_key_passphrase | length <= 0
- name: Create signed client certificate - passphrase protected intermediate Certificate Authority (CA)
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_client_path }}/cert-req.pem"
ownca_not_after: "{{ certificate_authority_client_not_after }}"
ownca_not_before: "{{ certificate_authority_client_not_before }}"
ownca_path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
ownca_privatekey_passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
ownca_privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
path: "{{ certificate_authority_client_path }}/cert.pem"
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
provider: ownca
when: certificate_authority_intermediate_ca_tls_key_passphrase | length > 0
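Review bot: Both CSR tasks set `extendedKeyUsage` to `clientAuth` and `serverAuth`, so every client certificate issued here is also valid as a server certificate under a CA that the root section installs into the system trust store; unless that is intended, restrict the list to `- clientAuth` (the same lists appear in the unprotected client section). The `subject_alt_name` expression ends in `| quote`, which shell-quotes the joined string: an entry containing a character outside the shell-safe set, such as a wildcard name, gets wrapped in literal single quotes and the SAN is corrupted, and the module expects a list rather than a comma-joined string anyway, so `subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list }}"` is sufficient. The `when` on the two signing tasks evaluates `certificate_authority_intermediate_ca_tls_key_passphrase | length` without an `is defined` guard, unlike the equivalent tasks in the intermediate CA section.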


@ -0,0 +1,54 @@
---
- name: Create private key for client
community.crypto.openssl_privatekey:
path: "{{ certificate_authority_client_path }}/privkey.pem"
type: "{{ certificate_authority_client_tls_key_type }}"
- name: Create a certificate signing request (CSR) for client certificate without subject alternative names (SANs)
community.crypto.openssl_csr:
common_name: "{{ certificate_authority_client_common_name }}"
extendedKeyUsage:
- clientAuth
- serverAuth
path: "{{ certificate_authority_client_path }}/cert-req.pem"
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
when: |
certificate_authority_client_subject_alternative_names is not defined or
(certificate_authority_client_subject_alternative_names is defined and
certificate_authority_client_subject_alternative_names | length <= 0)
- name: Create a certificate signing request (CSR) for client certificate with subject alternative names (SANs)
community.crypto.openssl_csr:
common_name: "{{ certificate_authority_client_common_name }}"
extendedKeyUsage:
- clientAuth
- serverAuth
path: "{{ certificate_authority_client_path }}/cert-req.pem"
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list | join(',') | quote }}"
when: certificate_authority_client_subject_alternative_names is defined and
certificate_authority_client_subject_alternative_names | length > 0
- name: Create signed client certificate - unprotected intermediate Certificate Authority (CA)
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_client_path }}/cert-req.pem"
ownca_not_after: "{{ certificate_authority_client_not_after }}"
ownca_not_before: "{{ certificate_authority_client_not_before }}"
ownca_path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
ownca_privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
path: "{{ certificate_authority_client_path }}/cert.pem"
provider: ownca
when: certificate_authority_intermediate_ca_tls_key_passphrase | length <= 0
- name: Create signed client certificate - passphrase protected intermediate Certificate Authority (CA)
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_client_path }}/cert-req.pem"
ownca_not_after: "{{ certificate_authority_client_not_after }}"
ownca_not_before: "{{ certificate_authority_client_not_before }}"
ownca_path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
ownca_privatekey_passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
ownca_privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
path: "{{ certificate_authority_client_path }}/cert.pem"
provider: ownca
when: certificate_authority_intermediate_ca_tls_key_passphrase | length > 0


@ -0,0 +1,112 @@
---
- name: Create directory to store tls keys and certificates of the intermediate CA
ansible.builtin.file:
path: "{{ certificate_authority_intermediate_ca_path }}"
owner: "root"
group: "root"
mode: "0700"
state: "directory"
- name: Create unprotected intermediate Certificate Authority (CA)
ansible.builtin.include_tasks: intermediate_certificate_authority_unprotected.yaml
when: certificate_authority_intermediate_ca_create is defined and
certificate_authority_intermediate_ca_create and
certificate_authority_intermediate_ca_tls_key_passphrase is defined and
certificate_authority_intermediate_ca_tls_key_passphrase | length <= 0
- name: Create passphrase protected intermediate Certificate Authority (CA)
ansible.builtin.include_tasks: intermediate_certificate_authority_unprotected.yaml
when: certificate_authority_intermediate_ca_create is defined and
certificate_authority_intermediate_ca_create and
certificate_authority_intermediate_ca_tls_key_passphrase is defined and
certificate_authority_intermediate_ca_tls_key_passphrase | length > 0
- name: Import intermediate Certificate Authority (CA)
ansible.builtin.include_tasks: intermediate_certificate_authority_import.yaml
when: certificate_authority_intermediate_ca_create is defined and
not certificate_authority_intermediate_ca_create
- name: Create certificate chain file
block:
- name: Check if root certificate exists
ansible.builtin.stat:
path: "{{ certificate_authority_root_ca_path }}/cert.pem"
register: _stat_result
- name: Concatenate intermediate certificate and root certificate
vars:
_chain_files:
- "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
- "{{ certificate_authority_root_ca_path }}/cert.pem"
ansible.builtin.command:
cmd: awk 1 {{ _chain_files | join(' ') }}
register: chain_content
changed_when: chain_content.rc == 0
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Create concatenated chain file
ansible.builtin.copy:
content: "{{ chain_content.stdout_lines | join('\n') }}"
dest: "{{ certificate_authority_intermediate_ca_path }}/chain.pem"
owner: "root"
group: "root"
mode: "0644"
remote_src: true
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Create certificate fullchain file
block:
- name: Check if root chain exists
ansible.builtin.stat:
path: "{{ certificate_authority_root_ca_path }}/chain.pem"
register: _stat_result
- name: Concatenate intermediate certificate and root chain file
vars:
_chain_files:
- "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
- "{{ certificate_authority_root_ca_path }}/chain.pem"
ansible.builtin.command:
cmd: awk 1 {{ _chain_files | join(' ') }}
register: chain_content
changed_when: chain_content.rc == 0
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Create concatenated fullchain file
ansible.builtin.copy:
content: "{{ chain_content.stdout_lines | join('\n') }}"
dest: "{{ certificate_authority_intermediate_ca_path }}/fullchain.pem"
owner: "root"
group: "root"
mode: "0644"
remote_src: true
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Create file with private key and fullchain file of intermediate Certificate Authority (CA)
block:
- name: Check if private key exists
ansible.builtin.stat:
path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
register: _stat_result
- name: Concatenate private key and fullchain file of intermediate Certificate Authority (CA)
vars:
_chain_files:
- "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
- "{{ certificate_authority_intermediate_ca_path }}/fullchain.pem"
ansible.builtin.command:
cmd: awk 1 {{ _chain_files | join(' ') }}
register: chain_content
changed_when: chain_content.rc == 0
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Create concatenated file
ansible.builtin.copy:
content: "{{ chain_content.stdout_lines | join('\n') }}"
dest: "{{ certificate_authority_intermediate_ca_path }}/all.pem"
owner: "root"
group: "root"
mode: "0600"
remote_src: true
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
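Review bot: In `Create file with private key and fullchain file of intermediate Certificate Authority (CA)` the guard stats `privkey.pem`, which at this point exists because it was just created or imported, while the concatenation actually depends on `fullchain.pem`; the client section checks `fullchain.pem` at the same place, and this block should match it with `path: "{{ certificate_authority_intermediate_ca_path }}/fullchain.pem"`. If `fullchain.pem` is absent the `awk` command fails and the task errors instead of being skipped. The root CA section has the same privkey-instead-of-fullchain check, where it is presumably harmless because `fullchain.pem` is created there as a symlink.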


@ -0,0 +1,19 @@
---
- name: Import private key of intermediate Certificate Authority (CA)
ansible.builtin.copy:
content: "{{ certificate_authority_intermediate_ca_tls_key_content }}"
dest: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
owner: root
group: root
mode: "0600"
when: certificate_authority_intermediate_ca_tls_key_content | length > 0
- name: Import certificate of intermediate Certificate Authority (CA)
ansible.builtin.copy:
content: "{{ certificate_authority_intermediate_ca_tls_crt_content }}"
dest: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
owner: root
group: root
mode: "0644"
when: certificate_authority_intermediate_ca_tls_crt_content | length > 0


@ -0,0 +1,44 @@
---
- name: Create private key for intermediate CA
community.crypto.openssl_privatekey:
passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
type: "{{ certificate_authority_intermediate_ca_tls_key_type }}"
- name: Create a certificate signing request (CSR) for intermediate CA
community.crypto.openssl_csr:
basic_constraints:
- "CA:TRUE"
common_name: "{{ certificate_authority_intermediate_ca_common_name }}"
path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem"
privatekey_passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
use_common_name_for_san: false
- name: Create signed client certificate - unprotected root Certificate Authority (CA)
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem"
ownca_not_after: "{{ certificate_authority_intermediate_ca_not_after }}"
ownca_not_before: "{{ certificate_authority_intermediate_ca_not_before }}"
ownca_path: "{{ certificate_authority_root_ca_path }}/cert.pem"
ownca_privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
privatekey_passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
provider: ownca
when: certificate_authority_root_ca_tls_key_passphrase is defined and
certificate_authority_root_ca_tls_key_passphrase | length <= 0
- name: Create signed client certificate - passphrase protected root Certificate Authority (CA)
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem"
ownca_not_after: "{{ certificate_authority_intermediate_ca_not_after }}"
ownca_not_before: "{{ certificate_authority_intermediate_ca_not_before }}"
ownca_path: "{{ certificate_authority_root_ca_path }}/cert.pem"
ownca_privatekey_passphrase: "{{ certificate_authority_root_ca_tls_key_passphrase }}"
ownca_privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
privatekey_passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
provider: ownca
when: certificate_authority_root_ca_tls_key_passphrase is defined and
certificate_authority_root_ca_tls_key_passphrase | length > 0
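Review bot: The intermediate CA CSR sets `basic_constraints: ["CA:TRUE"]` but leaves the extension non-critical and declares no key usage; RFC 5280 requires basicConstraints to be critical in CA certificates, and without a key usage the key is not restricted to signing. Add `basic_constraints_critical: true`, `key_usage: [keyCertSign, cRLSign]` and `key_usage_critical: true` to the `openssl_csr` task, and consider `"CA:TRUE,pathlen:0"` so this intermediate cannot issue further CAs. The same applies to the unprotected intermediate section and to both root CA sections. The two `x509_certificate` tasks are named `Create signed client certificate - ...` although they issue the intermediate CA certificate.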


@ -0,0 +1,38 @@
---
- name: Create private key for intermediate CA
community.crypto.openssl_privatekey:
path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
type: "{{ certificate_authority_intermediate_ca_tls_key_type }}"
- name: Create a certificate signing request (CSR) for intermediate CA
community.crypto.openssl_csr:
basic_constraints:
- "CA:TRUE"
common_name: "{{ certificate_authority_intermediate_ca_common_name }}"
path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem"
privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
use_common_name_for_san: false
- name: Create signed client certificate - unprotected root Certificate Authority (CA)
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem"
ownca_not_after: "{{ certificate_authority_intermediate_ca_not_after }}"
ownca_not_before: "{{ certificate_authority_intermediate_ca_not_before }}"
ownca_path: "{{ certificate_authority_root_ca_path }}/cert.pem"
ownca_privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
provider: ownca
when: certificate_authority_root_ca_tls_key_passphrase | length <= 0
- name: Create signed client certificate - passphrase protected root Certificate Authority (CA)
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem"
ownca_not_after: "{{ certificate_authority_intermediate_ca_not_after }}"
ownca_not_before: "{{ certificate_authority_intermediate_ca_not_before }}"
ownca_path: "{{ certificate_authority_root_ca_path }}/cert.pem"
ownca_privatekey_passphrase: "{{ certificate_authority_root_ca_tls_key_passphrase }}"
ownca_privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
provider: ownca
when: certificate_authority_root_ca_tls_key_passphrase | length > 0

26
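--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -0,0 +1,26 @@
+---
+- name: Upgrade python package manager pip
+ansible.builtin.pip:
+name: pip
+state: latest
+- name: Install required python library cryptography
+ansible.builtin.pip:
+name: cryptography>=1.2.3
+state: present
+- name: Create or import a root Certificate Authority (CA)
+ansible.builtin.include_tasks: root_certificate_authority.yaml
+when: certificate_authority_root_ca_skip is defined and
+not certificate_authority_root_ca_skip
+- name: Create or import a intermediate Certificate Authority (CA)
+ansible.builtin.include_tasks: intermediate_certificate_authority.yaml
+when: certificate_authority_intermediate_ca_skip is defined and
+not certificate_authority_intermediate_ca_skip
+- name: Create or import a client certificate
+ansible.builtin.include_tasks: client_certificate.yaml
+when: certificate_authority_client_skip is defined and
+not certificate_authority_client_skip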
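Review bot: `Upgrade python package manager pip` with `state: latest` and `name: cryptography>=1.2.3` install whatever is newest on the index at run time, so the managed host gets an unpinned, changing dependency and its `pip` is upgraded in place on every run; for a role that mints CA keys, pin `cryptography` to an exact version or a narrow range and drop the pip self-upgrade. The three `include_tasks` are guarded by `..._skip is defined and not ..._skip`, so if the role defaults do not define the `_skip` variables nothing runs at all; `when: not (certificate_authority_root_ca_skip | default(false))` expresses the intent and works without defaults. The two pip tasks also run unconditionally, before any of the skip checks.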


@ -0,0 +1,84 @@
---
- name: Create directory to store tls keys and certificates of the root CA
ansible.builtin.file:
path: "{{ certificate_authority_root_ca_path }}"
owner: "root"
group: "root"
mode: "0700"
state: "directory"
- name: Create unprotected root Certificate Authority (CA)
ansible.builtin.include_tasks: root_certificate_authority_unprotected.yaml
when: certificate_authority_root_ca_create is defined and
certificate_authority_root_ca_create and
certificate_authority_root_ca_tls_key_passphrase is defined and
certificate_authority_root_ca_tls_key_passphrase | length <= 0
- name: Create passphrase protected root Certificate Authority (CA)
ansible.builtin.include_tasks: root_certificate_authority_unprotected.yaml
when: certificate_authority_root_ca_create is defined and
certificate_authority_root_ca_create and
certificate_authority_root_ca_tls_key_passphrase is defined and
certificate_authority_root_ca_tls_key_passphrase | length > 0
- name: Import protected root Certificate Authority (CA)
ansible.builtin.include_tasks: root_certificate_authority_import.yaml
when: certificate_authority_root_ca_create is defined and
not certificate_authority_root_ca_create
- name: Create symbolic link for signed root certificate
ansible.builtin.file:
src: "{{ certificate_authority_root_ca_path }}/cert.pem"
dest: "{{ certificate_authority_root_ca_path }}/{{ item }}"
state: link
with_items:
- ca.pem
- chain.pem
- fullchain.pem
- name: Create file with private key and fullchain file of root Certificate Authority (CA)
block:
- name: Check if private key exists
ansible.builtin.stat:
path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
register: _stat_result
- name: Concatenate private key and fullchain file of root Certificate Authority (CA)
vars:
_chain_files:
- "{{ certificate_authority_root_ca_path }}/privkey.pem"
- "{{ certificate_authority_root_ca_path }}/fullchain.pem"
ansible.builtin.command:
cmd: awk 1 {{ _chain_files | join(' ') }}
register: chain_content
changed_when: chain_content.rc == 0
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Create concatenated file
ansible.builtin.copy:
content: "{{ chain_content.stdout_lines | join('\n') }}"
dest: "{{ certificate_authority_root_ca_path }}/all.pem"
owner: "root"
group: "root"
mode: "0600"
remote_src: true
when: _stat_result.stat.exists is defined and
_stat_result.stat.exists
- name: Import certificate of root Certificate Authority (CA) into systems trust store
when: certificate_authority_root_ca_import is defined and
certificate_authority_root_ca_import
block:
- name: Create symolic link
ansible.builtin.file:
src: "{{ certificate_authority_root_ca_path }}/cert.pem"
dest: "/etc/pki/ca-trust/source/anchors/{{ certificate_authority_root_ca_common_name | replace(' ', '_') }}.pem"
owner: root
group: root
state: link
- name: Update systems SSL/TLS trust store
ansible.builtin.command:
cmd: /usr/bin/update-ca-trust
register: _update_ca_trust
changed_when: _update_ca_trust.rc == 0
failed_when: _update_ca_trust.rc > 0
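Review bot: The block `Import certificate of root Certificate Authority (CA) into systems trust store` symlinks the root certificate into `/etc/pki/ca-trust/source/anchors/` and runs `/usr/bin/update-ca-trust`, which exist only on RHEL-family hosts; without a guard such as `ansible_os_family == "RedHat"` the block fails elsewhere, and `changed_when: _update_ca_trust.rc == 0` reports a change on every run while `failed_when: _update_ca_trust.rc > 0` restates the default. Installing this root as a system trust anchor makes every leaf the chain issues trusted by the host, which is worth stating in the role documentation given that the client CSRs also carry `serverAuth`. The task name `Create symolic link` has a typo.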


@ -0,0 +1,19 @@
---
- name: Import private key of root Certificate Authority (CA)
ansible.builtin.copy:
content: "{{ certificate_authority_root_ca_tls_key_content }}"
dest: "{{ certificate_authority_root_ca_path }}/privkey.pem"
owner: root
group: root
mode: "0600"
when: certificate_authority_root_ca_tls_key_content | length > 0
- name: Import certificate of root Certificate Authority (CA)
ansible.builtin.copy:
content: "{{ certificate_authority_root_ca_tls_crt_content }}"
dest: "{{ certificate_authority_root_ca_path }}/cert.pem"
owner: "root"
group: "root"
mode: "0644"
when: certificate_authority_root_ca_tls_crt_content | length > 0


@ -0,0 +1,26 @@
---
- name: Create private key for root CA
community.crypto.openssl_privatekey:
passphrase: "{{ certificate_authority_root_ca_tls_key_passphrase }}"
path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
type: "{{ certificate_authority_root_ca_tls_key_type }}"
- name: Create a certificate signing request (CSR) for root CA
community.crypto.openssl_csr:
basic_constraints:
- "CA:TRUE"
common_name: "{{ certificate_authority_root_ca_common_name }}"
path: "{{ certificate_authority_root_ca_path }}/cert-req.pem"
privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
use_common_name_for_san: false
- name: Create self-signed certificate for root CA
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_root_ca_path }}/cert-req.pem"
path: "{{ certificate_authority_root_ca_path }}/cert.pem"
privatekey_passphrase: "{{ certificate_authority_root_ca_tls_key_passphrase }}"
privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
provider: selfsigned
selfsigned_not_after: "{{ certificate_authority_root_ca_not_after }}"
selfsigned_not_before: "{{ certificate_authority_root_ca_not_before }}"


@ -0,0 +1,24 @@
---
- name: Create private key for root CA
community.crypto.openssl_privatekey:
path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
type: "{{ certificate_authority_root_ca_tls_key_type }}"
- name: Create a certificate signing request (CSR) for root CA
community.crypto.openssl_csr:
basic_constraints:
- "CA:TRUE"
common_name: "{{ certificate_authority_root_ca_common_name }}"
path: "{{ certificate_authority_root_ca_path }}/cert-req.pem"
privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
use_common_name_for_san: false
- name: Create self-signed certificate for root CA
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_root_ca_path }}/cert-req.pem"
path: "{{ certificate_authority_root_ca_path }}/cert.pem"
privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
provider: selfsigned
selfsigned_not_after: "{{ certificate_authority_root_ca_not_after }}"
selfsigned_not_before: "{{ certificate_authority_root_ca_not_before }}"