---
# Copyright 2017-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# pki-intermediate-ca/tasks/main.yml

# If the next two steps fail, you may need to include the `create-configdirs-become`
# role to create these directories using become.

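# Tasks for the pki-intermediate-ca role: build an intermediate CA under
# {{ pki_dir }}/{{ site_name }}_im_ca, sign it with the root CA kept in
# {{ pki_dir }}/root_ca, verify the result and assemble the cert chain.
#
# Variables expected from the caller: pki_dir, site_name, ca_im_phrase,
# ca_size, ca_im_subj, ca_im_days, ca_digest.
#
# File modes are quoted throughout: an unquoted 0755 is read as decimal 493 by
# YAML 1.1 loaders, which is not the intended permission bits.

- name: Create PKI directory
  file:
    dest: "{{ pki_dir }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"

- name: Create intermediate CA directory
  file:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"

- name: Create intermediate CA openssl.cnf from template
  template:
    src: openssl_im.cnf.j2
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf"
    # never overwrite an existing config: it is what `openssl req`/`openssl ca`
    # below operate against, and a re-render would silently change CA policy
    force: false

- name: Create subdirs for intermediate CA
  file:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/{{ item }}"
    state: directory
  with_items:
    - certs
    - client_cnfs
    - crl
    - csr
    - newcerts
    - server_cnfs

# Everything below private/ (passphrase file, private key) is owner-only.
- name: Create private CA directory
  file:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private"
    state: directory
    mode: "0700"

- name: Create serial file
  copy:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/serial"
    content: "01"
    # only seed the counter on first run; never reset an existing one
    force: false

- name: Create empty index file if it doesn't exist
  copy:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/index.txt"
    content: ""
    force: false

# The passphrase is written to a file so later openssl calls can read it via
# `-passout file:` / `-passin file:` instead of taking it on the command line.
- name: Save intermediate passphrase to sitename_im_ca/private/ca_im_phrase
  copy:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase"
    content: "{{ ca_im_phrase }}"
    mode: "0400"
  # keep the passphrase out of task output, --diff output and verbose logs
  no_log: true

- name: Generate intermediate key
  command: >
    openssl genrsa -aes256
    -out {{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem
    -passout file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
    {{ ca_size }}
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem"

# genrsa creates the key with the process umask; tighten it right away. The
# parent directory is 0700 already, so the key is never world-readable.
- name: Set permissions on intermediate key
  file:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem"
    mode: "0400"

- name: Create intermediate CSR
  command: >
    openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
    -key {{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem
    -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
    -new -sha256 -subj "{{ ca_im_subj }}"
    -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem
  args:
    # must match the -out path above: the guard previously pointed at certs/,
    # so it never matched and the CSR was regenerated on every run
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem"

- name: Create intermediate cert from CSR with root CA
  command: >
    openssl ca -config {{ pki_dir }}/root_ca/openssl.cnf -batch
    -extensions v3_intermediate_ca
    -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    -days {{ ca_im_days }} -md {{ ca_digest }}
    -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem
    -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem"

# Read-only check that the new cert chains to the root; the assert that
# follows fails the play if it does not.
- name: Verify intermediate cert
  command: >
    openssl verify
    -CAfile {{ pki_dir }}/root_ca/certs/ca_cert.pem
    {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
  register: im_verify
  changed_when: false
  tags:
    - skip_ansible_lint # diagnostic command

- name: Assert that verify of intermediate cert succeeded
  assert:
    # test the registered output directly rather than templating it into a
    # quoted literal, which broke on any quote character in the output
    that: "'OK' in im_verify.stdout"

# The next two tasks only print the PEM files so their contents can be
# concatenated into the chain file below.
- name: Get the root cert into ca_cert var
  command: >
    openssl x509 -in {{ pki_dir }}/root_ca/certs/ca_cert.pem
  register: ca_cert
  changed_when: false
  tags:
    - skip_ansible_lint # concat of files

- name: Get the intermediate cert into im_cert var
  command: >
    openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
  register: im_cert
  changed_when: false
  tags:
    - skip_ansible_lint # concat of files

# Chain order is leaf-most first: intermediate, then root.
- name: Create intermediate cert chain
  copy:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem"
    content: "{{ im_cert.stdout }}\n{{ ca_cert.stdout }}"
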
Zack Williams44845c62017-04-21 13:57:14 -0700143