blob: fd526e4e2c7fe9c0d143bab623a22571b0b4725c [file] [log] [blame]
---
# pki-root-ca/tasks/main.yml
- name: Create PKI and credentials directories
become: yes
file:
dest: "{{ item }}"
state: directory
owner: "{{ ansible_user_id }}"
mode: 0700
with_items:
- "{{ credentials_dir }}"
- "{{ pki_dir }}"
- name: Create root CA directory
become: yes
file:
dest: "{{ pki_dir }}/root_ca"
state: directory
owner: "{{ ansible_user_id }}"
mode: 0755
- name: Create root CA openssl.cnf from template
template:
src: openssl_root.cnf.j2
dest: "{{ pki_dir }}/root_ca/openssl.cnf"
force: no
- name: Create subdirs for root CA
file:
dest: "{{ pki_dir }}/root_ca/{{ item }}"
state: directory
owner: "{{ ansible_user_id }}"
mode: 0755
with_items:
- certs
- crl
- newcerts
- name: Create private CA directory
file:
dest: "{{ pki_dir }}/root_ca/private"
state: directory
owner: "{{ ansible_user_id }}"
mode: 0700
- name: Create serial file
copy:
dest: "{{ pki_dir }}/root_ca/serial"
content: "1000"
force: no
- name: Create empty index file if it doesn't exist
copy:
dest: "{{ pki_dir }}/root_ca/index.txt"
content: ""
force: no
owner: "{{ ansible_user_id }}"
mode: 0755
- name: Save root passphrase to root_ca/private/ca_root_phrase
copy:
dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase"
content: "{{ ca_root_phrase }}"
owner: "{{ ansible_user_id }}"
mode: 0400
- name: Generate root key
command: >
openssl genrsa -aes256
-out {{ pki_dir }}/root_ca/private/ca_key.pem
-passout file:{{ pki_dir }}/root_ca/private/ca_root_phrase
{{ ca_size }}
args:
creates: "{{ pki_dir }}/root_ca/private/ca_key.pem"
- name: Set permissions on root key
file:
dest: "{{ pki_dir }}/root_ca/private/ca_key.pem"
owner: "{{ ansible_user_id }}"
mode: 0400
- name: Create root certificate
command: >
openssl req -config {{ pki_dir }}/root_ca/openssl.cnf
-key {{ pki_dir }}/root_ca/private/ca_key.pem
-passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
-new -x509 -days {{ ca_root_days }}
-sha256 -extensions v3_ca
-subj "{{ ca_root_subj }}"
-out {{ pki_dir }}/root_ca/certs/ca_cert.pem
args:
creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"