ansible_hacky_pki/README.md

# Ansible Hacky PKI

Ansible Hacky PKI is an ansible role that generate certificates signed by a given CA.

The Public Certificate of the CA and its Private Key are ansible variables. Make sure to store the private key in a Vault and to not rease the CA used in example.

## Dependencies

## Generate a CA

### Generate a key

```
openssl genrsa -out ca.key -aes256 4096
```

It will ask a passphrase. Put the passphrase in a vault as `ca_passphrase`.

Then, put the content of `ca.key` in the vaul:

```
ca_key: |
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: AES-256-CBC,EABBE7D2AC7D31F05392F733E9F9B031

  vbKyyhou4oJIZEXL1U4ESbUJ/r5Im9lZNatJwZISOnD3E//+Vf3QaIb+sQ2xNym9
  ...
  iKkhjgSIm7tWWR5lxd/dpeoEM/+tvcZ0KJqFsbPv9jmZPl4/PfBf7O185K7KCY9L
  -----END RSA PRIVATE KEY-----
```

### Generate the certificate

```
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
```

You can replace `3650` by the validity periode you want for your certificate.

You will be ask questions for the content of the certificate, answer adequately.

Then, put the content of `ca.pem` in the variables as `ca_cert`:

```
ca_cert: |
  -----BEGIN CERTIFICATE-----
  MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL
  ...
  YRj4p9wG46WoMCvnNxdgL2/MQfp+Y8rinDEk1BG1Zb8g
  -----END CERTIFICATE-----
```

Then, don't forget to remode the file `ca.key`.


## How does it works ?
create the directory structure 3 years ago			`# Ansible Hacky PKI`

			`Ansible Hacky PKI is an ansible role that generate certificates signed by a given CA.`

			`The Public Certificate of the CA and its Private Key are ansible variables. Make sure to store the private key in a Vault and to not rease the CA used in example.`

			`## Dependencies`

			`## Generate a CA`

Explain how to generate a CA 3 years ago			`### Generate a key`

			```
			`openssl genrsa -out ca.key -aes256 4096`
			```

			It will ask a passphrase. Put the passphrase in a vault as `ca_passphrase`.

			Then, put the content of `ca.key` in the vaul:

			```
			`ca_key: \|`
			`-----BEGIN RSA PRIVATE KEY-----`
			`Proc-Type: 4,ENCRYPTED`
			`DEK-Info: AES-256-CBC,EABBE7D2AC7D31F05392F733E9F9B031`

			`vbKyyhou4oJIZEXL1U4ESbUJ/r5Im9lZNatJwZISOnD3E//+Vf3QaIb+sQ2xNym9`
			`...`
			`iKkhjgSIm7tWWR5lxd/dpeoEM/+tvcZ0KJqFsbPv9jmZPl4/PfBf7O185K7KCY9L`
			`-----END RSA PRIVATE KEY-----`
			```

			`### Generate the certificate`

			```
			`openssl req -new -x509 -days 3650 -key ca.key -out ca.pem`
			```

			You can replace `3650` by the validity periode you want for your certificate.

			`You will be ask questions for the content of the certificate, answer adequately.`

			Then, put the content of `ca.pem` in the variables as `ca_cert`:

			```
			`ca_cert: \|`
			`-----BEGIN CERTIFICATE-----`
			`MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL`
			`...`
			`YRj4p9wG46WoMCvnNxdgL2/MQfp+Y8rinDEk1BG1Zb8g`
			`-----END CERTIFICATE-----`
			```

			Then, don't forget to remode the file `ca.key`.



create the directory structure 3 years ago			`## How does it works ?`