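---
# pki-intermediate-ca/tasks/main.yml
#
# Builds an intermediate CA under {{ pki_dir }}/{{ site_name }}_im_ca, has it
# signed by the root CA kept in {{ pki_dir }}/root_ca, verifies the result and
# writes the intermediate+root chain file.  Each command that produces key
# material or a certificate is guarded with `creates:` so that re-running the
# role never regenerates an existing key or re-signs an existing certificate.

# If the next two steps fail, it may be necessary to include the
# `create-configdirs-become` role to create these directories using become.
- name: Create PKI directory
  file:
    dest: "{{ pki_dir }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"  # quoted: an unquoted leading-zero octal is parser-dependent

- name: Create intermediate CA directory
  file:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"

- name: Create intermediate CA openssl.cnf from template
  template:
    src: openssl_im.cnf.j2
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf"
    force: false  # never overwrite a config an operator may have edited

- name: Create subdirs for intermediate CA
  file:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/{{ item }}"
    state: directory
  with_items:
    - certs
    - crl
    - csr
    - newcerts

# private/ holds the CA key and its passphrase: owner-only access.
- name: Create private CA directory
  file:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private"
    state: directory
    mode: "0700"

- name: Create serial file
  copy:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/serial"
    content: "01"
    force: false  # `openssl ca` advances the serial; never reset it on re-run

- name: Create empty index file if it doesn't exist
  copy:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/index.txt"
    content: ""
    force: false  # index.txt is the CA database; never truncate it on re-run

# The passphrase is stored in a 0400 file so the openssl commands below can read
# it via `-passin/-passout file:` instead of taking it on the command line.
- name: Save intermediate passphrase to sitename_im_ca/private/ca_im_phrase
  copy:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase"
    content: "{{ ca_im_phrase }}"
    mode: "0400"

- name: Generate intermediate key
  command: >
    openssl genrsa -aes256
    -out {{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem
    -passout file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
    {{ ca_size }}
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem"

- name: Set permissions on intermediate key
  file:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem"
    mode: "0400"

- name: Create intermediate CSR
  command: >
    openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/openssl.cnf
    -key {{ pki_dir }}/{{ site_name }}_im_ca/private/im_key.pem
    -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
    -new -sha256 -subj "{{ ca_im_subj }}"
    -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem
  args:
    # Must match the -out path above (csr/, not certs/); otherwise the guard
    # never matches and the CSR is regenerated on every run.
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem"
  environment:
    # presumably consumed by openssl_im.cnf.j2 / the rendered openssl.cnf;
    # empty here because a CA CSR carries no subjectAltName — confirm in template
    KEY_ALTNAMES: ""

- name: Create intermediate cert from CSR with root CA
  command: >
    openssl ca -config {{ pki_dir }}/root_ca/openssl.cnf -batch
    -extensions v3_intermediate_ca
    -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    -days {{ ca_im_days }} -md {{ ca_digest }}
    -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ site_name }}_im_ca_csr.pem
    -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
  args:
    creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem"

- name: Verify intemediate cert
  command: >
    openssl verify
    -CAfile {{ pki_dir }}/root_ca/certs/ca_cert.pem
    {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
  register: im_verify
  changed_when: false  # read-only diagnostic; never reports a change
  tags:
    - skip_ansible_lint  # diagnostic command

- name: Assert that verify of intermediate cert succeeded
  assert:
    # Plain Jinja expression: interpolating stdout into a quoted literal would
    # break the expression on any quote character in the command output.
    that: "'OK' in im_verify.stdout"

- name: Get the root cert into ca_cert var
  command: >
    openssl x509 -in {{ pki_dir }}/root_ca/certs/ca_cert.pem
  register: ca_cert
  changed_when: false  # read-only; output is only captured for the chain file
  tags:
    - skip_ansible_lint  # concat of files

- name: Get the intermediate cert into im_cert var
  command: >
    openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
  register: im_cert
  changed_when: false  # read-only; output is only captured for the chain file
  tags:
    - skip_ansible_lint  # concat of files

# Chain order is intermediate first, then root — the order chain consumers expect.
- name: Create intermediate cert chain
  copy:
    dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem"
    content: "{{ im_cert.stdout }}\n{{ ca_cert.stdout }}"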
Zack Williams44845c62017-04-21 13:57:14 -0700128