diff --git a/README.md b/README.md index eca11cb..6413ba2 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ Generates self-signed CA, client and server certificates. Runs locally on contro Notes: - Will not overwrite any files in output cert dir - Will not copy the files to the remote servers if the local files are unchanged -- Will optionally (see `populate_etc_hosts` variable) add to each machine's `/etc/hosts` +- Will optionally (see `gen_tls_populate_etc_hosts` variable) add to each machine's `/etc/hosts` a line for each host in the inventory. @@ -56,17 +56,17 @@ the resulting relevant files are `copy`ed to the remote target machine. srv2: ansible_host: 192.168.123.31 vars: - cert_dir: ./certs - generate_ca_cert: true - generate_client_cert: true - generate_server_cert: true - tls_ca_email: me@example.org - tls_ca_country: EU - tls_ca_state: Italy - tls_ca_locality: Rome - tls_ca_organization: Example Inc. - tls_ca_organizationalunit: SysAdmins - populate_etc_hosts: yes + gen_tls_cert_dir: ./certs + gen_tls_generate_ca_cert: true + gen_tls_generate_client_cert: true + gen_tls_generate_server_cert: true + gen_tls_ca_email: me@example.org + gen_tls_ca_country: EU + gen_tls_ca_state: Italy + gen_tls_ca_locality: Rome + gen_tls_ca_organization: Example Inc. + gen_tls_ca_organizationalunit: SysAdmins + gen_tls_populate_etc_hosts: yes ``` If you want to tinker, you can use `vagrant` with the provided `Vagrantfile`. diff --git a/defaults/main.yml b/defaults/main.yml index b87b9d1..d975f0e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,52 +1,52 @@ --- # defaults file for generate-tls-certs -generate_tls_certs: true +gen_tls_generate_certs: true # Do not put trailing slash "/" -cert_dir: ./certs -remote_certs_dir: /etc/ssl -remote_ca_certs_dir: /etc/ssl/certs -generate_ca_cert: false -generate_client_cert: false -generate_server_cert: false +gen_tls_cert_dir: ./certs +gen_tls_remote_certs_dir: /etc/ssl +gen_tls_remote_ca_certs_dir: /etc/ssl/certs +gen_tls_generate_ca_cert: false +gen_tls_generate_client_cert: false +gen_tls_generate_server_cert: false # ------- # CA CERT # ------- -tls_ca_cert: ca.pem -tls_ca_csr: ca.csr -tls_ca_key: ca.key -tls_ca_key_size: 4096 +gen_tls_ca_cert: ca.pem +gen_tls_ca_csr: ca.csr +gen_tls_ca_key: ca.key +gen_tls_ca_key_size: 4096 # 10 years -tls_ca_valid_days: 3650 -# tls_ca_country: -# tls_ca_state: -# tls_ca_locality: -# tls_ca_organization: -# tls_ca_organizationalunit: -tls_ca_commonname: Certificate Authority -#tls_ca_email: +gen_tls_ca_valid_days: 3650 +# gen_tls_ca_country: +# gen_tls_ca_state: +# gen_tls_ca_locality: +# gen_tls_ca_organization: +# gen_tls_ca_organizationalunit: +gen_tls_ca_commonname: Certificate Authority +#gen_tls_ca_email: # ----------- # CLIENT CERT # ----------- -tls_client_cert: client.pem -tls_client_key: client.key -tls_client_csr: client.csr -tls_client_key_size: 4096 -tls_client_commonname: Client +gen_tls_client_cert: client.pem +gen_tls_client_key: client.key +gen_tls_client_csr: client.csr +gen_tls_client_key_size: 4096 +gen_tls_client_commonname: Client # 2 years -tls_client_valid_days: 730 +gen_tls_client_valid_days: 730 # ----------- # SERVER CERT # ----------- # 2 years -tls_server_valid_days: 730 -tls_server_key_size: 4096 +gen_tls_server_valid_days: 730 +gen_tls_server_key_size: 4096 # Enable Subject Alternate Name (SAN) -tls_server_enable_san: true +gen_tls_server_enable_san: true # ------------------- # POPULATE /etc/hosts # ------------------- -populate_etc_hosts: false +gen_tls_populate_etc_hosts: false 
diff --git a/inventory.yml b/inventory.yml index b4ca4b4..d0b3a0e 100644 --- a/inventory.yml +++ b/inventory.yml @@ -6,14 +6,14 @@ all: srv2: ansible_host: 192.168.123.31 vars: - cert_dir: ./certs - generate_ca_cert: true - generate_client_cert: true - generate_server_cert: true - tls_ca_email: me@example.org - tls_ca_country: EU - tls_ca_state: Italy - tls_ca_locality: Rome - tls_ca_organization: Example Inc. - tls_ca_organizationalunit: SysAdmins - populate_etc_hosts: yes + gen_tls_cert_dir: ./certs + gen_tls_generate_ca_cert: true + gen_tls_generate_client_cert: true + gen_tls_generate_server_cert: true + gen_tls_ca_email: me@example.org + gen_tls_ca_country: EU + gen_tls_ca_state: Italy + gen_tls_ca_locality: Rome + gen_tls_ca_organization: Example Inc. + gen_tls_ca_organizationalunit: SysAdmins + gen_tls_populate_etc_hosts: yes diff --git a/tasks/generate-ca-cert.yaml b/tasks/generate-ca-cert.yaml index 8c79920..f61d719 100644 --- a/tasks/generate-ca-cert.yaml +++ b/tasks/generate-ca-cert.yaml 
@@ -2,61 +2,61 @@ - name: Check if the CA private key exists delegate_to: localhost ansible.builtin.stat: - path: "{{ cert_dir }}/{{ tls_ca_key }}" + path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}" register: ca_key - name: Generate CA private key delegate_to: localhost community.crypto.openssl_privatekey: - path: "{{ cert_dir }}/{{ tls_ca_key }}" - size: "{{ tls_ca_key_size }}" + path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}" + size: "{{ gen_tls_ca_key_size }}" run_once: true when: not ca_key.stat.exists - name: Check if the CA CSR exists delegate_to: localhost stat: - path: "{{ cert_dir }}/{{ tls_ca_csr }}" + path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_csr }}" register: ca_csr - name: Create CSR for CA delegate_to: localhost community.crypto.openssl_csr: - path: "{{ cert_dir }}/{{ tls_ca_csr }}" - privatekey_path: "{{ cert_dir }}/{{ tls_ca_key }}" + path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_csr }}" + privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}" basic_constraints: - "CA:TRUE" - common_name: "{{ tls_ca_commonname|default('') }}" - country_name: "{{ tls_ca_country|default('') }}" - state_or_province_name: "{{ tls_ca_state|default('') }}" - locality_name: "{{ tls_ca_locality|default('') }}" - organization_name: "{{ tls_ca_organization|default('') }}" - organizational_unit_name: "{{ tls_ca_organizationalunit|default('') }}" - email_address: "{{ tls_ca_email }}" + common_name: "{{ gen_tls_ca_commonname|default('') }}" + country_name: "{{ gen_tls_ca_country|default('') }}" + state_or_province_name: "{{ gen_tls_ca_state|default('') }}" + locality_name: "{{ gen_tls_ca_locality|default('') }}" + organization_name: "{{ gen_tls_ca_organization|default('') }}" + organizational_unit_name: "{{ gen_tls_ca_organizationalunit|default('') }}" + email_address: "{{ gen_tls_ca_email }}" use_common_name_for_san: no when: not ca_csr.stat.exists - name: Check if the CA cert exists delegate_to: localhost stat: - path: "{{ cert_dir }}/{{ tls_ca_cert }}" + path: 
"{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}" register: ca_cert - name: Create and sign server cert for CA delegate_to: localhost community.crypto.x509_certificate: - path: "{{ cert_dir }}/{{ tls_ca_cert }}" - privatekey_path: "{{ cert_dir }}/{{ tls_ca_key }}" - csr_path: "{{ cert_dir }}/{{ tls_ca_csr }}" - selfsigned_not_after: "+{{ tls_ca_valid_days }}d" + path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}" + privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}" + csr_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_csr }}" + selfsigned_not_after: "+{{ gen_tls_ca_valid_days }}d" provider: selfsigned when: not ca_cert.stat.exists register: ca_cert_file - name: Copy the CA certificate to the remote machine copy: - src: "{{ cert_dir }}/{{ tls_ca_cert }}" - dest: "{{ remote_ca_certs_dir }}" + src: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}" + dest: "{{ gen_tls_remote_ca_certs_dir }}" mode: 0644 owner: root group: root diff --git a/tasks/generate-client-cert.yaml b/tasks/generate-client-cert.yaml index f1d7245..795e1cb 100644 --- a/tasks/generate-client-cert.yaml +++ b/tasks/generate-client-cert.yaml @@ -4,7 +4,7 @@ file: state: directory recurse: yes - path: "{{ remote_certs_dir }}/{{ item.path }}" + path: "{{ gen_tls_remote_certs_dir }}/{{ item.path }}" mode: "{{ item.mode }}" owner: root group: root @@ -15,14 +15,14 @@ - name: Check if the client private key exists delegate_to: localhost stat: - path: "{{ cert_dir }}/{{ tls_client_key }}" + path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}" register: client_key - name: Generate client private key delegate_to: localhost community.crypto.openssl_privatekey: - path: "{{ cert_dir }}/{{ tls_client_key }}" - size: "{{ tls_client_key_size}}" + path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}" + size: "{{ gen_tls_client_key_size}}" when: - not client_key.stat.exists - generate_client_cert 
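Review bot: In the "Create CSR for CA" task, `email_address: "{{ gen_tls_ca_email }}"` is the only subject field rendered without a default, while the defaults/main.yml hunk keeps `#gen_tls_ca_email:` commented out, so a run that never sets the variable fails on an undefined variable instead of omitting the field. The sibling fields use `|default('')`; making this one consistent, `email_address: "{{ gen_tls_ca_email|default('') }}"`, keeps the rename from turning a documented-optional setting into a hard requirement. The task name "Create and sign server cert for CA" describes the self-signed CA certificate, not a server cert; `- name: Create self-signed CA certificate` reads closer to what the task does.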
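Review bot: The `when:` list of "Generate client private key" still reads `- generate_client_cert`, an unchanged context line at the end of hunk @@ -15,14, while the role's defaults now define only `gen_tls_generate_client_cert`; on a fresh run where the key does not yet exist this evaluates an undefined variable unless the caller keeps setting the old name. The line should follow the rest of the rename, `- gen_tls_generate_client_cert`. The `when:` lists of the two later hunks in this file (@@ -41,15 and @@ -59,17) are cut off at the hunk edge and likely carry the same leftover; a search for the un-prefixed names before merging would confirm.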
@@ -31,8 +31,8 @@ - name: Copy the key on the server become: yes copy: - src: "{{ cert_dir }}/{{ tls_client_key}}" - dest: "{{ remote_certs_dir }}/local/certs/" + src: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key}}" + dest: "{{ gen_tls_remote_certs_dir }}/local/certs/" mode: 0644 owner: root group: root @@ -41,15 +41,15 @@ - name: Check if the client CSR exists delegate_to: localhost stat: - path: "{{ cert_dir }}/{{ tls_client_csr }}" + path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}" register: client_csr - name: Generate CSR and key for client cert delegate_to: localhost community.crypto.openssl_csr: - path: "{{ cert_dir }}/{{ tls_client_csr }}" - privatekey_path: "{{ cert_dir }}/{{ tls_client_key }}" - common_name: "{{ tls_client_commonname }}" + path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}" + privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}" + common_name: "{{ gen_tls_client_commonname }}" extended_key_usage: - clientAuth when: @@ -59,17 +59,17 @@ - name: Check if the client cert exists delegate_to: localhost stat: - path: "{{ cert_dir }}/{{ tls_client_cert }}" + path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}" register: client_crt - name: Create and sign server cert request by CA delegate_to: localhost community.crypto.x509_certificate: - path: "{{ cert_dir }}/{{ tls_client_cert }}" - csr_path: "{{ cert_dir }}/{{ tls_client_csr }}" - ownca_not_after: "+{{ tls_client_valid_days }}d" - ownca_path: "{{ cert_dir }}/{{ tls_ca_cert }}" - ownca_privatekey_path: "{{ cert_dir }}/{{ tls_ca_key }}" + path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}" + csr_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}" + ownca_not_after: "+{{ gen_tls_client_valid_days }}d" + ownca_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}" + ownca_privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}" provider: ownca when: - not client_crt.stat.exists 
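Review bot: "Copy the key on the server" installs the client private key under `{{ gen_tls_remote_certs_dir }}/local/certs/` with `mode: 0644`, i.e. world-readable, while hunk @@ -79,8 puts the public certificate into `local/private` with `mode: 0600`; the restrictive permissions are applied to the wrong file. The key is the secret, so it belongs in the private directory with `dest: "{{ gen_tls_remote_certs_dir }}/local/private/"` and `mode: "0600"` (quoted so the octal is not re-typed by a YAML 1.2 loader). The same swap appears in tasks/generate-server-cert.yaml hunk @@ -15,21. It predates this commit, but the rename already touches every one of these lines, so it is the natural moment to correct it.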
@@ -79,8 +79,8 @@ - name: Copy the certificate to the remote machine become: yes copy: - src: "{{ cert_dir }}/{{ tls_client_cert }}" - dest: "{{ remote_certs_dir }}/local/private" + src: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}" + dest: "{{ gen_tls_remote_certs_dir }}/local/private" mode: 0600 owner: root group: root diff --git a/tasks/generate-server-cert.yaml b/tasks/generate-server-cert.yaml index 70c4b00..025ae36 100644 --- a/tasks/generate-server-cert.yaml +++ b/tasks/generate-server-cert.yaml @@ -4,7 +4,7 @@ file: state: directory recurse: yes - path: "{{ remote_certs_dir }}/{{ item.path }}" + path: "{{ gen_tls_remote_certs_dir }}/{{ item.path }}" mode: "{{ item.mode }}" owner: root group: root @@ -15,21 +15,21 @@ - name: Check if the server private key exists delegate_to: localhost stat: - path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key" + path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key" register: server_key - name: Create PEM private key for server delegate_to: localhost community.crypto.openssl_privatekey: - path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key" + path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key" when: not server_key.stat.exists register: server_key_file - name: Copy the key on the server become: yes copy: - src: "{{ cert_dir }}/{{ inventory_hostname_short }}.key" - dest: "{{ remote_certs_dir }}/local/certs/" + src: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key" + dest: "{{ gen_tls_remote_certs_dir }}/local/certs/" mode: 0644 owner: root group: root 
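Review bot: "Create PEM private key for server" in hunk @@ -15,21 calls `community.crypto.openssl_privatekey` with only `path:`, so `gen_tls_server_key_size: 4096` from defaults/main.yml is never applied and the key is generated at the module's own default size, unlike the CA and client keys, which pass `size:`. Adding `size: "{{ gen_tls_server_key_size }}"` under `path:` makes the variable effective and the three key tasks consistent. If the omission is deliberate, a comment on the task, `# key size intentionally left at the module default`, would stop the next reader from treating the unused variable as a bug.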
@@ -38,58 +38,58 @@ - name: Check if the server CSR exists delegate_to: localhost stat: - path: "{{ cert_dir }}/{{ inventory_hostname_short }}.csr" + path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr" register: server_csr - name: Create CSR for server cert delegate_to: localhost community.crypto.openssl_csr: - path: "{{ cert_dir }}/{{ inventory_hostname_short }}.csr" - privatekey_path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key" + path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr" + privatekey_path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key" common_name: "{{ inventory_hostname_short }}" when: - not server_csr.stat.exists - - generate_server_cert - - not tls_server_enable_san + - gen_tls_generate_server_cert + - not gen_tls_server_enable_san - name: Create CSR for server cert delegate_to: localhost community.crypto.openssl_csr: - path: "{{ cert_dir }}/{{ inventory_hostname_short }}.csr" - privatekey_path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key" + path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr" + privatekey_path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key" common_name: "{{inventory_hostname_short}}" subject_alt_name: "DNS:{{inventory_hostname}},DNS:{{inventory_hostname_short}},IP:{{(alt_interface_ip is defined) | ternary(alt_interface_ip, ansible_default_ipv4.address)}},IP:0.0.0.0,IP:127.0.0.1" when: - not server_csr.stat.exists - - generate_server_cert - - tls_server_enable_san + - gen_tls_generate_server_cert + - gen_tls_server_enable_san - name: Check if the server cert exists delegate_to: localhost stat: - path: "{{ cert_dir }}/{{ inventory_hostname_short }}.pem" + path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.pem" register: server_crt - name: Create and sign server cert request by CA delegate_to: localhost community.crypto.x509_certificate: - path: "{{ cert_dir }}/{{ inventory_hostname_short }}.pem" - csr_path: "{{ cert_dir }}/{{ 
inventory_hostname_short }}.csr" - ownca_not_after: "+{{ tls_server_valid_days }}d" - ownca_path: "{{ cert_dir }}/{{ tls_ca_cert }}" - ownca_privatekey_path: "{{ cert_dir }}/{{ tls_ca_key }}" + path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.pem" + csr_path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr" + ownca_not_after: "+{{ gen_tls_server_valid_days }}d" + ownca_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}" + ownca_privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}" provider: ownca ignore_errors: true when: - not server_crt.stat.exists - - generate_server_cert + - gen_tls_generate_server_cert register: server_cert_file - name: Copy the certificate to the remote machine become: yes copy: - src: "{{ cert_dir }}/{{ inventory_hostname_short }}.pem" - dest: "{{ remote_certs_dir }}/local/private" + src: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.pem" + dest: "{{ gen_tls_remote_certs_dir }}/local/private" mode: 0600 owner: root group: root diff --git a/tasks/main.yml b/tasks/main.yml index 653c8cf..9e3a078 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,21 +3,21 @@ - name: Generate CA cert include_tasks: generate-ca-cert.yaml when: - - generate_tls_certs - - generate_ca_cert|bool + - gen_tls_generate_certs + - gen_tls_generate_ca_cert|bool - name: Generate client cert include_tasks: generate-client-cert.yaml when: - - generate_tls_certs - - generate_client_cert|bool + - gen_tls_generate_certs + - gen_tls_generate_client_cert|bool - name: Generate server cert include_tasks: generate-server-cert.yaml when: - - generate_tls_certs - - generate_server_cert|bool + - gen_tls_generate_certs + - gen_tls_generate_server_cert|bool - name: Populate /etc/hosts with inventory's hosts include_tasks: populate-etc-hosts.yaml - when: populate_etc_hosts|bool + when: gen_tls_populate_etc_hosts|bool
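Review bot: "Create and sign server cert request by CA" carries `ignore_errors: true`, so a signing failure (missing CA key, unreadable CSR) is swallowed and the play continues to "Copy the certificate to the remote machine", which then fails on a missing `.pem` far from the real cause. The CA and client signing tasks do not ignore errors; dropping the `ignore_errors: true` line keeps the failure where it happens. The SAN string also lists `IP:0.0.0.0`, which no client will present as the connected address; if it is intentional, a comment above `subject_alt_name:` stating why would help reviewers.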
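Review bot: The three include conditions in tasks/main.yml mix a bare `- gen_tls_generate_certs` with `|bool` on the per-type flags (`gen_tls_generate_ca_cert|bool` and so on); a value supplied as a string, such as `false` from `-e` on the command line, is truthy for the bare form and falsy for the filtered one. Writing `- gen_tls_generate_certs|bool` on all three keeps the evaluation uniform. The `populate-etc-hosts` include is not gated on `gen_tls_generate_certs`; if that is deliberate, a one-line comment above it, `# runs regardless of gen_tls_generate_certs`, would save the next reader the question.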