openstack
/
ansible-role-pki
Code Issues Proposed changes
ansible-role-pki/tasks/standalone/create_cert.yml

87 lines
4.0 KiB
YAML
Raw Permalink Blame History

---
# Copyright 2021, BBC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create certificate {{ cert.name }}
vars:
ansible_python_interpreter: "{{ pki_setup_host_python_interpreter }}"
_cert_file: "{{ cert_dir ~ '/certs/' ~ cert.name ~ '.crt' }}"
_cert_chain_file: "{{ cert_dir ~ '/certs/' ~ cert.name ~ '-chain.crt' }}"
_ca_file: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/certs/' ~ cert.signed_by ~ '.crt' }}"
delegate_to: "{{ pki_setup_host }}"
block:
- name: Generate certificate private key for {{ cert.name }}
community.crypto.openssl_privatekey:
path: "{{ cert_dir ~ '/private/' ~ cert.name ~ '.key.pem' }}"
passphrase: "{{ cert.key_passphrase | default(omit) }}"
cipher: "{{ ('key_passphrase' in cert and cert.key_passphrase) | ternary('auto', omit) }}"
force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
format: "{{ cert.key_format | default(omit) }}"
register: cert_privkey
- name: Create the CSR for {{ cert.name }}
community.crypto.openssl_csr:
path: "{{ cert_dir ~ '/csr/' ~ cert.name ~ '.csr' }}"
privatekey_path: "{{ cert_privkey.filename }}"
privatekey_passphrase: "{{ cert.key_passphrase | default(omit) }}"
common_name: "{{ cert.cn | default(omit) }}"
basic_constraints_critical: yes
basic_constraints: "{{ cert.basic_constraints | default(omit) }}"
key_usage: "{{ cert.key_usage | default(omit) }}"
extended_key_usage: "{{ cert.extended_key_usage | default(omit) }}"
subject_alt_name: "{{ cert.san | default(omit) }}"
country_name: "{{ cert.country_name | default(omit) }}"
state_or_province_name: "{{ cert.state_or_province_name | default(omit) }}"
locality_name: "{{ cert.locality_name | default(omit) }}"
organization_name: "{{ cert.organization_name | default(omit) }}"
organizational_unit_name: "{{ cert.organization_unit_name | default(omit) }}"
subject: "{{ cert.subject | default(omit) }}"
force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
register: cert_csr
- name: Sign the certificate CSR for {{ cert.name }}
community.crypto.x509_certificate:
path: "{{ _cert_file }}"
csr_path: "{{ cert_csr.filename }}"
ownca_path: "{{ _ca_file }}"
ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/private/' ~ cert.signed_by ~ '.key.pem' }}"
ownca_privatekey_passphrase: "{{ cert.ownca_key_passphrase | default(omit) }}"
provider: ownca
force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
register: cert_crt
when:
- cert.provider == 'ownca'
- cert_csr is changed
notify:
- "{{ pki_handler_cert_changed }}"
ignore_errors: "{{ ansible_check_mode }}"
- name: Get certificate info for {{ cert.name }}
community.crypto.x509_certificate_info:
path: "{{ cert_crt.filename }}"
register: cert_info
when: cert_crt is changed
- name: Save certificate info for {{ cert.name }}
copy:
content: "{{ cert_info | to_nice_yaml }}"
dest: "{{ cert_dir ~ '/certs/' ~ cert.name ~ '.info' }}"
when: cert_crt is changed
- name: Create certificate chain for {{ cert.name }}
shell:
cmd: "cat {{ _cert_file }} {{ _ca_file }} > {{ _cert_chain_file }}"
creates: "{{ (cert_crt is not changed) | ternary(_cert_chain_file, omit) }}"
View Git Blame Copy Permalink