From eaacbca6dcee38fc11af348940a23938a58287ee Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Wed, 8 Sep 2021 17:49:25 +0200
Subject: [PATCH] Explain how to generate a CA
---
 README.md | 47 +++++++++++++++++++++++
 group_vars/all.yml | 95 ++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 139 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 4107e9b..7b88813 100644
--- a/README.md
+++ b/README.md
@@ -8,4 +8,51 @@ The Public Certificate of the CA and its Private Key are ansible variables. Make
 
 ## Generate a CA
+### Generate a key
+
+```
+openssl genrsa -out ca.key -aes256 4096
+```
+
+It will ask a passphrase. Put the passphrase in a vault as `ca_passphrase`.
+
+Then, put the content of `ca.key` in the vaul:
+
+```
+ca_key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: AES-256-CBC,EABBE7D2AC7D31F05392F733E9F9B031
+
+ vbKyyhou4oJIZEXL1U4ESbUJ/r5Im9lZNatJwZISOnD3E//+Vf3QaIb+sQ2xNym9
+ ...
+ iKkhjgSIm7tWWR5lxd/dpeoEM/+tvcZ0KJqFsbPv9jmZPl4/PfBf7O185K7KCY9L
+ -----END RSA PRIVATE KEY-----
+```
+
+### Generate the certificate
+
+```
+openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
+```
+
+You can replace `3650` by the validity periode you want for your certificate.
+
+You will be ask questions for the content of the certificate, answer adequately.
+
+Then, put the content of `ca.pem` in the variables as `ca_cert`:
+
+```
+ca_cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL
+ ...
+ YRj4p9wG46WoMCvnNxdgL2/MQfp+Y8rinDEk1BG1Zb8g
+ -----END CERTIFICATE-----
+```
+
+Then, don't forget to remode the file `ca.key`.
+
+
+
 
 ## How does it works ?
diff --git a/group_vars/all.yml b/group_vars/all.yml
index bbb8cca..52e520c 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,4 +1,93 @@
 ---
-ca_public:
-# This variable HAS to be storred in a vault.
-ca_private:
+ca_cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL
+ BQAwgYUxCzAJBgNVBAYTAkVYMRAwDgYDVQQIDAdleGFtcGxlMRAwDgYDVQQHDAdl
+ eGFtcGxlMRowGAYDVQQKDBFBbnNpYmxlIEhhY2t5IFBLSTEaMBgGA1UECwwRQW5z
+ aWJsZSBIYWNreSBQS0kxGjAYBgNVBAMMEWFuc2lsYmUtaGFja3ktcGtpMB4XDTIx
+ MDkwODE1NDQ0MVoXDTMxMDkwNjE1NDQ0MVowgYUxCzAJBgNVBAYTAkVYMRAwDgYD
+ VQQIDAdleGFtcGxlMRAwDgYDVQQHDAdleGFtcGxlMRowGAYDVQQKDBFBbnNpYmxl
+ IEhhY2t5IFBLSTEaMBgGA1UECwwRQW5zaWJsZSBIYWNreSBQS0kxGjAYBgNVBAMM
+ EWFuc2lsYmUtaGFja3ktcGtpMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+ AgEA2htZI/32cf2VJlzAkzEEBlaEul7l+pl5rM/i+sYr/1i0m6L1g0qQjAwnxw5g
+ 6PeiIxd8i9Ea12DyhmXfKVZBqZy8t6kqw97qbXe1duUuadwkb5OWGZvb/z5UbkuY
+ Q+EeqTfFdTkhNzB4Z6AfGW4C856tdEUYE1SfzLIQC77kXwJ4DJ4PrDaf5PeX8gMr
+ do2JL12Ns+SV75cJ/IiOaSwDPQLkvqwYqgCN7m3eYXFMs7vZLvvttBN3sQjnpCCF
+ IW62mW1CjnBwfbktjDRuLFve2h3rSvYFbd2KPsjpvhhB6xer1MJSBzHgxU+tIXXb
+ bOCsU/0hH5L9zLH4O5ncmfLeYovzDuAvYfxAQ+Mq/9x7cnrx0KOAA9BLMZzSz52d
+ h2eqHVIqmKrJAcyAdSZtBd7WJEZfcL3m7Dipe/byqLV7e1YhVlbavlZk+1rMDVBh
+ lbiP0KIfC5qTznmGuNZrkd3qavJPA7H9WCx16QdIeg9ZPqxKp3rHtcBfd9O8yVLj
+ Kho0jUw4gXjzUNZACnoip6k3GBsbz+Ennb2ZinKr0ov/wbWWGTpW4zxrptxL/5Yz
+ IFmFN2N1e7URg5iD1kS3A209jx38cPx3kTMZVuiuEwy3PBlfVJBd2FCc3g0sQh8g
+ IMhhC2J1EIz++gRx0zBPELJkbYSAVqBTxelEDQnP9syTjOECAwEAAaNTMFEwHQYD
+ VR0OBBYEFDQH2VvvQolBnW06yMTfTmrtUOhRMB8GA1UdIwQYMBaAFDQH2VvvQolB
+ nW06yMTfTmrtUOhRMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB
+ AJWK/icvN3aq8dm03I07393+o2olxJBJ9+1rugpz7HlpNhh4o3kuPKtn0FtVaKRN
+ LfmqI8FC2iunakfln4ew2gmt15hUnaT5QlMPz4Wp9Bs1jSdizpalttJ57kb6Rtkq
+ zgJshPjTwd0EsTI919Mu+m5jnE01bFuKa/mIZHuhS7YQE0VPjW1twfb0jE2Gxpn/
+ aSVvT06zC9OAHsC8Ebc6+uIiQATkWMxT5sLrdddhpAg53fQckx4H+XLI5SwtZ2Md
+ tFxu55drDwFY2AVKyPKc+LQ7FnEDrlMVpd5FeUXb/bGOIcv1ZNh0fD2jMXa3C+/q
+ vQCKt2phTSOx/WsOHM0YfqIZef8Zcpt5TZSdHTKfxtLNItEHCHnFo7Zggx3RjZdr
+ 1yz+LdpmKfMZ8p6XRaRAH42kUwuSJkMr1/UGAc3Phund8ySM7lwpnqyE6tPGkNYX
+ xhUaAV0/fAbeVxRcgpbMOqAAhEdFFPySSipNgEzo1OUQfB7bIJuoZP5v44vna2fi
+ +q7vv/7miOJemb14ILp0kWvlOOFOnYnIn9F8lTVQosq1fzmxMcLsLiA5QV4ucvgk
+ UJnwkzvSx1cIg9o50RL81YyqAG5zFT3SoZIaHxrNM45FJVUBCRocgV+B48L2sRlE
+ YRj4p9wG46WoMCvnNxdgL2/MQfp+Y8rinDEk1BG1Zb8g
+ -----END CERTIFICATE-----
+# This variables HAVE to be storred in a vault.
+ca_key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: AES-256-CBC,EABBE7D2AC7D31F05392F733E9F9B031
+
+ vbKyyhou4oJIZEXL1U4ESbUJ/r5Im9lZNatJwZISOnD3E//+Vf3QaIb+sQ2xNym9
+ zbAPtLW5KCrmda8rf93NVRMC4sOr4+NVIxL3YUc49N3ziu82qETXxOUU1doXk+1k
+ U+h+LPU0jcVeqExcY5RZVHibC63T+3i50DmPH//WeaiXPrvzuJ5aNjGP6Ku7Odlo
+ SLWZOG1kLYL6y4iM6A2s15IA+8J/itSDACW4yp1cnLD96nkxU0L/vKQ+PEV9cuMi
+ 1UeLbUfAKMhQNJyaIOAB7OwJ+tDQQFsUIbqv0FKWlNYCanjqvRHjzyEj1jgTyBwH
+ t9KWHljJk5459ko9wbcdRwXisoTNuUMboEFqeJSPJAPpv0HN+kE4rlgaKXOKemtv
+ mQBuxm78BiUzdn9oWDBoRmSs6NP1YtZbAbdJ5HWdQtNy+zIMt3UT4gsVHBYijilJ
+ +YDeNMXsE9w735Hg4zx6AtDjfMlGAZrnUj7TWBDhRI81wtfZAgkPzFNo6dweQGwJ
+ dfSfU6kRyqhtO8jip/BzE0pxuqSZM7UwxZC4TwALTES2QHLvQj3r2yXwft5BoRry
+ Np5DtiMUqUafCuzlZJ1Uql7fgqWlfe0sL9FNnDo+6gBgIMu1oY+rfr5O7Q5ssFko
+ 01qTZjZtIaRs24RQnACpobXOMUxaqKdYjZ9/iknqyvVZKgolJUTjBXEoP+KxkDB5
+ QaTjEPm/V/cLhmw1PpuHC7GbZAa+sCnlGfOfxenUqnlH+8g+BcqTP3H7sc8KvCNP
+ y/T0LurNZYu/BObIyvJlqfP8SVgt7jDBfVUFm5dQgNgOD2UdDyUJFW02dXIqQODg
+ 7GCIo0S9/5USDBhYmKyOA/WplxQuSWCzK/KS8O3FcegHRya3Ye6MHi5Ovsb+xvPh
+ dJWUjIkfQW75biVI42Vp3zpW6rVljzKx0WcGb2gCAWVVd6jP6m/bXPZpMRIGXdxh
+ e9r653PgC4E87vy6gyq8lx7OwXikvhePfPuNPshX0otTFQGuUa7O4Y0oJM447iAV
+ wL/q55pVCgzXZq5h7gxRdrEgQouGTfswYsD+75idkg+qomJ1iwORrPvm5QsWSnfF
+ n+uPSTxtqoXHVzoNzSzCxhSOTH7XHgsQGvgUVaZpUyH052ZN5WP7mHLMMJsva9io
+ 6cNhpCtOxGaG2YoffvTt8SvSZ0qpxoUUiGOBYLNl98K4ViEzV/E6KWt83iBdTTGT
+ VL19wnGkqpG98Zuw9F43bSjZAS08hnpflhy2xuUeQxuPk+ewvRjDR/u/WYll/h2J
+ 3ylvLzRKeWsYsAfiX8U9rwQsmDo5zqR/8hiIMivUC4QW/Y9hYGDNYlPrujthNVpc
+ pcEvLuO8ZRSpw4d/gS1junKa5J8H0rEVIRQKGr10xlZOrj9/+8Jl2PePV7e9/IWv
+ 9rQwI3gr9/rE8TSwYbeIfWizVFKZRqetEDhUFVwKZRwuV+70igoutTNF5qqq8A2G
+ 5ShSnHQqLbs/OWaM8cAPFOepVQ2JbzlVPTAa29zTAt+5z2n0zAGMaNPf404h4EqG
+ 6E3HBCRbJjefdbW/UQJp+kPQhOIh/mQKsxavBgE0v66fugKSD9dZcyY9ZeT5iUZL
+ TtG4p7Y6+0Wzk9C3zla45iTuvok7ayhHEEBAnRmoBMJGvvbiYG7KsgKzeeBUsExA
+ gEWFGVmCymkZ8wogTYF0KI6cpRQgOVgKnDFoSF6+YHFm/xdwJGP2y7shwRrFfPjQ
+ SJyWrdM5QiaDjDD5GN8eccIINRiRiLKnxA6fpUeV5VIPmcxTIgcldTicrtp2WJY/
+ zX/qrCuEjRfJ4icDOxvyqJMglMuB5WV43hjzPIZSYGpk+G9g2WLep8kRroC24IuH
+ 4qRFfiJIKTCCc+JcanhlV3u6vHdmxYdEHXV6UO7297PiZ7dWp1uO9/9cM8KcaYl1
+ KDjpcx2Rt8MmeS/7U6deXUyEpKJqhE6ee8wC0CEFZkD64BH9w4jKn0CcBMhmGY8+
+ ZLKw8jZb6ixuWi3zfpLdGHupQW2fyi8aaPQRvmrRw83HUksIGesDFC7eVaU9qtsb
+ ZQvFM+9kkWyfT2P8rjTz0fcBXp7oO9v2u3sYUnhYJkhumxdcGlz5StZV/i+6LB0S
+ vKn8CtMNppJLpb8h/qGXdogTkQ7FLiDkt8aHPp7Mk6KhvQ+zgVIodIunj3ft+Fkv
+ fytb/VFVwekw3c2MqmKtfngCtCuA9PFPdXQrPq+0p02tzpLj/aNnJHrrIKQfySiD
+ 6n266HB0gO4XlVPS9kC0UjbVqMqP0Y2zaUt6IJPO6dflMqXAwHqLMByYTOOvjQAj
+ CpjFme+PoJGpwnU67qvYtHfNeWznC5Xg0pBXeDpHd9S/zD2LJdujI5v0MVOVaxps
+ nkA+pPg9u1Mxxeyh3poUcjR2tK2suA4jszuo5EG2pysRGA9HlkQdREfVyqha99pL
+ 4gTc3H7tcStOql1kudYOdQBmDnAr89vnJ3sxYQwV8tNNzssxd93oIF71ZqR31tlk
+ Lwl2RHKRml30tQucBDZhKowcy5PDdLKHohW3f9ldE02p7ykr9z08efYDUDtRRyST
+ lZdUSHQT48UvHsrxkjjLJcSESkNsFS0Aoda+/I4pPzcu0l7Lx1Mp9mrx0sfk3ICj
+ vP9eImtmYbeUF8pTpAehLbAsk9p9PjqGiKVq3AIVzVJ1rKMmYddr+qHHp0dNsdNJ
+ Vg4cLUISh7ZCRhr3JEs3Ldmt7pPcHjlE6fTjXDLojnc3CQdiNOkGgrXciIb0pkji
+ 5b4UMiAqfdrC5E1/QFBiuEp4VhX20kdVQmEMyfyvhfJX3tMfjKCTanehgYAsl7Fm
+ 17hyZ3DLPFhNtcZWLuBOsKr3fQxpBevbHDxn2rzN5vKAq7QbKN0mEvA5xgq0PU8W
+ UipW5ZkKnc8LWkkzhc4aAU6qtvVddqwZgSxAcdmum+0YM71Fw8+PWmrMaTe8myrz
+ v1JPtjVvj4mFeHNDmid6m3COqOpUpKLJTqTvR3d/7jpIEW3lTTOCzwtSP1csENXO
+ s5nq8xvZBmmXXV8CyolEKqTe3dqOeddLLZTTicXi15eZX3ZxlhY8HQmx3Ybffn7y
+ iKkhjgSIm7tWWR5lxd/dpeoEM/+tvcZ0KJqFsbPv9jmZPl4/PfBf7O185K7KCY9L
+ -----END RSA PRIVATE KEY-----
+ca_passphrase: seCuREpaSsphRasE
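Review bot: `ca_passphrase: seCuREpaSsphRasE` and the encrypted `ca_key` are committed in clear text in the same group_vars/all.yml, directly under the comment that says they HAVE to be stored in a vault; with the passphrase sitting next to the key, the PEM encryption adds nothing, and anyone who can read this repository or its history can sign certificates that every host trusting `ca_cert` will accept. Keep only references here, e.g. `ca_key: "{{ vault_ca_key }}"` and `ca_passphrase: "{{ vault_ca_passphrase }}"`, and put the real values in an ansible-vault encrypted file (or `!vault` inline literals), which is also what the README added in this same patch tells users to do. Even if this pair is meant only as an example, it is now in git history, so the CA should be regenerated before anything trusts it rather than reused. The `Proc-Type: 4,ENCRYPTED` / `DEK-Info: AES-256-CBC` header shows the legacy OpenSSL PEM encryption, whose key derivation is a single MD5 pass over the passphrase, so an offline guess is cheap; `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -aes-256-cbc -out ca.key` would produce a PKCS#8 key protected with PBKDF2 instead. The rename from `ca_public`/`ca_private` to `ca_cert`/`ca_key` presumably needs matching updates in whatever role or template reads these variables, which is not part of this patch.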