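---
# pki-ca/tasks/main.yml
#
# Builds an intermediate CA under {{ pki_dir }}/intermediate_ca and has it
# signed by the root CA under {{ pki_dir }}/root_ca (the root CA directory,
# its openssl.cnf and ca_root_phrase must already exist). Key, CSR and cert
# generation are guarded with `creates:` so a re-run never regenerates key
# material.

- name: Create intermediate CA directory
  become: true
  file:
    dest: "{{ pki_dir }}/intermediate_ca"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"  # quoted so the octal literal is passed through unchanged

- name: Create intermediate CA openssl.cnf from template
  template:
    src: openssl_im.cnf.j2
    dest: "{{ pki_dir }}/intermediate_ca/openssl.cnf"
    force: false  # keep an existing (possibly hand-edited) config on re-runs

- name: Create subdirs for intermediate CA
  file:
    dest: "{{ pki_dir }}/intermediate_ca/{{ item }}"
    state: directory
  with_items:
    - certs
    - crl
    - csr
    - newcerts

- name: Create private CA directory
  file:
    dest: "{{ pki_dir }}/intermediate_ca/private"
    state: directory
    mode: "0700"  # holds the CA key and its passphrase; owner-only access

- name: Create serial file
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/serial"
    content: "01"
    force: false  # never reset the serial counter of an existing CA

- name: Create empty index file if it doesn't exist
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/index.txt"
    content: ""
    force: false  # index.txt is the CA's issuance database; never truncate it

- name: Save intermediate passphrase to intermediate_ca/private/ca_im_phrase
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/private/ca_im_phrase"
    content: "{{ ca_im_phrase }}"
    mode: "0400"
  no_log: true  # keep the passphrase out of task output and logs

- name: Generate intermediate key
  command: >
    openssl genrsa -aes256
    -out {{ pki_dir }}/intermediate_ca/private/im_key.pem
    -passout file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
    {{ ca_size }}
  args:
    creates: "{{ pki_dir }}/intermediate_ca/private/im_key.pem"

- name: Set permissions on intermediate key
  file:
    dest: "{{ pki_dir }}/intermediate_ca/private/im_key.pem"
    mode: "0400"

- name: Create intermediate CSR
  command: >
    openssl req -config {{ pki_dir }}/intermediate_ca/openssl.cnf
    -key {{ pki_dir }}/intermediate_ca/private/im_key.pem
    -passin file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
    -new -sha256 -subj "{{ ca_im_subj }}"
    -out {{ pki_dir }}/intermediate_ca/csr/intermediate_ca_csr.pem
  args:
    # must match the -out path above; pointing it at certs/ meant the guard
    # never matched, so the CSR was rewritten on every play
    creates: "{{ pki_dir }}/intermediate_ca/csr/intermediate_ca_csr.pem"
  environment:
    # presumably consumed by openssl.cnf; empty for a CA CSR — confirm in template
    KEY_ALTNAMES: ""

- name: Create intermediate cert from CSR with root CA
  command: >
    openssl ca -config {{ pki_dir }}/root_ca/openssl.cnf -batch
    -extensions v3_intermediate_ca
    -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    -days {{ ca_im_days }} -md {{ ca_digest }}
    -in {{ pki_dir }}/intermediate_ca/csr/intermediate_ca_csr.pem
    -out {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
  args:
    creates: "{{ pki_dir }}/intermediate_ca/certs/im_cert.pem"

- name: Verify intemediate cert
  command: >
    openssl verify
    -CAfile {{ pki_dir }}/root_ca/certs/ca_cert.pem
    {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
  register: im_verify
  changed_when: false  # read-only check
  tags:
    - skip_ansible_lint  # diagnostic command

- name: Assert that verify of intermediate cert succeeded
  assert:
    # test the registered variable directly instead of templating the
    # command output into a quoted Jinja literal, which breaks (or changes
    # the expression) if the output ever contains a quote
    that: "'OK' in im_verify.stdout"

- name: Get the root cert into ca_cert var
  command: >
    openssl x509 -in {{ pki_dir }}/root_ca/certs/ca_cert.pem
  register: ca_cert
  changed_when: false  # read-only
  tags:
    - skip_ansible_lint  # concat of files

- name: Get the intermediate cert into im_cert var
  command: >
    openssl x509 -in {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
  register: im_cert
  changed_when: false  # read-only
  tags:
    - skip_ansible_lint  # concat of files

- name: Create intermediate cert chain
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/certs/im_cert_chain.pem"
    # intermediate first, then root
    content: "{{ im_cert.stdout }}\n{{ ca_cert.stdout }}"
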
120