
---
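# Root-level material: the root signer CA plus the globally shared vault and SCEP
# certificates. All three are self-signed with the v3_ca profile from openssl.cnf;
# root key size and validity are twice the per-realm values from pki_realm_conf.
- name: Create global certificates
  command: >
    openssl req
    -config {{ pki_root_dir }}/etc/openssl.cnf
    -extensions v3_ca
    -x509
    -newkey rsa:{{ pki_realm_conf.keysize * 2 }}
    -keyout {{ pki_root_dir }}/etc/ssl/root/{{ item.name }}-key-1.pem
    -out {{ pki_root_dir }}/etc/ssl/root/{{ item.name }}-cert-1.pem
    -sha256
    -days {{ pki_realm_conf.validity * 2 }}
    -subj '/C={{ pki_realm_conf.subj_c }}/ST={{ pki_realm_conf.subj_st }}/L={{ pki_realm_conf.subj_l }}/O={{ pki_realm_conf.subj_o }}/OU={{ pki_realm_conf.subj_ou }}/CN={{ item.cn }}'
    -passout stdin
  args:
    # idempotency guard: nothing is regenerated once the certificate file exists
    creates: "{{ pki_root_dir }}/etc/ssl/root/{{ item.name }}-cert-1.pem"
    # the key passphrase is fed on stdin (-passout stdin) so it never appears
    # in the process list
    stdin: "{{ pki_secret }}"
  # stdin is a module argument and would be printed in verbose/log output
  # together with the rest of the invocation; the registered results
  # (item.changed, item.item.name) remain usable by the import task below.
  no_log: true
  with_items:
    - name: signer
      cn: "{{ pki_root_ca_cn }}"
    - name: vault
      cn: "{{ pki_vault_cn }}"
    - name: scep
      cn: "{{ pki_scep_cn }}"
  register: pki_root_created
  tags: pki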
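# openssl ca needs its text database (index.txt) and a starting serial number
# in the root CA directory before it can sign anything.
- name: Check if the index file for the root CA exists
  stat:
    path: "{{ pki_root_dir }}/etc/ssl/root/index.txt"
  register: pki_root_ca_index
  tags: pki

- name: Create the index file
  file:
    path: "{{ pki_root_dir }}/etc/ssl/root/index.txt"
    state: touch
  # state=touch is not idempotent on its own, hence the stat guard above
  when: not pki_root_ca_index.stat.exists
  tags: pki

- name: Create the serial file
  # copy with force=false replaces the previous shell redirect: same content
  # (a "1000" line), but no shell involved and the file is never overwritten
  copy:
    content: "1000\n"
    dest: "{{ pki_root_dir }}/etc/ssl/root/serial"
    force: false
  tags: pki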
# Register the freshly created root-level certificates in the OpenXPKI database
# (global namespace, no realm).
- name: Import the certificates in the global namespace of OpenXPKI DB
  command: >
    {{ pki_root_dir }}/bin/openxpkiadm certificate import
    --file {{ pki_root_dir }}/etc/ssl/root/{{ item.item.name }}-cert-1.pem
    --config={{ pki_root_dir }}/etc/config.d/
  environment:
    PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
  # iterate over the registered results of the creation task; item.item is
  # the original loop entry (signer / vault / scep)
  with_items: "{{ pki_root_created.results }}"
  # only certificates generated in this run need importing
  when: item.changed
  tags: pki
# Vault and SCEP certificates are global, so just link them from the root dir in every realm dir
# (relative symlink, so the tree stays relocatable).
- name: Link vault and SCEP keys from the root to the realms
  file:
    src: "../root/{{ item.1 }}-key-1.pem"
    dest: "{{ pki_root_dir }}/etc/ssl/{{ item.0.name }}/{{ item.1 }}-key-1.pem"
    state: link
  with_nested:
    - "{{ pki_realms }}"
    - [vault, scep]
  tags: pki
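# For each realm, we create only the signer CA. Vault and SCEP will use the global ones
- name: Create issuing CA's private keys
  command: >
    openssl genrsa
    -out {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-key-1.pem
    -aes256
    -passout stdin
    {{ item.keysize }}
  args:
    # never regenerate an existing key
    creates: "{{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-key-1.pem"
    # passphrase for the AES-256 key wrapping, read from stdin (-passout stdin)
    stdin: "{{ pki_secret }}"
  # the stdin argument carries the passphrase; keep it out of verbose output and logs
  no_log: true
  with_items: "{{ pki_realms }}"
  tags: pki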
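# One CSR per realm for its signer CA; subject fields fall back to the
# realm-wide defaults in pki_realm_conf when the realm does not override them.
- name: Create issuing CA's CSR
  command: >
    openssl req
    -config {{ pki_root_dir }}/etc/openssl.cnf
    -new
    -sha256
    -key {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-key-1.pem
    -out {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-csr-1.pem
    -subj '/C={{ item.subj_c | default(pki_realm_conf.subj_c) }}/ST={{ item.subj_st | default(pki_realm_conf.subj_st) }}/L={{ item.subj_l | default(pki_realm_conf.subj_l) }}/O={{ item.subj_o | default(pki_realm_conf.subj_o) }}/OU={{ item.subj_ou | default(pki_realm_conf.subj_ou) }}/CN={{ item.name }}'
    -extensions v3_intermediate_ca
    -passin stdin
  args:
    creates: "{{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-csr-1.pem"
    # passphrase of the realm signer key, read from stdin (-passin stdin)
    stdin: "{{ pki_secret }}"
  # stdin carries the key passphrase; keep it out of verbose output and logs
  no_log: true
  with_items: "{{ pki_realms }}"
  tags: pki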
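# Now we create issuing CA. First, iterate over those who do not have a parent defined. Which means they are a child of the root CA
- name: Sign intermediate CA with the Root CA
  command: >
    openssl ca
    -config {{ pki_root_dir }}/etc/openssl.cnf
    -keyfile {{ pki_root_dir }}/etc/ssl/root/signer-key-1.pem
    -cert {{ pki_root_dir }}/etc/ssl/root/signer-cert-1.pem
    -in {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-csr-1.pem
    -out {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-cert-1.pem
    -passin stdin
    -extensions v3_intermediate_ca
    -days {{ item.validity | default('3650') }}
    -notext
    -batch
  args:
    # a realm is signed once; re-runs are no-ops while the certificate exists
    creates: "{{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-cert-1.pem"
    # passphrase of the root signer key, read from stdin (-passin stdin)
    stdin: "{{ pki_secret }}"
  # stdin carries the root key passphrase; keep it out of verbose output and logs.
  # The registered results (item.changed, item.item.name) stay available to the
  # import and alias tasks that follow.
  no_log: true
  when: item.parent is not defined
  register: pki_ca_issuing_created
  with_items: "{{ pki_realms }}"
  tags: pki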
# Import each newly signed realm CA into its realm as the certsign token.
- name: Import certificates for CA signed by the Root CA in OpenXPKI DB
  command: >
    {{ pki_root_dir }}/bin/openxpkiadm certificate import
    --file {{ pki_root_dir }}/etc/ssl/{{ item.item.name }}/signer-cert-1.pem
    --realm {{ item.item.name }}
    --token certsign
    --config={{ pki_root_dir }}/etc/config.d/
  environment:
    PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
  # item is a registered result of the signing task; item.item is the realm entry
  with_items: "{{ pki_ca_issuing_created.results }}"
  when: item.changed
  tags: pki
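# And now the same with intermediate CA
# NOTE(review): this is a single pass over pki_realms, and -cert/-keyfile point at
# the parent's files; a realm whose parent is itself an intermediate listed later
# in pki_realms would fail here. List parents before their children.
- name: Sign intermediate CA with their parent CA
  command: >
    openssl ca
    -config {{ pki_root_dir }}/etc/openssl.cnf
    -keyfile {{ pki_root_dir }}/etc/ssl/{{ item.parent }}/signer-key-1.pem
    -cert {{ pki_root_dir }}/etc/ssl/{{ item.parent }}/signer-cert-1.pem
    -in {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-csr-1.pem
    -out {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-cert-1.pem
    -passin stdin
    -extensions v3_intermediate_ca
    -days {{ item.validity | default('3650') }}
    -notext
    -batch
  args:
    creates: "{{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-cert-1.pem"
    # passphrase of the parent signer key, read from stdin (-passin stdin)
    stdin: "{{ pki_secret }}"
  # stdin carries a CA key passphrase; keep it out of verbose output and logs.
  # The registered results (item.changed, item.item.name) stay available to the
  # alias tasks that follow.
  no_log: true
  when: item.parent is defined
  register: pki_ca_intermediate_created
  with_items: "{{ pki_realms }}"
  tags: pki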
# Once added in the DB, each cert gets an ID. We need to get this ID for
# the two global certs (vault and scep) so we can create an alias for each realm.
- name: Get ID of the global vault certificate
  command: >
    {{ pki_root_dir }}/bin/openxpkiadm certificate id
    --file {{ pki_root_dir }}/etc/ssl/root/vault-cert-1.pem
    --config={{ pki_root_dir }}/etc/config.d/
  environment:
    PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
  # stdout holds the identifier consumed by the alias task below
  register: pki_global_vault_id
  # read-only lookup, never reported as a change
  changed_when: false
  tags: pki

- name: Get ID of the global scep certificate
  command: >
    {{ pki_root_dir }}/bin/openxpkiadm certificate id
    --file {{ pki_root_dir }}/etc/ssl/root/scep-cert-1.pem
    --config={{ pki_root_dir }}/etc/config.d/
  environment:
    PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
  register: pki_global_scep_id
  # read-only lookup, never reported as a change
  changed_when: false
  tags: pki
# Point every realm whose signer certificate was (re)created in this run at the
# shared vault (datasafe token) and SCEP certificates.
- name: Create an alias for the vault
  command: >
    {{ pki_root_dir }}/bin/openxpkiadm alias --realm {{ item.item.name }}
    --token datasafe --identifier {{ pki_global_vault_id.stdout }}
    --config {{ pki_root_dir }}/etc/config.d/
  environment:
    PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
  # both signing tasks register per-realm results; combine them into one loop
  with_items: "{{ pki_ca_issuing_created.results + pki_ca_intermediate_created.results }}"
  when: item.changed
  tags: pki

- name: Create an alias for the scep certificate
  command: >
    {{ pki_root_dir }}/bin/openxpkiadm alias --realm {{ item.item.name }}
    --token scep --identifier {{ pki_global_scep_id.stdout }}
    --config {{ pki_root_dir }}/etc/config.d/
  environment:
    PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
  with_items: "{{ pki_ca_issuing_created.results + pki_ca_intermediate_created.results }}"
  when: item.changed
  tags: pki
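# Keys and certificates above are written by openssl with umask-derived modes;
# perms.sh (templated from perms.sh.j2, content not shown here) is run to set
# the intended ownership/modes -- presumably tightening the private keys; verify
# against the template.
- name: Deploy permission script
  template:
    src: perms.sh.j2
    dest: "{{ pki_root_dir }}/bin/perms.sh"
    # quoted so the mode is not read as a decimal integer
    mode: "0755"
  tags: pki

- name: Fix permissions on key files
  # the script is invoked without arguments
  command: "{{ pki_root_dir }}/bin/perms.sh"
  changed_when: false
  tags: pki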