Allow to supply ttl for ownca certificates

At the moment we have no way of making "shorter" lived certificates with
the role, which may be an important factor for
security considerations, given that default value is 10 years.

Change-Id: I7ce88c8163ec9ad0beca59e6b49a75f2f375390a
Signed-off-by: Dmitriy Rabotyagov <noonedeadpunk@gmail.com>

defaults/main.yml

@@ -92,6 +92,7 @@ pki_search_certificates_pattern: "pki_certificates_"
 #     provider: ownca
 #     cn: "imap.snakeoil.com"
 #     signed_by: "SnakeRootIntermediate"
+#     ttl: 30d
 
 # Example variable defining a server certificate from ansible host variables
 # pki_certificates_default:

molecule/default/group_vars/all.yml

@@ -115,6 +115,7 @@ foo_certificates_variable:
     cn: "{{ ansible_facts['hostname'] }}"
     san: "{{ 'DNS:' ~ ansible_facts['hostname'] }}"
     signed_by: "ExampleCorpIntermediate"
+    ttl: 30d
     condition: true
   - name: "{{ ansible_facts['hostname'] }}_3"
     provider: ownca
@@ -168,7 +169,7 @@ pki_install_certificates:
 # Custom certificate installation search pattern
 pki_search_install_certificates_pattern: "foo_install_certificates_"
 
-# Certificates to isntall from a custom variable, with conditionals
+# Certificates to install from a custom variable, with conditionals
 functional_install_cert_2_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_2.crt' }}"
 functional_install_chain_2_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_2-chain.crt' }}"
 functional_install_ca_bundle_2_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_2-ca_bundle.crt' }}"

molecule/default/verify.yml

@@ -144,3 +144,22 @@
     - name: Validate server certificate against system trust store
       ansible.builtin.command: certtool --verify --infile "{{ functional_install_chain_2_dest }}"
       changed_when: false
+
+    - name: Fetch server certificate details
+      community.crypto.x509_certificate_info:
+        path: "{{ functional_install_chain_1_dest }}"
+      register: _functional_chain_1_dest
+
+    - name: Fetch server certificate details
+      community.crypto.x509_certificate_info:
+        path: "{{ functional_install_chain_2_dest }}"
+      register: _functional_chain_2_dest
+
+    - debug:
+        var: (_functional_chain_1_dest.not_after | to_datetime('%Y%m%d%H%M%S%fZ') - now()).days
+
+    - name: Ensure validity period for certificates
+      ansible.builtin.assert:
+        that:
+          - (_functional_chain_1_dest.not_after | to_datetime('%Y%m%d%H%M%S%fZ') - now()).days == 3649
+          - (_functional_chain_2_dest.not_after | to_datetime('%Y%m%d%H%M%S%fZ') - now()).days == 29

releasenotes/notes/ownca_cert_ttl-23505b58c9340cb4.yaml

@@ -0,0 +1,18 @@
+---
+features:
+  - |
+    Added key ``ttl`` to the ``pki_create_certificates``. The value can be
+    defined as a timespec, without leading `+`. For example:
+
+    .. code::yaml
+
+      - name: "SnakeMail"
+        signed_by: "SnakeRootIntermediate"
+        provider: ownca
+        cn: "imap.snakeoil.com"
+        signed_by: "SnakeRootIntermediate"
+        ttl: 30d
+
+    Default value is defined by the
+    `community.crypto.x509_certificate <https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html#parameter-ownca_not_after>`_
+    module.

tasks/standalone/sign_cert.yml

@@ -68,6 +68,7 @@
         ownca_path: "{{ _ca_file }}"
         ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/private/' ~ cert.signed_by ~ '.key.pem' }}"
         ownca_privatekey_passphrase: "{{ cert.ownca_key_passphrase | default(omit) }}"
+        ownca_not_after: "{{ ('ttl' in cert) | ternary('+' ~ cert.get('ttl'), omit) }}"
         provider: ownca
         force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
       register: cert_crt