Diffstat (limited to 'roles/x509/managed-ca/ca')
-rw-r--r--roles/x509/managed-ca/ca/defaults/main.yml16
-rw-r--r--roles/x509/managed-ca/ca/tasks/main.yml58
2 files changed, 74 insertions, 0 deletions
diff --git a/roles/x509/managed-ca/ca/defaults/main.yml b/roles/x509/managed-ca/ca/defaults/main.yml
new file mode 100644
index 00000000..09d021d1
--- /dev/null
+++ b/roles/x509/managed-ca/ca/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+# managed_ca_authorities:
+# foo:
+# key:
+# type: RSA
+# size: 4096
+# cert:
+# common_name: foo CA
+# country_name: "AT"
+# locality_name: "Graz"
+# organization_name: "spreadspace"
+# organizational_unit_name: "ansible"
+# state_or_province_name: "Styria"
+# digest: sha256
+# not_before: +0h
+# not_after: +520w
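Review bot: The defaults file declares no actual default for `managed_ca_authorities`; everything in it is commented out, so a play that includes the role without setting the variable fails on the first task of tasks/main.yml with an undefined-variable error rather than doing nothing. Adding `managed_ca_authorities: {}` after the example block gives the loops an empty mapping to iterate and makes the role a safe no-op by default. The comment block itself would read better with the nesting restored, e.g. `#   key:` under `#   foo:`, so the documented structure matches what the tasks index with `item.value.key.type` and `item.value.cert.common_name`.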
diff --git a/roles/x509/managed-ca/ca/tasks/main.yml b/roles/x509/managed-ca/ca/tasks/main.yml
new file mode 100644
index 00000000..e675ad8c
--- /dev/null
+++ b/roles/x509/managed-ca/ca/tasks/main.yml
@@ -0,0 +1,58 @@
+---
+- name: create mangaged-ca CA directories
+ loop: "{{ managed_ca_authorities | list }}"
+ file:
+ path: "/etc/ssl/managed-ca/{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: create managed-ca CA private keys
+ loop: "{{ managed_ca_authorities | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ openssl_privatekey:
+ path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
+ type: "{{ item.value.key.type | default(omit) }}"
+ size: "{{ item.value.key.size | default(omit) }}"
+ owner: root
+ group: root
+ mode: 0600
+
+- name: create signing request for managed-ca CA certificates
+ loop: "{{ managed_ca_authorities | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ openssl_csr:
+ path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem"
+ privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
+ common_name: "{{ item.value.cert.common_name | default(item.key) }}"
+ use_common_name_for_san: no
+ country_name: "{{ item.value.cert.country_name | default(omit) }}"
+ locality_name: "{{ item.value.cert.locality_name | default(omit) }}"
+ organization_name: "{{ item.value.cert.organization_name | default(omit) }}"
+ organizational_unit_name: "{{ item.value.cert.organizational_unit_name | default(omit) }}"
+ state_or_province_name: "{{ item.value.cert.state_or_province_name | default(omit) }}"
+ key_usage:
+ - cRLSign
+ - keyCertSign
+ key_usage_critical: yes
+ basic_constraints:
+ - 'CA:TRUE'
+ - 'pathlen:0'
+ basic_constraints_critical: yes
+
+- name: create managed-ca CA certificates
+ loop: "{{ managed_ca_authorities | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ openssl_certificate:
+ path: "/etc/ssl/managed-ca/{{ item.key }}/crt.pem"
+ csr_path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem"
+ privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
+ provider: selfsigned
+ selfsigned_digest: "{{ item.value.cert.digest | default(omit) }}"
+ selfsigned_not_before: "{{ item.value.cert.not_before | default(omit) }}"
+ selfsigned_not_after: "{{ item.value.cert.not_after | default(omit) }}"
+ selfsigned_create_subject_key_identifier: always_create
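Review bot: The boolean-looking scalars on the CSR task (`use_common_name_for_san: no`, `key_usage_critical: yes`, `basic_constraints_critical: yes`) should be written as `false`/`true`; `yes`/`no` are YAML 1.1-only truthy forms that yamllint flags and that stop being booleans under a 1.2 parser. In the same spirit the file modes on the directory and key tasks read more safely quoted, `mode: "0700"` and `mode: "0600"`, so no parser or formatter can retype the leading-zero octal. The first task's name has a typo, `mangaged-ca`, which will show up in every run's output. Note that the CA private key is written to disk without a passphrase; the key and directory modes (0600 inside a 0700 directory) limit that to root, which looks intentional for an unattended role, but a short comment above the `openssl_privatekey` task stating that the key is deliberately unencrypted would save the next reader from wondering.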