From f0718f3ceceec13a03b54b8d6d0abd2dac929fc3 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 20 Dec 2023 11:53:07 +0100
Subject: x509: add new role managed-ca
---
 roles/x509/managed-ca/ca/tasks/main.yml | 58 +++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 roles/x509/managed-ca/ca/tasks/main.yml
(limited to 'roles/x509/managed-ca/ca/tasks/main.yml')
diff --git a/roles/x509/managed-ca/ca/tasks/main.yml b/roles/x509/managed-ca/ca/tasks/main.yml
new file mode 100644
index 00000000..e675ad8c
--- /dev/null
+++ b/roles/x509/managed-ca/ca/tasks/main.yml
@@ -0,0 +1,58 @@
+---
+- name: create mangaged-ca CA directories
+  loop: "{{ managed_ca_authorities | list }}"
+  file:
+    path: "/etc/ssl/managed-ca/{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: create managed-ca CA private keys
+  loop: "{{ managed_ca_authorities | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  openssl_privatekey:
+    path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
+    type: "{{ item.value.key.type | default(omit) }}"
+    size: "{{ item.value.key.size | default(omit) }}"
+    owner: root
+    group: root
+    mode: 0600
+
+- name: create signing request for managed-ca CA certificates
+  loop: "{{ managed_ca_authorities | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  openssl_csr:
+    path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem"
+    privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
+    common_name: "{{ item.value.cert.common_name | default(item.key) }}"
+    use_common_name_for_san: no
+    country_name: "{{ item.value.cert.country_name | default(omit) }}"
+    locality_name: "{{ item.value.cert.locality_name | default(omit) }}"
+    organization_name: "{{ item.value.cert.organization_name | default(omit) }}"
+    organizational_unit_name: "{{ item.value.cert.organizational_unit_name | default(omit) }}"
+    state_or_province_name: "{{ item.value.cert.state_or_province_name | default(omit) }}"
+    key_usage:
+      - cRLSign
+      - keyCertSign
+    key_usage_critical: yes
+    basic_constraints:
+      - 'CA:TRUE'
+      - 'pathlen:0'
+    basic_constraints_critical: yes
+
+- name: create managed-ca CA certificates
+  loop: "{{ managed_ca_authorities | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  openssl_certificate:
+    path: "/etc/ssl/managed-ca/{{ item.key }}/crt.pem"
+    csr_path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem"
+    privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
+    provider: selfsigned
+    selfsigned_digest: "{{ item.value.cert.digest | default(omit) }}"
+    selfsigned_not_before: "{{ item.value.cert.not_before | default(omit) }}"
+    selfsigned_not_after: "{{ item.value.cert.not_after | default(omit) }}"
+    selfsigned_create_subject_key_identifier: always_create
-- cgit v1.2.3
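Review bot: The `openssl_privatekey` task for the CA keys has no guard against regenerating a key that already exists: if this resolves to the community.crypto module, its default regeneration behaviour will, as far as I can tell, replace the CA private key in place whenever `item.value.key.type` or `item.value.key.size` later changes in the inventory, silently invalidating every certificate issued under that CA. Pinning `regenerate: fail` (or `regenerate: never`) and adding `backup: true` to that task would make key rotation an explicit step rather than a side effect of a variable edit. On style, the boolean-looking scalars `use_common_name_for_san: no`, `key_usage_critical: yes` and `basic_constraints_critical: yes` should be written `false`/`true`, and the octal modes should be quoted as `mode: "0700"` and `mode: "0600"` so they reach the modules as strings rather than YAML 1.1 octal integers. The first task name also carries a typo, `mangaged-ca`.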