Réorganisation de openssl-ca
et openssl-common
.
This commit is contained in:
parent
665cc7bfb1
commit
09cfa80d77
3 changed files with 48 additions and 46 deletions
|
@ -1,11 +1,12 @@
|
||||||
---
|
---
|
||||||
root_ca_slug: aurore-root-ca
|
root_ca:
|
||||||
root_ca_common_name: Aurore Test Root CA
|
slug: aurore-root-ca
|
||||||
root_ca_country_name: FR
|
common_name: Aurore Test Root CA
|
||||||
root_ca_locality_name: Gif-sur-Yvette
|
country_name: FR
|
||||||
root_ca_state_name: Essone
|
locality_name: Gif-sur-Yvette
|
||||||
root_ca_organization_name: Aurore
|
state_name: Essone
|
||||||
root_ca_email: pki@aurore.local
|
organization_name: Aurore
|
||||||
root_ca_not_before: +0s
|
email: pki@aurore.local
|
||||||
root_ca_not_after: +3650d
|
not_before: +0s
|
||||||
|
not_after: +3650d
|
||||||
...
|
...
|
|
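Review bot: `state_name: Essone` on the new side (carried over unchanged from `root_ca_state_name`) misspells the département; the value goes into the root certificate's subject via `state_or_province_name` in the tasks, and a root CA subject cannot be corrected later without re-issuing the CA, so fix it before the first run: `state_name: Essonne`. The `not_before`/`not_after` entries are relative offsets handed to `selfsigned_not_before`/`selfsigned_not_after`, which is not obvious from the vars file on its own; a comment above them such as `# Relative to generation time, in the openssl_certificate "+Nd/+Ns" format` would spare the next reader a lookup.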
@ -1,26 +1,8 @@
|
||||||
---
|
---
|
||||||
- name: Create directories for storing certificates
|
- name: Generate a private key for root CA
|
||||||
become: true
|
|
||||||
file:
|
|
||||||
path: "/etc/{{ item.name }}"
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "{{ item.mode }}"
|
|
||||||
loop:
|
|
||||||
- name: ssl
|
|
||||||
mode: u=rwx,g=rx,o=rx
|
|
||||||
- name: ssl/private
|
|
||||||
mode: u=rwx,g=,o=
|
|
||||||
- name: ssl/csr
|
|
||||||
mode: u=rwx,g=,o=
|
|
||||||
- name: ssl/certs
|
|
||||||
mode: u=rwx,g=rx,o=rx
|
|
||||||
|
|
||||||
- name: Generate a private key for the root CA
|
|
||||||
become: true
|
become: true
|
||||||
openssl_privatekey:
|
openssl_privatekey:
|
||||||
path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
|
path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: u=r,g=,o=
|
mode: u=r,g=,o=
|
||||||
|
@ -30,44 +12,45 @@
|
||||||
- name: Generate a CSR for the root CA private key
|
- name: Generate a CSR for the root CA private key
|
||||||
become: true
|
become: true
|
||||||
openssl_csr:
|
openssl_csr:
|
||||||
privatekey_path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
|
privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
|
||||||
path: "/etc/ssl/csr/{{ root_ca_slug }}.csr"
|
path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: u=r,g=,o=
|
mode: u=r,g=,o=
|
||||||
common_name: "{{ root_ca_common_name }}"
|
common_name: "{{ root_ca.common_name }}"
|
||||||
country_name: "{{ root_ca_country_name }}"
|
country_name: "{{ root_ca.country_name }}"
|
||||||
locality_name: "{{ root_ca_locality_name }}"
|
locality_name: "{{ root_ca.locality_name }}"
|
||||||
organization_name: "{{ root_ca_organization_name }}"
|
organization_name: "{{ root_ca.organization_name }}"
|
||||||
state_or_province_name: "{{ root_ca_state_name }}"
|
state_or_province_name: "{{ root_ca.state_name }}"
|
||||||
email_address: "{{ root_ca_email }}"
|
email_address: "{{ root_ca.email }}"
|
||||||
use_common_name_for_san: false
|
use_common_name_for_san: false
|
||||||
basic_constraints_critical: true
|
basic_constraints_critical: true
|
||||||
basic_constraints:
|
basic_constraints:
|
||||||
- CA:TRUE
|
- CA:TRUE
|
||||||
- pathlen:1
|
- pathlen:0 # FIXME: sub CA personnes ?
|
||||||
key_usage:
|
key_usage:
|
||||||
- keyCertSign
|
- keyCertSign
|
||||||
- cRLSign
|
- cRLSign
|
||||||
key_usage_critical: true
|
key_usage_critical: true
|
||||||
|
|
||||||
# FIXME: regénérer quand le certificat n'est plus à jour
|
# FIXME: regénérer quand le certificat est expiré (ne semble pas
|
||||||
|
# le cas actuellement)
|
||||||
- name: Generate the root CA certificate
|
- name: Generate the root CA certificate
|
||||||
become: true
|
become: true
|
||||||
openssl_certificate:
|
openssl_certificate:
|
||||||
privatekey_path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
|
privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
|
||||||
csr_path: "/etc/ssl/csr/{{ root_ca_slug }}.csr"
|
csr_path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
|
||||||
path: "/etc/ssl/certs/{{ root_ca_slug }}.pem"
|
path: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: u=r,g=r,o=r
|
mode: u=r,g=r,o=r
|
||||||
provider: selfsigned
|
provider: selfsigned
|
||||||
selfsigned_not_before: "{{ root_ca_not_before }}"
|
selfsigned_not_before: "{{ root_ca.not_before }}"
|
||||||
selfsigned_not_after: "{{ root_ca_not_after }}"
|
selfsigned_not_after: "{{ root_ca.not_after }}"
|
||||||
|
|
||||||
- name: Retrieve the root CA certificate
|
- name: Retrieve the root CA certificate
|
||||||
fetch:
|
fetch:
|
||||||
src: "/etc/ssl/certs/{{ root_ca_slug }}.pem"
|
src: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
|
||||||
dest: "loot/certs/{{ root_ca_slug }}.pem"
|
dest: "loot/certs/{{ root_ca.slug }}.pem"
|
||||||
flat: yes
|
flat: yes
|
||||||
...
|
...
|
|
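Review bot: Removing the directory-creation task from the top of this file leaves `openssl_privatekey` and `openssl_csr` relying on `/etc/ssl/private` and `/etc/ssl/csr` already existing with the expected modes, and nothing in this diff orders openssl-common before openssl-ca; unless the role's meta/main.yml declares that dependency (not visible here), a fresh host fails at `path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"` because `/etc/ssl/csr` is not a stock directory. Either declare the dependency or add a comment at the top of this file stating that openssl-common must run first. A minor style point on the last task: `flat: yes` should be `flat: true`, so the value reads the same under YAML 1.1 and 1.2 parsers and passes yamllint's truthy rule.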
@ -4,4 +4,22 @@
|
||||||
apt:
|
apt:
|
||||||
name: python3-cryptography
|
name: python3-cryptography
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: Create directories for storing certificates
|
||||||
|
become: true
|
||||||
|
file:
|
||||||
|
path: "/etc/{{ item.name }}"
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
|
loop:
|
||||||
|
- name: ssl
|
||||||
|
mode: u=rwx,g=rx,o=rx
|
||||||
|
- name: ssl/private
|
||||||
|
mode: u=rwx,g=,o=
|
||||||
|
- name: ssl/csr
|
||||||
|
mode: u=rwx,g=,o=
|
||||||
|
- name: ssl/certs
|
||||||
|
mode: u=rwx,g=rx,o=rx
|
||||||
...
|
...
|
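Review bot: The `- name: ssl/private` entry with `group: root` and `mode: u=rwx,g=,o=` also rewrites the ownership and mode of an existing `/etc/ssl/private`; on Debian-derived hosts with the ssl-cert package that directory ships as root:ssl-cert with `u=rwx,g=x,o=` so that services in the ssl-cert group can reach their keys, and this task may break such a service without any error. If exclusive root ownership is intended, a comment on that entry saying so would document the choice; otherwise `group: ssl-cert` with `mode: u=rwx,g=x,o=` keeps the distribution default. The `apt: name: python3-cryptography` lines at the start of the hunk belong to a task whose `- name:` line lies before the hunk.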