Generate per-site SSL intermediate CA, fix cred/pki paths
Change-Id: I0bda0791d82142acac8c6af0e152d8d0954ef719
diff --git a/roles/pki-cert/defaults/main.yml b/roles/pki-cert/defaults/main.yml
index 4d55149..6c3de79 100644
--- a/roles/pki-cert/defaults/main.yml
+++ b/roles/pki-cert/defaults/main.yml
@@ -1,9 +1,12 @@
---
# pki-cert/defaults/main.yml
+pki_dir: "{{ playbook_dir }}/pki"
+
+# client/server cert parameters
cert_size: 2048
cert_digest: "sha256"
-cert_days: 180
+cert_days: 365
# lists of certificates to create
server_certs: []
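Review bot: Every path in tasks/main.yml now depends on `site_name`, but this defaults hunk neither declares nor documents it, so the role aborts with an undefined-variable error unless the caller already knows to set it; a comment line such as `# site_name: REQUIRED - per-site tag selecting {{ pki_dir }}/<site_name>_im_ca, set in inventory or the playbook` above `pki_dir` would make that contract visible. `pki_dir: "{{ playbook_dir }}/pki"` also puts `private/*_key.pem` and the `ca_im_phrase` passphrase file inside the playbook tree, which is easy to commit by accident; a comment pointing at the `.gitignore` entry (I cannot see whether one exists) is worth adding. The `cert_days` change from 180 to 365 doubles the lifetime of both server and client certificates and is not mentioned in the commit message; it deserves a line there or a `# applies to server and client certs` comment here.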
diff --git a/roles/pki-cert/tasks/main.yml b/roles/pki-cert/tasks/main.yml
index b7cbdd3..c62f522 100644
--- a/roles/pki-cert/tasks/main.yml
+++ b/roles/pki-cert/tasks/main.yml
@@ -4,33 +4,33 @@
- name: Generate server private key (no pw)
command: >
openssl genrsa
- -out {{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem
+ -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
args:
- creates: "{{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem"
+ creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
with_items: "{{ server_certs }}"
- name: Generate server CSR
command: >
- openssl req -config {{ pki_dir }}/intermediate_ca/openssl.cnf
- -key {{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem
+ openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
+ -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
-new -sha256 -subj "{{ item.subj }}"
- -out {{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem
+ -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
args:
- creates: "{{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem"
+ creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
environment:
KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
with_items: "{{ server_certs }}"
- name: Sign server cert
command: >
- openssl ca -config {{ pki_dir }}/intermediate_ca/openssl.cnf -batch
- -passin file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
+ openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf -batch
+ -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
-extensions server_cert
-days {{ cert_days }} -md {{ cert_digest }}
- -in {{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem
- -out {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
+ -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
+ -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
args:
- creates: "{{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem"
+ creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
environment:
KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
with_items: "{{ server_certs }}"
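Review bot: The `openssl genrsa` in "Generate server private key (no pw)" still takes no key length, so `cert_size` from defaults is never applied and the length falls back to the OpenSSL build's default (1024 bits on releases before 1.1.0, as far as I recall); append it to the command: `-out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem {{ cert_size }}`. The key file is created with whatever the controller's umask allows, so a follow-up `file:` task setting `mode: "0600"` on the generated key (or on `private/` as a whole) is worth adding; I cannot see from this hunk how the directory itself is created. In "Sign server cert" the `-passin file:` passphrase lives in the same `private/` directory as the encrypted intermediate key, which makes the passphrase protection nominal, so a comment stating that directory permissions, not the passphrase, are the real boundary would help the next maintainer. The enclosing task list starts before this hunk.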
@@ -38,8 +38,8 @@
- name: Verify cert against root + im chain
command: >
openssl verify -purpose sslserver
- -CAfile {{ pki_dir }}/intermediate_ca/certs/im_cert_chain.pem
- {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
+ -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
+ {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
with_items: "{{ server_certs }}"
tags:
- skip_ansible_lint # diagnostic command
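Review bot: "Verify cert against root + im chain" is a read-only check but carries no `changed_when: false`, so every run reports it as changed and the `skip_ansible_lint` tag hides the lint warning instead of resolving it; add `changed_when: false` alongside `tags:`. The task relies on `openssl verify` exiting non-zero on failure, which holds for current releases but, if I remember right, not for some old ones; where old controllers matter, `register: verify_out` plus `failed_when: "'OK' not in verify_out.stdout"` makes the check explicit. Whether the `-CAfile` chain actually contains the root as the task name claims cannot be seen from this hunk.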
@@ -52,14 +52,14 @@
- name: Get the intermediate cert into im_cert var
command: >
- openssl x509 -in {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
+ openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
register: im_cert
tags:
- skip_ansible_lint # concat of files
- name: Get the certs into server_certs var
command: >
- openssl x509 -in {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
+ openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
with_items: "{{ server_certs }}"
tags:
- skip_ansible_lint # concat of files
@@ -67,40 +67,40 @@
- name: Create chained server certs
copy:
- dest: "{{ pki_dir }}/intermediate_ca/certs/{{ item.item.cn }}_cert_chain.pem"
+ dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem"
content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
with_items: "{{ server_certs_raw.results }}"
- name: Generate client private key (no pw)
command: >
openssl genrsa
- -out {{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem
+ -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
args:
- creates: "{{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem"
+ creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
with_items: "{{ client_certs }}"
- name: Generate client CSR
command: >
- openssl req -config {{ pki_dir }}/intermediate_ca/openssl.cnf
- -key {{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem
+ openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
+ -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
-new -sha256 -subj "{{ item.subj }}"
- -out {{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem
+ -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
args:
- creates: "{{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem"
+ creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
environment:
KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
with_items: "{{ client_certs }}"
- name: Sign client cert
command: >
- openssl ca -config {{ pki_dir }}/intermediate_ca/openssl.cnf -batch
- -passin file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
+ openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf -batch
+ -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
-extensions user_cert
-days {{ cert_days }} -md {{ cert_digest }}
- -in {{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem
- -out {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
+ -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
+ -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
args:
- creates: "{{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem"
+ creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
environment:
KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
with_items: "{{ client_certs }}"
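Review bot: Server and client artefacts share one filename namespace: "Generate client private key (no pw)" writes `{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem` exactly as the server task does, and the same holds for `csr/` and `certs/`, so a `cn` present in both `server_certs` and `client_certs` makes the `creates:` guards silently skip the client key, CSR and signing, leaving the "client" with the server's `server_cert` certificate (whether the later `-purpose sslclient` verify catches this depends on extension sections I cannot see). Either prefix the filenames by role (`client_{{ item.cn }}_key.pem`) or assert the two lists are disjoint at the top of the task file, outside this hunk. The client `openssl genrsa` also omits `{{ cert_size }}`, the same gap as on the server side.

```yaml
- name: Refuse CNs present in both server_certs and client_certs (shared key/csr/cert namespace)
  assert:
    that:
      - "server_certs | map(attribute='cn') | intersect(client_certs | map(attribute='cn')) | length == 0"
    fail_msg: "a cn appears in both server_certs and client_certs; artefact files would collide"
```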
@@ -108,8 +108,8 @@
- name: Verify cert against root + im chain
command: >
openssl verify -purpose sslclient
- -CAfile {{ pki_dir }}/intermediate_ca/certs/im_cert_chain.pem
- {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
+ -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
+ {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
with_items: "{{ client_certs }}"
tags:
- skip_ansible_lint # diagnostic command
@@ -122,7 +122,7 @@
- name: Get the certs into client_certs var
command: >
- openssl x509 -in {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
+ openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
with_items: "{{ client_certs }}"
tags:
- skip_ansible_lint # concat of files
@@ -130,7 +130,7 @@
- name: Create chained client cert
copy:
- dest: "{{ pki_dir }}/intermediate_ca/certs/{{ item.item.cn }}_cert_chain.pem"
+ dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem"
content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
with_items: "{{ client_certs_raw.results }}"