Add template and tweak commands for SAN support. (#38)
* Add template and tweak commands for SAN support.

* Correct dest param.

* Add ssl_certs_email default

* Correct email param

* Correct cert path name.

* skip prompts

* remove prompt setting

* Add subject fields on the command line.

* Disable prompt. Remove defaults.

* Remove config param from cert gen and fields from csr gen.

* Add spacing in jinja tags. Add default value for ssl_certs_san_name

* Reformat code to modern Ansible syntax.

* Add DNS.2 entry for SAN
tyler-8 authored and jdauphant committed Aug 5, 2018
1 parent 8155f21 commit d963e1b
Showing 3 changed files with 92 additions and 16 deletions.
23 changes: 13 additions & 10 deletions defaults/main.yml
Expand Up @@ -3,23 +3,26 @@ ssl_certs_country: "US"
ssl_certs_locality: "New York"
ssl_certs_organization: "Your company"
ssl_certs_state: "New York"
ssl_certs_common_name: "{{ansible_fqdn}}"
ssl_certs_common_name: "{{ ansible_fqdn }}"
ssl_certs_san_name: "{{ ssl_certs_common_name }}"
ssl_certs_email: "[email protected]"
ssl_certs_days: "365"
ssl_certs_fields: "/C={{ssl_certs_country}}/ST={{ssl_certs_state}}/L={{ssl_certs_locality}}/O={{ssl_certs_organization}}/CN={{ssl_certs_common_name}}"
ssl_certs_fields: "/C={{ ssl_certs_country }}/ST={{ ssl_certs_state }}/L={{ ssl_certs_locality }}/O={{ ssl_certs_organization }}/CN={{ ssl_certs_common_name }}"

ssl_certs_path: "/etc/ssl/{{ssl_certs_common_name}}"
ssl_certs_path: "/etc/ssl/{{ ssl_certs_common_name }}"
ssl_certs_conf_path: "{{ ssl_certs_path }}/{{ ssl_certs_common_name }}.conf"
ssl_certs_path_owner: "www-data"
ssl_certs_path_group: "www-data"
ssl_certs_privkey_path: "{{ssl_certs_path}}/{{ssl_certs_common_name}}.key"
ssl_certs_cert_path: "{{ssl_certs_path}}/{{ssl_certs_common_name}}.pem"
ssl_certs_csr_path: "{{ssl_certs_path}}/{{ssl_certs_common_name}}.csr"
ssl_certs_combined_path: "{{ssl_certs_path}}/{{ssl_certs_common_name}}.combined.pem"
ssl_certs_dhparam_path: "{{ssl_certs_path}}/dhparam.pem"
ssl_certs_privkey_path: "{{ ssl_certs_path }}/{{ ssl_certs_common_name }}.key"
ssl_certs_cert_path: "{{ ssl_certs_path }}/{{ ssl_certs_common_name }}.pem"
ssl_certs_csr_path: "{{ ssl_certs_path }}/{{ ssl_certs_common_name }}.csr"
ssl_certs_combined_path: "{{ ssl_certs_path }}/{{ ssl_certs_common_name }}.combined.pem"
ssl_certs_dhparam_path: "{{ ssl_certs_path }}/dhparam.pem"
ssl_certs_mode: "0700"
ssl_certs_force_replace: yes

ssl_certs_local_privkey_path: "{{inventory_dir|default(playbook_dir)}}/files/ssl/{{ssl_certs_common_name}}.key"
ssl_certs_local_cert_path: "{{inventory_dir|default(playbook_dir)}}/files/ssl/{{ssl_certs_common_name}}.pem"
ssl_certs_local_privkey_path: "{{ inventory_dir|default(playbook_dir) }}/files/ssl/{{ ssl_certs_common_name}}.key"
ssl_certs_local_cert_path: "{{ inventory_dir|default(playbook_dir) }}/files/ssl/{{ ssl_certs_common_name }}.pem"
ssl_certs_local_privkey_data: ""
ssl_certs_local_cert_data: ""

39 changes: 33 additions & 6 deletions tasks/generate.yml
@@ -1,20 +1,47 @@
---
- name: Generate RSA key
command: openssl genrsa -out {{ ssl_certs_privkey_path }} {{ ssl_certs_key_size }} creates={{ ssl_certs_privkey_path }}
command: "openssl genrsa -out {{ ssl_certs_privkey_path }} {{ ssl_certs_key_size }}"
args:
creates: "{{ ssl_certs_privkey_path }}"

- name: RSA key file ownership
file: path={{ ssl_certs_privkey_path }} owner={{ ssl_certs_path_owner }} group={{ ssl_certs_path_group }} mode={{ ssl_certs_mode }}
file:
path: "{{ ssl_certs_privkey_path }}"
owner: "{{ ssl_certs_path_owner }}"
group: "{{ ssl_certs_path_group }}"
mode: "{{ ssl_certs_mode }}"

- name: Generate certificate config file
template:
src: sslcert.conf.j2
dest: "{{ ssl_certs_conf_path }}"
owner: "{{ ssl_certs_path_owner }}"
group: "{{ ssl_certs_path_group }}"
mode: "{{ ssl_certs_mode }}"

- name: Generate CSR
command: openssl req -new -sha256 -subj "{{ ssl_certs_fields }}" -key {{ ssl_certs_privkey_path }} -out {{ ssl_certs_csr_path }} creates={{ ssl_certs_csr_path }}
command: "openssl req -config {{ ssl_certs_conf_path }} -new -sha256 -key {{ ssl_certs_privkey_path }} -out {{ ssl_certs_csr_path }}"
args:
creates: "{{ ssl_certs_csr_path }}"

- name: CSR file ownership
file: path={{ ssl_certs_csr_path }} owner={{ ssl_certs_path_owner }} group={{ ssl_certs_path_group }} mode={{ ssl_certs_mode }}
file:
path: "{{ ssl_certs_csr_path }}"
owner: "{{ ssl_certs_path_owner }}"
group: "{{ ssl_certs_path_group }}"
mode: "{{ ssl_certs_mode }}"

- name: Generate self-signed SSL certificate
command: openssl req -nodes -x509 -sha256 -days {{ ssl_certs_days }} -in {{ ssl_certs_csr_path }} -key {{ ssl_certs_privkey_path }} -out {{ ssl_certs_cert_path }} -extensions v3_ca creates={{ ssl_certs_cert_path }}
command: "openssl req -config {{ ssl_certs_conf_path }} -nodes -x509 -sha256 -days {{ ssl_certs_days }} -in {{ ssl_certs_csr_path }} -key {{ ssl_certs_privkey_path }} -out {{ ssl_certs_cert_path }} -extensions v3_ca"
args:
creates: "{{ ssl_certs_cert_path }}"
when: ssl_certs_generate_self_signed

- name: Self-signed SSL certificate file ownership
file: path={{ ssl_certs_cert_path }} owner={{ ssl_certs_path_owner }} group={{ ssl_certs_path_group }} mode={{ ssl_certs_mode }}
file:
path: "{{ ssl_certs_cert_path }}"
owner: "{{ ssl_certs_path_owner }}"
group: "{{ ssl_certs_path_group }}"
mode: "{{ ssl_certs_mode }}"
when: ssl_certs_generate_self_signed
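Review bot: The rewritten self-signed command (`Generate self-signed SSL certificate` task) keeps `-extensions v3_ca`, which overrides the `x509_extensions = x509_ext` that the new template sets in `[ req ]`; the certificate is therefore built from the template's `[ v3_ca ]` section, which carries no subjectKeyIdentifier/authorityKeyIdentifier, while `[ x509_ext ]` is never used and the section name suggests a CA profile although it says CA:FALSE. Removing ` -extensions v3_ca` from that command (or changing it to `-extensions x509_ext`) gives the leaf certificate the identifiers the template already defines. Separately, the new `Generate certificate config file` task re-renders the config on every run, but the CSR and certificate tasks still guard on `creates:`, so changing `ssl_certs_san_name` later rewrites the config without regenerating the CSR or certificate unless the old files are removed first; presumably `ssl_certs_force_replace` handles that elsewhere, which is not visible here, and a comment on the template task stating that dependency would help operators.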

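--- a/templates/sslcert.conf.j2
+++ b/templates/sslcert.conf.j2
@@ -0,0 +1,46 @@
+[ req ]
+
+prompt = no
+default_bits = {{ ssl_certs_key_size }}
+default_keyfile = {{ ssl_certs_privkey_path }}
+distinguished_name = subject
+req_extensions = req_ext
+x509_extensions = x509_ext
+string_mask = utf8only
+
+[ subject ]
+
+countryName = {{ ssl_certs_country }}
+stateOrProvinceName = {{ ssl_certs_state }}
+localityName = {{ ssl_certs_locality }}
+organizationName = {{ ssl_certs_organization }}
+commonName = {{ ssl_certs_common_name }}
+emailAddress = {{ ssl_certs_email }}
+
+[ x509_ext ]
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = @alternate_names
+
+[ req_ext ]
+
+subjectKeyIdentifier = hash
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = @alternate_names
+
+[ v3_ca ]
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = @alternate_names
+
+[ alternate_names ]
+
+DNS.1 = {{ ssl_certs_common_name }}
+DNS.2 = {{ ssl_certs_san_name }}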
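Review bot: `DNS.2 = {{ ssl_certs_san_name }}` is emitted unconditionally, and with the default this commit adds in defaults/main.yml (`ssl_certs_san_name: "{{ ssl_certs_common_name }}"`) the SAN extension lists the common name twice; it also caps users at exactly one extra name. Replacing the two fixed lines with a loop such as `{% for name in ([ssl_certs_common_name] + ssl_certs_san_names) | unique %}` / `DNS.{{ loop.index }} = {{ name }}` / `{% endfor %}` — where `ssl_certs_san_names` is an example name for a list variable defaulting to `[]` — removes the duplicate and accepts any number of names, using Ansible's `unique` filter. The three sections `[ x509_ext ]`, `[ req_ext ]` and `[ v3_ca ]` repeat the same basicConstraints/keyUsage/subjectAltName lines and differ only in the key identifiers, so a comment above `[ v3_ca ]` noting which command selects it would make the intent clear. The DN values are substituted unquoted into the OpenSSL config, so a subject field containing `$` would presumably be treated as a config variable reference; quoting those values or documenting the restriction is worth considering.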
