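---
# pki-root-ca/tasks/main.yml
#
# Lays out a root CA directory tree under {{ pki_dir }}/root_ca and
# generates the root key and the self-signed root certificate with openssl.
# Every generating step carries a `creates:` guard, so re-running the role
# never overwrites an existing key or certificate.

- name: Create credentials directory
  become: true
  file:
    dest: "{{ credentials_dir }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    # modes are quoted: a bare 0700 is an octal int to YAML 1.1 parsers
    mode: "0700"

- name: Create PKI directory
  become: true
  file:
    dest: "{{ pki_dir }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"

- name: Create root CA directory
  become: true
  file:
    dest: "{{ pki_dir }}/root_ca"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"

- name: Create root CA openssl.cnf from template
  template:
    src: openssl_root.cnf.j2
    dest: "{{ pki_dir }}/root_ca/openssl.cnf"
    # never replace a config that may have been hand-edited after the first run
    force: false

- name: Create subdirs for root CA
  file:
    dest: "{{ pki_dir }}/root_ca/{{ item }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"
  with_items:
    - certs
    - crl
    - newcerts

- name: Create private CA directory
  file:
    dest: "{{ pki_dir }}/root_ca/private"
    state: directory
    owner: "{{ ansible_user_id }}"
    # holds the CA key and its passphrase: owner-only access
    mode: "0700"

- name: Create serial file
  copy:
    dest: "{{ pki_dir }}/root_ca/serial"
    content: "1000"
    force: false

- name: Create empty index file if it doesn't exist
  copy:
    dest: "{{ pki_dir }}/root_ca/index.txt"
    content: ""
    force: false
    owner: "{{ ansible_user_id }}"
    # plain data file written by `openssl ca`; it needs no execute bit
    mode: "0644"

- name: Save root passphrase to root_ca/private/ca_root_phrase
  copy:
    dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase"
    content: "{{ ca_root_phrase }}"
    owner: "{{ ansible_user_id }}"
    mode: "0400"
  # the passphrase is a secret: keep it out of task output, --diff and logs
  no_log: true

- name: Generate root key
  # the passphrase is read from the file above, so it never appears on the
  # command line or in the process list
  command: >
    openssl genrsa -aes256
    -out {{ pki_dir }}/root_ca/private/ca_key.pem
    -passout file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    {{ ca_size }}
  args:
    creates: "{{ pki_dir }}/root_ca/private/ca_key.pem"

- name: Set permissions on root key
  file:
    dest: "{{ pki_dir }}/root_ca/private/ca_key.pem"
    owner: "{{ ansible_user_id }}"
    mode: "0400"

- name: Create root certificate
  command: >
    openssl req -config {{ pki_dir }}/root_ca/openssl.cnf
    -key {{ pki_dir }}/root_ca/private/ca_key.pem
    -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    -new -x509 -days {{ ca_root_days }}
    -sha256 -extensions v3_ca
    -subj "{{ ca_root_subj }}"
    -out {{ pki_dir }}/root_ca/certs/ca_cert.pem
  args:
    creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"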