summaryrefslogtreecommitdiff
path: root/roles/x509/managed-ca/ca/tasks/main.yml
blob: e675ad8cf19c931253775c8a115ab94783467a3b (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

---
- name: create mangaged-ca CA directories
  loop: "{{ managed_ca_authorities | list }}"
  file:
    path: "/etc/ssl/managed-ca/{{ item }}"
    state: directory
    owner: root
    group: root
    mode: 0700

- name: create managed-ca CA private keys
  loop: "{{ managed_ca_authorities | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  openssl_privatekey:
    path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
    type: "{{ item.value.key.type | default(omit) }}"
    size: "{{ item.value.key.size | default(omit) }}"
    owner: root
    group: root
    mode: 0600

- name: create signing request for managed-ca CA certificates
  loop: "{{ managed_ca_authorities | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  openssl_csr:
    path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem"
    privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
    common_name: "{{ item.value.cert.common_name | default(item.key) }}"
    use_common_name_for_san: no
    country_name: "{{ item.value.cert.country_name | default(omit) }}"
    locality_name: "{{ item.value.cert.locality_name | default(omit) }}"
    organization_name: "{{ item.value.cert.organization_name | default(omit) }}"
    organizational_unit_name: "{{ item.value.cert.organizational_unit_name | default(omit) }}"
    state_or_province_name: "{{ item.value.cert.state_or_province_name | default(omit) }}"
    key_usage:
    - cRLSign
    - keyCertSign
    key_usage_critical: yes
    basic_constraints:
    - 'CA:TRUE'
    - 'pathlen:0'
    basic_constraints_critical: yes

- name: create managed-ca CA certificates
  loop: "{{ managed_ca_authorities | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  openssl_certificate:
    path: "/etc/ssl/managed-ca/{{ item.key }}/crt.pem"
    csr_path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem"
    privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
    provider: selfsigned
    selfsigned_digest: "{{ item.value.cert.digest | default(omit) }}"
    selfsigned_not_before: "{{ item.value.cert.not_before | default(omit) }}"
    selfsigned_not_after: "{{ item.value.cert.not_after | default(omit) }}"
    selfsigned_create_subject_key_identifier: always_create
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-23 14:59:00 +0000