first draft for the crs

2021-09-09 18:02:00 +02:00 · 2021-09-09 18:02:00 +02:00 · 7368a241f2
commit 7368a241f2
parent 7746ec1079
1 changed files with 25 additions and 5 deletions
--- a/roles/generate-cert/tasks/main.yml
+++ b/roles/generate-cert/tasks/main.yml
@ -1,8 +1,4 @@
 ---
- name: Test
-  ansible.builtin.debug:
-    msg: "Test"
-
 - name: Ensure the directory containing the cert exist
  file:
    path: "{{ directory }}"
@ -22,6 +18,31 @@
  delegate_to: localhost
  when: not key_file.stat.exists

+- name: Generate a Certificate Signing Request
+  become: false
+  openssl_csr:
+    path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
+    private_key_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+    common_name: "{{ cname }}"
+    country_name: "{{ country_name | default(omit) }}"
+    locality_name: "{{ locality_name | default(omit) }}"
+    state_or_province_name: "{{ state_or_province_name | default(omit) }}"
+    organization_name: "{{ organization_name | default(omit) }}"
+    organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
+    email_address: "{{ email_address | default(omit) }}"
+    basic_constraints:
+      - CA:FALSE # syntax?
+    basic_contraints_critical: yes
+    key_usage: # need more works on this
+      - digitalSignature
+      - keyEncipherment
+      - clientAuth
+    key_usage_critical: yes
+    subject_alt_name: "{{ subject_alt_name | default(omit) }}"
+    # TODO: add a revocation methode, most probably crl, with crl_distribution_points
+  delegate_to: localhost
+  when: no key_file.stat exists
+
 - name: Send private key to the server
  copy:
    src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
@ -31,7 +52,6 @@
    mode: "{{ key_mode | default('u=rw,g=,o=') }}"
  when: not key_file.stat.exists

-
 # Clean up
 - name: Remove the local cert key
  become: false