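---
# pki-root-ca/tasks/main.yml
#
# Bootstraps an OpenSSL-based root CA under {{ pki_dir }}/root_ca: directory
# layout, openssl.cnf, serial/index database, an AES-encrypted root key and a
# self-signed root certificate. Key and certificate generation are guarded
# with `creates:`, and most files with `force: false`, so a re-run does not
# regenerate an existing CA. Octal modes are quoted throughout so YAML
# cannot reinterpret them as decimal integers.

# Owned by the connecting user and closed to everyone else (0700); this
# directory presumably holds the role's secret material — confirm against
# the callers that set credentials_dir.
- name: Make sure credentials directory has proper ownership
  become: true
  file:
    dest: "{{ credentials_dir }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0700"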
11
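# Top-level CA directory. Only public material (certs/, crl/, openssl.cnf,
# the serial/index database) lives directly under it, so world-readable is
# acceptable; private/ below is created 0700 separately.
- name: Create root CA directory
  become: true
  file:
    dest: "{{ pki_dir }}/root_ca"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"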
Zack Williamsc047c872017-01-11 08:38:15 -070019
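# Rendered once only: `force: false` leaves an existing openssl.cnf alone,
# which preserves hand edits but also means later changes to the template
# are NOT applied to an already-initialised CA.
- name: Create root CA openssl.cnf from template
  template:
    src: openssl_root.cnf.j2
    dest: "{{ pki_dir }}/root_ca/openssl.cnf"
    force: false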
25
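# Public working directories used by `openssl ca` (issued certs, CRLs and
# the newcerts archive). No `become:` here: the parent was just chowned to
# ansible_user_id, so the connecting user can create these itself.
- name: Create subdirs for root CA
  file:
    dest: "{{ pki_dir }}/root_ca/{{ item }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"
  with_items:
    - certs
    - crl
    - newcerts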
36
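# Holds the root key and its passphrase file. 0700 on the directory is the
# main access control for both — the per-file 0400 modes set later are
# defence in depth on top of this.
- name: Create private CA directory
  file:
    dest: "{{ pki_dir }}/root_ca/private"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0700"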
43
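# Initial serial number for certificates issued by this CA (the value is
# read by `openssl ca` as hexadecimal). Seeded only once — `force: false`
# must never overwrite it, or the CA would start reissuing serial numbers.
- name: Create serial file
  copy:
    dest: "{{ pki_dir }}/root_ca/serial"
    content: "1000"
    force: false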
49
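# The CA's certificate database, created empty. It is a plain text file that
# OpenSSL appends to, so it needs no execute bit: 0644 instead of 0755
# (least privilege; nothing ever runs this file).
- name: Create empty index file if it doesn't exist
  copy:
    dest: "{{ pki_dir }}/root_ca/index.txt"
    content: ""
    force: false
    owner: "{{ ansible_user_id }}"
    mode: "0644"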
Zack Williamsc047c872017-01-11 08:38:15 -070057
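# The passphrase that encrypts ca_key.pem is stored in cleartext right next
# to the key it protects, so the key's AES wrapping only helps against a
# copy of ca_key.pem taken on its own; the 0700 private/ directory is what
# actually protects both. `no_log` keeps ca_root_phrase out of verbose task
# output, `--diff` output and callback logs.
# NOTE: there is no `force: false` here, so changing ca_root_phrase rewrites
# this file while the existing key stays encrypted under the old phrase and
# can no longer be opened by the tasks below.
- name: Save root passphrase to root_ca/private/ca_root_phrase
  no_log: true
  copy:
    dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase"
    content: "{{ ca_root_phrase }}"
    owner: "{{ ansible_user_id }}"
    mode: "0400"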
64
# Generate the AES-256-encrypted RSA root key of {{ ca_size }} bits. The
# passphrase is read from the file written above (`-passout file:`), so it
# never appears on the command line or in the process list. `creates:` makes
# this a one-shot: an existing key is never regenerated. The file is written
# with whatever mode openssl/umask produce and is only tightened to 0400 by
# the next task; private/ being 0700 covers that window.
- name: Generate root key
  command: >
    openssl genrsa -aes256
    -out {{ pki_dir }}/root_ca/private/ca_key.pem
    -passout file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    {{ ca_size }}
  args:
    creates: "{{ pki_dir }}/root_ca/private/ca_key.pem"
73
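# Owner-read-only on the root key; runs on every play so a loosened mode is
# corrected rather than silently left in place.
- name: Set permissions on root key
  file:
    dest: "{{ pki_dir }}/root_ca/private/ca_key.pem"
    owner: "{{ ansible_user_id }}"
    mode: "0400"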
79
# Self-signed root certificate from the key above, SHA-256 signed, valid for
# {{ ca_root_days }} days, with the v3_ca extensions from openssl.cnf. The
# passphrase again comes from the file, not the command line. `command`
# (not `shell`) means ca_root_subj is shlex-split rather than shell-expanded,
# but an embedded double quote in that variable would still break the
# -subj argument — keep the subject under playbook control.
# NOTE: `creates:` only checks the certificate, so if ca_key.pem were ever
# regenerated the stale certificate would no longer match the new key.
- name: Create root certificate
  command: >
    openssl req -config {{ pki_dir }}/root_ca/openssl.cnf
    -key {{ pki_dir }}/root_ca/private/ca_key.pem
    -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    -new -x509 -days {{ ca_root_days }}
    -sha256 -extensions v3_ca
    -subj "{{ ca_root_subj }}"
    -out {{ pki_dir }}/root_ca/certs/ca_cert.pem
  args:
    creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"
91