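---
# pki-root-ca/tasks/main.yml
#
# Builds a self-signed root CA under {{ pki_dir }}/root_ca with openssl.
# Variables expected from the caller: credentials_dir, pki_dir,
# ca_root_phrase, ca_size, ca_root_days, ca_root_subj.

# Only the top-level directories are created with become; ownership is
# handed to the ansible user so the remaining (non-become) tasks can
# write into them.
- name: Create PKI and credentials directories
  become: true
  file:
    dest: "{{ item }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    # quoted so YAML passes the octal mode through as a string
    mode: "0700"
  with_items:
    - "{{ credentials_dir }}"
    - "{{ pki_dir }}"
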
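# Top of the CA tree; world-readable so certs/ and crl/ can be served or
# copied by other users, private material lives in private/ (0700).
- name: Create root CA directory
  become: true
  file:
    dest: "{{ pki_dir }}/root_ca"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"
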
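# force: false -- the config is written on first run only, so local edits
# to openssl.cnf (or a CA created with an older template) are preserved.
- name: Create root CA openssl.cnf from template
  template:
    src: openssl_root.cnf.j2
    dest: "{{ pki_dir }}/root_ca/openssl.cnf"
    force: false
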
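# Public parts of the CA layout expected by openssl.cnf: issued certs,
# CRLs and the newcerts archive.
- name: Create subdirs for root CA
  file:
    dest: "{{ pki_dir }}/root_ca/{{ item }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"
  with_items:
    - certs
    - crl
    - newcerts
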
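# Holds the CA key and its passphrase file; owner-only access.
- name: Create private CA directory
  file:
    dest: "{{ pki_dir }}/root_ca/private"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0700"
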
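# Seed the serial counter. force: false so a re-run never resets the
# serial of an existing CA (which would lead to duplicate serial numbers).
- name: Create serial file
  copy:
    dest: "{{ pki_dir }}/root_ca/serial"
    content: "1000"
    force: false
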
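# The openssl CA database; plain text, so no execute bit is needed
# (was 0755). force: false keeps the existing database on re-runs.
- name: Create empty index file if it doesn't exist
  copy:
    dest: "{{ pki_dir }}/root_ca/index.txt"
    content: ""
    force: false
    owner: "{{ ansible_user_id }}"
    mode: "0644"
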
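# The passphrase is written to disk so the openssl steps can read it with
# -passin/-passout file:. no_log keeps the value out of Ansible's task
# output (copy's `content` would otherwise show up in -v / --diff runs).
- name: Save root passphrase to root_ca/private/ca_root_phrase
  no_log: true
  copy:
    dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase"
    content: "{{ ca_root_phrase }}"
    owner: "{{ ansible_user_id }}"
    mode: "0400"
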
# Generate the CA private key, encrypted with AES-256 under the passphrase
# stored in root_ca/private/ca_root_phrase (read via -passout file:, so it
# never appears on the command line). Key size comes from ca_size.
# The task does not set file permissions itself; the next task does.
- name: Generate root key
  command: >
    openssl genrsa -aes256
    -out {{ pki_dir }}/root_ca/private/ca_key.pem
    -passout file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    {{ ca_size }}
  args:
    # idempotence: skipped once the key file exists
    creates: "{{ pki_dir }}/root_ca/private/ca_key.pem"

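# Tighten the key file to owner read-only after generation (the genrsa
# step above passes no permission options).
- name: Set permissions on root key
  file:
    dest: "{{ pki_dir }}/root_ca/private/ca_key.pem"
    owner: "{{ ansible_user_id }}"
    mode: "0400"
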
# Self-sign the root certificate (-x509) with the encrypted key; the key
# passphrase is again supplied from the file, not the command line.
# Validity (ca_root_days), subject (ca_root_subj) and the v3_ca extension
# section of openssl.cnf are all parameterised; signature digest is SHA-256.
- name: Create root certificate
  command: >
    openssl req -config {{ pki_dir }}/root_ca/openssl.cnf
    -key {{ pki_dir }}/root_ca/private/ca_key.pem
    -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    -new -x509 -days {{ ca_root_days }}
    -sha256 -extensions v3_ca
    -subj "{{ ca_root_subj }}"
    -out {{ pki_dir }}/root_ca/certs/ca_cert.pem
  args:
    # idempotence: never re-issued once the certificate exists; remove the
    # file to re-issue
    creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"