roles/pki-root-ca/tasks/main.yml

# Copyright 2017-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


---
# pki-root-ca/tasks/main.yml

# if the next two steps fail, may need to include `create-configdirs-become`
# role to create these directories using become.
- name: Create PKI and credentials directories
  file:
    dest: "{{ item }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: 0700
  with_items:
    - "{{ credentials_dir }}"
    - "{{ pki_dir }}"

- name: Create root CA directory
  file:
    dest: "{{ pki_dir }}/root_ca"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: 0755

- name: Create root CA openssl.cnf from template
  template:
    src: openssl_root.cnf.j2
    dest: "{{ pki_dir }}/root_ca/openssl.cnf"
    force: no

- name: Create subdirs for root CA
  file:
    dest: "{{ pki_dir }}/root_ca/{{ item }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: 0755
  with_items:
    - certs
    - crl
    - newcerts

- name: Create private CA directory
  file:
    dest: "{{ pki_dir }}/root_ca/private"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: 0700

- name: Create serial file
  copy:
    dest: "{{ pki_dir }}/root_ca/serial"
    content: "1000"
    force: no

- name: Create empty index file if it doesn't exist
  copy:
    dest: "{{ pki_dir }}/root_ca/index.txt"
    content: ""
    force: no
    owner: "{{ ansible_user_id }}"
    mode: 0755

- name: Save root passphrase to root_ca/private/ca_root_phrase
  copy:
    dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase"
    content: "{{ ca_root_phrase }}"
    owner: "{{ ansible_user_id }}"
    mode: 0400

- name: Generate root key
  command: >
    openssl genrsa -aes256
      -out {{ pki_dir }}/root_ca/private/ca_key.pem
      -passout file:{{ pki_dir }}/root_ca/private/ca_root_phrase
      {{ ca_size }}
  args:
    creates: "{{ pki_dir }}/root_ca/private/ca_key.pem"

- name: Set permissions on root key
  file:
    dest: "{{ pki_dir }}/root_ca/private/ca_key.pem"
    owner: "{{ ansible_user_id }}"
    mode: 0400

- name: Create root certificate
  command: >
    openssl req -config {{ pki_dir }}/root_ca/openssl.cnf
      -key {{ pki_dir }}/root_ca/private/ca_key.pem
      -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
      -new -x509 -days {{ ca_root_days }}
      -sha256 -extensions v3_ca
      -subj "{{ ca_root_subj }}"
      -out {{ pki_dir }}/root_ca/certs/ca_cert.pem
  args:
    creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"