add crl endpoint support

master
histausse 3 years ago
parent ec297a7dd3
commit b41a2b1bc2
Signed by: histausse
GPG Key ID: 67486F107F62E9E9

@ -60,3 +60,21 @@ Then, don't forget to remode the file `ca.key`.
## How does it works ?
The role check if the certificate already exist and is valid. If not, it will generate **on the localhost** the certificates and then copy them to the remote host and delate the local version.
## Add a CRL endpoint
If you use a CRL to revocate your certifiates, you can add the variable `crl_distribution_points` to describe the CRL endpoint(s). CF https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html for more information about `crl_distribution_points`.
```
crl_distribution_points:
- full_name: "URI:https://ca.example.com/revocations.crl"
reasons:
- key_compromise
- ca_compromise
- affiliation_changed
- superseded
- cessation_of_operation
- certificate_hold
- privilege_withdrawn
- aa_compromise
```

@ -1,4 +1,15 @@
---
crl_distribution_points:
- full_name: "URI:https://ca.example.com/revocations.crl"
reasons:
- key_compromise
- ca_compromise
- affiliation_changed
- superseded
- cessation_of_operation
- certificate_hold
- privilege_withdrawn
- aa_compromise
ca_cert: |
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL

@ -32,7 +32,6 @@
size: "{{ key_size | default(omit) }}"
delegate_to: localhost
# TODO: add a revocation methode, most probably crl, with crl_distribution_points
- name: Generate a Certificate Signing Request
become: false
openssl_csr:
@ -51,6 +50,7 @@
key_usage: "{{ key_usage }}"
key_usage_critical: yes
subject_alt_name: "{{ subject_alt_name | default(omit) }}"
crl_distribution_points: "{{ crl_distribution_points | default(omit) }}"
delegate_to: localhost
- name: Put the CA in a file

Loading…
Cancel
Save