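---
# NOTE: There are also ansible modules that help generating certificates
# http://docs.ansible.com/ansible/latest/list_of_crypto_modules.html
#
# but I trust direct calls to openssl more..
#
# Flow: everything up to the copy tasks runs on the controller
# (delegate_to: localhost) inside local_sign_dir, which is wiped at the start
# of every run. The host key/CSR are signed by the intermediate CA, the chain
# is concatenated, wrapped into a PKCS12 bundle and then copied to the managed
# host. The CA key (cert_ca_key_path) and the PKCS12 password
# (cert_pkcs12_pass) are expected to be supplied by the caller; the password
# should come from a vaulted source since it is passed to keytool/openssl as
# a command-line argument.

- name: Delete local temporary directory for certificate generation
  file:
    path: "{{ local_sign_dir }}"
    state: absent
  become: false
  delegate_to: localhost

- name: Create local temporary directory for certificate generation
  file:
    path: "{{ local_sign_dir }}"
    state: directory
    # Quoted so the octal is not read as decimal 493. Owner-only because this
    # directory holds the host private key and the PKCS12 bundle until the
    # run finishes (it was 0755 before).
    mode: "0700"
  become: false
  delegate_to: localhost

# The generation tasks below use "creates:" guards, so stale files from an
# earlier run would be silently reused; remove them first.
- name: Remove certificates if they already exist
  file:
    path: "{{ item }}"
    state: absent
  become: false
  delegate_to: localhost
  with_items:
    - "{{ cert_key_path.local }}"
    - "{{ cert_csr_path }}"
    - "{{ cert_single_cert_path }}"
    - "{{ cert_cert_path.local }}"
    - "{{ cert_pcks12_cert_path.local }}"

# The two set_fact tasks below are complementary: exactly one of them sets
# cert_host_fields, which the openssl config template and the host CSR use.
- name: Use current_host_config.hostname as common name (CN) in certificate generation
  set_fact:
    cert_host_fields: "/C={{ cert_country }}/ST={{ cert_state }}/L={{ cert_locality }}/O={{ cert_organization }}/OU=sub/CN={{ current_host_config.hostname }}"
  # Exact negation of the cluster condition in the next task. The previous
  # test had an always-true first half and an "or" in the second half, so it
  # also matched cluster nodes (relying on task order to override) and raised
  # an error when contains_setup was undefined.
  when: >-
    current_host_config.contains_setup is not defined
    or ("mft-cluster-node" not in current_host_config.contains_setup
    and "fx-cluster" not in current_host_config.contains_setup)

- name: Use current_host_config.cluster_hostname as common name (CN) in certificate generation if operating as a MFT cluster node
  set_fact:
    cert_host_fields: "/C={{ cert_country }}/ST={{ cert_state }}/L={{ cert_locality }}/O={{ cert_organization }}/OU=sub/CN={{ current_host_config.cluster_hostname }}"
  when: >-
    current_host_config.contains_setup is defined
    and ("mft-cluster-node" in current_host_config.contains_setup
    or "fx-cluster" in current_host_config.contains_setup)

- name: Create local temporary openssl config
  template:
    src: openssl.cnf.j2
    dest: "{{ cert_config_path }}"
  become: false
  delegate_to: localhost

- name: Generate intermediate CSR
  command: >-
    openssl req -newkey rsa:{{ cert_key_size }} -nodes
    -keyout {{ cert_inter_key_path }} -out {{ cert_inter_csr_path }}
    -days {{ cert_days_valid }} -subj "{{ cert_inter_fields }}"
  args:
    # Idempotent: skipped once the CSR exists.
    creates: "{{ cert_inter_csr_path }}"
  become: false
  delegate_to: localhost

- name: Generate intermediate certificate
  command: >-
    openssl x509 -extfile {{ cert_config_path }} -extensions v3_intermediate_ca
    -CA {{ cert_ca_cert_path.local }} -CAkey {{ cert_ca_key_path }}
    -req -in {{ cert_inter_csr_path }} -out {{ cert_inter_cert_path }}
    -days {{ cert_days_valid }} -CAcreateserial
  args:
    creates: "{{ cert_inter_cert_path }}"
  become: false
  delegate_to: localhost

- name: Generate PKCS12 store
  command: >-
    keytool -storetype PKCS12 -noprompt -storepass {{ cert_pkcs12_pass }}
    -importcert -file {{ cert_ca_cert_path.local }} -alias ca
    -keystore {{ cert_truststore_path.local }}
  args:
    creates: "{{ cert_truststore_path.local }}"
  # The store password is part of the command line; keep it out of the play
  # output and log files. It remains visible in the controller's process list
  # while keytool runs, which keytool's -storepass option does not avoid.
  no_log: true
  become: false
  delegate_to: localhost

- name: Create host key
  command: >-
    openssl req -new -newkey rsa:{{ cert_key_size }} -nodes
    -out {{ cert_csr_path }} -keyout {{ cert_key_path.local }}
    -days {{ cert_days_valid }} -subj "{{ cert_host_fields }}"
    -config "{{ cert_config_path }}" -extensions v3_req
  args:
    creates: "{{ cert_key_path.local }}"
  become: false
  delegate_to: localhost

- name: Create host certificate
  command: >-
    openssl x509 -CA {{ cert_inter_cert_path }} -CAkey {{ cert_inter_key_path }}
    -req -in {{ cert_csr_path }} -out {{ cert_single_cert_path }}
    -days {{ cert_days_valid }} -CAcreateserial
    -extfile "{{ cert_config_path }}" -extensions v3_req
  args:
    creates: "{{ cert_single_cert_path }}"
  become: false
  delegate_to: localhost

# Order matters for the chain file: leaf, then intermediate, then root CA.
# "shell" is required here because of the output redirection.
- name: Concat certificate chain
  shell: >-
    cat {{ cert_single_cert_path }} {{ cert_inter_cert_path }}
    {{ cert_ca_cert_path.local }} > {{ cert_cert_path.local }}
  args:
    creates: "{{ cert_cert_path.local }}"
  become: false
  delegate_to: localhost

- name: Export host certificate to PCKS12 format
  command: >-
    openssl pkcs12 -export -inkey {{ cert_key_path.local }}
    -in {{ cert_cert_path.local }} -chain -CAfile {{ cert_cert_path.local }}
    -name {{ ansible_hostname }} -out {{ cert_pcks12_cert_path.local }}
    -passout pass:{{ cert_pkcs12_pass }} -noiter -nomaciter
  args:
    creates: "{{ cert_pcks12_cert_path.local }}"
  # Same reason as for the keytool task: the export password is on the
  # command line.
  no_log: true
  become: false
  delegate_to: localhost

# The remote destination differs between fx releases: "remote" before 3.0.0
# (or when fx_version is not set), "remote_v3" from 3.0.0 on. Both tasks
# carry the same name, so check the "when" line to tell them apart in output.
- name: Copy certificates to host linux
  copy:
    src: "{{ item.local }}"
    dest: "{{ item.remote }}"
    owner: "{{ cert_owner }}"
    group: "{{ cert_group }}"
    # Quoted octal: private key and PKCS12 bundle are owner-readable only.
    mode: "0600"
  with_items:
    - "{{ cert_key_path }}"
    - "{{ cert_cert_path }}"
    - "{{ cert_pcks12_cert_path }}"
    - "{{ cert_ca_cert_path }}"
    - "{{ cert_truststore_path }}"
  when: ansible_os_family != "Windows" and (fx_version is not defined or fx_version is version('3.0.0', '<'))
  become: true

- name: Copy certificates to host linux
  copy:
    src: "{{ item.local }}"
    dest: "{{ item.remote_v3 }}"
    owner: "{{ cert_owner }}"
    group: "{{ cert_group }}"
    mode: "0600"
  with_items:
    - "{{ cert_key_path }}"
    - "{{ cert_cert_path }}"
    - "{{ cert_pcks12_cert_path }}"
    - "{{ cert_ca_cert_path }}"
    - "{{ cert_truststore_path }}"
  when: fx_version is defined and ansible_os_family != "Windows" and fx_version is version('3.0.0', '>=')
  become: true

- name: Copy certificates to host windows
  win_copy:
    src: "{{ item.local }}"
    dest: "{{ item.remote }}"
  with_items:
    - "{{ cert_key_path }}"
    - "{{ cert_cert_path }}"
    - "{{ cert_pcks12_cert_path }}"
    - "{{ cert_ca_cert_path }}"
    - "{{ cert_truststore_path }}"
  when: ansible_os_family == "Windows"
  # Best effort: a failed copy does not abort the play. Check the task
  # output if certificates are missing on a Windows host.
  ignore_errors: true

# Puts SELinux into permissive mode for the running system only (not
# persisted across reboot) and is not limited to the certificate paths.
# ignore_errors covers hosts without SELinux and Windows hosts, where
# setenforce does not exist.
- name: Disable selinux
  command: setenforce 0
  ignore_errors: true

# vim:ft=ansible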