--- argument_specs: main: short_description: "Role to create and manage an existing PKI infrastructure" description: - "This Ansible role can be used to create a root and intermediate certificate authority and issue client certificates from them." - "Additionally offers the ansible role the feature to import the certificates of the authority into the systems trust store." author: "Markus Pesch" options: # Root Certificate Authority (CA) certificate_authority_root_ca_skip: description: "Skip creation or import of a root certificate authority in general." type: bool default: false certificate_authority_root_ca_create: description: "Create root certificate from scratch or import via certificate_authority_root_ca_tls prefixed variables." type: bool default: true certificate_authority_root_ca_import: description: "Import the TLS certificate of the root certificate authority into the systems trust store." type: bool default: true certificate_authority_root_ca_path: description: "Directory where the private and public TLS key of the root certificate authority should be stored." type: str default: "/etc/ansible-playbook/pki/ca" certificate_authority_root_ca_common_name: description: "Common Name (CN) of the root certificate authority." type: str default: "Ansible Root CA" certificate_authority_root_ca_country_name: description: "Common Name (CN) of the root certificate authority. For example US, FR or DE." type: str default: "" certificate_authority_root_ca_email_address: description: "E-Mail Address of the root certificate authority owner." type: str default: "" certificate_authority_root_ca_organization_name: description: "Organization name of the root certificate authority owner." type: str default: "" certificate_authority_root_ca_organizational_unit_name: description: "Organizational unit name of the root certificate authority." type: str default: "" certificate_authority_root_ca_state_or_province_name: description: "State or province name where the owner of the root certificate authority is located." type: str default: "" certificate_authority_root_ca_subject_alternative_names: description: "Subject Alternative Names (SAN) of the root certificate authority." type: list elements: str default: [] certificate_authority_root_ca_not_after: description: "Time in the future from now when the TLS certificate should expire" type: str default: "+3650d" certificate_authority_root_ca_not_before: description: "Time in the past from now when the TLS certificate should be valid." type: str default: "+0s" certificate_authority_root_ca_tls_key_content: description: "Content of a custom used root certificate authority. Will only be imported, when certificate_authority_root_ca_create: false." type: str default: "" certificate_authority_root_ca_tls_crt_content: description: "Content of a custom used certificate of the certificate authority. Will only be imported, when certificate_authority_root_ca_create: false." type: str default: "" certificate_authority_root_ca_tls_key_passphrase: description: "Passphrase for the private key of the generated or imported root certificate authority." type: str default: "" no_log: true certificate_authority_root_ca_tls_key_type: description: "Algorithm of the private key of the root certificate authority." type: str default: "RSA" choices: - RSA - DSA - ECC # Intermediate Certificate Authority (CA) certificate_authority_intermediate_ca_skip: description: "Skip creation or import of a intermediate certificate authority in general." type: bool default: false certificate_authority_intermediate_ca_create: description: "Create intermediate certificate from scratch or import via certificate_authority_intermediate_ca_tls prefixed variables." type: bool default: true certificate_authority_intermediate_ca_path: description: "Directory where the private and public TLS key of the intermediate certificate authority should be stored." type: str default: "/etc/ansible-playbook/pki/intermediate" certificate_authority_intermediate_ca_common_name: description: "Common Name (CN) of the intermediate certificate authority." type: str default: "Ansible Intermediate CA" certificate_authority_intermediate_ca_country_name: description: "Country name of the intermediate certificate authority. For example US, FR or DE." type: str default: "" certificate_authority_intermediate_ca_email_address: description: "E-Mail Address of the intermediate certificate authority owner." type: str default: "" certificate_authority_intermediate_ca_organization_name: description: "Organization name of the intermediate certificate authority owner." type: str default: "" certificate_authority_intermediate_ca_organizational_unit_name: description: "Organizational unit name of the intermediate certificate authority." type: str default: "" certificate_authority_intermediate_ca_state_or_province_name: description: "State or province name where the owner of the intermediate certificate authority is located." type: str default: "" certificate_authority_intermediate_ca_subject_alternative_names: description: "Subject Alternative Names (SAN) of the intermediate certificate authority." type: list elements: str default: [] certificate_authority_intermediate_ca_not_after: description: "Time in the future from now when the TLS certificate should expire" type: str default: "+1825d" certificate_authority_intermediate_ca_not_before: description: "Time in the past from now when the TLS certificate should be valid." type: str default: "+0s" certificate_authority_intermediate_ca_tls_key_content: description: "Content of a custom used intermediate certificate authority. Will only be imported, when certificate_authority_intermediate_ca_create: false." type: str default: "" certificate_authority_intermediate_ca_tls_crt_content: description: "Content of a custom used certificate of the certificate authority. Will only be imported, when certificate_authority_intermediate_ca_create: false." type: str default: "" certificate_authority_intermediate_ca_tls_key_passphrase: description: "Passphrase for the private key of the generated or imported intermediate certificate authority." type: str default: "" no_log: true certificate_authority_intermediate_ca_tls_key_type: description: "Algorithm of the private key of the intermediate certificate authority." type: str default: "RSA" choices: - RSA - DSA - ECC # Client Certificate certificate_authority_client_skip: description: "Skip creation or import of a client certificate in general." type: bool default: true certificate_authority_client_create: description: "Create client certificate from scratch or import via certificate_authority_client_tls prefixed variables." type: bool default: true certificate_authority_client_path: description: "Directory where the private and public TLS key of the client certificate authority should be stored." type: str default: "/etc/ansible-playbook/pki/client" certificate_authority_client_common_name: description: "Common Name (CN) of the client certificate." type: str default: "Ansible Client Certificate" certificate_authority_client_country_name: description: "Country Name (CN) of the client certificate. For example US, FR or DE." type: str default: "" certificate_authority_client_email_address: description: "E-Mail Address of the client certificate owner." type: str default: "" certificate_authority_client_organization_name: description: "Organization name of the client certificate owner." type: str default: "" certificate_authority_client_organizational_unit_name: description: "Common Name (CN) of the client certificate." type: str default: "" certificate_authority_client_state_or_province_name: description: "State or province name where the owner of the client certificate is located." type: str default: "" certificate_authority_client_subject_alternative_names: description: "Subject Alternative Names (SAN) of the client certificate." type: list elements: str default: [] certificate_authority_client_not_after: description: "Time in the future from now when the TLS certificate should expire" type: str default: "+397d" certificate_authority_client_not_before: description: "Time in the past from now when the TLS certificate should be valid." type: str default: "+0s" certificate_authority_client_tls_key_passphrase: description: "Passphrase for the private key of the generated or imported client certificate." type: str default: "" no_log: true certificate_authority_client_tls_key_type: description: "Algorithm of the private key of the client certificate." type: str default: "RSA" choices: - RSA - DSA - ECC certificate_authority_client_tls_crt_content: description: "Passphrase for the private key of the generated or imported client certificate." type: str default: "" certificate_authority_client_tls_key_content: description: "Algorithm of the private key of the client certificate" type: str default: ""