			0.1.3
			...
			a416b01dd9
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| a416b01dd9 | |||
| 3432d1dc89 | |||
| 42b3e7a5db | |||
| 3344723187 | |||
| 085ad44e8f | |||
| 786a4e9385 | |||
| 75241aa759 | |||
| f9592e9a03 | |||
| a71af04b83 | |||
| 60e11b1276 | |||
| dfac82a1f8 | |||
| 594325b852 | |||
| f3e818b07c | |||
| 29c166acda | |||
| a14c799290 | |||
| 6208d55dcb | |||
| ac6f54d360 | |||
| 9267a743e7 | |||
| ef2c31e64e | |||
| 1c40b1d59b | 
| @@ -14,7 +14,7 @@ jobs: | ||||
|     steps: | ||||
|     - uses: actions/checkout@v4 | ||||
|     - name: Run ansible-lint | ||||
|       uses: ansible/ansible-lint@v25.6.1 | ||||
|       uses: ansible/ansible-lint@v25.9.0 | ||||
|       with: | ||||
|         args: "--config-file .ansible-lint" | ||||
|         setup_python: "true" | ||||
|   | ||||
| @@ -12,7 +12,7 @@ jobs: | ||||
|     runs-on: | ||||
|     - ubuntu-latest | ||||
|     steps: | ||||
|     - uses: actions/checkout@v4.2.2 | ||||
|     - uses: actions/checkout@v4.3.0 | ||||
|     - uses: DavidAnson/markdownlint-cli2-action@v20.0.0 | ||||
|       with: | ||||
|         globs: '**/*.md' | ||||
|   | ||||
							
								
								
									
										15
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										15
									
								
								README.md
									
									
									
									
									
								
							| @@ -28,6 +28,11 @@ certificate_authority_client_subject_alternative_names: | ||||
| | `certificate_authority_root_ca_import`                    | Import the TLS certificate of the root certificate authority into the systems trust store.                                                    | `true`                         | | ||||
| | `certificate_authority_root_ca_path`                      | Directory where the private and public TLS key of the root certificate authority should be stored.                                            | `/etc/ansible-playbook/pki/ca` | | ||||
| | `certificate_authority_root_ca_common_name`               | Common Name (CN) of the root certificate authority.                                                                                           | `Ansible Root CA`              | | ||||
| | `certificate_authority_root_ca_country_name`              | Common Name (CN) of the root certificate authority. For example `US`, `FR` or `DE`.                                                           | `""`                           | | ||||
| | `certificate_authority_root_ca_email_address`             | E-Mail Address of the root certificate authority owner.                                                                                       | `""`                           | | ||||
| | `certificate_authority_root_ca_organization_name`         | Organization name of the root certificate authority owner.                                                                                    | `""`                           | | ||||
| | `certificate_authority_root_ca_organizational_unit_name`  | Organizational unit name of the root certificate authority.                                                                                   | `""`                           | | ||||
| | `certificate_authority_root_ca_state_or_province_name`    | State or province name where the owner of the root certificate authority is located.                                                          | `""`                           | | ||||
| | `certificate_authority_root_ca_subject_alternative_names` | Subject Alternative Names (SAN) of the root certificate authority.                                                                            | `[]`                           | | ||||
| | `certificate_authority_root_ca_not_after`                 | Time in the future from now when the TLS certificate should expire                                                                            | `+3650d`                       | | ||||
| | `certificate_authority_root_ca_not_before`                | Time in the past from now when the TLS certificate should be valid.                                                                           | `+0s`                          | | ||||
| @@ -44,6 +49,11 @@ certificate_authority_client_subject_alternative_names: | ||||
| | `certificate_authority_intermediate_ca_create`                    | Create intermediate certificate from scratch or import via `certificate_authority_intermediate_ca_tls` prefixed variables.                            | `true`                                   | | ||||
| | `certificate_authority_intermediate_ca_path`                      | Directory where the private and public TLS key of the intermediate certificate authority should be stored.                                            | `/etc/ansible-playbook/pki/intermediate` | | ||||
| | `certificate_authority_intermediate_ca_common_name`               | Common Name (CN) of the intermediate certificate authority.                                                                                           | `Ansible Intermediate CA`                | | ||||
| | `certificate_authority_intermediate_ca_country_name`              | Country name of the intermediate certificate authority. For example `US`, `FR` or `DE`.                                                               | `""`                                     | | ||||
| | `certificate_authority_intermediate_ca_email_address`             | E-Mail Address of the intermediate certificate authority owner.                                                                                       | `""`                                     | | ||||
| | `certificate_authority_intermediate_ca_organization_name`         | Organization name of the intermediate certificate authority owner.                                                                                    | `""`                                     | | ||||
| | `certificate_authority_intermediate_ca_organizational_unit_name`  | Organizational unit name of the intermediate certificate authority.                                                                                   | `""`                                     | | ||||
| | `certificate_authority_intermediate_ca_state_or_province_name`    | State or province name where the owner of the intermediate certificate authority is located.                                                          | `""`                                     | | ||||
| | `certificate_authority_intermediate_ca_subject_alternative_names` | Subject Alternative Names (SAN) of the intermediate certificate authority.                                                                            | `[]`                                     | | ||||
| | `certificate_authority_intermediate_ca_not_after`                 | Time in the future from now when the TLS certificate should expire                                                                                    | `+1825d`                                 | | ||||
| | `certificate_authority_intermediate_ca_not_before`                | Time in the past from now when the TLS certificate should be valid.                                                                                   | `+0s`                                    | | ||||
| @@ -60,6 +70,11 @@ certificate_authority_client_subject_alternative_names: | ||||
| | `certificate_authority_client_create`                    | Create client certificate from scratch or import via `certificate_authority_client_tls` prefixed variables. | `true`                             | | ||||
| | `certificate_authority_client_path`                      | Directory where the private and public TLS key of the client certificate authority should be stored.        | `/etc/ansible-playbook/pki/client` | | ||||
| | `certificate_authority_client_common_name`               | Common Name (CN) of the client certificate.                                                                 | `Ansible Client Certificate`       | | ||||
| | `certificate_authority_client_country_name`              | Country Name (CN) of the client certificate. For example `US`, `FR` or `DE`.                                | `""`                               | | ||||
| | `certificate_authority_client_email_address`             | E-Mail Address of the client certificate owner.                                                             | `""`                               | | ||||
| | `certificate_authority_client_organization_name`         | Organization name of the client certificate owner.                                                          | `""`                               | | ||||
| | `certificate_authority_client_organizational_unit_name`  | Common Name (CN) of the client certificate.                                                                 | `""`                               | | ||||
| | `certificate_authority_client_state_or_province_name`    | State or province name where the owner of the client certificate is located.                                | `""`                               | | ||||
| | `certificate_authority_client_subject_alternative_names` | Subject Alternative Names (SAN) of the client certificate.                                                  | `[]`                               | | ||||
| | `certificate_authority_client_not_after`                 | Time in the future from now when the TLS certificate should expire                                          | `+397d`                            | | ||||
| | `certificate_authority_client_not_before`                | Time in the past from now when the TLS certificate should be valid.                                         | `+0s`                              | | ||||
|   | ||||
| @@ -10,11 +10,21 @@ certificate_authority_root_ca_import: true | ||||
|  | ||||
| ## @param certificate_authority_root_ca_path Directory where the private and public TLS key of the root certificate authority should be stored. | ||||
| ## @param certificate_authority_root_ca_common_name Common Name (CN) of the root certificate authority. | ||||
| ## @param certificate_authority_root_ca_country_name Common Name (CN) of the root certificate authority. For example `US`, `FR` or `DE`. | ||||
| ## @param certificate_authority_root_ca_email_address E-Mail Address of the root certificate authority owner. | ||||
| ## @param certificate_authority_root_ca_organization_name Organization name of the root certificate authority owner. | ||||
| ## @param certificate_authority_root_ca_organizational_unit_name Organizational unit name of the root certificate authority. | ||||
| ## @param certificate_authority_root_ca_state_or_province_name State or province name where the owner of the root certificate authority is located. | ||||
| ## @param certificate_authority_root_ca_subject_alternative_names Subject Alternative Names (SAN) of the root certificate authority. | ||||
| ## @param certificate_authority_root_ca_not_after Time in the future from now when the TLS certificate should expire | ||||
| ## @param certificate_authority_root_ca_not_before Time in the past from now when the TLS certificate should be valid. | ||||
| certificate_authority_root_ca_path: "/etc/ansible-playbook/pki/ca" | ||||
| certificate_authority_root_ca_common_name: "Ansible Root CA" | ||||
| certificate_authority_root_ca_country_name: "" | ||||
| certificate_authority_root_ca_email_address: "" | ||||
| certificate_authority_root_ca_organization_name: "" | ||||
| certificate_authority_root_ca_organizational_unit_name: "" | ||||
| certificate_authority_root_ca_state_or_province_name: "" | ||||
| certificate_authority_root_ca_subject_alternative_names: [] | ||||
| certificate_authority_root_ca_not_after: "+3650d" | ||||
| certificate_authority_root_ca_not_before: "+0s" | ||||
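Review bot: The `@param` line for `certificate_authority_root_ca_country_name` in this hunk is a copy of the common-name description — it says `Common Name (CN) of the root certificate authority.` for a field that holds the two-letter country code, while the intermediate-CA hunk of the same file already uses the correct `Country name of the intermediate certificate authority.` wording; the root line should read `## @param certificate_authority_root_ca_country_name Country name of the root certificate authority.` followed by the existing example clause. The client hunk of this file has two more of these: `certificate_authority_client_country_name` is labelled `Country Name (CN)` although the subject attribute is `C`, not `CN`, and `certificate_authority_client_organizational_unit_name` is described as `Common Name (CN) of the client certificate.` where it should be `Organizational unit name of the client certificate.`. The README variable table added in this commit repeats the same three descriptions and should be corrected in step. These comments feed the generated role documentation, so a wrong label will steer users into putting a country code into what they read as a common-name field.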
| @@ -38,11 +48,21 @@ certificate_authority_intermediate_ca_create: true | ||||
|  | ||||
| ## @param certificate_authority_intermediate_ca_path Directory where the private and public TLS key of the intermediate certificate authority should be stored. | ||||
| ## @param certificate_authority_intermediate_ca_common_name Common Name (CN) of the intermediate certificate authority. | ||||
| ## @param certificate_authority_intermediate_ca_country_name Country name of the intermediate certificate authority. For example `US`, `FR` or `DE`. | ||||
| ## @param certificate_authority_intermediate_ca_email_address E-Mail Address of the intermediate certificate authority owner. | ||||
| ## @param certificate_authority_intermediate_ca_organization_name Organization name of the intermediate certificate authority owner. | ||||
| ## @param certificate_authority_intermediate_ca_organizational_unit_name Organizational unit name of the intermediate certificate authority. | ||||
| ## @param certificate_authority_intermediate_ca_state_or_province_name State or province name where the owner of the intermediate certificate authority is located. | ||||
| ## @param certificate_authority_intermediate_ca_subject_alternative_names Subject Alternative Names (SAN) of the intermediate certificate authority. | ||||
| ## @param certificate_authority_intermediate_ca_not_after Time in the future from now when the TLS certificate should expire | ||||
| ## @param certificate_authority_intermediate_ca_not_before Time in the past from now when the TLS certificate should be valid. | ||||
| certificate_authority_intermediate_ca_path: "/etc/ansible-playbook/pki/intermediate" | ||||
| certificate_authority_intermediate_ca_common_name: "Ansible Intermediate CA" | ||||
| certificate_authority_intermediate_ca_country_name: "" | ||||
| certificate_authority_intermediate_ca_email_address: "" | ||||
| certificate_authority_intermediate_ca_organization_name: "" | ||||
| certificate_authority_intermediate_ca_organizational_unit_name: "" | ||||
| certificate_authority_intermediate_ca_state_or_province_name: "" | ||||
| certificate_authority_intermediate_ca_subject_alternative_names: [] | ||||
| certificate_authority_intermediate_ca_not_after: "+1825d" | ||||
| certificate_authority_intermediate_ca_not_before: "+0s" | ||||
| @@ -66,11 +86,21 @@ certificate_authority_client_create: true | ||||
|  | ||||
| ## @param certificate_authority_client_path Directory where the private and public TLS key of the client certificate authority should be stored. | ||||
| ## @param certificate_authority_client_common_name Common Name (CN) of the client certificate. | ||||
| ## @param certificate_authority_client_country_name Country Name (CN) of the client certificate. For example `US`, `FR` or `DE`. | ||||
| ## @param certificate_authority_client_email_address E-Mail Address of the client certificate owner. | ||||
| ## @param certificate_authority_client_organization_name Organization name of the client certificate owner. | ||||
| ## @param certificate_authority_client_organizational_unit_name Common Name (CN) of the client certificate. | ||||
| ## @param certificate_authority_client_state_or_province_name State or province name where the owner of the client certificate is located. | ||||
| ## @param certificate_authority_client_subject_alternative_names Subject Alternative Names (SAN) of the client certificate. | ||||
| ## @param certificate_authority_client_not_after Time in the future from now when the TLS certificate should expire | ||||
| ## @param certificate_authority_client_not_before Time in the past from now when the TLS certificate should be valid. | ||||
| certificate_authority_client_path: "/etc/ansible-playbook/pki/client" | ||||
| certificate_authority_client_common_name: "Ansible Client Certificate" | ||||
| certificate_authority_client_country_name: "" | ||||
| certificate_authority_client_email_address: "" | ||||
| certificate_authority_client_organization_name: "" | ||||
| certificate_authority_client_organizational_unit_name: "" | ||||
| certificate_authority_client_state_or_province_name: "" | ||||
| certificate_authority_client_subject_alternative_names: [] | ||||
| certificate_authority_client_not_after: "+397d" | ||||
| certificate_authority_client_not_before: "+0s" | ||||
|   | ||||
| @@ -1,25 +1,26 @@ | ||||
| dependencies: [] | ||||
| galaxy_info: | ||||
|   namespace: volker-raschek | ||||
|   role_name: "certificate_authority" | ||||
|   author: "Markus Pesch" | ||||
|   description: "Role to create and managed an existing PKI infrastructure" | ||||
|   company: "Cryptic Systems" | ||||
|   description: "Role to create and managed an existing PKI infrastructure" | ||||
|   galaxy_tags: | ||||
|   - ca | ||||
|   - ssl | ||||
|   - tls | ||||
|   license: "MIT" | ||||
|   min_ansible_version: "2.9" | ||||
|   namespace: volker-raschek | ||||
|   platforms: | ||||
|   - name: ArchLinux | ||||
|     versions: | ||||
|     - all | ||||
|   - name: EL | ||||
|     versions: | ||||
|     - all | ||||
|   - name: Fedora | ||||
|     versions: | ||||
|     - all | ||||
|   - name: Ubuntu | ||||
|     versions: | ||||
|     - all | ||||
|   - name: Fedora | ||||
|     versions: | ||||
|     - "35" | ||||
|   galaxy_tags: | ||||
|   - certificate-authority | ||||
|   - ca | ||||
|   - ssl | ||||
|   - tls | ||||
|  | ||||
| dependencies: [] | ||||
|   role_name: "certificate_authority" | ||||
|   | ||||
| @@ -10,12 +10,17 @@ | ||||
| - name: Create a certificate signing request (CSR) for client certificate without subject alternative names (SANs) | ||||
|   community.crypto.openssl_csr: | ||||
|     common_name: "{{ certificate_authority_client_common_name }}" | ||||
|     countryName: "{{ certificate_authority_client_country_name }}" | ||||
|     email_address: "{{ certificate_authority_client_email_address }}" | ||||
|     extendedKeyUsage: | ||||
|     - clientAuth | ||||
|     - serverAuth | ||||
|     organization_name: "{{ certificate_authority_client_organization_name }}" | ||||
|     organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}" | ||||
|     path: "{{ certificate_authority_client_path }}/cert-req.pem" | ||||
|     privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}" | ||||
|     privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem" | ||||
|     state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}" | ||||
|   when: | | ||||
|     certificate_authority_client_subject_alternative_names is not defined or | ||||
|     (certificate_authority_client_subject_alternative_names is defined and | ||||
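Review bot: The added `countryName:` key is the only camelCase subject key in this task — the new `email_address`, `organization_name`, `organizational_unit_name` and `state_or_province_name` lines all use the snake_case form that `community.crypto.openssl_csr` documents as the primary option name. `countryName` is an accepted alias, so this is a style point rather than a defect, but for consistency and greppability the line should be `country_name: "{{ certificate_authority_client_country_name }}"`. The same key is added in the other CSR hunks of this commit (the SAN variant of this task and the intermediate-CA and root-CA task files), which should be changed together. All of these fields default to `""` in defaults/main.yml; as far as I recall the module drops empty subject components rather than emitting them, but that is worth confirming with a run on untouched defaults, since cryptography rejects a country name that is not exactly two characters. The task's `when:` condition continues past the end of the hunk.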
| @@ -24,12 +29,17 @@ | ||||
| - name: Create a certificate signing request (CSR) for client certificate with subject alternative names (SANs) | ||||
|   community.crypto.openssl_csr: | ||||
|     common_name: "{{ certificate_authority_client_common_name }}" | ||||
|     countryName: "{{ certificate_authority_client_country_name }}" | ||||
|     email_address: "{{ certificate_authority_client_email_address }}" | ||||
|     extendedKeyUsage: | ||||
|     - clientAuth | ||||
|     - serverAuth | ||||
|     organization_name: "{{ certificate_authority_client_organization_name }}" | ||||
|     organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}" | ||||
|     path: "{{ certificate_authority_client_path }}/cert-req.pem" | ||||
|     privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem" | ||||
|     privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}" | ||||
|     state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}" | ||||
|     subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list | join(',') | quote }}" | ||||
|   when: certificate_authority_client_subject_alternative_names is defined and | ||||
|         certificate_authority_client_subject_alternative_names | length > 0 | ||||
|   | ||||
| @@ -8,11 +8,17 @@ | ||||
| - name: Create a certificate signing request (CSR) for client certificate without subject alternative names (SANs) | ||||
|   community.crypto.openssl_csr: | ||||
|     common_name: "{{ certificate_authority_client_common_name }}" | ||||
|     countryName: "{{ certificate_authority_client_country_name }}" | ||||
|     email_address: "{{ certificate_authority_client_email_address }}" | ||||
|     extendedKeyUsage: | ||||
|     - clientAuth | ||||
|     - serverAuth | ||||
|     organization_name: "{{ certificate_authority_client_organization_name }}" | ||||
|     organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}" | ||||
|     path: "{{ certificate_authority_client_path }}/cert-req.pem" | ||||
|     privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}" | ||||
|     privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem" | ||||
|     state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}" | ||||
|   when: | | ||||
|     certificate_authority_client_subject_alternative_names is not defined or | ||||
|     (certificate_authority_client_subject_alternative_names is defined and | ||||
| @@ -21,11 +27,16 @@ | ||||
| - name: Create a certificate signing request (CSR) for client certificate with subject alternative names (SANs) | ||||
|   community.crypto.openssl_csr: | ||||
|     common_name: "{{ certificate_authority_client_common_name }}" | ||||
|     countryName: "{{ certificate_authority_client_country_name }}" | ||||
|     email_address: "{{ certificate_authority_client_email_address }}" | ||||
|     extendedKeyUsage: | ||||
|     - clientAuth | ||||
|     - serverAuth | ||||
|     organization_name: "{{ certificate_authority_client_organization_name }}" | ||||
|     organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}" | ||||
|     path: "{{ certificate_authority_client_path }}/cert-req.pem" | ||||
|     privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem" | ||||
|     state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}" | ||||
|     subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list | join(',') | quote }}" | ||||
|   when: certificate_authority_client_subject_alternative_names is defined and | ||||
|         certificate_authority_client_subject_alternative_names | length > 0 | ||||
|   | ||||
| @@ -12,9 +12,14 @@ | ||||
|     basic_constraints: | ||||
|     - "CA:TRUE" | ||||
|     common_name: "{{ certificate_authority_intermediate_ca_common_name }}" | ||||
|     countryName: "{{ certificate_authority_intermediate_ca_country_name }}" | ||||
|     email_address: "{{ certificate_authority_intermediate_ca_email_address }}" | ||||
|     organization_name: "{{ certificate_authority_intermediate_ca_organization_name }}" | ||||
|     organizational_unit_name: "{{ certificate_authority_intermediate_ca_organizational_unit_name }}" | ||||
|     path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem" | ||||
|     privatekey_passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}" | ||||
|     privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem" | ||||
|     state_or_province_name: "{{ certificate_authority_intermediate_ca_state_or_province_name }}" | ||||
|     use_common_name_for_san: false | ||||
|  | ||||
| - name: Create signed client certificate - unprotected root Certificate Authority (CA) | ||||
|   | ||||
| @@ -10,8 +10,13 @@ | ||||
|     basic_constraints: | ||||
|     - "CA:TRUE" | ||||
|     common_name: "{{ certificate_authority_intermediate_ca_common_name }}" | ||||
|     countryName: "{{ certificate_authority_intermediate_ca_country_name }}" | ||||
|     email_address: "{{ certificate_authority_intermediate_ca_email_address }}" | ||||
|     organization_name: "{{ certificate_authority_intermediate_ca_organization_name }}" | ||||
|     organizational_unit_name: "{{ certificate_authority_intermediate_ca_organizational_unit_name }}" | ||||
|     path: "{{ certificate_authority_intermediate_ca_path }}/cert-req.pem" | ||||
|     privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem" | ||||
|     state_or_province_name: "{{ certificate_authority_intermediate_ca_state_or_province_name }}" | ||||
|     use_common_name_for_san: false | ||||
|  | ||||
| - name: Create signed client certificate - unprotected root Certificate Authority (CA) | ||||
|   | ||||
| @@ -3,7 +3,7 @@ | ||||
| - name: Upgrade python package manager pip | ||||
|   ansible.builtin.pip: | ||||
|     name: pip | ||||
|     state: latest | ||||
|     state: present | ||||
|  | ||||
| - name: Install required python library cryptography | ||||
|   ansible.builtin.pip: | ||||
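Review bot: Assuming `state: present` is the new value (the page shows both `state:` lines without markers), the task name `Upgrade python package manager pip` no longer describes what the task does — with `present` the module only installs pip when it is missing and never upgrades an existing one. Rename the task to match, e.g. `- name: Install python package manager pip`, so a reader of the play output is not led to believe pip was updated. The task is complete within the hunk; the following `Install required python library cryptography` task continues past it.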
|   | ||||
| @@ -12,9 +12,14 @@ | ||||
|     basic_constraints: | ||||
|     - "CA:TRUE" | ||||
|     common_name: "{{ certificate_authority_root_ca_common_name }}" | ||||
|     countryName: "{{ certificate_authority_root_ca_country_name }}" | ||||
|     email_address: "{{ certificate_authority_root_ca_email_address }}" | ||||
|     organization_name: "{{ certificate_authority_root_ca_organization_name }}" | ||||
|     organizational_unit_name: "{{ certificate_authority_root_ca_organizational_unit_name }}" | ||||
|     path: "{{ certificate_authority_root_ca_path }}/cert-req.pem" | ||||
|     privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem" | ||||
|     privatekey_passphrase: "{{ certificate_authority_root_ca_tls_key_passphrase }}" | ||||
|     privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem" | ||||
|     state_or_province_name: "{{ certificate_authority_root_ca_state_or_province_name }}" | ||||
|     use_common_name_for_san: false | ||||
|  | ||||
| - name: Create self-signed certificate for root CA | ||||
|   | ||||
| @@ -10,8 +10,13 @@ | ||||
|     basic_constraints: | ||||
|     - "CA:TRUE" | ||||
|     common_name: "{{ certificate_authority_root_ca_common_name }}" | ||||
|     countryName: "{{ certificate_authority_root_ca_country_name }}" | ||||
|     email_address: "{{ certificate_authority_root_ca_email_address }}" | ||||
|     organization_name: "{{ certificate_authority_root_ca_organization_name }}" | ||||
|     organizational_unit_name: "{{ certificate_authority_root_ca_organizational_unit_name }}" | ||||
|     path: "{{ certificate_authority_root_ca_path }}/cert-req.pem" | ||||
|     privatekey_path: "{{ certificate_authority_root_ca_path }}/privkey.pem" | ||||
|     state_or_province_name: "{{ certificate_authority_root_ca_state_or_province_name }}" | ||||
|     use_common_name_for_san: false | ||||
|  | ||||
| - name: Create self-signed certificate for root CA | ||||
|   | ||||