#!/usr/bin/env python3 from cryptography import x509 from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.x509.oid import NameOID import datetime import argparse parser = argparse.ArgumentParser("spreadspace ansible CA-generator") parser.add_argument("-n", "--variable-name", dest='varname', help="ansible variable name to be used", type=str, required=True) parser.add_argument("-CN", "--common-name", dest='CN', help="Common Name field of the CA's subject", type=str, required=True) parser.add_argument("-O", "--organization-name", dest='O', help="Organization Name field of the CA's subject", type=str) parser.add_argument("-OU", "--organizational-unit", dest='OU', help="Organizational Unit field of the CA's subject", type=str) parser.add_argument("-C", "--country-name", dest='C', help="Country Name field of the CA's subject", type=str) parser.add_argument("-ST", "--state-or-provice", dest='ST', help="State-or-Province field of the CA's subject", type=str) parser.add_argument("-L", "--locality", dest='L', help="Locality Name field of the CA's subject", type=str) args = parser.parse_args() subject_fields = [] if args.CN: subject_fields.append(x509.NameAttribute(NameOID.COMMON_NAME, args.CN)) if args.O: subject_fields.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, args.O)) if args.OU: subject_fields.append(x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, args.OU)) if args.C: subject_fields.append(x509.NameAttribute(NameOID.COUNTRY_NAME, args.C)) if args.ST: subject_fields.append(x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, args.ST)) if args.L: subject_fields.append(x509.NameAttribute(NameOID.LOCALITY_NAME, args.L)) subject = issuer = x509.Name(subject_fields) private_key = rsa.generate_private_key( public_exponent=65537, key_size=4096, ) public_key = private_key.public_key() builder = x509.CertificateBuilder() builder = builder.subject_name(subject) builder = builder.issuer_name(issuer) builder = builder.not_valid_before(datetime.datetime.today() - datetime.timedelta(days=1)) builder = builder.not_valid_after(datetime.datetime.today() + datetime.timedelta(weeks=2080)) # about 20years builder = builder.serial_number(x509.random_serial_number()) builder = builder.public_key(public_key) builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=1), critical=True) certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256()) private_key_pem = private_key.private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()) certificate_pem = certificate.public_bytes(serialization.Encoding.PEM) print("## Add this to vault file") print("") print("vault_%s_key: |" % (args.varname)) for line in private_key_pem.splitlines(): print(" {}".format(line.decode('utf-8'))) print("") print("") print("") print("") print("## Add this to vars file") print("") print("%s_key: \"{{ vault_%s_key }}\"" % (args.varname, args.varname)) print("%s_cert: |" % (args.varname)) for line in certificate_pem.splitlines(): print(" {}".format(line.decode('utf-8')))