--- - block: - name: Set subjectAltName as a fact set_fact: subjectAltName: "{{ subjectAltName_IP }}{% if ipv6_support %},IP:{{ ansible_default_ipv6['address'] }}{% endif %}{% if domain and subjectAltName_DNS %},DNS:{{ subjectAltName_DNS }}{% endif %}" tags: always - name: Ensure the pki directory does not exist file: dest: configs/{{ IP_subject_alt_name }}/pki state: absent when: keys_clean_all|bool == True - name: Ensure the pki directories exist file: dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}" state: directory recurse: yes with_items: - ecparams - certs - crl - newcerts - private - reqs - name: Ensure the files exist file: dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}" state: touch with_items: - ".rnd" - "private/.rnd" - "index.txt" - "index.txt.attr" - "serial" - name: Generate the openssl server configs template: src: openssl.cnf.j2 dest: "configs/{{ IP_subject_alt_name }}/pki/openssl.cnf" - name: Build the CA pair shell: > {{ openssl_bin }} ecparam -name secp384r1 -out ecparams/secp384r1.pem && {{ openssl_bin }} req -utf8 -new -newkey ec:ecparams/secp384r1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:"{{ CA_password }}" && touch {{ IP_subject_alt_name }}_ca_generated args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" creates: "{{ IP_subject_alt_name }}_ca_generated" executable: bash - name: Copy the CA certificate copy: src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem" dest: "configs/{{ IP_subject_alt_name }}/cacert.pem" mode: 0600 - name: Generate the serial number shell: echo 01 > serial && touch serial_generated args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" creates: serial_generated - name: Build the server pair shell: > {{ openssl_bin }} req -utf8 -new -newkey ec:ecparams/secp384r1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) -keyout private/{{ IP_subject_alt_name }}.key -out reqs/{{ IP_subject_alt_name }}.req -nodes -passin pass:"{{ CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" -batch && {{ openssl_bin }} ca -utf8 -in reqs/{{ IP_subject_alt_name }}.req -out certs/{{ IP_subject_alt_name }}.crt -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) -days 3650 -batch -passin pass:"{{ CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" && touch certs/{{ IP_subject_alt_name }}_crt_generated args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" creates: certs/{{ IP_subject_alt_name }}_crt_generated executable: bash - name: Build the client's pair shell: > {{ openssl_bin }} req -utf8 -new -newkey ec:ecparams/secp384r1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ CA_password }}" -subj "/CN={{ item }}" -batch && {{ openssl_bin }} ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) -days 3650 -batch -passin pass:"{{ CA_password }}" -subj "/CN={{ item }}" && touch certs/{{ item }}_crt_generated args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" creates: certs/{{ item }}_crt_generated executable: bash with_items: "{{ users }}" - name: Build the client's p12 shell: > {{ openssl_bin }} pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key -export -name {{ item }} -out private/{{ item }}.p12 -passout pass:"{{ p12_export_password }}" args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" executable: bash with_items: "{{ users }}" register: p12 - name: Copy the p12 certificates copy: src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12" dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12" mode: 0600 with_items: - "{{ users }}" - name: Get active users shell: > grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g' args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" register: valid_certs - name: Revoke non-existing users shell: > {{ openssl_bin }} ca -gencrl -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) -passin pass:"{{ CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt register: gencrl args: chdir: configs/{{ IP_subject_alt_name }}/pki/ creates: crl/{{ item }}.crt executable: bash when: item not in users with_items: "{{ valid_certs.stdout_lines }}" - name: Genereate new CRL file shell: > {{ openssl_bin }} ca -gencrl -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }}")) -passin pass:"{{ CA_password }}" -out crl/algo.root.pem when: - gencrl is defined - gencrl.changed args: chdir: configs/{{ IP_subject_alt_name }}/pki/ executable: bash delegate_to: localhost become: no - name: Copy the CRL to the vpn server copy: src: configs/{{ IP_subject_alt_name }}/pki/crl/algo.root.pem dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem" when: - gencrl is defined - gencrl.changed notify: - rereadcrls