| |
| # Copyright 2017-present Open Networking Foundation |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| |
| --- |
| # pki-root-ca/tasks/main.yml |
| |
| # if the next two steps fail, may need to include `create-configdirs-become` |
| # role to create these directories using become. |
| - name: Create PKI and credentials directories |
| file: |
| dest: "{{ item }}" |
| state: directory |
| owner: "{{ ansible_user_id }}" |
| mode: 0700 |
| with_items: |
| - "{{ credentials_dir }}" |
| - "{{ pki_dir }}" |
| |
| - name: Create root CA directory |
| file: |
| dest: "{{ pki_dir }}/root_ca" |
| state: directory |
| owner: "{{ ansible_user_id }}" |
| mode: 0755 |
| |
| - name: Create root CA openssl.cnf from template |
| template: |
| src: openssl_root.cnf.j2 |
| dest: "{{ pki_dir }}/root_ca/openssl.cnf" |
| force: no |
| |
| - name: Create subdirs for root CA |
| file: |
| dest: "{{ pki_dir }}/root_ca/{{ item }}" |
| state: directory |
| owner: "{{ ansible_user_id }}" |
| mode: 0755 |
| with_items: |
| - certs |
| - crl |
| - newcerts |
| |
| - name: Create private CA directory |
| file: |
| dest: "{{ pki_dir }}/root_ca/private" |
| state: directory |
| owner: "{{ ansible_user_id }}" |
| mode: 0700 |
| |
| - name: Create serial file |
| copy: |
| dest: "{{ pki_dir }}/root_ca/serial" |
| content: "1000" |
| force: no |
| |
| - name: Create empty index file if it doesn't exist |
| copy: |
| dest: "{{ pki_dir }}/root_ca/index.txt" |
| content: "" |
| force: no |
| owner: "{{ ansible_user_id }}" |
| mode: 0755 |
| |
| - name: Save root passphrase to root_ca/private/ca_root_phrase |
| copy: |
| dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase" |
| content: "{{ ca_root_phrase }}" |
| owner: "{{ ansible_user_id }}" |
| mode: 0400 |
| |
| - name: Generate root key |
| command: > |
| openssl genrsa -aes256 |
| -out {{ pki_dir }}/root_ca/private/ca_key.pem |
| -passout file:{{ pki_dir }}/root_ca/private/ca_root_phrase |
| {{ ca_size }} |
| args: |
| creates: "{{ pki_dir }}/root_ca/private/ca_key.pem" |
| |
| - name: Set permissions on root key |
| file: |
| dest: "{{ pki_dir }}/root_ca/private/ca_key.pem" |
| owner: "{{ ansible_user_id }}" |
| mode: 0400 |
| |
| - name: Create root certificate |
| command: > |
| openssl req -config {{ pki_dir }}/root_ca/openssl.cnf |
| -key {{ pki_dir }}/root_ca/private/ca_key.pem |
| -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase |
| -new -x509 -days {{ ca_root_days }} |
| -sha256 -extensions v3_ca |
| -subj "{{ ca_root_subj }}" |
| -out {{ pki_dir }}/root_ca/certs/ca_cert.pem |
| args: |
| creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem" |