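---
# pki-ca/tasks/main.yml
#
# Builds an intermediate CA under {{ pki_dir }}/intermediate_ca and signs it
# with a root CA expected to already exist under {{ pki_dir }}/root_ca.
# Every task that produces key material or a certificate is guarded with
# `creates:` so a re-run never overwrites an existing key, CSR or cert.

- name: Create intermediate CA directory
  file:
    dest: "{{ pki_dir }}/intermediate_ca"
    state: directory

- name: Create intermediate CA openssl.cnf from template
  template:
    src: openssl_im.cnf.j2
    dest: "{{ pki_dir }}/intermediate_ca/openssl.cnf"
    force: false  # never clobber a hand-edited config

- name: Create subdirs for intermediate CA
  file:
    dest: "{{ pki_dir }}/intermediate_ca/{{ item }}"
    state: directory
  with_items:
    - certs
    - crl
    - csr
    - newcerts

- name: Create private CA directory
  file:
    dest: "{{ pki_dir }}/intermediate_ca/private"
    state: directory
    # modes are quoted so a YAML 1.1 parser does not turn the octal into an int
    mode: "0700"

- name: Create serial file
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/serial"
    content: "01"
    force: false  # the serial advances as certs are issued; only seed it once

- name: Create empty index file if it doesn't exist
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/index.txt"
    content: ""
    force: false

- name: Save intermediate passphrase to intermediate_ca/private/ca_im_phrase
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/private/ca_im_phrase"
    content: "{{ ca_im_phrase }}"
    mode: "0400"
  # keep the passphrase out of task output, --diff output and log files
  no_log: true

- name: Generate intermediate key
  command: >
    openssl genrsa -aes256
    -out {{ pki_dir }}/intermediate_ca/private/im_key.pem
    -passout file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
    {{ ca_size }}
  args:
    creates: "{{ pki_dir }}/intermediate_ca/private/im_key.pem"

- name: Set permissions on intermediate key
  file:
    dest: "{{ pki_dir }}/intermediate_ca/private/im_key.pem"
    mode: "0400"

- name: Create intermediate CSR
  command: >
    openssl req -config {{ pki_dir }}/intermediate_ca/openssl.cnf
    -key {{ pki_dir }}/intermediate_ca/private/im_key.pem
    -passin file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
    -new -sha256 -subj "{{ ca_im_subj }}"
    -out {{ pki_dir }}/intermediate_ca/csr/intermediate_ca_csr.pem
  args:
    # must match the -out path above (csr/, not certs/); otherwise the guard
    # never matches and the CSR is regenerated on every run
    creates: "{{ pki_dir }}/intermediate_ca/csr/intermediate_ca_csr.pem"
  environment:
    # presumably referenced by the templated openssl.cnf; empty for a CA CSR
    KEY_ALTNAMES: ""

- name: Create intermediate cert from CSR with root CA
  command: >
    openssl ca -config {{ pki_dir }}/root_ca/openssl.cnf -batch
    -extensions v3_intermediate_ca
    -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    -days {{ ca_im_days }} -md {{ ca_digest }}
    -in {{ pki_dir }}/intermediate_ca/csr/intermediate_ca_csr.pem
    -out {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
  args:
    creates: "{{ pki_dir }}/intermediate_ca/certs/im_cert.pem"

- name: Verify intemediate cert
  command: >
    openssl verify
    -CAfile {{ pki_dir }}/root_ca/certs/ca_cert.pem
    {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
  register: im_verify
  changed_when: false  # read-only check, should never report a change
  tags:
    - skip_ansible_lint  # diagnostic command

- name: Assert that verify of intermediate cert succeeded
  assert:
    # test the registered value directly instead of templating stdout into
    # the expression, where a quote in the output would break the test
    that: "'OK' in im_verify.stdout"

- name: Get the root cert into ca_cert var
  command: >
    openssl x509 -in {{ pki_dir }}/root_ca/certs/ca_cert.pem
  register: ca_cert
  changed_when: false  # read-only
  tags:
    - skip_ansible_lint  # concat of files

- name: Get the intermediate cert into im_cert var
  command: >
    openssl x509 -in {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
  register: im_cert
  changed_when: false  # read-only
  tags:
    - skip_ansible_lint  # concat of files

- name: Create intermediate cert chain
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/certs/im_cert_chain.pem"
    # intermediate first, then the root that signed it
    content: "{{ im_cert.stdout }}\n{{ ca_cert.stdout }}"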
117