diff --git a/library/certificate_request.py b/library/certificate_request.py index c7a38b9..72f67f0 100644 --- a/library/certificate_request.py +++ b/library/certificate_request.py @@ -160,6 +160,10 @@ description: - Command that should run after saving the certificate. required: false + profile: + description: + - The certificate profile. Only used with certmonger. + required: false author: - Sergio Oliveira Campos (@seocam) @@ -359,6 +363,7 @@ def _get_argument_spec(): wait=dict(type="bool", default=True), run_before=dict(type="str"), run_after=dict(type="str"), + profile=dict(type="str"), ) @property diff --git a/module_utils/certificate_lsr/providers/certmonger.py b/module_utils/certificate_lsr/providers/certmonger.py index d32fb26..5488107 100644 --- a/module_utils/certificate_lsr/providers/certmonger.py +++ b/module_utils/certificate_lsr/providers/certmonger.py @@ -239,6 +239,11 @@ def request_certificate(self): if self.module.params["wait"]: command += ["-w"] + # Set profile + profile = self.module.params["profile"] + if profile: + command += ["-T", profile] + # Set certificate locations if not self.exists_in_certmonger: command += ["-k", self.certificate_key_path] diff --git a/tasks/main.yml b/tasks/main.yml index f382d2e..4248da7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -140,4 +140,5 @@ run_before: "{{ item.run_before | default(omit) }}" run_after: "{{ item.run_after | default(omit) }}" ca: "{{ item.ca | default(omit) }}" + profile: "{{ item.profile | default(omit) }}" loop: "{{ certificate_requests }}" diff --git a/tests/tasks/assert_certificate_parameters.yml b/tests/tasks/assert_certificate_parameters.yml index 0643bf5..90a0cbd 100644 --- a/tests/tasks/assert_certificate_parameters.yml +++ b/tests/tasks/assert_certificate_parameters.yml 
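Review bot: `profile=dict(type="str")` in `_get_argument_spec` accepts the option unconditionally, while the DOCUMENTATION hunk above states it is only used with certmonger; with any other provider the value would be dropped silently and the certificate issued under the CA's default profile, which is not what the caller asked for. If the module can tell which provider is in use, consider a `module.warn(...)` (or `fail_json`) when `profile` is set and the provider is not certmonger, so the mismatch is visible in the play output rather than only in the resulting certificate. Otherwise the DOCUMENTATION entry should say the value is ignored by other providers, e.g. `- The certificate profile. Only used with certmonger; ignored by other providers.` `_get_argument_spec` begins before this hunk.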
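Review bot: The new `-T` block in `request_certificate` only extends the argv list; nothing in the hunk compares the requested `profile` with what certmonger already tracks when `self.exists_in_certmonger` is true, so changing `profile` on an already-tracked request may be a no-op unless the change-detection code outside this hunk also considers it — worth confirming. The `# Set profile` comment restates the code; a why-comment would help, e.g. `# certmonger -T: empty/None leaves the CA's default profile in effect`. Appending the value as its own list element rather than interpolating it into a shell string is the right choice here. `request_certificate` starts and ends outside the hunk.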
@@ -154,3 +154,21 @@ fail_msg: >- {{ cert['auto_renew'] | default('yes') | bool }} != {{ result.stdout | bool }} + +- name: Retrieve profile + shell: >- + set -euo pipefail; + getcert list -f {{ cert['path'] }} | + grep 'profile' | + sed 's/^\s\+profile: //g' + register: result + changed_when: false + when: cert['profile'] is defined + +- name: Verify certificate profile + assert: + that: + - cert['profile'] == result.stdout + fail_msg: >- + {{ cert['profile'] }} != {{ result.stdout }} + when: cert['profile'] is defined \ No newline at end of file diff --git a/tests/tests_basic_ipa.yml b/tests/tests_basic_ipa.yml index 8302dea..79b544b 100644 --- a/tests/tests_basic_ipa.yml +++ b/tests/tests_basic_ipa.yml @@ -21,6 +21,12 @@ principal: HTTP/ipaserver.test.local@TEST.LOCAL ca: ipa group: ftp + + - name: cert_with_profile + dns: ipaserver.test.local + principal: HTTP/ipaserver.test.local@TEST.LOCAL + ca: ipa + profile: caIPAserviceCert roles: - linux-system-roles.certificate @@ -80,9 +86,36 @@ - content_commitment - key_encipherment - data_encipherment + + - path: /etc/pki/tls/certs/cert_with_profile.crt + key_path: /etc/pki/tls/private/cert_with_profile.key + owner: root + mode: "0640" + subject: + - name: commonName + oid: 2.5.4.3 + value: ipaserver.test.local + - name: organizationName + oid: 2.5.4.10 + value: TEST.LOCAL + subject_alt_name: + - name: DNS + value: ipaserver.test.local + - name: Universal Principal Name (UPN) + oid: 1.3.6.1.4.1.311.20.2.3 + value: HTTP/ipaserver.test.local@TEST.LOCAL + - name: Kerberos principalname + oid: 1.3.6.1.5.2.2 + value: HTTP/ipaserver.test.local@TEST.LOCAL + key_usage: + - digital_signature + - content_commitment + - key_encipherment + - data_encipherment + profile: caIPAserviceCert tasks: - name: Verify each certificate include_tasks: tasks/assert_certificate_parameters.yml loop: "{{ certificates }}" loop_control: - loop_var: cert + loop_var: cert \ No newline at end of file
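Review bot: `getcert list -f {{ cert['path'] }}` in the `Retrieve profile` task interpolates the path into a shell pipeline unquoted; use `{{ cert['path'] | quote }}` so a path with spaces or shell metacharacters cannot change the command. `grep 'profile'` is also unanchored and would match any other `getcert list` line containing that word, producing a multi-line `result.stdout` and a misleading failure in `Verify certificate profile`; anchor it to the field, e.g. `grep -E '^\s*profile: '`. The hunk additionally leaves the file without a trailing newline (`\ No newline at end of file`), as does the last hunk of tests/tests_basic_ipa.yml; restore both.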
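Review bot: The new `cert_with_profile` fixture requests `profile: caIPAserviceCert` from `ca: ipa`; as far as I know that is the IPA CA's default profile for service certificates, so the `Verify certificate profile` assertion would still pass if the `-T` argument were dropped entirely, and the test does not demonstrate that the option takes effect. If the test CA offers a second profile, requesting a non-default one would make the check meaningful; otherwise a comment on the fixture should state the limitation, e.g. `# caIPAserviceCert is the IPA default, so this only checks that the option is accepted`. The second fixture entry in `@@ -80,9 +86,36 @@` duplicates the `subject`/`subject_alt_name`/`key_usage` expectations of the entry above it, which suggests a shared anchor or default would keep the two in step.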