diff options
Diffstat (limited to 'ansible/roles/certificates/tasks/generate-certificates.yml')
-rw-r--r-- | ansible/roles/certificates/tasks/generate-certificates.yml | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/ansible/roles/certificates/tasks/generate-certificates.yml b/ansible/roles/certificates/tasks/generate-certificates.yml new file mode 100644 index 00000000..ac8fe1e3 --- /dev/null +++ b/ansible/roles/certificates/tasks/generate-certificates.yml @@ -0,0 +1,90 @@ +--- +- name: Create certificates directory certs to current dir + file: + path: "{{ certificates_local_dir }}" + state: directory + +# Some of task are delegated to Ansible container because unavailable +# version of python-pyOpenSSL +- name: Generate root CA private key + openssl_privatekey: + path: "{{ certificates_local_dir }}/rootCA.key" + size: 4096 + +- name: Generate an OpenSSL CSR. + openssl_csr: + path: "{{ certificates_local_dir }}/rootCA.csr" + privatekey_path: "{{ certificates_local_dir }}/rootCA.key" + organization_name: "{{ certificates.organization_name }}" + state_or_province_name: "{{ certificates.state_or_province_name }}" + country_name: "{{ certificates.country_name }}" + locality_name: "{{ certificates.locality_name }}" + basic_constraints: + - CA:true + basic_constraints_critical: true + key_usage: + - critical + - digitalSignature + - cRLSign + - keyCertSign + +- name: Generate root CA certificate + openssl_certificate: + provider: selfsigned + path: "{{ certificates_local_dir }}/rootCA.crt" + csr_path: "{{ certificates_local_dir }}/rootCA.csr" + privatekey_path: "{{ certificates_local_dir }}/rootCA.key" + key_usage: + - critical + - digitalSignature + - cRLSign + - keyCertSign + force: true + notify: Restart Docker + +- name: Generate private Nexus key + openssl_privatekey: + path: "{{ certificates_local_dir }}/nexus_server.key" + size: 4096 + force: false + +- name: Generate Nexus CSR (certificate signing request) + openssl_csr: + path: "{{ certificates_local_dir }}/nexus_server.csr" + privatekey_path: "{{ certificates_local_dir }}/nexus_server.key" + organization_name: "{{ certificates.organization_name }}" + state_or_province_name: "{{ certificates.state_or_province_name }}" + country_name: "{{ certificates.country_name }}" + locality_name: "{{ certificates.locality_name }}" + common_name: registry-1.docker.io + key_usage: + - keyAgreement + - nonRepudiation + - digitalSignature + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth + subject_alt_name: + "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}" + +- name: Generate v3 extension config file + template: + src: v3.ext.j2 + dest: "{{ certificates_local_dir }}/v3.ext" + +# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018) +# Currently using 2.6.3 +- name: Sign Nexus certificate + command: > + openssl + x509 + -req + -in "{{ certificates_local_dir }}/nexus_server.csr" + -extfile "{{ certificates_local_dir }}/v3.ext" + -CA "{{ certificates_local_dir }}/rootCA.crt" + -CAkey "{{ certificates_local_dir }}/rootCA.key" + -CAcreateserial + -out "{{ certificates_local_dir }}/nexus_server.crt" + -days 3650 + -sha256 |