| Zack Williams | c047c87 | 2017-01-11 08:38:15 -0700 | [diff] [blame] | 1 | --- |
| 2 | # pki-cert/tasks/main.yml |
| 3 | |
| 4 | - name: Generate server private key (no pw) |
| 5 | command: > |
| 6 | openssl genrsa |
| 7 | -out {{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem |
| 8 | args: |
| 9 | creates: "{{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem" |
| 10 | with_items: "{{ server_certs }}" |
| 11 | |
| 12 | - name: Generate server CSR |
| 13 | command: > |
| 14 | openssl req -config {{ pki_dir }}/intermediate_ca/openssl.cnf |
| 15 | -key {{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem |
| 16 | -new -sha256 -subj "{{ item.subj }}" |
| 17 | -out {{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem |
| 18 | args: |
| 19 | creates: "{{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem" |
| 20 | environment: |
| 21 | KEY_ALTNAMES: "{{ item.altnames | join(', ') }}" |
| 22 | with_items: "{{ server_certs }}" |
| 23 | |
| 24 | - name: Sign server cert |
| 25 | command: > |
| 26 | openssl ca -config {{ pki_dir }}/intermediate_ca/openssl.cnf -batch |
| 27 | -passin file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase |
| 28 | -extensions server_cert |
| 29 | -days {{ cert_days }} -md {{ cert_digest }} |
| 30 | -in {{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem |
| 31 | -out {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem |
| 32 | args: |
| 33 | creates: "{{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem" |
| 34 | environment: |
| 35 | KEY_ALTNAMES: "{{ item.altnames | join(', ') }}" |
| 36 | with_items: "{{ server_certs }}" |
| 37 | |
| 38 | - name: Verify cert against root + im chain |
| 39 | command: > |
| 40 | openssl verify -purpose sslserver |
| 41 | -CAfile {{ pki_dir }}/intermediate_ca/certs/im_cert_chain.pem |
| 42 | {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem |
| 43 | with_items: "{{ server_certs }}" |
| 44 | tags: |
| 45 | - skip_ansible_lint # diagnostic command |
| 46 | register: chain_verify |
| 47 | |
| 48 | - name: Assert that verify of cert succeeded |
| 49 | assert: |
| 50 | that: "'OK' in '{{ item.stdout }}'" |
| 51 | with_items: "{{ chain_verify.results }}" |
| 52 | |
| 53 | - name: Get the intermediate cert into im_cert var |
| 54 | command: > |
| 55 | openssl x509 -in {{ pki_dir }}/intermediate_ca/certs/im_cert.pem |
| 56 | register: im_cert |
| 57 | tags: |
| 58 | - skip_ansible_lint # concat of files |
| 59 | |
| 60 | - name: Get the cert into server_cert var |
| 61 | command: > |
| 62 | openssl x509 -in {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem |
| 63 | with_items: "{{ server_certs }}" |
| 64 | tags: |
| 65 | - skip_ansible_lint # concat of files |
| 66 | register: server_certs_raw |
| 67 | |
| 68 | - name: Create chained server cert |
| 69 | copy: |
| 70 | dest: "{{ pki_dir }}/intermediate_ca/certs/{{ item.item.cn }}_cert_chain.pem" |
| 71 | content: "{{ item.stdout }}\n{{ im_cert.stdout }}" |
| 72 | with_items: "{{ server_certs_raw.results }}" |
| 73 | |