Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dependabot/pip/ansible-9.4.0
dependabot/github_actions/actions/setup-python-5.1.0
fix/14704
dependabot/pip/jinja2-approx-eq-3.1.3
v1.1
v1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ee6db37428'
${ noResults }
algo/roles/vpn/tasks/openssl.yml

178 lines
5.3 KiB
YAML
Raw Blame History

---
- block:
- name: Ensure the pki directory does not exist
file:
dest: configs/{{ IP_subject_alt_name }}/pki
state: absent
when: easyrsa_reinit_existent == True
- name: Ensure the pki directories exist
file:
dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
state: directory
recurse: yes
with_items:
- ecparams
- certs
- crl
- newcerts
- private
- reqs
- name: Ensure the files exist
file:
dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
state: touch
with_items:
- ".rnd"
- "private/.rnd"
- "index.txt"
- "index.txt.attr"
- "serial"
- name: Generate the openssl server configs
template:
src: openssl.cnf.j2
dest: "configs/{{ IP_subject_alt_name }}/pki/openssl.cnf"
- name: Build the CA pair
shell: >
openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
openssl req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config openssl.cnf
-keyout private/cakey.pem
-out cacert.pem -x509 -days 3650
-batch
-passout pass:"{{ easyrsa_CA_password }}" &&
touch {{ IP_subject_alt_name }}_ca_generated
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: "{{ IP_subject_alt_name }}_ca_generated"
environment:
subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
- name: Copy the CA certificate
copy:
src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem"
dest: "configs/{{ IP_subject_alt_name }}/cacert.pem"
mode: 0600
- name: Generate the serial number
shell: echo 01 > serial && touch serial_generated
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: serial_generated
- name: Build the server pair
shell: >
openssl req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config openssl.cnf
-keyout private/{{ IP_subject_alt_name }}.key
-out reqs/{{ IP_subject_alt_name }}.req -nodes
-passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ IP_subject_alt_name }}" -batch &&
openssl ca -utf8
-in reqs/{{ IP_subject_alt_name }}.req
-out certs/{{ IP_subject_alt_name }}.crt
-config openssl.cnf -days 3650 -batch
-passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ IP_subject_alt_name }}" &&
touch certs/{{ IP_subject_alt_name }}_crt_generated
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: certs/{{ IP_subject_alt_name }}_crt_generated
environment:
subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
- name: Build the client's pair
shell: >
openssl req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config openssl.cnf
-keyout private/{{ item }}.key
-out reqs/{{ item }}.req -nodes
-passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ item }}" -batch &&
openssl ca -utf8
-in reqs/{{ item }}.req
-out certs/{{ item }}.crt
-config openssl.cnf -days 3650 -batch
-passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ item }}" &&
touch certs/{{ item }}_crt_generated
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: certs/{{ item }}_crt_generated
environment:
subjectAltName: "DNS:{{ item }}"
with_items: "{{ users }}"
- name: Build the client's p12
shell: >
openssl pkcs12
-in certs/{{ item }}.crt
-inkey private/{{ item }}.key
-export
-name {{ item }}
-out private/{{ item }}.p12
-certfile cacert.pem
-passout pass:"{{ easyrsa_p12_export_password }}"
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: private/{{ item }}.p12
with_items: "{{ users }}"
register: p12
- name: Copy the p12 certificates
copy:
src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
mode: 0600
with_items:
- "{{ users }}"
- name: Get active users
shell: >
grep ^V index.txt |
grep -v "{{ IP_subject_alt_name }}" |
awk '{print $5}' |
sed 's/\/CN=//g'
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
register: valid_certs
- name: Revoke non-existing users
shell: >
openssl ca
-config openssl.cnf
-passin pass:"{{ easyrsa_CA_password }}"
-revoke certs/{{ item }}.crt &&
openssl ca -gencrl
-config openssl.cnf
-passin pass:"{{ easyrsa_CA_password }}"
-revoke certs/{{ item }}.crt
-out crl/{{ item }}.crt
touch crl/{{ item }}_revoked
args:
chdir: configs/{{ IP_subject_alt_name }}/pki/
creates: crl/{{ item }}_revoked
environment:
subjectAltName: "DNS:{{ item }}"
when: item not in users
with_items: "{{ valid_certs.stdout_lines }}"
delegate_to: localhost
become: no
- name: Copy the revoked certificates to the vpn server
copy:
src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/{{ item }}.crt"
when: item not in users
with_items: "{{ valid_certs.stdout_lines }}"
notify:
- rereadcrls
Reference in New Issue View Git Blame Copy Permalink