[CORD-2350]
Don't use ENV vars when generating SSL certs
Change-Id: I82b4165a82fe20a5ac176ab251999d07658b5021
diff --git a/roles/pki-cert/tasks/main.yml b/roles/pki-cert/tasks/main.yml
index 80a9d65..1abf3fb 100644
--- a/roles/pki-cert/tasks/main.yml
+++ b/roles/pki-cert/tasks/main.yml
@@ -1,4 +1,4 @@
-
+---
# Copyright 2017-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,8 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-
----
# pki-cert/tasks/main.yml
- name: Generate server private key (no pw)
@@ -26,30 +24,32 @@
creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
with_items: "{{ server_certs }}"
+- name: Generate server-specific openssl config
+ template:
+ src: server.cnf.j2
+ dest: "{{ pki_dir }}/{{ site_name }}_im_ca/server_cnfs/{{ item.cn }}.cnf"
+ with_items: "{{ server_certs }}"
+
- name: Generate server CSR
command: >
- openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
+ openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/server_cnfs/{{ item.cn }}.cnf
-key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
-new -sha256 -subj "{{ item.subj }}"
-out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
args:
creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
- environment:
- KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
with_items: "{{ server_certs }}"
- name: Sign server cert
command: >
- openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf -batch
- -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
+ openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/server_cnfs/{{ item.cn }}.cnf
+ -batch -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
-extensions server_cert
-days {{ cert_days }} -md {{ cert_digest }}
-in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
-out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
args:
creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
- environment:
- KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
with_items: "{{ server_certs }}"
- name: Verify cert against root + im chain
@@ -97,30 +97,32 @@
creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
with_items: "{{ client_certs }}"
+- name: Generate client-specific openssl config
+ template:
+ src: client.cnf.j2
+ dest: "{{ pki_dir }}/{{ site_name }}_im_ca/client_cnfs/{{ item.cn }}.cnf"
+ with_items: "{{ client_certs }}"
+
- name: Generate client CSR
command: >
- openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
+ openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/client_cnfs/{{ item.cn }}.cnf
-key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
-new -sha256 -subj "{{ item.subj }}"
-out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
args:
creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
- environment:
- KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
with_items: "{{ client_certs }}"
- name: Sign client cert
command: >
- openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf -batch
- -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
- -extensions user_cert
+ openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/client_cnfs/{{ item.cn }}.cnf
+ -batch -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
+ -extensions client_cert
-days {{ cert_days }} -md {{ cert_digest }}
-in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
-out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
args:
creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
- environment:
- KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
with_items: "{{ client_certs }}"
- name: Verify cert against root + im chain
diff --git a/roles/pki-cert/templates/client.cnf.j2 b/roles/pki-cert/templates/client.cnf.j2
new file mode 100644
index 0000000..d9aba37
--- /dev/null
+++ b/roles/pki-cert/templates/client.cnf.j2
@@ -0,0 +1,95 @@
+{#
+Copyright 2017-present Open Networking Foundation
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+# Created by client.cnf.j2, configured by ansible
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = {{ pki_dir }}/{{ site_name }}_im_ca
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.randfile
+
+private_key = $dir/private/im_key.pem
+certificate = $dir/certs/im_cert.pem
+
+crlnumber = $dir/crl/crlnumber
+crl = $dir/crl/im_crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# Make new requests easier to sign - allow two subjects with same name
+# (Or revoke the old certificate first.)
+unique_subject = no
+
+default_md = {{ ca_digest }}
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = {{ ca_im_days }}
+preserve = no
+
+# for CA that signs client certs
+policy = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign more types of certs
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = {{ ca_size }}
+default_md = {{ ca_digest }}
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+x509_extensions = client_cert
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Some defaults
+countryName_default = US
+stateOrProvinceName_default = California
+localityName_default = Menlo Park
+0.organizationName_default = ON.Lab
+organizationalUnitName_default = {{ site_humanname }}
+emailAddress_default = privateca@opencord.org
+
+[ client_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = clientAuth, emailProtection
+subjectAltName = {{ item.altnames | join(', ') }}
+
diff --git a/roles/pki-cert/templates/server.cnf.j2 b/roles/pki-cert/templates/server.cnf.j2
new file mode 100644
index 0000000..001d00f
--- /dev/null
+++ b/roles/pki-cert/templates/server.cnf.j2
@@ -0,0 +1,95 @@
+{#
+Copyright 2017-present Open Networking Foundation
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+# Created by server.cnf.j2, configured by ansible
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = {{ pki_dir }}/{{ site_name }}_im_ca
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.randfile
+
+private_key = $dir/private/im_key.pem
+certificate = $dir/certs/im_cert.pem
+
+crlnumber = $dir/crl/crlnumber
+crl = $dir/crl/im_crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# Make new requests easier to sign - allow two subjects with same name
+# (Or revoke the old certificate first.)
+unique_subject = no
+
+default_md = {{ ca_digest }}
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = {{ ca_im_days }}
+preserve = no
+
+# for CA that signs client certs
+policy = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign more types of certs
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = {{ ca_size }}
+default_md = {{ ca_digest }}
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+x509_extensions = server_cert
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Some defaults
+countryName_default = US
+stateOrProvinceName_default = California
+localityName_default = Menlo Park
+0.organizationName_default = ON.Lab
+organizationalUnitName_default = {{ site_humanname }}
+emailAddress_default = privateca@opencord.org
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = {{ item.altnames | join(', ') }}
+
diff --git a/roles/pki-intermediate-ca/tasks/main.yml b/roles/pki-intermediate-ca/tasks/main.yml
index 1323a67..d312085 100644
--- a/roles/pki-intermediate-ca/tasks/main.yml
+++ b/roles/pki-intermediate-ca/tasks/main.yml
@@ -1,4 +1,4 @@
-
+---
# Copyright 2017-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,12 +13,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-
----
# pki-intermediate-ca/tasks/main.yml
# if the next two steps fail, may need to include `create-configdirs-become`
# role to create these directories using become.
+
- name: Create PKI directory
file:
dest: "{{ pki_dir }}"
@@ -45,9 +44,11 @@
state: directory
with_items:
- certs
+ - client_cnfs
- crl
- csr
- newcerts
+ - server_cnfs
- name: Create private CA directory
file:
@@ -96,8 +97,6 @@
-out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem
args:
creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ site_name }}_im_ca_csr.pem"
- environment:
- KEY_ALTNAMES: ""
- name: Create intermediate cert from CSR with root CA
command: >
diff --git a/roles/pki-intermediate-ca/templates/openssl_im.cnf.j2 b/roles/pki-intermediate-ca/templates/openssl_im.cnf.j2
index 0f8c481..e373c8e 100644
--- a/roles/pki-intermediate-ca/templates/openssl_im.cnf.j2
+++ b/roles/pki-intermediate-ca/templates/openssl_im.cnf.j2
@@ -1,4 +1,3 @@
-
{#
Copyright 2017-present Open Networking Foundation
@@ -14,8 +13,6 @@
See the License for the specific language governing permissions and
limitations under the License.
#}
-
-
# Created by openssl_im.cnf.j2, configured by ansible
[ ca ]
@@ -94,32 +91,3 @@
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-[ server_cert ]
-# Extensions for server certificates (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
-basicConstraints = CA:FALSE
-keyUsage = critical, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth
-subjectAltName = ${ENV::KEY_ALTNAMES}
-
-[ user_cert ]
-# Extensions for client certificates (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
-basicConstraints = CA:FALSE
-keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
-extendedKeyUsage = clientAuth, emailProtection
-
-[ crl_ext ]
-# Extension for CRLs (`man x509v3_config`).
-authorityKeyIdentifier=keyid:always
-
-[ ocsp ]
-# Extension for OCSP signing certificates (`man ocsp`).
-basicConstraints = CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, digitalSignature
-extendedKeyUsage = critical, OCSPSigning
-