---
# Copyright 2017-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# pki-cert/tasks/main.yml
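- name: Generate server private key (no pw)
  # One unencrypted RSA key per server_certs entry; `creates` makes the task
  # idempotent so an existing key is never regenerated (which would invalidate
  # the certificate already issued for it).
  command: >
    openssl genrsa
    -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
    {{ cert_size }}
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
  with_items: "{{ server_certs }}"

- name: Restrict server private key permissions
  # Defensive: whether openssl creates the key file owner-only depends on the
  # openssl release and the caller's umask, so pin the mode explicitly. The key
  # is stored unencrypted, so anything wider than 0600 leaks it to other users.
  file:
    path: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
    mode: "0600"
  with_items: "{{ server_certs }}"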
- name: Generate server-specific openssl config
  # Render one openssl config per server_certs entry; the rendered file is what
  # the CSR and signing steps below pass to `-config`.
  with_items: "{{ server_certs }}"
  template:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/server_cnfs/{{ item.cn }}.cnf"
    src: server.cnf.j2
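- name: Generate server CSR
  # The subject goes through the `quote` filter instead of being wrapped in
  # literal double quotes: the command module splits the folded string into
  # arguments, and a subject containing a quote would otherwise break that
  # split (or inject extra arguments). `quote` handles spaces and quotes.
  command: >
    openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/server_cnfs/{{ item.cn }}.cnf
    -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
    -new -sha256 -subj {{ item.subj | quote }}
    -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
  with_items: "{{ server_certs }}"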
- name: Sign server cert
  # Issue the server certificate from its CSR with the intermediate CA.
  # `-batch` suppresses interactive prompts; the CA key passphrase is read
  # from a file (`-passin file:`) rather than placed on the command line.
  # `creates` skips re-signing once the certificate exists.
  with_items: "{{ server_certs }}"
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
  command: >
    openssl ca
    -config {{ pki_dir }}/{{ site_name }}_im_ca/server_cnfs/{{ item.cn }}.cnf
    -batch
    -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
    -extensions server_cert
    -days {{ cert_days }}
    -md {{ cert_digest }}
    -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
    -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
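- name: Verify cert against root + im chain
  # Read-only diagnostic: checks each issued server cert against the
  # intermediate chain. Its stdout is registered for the explicit assert that
  # follows (older openssl releases may not signal a failed verify through the
  # exit status, so the task does not rely on rc alone).
  command: >
    openssl verify -purpose sslserver
    -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
    {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
  changed_when: false  # never modifies anything; keep the run idempotent
  register: server_chain_verify
  with_items: "{{ server_certs }}"
  tags:
    - skip_ansible_lint  # diagnostic command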
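- name: Assert that verify of cert succeeded
  # Reference the registered result directly rather than templating stdout
  # into a quoted Jinja literal: a quote in the output would break the
  # expression, and Ansible warns about `{{ }}` inside conditionals. The rc
  # check is added so a non-zero exit is caught even if "OK" appears in stdout.
  assert:
    that:
      - item.rc == 0
      - "'OK' in item.stdout"
  with_items: "{{ server_chain_verify.results }}"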
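- name: Get the intermediate cert into im_cert var
  # Reads the intermediate CA certificate (public data) so it can be appended
  # to each leaf certificate below. Read-only, hence changed_when: false.
  command: >
    openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
  changed_when: false
  register: im_cert
  tags:
    - skip_ansible_lint  # concat of files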
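- name: Get the certs into server_certs var
  # Reads each issued server certificate (public data) into a registered
  # result; the chained-cert task below consumes `.results`. Read-only,
  # hence changed_when: false.
  command: >
    openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
  changed_when: false
  register: server_certs_raw
  with_items: "{{ server_certs }}"
  tags:
    - skip_ansible_lint  # concat of files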
- name: Create chained server certs
  # Write leaf + intermediate as one PEM file. Each `item` is a registered
  # command result, so the original loop entry is reached via `item.item`.
  with_items: "{{ server_certs_raw.results }}"
  copy:
    content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem"
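- name: Generate client private key (no pw)
  # One unencrypted RSA key per client_certs entry; `creates` makes the task
  # idempotent so an existing key is never regenerated (which would invalidate
  # the certificate already issued for it).
  command: >
    openssl genrsa
    -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
    {{ cert_size }}
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
  with_items: "{{ client_certs }}"

- name: Restrict client private key permissions
  # Defensive: whether openssl creates the key file owner-only depends on the
  # openssl release and the caller's umask, so pin the mode explicitly. The key
  # is stored unencrypted, so anything wider than 0600 leaks it to other users.
  file:
    path: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
    mode: "0600"
  with_items: "{{ client_certs }}"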
- name: Generate client-specific openssl config
  # Render one openssl config per client_certs entry; the rendered file is what
  # the CSR and signing steps below pass to `-config`.
  with_items: "{{ client_certs }}"
  template:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/client_cnfs/{{ item.cn }}.cnf"
    src: client.cnf.j2
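- name: Generate client CSR
  # The subject goes through the `quote` filter instead of being wrapped in
  # literal double quotes: the command module splits the folded string into
  # arguments, and a subject containing a quote would otherwise break that
  # split (or inject extra arguments). `quote` handles spaces and quotes.
  command: >
    openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/client_cnfs/{{ item.cn }}.cnf
    -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
    -new -sha256 -subj {{ item.subj | quote }}
    -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
  with_items: "{{ client_certs }}"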
- name: Sign client cert
  # Issue the client certificate from its CSR with the intermediate CA.
  # `-batch` suppresses interactive prompts; the CA key passphrase is read
  # from a file (`-passin file:`) rather than placed on the command line.
  # `creates` skips re-signing once the certificate exists.
  with_items: "{{ client_certs }}"
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
  command: >
    openssl ca
    -config {{ pki_dir }}/{{ site_name }}_im_ca/client_cnfs/{{ item.cn }}.cnf
    -batch
    -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
    -extensions client_cert
    -days {{ cert_days }}
    -md {{ cert_digest }}
    -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
    -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
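- name: Verify cert against root + im chain
  # Read-only diagnostic: checks each issued client cert against the
  # intermediate chain. Its stdout is registered for the explicit assert that
  # follows (older openssl releases may not signal a failed verify through the
  # exit status, so the task does not rely on rc alone).
  command: >
    openssl verify -purpose sslclient
    -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
    {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
  changed_when: false  # never modifies anything; keep the run idempotent
  register: client_chain_verify
  with_items: "{{ client_certs }}"
  tags:
    - skip_ansible_lint  # diagnostic command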
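- name: Assert that verify of cert succeeded
  # Reference the registered result directly rather than templating stdout
  # into a quoted Jinja literal: a quote in the output would break the
  # expression, and Ansible warns about `{{ }}` inside conditionals. The rc
  # check is added so a non-zero exit is caught even if "OK" appears in stdout.
  assert:
    that:
      - item.rc == 0
      - "'OK' in item.stdout"
  with_items: "{{ client_chain_verify.results }}"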
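- name: Get the certs into client_certs var
  # Reads each issued client certificate (public data) into a registered
  # result; the chained-cert task below consumes `.results`. Read-only,
  # hence changed_when: false.
  command: >
    openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
  changed_when: false
  register: client_certs_raw
  with_items: "{{ client_certs }}"
  tags:
    - skip_ansible_lint  # concat of files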
- name: Create chained client cert
  # Write leaf + intermediate as one PEM file. Each `item` is a registered
  # command result, so the original loop entry is reached via `item.item`.
  with_items: "{{ client_certs_raw.results }}"
  copy:
    content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem"