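---
# Two-tier private PKI built with community.crypto: for every entry in
# ca_key_types (one per key algorithm) a root key/CSR/self-signed certificate
# and an intermediate key/CSR/certificate signed by that root are created under
# ca_dir. Private keys are generated once (regenerate: never, force: false),
# stored PKCS#8 and encrypted with a passphrase; the intermediate carries
# pathlen:0 and name constraints so it can only issue end-entity certificates
# for the organisation's own domain.

- name: ensure cryptography toolkit is installed
  include_tasks: tasks/install_packages.yml
  vars:
    package:
      - alpine: py3-cryptography
        debian: python3-cryptography

# Fail early with a clear message instead of half-way through key generation.
# NOTE: the loop variable `item` is itself always defined, so the test has to
# look up the variable *named* by item; `item is not defined` would never fire.
- name: early check to ensure ca variables are defined
  fail:
    msg: "\"{{ item }}\" is not defined"
  when: vars[item] is not defined
  loop:
    - ca_dir
    - ca_key_types
    - ca_rp
    - ca_ip
    - ca_crt_ext
    - ca_csr_ext
    - ca_key_ext
    - ca_pk_password
    - ca_pk_inter_password
    - org
    - tld
    - int_tld

# Owner-only directory: it will hold the CA private keys.
- name: create ca directories
  file:
    path: "{{ ca_dir }}"
    state: directory
    mode: "0700"

# Root keys: never regenerated once present (regenerate: never, force: false),
# encrypted at rest with ca_pk_password (cipher: auto picks the library default).
- name: generate root private keys
  community.crypto.openssl_privatekey:
    path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
    size: "{{ item.size | d(omit) }}"
    curve: "{{ item.curve | d(omit) }}"
    type: "{{ item.type }}"
    backup: true
    cipher: auto
    force: false
    format: pkcs8
    format_mismatch: convert
    passphrase: "{{ ca_pk_password }}"
    regenerate: never
    mode: "0600"
  loop: "{{ ca_key_types }}"

# Root CSR: CA:TRUE with only keyCertSign/cRLSign, both extensions critical,
# and no SAN (a root never needs to be a subject name holder).
- name: generate csr requests for all root keys
  community.crypto.openssl_csr:
    path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_csr_ext }}"
    basic_constraints:
      - 'CA:TRUE'
    basic_constraints_critical: true
    common_name: "{{ org }} Root CA ({{ item.type | upper }})"
    digest: "{{ item.digest | d(omit) }}"
    key_usage:
      - keyCertSign
      - cRLSign
    key_usage_critical: true
    privatekey_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
    privatekey_passphrase: "{{ ca_pk_password }}"
    use_common_name_for_san: false
    mode: "0600"
  loop: "{{ ca_key_types }}"

# Self-signed root; ca_root_valid_until must be supplied by the caller.
- name: generate root certificates
  community.crypto.x509_certificate:
    path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_crt_ext }}"
    csr_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_csr_ext }}"
    privatekey_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
    privatekey_passphrase: "{{ ca_pk_password }}"
    provider: selfsigned
    selfsigned_not_after: "{{ ca_root_valid_until | mandatory }}"
    selfsigned_digest: "{{ item.digest | d(omit) }}"
    mode: "0600"
  loop: "{{ ca_key_types }}"

# Intermediate keys use a separate passphrase (ca_pk_inter_password) so the
# root passphrase does not have to be present on hosts that only issue leaves.
- name: generate inter private keys
  community.crypto.openssl_privatekey:
    path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_key_ext }}"
    size: "{{ item.size | d(omit) }}"
    curve: "{{ item.curve | d(omit) }}"
    type: "{{ item.type }}"
    backup: true
    cipher: auto
    force: false
    format: pkcs8
    format_mismatch: convert
    passphrase: "{{ ca_pk_inter_password }}"
    regenerate: never
    mode: "0600"
  loop: "{{ ca_key_types }}"

# Intermediate CSR: pathlen:0 forbids further sub-CAs; name constraints limit
# what it may sign to DNS/email names under tld. The constraint is marked
# critical so that a verifier which does not understand it rejects the chain
# rather than silently ignoring the restriction (RFC 5280 requires critical).
# IPv6 is excluded alongside IPv4: a name type with no permitted or excluded
# entry is unconstrained, so excluding only 0.0.0.0/0 would still allow any
# IPv6 address in a SAN.
- name: generate csr requests for all inter keys
  community.crypto.openssl_csr:
    path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_csr_ext }}"
    basic_constraints:
      - 'CA:TRUE'
      - 'pathlen:0'
    basic_constraints_critical: true
    common_name: "{{ org }} Intermediate CA ({{ item.type | upper }})"
    digest: "{{ item.digest | d(omit) }}"
    key_usage:
      - digitalSignature
      - keyCertSign
      - cRLSign
    key_usage_critical: true
    privatekey_path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_key_ext }}"
    privatekey_passphrase: "{{ ca_pk_inter_password }}"
    use_common_name_for_san: false
    crl_distribution_points:
      - full_name: "URI:http://crl.{{ int_tld }}/{{ item.name }}.crl"
        crl_issuer: "URI:http://crl.{{ int_tld }}"
    name_constraints_permitted:
      - "DNS:{{ tld }}"
      - "email:{{ tld }}"
    name_constraints_excluded:
      - "IP:0.0.0.0/0"
      - "IP:::/0"
    name_constraints_critical: true
    mode: "0600"
  loop: "{{ ca_key_types }}"

# Intermediate signed by the root of the same algorithm; ca_inter_valid_until
# must be supplied by the caller (and should be shorter than the root's).
- name: generate inter certificates
  community.crypto.x509_certificate:
    path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_crt_ext }}"
    csr_path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_csr_ext }}"
    privatekey_path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_key_ext }}"
    privatekey_passphrase: "{{ ca_pk_inter_password }}"
    provider: ownca
    ownca_not_after: "{{ ca_inter_valid_until | mandatory }}"
    ownca_digest: "{{ item.digest | d(omit) }}"
    ownca_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_crt_ext }}"
    ownca_privatekey_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
    ownca_privatekey_passphrase: "{{ ca_pk_password }}"
    mode: "0600"
  loop: "{{ ca_key_types }}"

- name: install acme
  include_tasks: install_acme.yml

# ca_dir contains the (passphrase-encrypted) root and intermediate private
# keys; the backup destination should be treated with the same sensitivity.
- name: add directories to backup plan
  include_role:
    name: backup
  vars:
    function: add
    backup_items:
      - "{{ ca_dir }}"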