This is an Ansible role for configuring trust of DHS CA certificates at the OS level.
This role makes use of the community.general.json_query Ansible
filter,
which requires that the jmespath Python
package be installed on the local
host.
| Variable | Description | Default | Required |
|---|---|---|---|
| cer_filename | The filename to use for the DHS certificate cer bundle (translated from the p7b bundle). | dhsca.cer |
No |
| cert_url | The URL where the DHS certificate p7b bundle can be downloaded. | https://pki.treas.gov/dhsca_fullpath.p7b |
No |
| p7b_filename | The filename to use for the DHS certificate p7b bundle after it is downloaded from cert\_url. |
dhsca.p7b |
No |
| single_cert_filename_prefix | The prefix to use when creating the individual certificate files extracted from the DHS certificate p7b bundle. If the prefix is "zz-" then individual certificate files will be named "zz-00", "zz-01", etc. | dhs-cert- |
No |
None.
This role can be installed via the command:
ansible-galaxy install --role-file path/to/requirements.ymlwhere requirements.yml looks like:
---
- name: dhs_certificates
src: https://github.com/cisagov/ansible-role-dhs-certificatesand may contain other roles as well.
For more information about installing Ansible roles via a YAML file,
please see the ansible-galaxy
documentation.
Here's how to use it in a playbook:
- hosts: all
become: true
become_method: sudo
tasks:
- name: Install and trust DHS certificates
ansible.builtin.include_role:
name: dhs_certificatesWe welcome contributions! Please see CONTRIBUTING.md for
details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
Shane Frasier - jeremy.frasier@gwe.cisa.dhs.gov