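---
# pki-cert/tasks/main.yml
#
# For each entry in server_certs and client_certs: generate an RSA key,
# build a CSR, sign it with the intermediate CA, verify the chain and write
# a leaf+intermediate chain file. Every generation step is guarded by
# `creates:`, so existing artifacts are never regenerated: a changed subj /
# altnames or an expired cert needs the stale file removed by hand (and,
# depending on openssl.cnf's unique_subject setting, the CA index entry).

- name: Generate server private key (no pw)
  # Key size is pinned explicitly: without a numbits argument genrsa uses
  # the OpenSSL build's default, which has differed between releases.
  command: >
    openssl genrsa
    -out {{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem
    2048
  args:
    creates: "{{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem"
  with_items: "{{ server_certs }}"

- name: Restrict server private key permissions
  # Unencrypted key: whether genrsa itself creates the file 0600 depends on
  # the OpenSSL version and the umask, so enforce it here regardless.
  file:
    path: "{{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem"
    mode: "0600"
  with_items: "{{ server_certs }}"
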
- name: Generate server CSR
  # Subject comes from item.subj; altnames are exported as KEY_ALTNAMES for
  # the openssl.cnf in use (presumably consumed by its SAN section — confirm).
  # Guarded by creates:, so it is not re-run once the CSR exists, even if
  # subj/altnames were changed afterwards.
  environment:
    KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
  command: >
    openssl req
    -config {{ pki_dir }}/intermediate_ca/openssl.cnf
    -key {{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem
    -new -sha256
    -subj "{{ item.subj }}"
    -out {{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem
  args:
    creates: "{{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem"
  with_items: "{{ server_certs }}"

- name: Sign server cert
  # openssl ca runs non-interactively (-batch); the intermediate CA key
  # passphrase is read from the ca_im_phrase file instead of a prompt.
  # Validity and signature digest come from cert_days / cert_digest and the
  # server_cert extension section of openssl.cnf is applied.
  # Guarded by creates:, so an expired cert is NOT re-issued automatically.
  environment:
    KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
  command: >
    openssl ca -batch
    -config {{ pki_dir }}/intermediate_ca/openssl.cnf
    -passin file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
    -extensions server_cert
    -days {{ cert_days }}
    -md {{ cert_digest }}
    -in {{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem
    -out {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
  args:
    creates: "{{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem"
  with_items: "{{ server_certs }}"

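- name: Verify server cert against root + im chain
  # Diagnostic only: checks each freshly signed leaf against the
  # root+intermediate bundle with the sslserver purpose. The output is
  # inspected by the assert below; the command itself changes nothing.
  command: >
    openssl verify -purpose sslserver
    -CAfile {{ pki_dir }}/intermediate_ca/certs/im_cert_chain.pem
    {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
  with_items: "{{ server_certs }}"
  register: server_chain_verify
  changed_when: false
  tags:
    - skip_ansible_lint # diagnostic command

- name: Assert that verify of server cert succeeded
  # A bare `'OK' in stdout` is not a reliable pass signal: older OpenSSL
  # releases print the failure line ("error N at D depth lookup:...") and
  # then still print "OK" and exit 0 for some errors (expired cert and wrong
  # purpose among them). Require the trailing OK *and* the absence of an
  # error line. item.stdout is referenced directly instead of being
  # templated into the expression, so quotes in the output cannot break it.
  assert:
    that:
      - "item.stdout.endswith('OK')"
      - "'depth lookup' not in item.stdout"
  with_items: "{{ server_chain_verify.results }}"
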
- name: Get the intermediate cert into im_cert var
  # Dumps the intermediate CA certificate (public, PEM) into im_cert.stdout
  # so it can be appended to every leaf cert when the chain files are built.
  register: im_cert
  tags:
    - skip_ansible_lint # concat of files
  command: >
    openssl x509
    -in {{ pki_dir }}/intermediate_ca/certs/im_cert.pem

- name: Get the certs into server_certs var
  # Dumps each signed server leaf cert (PEM) into server_certs_raw.results;
  # the chain files are assembled from that output in the next task.
  register: server_certs_raw
  tags:
    - skip_ansible_lint # concat of files
  command: >
    openssl x509
    -in {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
  with_items: "{{ server_certs }}"

- name: Create chained server certs
  # Leaf cert first, intermediate second — the order a TLS server presents
  # its chain in. Public material only, so no explicit mode is set.
  copy:
    content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
    dest: "{{ pki_dir }}/intermediate_ca/certs/{{ item.item.cn }}_cert_chain.pem"
  with_items: "{{ server_certs_raw.results }}"

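- name: Generate client private key (no pw)
  # Key size is pinned explicitly: without a numbits argument genrsa uses
  # the OpenSSL build's default, which has differed between releases.
  command: >
    openssl genrsa
    -out {{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem
    2048
  args:
    creates: "{{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem"
  with_items: "{{ client_certs }}"

- name: Restrict client private key permissions
  # Unencrypted key: whether genrsa itself creates the file 0600 depends on
  # the OpenSSL version and the umask, so enforce it here regardless.
  file:
    path: "{{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem"
    mode: "0600"
  with_items: "{{ client_certs }}"
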
- name: Generate client CSR
  # Same shape as the server CSR task: subject from item.subj, altnames
  # exported as KEY_ALTNAMES for openssl.cnf (presumably its SAN section —
  # confirm). Skipped once the CSR file exists.
  environment:
    KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
  command: >
    openssl req
    -config {{ pki_dir }}/intermediate_ca/openssl.cnf
    -key {{ pki_dir }}/intermediate_ca/private/{{ item.cn }}_key.pem
    -new -sha256
    -subj "{{ item.subj }}"
    -out {{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem
  args:
    creates: "{{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem"
  with_items: "{{ client_certs }}"

- name: Sign client cert
  # Identical to the server signing task except that the user_cert
  # extension section of openssl.cnf is applied. Non-interactive (-batch),
  # CA passphrase read from ca_im_phrase, validity/digest from
  # cert_days / cert_digest. Guarded by creates:, so expired client certs
  # are not re-issued automatically.
  environment:
    KEY_ALTNAMES: "{{ item.altnames | join(', ') }}"
  command: >
    openssl ca -batch
    -config {{ pki_dir }}/intermediate_ca/openssl.cnf
    -passin file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
    -extensions user_cert
    -days {{ cert_days }}
    -md {{ cert_digest }}
    -in {{ pki_dir }}/intermediate_ca/csr/{{ item.cn }}_csr.pem
    -out {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
  args:
    creates: "{{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem"
  with_items: "{{ client_certs }}"

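- name: Verify client cert against root + im chain
  # Diagnostic only: checks each freshly signed client leaf against the
  # root+intermediate bundle with the sslclient purpose. The output is
  # inspected by the assert below; the command itself changes nothing.
  command: >
    openssl verify -purpose sslclient
    -CAfile {{ pki_dir }}/intermediate_ca/certs/im_cert_chain.pem
    {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
  with_items: "{{ client_certs }}"
  register: client_chain_verify
  changed_when: false
  tags:
    - skip_ansible_lint # diagnostic command

- name: Assert that verify of client cert succeeded
  # A bare `'OK' in stdout` is not a reliable pass signal: older OpenSSL
  # releases print the failure line ("error N at D depth lookup:...") and
  # then still print "OK" and exit 0 for some errors (expired cert and wrong
  # purpose among them). Require the trailing OK *and* the absence of an
  # error line. item.stdout is referenced directly instead of being
  # templated into the expression, so quotes in the output cannot break it.
  assert:
    that:
      - "item.stdout.endswith('OK')"
      - "'depth lookup' not in item.stdout"
  with_items: "{{ client_chain_verify.results }}"
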
- name: Get the certs into client_certs var
  # Dumps each signed client leaf cert (PEM) into client_certs_raw.results
  # for the chain-file task that follows.
  register: client_certs_raw
  tags:
    - skip_ansible_lint # concat of files
  command: >
    openssl x509
    -in {{ pki_dir }}/intermediate_ca/certs/{{ item.cn }}_cert.pem
  with_items: "{{ client_certs }}"

- name: Create chained client cert
  # Leaf cert followed by the intermediate, mirroring the server chain
  # files. Public material only, so no explicit mode is set.
  copy:
    content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
    dest: "{{ pki_dir }}/intermediate_ca/certs/{{ item.item.cn }}_cert_chain.pem"
  with_items: "{{ client_certs_raw.results }}"