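---
# Generate a self-signed root CA (private key + certificate) on the control
# host and install the certificate into the local system trust store on
# RedHat-family and macOS hosts.
#
# Variables:
#   ca_path     - directory that receives <filename>.key and <filename>.pem
#   filename    - base name of the key/certificate files
#   common_name - CN of the CA certificate (not added as a SAN)
#   passphrase  - optional; when unset, `default(omit)` drops the parameter from
#                 both tasks that use it and the private key is written unencrypted
- hosts: localhost
  # Facts are required for the ansible_os_family conditions below.
  gather_facts: true
  vars:
    ca_path: /some/path
    filename: rootCA
    common_name: Root CA
    # passphrase: <password>

  tasks:
    - name: Create CA directory
      file:
        path: "{{ ca_path }}"
        state: directory

    - name: Generate private key
      community.crypto.openssl_privatekey:
        path: "{{ ca_path }}/{{ filename }}.key"
        passphrase: "{{ passphrase | default(omit) }}"
        # This is the CA signing key: make the owner-only permission explicit
        # rather than relying on the module's default.
        mode: "0600"

    - name: Generate csr
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ ca_path }}/{{ filename }}.key"
        common_name: "{{ common_name }}"
        use_common_name_for_san: false
        # NOTE(review): an extended key usage on a CA certificate is unusual.
        # Validators that nest EKUs along the chain will reject leaf certificates
        # issued by this CA for any purpose other than serverAuth — confirm that
        # restriction is intended.
        extendedKeyUsage:
          - serverAuth
        basic_constraints:
          - 'CA:TRUE'
        basic_constraints_critical: true
        # keyCertSign only: the CA can sign certificates but not CRLs (no cRLSign).
        key_usage:
          - keyCertSign
        key_usage_critical: true
      register: ca_csr

    - name: Generate CA certificate from CSR
      community.crypto.x509_certificate:
        path: "{{ ca_path }}/{{ filename }}.pem"
        csr_content: "{{ ca_csr.csr }}"
        privatekey_path: "{{ ca_path }}/{{ filename }}.key"
        privatekey_passphrase: "{{ passphrase | default(omit) }}"
        # No validity period is given, so the provider's default applies.
        provider: selfsigned

    - name: Copy CA to trust store
      when: ansible_os_family == "RedHat"
      copy:
        src: "{{ ca_path }}/{{ filename }}.pem"
        dest: /etc/pki/ca-trust/source/anchors
      become: true
      # Rebuild the trust bundle only when the anchor file actually changed,
      # instead of reporting a change on every run.
      notify: Update CA trust

    - name: Add CA to system trust (macOS)
      when: ansible_os_family == "Darwin"
      # Not idempotent: the keychain entry is (re)added on every run.
      command: 'security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" {{ ca_path }}/{{ filename }}.pem'
      become: true

  handlers:
    # Notified by the RedHat copy task above, so it only runs on that family.
    - name: Update CA trust
      command: update-ca-trust
      become: true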