-rw-r--r-- | ansible/roles/certificates/tasks/main.yml | 100 | ||||
-rw-r--r-- | ansible/roles/certificates/tasks/upload_root_ca.yml | 10 | ||||
-rw-r--r-- | ansible/roles/certificates/templates/v3.ext.j2 | 9 |
3 files changed, 119 insertions, 0 deletions
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
new file mode 100644
index 00000000..2e7dd88a
--- /dev/null
+++ b/ansible/roles/certificates/tasks/main.yml
@@ -0,0 +1,100 @@ +--- +# Some of task are delegated to Ansible container because unavailable +# version of python-pyOpenSSL +- name: Generate root CA private key + openssl_privatekey: + path: /certs/rootCA.key + size: 4096 + delegate_to: localhost + +- name: Generate an OpenSSL CSR. + openssl_csr: + path: /certs/rootCA.csr + privatekey_path: /certs/rootCA.key + organization_name: "{{ certificates.organization_name }}" + state_or_province_name: "{{ certificates.state_or_province_name }}" + country_name: "{{ certificates.country_name }}" + locality_name: "{{ certificates.locality_name }}" + basic_constraints: + - CA:true + basic_constraints_critical: yes + key_usage: + - critical + - digitalSignature + - cRLSign + - keyCertSign + delegate_to: localhost + +- name: Generate root CA certificate + openssl_certificate: + provider: selfsigned + path: /certs/rootCA.crt + csr_path: /certs/rootCA.csr + privatekey_path: /certs/rootCA.key + key_usage: + - critical + - digitalSignature + - cRLSign + - keyCertSign + force: yes + delegate_to: localhost + notify: Restart Docker + +- name: Generate private Nexus key + openssl_privatekey: + path: /certs/nexus_server.key + size: 4096 + force: False + delegate_to: localhost + +- name: Generate Nexus CSR (certificate signing request) + openssl_csr: + path: /certs/nexus_server.csr + privatekey_path: /certs/nexus_server.key + organization_name: "{{ certificates.organization_name }}" + state_or_province_name: "{{ certificates.state_or_province_name }}" + country_name: "{{ certificates.country_name }}" + locality_name: "{{ certificates.locality_name }}" + common_name: registry-1.docker.io + key_usage: + - keyAgreement + - nonRepudiation + - digitalSignature + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth + subject_alt_name: + "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}" + delegate_to: localhost + +- name: Generate v3 extension config file + template: + src: v3.ext.j2 + dest: 
/certs/v3.ext + delegate_to: localhost + +# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018) +# Currently using 2.6.3 +- name: Sign Nexus certificate + command: > + openssl + x509 + -req + -in /certs/nexus_server.csr + -extfile /certs/v3.ext + -CA /certs/rootCA.crt + -CAkey /certs/rootCA.key + -CAcreateserial + -out /certs/nexus_server.crt + -days 3650 + -sha256 + delegate_to: localhost + +- name: Upload certificates to infrastructure server + copy: + src: /certs + directory_mode: yes + dest: "{{ app_data_path }}/" + +- import_tasks: upload_root_ca.yml diff --git a/ansible/roles/certificates/tasks/upload_root_ca.yml b/ansible/roles/certificates/tasks/upload_root_ca.yml new file mode 100644 index 00000000..5a59d27b --- /dev/null +++ b/ansible/roles/certificates/tasks/upload_root_ca.yml @@ -0,0 +1,10 @@ +--- +- name: Copy root certificate + copy: + src: "/certs/rootCA.crt" + dest: /etc/pki/ca-trust/source/anchors/ + notify: Restart Docker + +- name: Extract root certificate + command: /usr/bin/update-ca-trust extract + notify: Restart Docker diff --git a/ansible/roles/certificates/templates/v3.ext.j2 b/ansible/roles/certificates/templates/v3.ext.j2 new file mode 100644 index 00000000..7be946fd --- /dev/null +++ b/ansible/roles/certificates/templates/v3.ext.j2 @@ -0,0 +1,9 @@ +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment +subjectAltName = @alt_names + +[alt_names] +{% for name in all_simulated_hosts -%} + DNS.{{ loop.index }} = {{ name }} +{% endfor %} |
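Review bot: The `Upload certificates to infrastructure server` task copies the whole `/certs` directory, so the CA signing key `rootCA.key` is shipped to the remote host even though only `nexus_server.key`, `nexus_server.crt` and `rootCA.crt` are used there; copy those three files individually with an explicit `mode`, since the task sets none and `directory_mode: yes` passes a YAML boolean where an octal mode string is expected. `force: yes` on `Generate root CA certificate` reissues the root certificate on every run, so the play is never idempotent and `Restart Docker` fires each time; the key and CSR tasks already regenerate only when their inputs change, so the option can probably be dropped. `Sign Nexus certificate` has the same idempotency problem and could be skipped once its output exists with `args: creates: /certs/nexus_server.crt`. The CSR's `subject_alt_name` is built from `simulated_hosts` while `v3.ext.j2` iterates `all_simulated_hosts`; because `openssl x509 -req -extfile` takes extensions from the ext file rather than from the CSR, the list in `v3.ext.j2` is the one that ends up in the certificate and both places should refer to the same variable.
```yaml
- name: Upload certificates to infrastructure server
  copy:
    src: "/certs/{{ item.name }}"
    dest: "{{ app_data_path }}/certs/{{ item.name }}"
    mode: "{{ item.mode }}"
  loop:
    - name: nexus_server.crt
      mode: "0644"
    - name: nexus_server.key
      mode: "0600"
    - name: rootCA.crt
      mode: "0644"
```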
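Review bot: `Extract root certificate` runs `update-ca-trust extract` unconditionally, so the task reports changed and `Restart Docker` is notified on every play even when `rootCA.crt` did not change. Register the copy result and gate the command on it: `register: root_ca_copy` on the copy task and `when: root_ca_copy.changed` on the command, which also makes the Docker restart fire only when the trust anchor actually changed. The copy task sets no `mode`, so the anchor's permissions depend on the copy module defaults; `mode: "0644"` makes the intent explicit.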
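Review bot: The extension file carries no `extendedKeyUsage`, and because `openssl x509 -req -extfile` in main.yml takes its extensions from this file rather than from the CSR, the signed Nexus certificate loses the `serverAuth` EKU that the CSR task requests; add `extendedKeyUsage = serverAuth`. `authorityKeyIdentifier=keyid,issuer` is set but no `subjectKeyIdentifier = hash` is, which is usually paired with it so the chain can be matched by key id; confirm whether the CA certificate produced by `openssl_certificate` carries a subject key identifier. Formatting is inconsistent across the lines (`authorityKeyIdentifier=keyid,issuer` without spaces, `keyUsage = ...` with spaces); pick one style for the file.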