diff --git a/defaults/main.yml b/defaults/main.yml
index 3614add..f2841f0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 # defaults file for generate-tls-certs
-
+generate_tls_certs: true
 # Do not put trailing slash "/"
 cert_dir: ./certs
 generate_ca_cert: false
diff --git a/tasks/generate-ca-cert.yaml b/tasks/generate-ca-cert.yaml
new file mode 100644
index 0000000..2c21fcc
--- /dev/null
+++ b/tasks/generate-ca-cert.yaml
@@ -0,0 +1,15 @@
+---
+ - name: Generate CA private key
+ local_action:
+ module: openssl_privatekey
+ path: "{{cert_dir}}/{{tls_ca_key}}"
+ size: "{{tls_ca_key_size}}"
+ run_once: true
+
+ - name: Generate self-signed cert for CA
+ local_action:
+ module: >
+ shell openssl req -x509 -new -days {{tls_ca_valid_days}} -sha256 -nodes -key {{cert_dir}}/{{tls_ca_key}} -out {{cert_dir}}/{{tls_ca_cert}}
+ -subj "{% if tls_ca_country is defined%}/C={{tls_ca_country}}{% endif %}{% if tls_ca_state is defined%}/ST={{tls_ca_state}}{% endif %}{% if tls_ca_locality is defined %}/L={{tls_ca_locality}}{% endif %}{% if tls_ca_organization is defined %}/O={{tls_ca_organization}}{% endif %}{% if tls_ca_organizationalunit is defined %}/OU={{tls_ca_organizationalunit}}{% endif %}/CN={{tls_ca_commonname}}{% if tls_ca_email is defined %}/emailAddress={{tls_ca_email}}{% endif %}"
+ ignore_errors: true
+ run_once: true
diff --git a/tasks/generate-client-cert.yaml b/tasks/generate-client-cert.yaml
new file mode 100644
index 0000000..079f1c9
--- /dev/null
+++ b/tasks/generate-client-cert.yaml
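Review bot: `ignore_errors: true` on the "Generate self-signed cert for CA" task lets a failed `openssl req` pass silently, so the play continues and the client and server signing tasks imported later run against a missing or stale `{{cert_dir}}/{{tls_ca_cert}}`; drop `ignore_errors: true` from this task, a failure here should stop the play. The `openssl_privatekey` task sets no `mode:`, so the CA private key presumably ends up with whatever the control node's umask yields; add `mode: "0600"` below `size:`. The shell command also interpolates `-key {{cert_dir}}/{{tls_ca_key}} -out {{cert_dir}}/{{tls_ca_cert}}` unquoted, unlike the quoted paths in generate-server-cert.yaml; a `cert_dir` containing a space splits the command, so quote them the same way.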
@@ -0,0 +1,36 @@
+---
+
+ - name: Generate client private key
+ local_action:
+ module: openssl_privatekey
+ path: "{{cert_dir}}/{{tls_client_key}}"
+ size: "{{tls_client_key_size}}"
+ run_once: true
+ when: generate_client_cert
+
+ - name: Generate CSR and key for client cert
+ local_action:
+ module: >
+ shell openssl req -newkey rsa:{{tls_client_key_size}} -nodes -subj "/CN={{tls_client_commonname}}"
+ -keyout "{{cert_dir}}/{{tls_client_key}}" -out "{{cert_dir}}/{{tls_client_csr}}"
+ ignore_errors: true
+ run_once: true
+ when: generate_client_cert
+
+ - name: Add required extension for client authentication
+ local_action:
+ module: >
+ shell echo extendedKeyUsage = clientAuth >> {{cert_dir}}/{{tls_client_extfile}}
+ ignore_errors: true
+ run_once: true
+ when: generate_client_cert
+
+ # @AB TODO: using OpenSSL CA serial file does not always generate unique serial when running playbook against multiple hosts
+ - name: Sign client cert request with CA
+ local_action:
+ module: >
+ shell openssl x509 -req -sha256 -days {{tls_client_valid_days}} -CA {{cert_dir}}/{{tls_ca_cert}} -CAkey {{cert_dir}}/{{tls_ca_key}}
+ -set_serial {{ 999999999 | random }} -in {{cert_dir}}/{{tls_client_csr}} -out {{cert_dir}}/{{tls_client_cert}} -extfile {{cert_dir}}/{{tls_client_extfile}}
+ ignore_errors: true
+ run_once: true
+ when: generate_client_cert
diff --git a/tasks/generate-server-cert.yaml b/tasks/generate-server-cert.yaml
new file mode 100644
index 0000000..75c47b3
--- /dev/null
+++ b/tasks/generate-server-cert.yaml
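Review bot: The "Generate client private key" task is dead work: the following task's `openssl req -newkey rsa:... -keyout "{{cert_dir}}/{{tls_client_key}}"` writes a fresh key to the same path on every run, overwriting what `openssl_privatekey` produced and rotating the client key each time the play executes; either drop the first task or change the CSR step to `openssl req -new -key "{{cert_dir}}/{{tls_client_key}}"` so the module-generated key is the one that gets signed. The "Add required extension" task appends with `>>`, so `{{cert_dir}}/{{tls_client_extfile}}` gains another `extendedKeyUsage = clientAuth` line per run; writing it with the `copy` module's `content:` is idempotent. Every task here carries `ignore_errors: true`, so a missing CA leaves the play green with no client cert; at least the signing task should be allowed to fail the play. The `-set_serial {{ 999999999 | random }}` value is acknowledged in the TODO as not unique; a wider random serial, such as the output of `openssl rand -hex 16`, makes a collision under the same CA far less likely.
```yaml
# … unchanged: key, CSR and signing tasks …
 - name: Add required extension for client authentication
   local_action:
     module: copy
     content: "extendedKeyUsage = clientAuth\n"
     dest: "{{cert_dir}}/{{tls_client_extfile}}"
   run_once: true
   when: generate_client_cert
```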
@@ -0,0 +1,28 @@
+---
+ # Generate server cert
+ - name: Create CSR for server cert
+ local_action:
+ module: >
+ shell openssl req -newkey rsa:{{tls_server_key_size}} -nodes -subj "/CN={{inventory_hostname}}"
+ -keyout "{{cert_dir}}/{{inventory_hostname_short}}.key" -out "{{cert_dir}}/{{inventory_hostname_short}}.csr"
+ ignore_errors: true
+ when: generate_server_cert
+
+ - name: Generate certificate extensions file
+ local_action:
+ module: template
+ src: templates/server-cert-extfile.cnf.j2
+ dest: "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"
+ when:
+ - generate_server_cert
+ - tls_server_enable_san
+
+ - name: Sign server cert request by CA
+ local_action:
+ module: >
+ shell openssl x509 -req -sha256 -days {{tls_server_valid_days}}
+ -CA "{{cert_dir}}/{{tls_ca_cert}}" -CAkey "{{cert_dir}}/{{tls_ca_key}}" -set_serial {{ 999999999 | random }}
+ -in "{{cert_dir}}/{{inventory_hostname_short}}.csr" -out "{{cert_dir}}/{{inventory_hostname_short}}.pem"
+ {% if tls_server_enable_san %}-extfile "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"{% endif %}
+ ignore_errors: true
+ when: generate_server_cert
diff --git a/tasks/main.yml b/tasks/main.yml
index 2ec2238..54579e6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
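Review bot: "Create CSR for server cert" regenerates the server private key on every run (`openssl req -newkey ... -keyout ...` has no `creates:` guard), so each play execution rotates `{{inventory_hostname_short}}.key`, and with `ignore_errors: true` on "Sign server cert request by CA" a signing failure leaves that new key next to a `.pem` still bound to the previous one. Add `creates: "{{cert_dir}}/{{inventory_hostname_short}}.key"` under `local_action:` beside `module:` (the `shell` module's argument), or generate the key with `openssl_privatekey` plus `mode: "0600"` as generate-ca-cert.yaml does, and drop `ignore_errors: true` from the signing task so a missing CA is reported. The key written by `openssl req` presumably gets the control node's umask permissions, one more reason to prefer the module for the key.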
@@ -1,82 +1,20 @@
 ---
 # tasks file for generate-tls-certs
- - name: Generate CA private key
- local_action:
- module: openssl_privatekey
- path: "{{cert_dir}}/{{tls_ca_key}}"
- size: "{{tls_ca_key_size}}"
- run_once: true
- when: generate_ca_cert
+ - name: Generate CA cert
+ import_tasks: generate-ca-cert.yaml
+ when:
+ - generate_tls_certs
+ - generate_ca_cert|bool
- - name: Generate self-signed cert for CA
- local_action:
- module: >
- shell openssl req -x509 -new -days {{tls_ca_valid_days}} -sha256 -nodes -key {{cert_dir}}/{{tls_ca_key}} -out {{cert_dir}}/{{tls_ca_cert}}
- -subj "{% if tls_ca_country is defined%}/C={{tls_ca_country}}{% endif %}{% if tls_ca_state is defined%}/ST={{tls_ca_state}}{% endif %}{% if tls_ca_locality is defined %}/L={{tls_ca_locality}}{% endif %}{% if tls_ca_organization is defined %}/O={{tls_ca_organization}}{% endif %}{% if tls_ca_organizationalunit is defined %}/OU={{tls_ca_organizationalunit}}{% endif %}/CN={{tls_ca_commonname}}{% if tls_ca_email is defined %}/emailAddress={{tls_ca_email}}{% endif %}"
- ignore_errors: true
- run_once: true
- when: generate_ca_cert
+ - name: Generate client cert
+ import_tasks: generate-client-cert.yaml
+ when:
+ - generate_tls_certs
+ - generate_client_cert|bool
- - name: Generate client private key
- local_action:
- module: openssl_privatekey
- path: "{{cert_dir}}/{{tls_client_key}}"
- size: "{{tls_client_key_size}}"
- run_once: true
- when: generate_client_cert
-
- - name: Generate CSR and key for client cert
- local_action:
- module: >
- shell openssl req -newkey rsa:{{tls_client_key_size}} -nodes -subj "/CN={{tls_client_commonname}}"
- -keyout "{{cert_dir}}/{{tls_client_key}}" -out "{{cert_dir}}/{{tls_client_csr}}"
- ignore_errors: true
- run_once: true
- when: generate_client_cert
-
- - name: Add required extension for client authentication
- local_action:
- module: >
- shell echo extendedKeyUsage = clientAuth >> {{cert_dir}}/{{tls_client_extfile}}
- ignore_errors: true
- run_once: true
- when: generate_client_cert
-
- # @AB TODO: using OpenSSL CA serial file does not always generate unique serial when running playbook against multiple hosts
- - name: Sign client cert request with CA
- local_action:
- module: >
- shell openssl x509 -req -sha256 -days {{tls_client_valid_days}} -CA {{cert_dir}}/{{tls_ca_cert}} -CAkey {{cert_dir}}/{{tls_ca_key}}
- -set_serial {{ 999999999 | random }} -in {{cert_dir}}/{{tls_client_csr}} -out {{cert_dir}}/{{tls_client_cert}} -extfile {{cert_dir}}/{{tls_client_extfile}}
- ignore_errors: true
- run_once: true
- when: generate_client_cert
-
- # Generate server cert
- - name: Create CSR for server cert
- local_action:
- module: >
- shell openssl req -newkey rsa:{{tls_server_key_size}} -nodes -subj "/CN={{inventory_hostname}}"
- -keyout "{{cert_dir}}/{{inventory_hostname_short}}.key" -out "{{cert_dir}}/{{inventory_hostname_short}}.csr"
- ignore_errors: true
- when: generate_server_cert
-
- - name: Generate certificate extensions file
- local_action:
- module: template
- src: templates/server-cert-extfile.cnf.j2
- dest: "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"
- when:
- - generate_server_cert
- - tls_server_enable_san
-
- - name: Sign server cert request by CA
- local_action:
- module: >
- shell openssl x509 -req -sha256 -days {{tls_server_valid_days}}
- -CA "{{cert_dir}}/{{tls_ca_cert}}" -CAkey "{{cert_dir}}/{{tls_ca_key}}" -set_serial {{ 999999999 | random }}
- -in "{{cert_dir}}/{{inventory_hostname_short}}.csr" -out "{{cert_dir}}/{{inventory_hostname_short}}.pem"
- {% if tls_server_enable_san %}-extfile "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"{% endif %}
- ignore_errors: true
- when: generate_server_cert
+ - name: Generate server cert
+ import_tasks: generate-server-cert.yaml
+ when:
+ - generate_tls_certs
+ - generate_server_cert|bool
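Review bot: The three new `when:` lists cast the per-type flags with `|bool` but test `generate_tls_certs` bare, so a value supplied as a string (for example via `-e`) may be read differently for the top-level switch than for the others; use `- generate_tls_certs|bool` in all three tasks so every flag is evaluated the same way. The condition on `import_tasks` is applied to each imported task, so the `when: generate_client_cert` and `when: generate_server_cert` lines kept inside the new task files are now redundant and could be removed, leaving one place that gates the work. A comment above the first import such as `# CA key/cert must exist in cert_dir (generated here or pre-placed) before the client/server signing imports run` would document the ordering the three imports rely on.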