Gitiles
Code Review Sign In
gerrit.opencord.org / platform-install / afd04a88572c13aa8b20ccc81b3c0099fa43b937 / . / roles / pki-cert / tasks / main.yml
blob: eff9183d0b192e5d9e4f15d016bf367c3a777a7a [file] [log] [blame]
Matteo Scandolo3896c472017-08-01 13:31:42 -0700[diff] [blame]1
2# Copyright 2017-present Open Networking Foundation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
16
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]17---
18# pki-cert/tasks/main.yml
19
20- name: Generate server private key (no pw)
21 command: >
22 openssl genrsa
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]23 -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]24 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]25 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]26 with_items: "{{ server_certs }}"
27
28- name: Generate server CSR
29 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]30 openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
31 -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]32 -new -sha256 -subj "{{ item.subj }}"
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]33 -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]34 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]35 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]36 environment:
37 KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
38 with_items: "{{ server_certs }}"
39
40- name: Sign server cert
41 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]42 openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf -batch
43 -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]44 -extensions server_cert
45 -days {{ cert_days }} -md {{ cert_digest }}
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]46 -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
47 -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]48 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]49 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]50 environment:
51 KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
52 with_items: "{{ server_certs }}"
53
54- name: Verify cert against root + im chain
55 command: >
56 openssl verify -purpose sslserver
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]57 -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
58 {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]59 with_items: "{{ server_certs }}"
60 tags:
61 - skip_ansible_lint # diagnostic command
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]62 register: server_chain_verify
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]63
64- name: Assert that verify of cert succeeded
65 assert:
66 that: "'OK' in '{{ item.stdout }}'"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]67 with_items: "{{ server_chain_verify.results }}"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]68
69- name: Get the intermediate cert into im_cert var
70 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]71 openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]72 register: im_cert
73 tags:
74 - skip_ansible_lint # concat of files
75
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]76- name: Get the certs into server_certs var
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]77 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]78 openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]79 with_items: "{{ server_certs }}"
80 tags:
81 - skip_ansible_lint # concat of files
82 register: server_certs_raw
83
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]84- name: Create chained server certs
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]85 copy:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]86 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]87 content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
88 with_items: "{{ server_certs_raw.results }}"
89
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]90- name: Generate client private key (no pw)
91 command: >
92 openssl genrsa
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]93 -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]94 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]95 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]96 with_items: "{{ client_certs }}"
97
98- name: Generate client CSR
99 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]100 openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
101 -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]102 -new -sha256 -subj "{{ item.subj }}"
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]103 -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]104 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]105 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]106 environment:
107 KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
108 with_items: "{{ client_certs }}"
109
110- name: Sign client cert
111 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]112 openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf -batch
113 -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]114 -extensions user_cert
115 -days {{ cert_days }} -md {{ cert_digest }}
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]116 -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
117 -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]118 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]119 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]120 environment:
121 KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
122 with_items: "{{ client_certs }}"
123
124- name: Verify cert against root + im chain
125 command: >
126 openssl verify -purpose sslclient
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]127 -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
128 {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]129 with_items: "{{ client_certs }}"
130 tags:
131 - skip_ansible_lint # diagnostic command
132 register: client_chain_verify
133
134- name: Assert that verify of cert succeeded
135 assert:
136 that: "'OK' in '{{ item.stdout }}'"
137 with_items: "{{ client_chain_verify.results }}"
138
139- name: Get the certs into client_certs var
140 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]141 openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]142 with_items: "{{ client_certs }}"
143 tags:
144 - skip_ansible_lint # concat of files
145 register: client_certs_raw
146
147- name: Create chained client cert
148 copy:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]149 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]150 content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
151 with_items: "{{ client_certs_raw.results }}"
152