| --- |
| # Copyright 2017-present Open Networking Foundation |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| # pki-intermediate-ca/tasks/main.yml |
| |
| # if the next two steps fail, may need to include `create-configdirs-become` |
| # role to create these directories using become. |
| |
| - name: Create PKI directory |
| file: |
| dest: "{{ pki_dir }}" |
| state: directory |
| owner: "{{ ansible_user_id }}" |
| mode: 0755 |
| |
| - name: Create intermediate CA directory |
| file: |
| dest: "{{ pki_dir }}/{{ site_name }}_im_ca" |
| state: directory |
| owner: "{{ ansible_user_id }}" |
| mode: 0755 |
| |
| - name: Create intermediate CA openssl.cnf from template |
| template: |
| src: openssl_im.cnf.j2 |
| dest: "{{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf" |
| force: no |
| |
| - name: Create subdirs for intermediate CA |
| file: |
| dest: "{{ pki_dir }}/{{ site_name }}_im_ca/{{ item }}" |
| state: directory |
| with_items: |
| - certs |
| - client_cnfs |
| - crl |
| - csr |
| - newcerts |
| - server_cnfs |
| |
| - name: Create private CA directory |
| file: |
| dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private" |
| state: directory |
| mode: 0700 |
| |
| - name: Create serial file |
| copy: |
| dest: "{{ pki_dir }}/{{ site_name }}_im_ca/serial" |
| content: "01" |
| force: no |
| |
| - name: Create empty index file if it doesn't exist |
| copy: |
| dest: "{{ pki_dir }}/{{ site_name }}_im_ca/index.txt" |
| content: "" |
| force: no |
| |
| - name: Save intermediate passphrase to sitename_im_ca/private/ca_im_phrase |
| copy: |
| dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase" |
| content: "{{ ca_im_phrase }}" |
| mode: 0400 |
| |
| - name: Generate intermediate key |
| command: > |
| openssl genrsa -aes256 |
| -out {{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem |
| -passout file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase |
| {{ ca_size }} |
| args: |
| creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem" |
| |
| - name: Set permissions on intermediate key |
| file: |
| dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem" |
| mode: 0400 |
| |
| - name: Create intermediate CSR |
| command: > |
| openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf |
| -key {{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem |
| -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase |
| -new -sha256 -subj "{{ ca_im_subj }}" |
| -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem |
| args: |
| creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ site_name }}_im_ca_csr.pem" |
| |
| - name: Create intermediate cert from CSR with root CA |
| command: > |
| openssl ca -config {{ pki_dir }}/root_ca/openssl.cnf -batch |
| -extensions v3_intermediate_ca |
| -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase |
| -days {{ ca_im_days }} -md {{ ca_digest }} |
| -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem |
| -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem |
| args: |
| creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem" |
| |
| - name: Verify intemediate cert |
| command: > |
| openssl verify |
| -CAfile {{ pki_dir }}/root_ca/certs/ca_cert.pem |
| {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem |
| register: im_verify |
| tags: |
| - skip_ansible_lint # diagnostic command |
| |
| - name: Assert that verify of intermediate cert succeeded |
| assert: |
| that: "'OK' in '{{ im_verify.stdout }}'" |
| |
| - name: Get the root cert into ca_cert var |
| command: > |
| openssl x509 -in {{ pki_dir }}/root_ca/certs/ca_cert.pem |
| register: ca_cert |
| tags: |
| - skip_ansible_lint # concat of files |
| |
| - name: Get the intermediate cert into im_cert var |
| command: > |
| openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem |
| register: im_cert |
| tags: |
| - skip_ansible_lint # concat of files |
| |
| - name: Create intermediate cert chain |
| copy: |
| dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem" |
| content: "{{ im_cert.stdout }}\n{{ ca_cert.stdout }}" |
| |