Allow to provide passphrase for keys
To provide more security, allow key passphrases to be defined when generating CA or certificate keys. This can be a requirement or a highly desirable option for some systems. Change-Id: I0eeadb687b4fa6c5392951581dfbdf6b0db574f7
This commit is contained in:
parent
bf68f7b11f
commit
1a419a3f89
@ -45,6 +45,8 @@
|
||||
- name: Generate CA private key for {{ ca.name }}
|
||||
openssl_privatekey:
|
||||
path: "{{ ca_dir ~ '/private/' ~ ca.name ~ '.key.pem' }}"
|
||||
passphrase: "{{ ca.key_passphrase | default(omit) }}"
|
||||
cipher: "{{ ('key_passphrase' in ca and ca.key_passphrase) | ternary('auto', omit) }}"
|
||||
register: ca_privkey
|
||||
|
||||
- name: Read the serial number for {{ ca.name }}
|
||||
@ -56,6 +58,7 @@
|
||||
openssl_csr:
|
||||
path: "{{ ca_dir }}/csr/ca_csr-{{ next_serial_no }}.csr"
|
||||
privatekey_path: "{{ ca_privkey.filename }}"
|
||||
privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
|
||||
common_name: "{{ ca.cn }}"
|
||||
basic_constraints_critical: yes
|
||||
basic_constraints: "{{ ca.basic_constraints }}"
|
||||
@ -82,6 +85,7 @@
|
||||
csr_path: "{{ ca_csr.filename }}"
|
||||
provider: 'selfsigned'
|
||||
privatekey_path: "{{ ca_privkey.filename }}"
|
||||
privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
|
||||
selfsigned_not_after: "{{ ca.not_after }}"
|
||||
register: ca_selfsigned_crt
|
||||
when:
|
||||
@ -97,6 +101,7 @@
|
||||
csr_path: "{{ ca_csr.filename }}"
|
||||
provider: 'ownca'
|
||||
ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/private/' ~ ca.signed_by ~ '.key.pem' }}"
|
||||
ownca_privatekey_passphrase: "{{ ca.ownca_key_passphrase | default(omit) }}"
|
||||
ownca_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/certs/' ~ ca.signed_by ~ '.crt' }}"
|
||||
ownca_not_after: "{{ ca.not_after }}"
|
||||
register: ca_ownca_crt
|
||||
|
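Review bot: The new `passphrase`/`privatekey_passphrase` lines and the new `cipher` line disagree on what counts as "no passphrase": `ca.key_passphrase | default(omit)` only omits the argument when the key is undefined, while the `cipher` expression tests truthiness, so a `ca` entry with `key_passphrase: ''` (or null) would hand an empty passphrase to `openssl_privatekey`, `openssl_csr` and the certificate tasks with `cipher` omitted. Using the filter's second argument makes both checks agree, e.g. `passphrase: "{{ ca.key_passphrase | default(omit, true) }}"`, and the cipher line can then be written as `cipher: "{{ ca.key_passphrase | default('', true) | ternary('auto', omit) }}"` instead of the `'key_passphrase' in ca and ...` test. The same mismatch is in the certificate file's `passphrase`/`cipher` pair and its `privatekey_passphrase` lines. The tasks these hunks belong to start outside the hunks, so the surrounding `loop`/`when` clauses could not be checked.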
@ -25,6 +25,8 @@
|
||||
- name: Generate certificate private key for {{ cert.name }}
|
||||
openssl_privatekey:
|
||||
path: "{{ cert_dir ~ '/private/' ~ cert.name ~ '.key.pem' }}"
|
||||
passphrase: "{{ cert.key_passphrase | default(omit) }}"
|
||||
cipher: "{{ ('key_passphrase' in cert and cert.key_passphrase) | ternary('auto', omit) }}"
|
||||
force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
|
||||
register: cert_privkey
|
||||
|
||||
@ -32,6 +34,7 @@
|
||||
openssl_csr:
|
||||
path: "{{ cert_dir ~ '/csr/' ~ cert.name ~ '.csr' }}"
|
||||
privatekey_path: "{{ cert_privkey.filename }}"
|
||||
privatekey_passphrase: "{{ cert.key_passphrase | default(omit) }}"
|
||||
common_name: "{{ cert.cn | default(omit) }}"
|
||||
basic_constraints_critical: yes
|
||||
basic_constraints: "{{ cert.basic_constraints | default(omit) }}"
|
||||
@ -53,6 +56,7 @@
|
||||
csr_path: "{{ cert_csr.filename }}"
|
||||
ownca_path: "{{ _ca_file }}"
|
||||
ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/private/' ~ cert.signed_by ~ '.key.pem' }}"
|
||||
ownca_privatekey_passphrase: "{{ cert.ownca_key_passphrase | default(omit) }}"
|
||||
provider: ownca
|
||||
force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
|
||||
register: cert_crt
|
||||
|
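Review bot: The passphrases are read from the per-item dicts (`cert.key_passphrase`, `cert.ownca_key_passphrase`) and nothing in these hunks keeps them out of task output: the module parameters themselves are marked no_log in the modules' argument specs, but if these tasks iterate with `loop:`/`with_items` over `cert` (the loop clause is outside the hunks), each item dict — passphrase included — is printed as the loop label in play output and `-v` logs and is kept as `item` in the registered `cert_privkey`/`cert_csr`/`cert_crt` results. Adding `loop_control: label: "{{ cert.name }}"` to the looping tasks (or `no_log: true` where a label is not enough) keeps the secrets out of the output, and the values should come from a vaulted variable rather than a plaintext inventory entry. Reading the signing CA's passphrase from the child entry (`cert.ownca_key_passphrase`) also appears to duplicate that secret into every signed item's definition; deriving it from the signing CA's own entry would avoid drift between copies. The same applies to the CA file's tasks using `ca.key_passphrase` and `ca.ownca_key_passphrase`.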