Added support for toggling SAN-certs

2018-04-20 08:09:45 -04:00 · 2018-04-20 08:09:45 -04:00 · 15506285f3
parent f9c0be7195
commit 15506285f3
2 changed files with 6 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -42,3 +42,5 @@ tls_client_valid_days: 730
 # 2 years
 tls_server_valid_days: 730
 tls_server_key_size: 4096
+# Enable Subject Alternate Name (SAN)
+tls_server_enable_san: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -67,7 +67,9 @@
      module: template
      src: templates/server-cert-extfile.cnf.j2
      dest: "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"
-    when: generate_server_cert
+    when:
+      - generate_server_cert
+      - tls_server_enable_san

  - name: Sign server cert request by CA
    local_action:
@ -75,6 +77,6 @@
        shell openssl x509 -req -sha256 -days {{tls_server_valid_days}}
        -CA "{{cert_dir}}/{{tls_ca_cert}}" -CAkey "{{cert_dir}}/{{tls_ca_key}}" -set_serial {{ 999999999 | random }}
        -in "{{cert_dir}}/{{inventory_hostname_short}}.csr" -out "{{cert_dir}}/{{inventory_hostname_short}}.pem"
-        -extfile "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"
+        {% if tls_server_enable_san %}-extfile "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"{% endif %}
    ignore_errors: true
    when: generate_server_cert