Add role

2022-12-16 17:51:39 +01:00 · 2022-12-16 17:51:39 +01:00 · e48f14003f
commit e48f14003f
parent b9cce1be67
12 changed files with 350 additions and 6 deletions
--- a/roles/cfssl-server/templates/cfssl.json.j2
+++ b/roles/cfssl-server/templates/cfssl.json.j2
@ -0,0 +1,50 @@
+{
+    "signing": {
+      "default": {
+          "crl_url": "http://{{inventory_hostname_short}}.{{vm_domain_name}}:8888/crl",
+          "expiry": "26280h",
+          "usages": [
+              "signing",
+              "key encipherment",
+              "client auth"
+          ]
+        },
+      "profiles": {
+        "intermediate_ca": {
+          "usages": [
+              "signing",
+              "digital signature",
+              "key encipherment",
+              "cert sign",
+              "crl sign",
+              "server auth",
+              "client auth"
+          ],
+          "expiry": "87600h",
+          "ca_constraint": {
+              "is_ca": true,
+              "max_path_len": 0, 
+              "max_path_len_zero": true
+          }
+        },
+        "server": {
+          "usages": [
+            "signing",
+            "digital signing",
+            "key encipherment",
+            "server auth"
+          ],
+          "expiry": "8760h"
+        },
+        "client": {
+          "usages": [
+            "signing",
+            "digital signature",
+            "key encipherment", 
+            "client auth"
+          ],
+          "expiry": "8760h"
+        }
+      }
+    }
+}
--- a/roles/cfssl-server/templates/cfssl.service.j2
+++ b/roles/cfssl-server/templates/cfssl.service.j2
@ -0,0 +1,16 @@
+[Unit]
+Description=CFSSL PKI Server
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User=cfssl
+Group=cfssl
+WorkingDirectory={{pki_dir}}
+ExecStart={{cfssl_bin_directory}}/cfssl serve -address 0.0.0.0 -db-config {{pki_dir}}/etc/db.json -config {{pki_dir}}/etc/cfssl.json -ca {{pki_dir}}/CA/ca-server.pem -ca-key {{pki_dir}}/CA/ca-server-key.pem -port {{cfssl_port}}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/cfssl-server/templates/csr.json.j2
+++ b/roles/cfssl-server/templates/csr.json.j2
@ -0,0 +1,6 @@
+{
+    "CN": {{item.cname | to_json}},
+    "hosts": {{ (item.sans|default([]) + item.altips|default([]) + item.cname.split(',')) | to_json}},
+    "key" : {{item.key | default(pki_key) | to_json}},
+    "names" : {{item.names | default(pki_names) | to_json}}
+}
--- a/roles/cfssl-server/templates/csr_ROOT_CA.json.j2
+++ b/roles/cfssl-server/templates/csr_ROOT_CA.json.j2
@ -0,0 +1,6 @@
+{
+    "CN": {{pki_ca.cname | to_json}},
+    "key" : {{pki_key | to_json}},
+    "names" : {{pki_names | to_json}},
+    "ca": {"expiry": "{{pki_ca.expiry | to_json}}"}
+}
--- a/roles/cfssl-server/templates/csr_intermediate_CA.json.j2
+++ b/roles/cfssl-server/templates/csr_intermediate_CA.json.j2
@ -0,0 +1,6 @@
+{
+    "CN": {{pki_intermediate_ca.cname | to_json}},
+    "key" : {{pki_key | to_json}},
+    "names" : {{pki_names | to_json}},
+    "ca": {"expiry": "{{pki_intermediate_ca.expiry | to_json}}"}
+}
--- a/roles/cfssl-server/templates/db.json.j2
+++ b/roles/cfssl-server/templates/db.json.j2
@ -0,0 +1 @@
+{"driver":"sqlite3","data_source":"{{pki_dir}}/data/certdb.db"}
--- a/roles/cfssl-server/templates/init.sql.j2
+++ b/roles/cfssl-server/templates/init.sql.j2
@ -0,0 +1,26 @@
+CREATE TABLE certificates (
+  serial_number            blob NOT NULL,
+  authority_key_identifier blob NOT NULL,
+  ca_label                 blob,
+  status                   blob NOT NULL,
+  reason                   int,
+  expiry                   timestamp,
+  revoked_at               timestamp,
+  pem                      blob NOT NULL,
+  PRIMARY KEY(serial_number, authority_key_identifier)
+);
+
+CREATE TABLE ocsp_responses (
+  serial_number            blob NOT NULL,
+  authority_key_identifier blob NOT NULL,
+  body                     blob NOT NULL,
+  expiry                   timestamp,
+  PRIMARY KEY(serial_number, authority_key_identifier),
+  FOREIGN KEY(serial_number, authority_key_identifier) REFERENCES certificates(serial_number, authority_key_identifier)
+);
+
+ALTER TABLE certificates ADD COLUMN "issued_at" timestamp;
+ALTER TABLE certificates ADD COLUMN "not_before" timestamp;
+ALTER TABLE certificates ADD COLUMN "metadata" text;
+ALTER TABLE certificates ADD COLUMN "sans" text;
+ALTER TABLE certificates ADD COLUMN "common_name" text;
				`@ -0,0 +1 @@`
				`{"driver":"sqlite3","data_source":"{{pki_dir}}/data/certdb.db"}`