diff --git a/galaxy.yml b/galaxy.yml
index 5dae652..2748105 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,7 +1,7 @@
---
namespace: trippsc2
name: adcs
-version: 1.1.4
+version: 1.1.5
readme: README.md
authors:
- Jim Tarpley
diff --git a/roles/certificate_authority/README.md b/roles/certificate_authority/README.md
index 68072ab..bff8340 100644
--- a/roles/certificate_authority/README.md
+++ b/roles/certificate_authority/README.md
@@ -1,7 +1,7 @@
# Ansible Role: trippsc2.adcs.certificate_authority
-Version: 1.1.4
+Version: 1.1.5
This role installs and configures a Windows machine as a Active Directory Certificate Services Certification Authority.
@@ -27,31 +27,32 @@ This role installs and configures a Windows machine as a Active Directory Certif
|---|---|---|---|---|---|
| winca_is_root_ca |
Whether to install the Certificate Authority as a Root CA.
| bool | no | | true |
| winca_is_ad_integrated | Whether to integrate the Certificate Authority with Active Directory.
If `true`, the system must be joined to an Active Directory domain and the account used must be an Enterprise Admin.
| bool | no | | false |
-| winca_certificate_type | The type of CA certificate.
If `winca_is_root_ca` is set to `true` or `winca_is_ad_integrated` is set to `false`, this is ignored.
If set to `existing`, an existing CA certificate matching `winca_ca_cert_common_name` is used.
If set to `enterprise_parent`, a new CA certificate is generated and signed by the parent.
| str | no | - existing
- enterprise_parent
| existing |
-| winca_install_management_tools | Whether to install the Remote Server Administration Tools (RSAT) for Certificate Authority feature.
| bool | no | | true |
-| winca_username | The username to use when installing the Certificate Authority.
This account must have administrative rights on the target system.
If `winca_is_ad_integrated` is `true`, this account must be an Enterprise Admin.
| str | yes | | |
+| winca_certificate_type | The type of CA certificate.
If *winca_is_root_ca* is set to `true` or *winca_is_ad_integrated* is set to `false`, this is ignored.
If set to `existing`, an existing CA certificate matching *winca_ca_cert_common_name* is used.
If set to `enterprise_parent`, a new CA certificate is generated and signed by the parent.
| str | no | - existing
- enterprise_parent
| existing |
+| winca_install_management_tools | Whether to install the Remote Server Administration Tools (RSAT) for the Certificate Authority and IIS roles, if applicable.
| bool | no | | true |
+| winca_username | The username to use when configuring the Certificate Authority.
This account must have administrative rights on the target system.
If *winca_is_ad_integrated* is `true`, this account must have Enterprise Admin rights in the AD forest.
| str | yes | | |
| winca_password | The password for the `winca_username` account.
| str | yes | | |
-| winca_ca_cert_common_name | The common name for the Certificate Authority certificate.
If `winca_is_root_ca` is set to `true`, this is the common name for the generated Root CA certificate.
If `winca_is_root_ca` is set to `false` and either `winca_is_ad_integrated` is set to `false` or `winca_certificate_type` is set to `existing`, this is used to lookup the existing CA certificate by common name.
If `winca_is_root_ca` is set to `false`, `winca_is_ad_integrated` is set to `true`, and `winca_certificate_type` is set to `enterprise_parent`, this is used as the CA certificate common name to be signed by the parent.
| str | yes | | |
-| winca_ca_distinguished_name_suffix | The distinguished name suffix for the Certificate Authority.
If `winca_is_root_ca` is set to `true`, this is the distinguished name suffix for the generated Root CA certificate.
If `winca_is_root_ca` is set to `false`, `winca_is_ad_integrated` is set to `true`, and `winca_certificate_type` is set to `enterprise_parent`, this is used as the CA certificate distinguished name suffix to be signed by the parent.
| str | no | | |
-| winca_crypto_provider_name | The cryptographic provider name to use when generating the CA key pair.
This is only used when `winca_is_root_ca` is set to `true` or `winca_certificate_type` is set to `enterprise_parent`.
| str | no | | RSA#Microsoft Software Key Storage Provider |
+| winca_ca_cert_common_name | The common name for the Certificate Authority certificate.
If *winca_is_root_ca* is set to `true`, this is the common name for the generated Root CA certificate.
If *winca_is_root_ca* is set to `false` and either *winca_is_ad_integrated* is set to `false` or *winca_certificate_type* is set to `existing`, this is used to lookup the existing CA certificate by common name.
If *winca_is_root_ca* is set to `false`, *winca_is_ad_integrated* is set to `true`, and *winca_certificate_type* is set to `enterprise_parent`, this is used as the CA certificate common name to be signed by the parent.
| str | yes | | |
+| winca_ca_distinguished_name_suffix | The distinguished name suffix for the Certificate Authority.
If *winca_is_root_ca* is set to `true`, this is the distinguished name suffix for the generated Root CA certificate.
If *winca_is_root_ca* is set to `false`, *winca_is_ad_integrated* is set to `true`, and *winca_certificate_type* is set to `enterprise_parent`, this is used as the CA certificate distinguished name suffix to be signed by the parent.
| str | no | | |
+| winca_crypto_provider_name | The cryptographic provider name to use when generating the CA key pair.
This will be combined with *winca_crypto_provider_algorithm* to determine the cryptographic provider.
If *winca_is_root_ca* is set to `false` and *winca_certificate_type* is set to `existing`, this is ignored.
| str | no | | Microsoft Software Key Storage Provider |
+| winca_crypto_provider_algorithm | The cryptographic provider algorithm to use when generating the CA key pair.
This will be combined with *winca_crypto_provider_algorithm* to determine the cryptographic provider.
If *winca_is_root_ca* is set to `false` and *winca_certificate_type* is set to `existing`, this is ignored.
| str | no | | rsa |
| winca_database_directory | The directory to store the Certificate Authority database.
| str | no | | C:\Windows\system32\CertLog |
-| winca_hash_algorithm_name | The hash algorithm name to use when generating the CA key pair.
This is only used when `winca_is_root_ca` is set to `true` or `winca_certificate_type` is set to `enterprise_parent`.
| str | no | - sha256
- sha3_256
- sha3_384
- sha3_512
- sha384
- sha512
| sha256 |
-| winca_ignore_unicode | Whether to ignore Unicode characters in the distinguished name.
This is only used when `winca_is_root_ca` is set to `true` or `winca_certificate_type` is set to `enterprise_parent`.
| bool | no | | false |
-| winca_key_length | The key length to use when generating the CA key pair.
This is only used when `winca_is_root_ca` is set to `true` or `winca_certificate_type` is set to `enterprise_parent`.
| int | no | | 2048 |
-| winca_overwrite_existing_ca_in_domain | Whether to overwrite the existing Certificate Authority in the domain.
This is only used when `winca_is_ad_integrated` is set to `true`.
| bool | no | | false |
-| winca_overwrite_existing_database | Whether to overwrite the existing Certificate Authority database.
| bool | no | | false |
-| winca_overwrite_existing_key | Whether to overwrite the existing CA key pair.
This is only used when `winca_is_root_ca` is set to `true`.
| bool | no | | false |
-| winca_ca_cert_validity_period | The validity period for the CA certificate.
This is only used when `winca_is_root_ca` is set to `true`.
| int | no | | 5 |
-| winca_ca_cert_validity_period_unit | The validity period unit for the CA certificate.
This is only used when `winca_is_root_ca` is set to `true`.
| str | no | - Hours
- Days
- Weeks
- Months
- Years
| Years |
+| winca_hash_algorithm_name | The hash algorithm name to use when generating the CA key pair.
If *winca_is_root_ca* is set to `false` and *winca_certificate_type* is set to `existing`, this is ignored.
| str | no | | sha256 |
+| winca_ignore_unicode | Whether to ignore Unicode characters in the distinguished name.
If *winca_is_root_ca* is set to `false` and *winca_certificate_type* is set to `existing`, this is ignored.
| bool | no | | false |
+| winca_key_length | The key length to use when generating the CA key pair.
If *winca_crypto_provider_algorithm* is `rsa`, this must be one of `1024`, `2048`, or `4096`.
If *winca_crypto_provider_algorithm* is `ecdsa_p256`, this must be `256`.
If *winca_crypto_provider_algorithm* is `ecdsa_p521`, this must be `521`.
If *winca_is_root_ca* is set to `false` and *winca_certificate_type* is set to `existing`, this is ignored.
| int | no | | 2048 |
+| winca_overwrite_existing_ca_in_domain | Whether to overwrite the existing Certificate Authority in the domain.
If *winca_is_ad_integrated* is set to `false`, this is ignored.
| bool | no | | false |
+| winca_overwrite_existing_database | Whether to overwrite an existing Certificate Authority database, if one exists.
| bool | no | | false |
+| winca_overwrite_existing_key | Whether to overwrite the existing CA key pair.
If *winca_is_root_ca* is set to `false`, this is ignored.
| bool | no | | false |
+| winca_ca_cert_validity_period | The validity period for the CA certificate.
If *winca_is_root_ca* is set to `false`, this is ignored.
| int | no | | 5 |
+| winca_ca_cert_validity_period_unit | The validity period unit for the CA certificate.
If *winca_is_root_ca* is set to `false`, this is ignored.
| str | no | - Hours
- Days
- Weeks
- Months
- Years
| Years |
| winca_add_certenroll_virtual_directory | Whether to install Internet Information Services (IIS) and add the CertEnroll virtual directory to the default website.
Installing the Certification Authority Web Enrollment feature handles this for you.
If this is not an offline Root CA, it is recommended to set this to `true` or the Certification Authority Web Enrollment feature is installed and configured.
| bool | no | | false |
-| winca_parent_ca_config | The parent CA configuration to use when generating the CA certificate.
This is only used when `winca_certificate_type` is set to `enterprise_parent`.
This should be formatted as `\`.
| str | no | | |
+| winca_parent_ca_config | The parent CA configuration to use when generating the CA certificate.
This should be formatted as `\`.
If *winca_is_root_ca* is set to `true`, *winca_is_ad_integrated* is set to `false`, or *winca_certificate_type* is set to `existing`, this is ignored.
| str | no | | |
| winca_log_directory | The directory to store the Certificate Authority log files.
| str | no | | C:\Windows\system32\CertLog |
| winca_ca_cert_publication_urls | The URLs for the Certificate Authority certificate publication.
Refer to this Technet article for formatting: https://social.technet.microsoft.com/wiki/contents/articles/18590.recommended-windows-ca-publication-urls-flags-two-tier-small-scale-internal-cas.aspx
| list of 'str' | no | | |
| winca_crl_publication_urls | The URLs for the Certificate Revocation List publication.
Refer to this Technet article for formatting: https://social.technet.microsoft.com/wiki/contents/articles/18590.recommended-windows-ca-publication-urls-flags-two-tier-small-scale-internal-cas.aspx
| list of 'str' | no | | |
| winca_issued_cert_validity_period | The maximum validity period for issued certificates.
| int | no | | 5 |
| winca_issued_cert_validity_period_unit | The maximum validity period unit for issued certificates.
| str | no | - Hours
- Days
- Weeks
- Months
- Years
| Years |
-| winca_ad_config_distinguished_name | The distinguished name for the Active Directory configuration.
This is must be specified on a Standalone Root CA, if it is meant to sign Enterprise Subordinate CA certificates.
| str | no | | |
-| winca_ad_base_distinguished_name | The base distinguished name for the Active Directory configuration.
This is must be specified on a Standalone Root CA, if it is meant to sign Enterprise Subordinate CA certificates.
| str | no | | |
+| winca_ad_config_distinguished_name | The distinguished name for the Active Directory configuration.
This must be specified on a Standalone Root CA, if it is meant to sign Enterprise Subordinate CA certificates.
| str | no | | |
+| winca_ad_base_distinguished_name | The base distinguished name for the Active Directory configuration.
This must be specified on a Standalone Root CA, if it is meant to sign Enterprise Subordinate CA certificates.
| str | no | | |
| winca_audit_filter | The types of event types to log for the Certificate Authority.
| list of 'str' | no | - StartAndStopADCS
- BackupAndRestoreCADatabase
- IssueAndManageCertificateRequests
- RevokeCertificatesAndPublishCRLs
- ChangeCASecuritySettings
- StoreAndRetrieveArchivedKeys
- ChangeCAConfiguration
| ["StartAndStopADCS", "BackupAndRestoreCADatabase", "IssueAndManageCertificateRequests", "RevokeCertificatesAndPublishCRLs", "ChangeCASecuritySettings", "StoreAndRetrieveArchivedKeys", "ChangeCAConfiguration"] |
| winca_crl_overlap_period | The overlap period for the Certificate Revocation List deltas to be published.
| int | no | | 1 |
| winca_crl_overlap_period_unit | The overlap period unit for the Certificate Revocation List deltas to be published.
| str | no | - Hours
- Days
- Weeks
- Months
- Years
| Days |
diff --git a/roles/certificate_authority/defaults/main.yml b/roles/certificate_authority/defaults/main.yml
index 1ac70f2..e5e5501 100644
--- a/roles/certificate_authority/defaults/main.yml
+++ b/roles/certificate_authority/defaults/main.yml
@@ -6,9 +6,12 @@ winca_is_ad_integrated: false
winca_add_certenroll_virtual_directory: false
-winca_crypto_provider_name: RSA#Microsoft Software Key Storage Provider
+winca_certificate_type: existing
+
+winca_crypto_provider_name: Microsoft Software Key Storage Provider
+winca_crypto_provider_algorithm: rsa
winca_hash_algorithm_name: sha256
-winca_key_length: 2048
+winca_key_length: "{{ _winca_default_key_length }}"
winca_overwrite_existing_key: false
winca_ignore_unicode: false
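Review bot: The new `winca_key_length: "{{ _winca_default_key_length }}"` makes the effective default depend on the algorithm (2048 for `rsa`, 256 and 521 for the two ECDSA choices, per `_winca_default_key_length_by_algorithm` in vars/main.yml), but meta/argument_specs.yml still declares `default: 2048` for `winca_key_length` and the README table repeats it, so the documented default is wrong for the ECDSA algorithms and is also what `ansible-doc` will show. Either keep a literal default and let validate.yml reject the mismatch, or state the dependency in the spec description, e.g. `- The default depends on *winca_crypto_provider_algorithm*: 2048 for rsa, 256 for ecdsa_p256, 521 for ecdsa_p521.` Note that this default is now a templated string resolved from a role var; if argument spec validation coerces it with `type: int` this works, but that is worth confirming in molecule.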
diff --git a/roles/certificate_authority/meta/argument_specs.yml b/roles/certificate_authority/meta/argument_specs.yml
index 62a9388..f8970ec 100644
--- a/roles/certificate_authority/meta/argument_specs.yml
+++ b/roles/certificate_authority/meta/argument_specs.yml
@@ -29,22 +29,22 @@ argument_specs:
- enterprise_parent
description:
- The type of CA certificate.
- - If `winca_is_root_ca` is set to `true` or `winca_is_ad_integrated` is set to `false`, this is ignored.
- - If set to `existing`, an existing CA certificate matching `winca_ca_cert_common_name` is used.
+ - If *winca_is_root_ca* is set to `true` or *winca_is_ad_integrated* is set to `false`, this is ignored.
+ - If set to `existing`, an existing CA certificate matching *winca_ca_cert_common_name* is used.
- If set to `enterprise_parent`, a new CA certificate is generated and signed by the parent.
winca_install_management_tools:
type: bool
required: false
default: true
description:
- - Whether to install the Remote Server Administration Tools (RSAT) for Certificate Authority feature.
+ - Whether to install the Remote Server Administration Tools (RSAT) for the Certificate Authority and IIS roles, if applicable.
winca_username:
type: str
required: true
description:
- - The username to use when installing the Certificate Authority.
+ - The username to use when configuring the Certificate Authority.
- This account must have administrative rights on the target system.
- - If `winca_is_ad_integrated` is `true`, this account must be an Enterprise Admin.
+ - If *winca_is_ad_integrated* is `true`, this account must have Enterprise Admin rights in the AD forest.
winca_password:
type: str
required: true
@@ -55,23 +55,36 @@ argument_specs:
required: true
description:
- The common name for the Certificate Authority certificate.
- - If `winca_is_root_ca` is set to `true`, this is the common name for the generated Root CA certificate.
- - If `winca_is_root_ca` is set to `false` and either `winca_is_ad_integrated` is set to `false` or `winca_certificate_type` is set to `existing`, this is used to lookup the existing CA certificate by common name.
- - If `winca_is_root_ca` is set to `false`, `winca_is_ad_integrated` is set to `true`, and `winca_certificate_type` is set to `enterprise_parent`, this is used as the CA certificate common name to be signed by the parent.
+ - If *winca_is_root_ca* is set to `true`, this is the common name for the generated Root CA certificate.
+ - If *winca_is_root_ca* is set to `false` and either *winca_is_ad_integrated* is set to `false` or *winca_certificate_type* is set to `existing`, this is used to lookup the existing CA certificate by common name.
+ - If *winca_is_root_ca* is set to `false`, *winca_is_ad_integrated* is set to `true`, and *winca_certificate_type* is set to `enterprise_parent`, this is used as the CA certificate common name to be signed by the parent.
winca_ca_distinguished_name_suffix:
type: str
required: false
description:
- The distinguished name suffix for the Certificate Authority.
- - If `winca_is_root_ca` is set to `true`, this is the distinguished name suffix for the generated Root CA certificate.
- - If `winca_is_root_ca` is set to `false`, `winca_is_ad_integrated` is set to `true`, and `winca_certificate_type` is set to `enterprise_parent`, this is used as the CA certificate distinguished name suffix to be signed by the parent.
+ - If *winca_is_root_ca* is set to `true`, this is the distinguished name suffix for the generated Root CA certificate.
+ - If *winca_is_root_ca* is set to `false`, *winca_is_ad_integrated* is set to `true`, and *winca_certificate_type* is set to `enterprise_parent`, this is used as the CA certificate distinguished name suffix to be signed by the parent.
winca_crypto_provider_name:
type: str
required: false
- default: RSA#Microsoft Software Key Storage Provider
+ default: Microsoft Software Key Storage Provider
description:
- The cryptographic provider name to use when generating the CA key pair.
- - This is only used when `winca_is_root_ca` is set to `true` or `winca_certificate_type` is set to `enterprise_parent`.
+ - This will be combined with *winca_crypto_provider_algorithm* to determine the cryptographic provider.
+ - If *winca_is_root_ca* is set to `false` and *winca_certificate_type* is set to `existing`, this is ignored.
+ winca_crypto_provider_algorithm:
+ type: str
+ required: false
+ default: rsa
+ choices:
+ - rsa
+ - ecdsa_p256
+ - ecdsa_p521
+ description:
+ - The cryptographic provider algorithm to use when generating the CA key pair.
+ - This will be combined with *winca_crypto_provider_algorithm* to determine the cryptographic provider.
+ - If *winca_is_root_ca* is set to `false` and *winca_certificate_type* is set to `existing`, this is ignored.
winca_database_directory:
type: str
required: false
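Review bot: The description added for `winca_crypto_provider_algorithm` says it is combined with *winca_crypto_provider_algorithm*, i.e. with itself; it should name the other half of the provider string, `- This will be combined with *winca_crypto_provider_name* to determine the cryptographic provider.` The same copy-paste text appears in the certificate_authority README table for this variable. Since vars/main.yml shows the composition as `{{ winca_crypto_provider_algorithm | upper }}#{{ winca_crypto_provider_name }}`, the description could also give the resulting form (e.g. `RSA#Microsoft Software Key Storage Provider`) so users can check it against the provider names the CA actually exposes.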
@@ -84,55 +97,61 @@ argument_specs:
default: sha256
choices:
- sha256
- - sha3_256
- - sha3_384
- - sha3_512
- sha384
- sha512
description:
- The hash algorithm name to use when generating the CA key pair.
- - This is only used when `winca_is_root_ca` is set to `true` or `winca_certificate_type` is set to `enterprise_parent`.
+ - If *winca_is_root_ca* is set to `false` and *winca_certificate_type* is set to `existing`, this is ignored.
winca_ignore_unicode:
type: bool
required: false
default: false
description:
- Whether to ignore Unicode characters in the distinguished name.
- - This is only used when `winca_is_root_ca` is set to `true` or `winca_certificate_type` is set to `enterprise_parent`.
+ - If *winca_is_root_ca* is set to `false` and *winca_certificate_type* is set to `existing`, this is ignored.
winca_key_length:
type: int
required: false
default: 2048
+ choices:
+ - 256
+ - 521
+ - 1024
+ - 2048
+ - 4096
description:
- The key length to use when generating the CA key pair.
- - This is only used when `winca_is_root_ca` is set to `true` or `winca_certificate_type` is set to `enterprise_parent`.
+ - If *winca_crypto_provider_algorithm* is `rsa`, this must be one of `1024`, `2048`, or `4096`.
+ - If *winca_crypto_provider_algorithm* is `ecdsa_p256`, this must be `256`.
+ - If *winca_crypto_provider_algorithm* is `ecdsa_p521`, this must be `521`.
+ - If *winca_is_root_ca* is set to `false` and *winca_certificate_type* is set to `existing`, this is ignored.
winca_overwrite_existing_ca_in_domain:
type: bool
required: false
default: false
description:
- Whether to overwrite the existing Certificate Authority in the domain.
- - This is only used when `winca_is_ad_integrated` is set to `true`.
+ - If *winca_is_ad_integrated* is set to `false`, this is ignored.
winca_overwrite_existing_database:
type: bool
required: false
default: false
description:
- - Whether to overwrite the existing Certificate Authority database.
+ - Whether to overwrite an existing Certificate Authority database, if one exists.
winca_overwrite_existing_key:
type: bool
required: false
default: false
description:
- Whether to overwrite the existing CA key pair.
- - This is only used when `winca_is_root_ca` is set to `true`.
+ - If *winca_is_root_ca* is set to `false`, this is ignored.
winca_ca_cert_validity_period:
type: int
required: false
default: 5
description:
- The validity period for the CA certificate.
- - This is only used when `winca_is_root_ca` is set to `true`.
+ - If *winca_is_root_ca* is set to `false`, this is ignored.
winca_ca_cert_validity_period_unit:
type: str
required: false
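Review bot: The new `choices` for `winca_key_length` admit `1024`, and `_winca_allowed_key_lengths_by_algorithm.rsa` in vars/main.yml (and the README table) list it as a valid RSA size for the CA key; a 1024-bit RSA CA key is well below current minimums for signing keys and weakens every certificate the CA issues. Unless there is a compatibility reason for keeping it, drop `- 1024` here and from the allowed list in vars/main.yml, or at least mark it in the description, e.g. `- 1024 is accepted only for legacy compatibility and should not be used for new CAs.` If it is kept, the new assert in validate.yml accepts it without comment, so a `debug`/warning message there would be the minimum.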
@@ -145,7 +164,7 @@ argument_specs:
- Years
description:
- The validity period unit for the CA certificate.
- - This is only used when `winca_is_root_ca` is set to `true`.
+ - If *winca_is_root_ca* is set to `false`, this is ignored.
winca_add_certenroll_virtual_directory:
type: bool
required: false
@@ -159,8 +178,8 @@ argument_specs:
required: false
description:
- The parent CA configuration to use when generating the CA certificate.
- - This is only used when `winca_certificate_type` is set to `enterprise_parent`.
- This should be formatted as `\`.
+ - If *winca_is_root_ca* is set to `true`, *winca_is_ad_integrated* is set to `false`, or *winca_certificate_type* is set to `existing`, this is ignored.
winca_log_directory:
type: str
required: false
@@ -204,13 +223,13 @@ argument_specs:
required: false
description:
- The distinguished name for the Active Directory configuration.
- - This is must be specified on a Standalone Root CA, if it is meant to sign Enterprise Subordinate CA certificates.
+ - This must be specified on a Standalone Root CA, if it is meant to sign Enterprise Subordinate CA certificates.
winca_ad_base_distinguished_name:
type: str
required: false
description:
- The base distinguished name for the Active Directory configuration.
- - This is must be specified on a Standalone Root CA, if it is meant to sign Enterprise Subordinate CA certificates.
+ - This must be specified on a Standalone Root CA, if it is meant to sign Enterprise Subordinate CA certificates.
winca_audit_filter:
type: list
required: false
diff --git a/roles/certificate_authority/molecule/default/molecule.yml b/roles/certificate_authority/molecule/default/molecule.yml
index 40da44b..a9a1e6e 100644
--- a/roles/certificate_authority/molecule/default/molecule.yml
+++ b/roles/certificate_authority/molecule/default/molecule.yml
@@ -80,7 +80,8 @@ provisioner:
winsubca_signing_ca_cert_file_temp_path: C:\Windows\temp\signingcacert.crt
winsubca_cert_file_temp_path: "C:\\Windows\\temp\\{{ inventory_hostname }}.crt"
subjects:
- winca_crypto_provider_name: RSA#Microsoft Software Key Storage Provider
+ winca_crypto_provider_name: Microsoft Software Key Storage Provider
+ winca_crypto_provider_algorithm: rsa
winca_hash_algorithm_name: sha256
winca_key_length: 2048
winca_add_certenroll_virtual_directory: true
diff --git a/roles/certificate_authority/molecule/default/verify.yml b/roles/certificate_authority/molecule/default/verify.yml
index 594d8c1..d6fb664 100644
--- a/roles/certificate_authority/molecule/default/verify.yml
+++ b/roles/certificate_authority/molecule/default/verify.yml
@@ -84,7 +84,7 @@
Credential_password: "{{ winca_password }}"
CACommonName: "{{ winca_ca_cert_common_name }}"
CADistinguishedNameSuffix: "{{ winca_ca_distinguished_name_suffix }}"
- CryptoProviderName: "{{ winca_crypto_provider_name }}"
+ CryptoProviderName: "{{ winca_crypto_provider_algorithm }}#{{ winca_crypto_provider_name }}"
DatabaseDirectory: "{{ winca_database_directory }}"
HashAlgorithmName: "{{ winca_hash_algorithm_name }}"
KeyLength: "{{ winca_key_length }}"
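Review bot: The expected `CryptoProviderName` is built here as `{{ winca_crypto_provider_algorithm }}#{{ winca_crypto_provider_name }}` without the `| upper` that vars/main.yml applies in `_winca_formatted_crypto_provider_name`, so for the molecule default `rsa` this task expects `rsa#Microsoft Software Key Storage Provider` while the role configures `RSA#Microsoft Software Key Storage Provider`. Whether that makes the verification fail or pass without actually checking depends on how the module compares the value, which is outside the hunk, but the two should be built the same way: `CryptoProviderName: "{{ winca_crypto_provider_algorithm | upper }}#{{ winca_crypto_provider_name }}"`. The second hunk of this file has the identical line and the same mismatch. The enclosing task starts before this hunk.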
@@ -141,7 +141,7 @@
Credential_password: "{{ winca_password }}"
CACommonName: "{{ winca_ca_cert_common_name }}"
CADistinguishedNameSuffix: "{{ winca_ca_distinguished_name_suffix }}"
- CryptoProviderName: "{{ winca_crypto_provider_name }}"
+ CryptoProviderName: "{{ winca_crypto_provider_algorithm }}#{{ winca_crypto_provider_name }}"
DatabaseDirectory: "{{ winca_database_directory }}"
HashAlgorithmName: "{{ winca_hash_algorithm_name }}"
KeyLength: "{{ winca_key_length }}"
diff --git a/roles/certificate_authority/tasks/validate.yml b/roles/certificate_authority/tasks/validate.yml
index 70519a1..eb7d2c8 100644
--- a/roles/certificate_authority/tasks/validate.yml
+++ b/roles/certificate_authority/tasks/validate.yml
@@ -28,3 +28,12 @@
- ansible_windows_domain_member
fail_msg: This machine is not a domain member.
success_msg: This machine is a domain member.
+
+- name: Validate key length
+ when:
+ - winca_is_root_ca or winca_certificate_type == 'enterprise_parent'
+ ansible.builtin.assert:
+ that:
+ - winca_key_length | int in _winca_allowed_key_lengths_by_algorithm[winca_crypto_provider_algorithm]
+ fail_msg: "Key length for {{ winca_crypto_provider_algorithm | upper }} keys must be one of: {{ _winca_allowed_key_lengths_by_algorithm[winca_crypto_provider_algorithm] | join(', ') }}"
+ success_msg: "{{ winca_crypto_provider_algorithm | upper }} key length of {{ winca_key_length }} is valid."
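Review bot: The new assert is gated on `winca_is_root_ca or winca_certificate_type == 'enterprise_parent'`, while vars/main.yml gates the key-generation options (`_winca_key_length`, `_winca_crypto_provider_name`) on `_winca_certificate_options_needed`, which is defined outside this diff. If those two conditions ever diverge (the README says `winca_certificate_type` is ignored when `winca_is_ad_integrated` is `false`, which this condition does not consider), a key could be generated without its length being checked or the check could run against ignored input; reusing the same variable, `when: _winca_certificate_options_needed`, would keep the gate in one place, provided it is resolvable at validation time. Also, indexing `_winca_allowed_key_lengths_by_algorithm` with an unlisted algorithm fails with a template error rather than the friendly `fail_msg`, which is acceptable only as long as the `choices` in meta/argument_specs.yml are validated before this task runs.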
diff --git a/roles/certificate_authority/vars/main.yml b/roles/certificate_authority/vars/main.yml
index a096b9b..5560161 100644
--- a/roles/certificate_authority/vars/main.yml
+++ b/roles/certificate_authority/vars/main.yml
@@ -1,13 +1,28 @@
---
+_winca_default_key_length_by_algorithm:
+ rsa: 2048
+ ecdsa_p256: 256
+ ecdsa_p521: 521
+
+_winca_allowed_key_lengths_by_algorithm:
+ rsa:
+ - 1024
+ - 2048
+ - 4096
+ ecdsa_p256:
+ - 256
+ ecdsa_p521:
+ - 521
+
_winca_ca_type_prefix: "{{ 'Enterprise' if winca_is_ad_integrated else 'Standalone' }}"
_winca_ca_type_suffix: "{{ 'RootCA' if winca_is_root_ca else 'SubordinateCA' }}"
-_winca_formatted_hash_algorithm_name: "{{ winca_hash_algorithm_name | upper }}"
-
_winca_ca_type: "{{ _winca_ca_type_prefix }}{{ _winca_ca_type_suffix }}"
-_winca_crypto_provider_name: "{{ winca_crypto_provider_name if _winca_certificate_options_needed else omit }}"
-_winca_hash_algorithm_name: "{{ _winca_formatted_hash_algorithm_name if _winca_certificate_options_needed else omit }}"
+_winca_default_key_length: "{{ _winca_default_key_length_by_algorithm[winca_crypto_provider_algorithm] }}"
+_winca_formatted_crypto_provider_name: "{{ winca_crypto_provider_algorithm | upper }}#{{ winca_crypto_provider_name }}"
+_winca_crypto_provider_name: "{{ _winca_formatted_crypto_provider_name if _winca_certificate_options_needed else omit }}"
+_winca_hash_algorithm_name: "{{ winca_hash_algorithm_name | upper if _winca_certificate_options_needed else omit }}"
_winca_key_length: "{{ winca_key_length if _winca_certificate_options_needed else omit }}"
_winca_overwrite_existing_key: "{{ winca_overwrite_existing_key if winca_is_root_ca else omit }}"
diff --git a/roles/signed_certificate/README.md b/roles/signed_certificate/README.md
index 95f47a8..8734121 100644
--- a/roles/signed_certificate/README.md
+++ b/roles/signed_certificate/README.md
@@ -1,7 +1,7 @@
# Ansible Role: trippsc2.adcs.signed_certificate
-Version: 1.1.4
+Version: 1.1.5
This role issues a certificate from a AD CS Certification Authority.
diff --git a/roles/sub_ca_certificate/README.md b/roles/sub_ca_certificate/README.md
index 27401b5..1325b67 100644
--- a/roles/sub_ca_certificate/README.md
+++ b/roles/sub_ca_certificate/README.md
@@ -1,7 +1,7 @@
# Ansible Role: trippsc2.adcs.sub_ca_certificate
-Version: 1.1.4
+Version: 1.1.5
This role signs a subordinate CA certificate on a Windows machine.