-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.yml
276 lines (270 loc) · 10.8 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
---
# defaults file for ssl-certs
# NOTE on paths: Paths for files can be specified at 4 levels that are:
#
# - Global base path, defined in ssl_store_path and ssl_base.path variables
# - Entity path, defined in ssl_sequence.<entity>.store_path or
# ssl_sequence.<entity>.path
# - Object type path. defined in ssl_key_dir.name, ssl_csr_dir.name,
# ssl_crt_dir.name and ssl_chain_dir.name
# - Object path, defined in ssl_sequence.<entity>.<object>.store_path or
# ssl_sequence.<entity>.<object>.path
#
# An "entity" is one definition inside ssl_sequence while an "object" is a key,
# a certificate or a chain.
#
# The definitions can be used together or override each other with the more
# nested ones having more priority. The paths are joined together using python's
# os.path.join which means you can exploit its properties to combine paths.
# Each layer is responsible to set ownership and permission only at its level.
#
# Example:
# ssl_store_path/ssl_sequence.<entity>.store_path/ssl_crt_dir.name/
# ssl_sequence.<entity>.<object>.store_path/ssl_sequence.<entity>.name.<ext>
# Base path for the store on the Ansible machine
ssl_store_path: ../file_store/ssl_certificates
# Base path for all remote operations.
# On top of specifying the path this dictionary contains all the fields of the
# Ansible module "file" and they are used to set permissions on the directory.
ssl_base:
path: /tmp/ssl_certs
mode: '0755'
# Object type base paths.
# On top of specifying the path this dictionary contains all the fields of the
# Ansible module "file" and they are used to set permissions on the directory.
ssl_key_dir:
name: key
mode: '0700'
ssl_csr_dir:
name: csr
mode: '0750'
ssl_crt_dir:
name: crt
mode: '0755'
ssl_chain_dir:
name: crt
mode: '0755'
# Default OpenSSL values
ssl_country: GB
ssl_state: London
ssl_location: London
ssl_organization: Example Company
ssl_email: [email protected]
ssl_organizational_unit: IT Operations
# Main SSL Sequence. Objects will be created following this sequence, one after
# the other.
ssl_sequence: []
# #
# # The following is a working example of how to setup a Root CA (root_ca), a
# # certificate (website) and a certificate chain (website_chain) with the two
# # certificates.
# # Each entry shows how to use different parameters and options.
# # Most of these options are derived directly from OpenSSL so that it's highly
# # encouraged to check the manual pages of OpenSSL for a full description of
# # the fields and options.
# #
# # Root CA
# - name: root_ca
# # Custom path for the entity.
# path: /tmp/ssl_certs
# # Custom path for the local store of the entity. Same rules as above
# store_path: /tmp/ssl_certs/key
# # File modifiers, as per usual "file" Ansible module, applied to the files
# # of the whole entity.
# #owner: nginx
# #group: nginx
# #mode: '0666'
# # Definition of the private key (more options shown below too)
# key:
# # Crypto system: rsa, dsa, ecdsa
# type: ecdsa
# # If using ECDSA, this is the name of the elliptic curve. The name can be
# # found using: openssl ecparam -list_curves
# ec_curve: prime256v1
# # If set to a cipher it encrypts the key. See openssl for the list of
# # supported algorithms.
# encryption: aes256
# # The passphrase to use to encrypt the key
# passphrase: Passw0rd
# # Definition of the certificate (more options shown below too)
# certificate:
# # This indicates that the certificate is to be self-signed. If both this
# # option and the "signing_key" option are missing then only the CSR
# # is generated.
# self_signed: yes
# common_name: My website root Certificate Authority
# organizational_unit: Example Security Office
# # Days of validity. Default is 30
# days: 1000
# # Installs the certificate on the system trust store
# trust: yes
# # SSL v3 extensions. Default is to omit these values
# authorityKeyIdentifier: 'keyid:always,issuer:always'
# basicConstraints: 'critical,CA:TRUE,pathlen:0'
# keyUsage: 'critical,cRLSign,digitalSignature,keyCertSign'
# subjectKeyIdentifier: 'hash'
#
# # Website signed certificate
# - name: website
# # It forces the creation of a new key and certificate on the machine
# force_create: yes
# # It gives priority to the key that is stored remotely versus the one stored
# # on the local repository (it will overwrite the local one if it's already
# # present remotely)
# force_remote: yes
# # If set to false, no operation will be performed
# enabled: yes
# # Definition of the private key
# key:
# # Crypto system: rsa, dsa, ecdsa
# type: rsa
# # Length of they key, applies to RSA and DSA key types
# bits: 2048
# # Custom path for the object's entity.
# path: /tmp/ssl_certs
# # Custom path for the local store of the object's entity.
# store_path: /tmp/ssl_certs/key
# # File modifiers, as per usual "file" Ansible module, applied to the key
# # object only.
# #owner: nginx
# #group: nginx
# #mode: '0666'
# # If set to no the file will not be stored locally
# fetch: no
# # Both force_create and force_remote can be specified also at "key",
# # "certificate" and "chain" level to override the entity ones
# force_create: no
# # Definition of the certificate
# certificate:
# common_name: "{{ ansible_fqdn }}"
# # For alternative DNS names
# alt_names_dns: [ internal.example.com ]
# # For alternative IP addresses
# #alt_names_ips: [ "{{ ansible_default_ipv4.address }}" ]
# # Reference the name of the signing CA certificate. If both this option
# # and the "signing_key" option are missing then only the CSR is generated.
# signing_key: root_ca
# # Digest algorithm, defaults to sha256
# digest: sha1
# #owner: nginx
# #group: nginx
# # SSL v3 extensions. Default is to omit these values
# basicConstraints: 'CA:FALSE'
# subjectKeyIdentifier: 'hash'
# keyUsage: 'nonRepudiation,digitalSignature,keyEncipherment'
# extendedKeyUsage: 'clientAuth'
# # If set to no the file will not be stored locally
# fetch: no
#
# # Reuse a private key to generate a new certificate
# - name: website_self_signed
# # In this example the certificate is created using a previous private key
# # (of the "website" entity) and self-signing the it. This feature can also
# # be used to create cross-signed certificates.
# certificate:
# generating_key: website
# self_signed: yes
# common_name: "{{ ansible_fqdn }}"
# alt_names_dns: [ internal.example.com ]
# digest: sha1
# #owner: nginx
# #group: nginx
# basicConstraints: 'CA:FALSE'
# subjectKeyIdentifier: 'hash'
# keyUsage: 'nonRepudiation,digitalSignature,keyEncipherment'
# extendedKeyUsage: 'clientAuth'
#
# # Create only the CSR
# - name: website_manual_sign
# # Here both "signing_key" and "self_signed" are missing. This stops the role
# # at the CSR only so that it can be manually signed. This, of course, is a
# # two steps process and when you have the certificate it must be added back
# # for the role to install it.
# certificate:
# generating_key: website
# self_signed: yes
# common_name: "{{ ansible_fqdn }}"
# alt_names_dns: [ internal.example.com ]
# digest: sha1
# #owner: nginx
# #group: nginx
# basicConstraints: 'CA:FALSE'
# subjectKeyIdentifier: 'hash'
# keyUsage: 'nonRepudiation,digitalSignature,keyEncipherment'
# extendedKeyUsage: 'clientAuth'
#
# # Create a certificate chain
# - name: website_chain
# # This is a postfix applied to the name of the entity to create the file
# # name of the chain.
# chain_postfix: '-list'
# # Definition the chain as list of certificates. Here it's shown on a separate
# # entity but it can be part of any entity with "key" and "certificates"
# # attributes. Chain files will end in -chain.crt
# chain:
# # File modifiers, as per usual "file" Ansible module
# #owner: nginx
# #group: nginx
# # If set to no the file will not be stored locally
# fetch: yes
# # Installs the certificate on the system trust store
# trust: yes
# # List of the certificate names that form the chain. The names are the
# # names used in the above certificates. The output chain will contain the
# # certificates in the order that they appear here. The order on which the
# # certificates appear is important as stated in RFC4346 Section 7.4.2
# # If set to yes the file will be stored locally
# fetch: yes
# certificates:
# - website
# - root_ca
# - website_self_signed
#
# # Example of a client certificate, created in one entity, with a chain file.
# - name: client_certificate
# key:
# type: rsa
# bits: 4096
# certificate:
# days: 730
# common_name: John Smith <[email protected]>
# # Certificate details can be changed here. Valid keys mimic the ssl_*
# # equivalents of the upper level variables.
# email: [email protected]
# country: GI
# state: Gibraltar
# location: Gibraltar
# signing_key: root_ca
# digest: sha256
# # We restrict the key usage for a specific purpose
# keyUsage: nonRepudiation,digitalSignature,keyEncipherment
# basicConstraints: 'CA:FALSE'
# extendedKeyUsage: clientAuth
# subjectKeyIdentifier: hash
# chain:
# # Force the update of the chain
# force_create: yes
# # A chain can be included together with a Key and Certificate. The chain
# # will be named appending -chain.crt to the file.
# certificates:
# - client_certificate
# - root_ca
#
# # Example of installing and trusting an existing certificate
# - name: client_certificate
# certificate:
# trust: yes
#
# # Example of format conversion (each format is optional)
# - name: client_certificate
# certificate:
# # DER format.
# # File permissions are set as per upper "certificate" settings
# der:
# convert: yes
# force_create: yes
# # Java Key Store (requires java installed)
# jks:
# convert: yes
# keystore: /tmp/my_store.jks
# storepass: changeit