You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
155 lines
4.4 KiB
155 lines
4.4 KiB
2 years ago
|
- name: ensure cryptography toolkit is installed
|
||
|
include_tasks: tasks/install_packages.yml
|
||
|
vars:
|
||
|
package:
|
||
|
- alpine: py3-cryptography
|
||
|
debian: python3-cryptography
|
||
|
|
||
|
|
||
|
- name: early check to ensure ca variables are defined
|
||
|
fail:
|
||
|
msg: "\"{{ item }}\" is not defined"
|
||
|
when: item is not defined
|
||
|
loop:
|
||
|
- ca_dir
|
||
|
- ca_key_types
|
||
|
- ca_rp
|
||
|
- ca_ip
|
||
|
- ca_crt_ext
|
||
|
- ca_csr_ext
|
||
|
- ca_key_ext
|
||
|
|
||
|
|
||
|
- name: create ca directories
|
||
|
file:
|
||
|
path: "{{ ca_dir }}"
|
||
|
state: directory
|
||
|
mode: 0700
|
||
|
|
||
|
|
||
|
- name: generate root private keys
|
||
|
community.crypto.openssl_privatekey:
|
||
|
path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
|
||
|
size: "{{ item.size | d(omit) }}"
|
||
|
curve: "{{ item.curve | d(omit) }}"
|
||
|
type: "{{ item.type }}"
|
||
|
backup: yes
|
||
|
cipher: auto
|
||
|
force: no
|
||
|
format: pkcs8
|
||
|
format_mismatch: convert
|
||
|
passphrase: "{{ ca_pk_password }}"
|
||
|
regenerate: never
|
||
|
mode: 0600
|
||
|
loop: "{{ ca_key_types }}"
|
||
|
|
||
|
|
||
|
- name: generate csr requests for all root keys
|
||
|
community.crypto.openssl_csr:
|
||
|
path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_csr_ext }}"
|
||
|
basic_constraints:
|
||
|
- 'CA:TRUE'
|
||
|
basic_constraints_critical: yes
|
||
|
common_name: "{{ org }} Root CA ({{ item.type | upper }})"
|
||
|
digest: "{{ item.digest | d(omit) }}"
|
||
|
key_usage:
|
||
|
- keyCertSign
|
||
|
- cRLSign
|
||
|
key_usage_critical: yes
|
||
|
privatekey_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
|
||
|
privatekey_passphrase: "{{ ca_pk_password }}"
|
||
|
use_common_name_for_san: no
|
||
|
mode: 0600
|
||
|
loop: "{{ ca_key_types }}"
|
||
|
|
||
|
|
||
|
- name: generate root certificates
|
||
|
community.crypto.x509_certificate:
|
||
|
path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_crt_ext }}"
|
||
|
csr_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_csr_ext }}"
|
||
|
privatekey_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
|
||
|
privatekey_passphrase: "{{ ca_pk_password }}"
|
||
|
provider: selfsigned
|
||
|
selfsigned_not_after: "{{ ca_root_valid_until | mandatory }}"
|
||
|
selfsigned_digest: "{{ item.digest | d(omit) }}"
|
||
|
mode: 0600
|
||
|
loop: "{{ ca_key_types }}"
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
- name: generate inter private keys
|
||
|
community.crypto.openssl_privatekey:
|
||
|
path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_key_ext }}"
|
||
|
size: "{{ item.size | d(omit) }}"
|
||
|
curve: "{{ item.curve | d(omit) }}"
|
||
|
type: "{{ item.type }}"
|
||
|
backup: yes
|
||
|
cipher: auto
|
||
|
force: no
|
||
|
format: pkcs8
|
||
|
format_mismatch: convert
|
||
|
passphrase: "{{ ca_pk_inter_password }}"
|
||
|
regenerate: never
|
||
|
mode: 0600
|
||
|
loop: "{{ ca_key_types }}"
|
||
|
|
||
|
|
||
|
- name: generate csr requests for all inter keys
|
||
|
community.crypto.openssl_csr:
|
||
|
path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_csr_ext }}"
|
||
|
basic_constraints:
|
||
|
- 'CA:TRUE'
|
||
|
- 'pathlen:0'
|
||
|
basic_constraints_critical: yes
|
||
|
common_name: "{{ org }} Intermediate CA ({{ item.type | upper }})"
|
||
|
digest: "{{ item.digest | d(omit) }}"
|
||
|
key_usage:
|
||
|
- digitalSignature
|
||
|
- keyCertSign
|
||
|
- cRLSign
|
||
|
key_usage_critical: yes
|
||
|
privatekey_path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_key_ext }}"
|
||
|
privatekey_passphrase: "{{ ca_pk_inter_password }}"
|
||
|
use_common_name_for_san: no
|
||
|
|
||
|
crl_distribution_points:
|
||
|
- full_name: "URI:http://crl.{{ int_tld }}/{{ item.name }}.crl"
|
||
|
crl_issuer: "URI:http://crl.{{ int_tld }}"
|
||
|
name_constraints_permitted:
|
||
|
- "DNS:{{ tld }}"
|
||
|
- "email:{{ tld }}"
|
||
|
name_constraints_excluded:
|
||
|
- "IP:0.0.0.0/0"
|
||
|
mode: 0600
|
||
|
loop: "{{ ca_key_types }}"
|
||
|
|
||
|
|
||
|
- name: generate inter certificates
|
||
|
community.crypto.x509_certificate:
|
||
|
path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_crt_ext }}"
|
||
|
csr_path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_csr_ext }}"
|
||
|
privatekey_path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_key_ext }}"
|
||
|
privatekey_passphrase: "{{ ca_pk_inter_password }}"
|
||
|
provider: ownca
|
||
|
ownca_not_after: "{{ ca_inter_valid_until | mandatory }}"
|
||
|
ownca_digest: "{{ item.digest | d(omit) }}"
|
||
|
ownca_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_crt_ext }}"
|
||
|
ownca_privatekey_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
|
||
|
ownca_privatekey_passphrase: "{{ ca_pk_password }}"
|
||
|
mode: 0600
|
||
|
loop: "{{ ca_key_types }}"
|
||
|
|
||
|
|
||
|
- name: install acme
|
||
|
include_tasks: install_acme.yml
|
||
|
|
||
|
|
||
|
- name: add directories to backup plan
|
||
|
include_role:
|
||
|
name: backup
|
||
|
vars:
|
||
|
function: add
|
||
|
backup_items:
|
||
|
- "{{ ca_dir }}"
|