Gitiles
Code Review Sign In
gerrit.opencord.org / platform-install / 36b1956a0ee4732965d180628cf412e1ebed11bf / . / roles / pki-cert / tasks / main.yml
blob: 80a9d65e176aed0da10a56a1487f6607bcfb2a8d [file] [log] [blame]
Matteo Scandolo3896c472017-08-01 13:31:42 -0700[diff] [blame]1
2# Copyright 2017-present Open Networking Foundation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
16
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]17---
18# pki-cert/tasks/main.yml
19
20- name: Generate server private key (no pw)
21 command: >
22 openssl genrsa
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]23 -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williams36b19562017-09-18 16:51:28 -0700[diff] [blame^]24 {{ cert_size }}
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]25 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]26 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]27 with_items: "{{ server_certs }}"
28
29- name: Generate server CSR
30 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]31 openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
32 -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]33 -new -sha256 -subj "{{ item.subj }}"
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]34 -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]35 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]36 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]37 environment:
38 KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
39 with_items: "{{ server_certs }}"
40
41- name: Sign server cert
42 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]43 openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf -batch
44 -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]45 -extensions server_cert
46 -days {{ cert_days }} -md {{ cert_digest }}
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]47 -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
48 -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]49 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]50 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]51 environment:
52 KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
53 with_items: "{{ server_certs }}"
54
55- name: Verify cert against root + im chain
56 command: >
57 openssl verify -purpose sslserver
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]58 -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
59 {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]60 with_items: "{{ server_certs }}"
61 tags:
62 - skip_ansible_lint # diagnostic command
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]63 register: server_chain_verify
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]64
65- name: Assert that verify of cert succeeded
66 assert:
67 that: "'OK' in '{{ item.stdout }}'"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]68 with_items: "{{ server_chain_verify.results }}"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]69
70- name: Get the intermediate cert into im_cert var
71 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]72 openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]73 register: im_cert
74 tags:
75 - skip_ansible_lint # concat of files
76
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]77- name: Get the certs into server_certs var
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]78 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]79 openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]80 with_items: "{{ server_certs }}"
81 tags:
82 - skip_ansible_lint # concat of files
83 register: server_certs_raw
84
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]85- name: Create chained server certs
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]86 copy:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]87 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]88 content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
89 with_items: "{{ server_certs_raw.results }}"
90
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]91- name: Generate client private key (no pw)
92 command: >
93 openssl genrsa
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]94 -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williams36b19562017-09-18 16:51:28 -0700[diff] [blame^]95 {{ cert_size }}
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]96 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]97 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]98 with_items: "{{ client_certs }}"
99
100- name: Generate client CSR
101 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]102 openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
103 -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]104 -new -sha256 -subj "{{ item.subj }}"
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]105 -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]106 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]107 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]108 environment:
109 KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
110 with_items: "{{ client_certs }}"
111
112- name: Sign client cert
113 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]114 openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf -batch
115 -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]116 -extensions user_cert
117 -days {{ cert_days }} -md {{ cert_digest }}
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]118 -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
119 -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]120 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]121 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]122 environment:
123 KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
124 with_items: "{{ client_certs }}"
125
126- name: Verify cert against root + im chain
127 command: >
128 openssl verify -purpose sslclient
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]129 -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
130 {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]131 with_items: "{{ client_certs }}"
132 tags:
133 - skip_ansible_lint # diagnostic command
134 register: client_chain_verify
135
136- name: Assert that verify of cert succeeded
137 assert:
138 that: "'OK' in '{{ item.stdout }}'"
139 with_items: "{{ client_chain_verify.results }}"
140
141- name: Get the certs into client_certs var
142 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]143 openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]144 with_items: "{{ client_certs }}"
145 tags:
146 - skip_ansible_lint # concat of files
147 register: client_certs_raw
148
149- name: Create chained client cert
150 copy:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]151 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]152 content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
153 with_items: "{{ client_certs_raw.results }}"
154