diff --git a/defaults/main.yml b/defaults/main.yml
index 5cc77ba..b528bd3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,11 +3,23 @@ cfssl_version: 1.6.3
 cfssl_bin_directory: /usr/bin
 cfssl_serve_url: localhost:8888
 cfssl_profile: server
+cfssl_auth_key: "0123456789ABCDEF0123456789ABCDEF"
-cnf_file: /etc/ssl/server.cnf
-key_file: /etc/ssl/private/{{inventory_hostname_short}}.key
-csr_file: /etc/ssl/{{inventory_hostname_short}}.csr
-cert_file: /etc/ssl/certs/{{inventory_hostname_short}}.pem
+crt_key:
+ algo: rsa
+ size: 4096
+
+crt_names:
+ - C: FR
+ L: 'Paris'
+ O: 'Acme'
+ OU: 'IT'
+
+ssl_dir: /etc/ssl
+cfssl_config_file: {{ssl_dir}}/cfssl.json
+cfssl_csr_file : {{ssl_dir}}/csr.json
+key_file: {{ssl_dir}}/private/{{inventory_hostname_short}}.key
+cert_file: {{ssl_dir}}certs/{{inventory_hostname_short}}.pem
 integrate_ca: yes
 ca_filename : my_intermediate_ca.crt
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index a184f56..4406412 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
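Review bot: `cfssl_auth_key` in defaults/main.yml ships a real-looking hard-coded value, and cfssl's `standard` auth type uses that value as the shared secret that authorises remote signing requests, so any deployment that does not override it authenticates to the CA with a key that is public in this repository. Drop the value from the defaults (leave it undefined so Ansible fails at template time, or add an explicit `assert` in pre_requisite.yml) and supply the real key from a vault-encrypted variable. The four new path defaults also start with an unquoted `{{ssl_dir}}`, which YAML reads as a flow mapping before Jinja runs, and `cert_file` lacks the `/` before `certs`, so it would resolve to `/etc/sslcerts/...`; write them quoted, e.g. `cfssl_config_file: "{{ ssl_dir }}/cfssl.json"` and `cert_file: "{{ ssl_dir }}/certs/{{ inventory_hostname_short }}.pem"`. `cfssl_csr_file :` has a stray space before the colon, which YAML tolerates but which is inconsistent with the surrounding keys.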
@@ -1,22 +1,32 @@
 - name: include pre_requisite.yml
 import_tasks: pre_requisite.yml
-- name: creating cnf file
+- name: creating cfssl config file
 template:
- src: server.cnf.j2
- dest: '{{cnf_file}}'
+ src: cfssl.json.j2
+ dest: '{{cfssl_config_file}}'
+ owner: root
+ group: root
+ mode: 0600
+
+- name: creating csr file
+ template:
+ src: csr.json.j2
+ dest: '{{cfssl_csr_file}}'
 owner: root
 group: root
 mode: 0644
-- name: create csr and key with openssl
- shell: 'openssl req -new -newkey rsa:2048 -nodes -sha256 -config {{cnf_file}} -out {{csr_file}} -keyout {{key_file}}'
+- name: generate private key, csr and certificate
+ shell: '{{cfssl_bin_directory}}/cfssl gencert -config {{cfssl_config_file}} -profile "{{cfssl_profile}}" {{cfssl_csr_file}}| cfssljson -bare {{inventory_hostname_short}}'
+ args:
+ chdir: '{{ssl_dir}}'
-- name: sign certificate
- shell: '{{cfssl_bin_directory}}/cfssl sign -remote "{{cfssl_serve_url}}" -profile "{{cfssl_profile}}" {{csr_file}} | cfssljson -bare -stdout > {{cert_file}}'
+- name: move key file to {{key_file}}
+ shell: 'mv {{ssl_dir}}/{{inventory_hostname_short}}-key.pem {{key_file}}'
-- name: remove csr in content certificate
- shell: 'openssl x509 -in {{cert_file}} -out {{cert_file}}'
+- name: move cert file to {{cert_file}}
+ hell: 'mv {{ssl_dir}}/{{inventory_hostname_short}}.pem {{cert_file}}'
 - name: recuperate ca certificate
 shell: '{{cfssl_bin_directory}}/cfssl info -remote "{{cfssl_serve_url}}" | cfssljson -bare -stdout > /usr/local/share/ca-certificates/{{ca_filename}}'
diff --git a/templates/cfssl.json.j2 b/templates/cfssl.json.j2
new file mode 100644
index 0000000..d6f374c
--- /dev/null
+++ b/templates/cfssl.json.j2
@@ -0,0 +1,19 @@
+{
+ "signing": {
+ "default": {
+ "auth_remote":{
+ "auth_key": "key-srv",
+ "remote": "remote-srv"
+ }
+ }
+ },
+ "auth_keys": {
+ "key-srv": {
+ "type":"standard",
+ "key":"{{cfssl_auth_key}}"
+ }
+ },
+ "remotes": {
+ "remote-srv": "{{cfssl_serve_url}}"
+ }
+}
\ No newline at end of file
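Review bot: The `move cert file to {{cert_file}}` task in tasks/main.yml has `hell:` where `shell:` is intended, so Ansible rejects the task as an unknown attribute and the certificate never reaches `{{cert_file}}`; the line should read `shell: 'mv {{ssl_dir}}/{{inventory_hostname_short}}.pem {{cert_file}}'`. In the `generate private key, csr and certificate` task the pipe hides the exit status of `cfssl gencert`, so a rejected or unreachable signing request (wrong auth key, remote down) is reported, if at all, only by `cfssljson` failing on empty input; run the command with `executable: /bin/bash` and prefix it with `set -o pipefail;`. Nothing guards that task or the two `mv` tasks from re-running, so every play regenerates the private key and requests a fresh certificate; `creates: '{{key_file}}'` next to `chdir` (and a matching `creates:` on each move) keeps them idempotent. The `cfssljson` call also lacks the `{{cfssl_bin_directory}}` prefix the `cfssl` call uses, and neither `mv` pins the key's owner or mode, so the key keeps whatever permissions `cfssljson` wrote it with; a `file:` task with `mode: '0600'` on `{{key_file}}` would make that explicit.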
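Review bot: In templates/cfssl.json.j2, `{{cfssl_auth_key}}` and `{{cfssl_serve_url}}` are interpolated straight into JSON string literals, so a value containing `"` or `\` renders an unparseable config that cfssl only rejects at the `gencert` step; the sibling csr.json.j2 already renders values with `to_json`, so use the same form here, `"key": {{ cfssl_auth_key | to_json }}` and `"remote-srv": {{ cfssl_serve_url | to_json }}`. Since the rendered file carries the signing secret in clear text, a Jinja comment at the top such as `{# Rendered config holds the cfssl auth key; keep the destination mode at 0600 #}` would document why the template task tightens the mode (Jinja comments are stripped, so the output stays valid JSON). Whether cfssl treats a scheme-less remote such as the default `localhost:8888` as HTTPS is not visible here; if it falls back to plain HTTP, the remote should be written with an explicit `https://` scheme so the signing exchange is not sent in the clear.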
diff --git a/templates/csr.json.j2 b/templates/csr.json.j2
index 2419c3b..835c2b4 100644
--- a/templates/csr.json.j2
+++ b/templates/csr.json.j2
@@ -1,6 +1,9 @@
 {
- "CN": {{item.cname | to_json}},
- "hosts": {{ (item.sans|default([]) + item.altips|default([]) + item.cname.split(',')) | to_json}},
- "key" : {{item.key | default(pki_key) | to_json}},
- "names" : {{item.names | default(pki_names) | to_json}}
-}
+ "CN": "{{inventory_hostname_short}}.{{vm_domain_name}}",
+ "hosts": [
+ "{{inventory_hostname_short}}.{{vm_domain_name}}",
+ "{{inventory_hostname_short}}-adm.{{vm_domain_name}}"
+ ],
+ "key" : {{crt_key | to_json}},
+ "names" : {{crt_names | to_json}}
+}
\ No newline at end of file
diff --git a/templates/server.cnf.j2 b/templates/server.cnf.j2
deleted file mode 100644
index fa04612..0000000
--- a/templates/server.cnf.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-[ req ]
-prompt = no
-distinguished_name = dn
-req_extensions = req_ext
-
-[ dn ]
-CN = {{inventory_hostname_short}}.{{vm_domain_name}}
-
-[ req_ext ]
-subjectAltName = DNS:{{inventory_hostname_short}}.{{vm_domain_name}},DNS:{{inventory_hostname_short}}-adm.{{vm_domain_name}}
-
-[ alt_names ]
-DNS.1 = {{inventory_hostname_short}}-adm.{{vm_domain_name}}
\ No newline at end of file
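Review bot: In templates/csr.json.j2 the CN and the two `hosts` SAN entries are hard-coded to `{{inventory_hostname_short}}` under `vm_domain_name`, while `key` and `names` in the same hunk were just made configurable through `crt_key`/`crt_names`; a list variable alongside them (e.g. a constructed `crt_hosts` defaulting to these two names) rendered as `"hosts": {{ crt_hosts | to_json }}` would keep the template consistent with the new defaults and let individual hosts add or drop SANs. `vm_domain_name` has no default in defaults/main.yml as far as this diff shows (the deleted server.cnf.j2 relied on it too), so the template fails with an undefined-variable error on any host that does not set it; either add a default or document the requirement in the role README. Spacing is inconsistent between `"CN":` and `"key" :`/`"names" :`; JSON accepts both, but one form should be used throughout.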