You've already forked ansible-role-certificate-authority
229 lines
10 KiB
YAML
229 lines
10 KiB
YAML
---
|
|
argument_specs:
|
|
main:
|
|
short_description: "Role to create and manage an existing PKI infrastructure"
|
|
description:
|
|
- "This Ansible role can be used to create a root and intermediate certificate authority and issue client certificates from them."
|
|
- "Additionally offers the ansible role the feature to import the certificates of the authority into the systems trust store."
|
|
author: "Markus Pesch"
|
|
options:
|
|
# Root Certificate Authority (CA)
|
|
certificate_authority_root_ca_skip:
|
|
description: "Skip creation or import of a root certificate authority in general."
|
|
type: bool
|
|
default: false
|
|
certificate_authority_root_ca_create:
|
|
description: "Create root certificate from scratch or import via certificate_authority_root_ca_tls prefixed variables."
|
|
type: bool
|
|
default: true
|
|
certificate_authority_root_ca_import:
|
|
description: "Import the TLS certificate of the root certificate authority into the systems trust store."
|
|
type: bool
|
|
default: true
|
|
certificate_authority_root_ca_path:
|
|
description: "Directory where the private and public TLS key of the root certificate authority should be stored."
|
|
type: str
|
|
default: "/etc/ansible-playbook/pki/ca"
|
|
certificate_authority_root_ca_common_name:
|
|
description: "Common Name (CN) of the root certificate authority."
|
|
type: str
|
|
default: "Ansible Root CA"
|
|
certificate_authority_root_ca_country_name:
|
|
description: "Common Name (CN) of the root certificate authority. For example US, FR or DE."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_root_ca_email_address:
|
|
description: "E-Mail Address of the root certificate authority owner."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_root_ca_organization_name:
|
|
description: "Organization name of the root certificate authority owner."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_root_ca_organizational_unit_name:
|
|
description: "Organizational unit name of the root certificate authority."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_root_ca_state_or_province_name:
|
|
description: "State or province name where the owner of the root certificate authority is located."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_root_ca_subject_alternative_names:
|
|
description: "Subject Alternative Names (SAN) of the root certificate authority."
|
|
type: list
|
|
elements: str
|
|
default: []
|
|
certificate_authority_root_ca_not_after:
|
|
description: "Time in the future from now when the TLS certificate should expire"
|
|
type: str
|
|
default: "+3650d"
|
|
certificate_authority_root_ca_not_before:
|
|
description: "Time in the past from now when the TLS certificate should be valid."
|
|
type: str
|
|
default: "+0s"
|
|
certificate_authority_root_ca_tls_key_content:
|
|
description: "Content of a custom used root certificate authority. Will only be imported, when certificate_authority_root_ca_create: false."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_root_ca_tls_crt_content:
|
|
description: "Content of a custom used certificate of the certificate authority. Will only be imported, when certificate_authority_root_ca_create: false."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_root_ca_tls_key_passphrase:
|
|
description: "Passphrase for the private key of the generated or imported root certificate authority."
|
|
type: str
|
|
default: ""
|
|
no_log: true
|
|
certificate_authority_root_ca_tls_key_type:
|
|
description: "Algorithm of the private key of the root certificate authority."
|
|
type: str
|
|
default: "RSA"
|
|
choices:
|
|
- RSA
|
|
- DSA
|
|
- ECC
|
|
|
|
# Intermediate Certificate Authority (CA)
|
|
certificate_authority_intermediate_ca_skip:
|
|
description: "Skip creation or import of a intermediate certificate authority in general."
|
|
type: bool
|
|
default: false
|
|
certificate_authority_intermediate_ca_create:
|
|
description: "Create intermediate certificate from scratch or import via certificate_authority_intermediate_ca_tls prefixed variables."
|
|
type: bool
|
|
default: true
|
|
certificate_authority_intermediate_ca_path:
|
|
description: "Directory where the private and public TLS key of the intermediate certificate authority should be stored."
|
|
type: str
|
|
default: "/etc/ansible-playbook/pki/intermediate"
|
|
certificate_authority_intermediate_ca_common_name:
|
|
description: "Common Name (CN) of the intermediate certificate authority."
|
|
type: str
|
|
default: "Ansible Intermediate CA"
|
|
certificate_authority_intermediate_ca_country_name:
|
|
description: "Country name of the intermediate certificate authority. For example US, FR or DE."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_intermediate_ca_email_address:
|
|
description: "E-Mail Address of the intermediate certificate authority owner."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_intermediate_ca_organization_name:
|
|
description: "Organization name of the intermediate certificate authority owner."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_intermediate_ca_organizational_unit_name:
|
|
description: "Organizational unit name of the intermediate certificate authority."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_intermediate_ca_state_or_province_name:
|
|
description: "State or province name where the owner of the intermediate certificate authority is located."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_intermediate_ca_subject_alternative_names:
|
|
description: "Subject Alternative Names (SAN) of the intermediate certificate authority."
|
|
type: list
|
|
elements: str
|
|
default: []
|
|
certificate_authority_intermediate_ca_not_after:
|
|
description: "Time in the future from now when the TLS certificate should expire"
|
|
type: str
|
|
default: "+1825d"
|
|
certificate_authority_intermediate_ca_not_before:
|
|
description: "Time in the past from now when the TLS certificate should be valid."
|
|
type: str
|
|
default: "+0s"
|
|
certificate_authority_intermediate_ca_tls_key_content:
|
|
description: "Content of a custom used intermediate certificate authority. Will only be imported, when certificate_authority_intermediate_ca_create: false."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_intermediate_ca_tls_crt_content:
|
|
description: "Content of a custom used certificate of the certificate authority. Will only be imported, when certificate_authority_intermediate_ca_create: false."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_intermediate_ca_tls_key_passphrase:
|
|
description: "Passphrase for the private key of the generated or imported intermediate certificate authority."
|
|
type: str
|
|
default: ""
|
|
no_log: true
|
|
certificate_authority_intermediate_ca_tls_key_type:
|
|
description: "Algorithm of the private key of the intermediate certificate authority."
|
|
type: str
|
|
default: "RSA"
|
|
choices:
|
|
- RSA
|
|
- DSA
|
|
- ECC
|
|
|
|
# Client Certificate
|
|
certificate_authority_client_skip:
|
|
description: "Skip creation or import of a client certificate in general."
|
|
type: bool
|
|
default: true
|
|
certificate_authority_client_create:
|
|
description: "Create client certificate from scratch or import via certificate_authority_client_tls prefixed variables."
|
|
type: bool
|
|
default: true
|
|
certificate_authority_client_path:
|
|
description: "Directory where the private and public TLS key of the client certificate authority should be stored."
|
|
type: str
|
|
default: "/etc/ansible-playbook/pki/client"
|
|
certificate_authority_client_common_name:
|
|
description: "Common Name (CN) of the client certificate."
|
|
type: str
|
|
default: "Ansible Client Certificate"
|
|
certificate_authority_client_country_name:
|
|
description: "Country Name (CN) of the client certificate. For example US, FR or DE."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_client_email_address:
|
|
description: "E-Mail Address of the client certificate owner."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_client_organization_name:
|
|
description: "Organization name of the client certificate owner."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_client_organizational_unit_name:
|
|
description: "Common Name (CN) of the client certificate."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_client_state_or_province_name:
|
|
description: "State or province name where the owner of the client certificate is located."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_client_subject_alternative_names:
|
|
description: "Subject Alternative Names (SAN) of the client certificate."
|
|
type: list
|
|
elements: str
|
|
default: []
|
|
certificate_authority_client_not_after:
|
|
description: "Time in the future from now when the TLS certificate should expire"
|
|
type: str
|
|
default: "+397d"
|
|
certificate_authority_client_not_before:
|
|
description: "Time in the past from now when the TLS certificate should be valid."
|
|
type: str
|
|
default: "+0s"
|
|
certificate_authority_client_tls_key_passphrase:
|
|
description: "Passphrase for the private key of the generated or imported client certificate."
|
|
type: str
|
|
default: ""
|
|
no_log: true
|
|
certificate_authority_client_tls_key_type:
|
|
description: "Algorithm of the private key of the client certificate."
|
|
type: str
|
|
default: "RSA"
|
|
choices:
|
|
- RSA
|
|
- DSA
|
|
- ECC
|
|
certificate_authority_client_tls_crt_content:
|
|
description: "Passphrase for the private key of the generated or imported client certificate."
|
|
type: str
|
|
default: ""
|
|
certificate_authority_client_tls_key_content:
|
|
description: "Algorithm of the private key of the client certificate"
|
|
type: str
|
|
default: ""
|