Version: 1.3.0

This role installs and configures a Windows machine as an Active Directory Certificate Services (AD CS) Certification Authority.
Platform | Versions |
---|---|
Windows | |

Role |
---|
trippsc2.windows.install_psgallery |

Collection |
---|
ansible.windows |
community.windows |
trippsc2.windows |
Option | Description | Type | Required | Choices | Default |
---|---|---|---|---|---|
winca_is_root_ca | Whether to install the Certificate Authority as a Root CA. | bool | no | | True |
winca_is_ad_integrated | Whether to integrate the Certificate Authority with Active Directory. If | bool | no | | False |
winca_certificate_type | The type of CA certificate. If winca_is_root_ca is set to If set to If set to | str | no | | existing |
winca_install_management_tools | Whether to install the Remote Server Administration Tools (RSAT) for the Certificate Authority and IIS roles, if applicable. | bool | no | | True |
winca_username | The username to use when configuring the Certificate Authority. This account must have administrative rights on the target system. If winca_is_ad_integrated is | str | yes | | |
winca_password | The password for the | str | yes | | |
winca_ca_cert_common_name | The common name for the Certificate Authority certificate. If winca_is_root_ca is set to If winca_is_root_ca is set to If winca_is_root_ca is set to | str | yes | | |
winca_ca_distinguished_name_suffix | The distinguished name suffix for the Certificate Authority. If winca_is_root_ca is set to If winca_is_root_ca is set to | str | no | | |
winca_crypto_provider_name | The cryptographic provider name to use when generating the CA key pair. This will be combined with winca_crypto_provider_algorithm to determine the cryptographic provider. If winca_is_root_ca is set to | str | no | | Microsoft Software Key Storage Provider |
winca_crypto_provider_algorithm | The cryptographic provider algorithm to use when generating the CA key pair. This will be combined with winca_crypto_provider_name to determine the cryptographic provider. If winca_is_root_ca is set to | str | no | | rsa |
winca_database_directory | The directory in which to store the Certificate Authority database. | str | no | | C:\Windows\system32\CertLog |
winca_hash_algorithm_name | The hash algorithm name to use when generating the CA key pair. If winca_is_root_ca is set to | str | no | | sha256 |
winca_ignore_unicode | Whether to ignore Unicode characters in the distinguished name. If winca_is_root_ca is set to | bool | no | | False |
winca_key_length | The key length to use when generating the CA key pair. If winca_crypto_provider_algorithm is If winca_crypto_provider_algorithm is If winca_crypto_provider_algorithm is If winca_is_root_ca is set to | int | no | | |
winca_overwrite_existing_ca_in_domain | Whether to overwrite the existing Certificate Authority in the domain. If winca_is_ad_integrated is set to | bool | no | | False |
winca_overwrite_existing_database | Whether to overwrite an existing Certificate Authority database, if one exists. | bool | no | | False |
winca_overwrite_existing_key | Whether to overwrite the existing CA key pair. If winca_is_root_ca is set to | bool | no | | False |
winca_ca_cert_validity_period | The validity period for the CA certificate. If winca_is_root_ca is set to | int | no | | 5 |
winca_ca_cert_validity_period_unit | The validity period unit for the CA certificate. If winca_is_root_ca is set to | str | no | | Years |
winca_add_certenroll_virtual_directory | Whether to install Internet Information Services (IIS) and add the CertEnroll virtual directory to the default website. Installing the Certification Authority Web Enrollment feature handles this for you. If this is not an offline Root CA, it is recommended to set this to | bool | no | | False |
winca_parent_ca_config | The parent CA configuration to use when generating the CA certificate. This should be formatted as If winca_is_root_ca is set to | str | no | | |
winca_log_directory | The directory in which to store the Certificate Authority log files. | str | no | | C:\Windows\system32\CertLog |
winca_ca_cert_publication_urls | The URLs for Certificate Authority certificate publication (AIA). Refer to this TechNet article for formatting: https://social.technet.microsoft.com/wiki/contents/articles/18590.recommended-windows-ca-publication-urls-flags-two-tier-small-scale-internal-cas.aspx | list of 'str' | no | | |
winca_crl_publication_urls | The URLs for Certificate Revocation List publication (CDP). Refer to this TechNet article for formatting: https://social.technet.microsoft.com/wiki/contents/articles/18590.recommended-windows-ca-publication-urls-flags-two-tier-small-scale-internal-cas.aspx | list of 'str' | no | | |
winca_issued_cert_validity_period | The maximum validity period for issued certificates. | int | no | | 5 |
winca_issued_cert_validity_period_unit | The maximum validity period unit for issued certificates. | str | no | | Years |
winca_ad_config_distinguished_name | The distinguished name of the Active Directory configuration partition. This must be specified on a Standalone Root CA if it is meant to sign Enterprise Subordinate CA certificates. | str | no | | |
winca_ad_base_distinguished_name | The base distinguished name of the Active Directory domain. This must be specified on a Standalone Root CA if it is meant to sign Enterprise Subordinate CA certificates. | str | no | | |
winca_audit_filter | The event types to log for the Certificate Authority. | list of 'str' | no | | ['StartAndStopADCS', 'BackupAndRestoreCADatabase', 'IssueAndManageCertificateRequests', 'RevokeCertificatesAndPublishCRLs', 'ChangeCASecuritySettings', 'StoreAndRetrieveArchivedKeys', 'ChangeCAConfiguration'] |
winca_crl_overlap_period | The overlap period for publishing Certificate Revocation List deltas. | int | no | | 1 |
winca_crl_overlap_period_unit | The overlap period unit for publishing Certificate Revocation List deltas. | str | no | | Days |
winca_crl_period | The period for publishing the full Certificate Revocation List. | int | no | | 1 |
winca_crl_period_unit | The period unit for publishing the full Certificate Revocation List. | str | no | | Days |
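The following playbook is an added example, not part of this role's documentation, showing the two-tier layout the options above are built for: an offline Standalone Root CA that is allowed to sign Enterprise Subordinate CA certificates, and an AD-integrated issuing CA beneath it. It assumes the role is referenced as trippsc2.windows.ca (the role name is not stated on this page), uses constructed host names and distinguished names (example.com, pki.example.com), writes the publication URLs in the flag:URL notation described in the TechNet article the option table links to, and leaves winca_parent_ca_config as a placeholder to be filled in per that option's description.

```yaml
- name: Offline Standalone Root CA
  hosts: offline_root_ca
  vars:
    winca_username: Administrator                 # local admin; the root is not domain-joined
    winca_password: "{{ vault_winca_password }}"  # keep the secret in Ansible Vault
    winca_is_root_ca: true
    winca_is_ad_integrated: false
    winca_ca_cert_common_name: EXAMPLE-ROOT-CA
    winca_ca_distinguished_name_suffix: "DC=example,DC=com"
    winca_key_length: 4096                        # RSA key (winca_crypto_provider_algorithm default)
    winca_ca_cert_validity_period: 20
    winca_ca_cert_validity_period_unit: Years
    winca_issued_cert_validity_period: 10         # upper bound on subordinate CA cert lifetime
    winca_issued_cert_validity_period_unit: Years
    winca_add_certenroll_virtual_directory: false # no IIS on a machine that stays offline
    # Required on a Standalone Root that must sign Enterprise Subordinate CA certificates
    winca_ad_config_distinguished_name: "CN=Configuration,DC=example,DC=com"
    winca_ad_base_distinguished_name: "DC=example,DC=com"
    # AIA/CDP published locally and advertised via HTTP, so clients never need the root online
    winca_ca_cert_publication_urls:
      - "1:C:\\Windows\\system32\\CertSrv\\CertEnroll\\%1_%3%4.crt"
      - "2:http://pki.example.com/CertEnroll/%1_%3%4.crt"
    winca_crl_publication_urls:
      - "1:C:\\Windows\\system32\\CertSrv\\CertEnroll\\%3%8%9.crl"
      - "6:http://pki.example.com/CertEnroll/%3%8%9.crl"
    winca_crl_period: 180                         # long CRL; republished manually from the offline root
    winca_crl_period_unit: Days
  roles:
    - trippsc2.windows.ca                         # ASSUMPTION: role name is not stated on this page

- name: Enterprise Subordinate (issuing) CA
  hosts: issuing_ca
  vars:
    winca_username: "EXAMPLE\\svc-ca-install"     # domain account with local admin rights
    winca_password: "{{ vault_winca_password }}"
    winca_is_root_ca: false
    winca_is_ad_integrated: true
    winca_ca_cert_common_name: EXAMPLE-ISSUING-CA
    winca_ca_distinguished_name_suffix: "DC=example,DC=com"
    winca_parent_ca_config: "<PARENT-CA-CONFIG>"  # placeholder; format per the option table
    winca_add_certenroll_virtual_directory: true  # online CA serves CertEnroll over HTTP
    winca_issued_cert_validity_period: 2
    winca_issued_cert_validity_period_unit: Years
    winca_crl_period: 7
    winca_crl_period_unit: Days
    winca_crl_overlap_period: 1
    winca_crl_overlap_period_unit: Days
    winca_overwrite_existing_ca_in_domain: false  # never silently replace an enterprise CA
  roles:
    - trippsc2.windows.ca
```

The CertEnroll files written to the root's local path must be copied to pki.example.com by hand whenever the root certificate or its CRL is republished, since the root has no network path to that host.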
License: MIT

Author: Jim Tarpley (@trippsc2)