---
# pki-cert/tasks/main.yml
#
# Issues server and client certificates from the site's intermediate CA
# ({{ pki_dir }}/{{ site_name }}_im_ca). For each entry in server_certs and
# client_certs the tasks below generate a key, build a CSR, sign it with the
# intermediate CA, chain-verify the result and write a leaf+intermediate
# bundle. Every openssl step uses `creates:` so re-runs never overwrite
# existing keys or certificates.

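# Generate an unencrypted ("no pw") RSA key for each server cert so services
# can load it without an interactive passphrase. The key size is given
# explicitly rather than left to the OpenSSL build's default, which has
# differed between releases; override with rsa_key_bits (default 2048).
# openssl genrsa requires the bit count to be the last argument.
# `creates:` keeps the task idempotent: an existing key is never regenerated,
# so changing rsa_key_bits does not rotate keys already on disk.
# NOTE(review): the key file's mode follows the process umask; this assumes
# the private/ directory itself is access-restricted — confirm in the CA setup.
- name: Generate server private key (no pw)
  command: >
    openssl genrsa
    -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
    {{ rsa_key_bits | default(2048) }}
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
  with_items: "{{ server_certs }}"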
11
# Build a CSR for each server cert from the key generated above.
# The CSR's own signature digest is fixed at sha256 here; cert_digest only
# controls the digest the CA signs with later. Subject alternative names are
# not passed on the command line: KEY_ALTNAMES is exported for openssl.cnf,
# which presumably reads it via ${ENV::KEY_ALTNAMES} — confirm in the CA role.
# Skipped when the CSR file already exists.
- name: Generate server CSR
  environment:
    KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
  command: >
    openssl req
    -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
    -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
    -new
    -sha256
    -subj "{{ item.subj }}"
    -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
  args:
    creates: '{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem'
  with_items: "{{ server_certs }}"
23
# Sign each server CSR with the intermediate CA.
#   -batch            no interactive confirmation
#   -passin file:...  CA key passphrase is read from a file in private/, so it
#                     never appears on the command line or in process listings
#   -extensions       picks the server_cert section of openssl.cnf
#   -days / -md       lifetime and signing digest come from role variables
# KEY_ALTNAMES is exported again, presumably because the extension section in
# openssl.cnf reads the SANs from the environment — confirm in the CA role.
# Skipped when the certificate file already exists.
- name: Sign server cert
  environment:
    KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
  command: >
    openssl ca
    -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
    -batch
    -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
    -extensions server_cert
    -days {{ cert_days }}
    -md {{ cert_digest }}
    -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
    -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
  args:
    creates: '{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem'
  with_items: "{{ server_certs }}"
37
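# Chain-check each issued server cert against the intermediate+root bundle,
# with the sslserver purpose so key-usage/EKU are checked too. `command`
# fails the play on a non-zero exit; the textual verdict is asserted in the
# next task as well, since some older OpenSSL releases exit 0 from
# `openssl verify` even when validation fails. The check is read-only, so
# it is reported as unchanged instead of "changed" on every run (which is
# also why ansible-lint is told to skip it).
- name: Verify cert against root + im chain
  command: >
    openssl verify -purpose sslserver
    -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
    {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
  with_items: "{{ server_certs }}"
  changed_when: false
  register: server_chain_verify
  tags:
    - skip_ansible_lint  # diagnostic command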
Zack Williamsc047c872017-01-11 08:38:15 -070047
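# Assert on the textual verdict of `openssl verify` for every server cert.
# item.stdout is referenced as a variable inside the expression instead of
# being templated into a quoted literal, so a quote character in the command
# output cannot break or alter the test; item.item is the original
# server_certs entry, used to name the failing cert.
- name: Assert that verify of cert succeeded
  assert:
    that: "'OK' in item.stdout"
    msg: "Chain verification failed for {{ item.item.cn }}: {{ item.stdout }}"
  with_items: "{{ server_chain_verify.results }}"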
Zack Williamsc047c872017-01-11 08:38:15 -070052
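# Capture the intermediate CA certificate (PEM) in im_cert.stdout so it can be
# appended to each leaf cert below. Purely a read, so it is never reported as
# "changed"; the lint skip stays because a raw command is used in place of a
# file read.
- name: Get the intermediate cert into im_cert var
  command: >
    openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
  changed_when: false
  register: im_cert
  tags:
    - skip_ansible_lint  # concat of files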
59
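# Read back each issued server certificate (PEM) into server_certs_raw.results;
# each result's .item is the originating server_certs entry. Purely a read,
# so it is never reported as "changed"; the lint skip stays because a raw
# command is used in place of a file read.
- name: Get the certs into server_certs var
  command: >
    openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
  with_items: "{{ server_certs }}"
  changed_when: false
  register: server_certs_raw
  tags:
    - skip_ansible_lint  # concat of files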
67
# Write a leaf-first bundle (server cert, newline, intermediate cert) for each
# server — the order TLS servers expect when presenting a chain. `item` is a
# registered command result, so the cert PEM is item.stdout and the original
# server_certs entry is item.item. Double quotes are required for the "\n".
- name: Create chained server certs
  with_items: "{{ server_certs_raw.results }}"
  copy:
    content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
    dest: '{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem'
73
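# Generate an unencrypted ("no pw") RSA key for each client cert. The key
# size is given explicitly rather than left to the OpenSSL build's default,
# which has differed between releases; override with rsa_key_bits
# (default 2048). openssl genrsa requires the bit count to be the last
# argument. `creates:` keeps the task idempotent: an existing key is never
# regenerated, so changing rsa_key_bits does not rotate keys already on disk.
# NOTE(review): the key file's mode follows the process umask; this assumes
# the private/ directory itself is access-restricted — confirm in the CA setup.
- name: Generate client private key (no pw)
  command: >
    openssl genrsa
    -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
    {{ rsa_key_bits | default(2048) }}
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
  with_items: "{{ client_certs }}"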
81
# Build a CSR for each client cert from the key generated above.
# The CSR's own signature digest is fixed at sha256 here; cert_digest only
# controls the digest the CA signs with later. Subject alternative names are
# not passed on the command line: KEY_ALTNAMES is exported for openssl.cnf,
# which presumably reads it via ${ENV::KEY_ALTNAMES} — confirm in the CA role.
# Skipped when the CSR file already exists.
- name: Generate client CSR
  environment:
    KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
  command: >
    openssl req
    -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
    -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
    -new
    -sha256
    -subj "{{ item.subj }}"
    -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
  args:
    creates: '{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem'
  with_items: "{{ client_certs }}"
93
# Sign each client CSR with the intermediate CA.
#   -batch            no interactive confirmation
#   -passin file:...  CA key passphrase is read from a file in private/, so it
#                     never appears on the command line or in process listings
#   -extensions       picks the user_cert section of openssl.cnf (client EKU)
#   -days / -md       lifetime and signing digest come from role variables
# KEY_ALTNAMES is exported again, presumably because the extension section in
# openssl.cnf reads the SANs from the environment — confirm in the CA role.
# Skipped when the certificate file already exists.
- name: Sign client cert
  environment:
    KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
  command: >
    openssl ca
    -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
    -batch
    -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
    -extensions user_cert
    -days {{ cert_days }}
    -md {{ cert_digest }}
    -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
    -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
  args:
    creates: '{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem'
  with_items: "{{ client_certs }}"
107
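# Chain-check each issued client cert against the intermediate+root bundle,
# with the sslclient purpose so key-usage/EKU are checked too. `command`
# fails the play on a non-zero exit; the textual verdict is asserted in the
# next task as well, since some older OpenSSL releases exit 0 from
# `openssl verify` even when validation fails. The check is read-only, so
# it is reported as unchanged instead of "changed" on every run (which is
# also why ansible-lint is told to skip it).
- name: Verify cert against root + im chain
  command: >
    openssl verify -purpose sslclient
    -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
    {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
  with_items: "{{ client_certs }}"
  changed_when: false
  register: client_chain_verify
  tags:
    - skip_ansible_lint  # diagnostic command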
117
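# Assert on the textual verdict of `openssl verify` for every client cert.
# item.stdout is referenced as a variable inside the expression instead of
# being templated into a quoted literal, so a quote character in the command
# output cannot break or alter the test; item.item is the original
# client_certs entry, used to name the failing cert.
- name: Assert that verify of cert succeeded
  assert:
    that: "'OK' in item.stdout"
    msg: "Chain verification failed for {{ item.item.cn }}: {{ item.stdout }}"
  with_items: "{{ client_chain_verify.results }}"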
122
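# Read back each issued client certificate (PEM) into client_certs_raw.results;
# each result's .item is the originating client_certs entry. Purely a read,
# so it is never reported as "changed"; the lint skip stays because a raw
# command is used in place of a file read.
- name: Get the certs into client_certs var
  command: >
    openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
  with_items: "{{ client_certs }}"
  changed_when: false
  register: client_certs_raw
  tags:
    - skip_ansible_lint  # concat of files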
130
# Write a leaf-first bundle (client cert, newline, intermediate cert) for each
# client, matching the layout of the server chain files. `item` is a
# registered command result, so the cert PEM is item.stdout and the original
# client_certs entry is item.item. Double quotes are required for the "\n".
- name: Create chained client cert
  with_items: "{{ client_certs_raw.results }}"
  copy:
    content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
    dest: '{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem'
136