switch to csr.json mode

defaults/main.yml

@@ -3,11 +3,23 @@ cfssl_version: 1.6.3
 cfssl_bin_directory: /usr/bin
 cfssl_serve_url: localhost:8888
 cfssl_profile: server
+cfssl_auth_key: "0123456789ABCDEF0123456789ABCDEF"
 
-cnf_file: /etc/ssl/server.cnf
-key_file: /etc/ssl/private/{{inventory_hostname_short}}.key
-csr_file: /etc/ssl/{{inventory_hostname_short}}.csr
-cert_file: /etc/ssl/certs/{{inventory_hostname_short}}.pem
+crt_key:
+    algo: rsa
+    size: 4096
+
+crt_names:
+  - C: FR
+    L: 'Paris'
+    O: 'Acme'
+    OU: 'IT'
+
+ssl_dir: /etc/ssl
+cfssl_config_file: {{ssl_dir}}/cfssl.json
+cfssl_csr_file : {{ssl_dir}}/csr.json
+key_file: {{ssl_dir}}/private/{{inventory_hostname_short}}.key
+cert_file: {{ssl_dir}}certs/{{inventory_hostname_short}}.pem
 
 integrate_ca: yes
 ca_filename : my_intermediate_ca.crt

tasks/main.yml

@@ -1,22 +1,32 @@
 - name: include pre_requisite.yml
   import_tasks: pre_requisite.yml
 
-- name: creating cnf file
+- name: creating cfssl config file
   template:
-    src: server.cnf.j2
-    dest: '{{cnf_file}}'
+    src: cfssl.json.j2
+    dest: '{{cfssl_config_file}}'
+    owner: root
+    group: root
+    mode: 0600
+
+- name: creating csr file
+  template:
+    src: csr.json.j2
+    dest: '{{cfssl_csr_file}}'
     owner: root
     group: root
     mode: 0644
 
-- name: create csr and key with openssl
-  shell: 'openssl req -new -newkey rsa:2048 -nodes -sha256 -config {{cnf_file}} -out {{csr_file}} -keyout {{key_file}}'
+- name: generate private key, csr and certificate
+  shell: '{{cfssl_bin_directory}}/cfssl gencert -config {{cfssl_config_file}} -profile "{{cfssl_profile}}" {{cfssl_csr_file}}| cfssljson -bare {{inventory_hostname_short}}'
+  args:
+    chdir: '{{ssl_dir}}'
 
-- name: sign certificate
-  shell: '{{cfssl_bin_directory}}/cfssl sign -remote "{{cfssl_serve_url}}" -profile "{{cfssl_profile}}" {{csr_file}} | cfssljson -bare -stdout > {{cert_file}}'
+- name: move key file to {{key_file}}
+  shell: 'mv {{ssl_dir}}/{{inventory_hostname_short}}-key.pem {{key_file}}'
 
-- name: remove csr in content certificate
-  shell: 'openssl x509 -in {{cert_file}} -out {{cert_file}}'
+- name: move cert file to {{cert_file}}
+  hell: 'mv {{ssl_dir}}/{{inventory_hostname_short}}.pem {{cert_file}}'
 
 - name: recuperate ca certificate
   shell: '{{cfssl_bin_directory}}/cfssl info -remote "{{cfssl_serve_url}}"  | cfssljson -bare -stdout > /usr/local/share/ca-certificates/{{ca_filename}}'

templates/cfssl.json.j2

@@ -0,0 +1,19 @@
+{
+  "signing": {
+    "default": {
+      "auth_remote":{
+        "auth_key": "key-srv",
+        "remote": "remote-srv"
+      }
+    }
+  },
+  "auth_keys": {
+    "key-srv": {
+      "type":"standard",
+      "key":"{{cfssl_auth_key}}"
+    }
+  },
+  "remotes": {
+    "remote-srv": "{{cfssl_serve_url}}"
+  }
+}

templates/csr.json.j2

@@ -1,6 +1,9 @@
 {
-    "CN": {{item.cname | to_json}},
-    "hosts": {{ (item.sans|default([]) + item.altips|default([]) + item.cname.split(',')) | to_json}},
-    "key" : {{item.key | default(pki_key) | to_json}},
-    "names" : {{item.names | default(pki_names) | to_json}}
-}
+    "CN": "{{inventory_hostname_short}}.{{vm_domain_name}}",
+    "hosts": [
+        "{{inventory_hostname_short}}.{{vm_domain_name}}",
+        "{{inventory_hostname_short}}-adm.{{vm_domain_name}}"
+    ],
+    "key" : {{crt_key | to_json}},
+    "names" : {{crt_names | to_json}}
+}

templates/server.cnf.j2

@@ -1,13 +0,0 @@
-[ req ]
-prompt = no
-distinguished_name = dn
-req_extensions = req_ext
-
-[ dn ]
-CN = {{inventory_hostname_short}}.{{vm_domain_name}}
-
-[ req_ext ]
-subjectAltName = DNS:{{inventory_hostname_short}}.{{vm_domain_name}},DNS:{{inventory_hostname_short}}-adm.{{vm_domain_name}}
-
-[ alt_names ]
-DNS.1 = {{inventory_hostname_short}}-adm.{{vm_domain_name}}