Gitiles
Code Review Sign In
gerrit.opencord.org / platform-install / 864ba25e78d296d59d37f268394464d1b1ba58ce / . / roles / pki-intermediate-ca / tasks / main.yml
blob: 1323a67d98afd7d2baa5d1e71e8cbb051feaadae [file] [log] [blame]
Matteo Scandolo3896c472017-08-01 13:31:42 -0700[diff] [blame]1
2# Copyright 2017-present Open Networking Foundation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
16
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]17---
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]18# pki-intermediate-ca/tasks/main.yml
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]19
Zack Williams79286962017-07-10 12:24:37 -0700[diff] [blame]20# if the next two steps fail, may need to include `create-configdirs-become`
21# role to create these directories using become.
Andy Bavier1cac0012017-03-13 10:06:18 -0400[diff] [blame]22- name: Create PKI directory
Andy Bavier1cac0012017-03-13 10:06:18 -0400[diff] [blame]23 file:
24 dest: "{{ pki_dir }}"
25 state: directory
26 owner: "{{ ansible_user_id }}"
27 mode: 0755
28
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]29- name: Create intermediate CA directory
30 file:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]31 dest: "{{ pki_dir }}/{{ site_name }}_im_ca"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]32 state: directory
Zack Williams43d62b52017-01-23 07:34:45 -0700[diff] [blame]33 owner: "{{ ansible_user_id }}"
34 mode: 0755
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]35
36- name: Create intermediate CA openssl.cnf from template
37 template:
38 src: openssl_im.cnf.j2
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]39 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]40 force: no
41
42- name: Create subdirs for intermediate CA
43 file:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]44 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/{{ item }}"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]45 state: directory
46 with_items:
47 - certs
48 - crl
49 - csr
50 - newcerts
51
52- name: Create private CA directory
53 file:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]54 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]55 state: directory
56 mode: 0700
57
58- name: Create serial file
59 copy:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]60 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/serial"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]61 content: "01"
62 force: no
63
64- name: Create empty index file if it doesn't exist
65 copy:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]66 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/index.txt"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]67 content: ""
68 force: no
69
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]70- name: Save intermediate passphrase to sitename_im_ca/private/ca_im_phrase
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]71 copy:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]72 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]73 content: "{{ ca_im_phrase }}"
74 mode: 0400
75
76- name: Generate intermediate key
77 command: >
78 openssl genrsa -aes256
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]79 -out {{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem
80 -passout file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]81 {{ ca_size }}
82 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]83 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]84
85- name: Set permissions on intermediate key
86 file:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]87 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]88 mode: 0400
89
90- name: Create intermediate CSR
91 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]92 openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
93 -key {{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem
94 -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]95 -new -sha256 -subj "{{ ca_im_subj }}"
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]96 -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]97 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]98 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ site_name }}_im_ca_csr.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]99 environment:
100 KEY_ALTNAMES: ""
101
102- name: Create intermediate cert from CSR with root CA
103 command: >
104 openssl ca -config {{ pki_dir }}/root_ca/openssl.cnf -batch
105 -extensions v3_intermediate_ca
106 -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
107 -days {{ ca_im_days }} -md {{ ca_digest }}
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]108 -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem
109 -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]110 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]111 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]112
113- name: Verify intemediate cert
114 command: >
115 openssl verify
116 -CAfile {{ pki_dir }}/root_ca/certs/ca_cert.pem
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]117 {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]118 register: im_verify
119 tags:
120 - skip_ansible_lint # diagnostic command
121
122- name: Assert that verify of intermediate cert succeeded
123 assert:
124 that: "'OK' in '{{ im_verify.stdout }}'"
125
126- name: Get the root cert into ca_cert var
127 command: >
128 openssl x509 -in {{ pki_dir }}/root_ca/certs/ca_cert.pem
129 register: ca_cert
130 tags:
131 - skip_ansible_lint # concat of files
132
133- name: Get the intermediate cert into im_cert var
134 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]135 openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]136 register: im_cert
137 tags:
138 - skip_ansible_lint # concat of files
139
140- name: Create intermediate cert chain
141 copy:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]142 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]143 content: "{{ im_cert.stdout }}\n{{ ca_cert.stdout }}"
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]144