47 lines
1.6 KiB
YAML
47 lines
1.6 KiB
YAML
---
|
|
|
|
- name: Generate client private key
|
|
local_action:
|
|
module: openssl_privatekey
|
|
path: "{{cert_dir}}/{{tls_client_key}}"
|
|
size: "{{tls_client_key_size}}"
|
|
run_once: true
|
|
when: generate_client_cert
|
|
|
|
- name: Generate CSR and key for client cert
|
|
local_action:
|
|
module: |
|
|
shell if [ ! -e {{cert_dir}}/{{tls_client_csr}} ]
|
|
then
|
|
openssl req -newkey rsa:{{tls_client_key_size}} -nodes -subj "/CN={{tls_client_commonname}}" \
|
|
-keyout "{{cert_dir}}/{{tls_client_key}}" -out "{{cert_dir}}/{{tls_client_csr}}"
|
|
fi
|
|
args:
|
|
executable: /bin/bash
|
|
ignore_errors: true
|
|
run_once: true
|
|
when: generate_client_cert
|
|
|
|
- name: Add required extension for client authentication
|
|
local_action:
|
|
module: >
|
|
shell echo extendedKeyUsage = clientAuth >> {{cert_dir}}/{{tls_client_extfile}}
|
|
ignore_errors: true
|
|
run_once: true
|
|
when: generate_client_cert
|
|
|
|
# @AB TODO: using OpenSSL CA serial file does not always generate unique serial when running playbook against multiple hosts
|
|
- name: Sign client cert request with CA
|
|
local_action:
|
|
module: |
|
|
shell if [ ! -e {{cert_dir}}/{{tls_client_cert}} ]
|
|
then
|
|
openssl x509 -req -sha256 -days {{tls_client_valid_days}} -CA {{cert_dir}}/{{tls_ca_cert}} -CAkey {{cert_dir}}/{{tls_ca_key}} \
|
|
-set_serial {{ 999999999 | random }} -in {{cert_dir}}/{{tls_client_csr}} -out {{cert_dir}}/{{tls_client_cert}} -extfile {{cert_dir}}/{{tls_client_extfile}}
|
|
fi
|
|
args:
|
|
executable: /bin/bash
|
|
ignore_errors: true
|
|
run_once: true
|
|
when: generate_client_cert
|