volker.raschek/ansible-role-certificate-authority
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Initial Commit
Some checks failed
Lint Markdown files / markdown-lint (push) Successful in 11s
Details
Ansible Linter / ansible-lint (push) Failing after 49s
Details

Browse Source
This commit is contained in:
Markus Pesch
2025-07-30 22:09:38 +02:00
commit a0ea59c528
27 changed files with 2808 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
tasks/client_certificate_protected.yaml Normal file
View File

@ -0,0 +1,59 @@
---
- name: Create private key for client
community.crypto.openssl_privatekey:
path: "{{ certificate_authority_client_path }}/privkey.pem"
type: "{{ certificate_authority_client_tls_key_type }}"
passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
- name: Create a certificate signing request (CSR) for client certificate without subject alternative names (SANs)
community.crypto.openssl_csr:
common_name: "{{ certificate_authority_client_common_name }}"
extendedKeyUsage:
- clientAuth
- serverAuth
path: "{{ certificate_authority_client_path }}/cert-req.pem"
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
when: |
certificate_authority_client_subject_alternative_names is not defined or
(certificate_authority_client_subject_alternative_names is defined and
certificate_authority_client_subject_alternative_names | length <= 0)
- name: Create a certificate signing request (CSR) for client certificate with subject alternative names (SANs)
community.crypto.openssl_csr:
common_name: "{{ certificate_authority_client_common_name }}"
extendedKeyUsage:
- clientAuth
- serverAuth
path: "{{ certificate_authority_client_path }}/cert-req.pem"
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list | join(',') | quote }}"
when: certificate_authority_client_subject_alternative_names is defined and
certificate_authority_client_subject_alternative_names | length > 0
- name: Create signed client certificate - unprotected intermediate Certificate Authority (CA)
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_client_path }}/cert-req.pem"
ownca_not_after: "{{ certificate_authority_client_not_after }}"
ownca_not_before: "{{ certificate_authority_client_not_before }}"
ownca_path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
ownca_privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
path: "{{ certificate_authority_client_path }}/cert.pem"
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
provider: ownca
when: certificate_authority_intermediate_ca_tls_key_passphrase | length <= 0
- name: Create signed client certificate - passphrase protected intermediate Certificate Authority (CA)
community.crypto.x509_certificate:
csr_path: "{{ certificate_authority_client_path }}/cert-req.pem"
ownca_not_after: "{{ certificate_authority_client_not_after }}"
ownca_not_before: "{{ certificate_authority_client_not_before }}"
ownca_path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
ownca_privatekey_passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
ownca_privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
path: "{{ certificate_authority_client_path }}/cert.pem"
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
provider: ownca
when: certificate_authority_intermediate_ca_tls_key_passphrase | length > 0