5 Commits
Author | SHA1 | Date | |
---|---|---|---|
1c40b1d59b
|
|||
c3fb49bbd4
|
|||
61b0a7c9ec
|
|||
dbbaacdc69
|
|||
505f0450d4
|
18
README.md
18
README.md
@ -28,6 +28,12 @@ certificate_authority_client_subject_alternative_names:
|
||||
| `certificate_authority_root_ca_import` | Import the TLS certificate of the root certificate authority into the systems trust store. | `true` |
|
||||
| `certificate_authority_root_ca_path` | Directory where the private and public TLS key of the root certificate authority should be stored. | `/etc/ansible-playbook/pki/ca` |
|
||||
| `certificate_authority_root_ca_common_name` | Common Name (CN) of the root certificate authority. | `Ansible Root CA` |
|
||||
| `certificate_authority_root_ca_country_name` | Common Name (CN) of the root certificate authority. | `""` |
|
||||
| `certificate_authority_root_ca_email_address` | E-Mail Address of the root certificate authority owner. | `""` |
|
||||
| `certificate_authority_root_ca_organization_name` | Organization name of the root certificate authority owner. | `""` |
|
||||
| `certificate_authority_root_ca_organizational_unit_name` | Organizational unit name of the root certificate authority. | `""` |
|
||||
| `certificate_authority_root_ca_state_or_province_name` | State or province name where the owner of the root certificate authority is located. | `""` |
|
||||
| `certificate_authority_root_ca_state` | State where the owner of the root certificate authority is located | `""` |
|
||||
| `certificate_authority_root_ca_subject_alternative_names` | Subject Alternative Names (SAN) of the root certificate authority. | `[]` |
|
||||
| `certificate_authority_root_ca_not_after` | Time in the future from now when the TLS certificate should expire | `+3650d` |
|
||||
| `certificate_authority_root_ca_not_before` | Time in the past from now when the TLS certificate should be valid. | `+0s` |
|
||||
@ -44,6 +50,12 @@ certificate_authority_client_subject_alternative_names:
|
||||
| `certificate_authority_intermediate_ca_create` | Create intermediate certificate from scratch or import via `certificate_authority_intermediate_ca_tls` prefixed variables. | `true` |
|
||||
| `certificate_authority_intermediate_ca_path` | Directory where the private and public TLS key of the intermediate certificate authority should be stored. | `/etc/ansible-playbook/pki/intermediate` |
|
||||
| `certificate_authority_intermediate_ca_common_name` | Common Name (CN) of the intermediate certificate authority. | `Ansible Intermediate CA` |
|
||||
| `certificate_authority_intermediate_ca_country_name` | Country name of the intermediate certificate authority. | `""` |
|
||||
| `certificate_authority_intermediate_ca_email_address` | E-Mail Address of the intermediate certificate authority owner. | `""` |
|
||||
| `certificate_authority_intermediate_ca_organization_name` | Organization name of the intermediate certificate authority owner. | `""` |
|
||||
| `certificate_authority_intermediate_ca_organizational_unit_name` | Organizational unit name of the intermediate certificate authority. | `""` |
|
||||
| `certificate_authority_intermediate_ca_state_or_province_name` | State or province name where the owner of the intermediate certificate authority is located. | `""` |
|
||||
| `certificate_authority_intermediate_ca_state` | State where the owner of the intermediate certificate authority is located. | `""` |
|
||||
| `certificate_authority_intermediate_ca_subject_alternative_names` | Subject Alternative Names (SAN) of the intermediate certificate authority. | `[]` |
|
||||
| `certificate_authority_intermediate_ca_not_after` | Time in the future from now when the TLS certificate should expire | `+1825d` |
|
||||
| `certificate_authority_intermediate_ca_not_before` | Time in the past from now when the TLS certificate should be valid. | `+0s` |
|
||||
@ -60,6 +72,12 @@ certificate_authority_client_subject_alternative_names:
|
||||
| `certificate_authority_client_create` | Create client certificate from scratch or import via `certificate_authority_client_tls` prefixed variables. | `true` |
|
||||
| `certificate_authority_client_path` | Directory where the private and public TLS key of the client certificate authority should be stored. | `/etc/ansible-playbook/pki/client` |
|
||||
| `certificate_authority_client_common_name` | Common Name (CN) of the client certificate. | `Ansible Client Certificate` |
|
||||
| `certificate_authority_client_country_name` | Country Name (CN) of the client certificate. | `""` |
|
||||
| `certificate_authority_client_email_address` | E-Mail Address of the client certificate owner. | `""` |
|
||||
| `certificate_authority_client_organization_name` | Organization name of the client certificate owner. | `""` |
|
||||
| `certificate_authority_client_organizational_unit_name` | Common Name (CN) of the client certificate. | `""` |
|
||||
| `certificate_authority_client_state_or_province_name` | State or province name where the owner of the client certificate is located. | `""` |
|
||||
| `certificate_authority_client_state` | State where the owner of the client certificate is located. | `""` |
|
||||
| `certificate_authority_client_subject_alternative_names` | Subject Alternative Names (SAN) of the client certificate. | `[]` |
|
||||
| `certificate_authority_client_not_after` | Time in the future from now when the TLS certificate should expire | `+397d` |
|
||||
| `certificate_authority_client_not_before` | Time in the past from now when the TLS certificate should be valid. | `+0s` |
|
||||
|
@ -10,11 +10,23 @@ certificate_authority_root_ca_import: true
|
||||
|
||||
## @param certificate_authority_root_ca_path Directory where the private and public TLS key of the root certificate authority should be stored.
|
||||
## @param certificate_authority_root_ca_common_name Common Name (CN) of the root certificate authority.
|
||||
## @param certificate_authority_root_ca_country_name Common Name (CN) of the root certificate authority.
|
||||
## @param certificate_authority_root_ca_email_address E-Mail Address of the root certificate authority owner.
|
||||
## @param certificate_authority_root_ca_organization_name Organization name of the root certificate authority owner.
|
||||
## @param certificate_authority_root_ca_organizational_unit_name Organizational unit name of the root certificate authority.
|
||||
## @param certificate_authority_root_ca_state_or_province_name State or province name where the owner of the root certificate authority is located.
|
||||
## @param certificate_authority_root_ca_state State where the owner of the root certificate authority is located
|
||||
## @param certificate_authority_root_ca_subject_alternative_names Subject Alternative Names (SAN) of the root certificate authority.
|
||||
## @param certificate_authority_root_ca_not_after Time in the future from now when the TLS certificate should expire
|
||||
## @param certificate_authority_root_ca_not_before Time in the past from now when the TLS certificate should be valid.
|
||||
certificate_authority_root_ca_path: "/etc/ansible-playbook/pki/ca"
|
||||
certificate_authority_root_ca_common_name: "Ansible Root CA"
|
||||
certificate_authority_root_ca_country_name: ""
|
||||
certificate_authority_root_ca_email_address: ""
|
||||
certificate_authority_root_ca_organization_name: ""
|
||||
certificate_authority_root_ca_organizational_unit_name: ""
|
||||
certificate_authority_root_ca_state_or_province_name: ""
|
||||
certificate_authority_root_ca_state: ""
|
||||
certificate_authority_root_ca_subject_alternative_names: []
|
||||
certificate_authority_root_ca_not_after: "+3650d"
|
||||
certificate_authority_root_ca_not_before: "+0s"
|
||||
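Review bot: `certificate_authority_root_ca_state: ""` (and the matching `_intermediate_ca_state` and `_client_state` defaults further down this file) is documented as a second "state where the owner is located" field, but the task files feed it into `community.crypto.openssl_csr` as `state:`, which is that module's present/absent switch for the CSR file rather than a subject attribute, so neither the empty default nor a real province name is a valid value there; `certificate_authority_root_ca_state_or_province_name` already carries the ST component, so the `_state` variables should be dropped rather than documented. The new `## @param` comments also carry copy-paste errors: `certificate_authority_root_ca_country_name` is described as `Common Name (CN)` and should read `Country name (C) of the root certificate authority.`, `certificate_authority_client_country_name` says `Country Name (CN)` where the abbreviation is `C`, and `certificate_authority_client_organizational_unit_name` is described as `Common Name (CN)` and should read `Organizational unit name (OU) of the client certificate.`. The README table appears to mirror these comments, so correcting them here corrects both.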
@ -38,11 +50,23 @@ certificate_authority_intermediate_ca_create: true
|
||||
|
||||
## @param certificate_authority_intermediate_ca_path Directory where the private and public TLS key of the intermediate certificate authority should be stored.
|
||||
## @param certificate_authority_intermediate_ca_common_name Common Name (CN) of the intermediate certificate authority.
|
||||
## @param certificate_authority_intermediate_ca_country_name Country name of the intermediate certificate authority.
|
||||
## @param certificate_authority_intermediate_ca_email_address E-Mail Address of the intermediate certificate authority owner.
|
||||
## @param certificate_authority_intermediate_ca_organization_name Organization name of the intermediate certificate authority owner.
|
||||
## @param certificate_authority_intermediate_ca_organizational_unit_name Organizational unit name of the intermediate certificate authority.
|
||||
## @param certificate_authority_intermediate_ca_state_or_province_name State or province name where the owner of the intermediate certificate authority is located.
|
||||
## @param certificate_authority_intermediate_ca_state State where the owner of the intermediate certificate authority is located.
|
||||
## @param certificate_authority_intermediate_ca_subject_alternative_names Subject Alternative Names (SAN) of the intermediate certificate authority.
|
||||
## @param certificate_authority_intermediate_ca_not_after Time in the future from now when the TLS certificate should expire
|
||||
## @param certificate_authority_intermediate_ca_not_before Time in the past from now when the TLS certificate should be valid.
|
||||
certificate_authority_intermediate_ca_path: "/etc/ansible-playbook/pki/intermediate"
|
||||
certificate_authority_intermediate_ca_common_name: "Ansible Intermediate CA"
|
||||
certificate_authority_intermediate_ca_country_name: ""
|
||||
certificate_authority_intermediate_ca_email_address: ""
|
||||
certificate_authority_intermediate_ca_organization_name: ""
|
||||
certificate_authority_intermediate_ca_organizational_unit_name: ""
|
||||
certificate_authority_intermediate_ca_state_or_province_name: ""
|
||||
certificate_authority_intermediate_ca_state: ""
|
||||
certificate_authority_intermediate_ca_subject_alternative_names: []
|
||||
certificate_authority_intermediate_ca_not_after: "+1825d"
|
||||
certificate_authority_intermediate_ca_not_before: "+0s"
|
||||
@ -66,11 +90,23 @@ certificate_authority_client_create: true
|
||||
|
||||
## @param certificate_authority_client_path Directory where the private and public TLS key of the client certificate authority should be stored.
|
||||
## @param certificate_authority_client_common_name Common Name (CN) of the client certificate.
|
||||
## @param certificate_authority_client_country_name Country Name (CN) of the client certificate.
|
||||
## @param certificate_authority_client_email_address E-Mail Address of the client certificate owner.
|
||||
## @param certificate_authority_client_organization_name Organization name of the client certificate owner.
|
||||
## @param certificate_authority_client_organizational_unit_name Common Name (CN) of the client certificate.
|
||||
## @param certificate_authority_client_state_or_province_name State or province name where the owner of the client certificate is located.
|
||||
## @param certificate_authority_client_state State where the owner of the client certificate is located.
|
||||
## @param certificate_authority_client_subject_alternative_names Subject Alternative Names (SAN) of the client certificate.
|
||||
## @param certificate_authority_client_not_after Time in the future from now when the TLS certificate should expire
|
||||
## @param certificate_authority_client_not_before Time in the past from now when the TLS certificate should be valid.
|
||||
certificate_authority_client_path: "/etc/ansible-playbook/pki/client"
|
||||
certificate_authority_client_common_name: "Ansible Client Certificate"
|
||||
certificate_authority_client_country_name: ""
|
||||
certificate_authority_client_email_address: ""
|
||||
certificate_authority_client_organization_name: ""
|
||||
certificate_authority_client_organizational_unit_name: ""
|
||||
certificate_authority_client_state_or_province_name: ""
|
||||
certificate_authority_client_state: ""
|
||||
certificate_authority_client_subject_alternative_names: []
|
||||
certificate_authority_client_not_after: "+397d"
|
||||
certificate_authority_client_not_before: "+0s"
|
||||
|
@ -5,16 +5,23 @@
|
||||
path: "{{ certificate_authority_client_path }}/privkey.pem"
|
||||
type: "{{ certificate_authority_client_tls_key_type }}"
|
||||
passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
|
||||
cipher: auto
|
||||
|
||||
- name: Create a certificate signing request (CSR) for client certificate without subject alternative names (SANs)
|
||||
community.crypto.openssl_csr:
|
||||
common_name: "{{ certificate_authority_client_common_name }}"
|
||||
countryName: "{{ certificate_authority_client_country_name }}"
|
||||
email_address: "{{ certificate_authority_client_email_address }}"
|
||||
extendedKeyUsage:
|
||||
- clientAuth
|
||||
- serverAuth
|
||||
organization_name: "{{ certificate_authority_client_organization_name }}"
|
||||
organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}"
|
||||
path: "{{ certificate_authority_client_path }}/cert-req.pem"
|
||||
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
|
||||
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
|
||||
state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}"
|
||||
state: "{{ certificate_authority_client_state }}"
|
||||
when: |
|
||||
certificate_authority_client_subject_alternative_names is not defined or
|
||||
(certificate_authority_client_subject_alternative_names is defined and
|
||||
@ -23,12 +30,18 @@
|
||||
- name: Create a certificate signing request (CSR) for client certificate with subject alternative names (SANs)
|
||||
community.crypto.openssl_csr:
|
||||
common_name: "{{ certificate_authority_client_common_name }}"
|
||||
countryName: "{{ certificate_authority_client_country_name }}"
|
||||
email_address: "{{ certificate_authority_client_email_address }}"
|
||||
extendedKeyUsage:
|
||||
- clientAuth
|
||||
- serverAuth
|
||||
organization_name: "{{ certificate_authority_client_organization_name }}"
|
||||
organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}"
|
||||
path: "{{ certificate_authority_client_path }}/cert-req.pem"
|
||||
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
|
||||
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
|
||||
state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}"
|
||||
state: "{{ certificate_authority_client_state }}"
|
||||
subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list | join(',') | quote }}"
|
||||
when: certificate_authority_client_subject_alternative_names is defined and
|
||||
certificate_authority_client_subject_alternative_names | length > 0
|
||||
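Review bot: `state: "{{ certificate_authority_client_state }}"` in both CSR tasks lands on the `state` option of `community.crypto.openssl_csr`, which accepts only `present`/`absent` and controls whether the CSR file exists; with the role default of `""` argument validation fails, and a real province name would be rejected as well. The ST subject component is already supplied by `state_or_province_name`, so the `state:` line should be removed from both tasks. Separately, `extendedKeyUsage` lists `serverAuth` next to `clientAuth` on what is documented as a client certificate, which lets the leaf be presented as a TLS server; unless that dual use is intended, restrict it to `- clientAuth`. The `subject_alt_name` expression (which may predate this change) forces every entry to `DNS:` via `map('regex_replace', '^', 'DNS:')`, so `IP:`/`email:` SANs cannot be expressed, and `| quote` is a shell-quoting filter with no role in a module argument; passing the list through as typed entries, `subject_alt_name: "{{ certificate_authority_client_subject_alternative_names }}"`, is simpler and more general.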
|
@ -8,11 +8,18 @@
|
||||
- name: Create a certificate signing request (CSR) for client certificate without subject alternative names (SANs)
|
||||
community.crypto.openssl_csr:
|
||||
common_name: "{{ certificate_authority_client_common_name }}"
|
||||
countryName: "{{ certificate_authority_client_country_name }}"
|
||||
email_address: "{{ certificate_authority_client_email_address }}"
|
||||
extendedKeyUsage:
|
||||
- clientAuth
|
||||
- serverAuth
|
||||
organization_name: "{{ certificate_authority_client_organization_name }}"
|
||||
organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}"
|
||||
path: "{{ certificate_authority_client_path }}/cert-req.pem"
|
||||
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
|
||||
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
|
||||
state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}"
|
||||
state: "{{ certificate_authority_client_state }}"
|
||||
when: |
|
||||
certificate_authority_client_subject_alternative_names is not defined or
|
||||
(certificate_authority_client_subject_alternative_names is defined and
|
||||
@ -21,11 +28,17 @@
|
||||
- name: Create a certificate signing request (CSR) for client certificate with subject alternative names (SANs)
|
||||
community.crypto.openssl_csr:
|
||||
common_name: "{{ certificate_authority_client_common_name }}"
|
||||
countryName: "{{ certificate_authority_client_country_name }}"
|
||||
email_address: "{{ certificate_authority_client_email_address }}"
|
||||
extendedKeyUsage:
|
||||
- clientAuth
|
||||
- serverAuth
|
||||
organization_name: "{{ certificate_authority_client_organization_name }}"
|
||||
organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}"
|
||||
path: "{{ certificate_authority_client_path }}/cert-req.pem"
|
||||
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
|
||||
state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}"
|
||||
state: "{{ certificate_authority_client_state }}"
|
||||
subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list | join(',') | quote }}"
|
||||
when: certificate_authority_client_subject_alternative_names is defined and
|
||||
certificate_authority_client_subject_alternative_names | length > 0
|
||||
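Review bot: The newly added `state: "{{ certificate_authority_client_state }}"` in both CSR tasks collides with the module's own `state` option (`present`/`absent`), so the empty default makes `community.crypto.openssl_csr` fail validation before any CSR is written; `state_or_province_name` already covers the ST field, so drop the `state:` line from both tasks. The first task, which runs when no SANs are given, sets no `use_common_name_for_san: false` (unlike the CA tasks in this change), so the module's default will presumably copy the CN `Ansible Client Certificate` into a `DNS:` SAN; if that is not wanted, add `use_common_name_for_san: false` there as well. As in the protected variant, `serverAuth` in `extendedKeyUsage` widens a client certificate to server use and is worth reconsidering.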
|
@ -16,7 +16,7 @@
|
||||
certificate_authority_intermediate_ca_tls_key_passphrase | length <= 0
|
||||
|
||||
- name: Create passphrase protected intermediate Certificate Authority (CA)
|
||||
ansible.builtin.include_tasks: intermediate_certificate_authority_unprotected.yaml
|
||||
ansible.builtin.include_tasks: intermediate_certificate_authority_protected.yaml
|
||||
when: certificate_authority_intermediate_ca_create is defined and
|
||||
certificate_authority_intermediate_ca_create and
|
||||
certificate_authority_intermediate_ca_tls_key_passphrase is defined and
|
||||
|
@ -5,15 +5,22 @@
|
||||
passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
|
||||
path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
|
||||
type: "{{ certificate_authority_intermediate_ca_tls_key_type }}"
|
||||
cipher: auto
|
||||
|
||||
- name: Create a certificate signing request (CSR) for intermediate CA
|
||||
community.crypto.openssl_csr:
|
||||
basic_constraints:
|
||||
- "CA:TRUE"
|
||||
common_name: "{{ certificate_authority_intermediate_ca_common_name }}"
|
||||
countryName: "{{ certificate_authority_intermediate_ca_country_name }}"
|
||||
email_address: "{{ certificate_authority_intermediate_ca_email_address }}"
|
||||
organization_name: "{{ certificate_authority_intermediate_ca_organization_name }}"
|
||||
organizational_unit_name: "{{ certificate_authority_intermediate_ca_organizational_unit_name }}"
|
||||
path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem"
|
||||
privatekey_passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
|
||||
privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
|
||||
state_or_province_name: "{{ certificate_authority_intermediate_ca_state_or_province_name }}"
|
||||
state: "{{ certificate_authority_intermediate_ca_state }}"
|
||||
use_common_name_for_san: false
|
||||
|
||||
- name: Create signed client certificate - unprotected root Certificate Authority (CA)
|
||||
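Review bot: `state: "{{ certificate_authority_intermediate_ca_state }}"` in the intermediate CSR task is not a subject field: it is `openssl_csr`'s present/absent option, so the role default `""` is rejected by argument validation, and `state_or_province_name` already supplies the ST component; remove the `state:` line. While the CSR task is being reworked, the CA extensions deserve tightening: `basic_constraints: ["CA:TRUE"]` is neither marked critical nor bounded with a path length, and no `key_usage` is requested, so a CA certificate signed from this request would carry no keyCertSign/cRLSign restriction and could itself issue further CAs. The snippet below shows the extension lines I would add to this task.
```yaml
  community.crypto.openssl_csr:
    basic_constraints:
      - "CA:TRUE"
      - "pathlen:0"
    basic_constraints_critical: true
    key_usage:
      - keyCertSign
      - cRLSign
    key_usage_critical: true
    # … unchanged: subject fields, path, privatekey_passphrase, privatekey_path …
    use_common_name_for_san: false
```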
|
@ -10,8 +10,14 @@
|
||||
basic_constraints:
|
||||
- "CA:TRUE"
|
||||
common_name: "{{ certificate_authority_intermediate_ca_common_name }}"
|
||||
countryName: "{{ certificate_authority_intermediate_ca_country_name }}"
|
||||
email_address: "{{ certificate_authority_intermediate_ca_email_address }}"
|
||||
organization_name: "{{ certificate_authority_intermediate_ca_organization_name }}"
|
||||
organizational_unit_name: "{{ certificate_authority_intermediate_ca_organizational_unit_name }}"
|
||||
path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem"
|
||||
privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
|
||||
state_or_province_name: "{{ certificate_authority_intermediate_ca_state_or_province_name }}"
|
||||
state: "{{ certificate_authority_intermediate_ca_state }}"
|
||||
use_common_name_for_san: false
|
||||
|
||||
- name: Create signed client certificate - unprotected root Certificate Authority (CA)
|
||||
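Review bot: The added `state: "{{ certificate_authority_intermediate_ca_state }}"` maps onto the `state` option of `community.crypto.openssl_csr` (`present`/`absent`), not onto a subject attribute, so with the default `""` the task fails validation; `state_or_province_name` already carries ST, so the `state:` line should go. The CSR task starts before this hunk (its `name:` and module line are not visible), so I cannot see whether a `key_usage` is set elsewhere; if not, the same `basic_constraints_critical: true` / `key_usage: [keyCertSign, cRLSign]` hardening suggested for the protected variant applies here to keep both variants equivalent.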
|
@ -16,7 +16,7 @@
|
||||
certificate_authority_root_ca_tls_key_passphrase | length <= 0
|
||||
|
||||
- name: Create passphrase protected root Certificate Authority (CA)
|
||||
ansible.builtin.include_tasks: root_certificate_authority_unprotected.yaml
|
||||
ansible.builtin.include_tasks: root_certificate_authority_protected.yaml
|
||||
when: certificate_authority_root_ca_create is defined and
|
||||
certificate_authority_root_ca_create and
|
||||
certificate_authority_root_ca_tls_key_passphrase is defined and
|
||||
|
@ -5,14 +5,22 @@
|
||||
passphrase: "{{ certificate_authority_root_ca_tls_key_passphrase }}"
|
||||
path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
|
||||
type: "{{ certificate_authority_root_ca_tls_key_type }}"
|
||||
cipher: auto
|
||||
|
||||
- name: Create a certificate signing request (CSR) for root CA
|
||||
community.crypto.openssl_csr:
|
||||
basic_constraints:
|
||||
- "CA:TRUE"
|
||||
common_name: "{{ certificate_authority_root_ca_common_name }}"
|
||||
countryName: "{{ certificate_authority_root_ca_country_name }}"
|
||||
email_address: "{{ certificate_authority_root_ca_email_address }}"
|
||||
organization_name: "{{ certificate_authority_root_ca_organization_name }}"
|
||||
organizational_unit_name: "{{ certificate_authority_root_ca_organizational_unit_name }}"
|
||||
path: "{{ certificate_authority_root_ca_path }}/cert-req.pem"
|
||||
privatekey_passphrase: "{{ certificate_authority_root_ca_tls_key_passphrase }}"
|
||||
privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
|
||||
state_or_province_name: "{{ certificate_authority_root_ca_state_or_province_name }}"
|
||||
state: "{{ certificate_authority_root_ca_state }}"
|
||||
use_common_name_for_san: false
|
||||
|
||||
- name: Create self-signed certificate for root CA
|
||||
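Review bot: `state: "{{ certificate_authority_root_ca_state }}"` in the root CSR task is consumed by `openssl_csr` as its present/absent switch rather than as a subject field, so the role default `""` fails argument validation; the province is already passed via `state_or_province_name`, so drop the `state:` line. For a root CA request I would also mark the CA constraint critical and pin the key usage, since nothing in this task restricts the root key to signing certificates and CRLs: `basic_constraints_critical: true`, `key_usage: [keyCertSign, cRLSign]`, `key_usage_critical: true`.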
|
@ -10,8 +10,14 @@
|
||||
basic_constraints:
|
||||
- "CA:TRUE"
|
||||
common_name: "{{ certificate_authority_root_ca_common_name }}"
|
||||
countryName: "{{ certificate_authority_root_ca_country_name }}"
|
||||
email_address: "{{ certificate_authority_root_ca_email_address }}"
|
||||
organization_name: "{{ certificate_authority_root_ca_organization_name }}"
|
||||
organizational_unit_name: "{{ certificate_authority_root_ca_organizational_unit_name }}"
|
||||
path: "{{ certificate_authority_root_ca_path }}/cert-req.pem"
|
||||
privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem"
|
||||
state_or_province_name: "{{ certificate_authority_root_ca_state_or_province_name }}"
|
||||
state: "{{ certificate_authority_root_ca_state }}"
|
||||
use_common_name_for_san: false
|
||||
|
||||
- name: Create self-signed certificate for root CA
|
||||
|