forked from datasmid/buildserver
-
-
Notifications
You must be signed in to change notification settings - Fork 21
/
trust_me.yml
executable file
·167 lines (146 loc) · 5.29 KB
/
trust_me.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
#!/usr/bin/env ansible-playbook
# Establish self-signed certificate authority for test components
#
# ./trust_me.yml # to use Safari or Chrome with your own CA
# To create new certificate requests for local testing:
# make clean_certs csr
- name: "trust_me.yml"
hosts: localhost
connection: local
gather_facts: True
tasks:
- name: 'set HOME'
set_fact:
HOME: "{{ lookup('ENV','HOME') }}"
tags:
- openssl
- osx
- name: 'set USER'
set_fact:
USER: "{{ lookup('ENV','USER') }}"
tags:
- openssl
- osx
- name: 'restrict permissions on directory for our files'
become: no
file:
name: "{{ item }}"
mode: go-rwx
recurse: yes
with_items:
- files
tags:
- openssl
- name: generate internal_ca key
command: openssl genrsa -out files/private/internal_ca.key 2048
- name: sign private CA key
command: "openssl req -x509 \
-new -nodes \
-key files/private/internal_ca.key \
-config files/templates/openssl.cnf \
-extensions ca_extensions \
-days 1024 \
-out files/ca-certificates/internal_ca.cer \
-subj '/CN=internal_ca/O=IT/OU=Development/C=IO'"
- name: 'check the CSRs'
command: "openssl req -text -noout -verify -in files/certrequests/{{ item }}.csr"
with_inventory_hostnames: all:!localhost:!win_slave
no_log: no
changed_when: no
ignore_errors: yes
tags:
- openssl
- name: 'CA sign the signing requests for test'
command: "/bin/bash -c 'openssl x509 -req \
-CA files/ca-certificates/internal_ca.cer \
-CAkey files/private/internal_ca.key \
-CAcreateserial \
-extfile files/certrequests/{{ item }}.cnf \
-extensions server_cert \
-in files/certrequests/{{ item }}.csr \
-out files/ca-certificates/{{ item }}.cer \
-days 365'"
with_inventory_hostnames: all:!localhost:win_slave
ignore_errors: yes
no_log: yes
tags:
- openssl
- test
- name: 'append the root cert to the server cert'
shell: "cat files/ca-certificates/internal_ca.cer >> files/ca-certificates/{{ item }}.cer"
with_inventory_hostnames: all:!localhost:!win_slave
changed_when: yes
tags:
- openssl
- name: "create p12 stores for testing"
command: "/bin/bash -c 'openssl pkcs12 -export \
-password pass:{{ p12_password | default('p12_password') }} \
-out files/private/{{ item }}.p12 \
-inkey files/private/{{ item }}.key \
-in files/ca-certificates/{{ item }}.cer'"
with_inventory_hostnames: all:!localhost:!win_slave
ignore_errors: yes
no_log: yes
tags:
- openssl
# The internal_ca can be stale in a new git clone
- name: "remove internal_ca from keychain"
shell: "security delete-identity -c internal_ca"
register: get_local_ca
ignore_errors: yes
changed_when: no
tags:
- osx
- name: "extract public key of internal_ca"
become: no
command: "openssl rsa -in files/private/internal_ca.key -pubout -out files/pubkeys/internal_ca.pem"
tags:
- osx
- name: "create an encrypted store internal_ca.p12"
command: "/bin/bash -c 'openssl pkcs12 -export \
-password pass:{{ p12_password | default('p12_password') }} \
-out files/private/internal_ca.p12 \
-inkey files/private/internal_ca.key \
-in files/ca-certificates/internal_ca.cer'"
tags:
- osx
- name: "import internal_ca.cer in OSX login keychain with the one-time password 'p12_password'"
command: "open files/private/internal_ca.p12"
tags:
- osx
- name: 'ensure directory for CA config exists'
file:
path: "{{ HOME }}/Library/Application Support/Certificate Authority/internal_ca"
state: directory
tags:
- osx
- name: "binary hash of public key of internal_ca"
become: no
command: "openssl dgst -binary -sha256 -keyform PEM files/pubkeys/internal_ca.pem"
register: binary_hash
tags:
- osx
- name: 'set issuer_public_key_hash'
set_fact:
issuer_public_key_hash: "{{ binary_hash.stdout }}"
tags:
- osx
- name: 'store CA template in Library/Application Support/Certificate Authority'
template:
src: 'files/templates/certAuthorityConfig'
dest: "{{ HOME }}/Library/Application Support/Certificate Authority/internal_ca/internal_ca.certAuthorityConfig"
tags:
- osx
- name: "store files/ca-certificates/internal_ca.cer in Application Support/Certificate Authority"
copy:
src: "files/ca-certificates/internal_ca.cer"
dest: "{{ HOME }}/Library/Application Support/Certificate Authority/internal_ca/internal_ca certificates.pem"
tags:
- osx
- name: "removing plaintext keys for test"
file:
path: "files/private/{{ item }}.key"
state: absent
with_inventory_hostnames: all:!localhost:!win_slave
tags:
- openssl