Add role to generate certificates using custom CA

2020-10-05 02:27:13 +02:00 · 2020-10-05 02:27:13 +02:00 · db37f85615
parent 8750a53f8d
commit db37f85615
3 changed files with 49 additions and 0 deletions
--- a/roles/generate_certificate/defaults/main.yml
+++ b/roles/generate_certificate/defaults/main.yml
@ -0,0 +1,11 @@
+---
+generate_certificate_base_path: /etc/ssl/owncerts
+generate_certificate_key_path: "{{ generate_certificate_base_path }}/{{ generate_certificate_domain }}.key"
+generate_certificate_csr_path: "{{ generate_certificate_base_path }}/{{ generate_certificate_domain }}.csr"
+generate_certificate_crt_path: "{{ generate_certificate_base_path }}/{{ generate_certificate_domain }}.crt"
+generate_certificate_ca_path: /etc/ssl/ca/ca.crt
+generate_certificate_ca_privatekey_path: /etc/ssl/ca/ca.key
+generate_certificate_ca_privatekey_passphrase: "this is a secret!"
+generate_certificate_domain: example.org
+generate_certificate_organization_name: Example
+generate_certificate_email_address: email@example.org
--- a/roles/generate_certificate/tasks/main.yml
+++ b/roles/generate_certificate/tasks/main.yml
@ -0,0 +1,37 @@
+---
+- name: install python3-openssl
+  apt:
+    name: python3-openssl
+    update_cache: true
+    cache_valid_time: 3600
+
+- name: ensure {{ generate_certificate_base_path }} esists
+  file:
+    path: "{{ generate_certificate_base_path }}"
+    state: directory
+    owner: root
+    mode: 0700
+
+- name: generate certificate private key
+  openssl_privatekey:
+    path: "{{ generate_certificate_key_path }}"
+    size: 2048
+    type: RSA
+
+- name: generate Certificate Signing Request
+  openssl_csr:
+    path: "{{ generate_certificate_csr_path }}"
+    privatekey_path: "{{ generate_certificate_key_path }}"
+    organization_name: "{{ generate_certificate_organization_name }}"
+    email_address: "{{ generate_certificate_email_address }}"
+    common_name: "{{ generate_certificate_domain }}"
+
+- name: generate a certificate for {{ generate_certificate_domain }}
+  openssl_certificate:
+    path: "{{ generate_certificate_crt_path }}"
+    csr_path: "{{ generate_certificate_csr_path }}"
+    ownca_path: "{{ generate_certificate_ca_path }}"
+    ownca_privatekey_path: "{{ generate_certificate_ca_privatekey_path }}"
+    ownca_privatekey_passphrase: "{{ generate_certificate_ca_privatekey_passphrase }}"
+    ownca_not_after: "+365d"
+    provider: ownca
--- a/tests/test.yml
+++ b/tests/test.yml
@ -30,3 +30,4 @@
    # - {role: ../roles/homeassistant, become: true}
    # - {role: ../roles/mosquitto, become: true}
    # - {role: ../roles/generate_ca, become: true}
+    # - {role: ../roles/generate_certificate, become: true}