You've already forked ansible-role-certificate-authority
66 lines
3.8 KiB
YAML
66 lines
3.8 KiB
YAML
---
|
|
|
|
- name: Create private key for client
|
|
community.crypto.openssl_privatekey:
|
|
path: "{{ certificate_authority_client_path }}/privkey.pem"
|
|
type: "{{ certificate_authority_client_tls_key_type }}"
|
|
|
|
- name: Create a certificate signing request (CSR) for client certificate without subject alternative names (SANs)
|
|
community.crypto.openssl_csr:
|
|
common_name: "{{ certificate_authority_client_common_name }}"
|
|
countryName: "{{ certificate_authority_client_country_name }}"
|
|
email_address: "{{ certificate_authority_client_email_address }}"
|
|
extendedKeyUsage:
|
|
- clientAuth
|
|
- serverAuth
|
|
organization_name: "{{ certificate_authority_client_organization_name }}"
|
|
organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}"
|
|
path: "{{ certificate_authority_client_path }}/cert-req.pem"
|
|
privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
|
|
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
|
|
state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}"
|
|
when: |
|
|
certificate_authority_client_subject_alternative_names is not defined or
|
|
(certificate_authority_client_subject_alternative_names is defined and
|
|
certificate_authority_client_subject_alternative_names | length <= 0)
|
|
|
|
- name: Create a certificate signing request (CSR) for client certificate with subject alternative names (SANs)
|
|
community.crypto.openssl_csr:
|
|
common_name: "{{ certificate_authority_client_common_name }}"
|
|
countryName: "{{ certificate_authority_client_country_name }}"
|
|
email_address: "{{ certificate_authority_client_email_address }}"
|
|
extendedKeyUsage:
|
|
- clientAuth
|
|
- serverAuth
|
|
organization_name: "{{ certificate_authority_client_organization_name }}"
|
|
organizational_unit_name: "{{ certificate_authority_client_organizational_unit_name }}"
|
|
path: "{{ certificate_authority_client_path }}/cert-req.pem"
|
|
privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
|
|
state_or_province_name: "{{ certificate_authority_client_state_or_province_name }}"
|
|
subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list | join(',') | quote }}"
|
|
when: certificate_authority_client_subject_alternative_names is defined and
|
|
certificate_authority_client_subject_alternative_names | length > 0
|
|
|
|
- name: Create signed client certificate - unprotected intermediate Certificate Authority (CA)
|
|
community.crypto.x509_certificate:
|
|
csr_path: "{{ certificate_authority_client_path }}/cert-req.pem"
|
|
ownca_not_after: "{{ certificate_authority_client_not_after }}"
|
|
ownca_not_before: "{{ certificate_authority_client_not_before }}"
|
|
ownca_path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
|
|
ownca_privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
|
|
path: "{{ certificate_authority_client_path }}/cert.pem"
|
|
provider: ownca
|
|
when: certificate_authority_intermediate_ca_tls_key_passphrase | length <= 0
|
|
|
|
- name: Create signed client certificate - passphrase protected intermediate Certificate Authority (CA)
|
|
community.crypto.x509_certificate:
|
|
csr_path: "{{ certificate_authority_client_path }}/cert-req.pem"
|
|
ownca_not_after: "{{ certificate_authority_client_not_after }}"
|
|
ownca_not_before: "{{ certificate_authority_client_not_before }}"
|
|
ownca_path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
|
|
ownca_privatekey_passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
|
|
ownca_privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
|
|
path: "{{ certificate_authority_client_path }}/cert.pem"
|
|
provider: ownca
|
|
when: certificate_authority_intermediate_ca_tls_key_passphrase | length > 0
|