@ -1,8 +1,4 @@
---
- name: Test
ansible.builtin.debug:
msg: "Test"
- name: Ensure the directory containing the cert exist
file:
path: "{{ directory }}"
@ -22,6 +18,31 @@
delegate_to: localhost
when: not key_file.stat.exists
- name: Generate a Certificate Signing Request
become: false
openssl_csr:
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
private_key_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
common_name: "{{ cname }}"
country_name: "{{ country_name | default(omit) }}"
locality_name: "{{ locality_name | default(omit) }}"
state_or_province_name: "{{ state_or_province_name | default(omit) }}"
organization_name: "{{ organization_name | default(omit) }}"
organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
email_address: "{{ email_address | default(omit) }}"
basic_constraints:
- CA:FALSE # syntax?
basic_contraints_critical: yes
key_usage: # need more works on this
- digitalSignature
- keyEncipherment
- clientAuth
key_usage_critical: yes
subject_alt_name: "{{ subject_alt_name | default(omit) }}"
# TODO: add a revocation methode, most probably crl, with crl_distribution_points
delegate_to: localhost
when: no key_file.stat exists
- name: Send private key to the server
copy:
src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
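Review bot: The conditional on the new "Generate a Certificate Signing Request" task, `when: no key_file.stat exists`, is not a valid Jinja expression and will fail when the task is evaluated; the neighbouring tasks use `when: not key_file.stat.exists`, and this one should match. `basic_contraints_critical` is misspelled — the openssl_csr option is `basic_constraints_critical`, so the module will reject it as an unsupported parameter — and both `_critical` flags should be written `true` rather than `yes`. `clientAuth` listed under `key_usage` is an extended key usage value, which the module takes under `extended_key_usage`, not `key_usage`; the `# need more works on this` comment suggests this is already known, but as written the CSR will not carry the intended usage. The CSR and private key are also written to fixed, predictable paths under `/tmp` on the controller; creating a per-run directory with `ansible.builtin.tempfile` (state: directory) and building the paths from its result would avoid collisions between concurrent runs and limit how long the key sits in a shared location.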
@ -31,7 +52,6 @@
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
when: not key_file.stat.exists
# Clean up
- name: Remove the local cert key
become: false