Generate TLS certificates

Generates a self-signed CA certificate together with client and server certificates. All key generation and signing happens locally on the Ansible control machine; only the resulting files are copied to the targets.

Notes:

  • Will not overwrite existing files in the output cert directory (cert_dir); re-running the role reuses them
  • Copies files to the remote servers only when the local files have changed
  • Optionally (see the populate_etc_hosts variable) adds to each machine's /etc/hosts one line per host in the inventory

Requirements

  • For server certificates an Ansible inventory file must be supplied, and each host's inventory hostname must be its FQDN, since that name is what ends up in the server certificate (the example inventory below uses the short names srv1 and srv2 for the Vagrant lab; in real use give the hosts their FQDNs)

Role Variables

See defaults/main.yml

Dependencies

Install the required collection via

$ ansible-galaxy collection install community.crypto

Example Playbook

The provided example playbook.yml targets two hosts (take a look at the Vagrantfile).

All cryptographic operations are performed on the control machine and only the resulting files (CA certificate, per-host key and certificate) are copied to the remote target machines.

  • playbook.yml
---
- name: Run role
  hosts: all
  roles:
    - role: generate-tls-certs
  • inventory.yml
---
all:
  hosts:
    srv1:
      ansible_host: 192.168.123.30
    srv2:
      ansible_host: 192.168.123.31
  vars:
    cert_dir: ./certs
    generate_ca_cert: true
    generate_client_cert: true
    generate_server_cert: true
    tls_ca_email: me@example.org
    tls_ca_country: EU
    tls_ca_state: Italy
    tls_ca_locality: Rome
    tls_ca_organization: Example Inc.
    tls_ca_organizationalunit: SysAdmins
    populate_etc_hosts: yes
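The task layout described above (generate everything on the control machine with the community.crypto modules, then ship only the resulting files), as an added example that is not the role's own tasks/main.yml. Variable names cert_dir and tls_ca_* come from the inventory above; the file names (ca.key, ca.crt, <host>.key/.csr/.crt), the remote directory /etc/ssl/generated and the certificate lifetimes are assumptions.

```yaml
# Added illustration, not the role's own tasks/main.yml. cert_dir and
# tls_ca_* come from the inventory; file names, remote dir and lifetimes are assumed.
---
# 1. CA: generated once on the control machine. The community.crypto modules
#    default to force: false, so files already in cert_dir are reused, not overwritten.
- name: Generate CA private key
  community.crypto.openssl_privatekey:
    path: "{{ cert_dir }}/ca.key"
    type: RSA
    size: 4096
  delegate_to: localhost
  run_once: true

- name: Generate CA CSR (subject taken from the tls_ca_* variables)
  community.crypto.openssl_csr:
    path: "{{ cert_dir }}/ca.csr"
    privatekey_path: "{{ cert_dir }}/ca.key"
    common_name: "{{ tls_ca_organization }} CA"
    email_address: "{{ tls_ca_email }}"
    country_name: "{{ tls_ca_country }}"
    state_or_province_name: "{{ tls_ca_state }}"
    locality_name: "{{ tls_ca_locality }}"
    organization_name: "{{ tls_ca_organization }}"
    organizational_unit_name: "{{ tls_ca_organizationalunit }}"
    basic_constraints: ["CA:TRUE"]
    key_usage: [keyCertSign, cRLSign]
  delegate_to: localhost
  run_once: true

- name: Self-sign the CA certificate
  community.crypto.x509_certificate:
    path: "{{ cert_dir }}/ca.crt"
    csr_path: "{{ cert_dir }}/ca.csr"
    privatekey_path: "{{ cert_dir }}/ca.key"
    provider: selfsigned
    selfsigned_not_after: "+3650d"
  delegate_to: localhost
  run_once: true

# 2. One server certificate per inventory host. inventory_hostname must be the
#    FQDN (see Requirements): it becomes the CN and the DNS SAN that clients
#    check. ansible_host is added as an IP SAN.
- name: Generate server private key
  community.crypto.openssl_privatekey:
    path: "{{ cert_dir }}/{{ inventory_hostname }}.key"
    type: RSA
    size: 2048
  delegate_to: localhost

- name: Generate server CSR
  community.crypto.openssl_csr:
    path: "{{ cert_dir }}/{{ inventory_hostname }}.csr"
    privatekey_path: "{{ cert_dir }}/{{ inventory_hostname }}.key"
    common_name: "{{ inventory_hostname }}"
    subject_alt_name:
      - "DNS:{{ inventory_hostname }}"
      - "IP:{{ ansible_host }}"
    basic_constraints: ["CA:FALSE"]
    key_usage: [digitalSignature, keyEncipherment]
    extended_key_usage: [serverAuth]
  delegate_to: localhost

- name: Sign the server certificate with the CA
  community.crypto.x509_certificate:
    path: "{{ cert_dir }}/{{ inventory_hostname }}.crt"
    csr_path: "{{ cert_dir }}/{{ inventory_hostname }}.csr"
    provider: ownca
    ownca_path: "{{ cert_dir }}/ca.crt"
    ownca_privatekey_path: "{{ cert_dir }}/ca.key"
    ownca_not_after: "+365d"
  delegate_to: localhost

# 3. Ship only the CA certificate plus this host's own key and cert (never
#    ca.key). copy compares checksums, so unchanged local files cause no change.
- name: Create remote certificate directory
  ansible.builtin.file:
    path: /etc/ssl/generated
    state: directory
    mode: "0755"

- name: Copy certificates to the target
  ansible.builtin.copy:
    src: "{{ cert_dir }}/{{ item.name }}"
    dest: "/etc/ssl/generated/{{ item.name }}"
    mode: "{{ item.mode }}"
  loop:
    - { name: ca.crt, mode: "0644" }
    - { name: "{{ inventory_hostname }}.crt", mode: "0644" }
    - { name: "{{ inventory_hostname }}.key", mode: "0600" }

# 4. Sanity check on the control machine: openssl verify exits non-zero if the
#    issued certificate does not chain to the CA, which fails the play.
- name: Verify server certificate against the CA
  ansible.builtin.command:
    argv: [openssl, verify, -CAfile, "{{ cert_dir }}/ca.crt",
           "{{ cert_dir }}/{{ inventory_hostname }}.crt"]
  delegate_to: localhost
  changed_when: false
```

Two points worth keeping in mind when adapting this: the CA private key stays on the control machine (it is deliberately absent from the copy loop), and the "will not overwrite" behaviour relies on the modules' default force: false, so rotating a certificate means deleting the corresponding file from cert_dir before re-running, not editing the tasks.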

If you want to tinker, you can use vagrant with the provided Vagrantfile. It assumes vagrant-libvirt is installed (along with libvirt, of course).

Run it like this:

$ vagrant up --provider=libvirt --provision