88 lines
2.5 KiB
YAML
88 lines
2.5 KiB
YAML
---
|
|
- name: Ensure the custom directories to host certificates are present
|
|
become: yes
|
|
file:
|
|
state: directory
|
|
recurse: yes
|
|
path: "{{ gen_tls_remote_certs_dir }}/{{ item.path }}"
|
|
mode: "{{ item.mode }}"
|
|
owner: root
|
|
group: root
|
|
loop:
|
|
- {path: local/certs, mode: "0755"}
|
|
- {path: local/private, mode: "0700"}
|
|
|
|
- name: Check if the client private key exists
|
|
delegate_to: localhost
|
|
stat:
|
|
path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}"
|
|
register: client_key
|
|
|
|
- name: Generate client private key
|
|
delegate_to: localhost
|
|
community.crypto.openssl_privatekey:
|
|
path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}"
|
|
size: "{{ gen_tls_client_key_size}}"
|
|
when:
|
|
- not client_key.stat.exists
|
|
- generate_client_cert
|
|
register: client_key_file
|
|
|
|
- name: Copy the key on the server
|
|
become: yes
|
|
copy:
|
|
src: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key}}"
|
|
dest: "{{ gen_tls_remote_certs_dir }}/local/certs/"
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
when: client_key_file.changed
|
|
|
|
- name: Check if the client CSR exists
|
|
delegate_to: localhost
|
|
stat:
|
|
path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}"
|
|
register: client_csr
|
|
|
|
- name: Generate CSR and key for client cert
|
|
delegate_to: localhost
|
|
community.crypto.openssl_csr:
|
|
path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}"
|
|
privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}"
|
|
common_name: "{{ gen_tls_client_commonname }}"
|
|
extended_key_usage:
|
|
- clientAuth
|
|
when:
|
|
- not client_csr.stat.exists
|
|
- generate_client_cert
|
|
|
|
- name: Check if the client cert exists
|
|
delegate_to: localhost
|
|
stat:
|
|
path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}"
|
|
register: client_crt
|
|
|
|
- name: Create and sign server cert request by CA
|
|
delegate_to: localhost
|
|
community.crypto.x509_certificate:
|
|
path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}"
|
|
csr_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}"
|
|
ownca_not_after: "+{{ gen_tls_client_valid_days }}d"
|
|
ownca_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}"
|
|
ownca_privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}"
|
|
provider: ownca
|
|
when:
|
|
- not client_crt.stat.exists
|
|
- generate_client_cert
|
|
register: client_cert_file
|
|
|
|
- name: Copy the certificate to the remote machine
|
|
become: yes
|
|
copy:
|
|
src: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}"
|
|
dest: "{{ gen_tls_remote_certs_dir }}/local/private"
|
|
mode: 0600
|
|
owner: root
|
|
group: root
|
|
when: client_cert_file.changed
|