blob: d312085fb45b88e4856e9663b6d2c62549a48d57 [file] [log] [blame]
---
# Copyright 2017-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# pki-intermediate-ca/tasks/main.yml
# if the next two steps fail, may need to include `create-configdirs-become`
# role to create these directories using become.
- name: Create PKI directory
file:
dest: "{{ pki_dir }}"
state: directory
owner: "{{ ansible_user_id }}"
mode: 0755
- name: Create intermediate CA directory
file:
dest: "{{ pki_dir }}/{{ site_name }}_im_ca"
state: directory
owner: "{{ ansible_user_id }}"
mode: 0755
- name: Create intermediate CA openssl.cnf from template
template:
src: openssl_im.cnf.j2
dest: "{{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf"
force: no
- name: Create subdirs for intermediate CA
file:
dest: "{{ pki_dir }}/{{ site_name }}_im_ca/{{ item }}"
state: directory
with_items:
- certs
- client_cnfs
- crl
- csr
- newcerts
- server_cnfs
- name: Create private CA directory
file:
dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private"
state: directory
mode: 0700
- name: Create serial file
copy:
dest: "{{ pki_dir }}/{{ site_name }}_im_ca/serial"
content: "01"
force: no
- name: Create empty index file if it doesn't exist
copy:
dest: "{{ pki_dir }}/{{ site_name }}_im_ca/index.txt"
content: ""
force: no
- name: Save intermediate passphrase to sitename_im_ca/private/ca_im_phrase
copy:
dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase"
content: "{{ ca_im_phrase }}"
mode: 0400
- name: Generate intermediate key
command: >
openssl genrsa -aes256
-out {{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem
-passout file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
{{ ca_size }}
args:
creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem"
- name: Set permissions on intermediate key
file:
dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem"
mode: 0400
- name: Create intermediate CSR
command: >
openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
-key {{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem
-passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
-new -sha256 -subj "{{ ca_im_subj }}"
-out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem
args:
creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ site_name }}_im_ca_csr.pem"
- name: Create intermediate cert from CSR with root CA
command: >
openssl ca -config {{ pki_dir }}/root_ca/openssl.cnf -batch
-extensions v3_intermediate_ca
-passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
-days {{ ca_im_days }} -md {{ ca_digest }}
-in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem
-out {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
args:
creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem"
- name: Verify intemediate cert
command: >
openssl verify
-CAfile {{ pki_dir }}/root_ca/certs/ca_cert.pem
{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
register: im_verify
tags:
- skip_ansible_lint # diagnostic command
- name: Assert that verify of intermediate cert succeeded
assert:
that: "'OK' in '{{ im_verify.stdout }}'"
- name: Get the root cert into ca_cert var
command: >
openssl x509 -in {{ pki_dir }}/root_ca/certs/ca_cert.pem
register: ca_cert
tags:
- skip_ansible_lint # concat of files
- name: Get the intermediate cert into im_cert var
command: >
openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
register: im_cert
tags:
- skip_ansible_lint # concat of files
- name: Create intermediate cert chain
copy:
dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem"
content: "{{ im_cert.stdout }}\n{{ ca_cert.stdout }}"