diff --git a/.gitignore b/.gitignore
index c160bb7..055265d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 loot/certs/*
 !loot/certs/.gitkeep
+loot/csr/*
+!loot/csr/.gitkeep
\ No newline at end of file
diff --git a/roles/openssl-cert-builder/meta/main.yml b/roles/openssl-cert-builder/meta/main.yml
new file mode 100644
index 0000000..2e3a25a
--- /dev/null
+++ b/roles/openssl-cert-builder/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: openssl-common
+...
\ No newline at end of file
diff --git a/roles/openssl-cert-builder/tasks/main.yml b/roles/openssl-cert-builder/tasks/main.yml
new file mode 100644
index 0000000..dfecdc8
--- /dev/null
+++ b/roles/openssl-cert-builder/tasks/main.yml
@@ -0,0 +1,89 @@
+---
+- name: Generate the private key
+ become: yes
+ openssl_privatekey:
+ path: "/etc/ssl/private/{{ certificate.slug }}.pem"
+ owner: root
+ group: root
+ mode: u=r,g=,o=
+ type: ECC
+ curve: secp384r1
+
+- name: Generate the CSR
+ become: yes
+ openssl_csr:
+ privatekey_path: "/etc/ssl/private/{{ certificate.slug }}.pem"
+ path: "/etc/ssl/csr/{{ certificate.slug }}.csr"
+ owner: root
+ group: root
+ mode: u=r,g=r,o=r
+ common_name: "{{ certificate.common_name }}"
+ # À terme, tous les champs seront définis via les overrides
+ # directement à la génération du certificat.
+ # On ne veut pas le faire ici, car c'est effectué sur des hôtes
+ # potentiellement compromis, et ils pourraient exploiter une
+ # race condition pour envoyer leur CSR et la faire signer à
+ # l'AC.
+ use_common_name_for_san: true
+ basic_constraints:
+ - CA:FALSE
+ basic_constraints_critical: true
+ key_usage:
+ - digitalSignature
+ - keyEncipherment
+ key_usage_critical: true
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: true
+
+- name: Download the CSR to local
+ fetch:
+ src: "/etc/ssl/csr/{{ certificate.slug }}.csr"
+ dest: "loot/csr/{{ certificate.slug }}.csr"
+ flat: yes
+
+- name: Upload the CSR to CA server
+ become: true
+ copy:
+ # FIXME: on devrait faire un répertoire "incoming" pour
+ # pas réecrire la CSR et le certificat de l'AC !
+ src: "loot/csr/{{ certificate.slug }}.csr"
+ dest: "/etc/ssl/csr/{{ certificate.slug }}.csr"
+ owner: root
+ group: root
+ mode: u=r,g=r,o=r
+
+- name: Generate the certificate from CSR
+ become: yes
+ openssl_certificate:
+ ownca_privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
+ ownca_path: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
+ csr_path: "/etc/ssl/csr/{{ certificate.slug }}.csr"
+ path: "/etc/ssl/certs/{{ certificate.slug }}.pem"
+ owner: root
+ group: root
+ mode: u=r,g=r,o=r
+ provider: ownca
+ ownca_not_before: "{{ certificate.not_before }}"
+ ownca_not_after: "{{ certificate.not_after }}"
+ ownca_locality_name: "{{ root_ca.locality_name }}"
+ ownca_country_name: "{{ root_ca.country_name }}"
+ ownca_organization_name: "{{ root_ca.organization_name }}"
+ delegate_to: "{{ openssl_ca_host }}"
+
+- name: Retrieve the certificate
+ fetch:
+ src: "/etc/ssl/certs/{{ certificate.slug }}.pem"
+ dest: "loot/certs/{{ certificate.slug }}.pem"
+ flat: yes
+ delegate_to: "{{ openssl_ca_host }}"
+
+- name: Send the certificate to host
+ become: yes
+ copy:
+ src: "loot/certs/{{ certificate.slug }}.pem"
+ dest: "/etc/ssl/certs/{{ certificate.slug }}.pem"
+ owner: root
+ group: root
+ mode: u=r,g=r,o=r
+...
\ No newline at end of file
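Review bot: The "Upload the CSR to CA server" task carries no `delegate_to: "{{ openssl_ca_host }}"`, so its `copy` runs against the managed host itself, and the delegated "Generate the certificate from CSR" task that follows will not find `/etc/ssl/csr/{{ certificate.slug }}.csr` on the CA unless both are the same machine. Adding `delegate_to: "{{ openssl_ca_host }}"` to that task, matching the two delegated tasks below it, fixes that. Separately, `provider: ownca` signs the CSR as submitted, extensions included, while the comment on the CSR task says the requesting hosts may be compromised; a CA-side check of the fetched CSR (subject, SAN, `CA:FALSE`, key usages) before signing, e.g. with `openssl_csr_info` and `assert`, would enforce those constraints on the trusted side rather than on the host that produced the request. `ownca_locality_name`, `ownca_country_name` and `ownca_organization_name` do not match options I know of for the ownca provider, whose subject is taken from the CSR — worth confirming against the module version in use. On style, `become` is `yes` in most tasks and `true` in the upload task; `true` throughout keeps yamllint's truthy rule quiet.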