/
configure-certificate-authority.yml
77 lines (68 loc) · 2.64 KB
/
configure-certificate-authority.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
---
- name: Configure the root certificate authority (CA)
hosts: localhost
connection: local
become: true
# The high-level process for creating a self-hosted certificate authority is:
# 1. Create a strong private key.
# 2. Create a signing request using the private key.
# 3. Self-sign the request to create the certificate authority (CA) root.
# 4. Create an intermediate certificate signed by the CA root.
# 5. Use the intermediate certificate to sign everything else.
#
# This playbook covers steps 1 through 4.
tasks:
- name: Loading subject info
include_vars:
file: subject-info.yml
- name: Creating directory to store signing requests
file:
path: /etc/ssl/csrs
state: directory
- name: Generating the root certificate authority (CA) private key
openssl_privatekey:
path: /etc/ssl/private/{{ organization }}_Root_CA.key
type: RSA
size: 4096
- name: Generating a certificate signing request (CSR) for the root CA
openssl_csr:
path: "/etc/ssl/csrs/{{ organization }}_Root_CA.csr"
privatekey_path: "/etc/ssl/private/{{ organization }}_Root_CA.key"
common_name: "{{ organization }} Root CA"
use_common_name_for_san: false
basic_constraints:
- 'CA:TRUE'
basic_constraints_critical: yes
key_usage:
- keyCertSign
key_usage_critical: true
- name: Signing the root certificate
openssl_certificate:
path: "/etc/ssl/certs/{{ organization }}_Root_CA.crt"
privatekey_path: "/etc/ssl/private/{{ organization }}_Root_CA.key"
csr_path: "/etc/ssl/csrs/{{ organization }}_Root_CA.csr"
provider: selfsigned
- name: Generating the intermediate certificate private key
openssl_privatekey:
path: /etc/ssl/private/{{ organization }}_Intermediate_CA.key
type: RSA
size: 2048
- name: Generating a CSR for the intermediate certificate
openssl_csr:
path: "/etc/ssl/csrs/{{ organization }}_Intermediate_CA.csr"
privatekey_path: "/etc/ssl/private/{{ organization }}_Intermediate_CA.key"
common_name: "{{ organization }} Intermediate CA"
use_common_name_for_san: false
basic_constraints:
- 'CA:TRUE'
basic_constraints_critical: yes
key_usage:
- keyCertSign
key_usage_critical: true
- name: Signing the intermediate certificate
openssl_certificate:
path: "/etc/ssl/certs/{{ organization }}_Intermediate_CA.crt"
csr_path: "/etc/ssl/csrs/{{ organization }}_Intermediate_CA.csr"
ownca_path: /etc/ssl/certs/{{ organization }}_Root_CA.crt
ownca_privatekey_path: /etc/ssl/private/{{ organization }}_Root_CA.key
provider: ownca