From a171adff47a79c5510d853ec3f934254067e698b Mon Sep 17 00:00:00 2001
From: nono
Date: Wed, 21 Dec 2022 20:51:34 +0100
Subject: [PATCH] fix role
---
defaults/main.yml | 17 ++--
tasks/main.yml | 3 +
templates/cfssl.json.j2 | 123 +++++++++++++-------------
templates/csr_ROOT_CA.json.j2 | 6 +-
templates/csr_intermediate_CA.json.j2 | 7 +-
5 files changed, 78 insertions(+), 78 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 2289c94..cf472ad 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,25 +1,24 @@
 ---
 cfssl_version: 1.6.3
-cfssl_bin_directory: /usr/bin
-cfssl_port: 8888
+cfssl_bin_directory: '/usr/bin'
+cfssl_port: '8888'
 cfssl_auth_key: "0123456789ABCDEF0123456789ABCDEF"
-pki_dir: /opt/cfssl
+pki_dir: '/opt/cfssl'
 pki_key:
- algo: rsa
+ algo: 'rsa'
 size: 4096
 pki_names:
- - C: FR
+ - C: 'FR'
 L: 'Paris'
 O: 'Acme'
 OU: 'IT'
 pki_ca:
- cname: My Internal Certification Authority
- expiry: 262800h
+ cname: 'My Internal Certification Authority'
+ expiry: '262800h'
 pki_intermediate_ca:
- cname: My Intermediate Internal Certification Authority
- expirity: 262800h
\ No newline at end of file
+ cname: 'My Intermediate Internal Certification Authority'
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index a4c604b..1dd2646 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
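Review bot: `cfssl_auth_key` still ships with the role-wide default `"0123456789ABCDEF0123456789ABCDEF"` (a context line in this hunk), and that value is the HMAC key the `standard` auth provider in `cfssl.json.j2` uses to accept signing requests, so any deployment that does not override it exposes its signing API with a credential anyone reading this repository knows. A safer default is an empty value with a fail-fast check: `cfssl_auth_key: ''` preceded by `# hex-encoded HMAC key for the cfssl API auth provider; MUST be set per deployment`, plus an `ansible.builtin.assert` in tasks that the variable is non-empty before the config is templated. Minor: the new side still ends without a trailing newline (`\ No newline at end of file`); yamllint will flag it.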
@@ -92,16 +92,19 @@ shell: '{{cfssl_bin_directory}}/cfssl gencert -initca {{pki_dir}}/csr/csr_ROOT_CA.json | {{cfssl_bin_directory}}/cfssljson -bare ca'
 args:
 chdir: '{{pki_dir}}/CA/'
+ creates: '{{pki_dir}}/CA/ca-key.pem'
 - name: create intermediate certificate authority key pair and CSR, autosign it
 shell: '{{cfssl_bin_directory}}/cfssl gencert -ca {{pki_dir}}/CA/ca.pem -ca-key {{pki_dir}}/CA/ca-key.pem -config={{pki_dir}}/etc/cfssl.json -profile="intermediate_ca" {{pki_dir}}/csr/csr_intermediate_CA.json | {{cfssl_bin_directory}}/cfssljson -bare ca-server'
 args:
 chdir: '{{pki_dir}}/CA/'
+ creates: '{{pki_dir}}/CA/ca-server-key.pem'
 - name: create sqlite3 database
 shell: 'cat {{pki_dir}}/data/init.sql | sqlite3 {{pki_dir}}/data/certdb.db'
 args:
 chdir: '{{pki_dir}}/CA/'
+ creates: '{{pki_dir}}/data/certdb.db'
 - name: Change owner of ca-server.pem by cfssl
diff --git a/templates/cfssl.json.j2 b/templates/cfssl.json.j2
index 7ef00f4..e07423d 100644
--- a/templates/cfssl.json.j2
+++ b/templates/cfssl.json.j2
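Review bot: The two `gencert` pipelines write the root and intermediate CA private keys (`ca-key.pem`, `ca-server-key.pem`) through `shell` with whatever umask the login shell has, and nothing in this hunk restricts their mode; the next task (`Change owner of ca-server.pem by cfssl`) is cut off, so if no later task applies a restrictive `mode`, prefix both commands with `umask 077; ` so the key files are never world-readable, even briefly. The pipelines also return only `cfssljson`'s exit status; adding `executable: /bin/bash` under `args` and `set -o pipefail; ` at the start of the command makes a failed `cfssl gencert` fail the task rather than possibly being masked. The new `creates:` guards are the right fix for idempotence, but they also mean a later change to `pki_ca` or `pki_names` will not regenerate an existing CA, which deserves a comment on each task, e.g. `# never re-run once the key exists; delete the file deliberately to rotate`.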
@@ -1,72 +1,71 @@ { - "auth_keys": { - "key_srv": { - "type": "standard", - "key":"{{cfssl_auth_key}}" - } + "auth_keys": { + "key_srv": { + "type": "standard", + "key": "{{cfssl_auth_key}}" + } + }, + "signing": { + "default": { + "auth_key": "key_srv", + "crl_url": "http://{{inventory_hostname_short}}.{{vm_domain_name}}:8888/crl", + "expiry": "26280h", + "usages": [ + "signing", + "key encipherment", + "client auth" + ] }, - "signing": { - "default": { - "auth_key": "key_srv", - "crl_url": "http://{{inventory_hostname_short}}.{{vm_domain_name}}:8888/crl", - "expiry": "26280h", - "usages": [ - "signing", - "key encipherment", - "client auth" - ] - }, - "profiles": { - "intermediate_ca": { - "auth_key": "key_srv", - "usages": [ - "signing", - "digital signature", - "key encipherment", - "cert sign", - "crl sign", - "server auth", - "client auth" - ], - "expiry": "87600h", - "ca_constraint": { - "is_ca": true, - "max_path_len": 0, - "max_path_len_zero": true - } - }, - "server_client": { - "auth_key": "key_srv", - "usages": [ + "profiles": { + "intermediate_ca": { + "auth_key": "key_srv", + "usages": [ "signing", - "digital signing", + "digital signature", "key encipherment", + "cert sign", + "crl sign", "server auth", "client auth" - ], - "expiry": "8760h" - }, - "server": { - "auth_key": "key_srv", - "usages": [ - "signing", - "digital signature", - "key encipherment", - "server auth" - ], - "expiry": "8760h" - }, - "client": { - "auth_key": "key_srv", - "usages": [ - "signing", - "digital signature", - "key encipherment", - "client auth" - ], - "expiry": "8760h" + ], + "expiry": "87600h", + "ca_constraint": { + "is_ca": true, + "max_path_len": 0, + "max_path_len_zero": true } - } + }, + "server_client": { + "auth_key": "key_srv", + "usages": [ + "signing", + "digital signing", + "key encipherment", + "server auth", + "client auth" + ], + "expiry": "8760h" + }, + "server": { + "auth_key": "key_srv", + "usages": [ + "signing", + "digital signature", + "key 
encipherment", + "server auth" + ], + "expiry": "8760h" + }, + "client": { + "auth_key": "key_srv", + "usages": [ + "signing", + "digital signature", + "key encipherment", + "client auth" + ], + "expiry": "8760h" } } + } } \ No newline at end of file diff --git a/templates/csr_ROOT_CA.json.j2 b/templates/csr_ROOT_CA.json.j2 index 597c403..6a42977 100644 --- a/templates/csr_ROOT_CA.json.j2 +++ b/templates/csr_ROOT_CA.json.j2 @@ -1,6 +1,6 @@ { "CN": {{pki_ca.cname | to_json}}, - "key" : {{pki_key | to_json}}, - "names" : {{pki_names | to_json}}, - "ca": {"expiry": "{{pki_ca.expiry | to_json}}"} + "key": {{pki_key | to_json}}, + "names": {{pki_names | to_json}}, + "ca": {"expiry": {{pki_ca.expiry | to_json}}} } diff --git a/templates/csr_intermediate_CA.json.j2 b/templates/csr_intermediate_CA.json.j2 index aab8cec..e3a0d9e 100644 --- a/templates/csr_intermediate_CA.json.j2 +++ b/templates/csr_intermediate_CA.json.j2 @@ -1,6 +1,5 @@ { "CN": {{pki_intermediate_ca.cname | to_json}}, - "key" : {{pki_key | to_json}}, - "names" : {{pki_names | to_json}}, - "ca": {"expiry": "{{pki_intermediate_ca.expiry | to_json}}"} -} + "key": {{pki_key | to_json}}, + "names": {{pki_names | to_json}} +} \ No newline at end of file
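Review bot: The `server_client` profile lists `"digital signing"` as a usage while every other profile uses `"digital signature"`; as far as I can tell cfssl's key-usage table has no `digital signing` entry, so that usage is silently dropped and certificates issued from `server_client` carry no digitalSignature key usage, which TLS clients may reject for ECDSA/RSA signatures. Change that line to `"digital signature",`. Separately, `crl_url` hard-codes `:8888` while `defaults/main.yml` now defines `cfssl_port`; rendering it as `:{{cfssl_port}}/crl` keeps the CRL distribution point in step with the port the service actually listens on.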
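Review bot: The root CA's `ca` object still only sets `expiry`, so the self-signed root gets no path-length constraint even though the `intermediate_ca` profile pins the intermediate to `max_path_len` 0. Adding `pathlen` here, `"ca": {"expiry": {{pki_ca.expiry | to_json}}, "pathlen": 1}`, limits the root to a single level of subordinate CA, matching the two-tier hierarchy the role builds.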
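Review bot: Removing the `ca` block means the intermediate's lifetime and CA constraints now come entirely from the `intermediate_ca` signing profile in `cfssl.json.j2` (`87600h`, `max_path_len` 0), and nothing in the template records that, so the next editor is likely to re-add an `expiry` here that, as far as I can tell, cfssl only honours for `-initca`. A Jinja comment at the top of the file, `{# lifetime and CA constraints come from the "intermediate_ca" profile in cfssl.json.j2, not from this CSR #}`, would make the intent explicit.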