Réorganisation de openssl-ca et openssl-common.

This commit is contained in:
jeltz 2020-09-20 00:12:35 +02:00
parent 665cc7bfb1
commit 09cfa80d77
3 changed files with 48 additions and 46 deletions

View file

@ -1,11 +1,12 @@
---
root_ca_slug: aurore-root-ca
root_ca_common_name: Aurore Test Root CA
root_ca_country_name: FR
root_ca_locality_name: Gif-sur-Yvette
root_ca_state_name: Essone
root_ca_organization_name: Aurore
root_ca_email: pki@aurore.local
root_ca_not_before: +0s
root_ca_not_after: +3650d
root_ca:
slug: aurore-root-ca
common_name: Aurore Test Root CA
country_name: FR
locality_name: Gif-sur-Yvette
state_name: Essone
organization_name: Aurore
email: pki@aurore.local
not_before: +0s
not_after: +3650d
...

View file

@ -1,26 +1,8 @@
---
- name: Create directories for storing certificates
become: true
file:
path: "/etc/{{ item.name }}"
state: directory
owner: root
group: root
mode: "{{ item.mode }}"
loop:
- name: ssl
mode: u=rwx,g=rx,o=rx
- name: ssl/private
mode: u=rwx,g=,o=
- name: ssl/csr
mode: u=rwx,g=,o=
- name: ssl/certs
mode: u=rwx,g=rx,o=rx
- name: Generate a private key for the root CA
- name: Generate a private key for root CA
become: true
openssl_privatekey:
path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
owner: root
group: root
mode: u=r,g=,o=
@ -30,44 +12,45 @@
- name: Generate a CSR for the root CA private key
become: true
openssl_csr:
privatekey_path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
path: "/etc/ssl/csr/{{ root_ca_slug }}.csr"
privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
owner: root
group: root
mode: u=r,g=,o=
common_name: "{{ root_ca_common_name }}"
country_name: "{{ root_ca_country_name }}"
locality_name: "{{ root_ca_locality_name }}"
organization_name: "{{ root_ca_organization_name }}"
state_or_province_name: "{{ root_ca_state_name }}"
email_address: "{{ root_ca_email }}"
common_name: "{{ root_ca.common_name }}"
country_name: "{{ root_ca.country_name }}"
locality_name: "{{ root_ca.locality_name }}"
organization_name: "{{ root_ca.organization_name }}"
state_or_province_name: "{{ root_ca.state_name }}"
email_address: "{{ root_ca.email }}"
use_common_name_for_san: false
basic_constraints_critical: true
basic_constraints:
- CA:TRUE
- pathlen:1
- pathlen:0 # FIXME: sub CA personnes ?
key_usage:
- keyCertSign
- cRLSign
key_usage_critical: true
# FIXME: regénérer quand le certificat n'est plus à jour
# FIXME: regénérer quand le certificat est expiré (ne semble pas
# le cas actuellement)
- name: Generate the root CA certificate
become: true
openssl_certificate:
privatekey_path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
csr_path: "/etc/ssl/csr/{{ root_ca_slug }}.csr"
path: "/etc/ssl/certs/{{ root_ca_slug }}.pem"
privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
csr_path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
path: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
owner: root
group: root
mode: u=r,g=r,o=r
provider: selfsigned
selfsigned_not_before: "{{ root_ca_not_before }}"
selfsigned_not_after: "{{ root_ca_not_after }}"
selfsigned_not_before: "{{ root_ca.not_before }}"
selfsigned_not_after: "{{ root_ca.not_after }}"
- name: Retrieve the root CA certificate
fetch:
src: "/etc/ssl/certs/{{ root_ca_slug }}.pem"
dest: "loot/certs/{{ root_ca_slug }}.pem"
src: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
dest: "loot/certs/{{ root_ca.slug }}.pem"
flat: yes
...

View file

@ -4,4 +4,22 @@
apt:
name: python3-cryptography
state: present
- name: Create directories for storing certificates
become: true
file:
path: "/etc/{{ item.name }}"
state: directory
owner: root
group: root
mode: "{{ item.mode }}"
loop:
- name: ssl
mode: u=rwx,g=rx,o=rx
- name: ssl/private
mode: u=rwx,g=,o=
- name: ssl/csr
mode: u=rwx,g=,o=
- name: ssl/certs
mode: u=rwx,g=rx,o=rx
...