Gitiles
Code Review Sign In
gerrit.opencord.org / platform-install / refs/heads/master / . / roles / pki-cert / tasks / main.yml
blob: 1abf3fb65ffa03923e8317438eed854f440359c0 [file] [log] [blame]
Zack Williams2f3b4002017-12-05 14:05:49 -0700[diff] [blame]1---
Matteo Scandolo3896c472017-08-01 13:31:42 -0700[diff] [blame]2# Copyright 2017-present Open Networking Foundation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]16# pki-cert/tasks/main.yml
17
18- name: Generate server private key (no pw)
19 command: >
20 openssl genrsa
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]21 -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williams79ddf4b2017-09-18 16:51:28 -0700[diff] [blame]22 {{ cert_size }}
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]23 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]24 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]25 with_items: "{{ server_certs }}"
26
Zack Williams2f3b4002017-12-05 14:05:49 -0700[diff] [blame]27- name: Generate server-specific openssl config
28 template:
29 src: server.cnf.j2
30 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/server_cnfs/{{ item.cn }}.cnf"
31 with_items: "{{ server_certs }}"
32
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]33- name: Generate server CSR
34 command: >
Zack Williams2f3b4002017-12-05 14:05:49 -0700[diff] [blame]35 openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/server_cnfs/{{ item.cn }}.cnf
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]36 -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]37 -new -sha256 -subj "{{ item.subj }}"
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]38 -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]39 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]40 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]41 with_items: "{{ server_certs }}"
42
43- name: Sign server cert
44 command: >
Zack Williams2f3b4002017-12-05 14:05:49 -0700[diff] [blame]45 openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/server_cnfs/{{ item.cn }}.cnf
46 -batch -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]47 -extensions server_cert
48 -days {{ cert_days }} -md {{ cert_digest }}
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]49 -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
50 -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]51 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]52 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]53 with_items: "{{ server_certs }}"
54
55- name: Verify cert against root + im chain
56 command: >
57 openssl verify -purpose sslserver
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]58 -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
59 {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]60 with_items: "{{ server_certs }}"
61 tags:
62 - skip_ansible_lint # diagnostic command
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]63 register: server_chain_verify
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]64
65- name: Assert that verify of cert succeeded
66 assert:
67 that: "'OK' in '{{ item.stdout }}'"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]68 with_items: "{{ server_chain_verify.results }}"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]69
70- name: Get the intermediate cert into im_cert var
71 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]72 openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]73 register: im_cert
74 tags:
75 - skip_ansible_lint # concat of files
76
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]77- name: Get the certs into server_certs var
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]78 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]79 openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]80 with_items: "{{ server_certs }}"
81 tags:
82 - skip_ansible_lint # concat of files
83 register: server_certs_raw
84
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]85- name: Create chained server certs
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]86 copy:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]87 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem"
Zack Williamsc047c872017-01-11 08:38:15 -0700[diff] [blame]88 content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
89 with_items: "{{ server_certs_raw.results }}"
90
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]91- name: Generate client private key (no pw)
92 command: >
93 openssl genrsa
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]94 -out {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williams79ddf4b2017-09-18 16:51:28 -0700[diff] [blame]95 {{ cert_size }}
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]96 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]97 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]98 with_items: "{{ client_certs }}"
99
Zack Williams2f3b4002017-12-05 14:05:49 -0700[diff] [blame]100- name: Generate client-specific openssl config
101 template:
102 src: client.cnf.j2
103 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/client_cnfs/{{ item.cn }}.cnf"
104 with_items: "{{ client_certs }}"
105
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]106- name: Generate client CSR
107 command: >
Zack Williams2f3b4002017-12-05 14:05:49 -0700[diff] [blame]108 openssl req -config {{ pki_dir }}/{{ site_name }}_im_ca/client_cnfs/{{ item.cn }}.cnf
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]109 -key {{ pki_dir }}/{{ site_name }}_im_ca/private/{{ item.cn }}_key.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]110 -new -sha256 -subj "{{ item.subj }}"
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]111 -out {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]112 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]113 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]114 with_items: "{{ client_certs }}"
115
116- name: Sign client cert
117 command: >
Zack Williams2f3b4002017-12-05 14:05:49 -0700[diff] [blame]118 openssl ca -config {{ pki_dir }}/{{ site_name }}_im_ca/client_cnfs/{{ item.cn }}.cnf
119 -batch -passin file:{{ pki_dir }}/{{ site_name }}_im_ca/private/ca_im_phrase
120 -extensions client_cert
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]121 -days {{ cert_days }} -md {{ cert_digest }}
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]122 -in {{ pki_dir }}/{{ site_name }}_im_ca/csr/{{ item.cn }}_csr.pem
123 -out {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]124 args:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]125 creates: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]126 with_items: "{{ client_certs }}"
127
128- name: Verify cert against root + im chain
129 command: >
130 openssl verify -purpose sslclient
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]131 -CAfile {{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem
132 {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]133 with_items: "{{ client_certs }}"
134 tags:
135 - skip_ansible_lint # diagnostic command
136 register: client_chain_verify
137
138- name: Assert that verify of cert succeeded
139 assert:
140 that: "'OK' in '{{ item.stdout }}'"
141 with_items: "{{ client_chain_verify.results }}"
142
143- name: Get the certs into client_certs var
144 command: >
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]145 openssl x509 -in {{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.cn }}_cert.pem
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]146 with_items: "{{ client_certs }}"
147 tags:
148 - skip_ansible_lint # concat of files
149 register: client_certs_raw
150
151- name: Create chained client cert
152 copy:
Zack Williams44845c62017-04-21 13:57:14 -0700[diff] [blame]153 dest: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/{{ item.item.cn }}_cert_chain.pem"
Zack Williamsba5549c2017-03-25 15:04:45 -0700[diff] [blame]154 content: "{{ item.stdout }}\n{{ im_cert.stdout }}"
155 with_items: "{{ client_certs_raw.results }}"
156