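---
# Issue a TLS server certificate for one or more DNS names, signed by an
# existing private CA stored under ca_path (rootCA.pem / rootCA.key).
#
# Required extra var:
#   san_list    comma-separated DNS names placed in Subject Alternative
#               Name; the first entry is also used as the CN and, unless
#               overridden, as the basename of the key/CSR/cert files.
# Optional extra vars:
#   ca_path, subject, filename, passphrase (passphrase of rootCA.key, if any).
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    ca_path: /some/path
    cert_path: "{{ ca_path }}/certs"
    csr_path: "{{ ca_path }}/csrs"
    key_path: "{{ ca_path }}/private"
    san_list: ""
    # Split once, trim whitespace around each entry and drop empty entries so
    # "a.example.com, b.example.com" and a trailing comma both work.
    san_entries: "{{ san_list.split(',') | map('trim') | select | list }}"
    subject: "{{ san_entries[0] }}"
    filename: "{{ san_entries[0] }}"
    # passphrase: <password>   # supply via --extra-vars or Ansible Vault rather than in this file
  tasks:
    - name: Validate a san_list has been provided
      assert:
        that:
          - san_list != ''
          # Guards against a san_list made only of commas/whitespace.
          - san_entries | length > 0
        fail_msg: You must define san_list as a comma-separated list of hosts to include in Subject Alternative Name

    - name: Create directories for CA
      file:
        path: "{{ item.path }}"
        state: directory
        # Only the private-key directory gets an explicit mode; the other
        # directories keep their existing/umask permissions as before.
        mode: "{{ item.mode | default(omit) }}"
      loop:
        - path: "{{ ca_path }}"
        - path: "{{ cert_path }}"
        - path: "{{ csr_path }}"
        - path: "{{ key_path }}"
          mode: "0700"

    - name: Adjust name of files if wildcard cert, i.e. starts with '*'
      set_fact:
        # "*.example.com" -> "example.com" so the file names contain no '*'.
        filename: "{{ filename.split('.')[1:] | join('.') }}"
      when: filename.split('.')[0] == '*'

    - name: Generate private key
      community.crypto.openssl_privatekey:
        path: "{{ key_path }}/{{ filename }}.key"
        # The key file must not be world-readable.
        mode: "0600"

    - name: Generate csr
      community.crypto.openssl_csr:
        path: "{{ csr_path }}/{{ filename }}.csr"
        privatekey_path: "{{ key_path }}/{{ filename }}.key"
        subject:
          CN: "{{ subject }}"
        key_usage:
          - digitalSignature
          - nonRepudiation
          - keyEncipherment
          - dataEncipherment
        basic_constraints:
          - "CA:FALSE"
        # Every SAN entry is prefixed with "DNS:" as community.crypto expects.
        subject_alt_name: "{{ san_entries | map('regex_replace', '^', 'DNS:') | list }}"

    - name: Generate certificate
      community.crypto.x509_certificate:
        path: "{{ cert_path }}/{{ filename }}.pem"
        csr_path: "{{ csr_path }}/{{ filename }}.csr"
        ownca_path: "{{ ca_path }}/rootCA.pem"
        ownca_privatekey_path: "{{ ca_path }}/rootCA.key"
        # omit keeps the module's default when no passphrase was supplied.
        ownca_privatekey_passphrase: "{{ passphrase | default(omit) }}"
        ownca_create_authority_key_identifier: false
        ownca_create_subject_key_identifier: never_create
        # 825 days: the longest lifetime some client platforms still accept
        # for TLS server certificates; shorten it if your clients require less.
        ownca_not_after: "+825d"
        provider: ownca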