roles/pki-root-ca/tasks/main.yml - platform-install - Gitiles

 ---
 # pki-root-ca/tasks/main.yml

 - name: Create PKI and credentials directories
   become: yes
   file:
     dest: "{{ item }}"
     state: directory
     owner: "{{ ansible_user_id }}"
     mode: 0700
   with_items:
     - "{{ credentials_dir }}"
     - "{{ pki_dir }}"

 - name: Create root CA directory
   become: yes
   file:
     dest: "{{ pki_dir }}/root_ca"
     state: directory
     owner: "{{ ansible_user_id }}"
     mode: 0755

 - name: Create root CA openssl.cnf from template
   template:
     src: openssl_root.cnf.j2
     dest: "{{ pki_dir }}/root_ca/openssl.cnf"
     force: no

 - name: Create subdirs for root CA
   file:
     dest: "{{ pki_dir }}/root_ca/{{ item }}"
     state: directory
     owner: "{{ ansible_user_id }}"
     mode: 0755
   with_items:
     - certs
     - crl
     - newcerts

 - name: Create private CA directory
   file:
     dest: "{{ pki_dir }}/root_ca/private"
     state: directory
     owner: "{{ ansible_user_id }}"
     mode: 0700

 - name: Create serial file
   copy:
     dest: "{{ pki_dir }}/root_ca/serial"
     content: "1000"
     force: no

 - name: Create empty index file if it doesn't exist
   copy:
     dest: "{{ pki_dir }}/root_ca/index.txt"
     content: ""
     force: no
     owner: "{{ ansible_user_id }}"
     mode: 0755

 - name: Save root passphrase to root_ca/private/ca_root_phrase
   copy:
     dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase"
     content: "{{ ca_root_phrase }}"
     owner: "{{ ansible_user_id }}"
     mode: 0400

 - name: Generate root key
   command: >
     openssl genrsa -aes256
       -out {{ pki_dir }}/root_ca/private/ca_key.pem
       -passout file:{{ pki_dir }}/root_ca/private/ca_root_phrase
       {{ ca_size }}
   args:
     creates: "{{ pki_dir }}/root_ca/private/ca_key.pem"

 - name: Set permissions on root key
   file:
     dest: "{{ pki_dir }}/root_ca/private/ca_key.pem"
     owner: "{{ ansible_user_id }}"
     mode: 0400

 - name: Create root certificate
   command: >
     openssl req -config {{ pki_dir }}/root_ca/openssl.cnf
       -key {{ pki_dir }}/root_ca/private/ca_key.pem
       -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
       -new -x509 -days {{ ca_root_days }}
       -sha256 -extensions v3_ca
       -subj "{{ ca_root_subj }}"
       -out {{ pki_dir }}/root_ca/certs/ca_cert.pem
   args:
     creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"
	---
	# pki-root-ca/tasks/main.yml

	- name: Create PKI and credentials directories
	become: yes
	file:
	dest: "{{ item }}"
	state: directory
	owner: "{{ ansible_user_id }}"
	mode: 0700
	with_items:
	- "{{ credentials_dir }}"
	- "{{ pki_dir }}"

	- name: Create root CA directory
	become: yes
	file:
	dest: "{{ pki_dir }}/root_ca"
	state: directory
	owner: "{{ ansible_user_id }}"
	mode: 0755

	- name: Create root CA openssl.cnf from template
	template:
	src: openssl_root.cnf.j2
	dest: "{{ pki_dir }}/root_ca/openssl.cnf"
	force: no

	- name: Create subdirs for root CA
	file:
	dest: "{{ pki_dir }}/root_ca/{{ item }}"
	state: directory
	owner: "{{ ansible_user_id }}"
	mode: 0755
	with_items:
	- certs
	- crl
	- newcerts

	- name: Create private CA directory
	file:
	dest: "{{ pki_dir }}/root_ca/private"
	state: directory
	owner: "{{ ansible_user_id }}"
	mode: 0700

	- name: Create serial file
	copy:
	dest: "{{ pki_dir }}/root_ca/serial"
	content: "1000"
	force: no

	- name: Create empty index file if it doesn't exist
	copy:
	dest: "{{ pki_dir }}/root_ca/index.txt"
	content: ""
	force: no
	owner: "{{ ansible_user_id }}"
	mode: 0755

	- name: Save root passphrase to root_ca/private/ca_root_phrase
	copy:
	dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase"
	content: "{{ ca_root_phrase }}"
	owner: "{{ ansible_user_id }}"
	mode: 0400

	- name: Generate root key
	command: >
	openssl genrsa -aes256
	-out {{ pki_dir }}/root_ca/private/ca_key.pem
	-passout file:{{ pki_dir }}/root_ca/private/ca_root_phrase
	{{ ca_size }}
	args:
	creates: "{{ pki_dir }}/root_ca/private/ca_key.pem"

	- name: Set permissions on root key
	file:
	dest: "{{ pki_dir }}/root_ca/private/ca_key.pem"
	owner: "{{ ansible_user_id }}"
	mode: 0400

	- name: Create root certificate
	command: >
	openssl req -config {{ pki_dir }}/root_ca/openssl.cnf
	-key {{ pki_dir }}/root_ca/private/ca_key.pem
	-passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
	-new -x509 -days {{ ca_root_days }}
	-sha256 -extensions v3_ca
	-subj "{{ ca_root_subj }}"
	-out {{ pki_dir }}/root_ca/certs/ca_cert.pem
	args:
	creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"