pki work, and keystone cert generated
ignore retry files
load variables for localhost as wel
split root/intermediate generation
use array for creating server certs
configure openstack with certs from server via lookup('file',...
move root CA cert to old location, testing
indent ssl info
more places where the CA cert is used
don't have juju self-manage certs
juju requires certs be base64 encoded (not documented)
install both root/intermediate CA certs, as juju/trusty apache is too old to support chaining
provide ca/im chain to juju keystone config
yaml error
updated name for onos source per jono
fixed the onos-fabric-install role
whitespace
copy CA certs to compute node
stop wasting time
diagnostically print contents of /usr/local/share/ca-certificates/ dir
Change-Id: Idbd4891736b07690a260bf3d117c547de1ae7424
diff --git a/roles/pki-root-ca/defaults/main.yml b/roles/pki-root-ca/defaults/main.yml
new file mode 100644
index 0000000..ebfd5ed
--- /dev/null
+++ b/roles/pki-root-ca/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+# pki-root-ca/defaults/main.yml
+pki_dir: "{{ playbook_dir }}/pki"
+
+# ca parameters
+ca_digest: "sha256"
+ca_size: 4096
+ca_root_days: 3650
+
+# passphrases for the key
+ca_root_phrase: "{{ lookup('password', 'credentials/ca_root_phrase length=64') }}"
+
+# noninteractive csr subject
+ca_root_subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=CORD Test Deployment Root CA"
diff --git a/roles/pki-root-ca/tasks/main.yml b/roles/pki-root-ca/tasks/main.yml
new file mode 100644
index 0000000..eb23d09
--- /dev/null
+++ b/roles/pki-root-ca/tasks/main.yml
@@ -0,0 +1,73 @@
+---
+# pki-root-ca/tasks/main.yml
+
+- name: Create root CA directory
+ file:
+ dest: "{{ pki_dir }}/root_ca"
+ state: directory
+
+- name: Create root CA openssl.cnf from template
+ template:
+ src: openssl_root.cnf.j2
+ dest: "{{ pki_dir }}/root_ca/openssl.cnf"
+ force: no
+
+- name: Create subdirs for root CA
+ file:
+ dest: "{{ pki_dir }}/root_ca/{{ item }}"
+ state: directory
+ with_items:
+ - certs
+ - crl
+ - newcerts
+
+- name: Create private CA directory
+ file:
+ dest: "{{ pki_dir }}/root_ca/private"
+ state: directory
+ mode: 0700
+
+- name: Create serial file
+ copy:
+ dest: "{{ pki_dir }}/root_ca/serial"
+ content: "1000"
+ force: no
+
+- name: Create empty index file if it doesn't exist
+ copy:
+ dest: "{{ pki_dir }}/root_ca/index.txt"
+ content: ""
+ force: no
+
+- name: Save root passphrase to root_ca/private/ca_root_phrase
+ copy:
+ dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase"
+ content: "{{ ca_root_phrase }}"
+ mode: 0400
+
+- name: Generate root key
+ command: >
+ openssl genrsa -aes256
+ -out {{ pki_dir }}/root_ca/private/ca_key.pem
+ -passout file:{{ pki_dir }}/root_ca/private/ca_root_phrase
+ {{ ca_size }}
+ args:
+ creates: "{{ pki_dir }}/root_ca/private/ca_key.pem"
+
+- name: Set permissions on root key
+ file:
+ dest: "{{ pki_dir }}/root_ca/private/ca_key.pem"
+ mode: 0400
+
+- name: Create root certificate
+ command: >
+ openssl req -config {{ pki_dir }}/root_ca/openssl.cnf
+ -key {{ pki_dir }}/root_ca/private/ca_key.pem
+ -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
+ -new -x509 -days {{ ca_root_days }}
+ -sha256 -extensions v3_ca
+ -subj "{{ ca_root_subj }}"
+ -out {{ pki_dir }}/root_ca/certs/ca_cert.pem
+ args:
+ creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"
+
diff --git a/roles/pki-root-ca/templates/openssl_root.cnf.j2 b/roles/pki-root-ca/templates/openssl_root.cnf.j2
new file mode 100644
index 0000000..a7ffced
--- /dev/null
+++ b/roles/pki-root-ca/templates/openssl_root.cnf.j2
@@ -0,0 +1,95 @@
+# Created by openssl_root.cnf.j2, configured by ansible
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = {{ pki_dir }}/root_ca
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.randfile
+
+private_key = $dir/private/ca_key.pem
+certificate = $dir/certs/ca_cert.pem
+
+crlnumber = $dir/crl/crlnumber
+crl = $dir/crl/ca_crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# Make new requests easier to sign - allow two subjects with same name
+# (Or revoke the old certificate first.)
+unique_subject = no
+
+default_md = {{ ca_digest }}
+name_opt = ca_default
+cert_opt = ca_default
+default_days = {{ ca_root_days }}
+preserve = no
+
+# for CA that only signs intermediate CA certs
+policy = policy_strict
+
+[ policy_strict ]
+# Used by root CA to sign intermediate CA's, should match
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = {{ ca_size }}
+default_md = {{ ca_digest }}
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Some defaults
+countryName_default = US
+stateOrProvinceName_default = California
+localityName_default = Menlo Park
+0.organizationName_default = ON.Lab
+organizationalUnitName_default = Test Deployment
+emailAddress_default = privateca@opencord.org
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+