ansible_hacky_pki/README.md

# Ansible Hacky PKI
Ansible Hacky PKI is an Ansible role that generates certificates signed by a given CA.
## Warning
You can use it to generate certificates and manage a small PKI, but keep in mind that this program is distributed **WITHOUT ANY WARRANTY**.
In particular, the **security** of the generated PKI and of the process that generates it **is not guaranteed**. If you find any vulnerability,
please contact me to see if we can find a patch.
## Dependencies
You need to have the `cryptography` python library available on the localhost and on the remote hosts.
## How to use it
Copy the roles from the repo into the roles folder of your Ansible project. Define in your project the variables you want or need to modify (see the section "Generate a CA").
After that you can use the role in your playbooks, as shown in the example playbook.
## Generate a CA
The public certificate of the CA and its private key are Ansible variables. Make sure to store the private key in a vault, and do not reuse the CA used in the example.
### Generate a key
```sh
openssl genrsa -out ca.key -aes256 4096
```
It will ask for a passphrase. Put the passphrase in a vault as `ca_passphrase`.
Then, put the content of `ca.key` in the vault:
```yaml
ca_key: |
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: AES-256-CBC,EABBE7D2AC7D31F05392F733E9F9B031
  vbKyyhou4oJIZEXL1U4ESbUJ/r5Im9lZNatJwZISOnD3E//+Vf3QaIb+sQ2xNym9
  ...
  iKkhjgSIm7tWWR5lxd/dpeoEM/+tvcZ0KJqFsbPv9jmZPl4/PfBf7O185K7KCY9L
  -----END RSA PRIVATE KEY-----
```
### Generate the certificate
```sh
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
```
You can replace `3650` with the validity period (in days) you want for your certificate.
You will be asked questions about the content of the certificate; answer them adequately.
Then, put the content of `ca.pem` in the variables as `ca_cert`:
```yaml
ca_cert: |
  -----BEGIN CERTIFICATE-----
  MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL
  ...
  YRj4p9wG46WoMCvnNxdgL2/MQfp+Y8rinDEk1BG1Zb8g
  -----END CERTIFICATE-----
```
Then, don't forget to remove the file `ca.key`.
## How does it work?
The role checks whether the certificate already exists and is valid. If not, it generates the certificates **on the localhost**, copies them to the remote host, and then deletes the local copy.
## Add a CRL endpoint
If you use a CRL to revoke your certificates, you can add the variable `crl_distribution_points` to describe the CRL endpoint(s). See https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html for more information about `crl_distribution_points`.
```yaml
crl_distribution_points:
  - full_name:
      - "URI:https://ca.example.com/revocations.crl"
    reasons:
      - key_compromise
      - ca_compromise
      - affiliation_changed
      - superseded
      - cessation_of_operation
      - certificate_hold
      - privilege_withdrawn
      - aa_compromise
```
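The two sections above describe what the role decides ("does a valid certificate already exist?") and what it adds (a CRL distribution point), but not how those are checked. The example below, written for this README and not part of the role, implements such a check with the `cryptography` library the role already depends on: it accepts an existing certificate only if its issuer name equals the CA subject, its signature verifies under the CA's RSA key, and its validity window still covers the current time with a renewal margin to spare; a second helper reads back the CRL URIs a certificate advertises. The 30-day margin, the `cert_is_valid` / `crl_uris` names, and the throwaway CA and leaf certificates built in `demo()` are all assumptions of this example; the role's own threshold and internals are not documented here.

```python
"""Certificate validity check in the spirit of the Ansible Hacky PKI role (added example,
not the role's own code). Fixtures are constructed in-process; no real CA material."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

RENEWAL_MARGIN = timedelta(days=30)  # assumed margin; the role's own threshold is not documented


def _window(cert):
    """(not_before, not_after) as tz-aware UTC datetimes, across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None or na is None:  # cryptography < 42 only has the naive attributes
        nb = cert.not_valid_before.replace(tzinfo=timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na


def cert_is_valid(cert_pem: bytes, ca_pem: bytes, now: datetime) -> tuple[bool, str]:
    """Decide whether an existing certificate can be kept or must be regenerated.

    Returns (ok, reason). Checks, in order: parseable PEM, issuer name equals the CA
    subject, RSA signature verifies under the CA key, validity covers `now` + margin.
    """
    try:
        cert = x509.load_pem_x509_certificate(cert_pem)
        ca = x509.load_pem_x509_certificate(ca_pem)
    except ValueError as exc:
        return False, f"unparseable PEM: {exc}"
    if cert.issuer != ca.subject:
        return False, "issuer name does not match the CA subject"
    ca_pub = ca.public_key()
    if not isinstance(ca_pub, rsa.RSAPublicKey):
        return False, "only RSA CAs (as produced by `openssl genrsa`) are handled here"
    try:
        # A matching issuer name proves nothing by itself; the signature must verify.
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify under the CA key"
    not_before, not_after = _window(cert)
    if now < not_before:
        return False, "certificate is not yet valid"
    if not_after - now < RENEWAL_MARGIN:
        return False, "certificate is expired or inside the renewal margin"
    return True, "ok"


def crl_uris(cert_pem: bytes) -> list[str]:
    """URI distribution points the certificate advertises (empty list if none)."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [name.value for dp in ext.value for name in (dp.full_name or [])
            if isinstance(name, x509.UniformResourceIdentifier)]


# ---- constructed fixtures: throwaway 2048-bit keys, names and dates for the demo only ----
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_ca(cn, not_before, days=3650):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_before + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def _make_leaf(issuer_cert, signing_key, not_before, days, crl_uri=None):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = (x509.CertificateBuilder().subject_name(_name("host.example.com"))
               .issuer_name(issuer_cert.subject).public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(not_before).not_valid_after(not_before + timedelta(days=days)))
    if crl_uri:  # same shape as the README's crl_distribution_points variable
        dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(crl_uri)],
                                    relative_name=None, crl_issuer=None,
                                    reasons=frozenset({x509.ReasonFlags.key_compromise,
                                                       x509.ReasonFlags.ca_compromise}))
        builder = builder.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return builder.sign(signing_key, hashes.SHA256())


def _pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM)


def demo(now=datetime(2024, 1, 1, tzinfo=timezone.utc)):
    """Run the check over constructed scenarios and return the verdicts."""
    start = now - timedelta(days=1)
    ca_key, ca = _make_ca("Hacky CA", start)
    rogue_key, _ = _make_ca("Hacky CA", start)  # same name, different key
    crl = "https://ca.example.com/revocations.crl"
    good = _make_leaf(ca, ca_key, start, 365, crl_uri=crl)
    expiring = _make_leaf(ca, ca_key, start, 10)      # inside the 30-day margin
    forged = _make_leaf(ca, rogue_key, start, 365)    # right issuer name, wrong key
    return {
        "good": cert_is_valid(_pem(good), _pem(ca), now),
        "expiring": cert_is_valid(_pem(expiring), _pem(ca), now),
        "forged": cert_is_valid(_pem(forged), _pem(ca), now),
        "garbage": cert_is_valid(b"not a certificate", _pem(ca), now),
        "crl_uris": crl_uris(_pem(good)),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The order of the checks matters: comparing the issuer name first gives a cheap, readable failure for certificates from another CA, but only the signature verification catches a certificate that merely claims the right issuer. The renewal margin is what lets a periodic playbook run replace certificates before they lapse rather than after.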
## Copyright
Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>