ansible_hacky_pki/README.md

# Ansible Hacky PKI

Ansible Hacky PKI is an ansible role that generate certificates signed by a given CA.

## Warning

You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed **WITHOUT ANY WARRANTY**.
In particular, the **security** of the pki generated and the process of generated the pki **is not guaranteed**. If you find any vulnerability,
please contact me to see if we can find a patch.


## Dependencies

You need to have the `cryptography` python library available on the localhost and on the remote hosts.

## How to use it

Copy the roles of the repo in the role folder of your ansible projet. Define in you projet the variables you want/need to modify (cf the section Generate a CA).

After that you can use the role in your playbooks, as shown in the example playbook.

## Generate a CA

The Public Certificate of the CA and its Private Key are ansible variables. Make sure to store the private key in a Vault and to not rease the CA used in example.

### Generate a key

```
openssl genrsa -out ca.key -aes256 4096
```

It will ask a passphrase. Put the passphrase in a vault as `ca_passphrase`.

Then, put the content of `ca.key` in the vaul:

```
ca_key: |
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: AES-256-CBC,EABBE7D2AC7D31F05392F733E9F9B031

  vbKyyhou4oJIZEXL1U4ESbUJ/r5Im9lZNatJwZISOnD3E//+Vf3QaIb+sQ2xNym9
  ...
  iKkhjgSIm7tWWR5lxd/dpeoEM/+tvcZ0KJqFsbPv9jmZPl4/PfBf7O185K7KCY9L
  -----END RSA PRIVATE KEY-----
```

### Generate the certificate

```
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
```

You can replace `3650` by the validity periode you want for your certificate.

You will be ask questions for the content of the certificate, answer adequately.

Then, put the content of `ca.pem` in the variables as `ca_cert`:

```
ca_cert: |
  -----BEGIN CERTIFICATE-----
  MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL
  ...
  YRj4p9wG46WoMCvnNxdgL2/MQfp+Y8rinDEk1BG1Zb8g
  -----END CERTIFICATE-----
```

Then, don't forget to remode the file `ca.key`.

## How does it works ?

The role check if the certificate already exist and is valid. If not, it will generate **on the localhost** the certificates and then copy them to the remote host and delate the local version.

## Add a CRL endpoint

If you use a CRL to revocate your certifiates, you can add the variable `crl_distribution_points` to describe the CRL endpoint(s). CF https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html for more information about `crl_distribution_points`.

```
crl_distribution_points:
  - full_name: "URI:https://ca.example.com/revocations.crl"
    reasons:
      - key_compromise
      - ca_compromise
      - affiliation_changed
      - superseded
      - cessation_of_operation
      - certificate_hold
      - privilege_withdrawn
      - aa_compromise
```

## Copyright

Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>
create the directory structure 2021-09-08 15:59:32 +02:00			`# Ansible Hacky PKI`

			`Ansible Hacky PKI is an ansible role that generate certificates signed by a given CA.`

copyright and stuff 2021-09-19 23:07:37 +02:00			`## Warning`

			`You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed WITHOUT ANY WARRANTY.`
			`In particular, the security of the pki generated and the process of generated the pki is not guaranteed. If you find any vulnerability,`
			`please contact me to see if we can find a patch.`

create the directory structure 2021-09-08 15:59:32 +02:00
			`## Dependencies`

Document a litle 2021-09-08 21:11:43 +02:00			You need to have the `cryptography` python library available on the localhost and on the remote hosts.

copyright and stuff 2021-09-19 23:07:37 +02:00			`## How to use it`

			`Copy the roles of the repo in the role folder of your ansible projet. Define in you projet the variables you want/need to modify (cf the section Generate a CA).`

			`After that you can use the role in your playbooks, as shown in the example playbook.`

create the directory structure 2021-09-08 15:59:32 +02:00			`## Generate a CA`

copyright and stuff 2021-09-19 23:07:37 +02:00			`The Public Certificate of the CA and its Private Key are ansible variables. Make sure to store the private key in a Vault and to not rease the CA used in example.`

Explain how to generate a CA 2021-09-08 17:49:25 +02:00			`### Generate a key`

			```
			`openssl genrsa -out ca.key -aes256 4096`
			```

			It will ask a passphrase. Put the passphrase in a vault as `ca_passphrase`.

			Then, put the content of `ca.key` in the vaul:

			```
			`ca_key: \|`
			`-----BEGIN RSA PRIVATE KEY-----`
			`Proc-Type: 4,ENCRYPTED`
			`DEK-Info: AES-256-CBC,EABBE7D2AC7D31F05392F733E9F9B031`

			`vbKyyhou4oJIZEXL1U4ESbUJ/r5Im9lZNatJwZISOnD3E//+Vf3QaIb+sQ2xNym9`
			`...`
			`iKkhjgSIm7tWWR5lxd/dpeoEM/+tvcZ0KJqFsbPv9jmZPl4/PfBf7O185K7KCY9L`
			`-----END RSA PRIVATE KEY-----`
			```

			`### Generate the certificate`

			```
			`openssl req -new -x509 -days 3650 -key ca.key -out ca.pem`
			```

			You can replace `3650` by the validity periode you want for your certificate.

			`You will be ask questions for the content of the certificate, answer adequately.`

			Then, put the content of `ca.pem` in the variables as `ca_cert`:

			```
			`ca_cert: \|`
			`-----BEGIN CERTIFICATE-----`
			`MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL`
			`...`
			`YRj4p9wG46WoMCvnNxdgL2/MQfp+Y8rinDEk1BG1Zb8g`
			`-----END CERTIFICATE-----`
			```

			Then, don't forget to remode the file `ca.key`.

create the directory structure 2021-09-08 15:59:32 +02:00			`## How does it works ?`
Document a litle 2021-09-08 21:11:43 +02:00
			`The role check if the certificate already exist and is valid. If not, it will generate on the localhost the certificates and then copy them to the remote host and delate the local version.`
add crl endpoint support 2021-09-19 22:42:31 +02:00
			`## Add a CRL endpoint`

			If you use a CRL to revocate your certifiates, you can add the variable `crl_distribution_points` to describe the CRL endpoint(s). CF https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html for more information about `crl_distribution_points`.

			```
			`crl_distribution_points:`
			`- full_name: "URI:https://ca.example.com/revocations.crl"`
			`reasons:`
			`- key_compromise`
			`- ca_compromise`
			`- affiliation_changed`
			`- superseded`
			`- cessation_of_operation`
			`- certificate_hold`
			`- privilege_withdrawn`
			`- aa_compromise`
			```
copyright and stuff 2021-09-19 23:07:37 +02:00
			`## Copyright`

			`Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>`