nono 2022-12-21 20:51:34 +01:00
parent f2816881b3
commit a171adff47
5 changed files with 78 additions and 78 deletions


@ -1,25 +1,24 @@
--- ---
cfssl_version: 1.6.3 cfssl_version: 1.6.3
cfssl_bin_directory: /usr/bin cfssl_bin_directory: '/usr/bin'
cfssl_port: 8888 cfssl_port: '8888'
cfssl_auth_key: "0123456789ABCDEF0123456789ABCDEF" cfssl_auth_key: "0123456789ABCDEF0123456789ABCDEF"
pki_dir: /opt/cfssl pki_dir: '/opt/cfssl'
pki_key: pki_key:
algo: rsa algo: 'rsa'
size: 4096 size: 4096
pki_names: pki_names:
- C: FR - C: 'FR'
L: 'Paris' L: 'Paris'
O: 'Acme' O: 'Acme'
OU: 'IT' OU: 'IT'
pki_ca: pki_ca:
cname: My Internal Certification Authority cname: 'My Internal Certification Authority'
expiry: 262800h expiry: '262800h'
pki_intermediate_ca: pki_intermediate_ca:
cname: My Intermediate Internal Certification Authority cname: 'My Intermediate Internal Certification Authority'
expirity: 262800h
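Review bot: `cfssl_auth_key` keeps a fixed, committed default (`"0123456789ABCDEF0123456789ABCDEF"`), and because cfssl.json's `auth_keys.key_srv` is the authenticator for every signing profile, a deployment that forgets to override it accepts signing requests bearing a publicly known key. Role defaults are the wrong place for this secret: leave it undefined here and fail early when it is missing, e.g. an `assert` task with `that: cfssl_auth_key is defined and cfssl_auth_key != '0123456789ABCDEF0123456789ABCDEF'`, with the real value coming from a vaulted variable. The removed `expirity` key appears to have been the only knob for the intermediate's lifetime, so a comment under `pki_intermediate_ca` such as `# validity comes from the intermediate_ca profile expiry in cfssl.json` would save the next reader a search. Separately, `cfssl_version: 1.6.3` is the one scalar left unquoted by this quoting pass; `'1.6.3'` keeps the file consistent (two dots already make it a string, so this is style only).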


@ -92,16 +92,19 @@
shell: '{{cfssl_bin_directory}}/cfssl gencert -initca {{pki_dir}}/csr/csr_ROOT_CA.json | {{cfssl_bin_directory}}/cfssljson -bare ca' shell: '{{cfssl_bin_directory}}/cfssl gencert -initca {{pki_dir}}/csr/csr_ROOT_CA.json | {{cfssl_bin_directory}}/cfssljson -bare ca'
args: args:
chdir: '{{pki_dir}}/CA/' chdir: '{{pki_dir}}/CA/'
creates: '{{pki_dir}}/CA/ca-key.pem'
- name: create intermediate certificate authority key pair and CSR, autosign it - name: create intermediate certificate authority key pair and CSR, autosign it
shell: '{{cfssl_bin_directory}}/cfssl gencert -ca {{pki_dir}}/CA/ca.pem -ca-key {{pki_dir}}/CA/ca-key.pem -config={{pki_dir}}/etc/cfssl.json -profile="intermediate_ca" {{pki_dir}}/csr/csr_intermediate_CA.json | {{cfssl_bin_directory}}/cfssljson -bare ca-server' shell: '{{cfssl_bin_directory}}/cfssl gencert -ca {{pki_dir}}/CA/ca.pem -ca-key {{pki_dir}}/CA/ca-key.pem -config={{pki_dir}}/etc/cfssl.json -profile="intermediate_ca" {{pki_dir}}/csr/csr_intermediate_CA.json | {{cfssl_bin_directory}}/cfssljson -bare ca-server'
args: args:
chdir: '{{pki_dir}}/CA/' chdir: '{{pki_dir}}/CA/'
creates: '{{pki_dir}}/CA/ca-server-key.pem'
- name: create sqlite3 database - name: create sqlite3 database
shell: 'cat {{pki_dir}}/data/init.sql | sqlite3 {{pki_dir}}/data/certdb.db' shell: 'cat {{pki_dir}}/data/init.sql | sqlite3 {{pki_dir}}/data/certdb.db'
args: args:
chdir: '{{pki_dir}}/CA/' chdir: '{{pki_dir}}/CA/'
creates: '{{pki_dir}}/data/certdb.db'
- name: Change owner of ca-server.pem by cfssl - name: Change owner of ca-server.pem by cfssl
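Review bot: The three `shell` tasks gain `creates:` guards but still run a pipeline without `pipefail`, so a failing `cfssl gencert` is masked by `cfssljson`'s exit status, and if a partial run leaves the `creates` target on disk the task will never rerun to repair it. Prefix each command with `set -o pipefail;` and add `executable: /bin/bash` under `args:`, e.g. `shell: 'set -o pipefail; {{cfssl_bin_directory}}/cfssl gencert -initca {{pki_dir}}/csr/csr_ROOT_CA.json | {{cfssl_bin_directory}}/cfssljson -bare ca'`. The interpolated paths are also unquoted inside the shell line; `{{ pki_dir | quote }}` keeps a path containing spaces or shell metacharacters from splitting the command. The task list continues beyond the hunk on both sides.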


@ -1,72 +1,71 @@
{ {
"auth_keys": { "auth_keys": {
"key_srv": { "key_srv": {
"type": "standard", "type": "standard",
"key":"{{cfssl_auth_key}}" "key": "{{cfssl_auth_key}}"
} }
},
"signing": {
"default": {
"auth_key": "key_srv",
"crl_url": "http://{{inventory_hostname_short}}.{{vm_domain_name}}:8888/crl",
"expiry": "26280h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
}, },
"signing": { "profiles": {
"default": { "intermediate_ca": {
"auth_key": "key_srv", "auth_key": "key_srv",
"crl_url": "http://{{inventory_hostname_short}}.{{vm_domain_name}}:8888/crl", "usages": [
"expiry": "26280h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"profiles": {
"intermediate_ca": {
"auth_key": "key_srv",
"usages": [
"signing",
"digital signature",
"key encipherment",
"cert sign",
"crl sign",
"server auth",
"client auth"
],
"expiry": "87600h",
"ca_constraint": {
"is_ca": true,
"max_path_len": 0,
"max_path_len_zero": true
}
},
"server_client": {
"auth_key": "key_srv",
"usages": [
"signing", "signing",
"digital signing", "digital signature",
"key encipherment", "key encipherment",
"cert sign",
"crl sign",
"server auth", "server auth",
"client auth" "client auth"
], ],
"expiry": "8760h" "expiry": "87600h",
}, "ca_constraint": {
"server": { "is_ca": true,
"auth_key": "key_srv", "max_path_len": 0,
"usages": [ "max_path_len_zero": true
"signing",
"digital signature",
"key encipherment",
"server auth"
],
"expiry": "8760h"
},
"client": {
"auth_key": "key_srv",
"usages": [
"signing",
"digital signature",
"key encipherment",
"client auth"
],
"expiry": "8760h"
} }
} },
"server_client": {
"auth_key": "key_srv",
"usages": [
"signing",
"digital signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"server": {
"auth_key": "key_srv",
"usages": [
"signing",
"digital signature",
"key encipherment",
"server auth"
],
"expiry": "8760h"
},
"client": {
"auth_key": "key_srv",
"usages": [
"signing",
"digital signature",
"key encipherment",
"client auth"
],
"expiry": "8760h"
} }
} }
}
} }
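Review bot: `crl_url` in `signing.default` still hardcodes `:8888` while this commit makes the listen port a variable (`cfssl_port`); `"crl_url": "http://{{inventory_hostname_short}}.{{vm_domain_name}}:{{cfssl_port}}/crl"` keeps the advertised CRL location in step with the port the service actually uses. The `server_client` profile lists `"digital signing"`, which is not one of cfssl's key-usage names (the sibling profiles use `"digital signature"`), so the digitalSignature bit is probably not being set on certificates from that profile; this predates the commit but survives the reindent and should be fixed alongside it. The profile is otherwise the only one without `ca_constraint`, which is the safe default for leaf certificates.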


@ -1,6 +1,6 @@
{ {
"CN": {{pki_ca.cname | to_json}}, "CN": {{pki_ca.cname | to_json}},
"key" : {{pki_key | to_json}}, "key": {{pki_key | to_json}},
"names" : {{pki_names | to_json}}, "names": {{pki_names | to_json}},
"ca": {"expiry": "{{pki_ca.expiry | to_json}}"} "ca": {"expiry": {{pki_ca.expiry | to_json}}}
} }
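Review bot: The root CA CSR's `ca` block now renders valid JSON but carries only `expiry`; since this role issues exactly one intermediate (which itself is constrained to `max_path_len: 0`), adding `"pathlen": 1` next to it, i.e. `"ca": {"expiry": {{pki_ca.expiry | to_json}}, "pathlen": 1}`, bounds how deep a chain the root can anchor and documents the intended hierarchy in the certificate itself. Without it the root carries no path-length constraint, so any intermediate-signed CA certificate would chain successfully if the intermediate profile were ever loosened.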


@ -1,6 +1,5 @@
{ {
"CN": {{pki_intermediate_ca.cname | to_json}}, "CN": {{pki_intermediate_ca.cname | to_json}},
"key" : {{pki_key | to_json}}, "key": {{pki_key | to_json}},
"names" : {{pki_names | to_json}}, "names": {{pki_names | to_json}}
"ca": {"expiry": "{{pki_intermediate_ca.expiry | to_json}}"}
} }