Pains-Perdus
/
ansible_hacky_pki
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
24 Commits
1 Branch
0 Tags
98 KiB
INI 100%
 
master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Go to file
histausse 49bc9d74b1
update readme 		2 years ago
group_vars add crl endpoint support 3 years ago
roles add submodule 2 years ago
.gitmodules add submodule 2 years ago
LICENSE use the LGPL licence 3 years ago
README.md update readme 2 years ago
ansible.cfg create the directory structure 3 years ago
example.yml add an example for copying the CA cert 3 years ago
hosts create the directory structure 3 years ago

README.md

Ansible Hacky PKI

Ansible Hacky PKI is an ansible role that generate certificates signed by a given CA.

Warning

You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed WITHOUT ANY WARRANTY. In particular, the security of the pki generated and the process of generated the pki is not guaranteed. If you find any vulnerability, please contact me to see if we can find a patch.

Dependencies

You need to have the cryptography python library available on the localhost and on the remote hosts.

How to use it

Add the submodule of the role you want to use in your role folder:

git submodule add ssh://git@gitea.auro.re:2222/Pains-Perdus/generate-cert.git roles/generate-cert
git submodule init

Define in you projet the variables you want/need to modify (cf the section Generate a CA).

After that you can use the role in your playbooks, as shown in the example playbook.

Generate a CA

The Public Certificate of the CA and its Private Key are ansible variables. Make sure to store the private key in a Vault and to not rease the CA used in example.

Generate a key

openssl genrsa -out ca.key -aes256 4096

It will ask a passphrase. Put the passphrase in a vault as ca_passphrase.

Then, put the content of ca.key in the vaul:

ca_key: |
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: AES-256-CBC,EABBE7D2AC7D31F05392F733E9F9B031

  vbKyyhou4oJIZEXL1U4ESbUJ/r5Im9lZNatJwZISOnD3E//+Vf3QaIb+sQ2xNym9
  ...
  iKkhjgSIm7tWWR5lxd/dpeoEM/+tvcZ0KJqFsbPv9jmZPl4/PfBf7O185K7KCY9L
  -----END RSA PRIVATE KEY-----

Generate the certificate

openssl req -new -x509 -days 3650 -key ca.key -out ca.pem

You can replace 3650 by the validity periode you want for your certificate.

You will be ask questions for the content of the certificate, answer adequately.

Then, put the content of ca.pem in the variables as ca_cert:

ca_cert: |
  -----BEGIN CERTIFICATE-----
  MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL
  ...
  YRj4p9wG46WoMCvnNxdgL2/MQfp+Y8rinDEk1BG1Zb8g
  -----END CERTIFICATE-----

Then, don't forget to remode the file ca.key.

How does it works ?

The role check if the certificate already exist and is valid. If not, it will generate on the localhost the certificates and then copy them to the remote host and delate the local version.

Add a CRL endpoint

If you use a CRL to revocate your certifiates, you can add the variable crl_distribution_points to describe the CRL endpoint(s). CF https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html for more information about crl_distribution_points.

crl_distribution_points:
  - full_name: "URI:https://ca.example.com/revocations.crl"
    reasons:
      - key_compromise
      - ca_compromise
      - affiliation_changed
      - superseded
      - cessation_of_operation
      - certificate_hold
      - privilege_withdrawn
      - aa_compromise

Copyright

Copyright 2021 Jean-Marie Mineau histausse@protonmail.com