57 lines
No EOL
1.7 KiB
YAML
57 lines
No EOL
1.7 KiB
YAML
---
|
|
- name: Generate a private key for root CA
|
|
become: true
|
|
openssl_privatekey:
|
|
path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
|
|
owner: root
|
|
group: root
|
|
mode: u=r,g=,o=
|
|
type: ECC
|
|
curve: secp384r1
|
|
|
|
- name: Generate a CSR for the root CA private key
|
|
become: true
|
|
openssl_csr:
|
|
privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
|
|
path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
|
|
owner: root
|
|
group: root
|
|
mode: u=r,g=,o=
|
|
common_name: "{{ root_ca.common_name }}"
|
|
country_name: "{{ root_ca.country_name }}"
|
|
locality_name: "{{ root_ca.locality_name }}"
|
|
organization_name: "{{ root_ca.organization_name }}"
|
|
state_or_province_name: "{{ root_ca.state_name }}"
|
|
email_address: "{{ root_ca.email }}"
|
|
use_common_name_for_san: false
|
|
basic_constraints_critical: true
|
|
basic_constraints:
|
|
- CA:TRUE
|
|
- pathlen:0 # FIXME: sub CA personnes ?
|
|
key_usage:
|
|
- keyCertSign
|
|
- digitalSignature
|
|
- cRLSign
|
|
key_usage_critical: true
|
|
|
|
# FIXME: regénérer quand le certificat est expiré (ne semble pas
|
|
# le cas actuellement)
|
|
- name: Generate the root CA certificate
|
|
become: true
|
|
openssl_certificate:
|
|
privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
|
|
csr_path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
|
|
path: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
|
|
owner: root
|
|
group: root
|
|
mode: u=r,g=r,o=r
|
|
provider: selfsigned
|
|
selfsigned_not_before: "{{ root_ca.not_before }}"
|
|
selfsigned_not_after: "{{ root_ca.not_after }}"
|
|
|
|
- name: Retrieve the root CA certificate
|
|
fetch:
|
|
src: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
|
|
dest: "loot/certs/{{ root_ca.slug }}.pem"
|
|
flat: yes
|
|
... |