@ -16,12 +16,14 @@
dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
state: directory
recurse: yes
mode: '0700'
with_items:
- ecparams
- certs
- crl
- newcerts
- private
- public
- reqs
- name: Ensure the files exist
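Review bot: `recurse: yes` on the directory task should be written `recurse: true`; `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags and that a strict 1.2 parser reads as a string. If `- public` is the entry this hunk adds, be aware that `recurse` combined with `mode: '0700'` also re-applies 0700 to every file already under `pki/public/` on later runs, so the OpenSSH `.pub` files the new publickey task writes there end up owner-only after a re-run; that is harmless for key material but surprising for a directory named public, so a comment such as `# 0700 is applied recursively, which also tightens pki/public/ on re-runs` would help. The task's header (`- name`, `file:`) starts before this hunk.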
@ -42,6 +44,7 @@
- name: Build the CA pair
shell: >
umask 077;
{{ openssl_bin }} ecparam -name secp384r1 -out ecparams/secp384r1.pem &&
{{ openssl_bin }} req -utf8 -new
-newkey ec:ecparams/secp384r1.pem
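Review bot: The added `umask 077;` carries no comment explaining why it precedes the OpenSSL pipeline, and since it is the only thing keeping the key produced by `req -newkey` out of group/world-readable mode when the target's default umask is looser, it reads like noise and is easy to drop in a later cleanup; a line such as `# umask 077: key material created below must be owner-only` above `shell: >` would fix that. The same `umask 077;` is added to the 'Build the server pair', 'Build the client's pair' and 'Build the client's p12' tasks, and one such comment at the first occurrence is enough. Note that umask governs creation mode only: a key file that already exists and is overwritten in place keeps whatever mode it had, so this relies on the 0700 directory task above for previously written material. The shell scalar continues past the end of the hunk.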
@ -70,6 +73,7 @@
- name: Build the server pair
shell: >
umask 077;
{{ openssl_bin }} req -utf8 -new
-newkey ec:ecparams/secp384r1.pem
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
@ -92,9 +96,10 @@
- name: Build the client's pair
shell: >
umask 077;
{{ openssl_bin }} req -utf8 -new
-newkey ec:ecparams/secp384r1.pem
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}"))
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}"))
-keyout private/{{ item }}.key
-out reqs/{{ item }}.req -nodes
-passin pass:"{{ CA_password }}"
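Review bot: The new `-config` line splices `{{ subjectAltName_USER }}` straight into the printf format string inside shell double quotes, so a `%` in the value is read by printf as a conversion specifier and a `"`, `$` or backtick breaks the quoting of the whole command. Pass the value as a printf argument and let Ansible quote it: `-config <(cat openssl.cnf <(printf '[basic_exts]\nsubjectAltName=%s' {{ subjectAltName_USER | quote }}))`. The same construction is added in the `ca` step of this task and in 'Revoke non-existing users', and should change the same way. The shell scalar continues outside the hunk.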
@ -102,7 +107,7 @@
{{ openssl_bin }} ca -utf8
-in reqs/{{ item }}.req
-out certs/{{ item }}.crt
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}"))
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}"))
-days 3650 -batch
-passin pass:"{{ CA_password }}"
-subj "/CN={{ item }}" &&
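Review bot: `-passin pass:"{{ CA_password }}"` puts the CA password into the command line, and Ansible prints the full `shell` command in verbose output and in callback logs, so unless the task already sets it outside the hunk it should carry `no_log: true` next to `executable: bash`. The same applies to the `req` step above and to 'Revoke non-existing users', which pass the password the same way. The `-subj "/CN={{ item }}"` argument also depends on each entry of `users` being free of shell metacharacters; if that is not validated where `users` is defined, a short comment stating the assumption here would be worth having. The task continues beyond the hunk.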
@ -113,8 +118,24 @@
executable: bash
with_items: "{{ users }}"
- name: Create links for the private keys
file:
src: "pki/private/{{ item }}.key"
dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem"
state: link
force: true
with_items: "{{ users }}"
- name: Build openssh public keys
openssl_publickey:
path: "configs/{{ IP_subject_alt_name }}/pki/public/{{ item }}.pub"
privatekey_path: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.key"
format: OpenSSH
with_items: "{{ users }}"
- name: Build the client's p12
shell: >
umask 077;
{{ openssl_bin }} pkcs12
-in certs/{{ item }}.crt
-inkey private/{{ item }}.key
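Review bot: `force: true` on the new 'Create links for the private keys' task makes `state: link` replace whatever already sits at `configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem`, including a regular file, with no indication beyond a "changed" result; if that is intended so re-runs recover from a stale copy, say so with `# force: replace a stale file or link left by an earlier run`. A symlink carries no mode of its own, so what keeps this `.ssh.pem` private is the 0600 on `pki/private/{{ item }}.key` written under `umask 077` in the client's req task; a comment to that effect would stop a later reader adding a meaningless `mode:` to the link. The new `openssl_publickey` task sets no `mode`, which is acceptable for a public key, and its `format: OpenSSH` output lands under the `public` directory created earlier in the file. The p12 task continues past the end of the hunk.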
@ -149,7 +170,7 @@
- name: Revoke non-existing users
shell: >
{{ openssl_bin }} ca -gencrl
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}"))
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}"))
-passin pass:"{{ CA_password }}"
-revoke certs/{{ item }}.crt
-out crl/{{ item }}.crt