Merge "Allow to provide passphrase for keys"

Zuul 2022-05-30 09:13:06 +00:00 committed by Gerrit Code Review
commit a36c3b328e
2 changed files with 9 additions and 0 deletions


@ -45,6 +45,8 @@
- name: Generate CA private key for {{ ca.name }}
community.crypto.openssl_privatekey:
path: "{{ ca_dir ~ '/private/' ~ ca.name ~ '.key.pem' }}"
passphrase: "{{ ca.key_passphrase | default(omit) }}"
cipher: "{{ ('key_passphrase' in ca and ca.key_passphrase) | ternary('auto', omit) }}"
register: ca_privkey
- name: Read the serial number for {{ ca.name }}
@ -56,6 +58,7 @@
community.crypto.openssl_csr:
path: "{{ ca_dir }}/csr/ca_csr-{{ next_serial_no }}.csr"
privatekey_path: "{{ ca_privkey.filename }}"
privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
common_name: "{{ ca.cn }}"
basic_constraints_critical: yes
basic_constraints: "{{ ca.basic_constraints }}"
@ -82,6 +85,7 @@
csr_path: "{{ ca_csr.filename }}"
provider: 'selfsigned'
privatekey_path: "{{ ca_privkey.filename }}"
privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
selfsigned_not_after: "{{ ca.not_after }}"
register: ca_selfsigned_crt
when:
@ -97,6 +101,7 @@
csr_path: "{{ ca_csr.filename }}"
provider: 'ownca'
ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/private/' ~ ca.signed_by ~ '.key.pem' }}"
ownca_privatekey_passphrase: "{{ ca.ownca_key_passphrase | default(omit) }}"
ownca_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/certs/' ~ ca.signed_by ~ '.crt' }}"
ownca_not_after: "{{ ca.not_after }}"
register: ca_ownca_crt
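Review bot: Setting `key_passphrase` on a CA whose key file already exists unencrypted may make the "Generate CA private key" task replace that key instead of failing. The task sets neither `regenerate` nor `force`, and as far as I know the module default is `regenerate: full_idempotence`, which regenerates a key it cannot load with the supplied passphrase. A replaced CA key invalidates every certificate issued under it, so consider adding `regenerate: fail` (or at least `backup: true`) to this task and documenting that changing the passphrase of an existing CA is a manual step. The tasks start and end outside the hunks, so a guard elsewhere in the file would not be visible here.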


@ -25,6 +25,8 @@
- name: Generate certificate private key for {{ cert.name }}
community.crypto.openssl_privatekey:
path: "{{ cert_dir ~ '/private/' ~ cert.name ~ '.key.pem' }}"
passphrase: "{{ cert.key_passphrase | default(omit) }}"
cipher: "{{ ('key_passphrase' in cert and cert.key_passphrase) | ternary('auto', omit) }}"
force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
register: cert_privkey
@ -32,6 +34,7 @@
community.crypto.openssl_csr:
path: "{{ cert_dir ~ '/csr/' ~ cert.name ~ '.csr' }}"
privatekey_path: "{{ cert_privkey.filename }}"
privatekey_passphrase: "{{ cert.key_passphrase | default(omit) }}"
common_name: "{{ cert.cn | default(omit) }}"
basic_constraints_critical: yes
basic_constraints: "{{ cert.basic_constraints | default(omit) }}"
@ -53,6 +56,7 @@
csr_path: "{{ cert_csr.filename }}"
ownca_path: "{{ _ca_file }}"
ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/private/' ~ cert.signed_by ~ '.key.pem' }}"
ownca_privatekey_passphrase: "{{ cert.ownca_key_passphrase | default(omit) }}"
provider: ownca
force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
register: cert_crt
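Review bot: In the "Generate certificate private key" task, `passphrase` and `cipher` disagree when `cert.key_passphrase` is defined but empty. `default(omit)` only omits an undefined value, so the empty string is still passed as `passphrase`, while the truthiness test in the `cipher` expression omits `cipher`. The module most likely rejects that combination, since it appears to require the two options together. Using `passphrase: "{{ cert.key_passphrase | default(omit, true) }}"` here, and the same filter on the `privatekey_passphrase` lines, makes an empty value behave like an unset one. The same pair of lines appears in the CA key task in the other file.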