# Ansible Hacky PKI

Ansible Hacky PKI is an Ansible role that generates certificates signed by a given CA.

The public certificate of the CA and its private key are Ansible variables. Make sure to store the private key in a Vault and not to reuse the CA used in the example.

## Dependencies

You need to have the `cryptography` Python library available on the localhost and on the remote hosts.

## Generate a CA

### Generate a key

```
openssl genrsa -out ca.key -aes256 4096
```

It will ask for a passphrase. Put the passphrase in a vault as `ca_passphrase`.

Then, put the content of `ca.key` in the vault:

```
ca_key: |
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: AES-256-CBC,EABBE7D2AC7D31F05392F733E9F9B031

  vbKyyhou4oJIZEXL1U4ESbUJ/r5Im9lZNatJwZISOnD3E//+Vf3QaIb+sQ2xNym9
  ...
  iKkhjgSIm7tWWR5lxd/dpeoEM/+tvcZ0KJqFsbPv9jmZPl4/PfBf7O185K7KCY9L
  -----END RSA PRIVATE KEY-----
```

### Generate the certificate

```
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
```

You can replace `3650` with the validity period you want for your certificate.

You will be asked questions about the content of the certificate; answer adequately.

Then, put the content of `ca.pem` in the variables as `ca_cert`:

```
ca_cert: |
  -----BEGIN CERTIFICATE-----
  MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL
  ...
  YRj4p9wG46WoMCvnNxdgL2/MQfp+Y8rinDEk1BG1Zb8g
  -----END CERTIFICATE-----
```

Then, don't forget to remove the file `ca.key`.

## How does it work?

The role checks if the certificate already exists and is valid. If not, it will generate the certificates **on the localhost**, then copy them to the remote host and delete the local version.
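As an added example (not code from the role itself), the "exists and is valid" check described above, written with the same openssl CLI the README uses for the CA; the function names, the 2048-bit host key and the 365-day host certificate validity are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the role: the "exists and is valid" check the
# role performs before generating a certificate, expressed with the same
# openssl CLI as the README. Exit status 0 means "regenerate", 1 means "keep".
# $1 = CA certificate, $2 = host certificate, $3 = minimum remaining validity (seconds).
cert_needs_regeneration() {
    ca_cert="$1"; host_cert="$2"; min_seconds="${3:-0}"
    # No certificate on disk yet: nothing to keep.
    [ -f "$host_cert" ] || { echo "missing: $host_cert"; return 0; }
    # Already expired, or expiring within min_seconds (-checkend exits non-zero then).
    if ! openssl x509 -in "$host_cert" -noout -checkend "$min_seconds" >/dev/null 2>&1; then
        echo "expiring: $host_cert"; return 0
    fi
    # Not chained to this CA (for instance the CA was replaced): verify fails.
    if ! openssl verify -CAfile "$ca_cert" "$host_cert" >/dev/null 2>&1; then
        echo "untrusted: $host_cert"; return 0
    fi
    echo "valid: $host_cert"; return 1
}

# Issue a host certificate signed by the CA, mirroring what the role does on the
# localhost. $3 is the CA key passphrase (the README's ca_passphrase variable);
# the 2048-bit host key and the 365-day validity are assumptions of this example.
# $1 = CA certificate, $2 = CA key, $4 = host name, $5 = output directory.
issue_host_cert() {
    ca_cert="$1"; ca_key="$2"; ca_pass="$3"; host="$4"; out="$5"
    openssl genrsa -out "$out/$host.key" 2048 2>/dev/null &&
    openssl req -new -key "$out/$host.key" -subj "/CN=$host" \
        -out "$out/$host.csr" 2>/dev/null &&
    openssl x509 -req -in "$out/$host.csr" -CA "$ca_cert" -CAkey "$ca_key" \
        -passin "pass:$ca_pass" -CAcreateserial -days 365 \
        -out "$out/$host.pem" 2>/dev/null
}
```

Passing a non-zero third argument (for example 30 days in seconds) makes the check renew certificates before they expire rather than only once they have.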