|
|
|
|
@ -1,26 +1,8 @@
|
|
|
|
|
---
|
|
|
|
|
- name: Create directories for storing certificates
|
|
|
|
|
become: true
|
|
|
|
|
file:
|
|
|
|
|
path: "/etc/{{ item.name }}"
|
|
|
|
|
state: directory
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: "{{ item.mode }}"
|
|
|
|
|
loop:
|
|
|
|
|
- name: ssl
|
|
|
|
|
mode: u=rwx,g=rx,o=rx
|
|
|
|
|
- name: ssl/private
|
|
|
|
|
mode: u=rwx,g=,o=
|
|
|
|
|
- name: ssl/csr
|
|
|
|
|
mode: u=rwx,g=,o=
|
|
|
|
|
- name: ssl/certs
|
|
|
|
|
mode: u=rwx,g=rx,o=rx
|
|
|
|
|
|
|
|
|
|
- name: Generate a private key for the root CA
|
|
|
|
|
- name: Generate a private key for root CA
|
|
|
|
|
become: true
|
|
|
|
|
openssl_privatekey:
|
|
|
|
|
path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
|
|
|
|
|
path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: u=r,g=,o=
|
|
|
|
|
@ -30,44 +12,45 @@
|
|
|
|
|
- name: Generate a CSR for the root CA private key
|
|
|
|
|
become: true
|
|
|
|
|
openssl_csr:
|
|
|
|
|
privatekey_path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
|
|
|
|
|
path: "/etc/ssl/csr/{{ root_ca_slug }}.csr"
|
|
|
|
|
privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
|
|
|
|
|
path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: u=r,g=,o=
|
|
|
|
|
common_name: "{{ root_ca_common_name }}"
|
|
|
|
|
country_name: "{{ root_ca_country_name }}"
|
|
|
|
|
locality_name: "{{ root_ca_locality_name }}"
|
|
|
|
|
organization_name: "{{ root_ca_organization_name }}"
|
|
|
|
|
state_or_province_name: "{{ root_ca_state_name }}"
|
|
|
|
|
email_address: "{{ root_ca_email }}"
|
|
|
|
|
common_name: "{{ root_ca.common_name }}"
|
|
|
|
|
country_name: "{{ root_ca.country_name }}"
|
|
|
|
|
locality_name: "{{ root_ca.locality_name }}"
|
|
|
|
|
organization_name: "{{ root_ca.organization_name }}"
|
|
|
|
|
state_or_province_name: "{{ root_ca.state_name }}"
|
|
|
|
|
email_address: "{{ root_ca.email }}"
|
|
|
|
|
use_common_name_for_san: false
|
|
|
|
|
basic_constraints_critical: true
|
|
|
|
|
basic_constraints:
|
|
|
|
|
- CA:TRUE
|
|
|
|
|
- pathlen:1
|
|
|
|
|
- pathlen:0 # FIXME: sub CA personnes ?
|
|
|
|
|
key_usage:
|
|
|
|
|
- keyCertSign
|
|
|
|
|
- cRLSign
|
|
|
|
|
key_usage_critical: true
|
|
|
|
|
|
|
|
|
|
# FIXME: regénérer quand le certificat n'est plus à jour
|
|
|
|
|
# FIXME: regénérer quand le certificat est expiré (ne semble pas
|
|
|
|
|
# le cas actuellement)
|
|
|
|
|
- name: Generate the root CA certificate
|
|
|
|
|
become: true
|
|
|
|
|
openssl_certificate:
|
|
|
|
|
privatekey_path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
|
|
|
|
|
csr_path: "/etc/ssl/csr/{{ root_ca_slug }}.csr"
|
|
|
|
|
path: "/etc/ssl/certs/{{ root_ca_slug }}.pem"
|
|
|
|
|
privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
|
|
|
|
|
csr_path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
|
|
|
|
|
path: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: u=r,g=r,o=r
|
|
|
|
|
provider: selfsigned
|
|
|
|
|
selfsigned_not_before: "{{ root_ca_not_before }}"
|
|
|
|
|
selfsigned_not_after: "{{ root_ca_not_after }}"
|
|
|
|
|
selfsigned_not_before: "{{ root_ca.not_before }}"
|
|
|
|
|
selfsigned_not_after: "{{ root_ca.not_after }}"
|
|
|
|
|
|
|
|
|
|
- name: Retrieve the root CA certificate
|
|
|
|
|
fetch:
|
|
|
|
|
src: "/etc/ssl/certs/{{ root_ca_slug }}.pem"
|
|
|
|
|
dest: "loot/certs/{{ root_ca_slug }}.pem"
|
|
|
|
|
src: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
|
|
|
|
|
dest: "loot/certs/{{ root_ca.slug }}.pem"
|
|
|
|
|
flat: yes
|
|
|
|
|
...
|
