
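---
# Bootstrap a self-signed root CA on the managed host.
# Order matters: directories first, then private key -> CSR -> certificate,
# and finally only the *public* certificate is copied back to the controller.
# The CA private key is created on the host and never leaves it.
#
# NOTE(review): short module names resolve through ansible-core's redirects;
# the FQCNs (ansible.builtin.file, ansible.builtin.fetch,
# community.crypto.openssl_privatekey, community.crypto.openssl_csr) would
# pin the provider explicitly — confirm which collection version is installed.

- name: Create directories for storing certificates
  become: true
  file:
    path: "/etc/{{ item.name }}"
    state: directory
    owner: root
    group: root
    mode: "{{ item.mode }}"
  with_items:
    - name: ssl
      mode: "u=rwx,g=rx,o=rx"
    # Private keys and CSRs live in root-only directories; certificates are public.
    - name: ssl/private
      mode: "u=rwx,g=,o="
    - name: ssl/csr
      mode: "u=rwx,g=,o="
    - name: ssl/certs
      mode: "u=rwx,g=rx,o=rx"

- name: Generate a private key for the root CA
  become: true
  openssl_privatekey:
    path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
    owner: root
    group: root
    # Read-only for root, no access for anyone else: the key is never
    # written again after creation and must not be world-readable.
    mode: "u=r,g=,o="
    type: ECC
    curve: secp384r1

- name: Generate a CSR for the root CA private key
  become: true
  openssl_csr:
    privatekey_path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
    path: "/etc/ssl/csr/{{ root_ca_slug }}.csr"
    owner: root
    group: root
    mode: "u=r,g=,o="
    common_name: "{{ root_ca_common_name }}"
    country_name: "{{ root_ca_country_name }}"
    locality_name: "{{ root_ca_locality_name }}"
    organization_name: "{{ root_ca_organization_name }}"
    state_or_province_name: "{{ root_ca_state_name }}"
    email_address: "{{ root_ca_email }}"
    # A CA certificate must not carry its CN as a SAN.
    use_common_name_for_san: false
    # CA:TRUE with a path length of 1 allows exactly one level of
    # intermediate CA below this root; both extensions are marked critical
    # so non-understanding clients reject the certificate rather than
    # ignore the constraint.
    basic_constraints_critical: true
    basic_constraints:
      - "CA:TRUE"
      - "pathlen:1"
    key_usage:
      - keyCertSign
      - cRLSign
    key_usage_critical: true

# FIXME: regenerate when the certificate is no longer up to date.
# NOTE(review): the module is not guaranteed to reissue an expired certificate
# on its own — confirm the renewal behaviour of the installed version.
- name: Generate the root CA certificate
  become: true
  openssl_certificate:
    privatekey_path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
    csr_path: "/etc/ssl/csr/{{ root_ca_slug }}.csr"
    path: "/etc/ssl/certs/{{ root_ca_slug }}.pem"
    owner: root
    group: root
    # The certificate is public; world-readable is intended.
    mode: "u=r,g=r,o=r"
    provider: selfsigned
    selfsigned_not_before: "{{ root_ca_not_before }}"
    selfsigned_not_after: "{{ root_ca_not_after }}"

# Only the public certificate is retrieved; the private key stays on the host.
# No become: the file is world-readable by construction.
- name: Retrieve the root CA certificate
  fetch:
    src: "/etc/ssl/certs/{{ root_ca_slug }}.pem"
    dest: "loot/certs/{{ root_ca_slug }}.pem"
    flat: true
...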