step_ca_certificate: add state parameter
#188
Labels
enhancement
New feature or improvement to an existing one
modules
Something affecting one or more module
Milestone
Comments
maxhoesel
added
enhancement
maxhoesel
changed the title
maxhoesel
changed the title
step_ca_certificate: rework state
maxhoesel
changed the title
step_ca_certificate: rework statestep_ca_certificate: add state parameter, enable renewal
This was referenced Oct 10, 2023
maxhoesel
changed the title
step_ca_certificate: add state parameter, enable renewalstep_ca_certificate: add state parameter
maxhoesel
added a commit
to maxhoesel/ansible-collection-smallstep-fork
that referenced
this issue
Oct 27, 2023
maxhoesel
added a commit
to maxhoesel/ansible-collection-smallstep-fork
that referenced
this issue
Oct 27, 2023
maxhoesel
added a commit
to maxhoesel/ansible-collection-smallstep-fork
that referenced
this issue
Oct 27, 2023
maxhoesel
added a commit
to maxhoesel/ansible-collection-smallstep-fork
that referenced
this issue
Oct 27, 2023
maxhoesel
added a commit
to maxhoesel/ansible-collection-smallstep-fork
that referenced
this issue
Oct 27, 2023
maxhoesel
added a commit
to maxhoesel/ansible-collection-smallstep-fork
that referenced
this issue
Oct 27, 2023
maxhoesel
added a commit
to maxhoesel/ansible-collection-smallstep-fork
that referenced
this issue
Oct 27, 2023
maxhoesel
added a commit
to maxhoesel/ansible-collection-smallstep-fork
that referenced
this issue
Oct 27, 2023
maxhoesel
added a commit
to maxhoesel/ansible-collection-smallstep-fork
that referenced
this issue
Oct 27, 2023
maxhoesel
added a commit
to maxhoesel/ansible-collection-smallstep-fork
that referenced
this issue
Oct 28, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Right now, the
step_ca_certificatemodule simply callsstep-cliwithout checking for any existing certificates.This results in the following behavior:
forceisfalse: On the second run,step-cliasks for confirmation for overwriting the existing cert, causing the module to fail.true: The certificate is always overwritten, even when this is not needed.Neither of these are really ideal from a user POV.
As a user, I would like the
step_ca_certificatemodule to ensure that a valid certificate with the desired properties exists on the system, regardless of the underlying details.Such a valid certificate must:
It should be
step_ca_certificates job to ensure that these conditions are met, whether that includes creating a new certificate or not.I propose the following approach to accomplish this:
serial_numberparameter and other parameters fromstep_ca_revokerevoke_on_deleteparameterstateparameter with the following options:present- If the certificate doesn't exist, is expired or has a SAN parameter mismatch, create a new certificate
- Else, do nothing
revokedabsentrevoke_on_deleteis true, revoke the certificate firstforceparameter behavior: Instead of passingforceon the command line to replace existing files (which we pretty much always want given the above model), use offorcewithpresentwill now generate a new certificate on every single run.Implementing this feature would require a few steps:
step_ca_certificate_revokemoduleThe text was updated successfully, but these errors were encountered: