mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2025-10-24 21:14:00 -07:00 
			
		
		
		
	new provider: ownca (#35840)
This commit is contained in:
		
					parent
					
						
							
								c4a6bce69f
							
						
					
				
			
			
				commit
				
					
						b61b113fb9
					
				
			
		
					 6 changed files with 473 additions and 119 deletions
				
			
		|  | @ -24,9 +24,11 @@ version_added: "2.4" | |||
| short_description: Generate and/or check OpenSSL certificates | ||||
| description: | ||||
|     - "This module allows one to (re)generate OpenSSL certificates. It implements a notion | ||||
|        of provider (ie. C(selfsigned), C(acme), C(assertonly)) for your certificate. | ||||
|        of provider (ie. C(selfsigned), C(ownca), C(acme), C(assertonly)) for your certificate. | ||||
|        The 'assertonly' provider is intended for use cases where one is only interested in | ||||
|        checking properties of a supplied certificate. | ||||
|        The 'ownca' provider is intended for generate OpenSSL certificate signed with your own | ||||
|        CA (Certificate Authority) certificate (self-signed certificate). | ||||
|        Many properties that can be specified in this module are for validation of an | ||||
|        existing or newly generated certificate. The proper place to specify them, if you | ||||
|        want to receive a certificate with these properties is a CSR (Certificate Signing Request). | ||||
|  | @ -48,7 +50,7 @@ options: | |||
| 
 | ||||
|     provider: | ||||
|         required: true | ||||
|         choices: [ 'selfsigned', 'assertonly', 'acme' ] | ||||
|         choices: [ 'selfsigned', 'ownca', 'assertonly', 'acme' ] | ||||
|         description: | ||||
|             - Name of the provider to use to generate/retrieve the OpenSSL certificate. | ||||
|               The C(assertonly) provider will not generate files and fail if the certificate file is missing. | ||||
|  | @ -94,6 +96,45 @@ options: | |||
|               If this value is not specified, certificate will stop being valid 10 years from now. | ||||
|         aliases: [ selfsigned_notAfter ] | ||||
| 
 | ||||
|     ownca_path: | ||||
|         description: | ||||
|             - Remote absolute path of the CA (Certificate Authority) certificate. | ||||
|         version_added: "2.7" | ||||
| 
 | ||||
|     ownca_privatekey_path: | ||||
|         description: | ||||
|             - Path to the CA (Certificate Authority) private key to use when signing the certificate. | ||||
|         version_added: "2.7" | ||||
| 
 | ||||
|     ownca_privatekey_passphrase: | ||||
|         description: | ||||
|             - The passphrase for the I(ownca_privatekey_path). | ||||
|         version_added: "2.7" | ||||
| 
 | ||||
|     ownca_digest: | ||||
|         default: "sha256" | ||||
|         description: | ||||
|             - Digest algorithm to be used for the C(ownca) certificate. | ||||
|         version_added: "2.7" | ||||
| 
 | ||||
|     ownca_version: | ||||
|         default: 3 | ||||
|         description: | ||||
|             - Version of the C(ownca) certificate. Nowadays it should almost always be C(3). | ||||
|         version_added: "2.7" | ||||
| 
 | ||||
|     ownca_not_before: | ||||
|         description: | ||||
|             - The timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME. | ||||
|               If this value is not specified, certificate will start being valid from now. | ||||
|         version_added: "2.7" | ||||
| 
 | ||||
|     ownca_not_after: | ||||
|         description: | ||||
|             - The timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME. | ||||
|               If this value is not specified, certificate will stop being valid 10 years from now. | ||||
|         version_added: "2.7" | ||||
| 
 | ||||
|     acme_accountkey_path: | ||||
|         description: | ||||
|             - Path to the accountkey for the C(acme) provider | ||||
|  | @ -209,6 +250,9 @@ extends_documentation_fragment: files | |||
| notes: | ||||
|     - All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern. | ||||
|       Date specified should be UTC. Minutes and seconds are mandatory. | ||||
|     - For security reason, when you use C(ownca) provider, you should NOT run M(openssl_certificate) on | ||||
|       a target machine, but on a dedicated CA machine. It is recommended not to store the CA private key | ||||
|       on the target machine. Once signed, the certificate can be moved to the target machine. | ||||
| ''' | ||||
| 
 | ||||
| 
 | ||||
|  | @ -220,6 +264,14 @@ EXAMPLES = ''' | |||
|     csr_path: /etc/ssl/csr/ansible.com.csr | ||||
|     provider: selfsigned | ||||
| 
 | ||||
| - name: Generate an OpenSSL certificate signed with your own CA certificate | ||||
|   openssl_certificate: | ||||
|     path: /etc/ssl/crt/ansible.com.crt | ||||
|     csr_path: /etc/ssl/csr/ansible.com.csr | ||||
|     ownca_path: /etc/ssl/crt/ansible_CA.crt | ||||
|     ownca_privatekey_path: /etc/ssl/private/ansible_CA.pem | ||||
|     provider: ownca | ||||
| 
 | ||||
| - name: Generate a Let's Encrypt Certificate | ||||
|   openssl_certificate: | ||||
|     path: /etc/ssl/crt/ansible.com.crt | ||||
|  | @ -381,6 +433,7 @@ class Certificate(crypto_utils.OpenSSLObject): | |||
|         self.csr_path = module.params['csr_path'] | ||||
|         self.cert = None | ||||
|         self.privatekey = None | ||||
|         self.csr = None | ||||
|         self.module = module | ||||
| 
 | ||||
|     def check(self, module, perms_required=True): | ||||
|  | @ -399,6 +452,24 @@ class Certificate(crypto_utils.OpenSSLObject): | |||
|                 except OpenSSL.SSL.Error: | ||||
|                     return False | ||||
| 
 | ||||
|         def _validate_csr(): | ||||
|             try: | ||||
|                 self.csr.verify(self.cert.get_pubkey()) | ||||
|             except OpenSSL.crypto.Error: | ||||
|                 return False | ||||
|             if self.csr.get_subject() != self.cert.get_subject(): | ||||
|                 return False | ||||
|             csr_extensions = self.csr.get_extensions() | ||||
|             cert_extension_count = self.cert.get_extension_count() | ||||
|             if len(csr_extensions) != cert_extension_count: | ||||
|                 return False | ||||
|             for extension_number in range(0, cert_extension_count): | ||||
|                 cert_extension = self.cert.get_extension(extension_number) | ||||
|                 csr_extension = filter(lambda extension: extension.get_short_name() == cert_extension.get_short_name(), csr_extensions) | ||||
|                 if cert_extension.get_data() != list(csr_extension)[0].get_data(): | ||||
|                     return False | ||||
|             return True | ||||
| 
 | ||||
|         if not state_and_perms: | ||||
|             return False | ||||
| 
 | ||||
|  | @ -411,6 +482,11 @@ class Certificate(crypto_utils.OpenSSLObject): | |||
|             ) | ||||
|             return _validate_privatekey() | ||||
| 
 | ||||
|         if self.csr_path: | ||||
|             self.csr = crypto_utils.load_certificate_request(self.csr_path) | ||||
|             if not _validate_csr(): | ||||
|                 return False | ||||
| 
 | ||||
|         return True | ||||
| 
 | ||||
| 
 | ||||
|  | @ -502,6 +578,105 @@ class SelfSignedCertificate(Certificate): | |||
|         return result | ||||
| 
 | ||||
| 
 | ||||
| class OwnCACertificate(Certificate): | ||||
|     """Generate the own CA certificate.""" | ||||
| 
 | ||||
|     def __init__(self, module): | ||||
|         super(OwnCACertificate, self).__init__(module) | ||||
|         self.notBefore = module.params['ownca_not_before'] | ||||
|         self.notAfter = module.params['ownca_not_after'] | ||||
|         self.digest = module.params['ownca_digest'] | ||||
|         self.version = module.params['ownca_version'] | ||||
|         self.serial_number = randint(1000, 99999) | ||||
|         self.ca_cert_path = module.params['ownca_path'] | ||||
|         self.ca_privatekey_path = module.params['ownca_privatekey_path'] | ||||
|         self.ca_privatekey_passphrase = module.params['ownca_privatekey_passphrase'] | ||||
|         self.csr = crypto_utils.load_certificate_request(self.csr_path) | ||||
|         self.ca_cert = crypto_utils.load_certificate(self.ca_cert_path) | ||||
|         self.ca_privatekey = crypto_utils.load_privatekey( | ||||
|             self.ca_privatekey_path, self.ca_privatekey_passphrase | ||||
|         ) | ||||
| 
 | ||||
|     def generate(self, module): | ||||
| 
 | ||||
|         if not os.path.exists(self.ca_cert_path): | ||||
|             raise CertificateError( | ||||
|                 'The CA certificate %s does not exist' % self.ca_cert_path | ||||
|             ) | ||||
| 
 | ||||
|         if not os.path.exists(self.ca_privatekey_path): | ||||
|             raise CertificateError( | ||||
|                 'The CA private key %s does not exist' % self.ca_privatekey_path | ||||
|             ) | ||||
| 
 | ||||
|         if not os.path.exists(self.csr_path): | ||||
|             raise CertificateError( | ||||
|                 'The certificate signing request file %s does not exist' % self.csr_path | ||||
|             ) | ||||
| 
 | ||||
|         if not self.check(module, perms_required=False) or self.force: | ||||
|             cert = crypto.X509() | ||||
|             cert.set_serial_number(self.serial_number) | ||||
|             if self.notBefore: | ||||
|                 cert.set_notBefore(self.notBefore.encode()) | ||||
|             else: | ||||
|                 cert.gmtime_adj_notBefore(0) | ||||
|             if self.notAfter: | ||||
|                 cert.set_notAfter(self.notAfter.encode()) | ||||
|             else: | ||||
|                 # If no NotAfter specified, expire in | ||||
|                 # 10 years. 315360000 is 10 years in seconds. | ||||
|                 cert.gmtime_adj_notAfter(315360000) | ||||
|             cert.set_subject(self.csr.get_subject()) | ||||
|             cert.set_issuer(self.ca_cert.get_subject()) | ||||
|             cert.set_version(self.version - 1) | ||||
|             cert.set_pubkey(self.csr.get_pubkey()) | ||||
|             cert.add_extensions(self.csr.get_extensions()) | ||||
| 
 | ||||
|             cert.sign(self.ca_privatekey, self.digest) | ||||
|             self.cert = cert | ||||
| 
 | ||||
|             try: | ||||
|                 with open(self.path, 'wb') as cert_file: | ||||
|                     cert_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert)) | ||||
|             except EnvironmentError as exc: | ||||
|                 raise CertificateError(exc) | ||||
| 
 | ||||
|             self.changed = True | ||||
| 
 | ||||
|         file_args = module.load_file_common_arguments(module.params) | ||||
|         if module.set_fs_attributes_if_different(file_args, False): | ||||
|             self.changed = True | ||||
| 
 | ||||
|     def dump(self, check_mode=False): | ||||
| 
 | ||||
|         result = { | ||||
|             'changed': self.changed, | ||||
|             'filename': self.path, | ||||
|             'privatekey': self.privatekey_path, | ||||
|             'csr': self.csr_path, | ||||
|             'ca_cert': self.ca_cert_path, | ||||
|             'ca_privatekey': self.ca_privatekey_path | ||||
|         } | ||||
| 
 | ||||
|         if check_mode: | ||||
|             now = datetime.datetime.utcnow() | ||||
|             ten = now.replace(now.year + 10) | ||||
|             result.update({ | ||||
|                 'notBefore': self.notBefore if self.notBefore else now.strftime("%Y%m%d%H%M%SZ"), | ||||
|                 'notAfter': self.notAfter if self.notAfter else ten.strftime("%Y%m%d%H%M%SZ"), | ||||
|                 'serial_number': self.serial_number, | ||||
|             }) | ||||
|         else: | ||||
|             result.update({ | ||||
|                 'notBefore': self.cert.get_notBefore(), | ||||
|                 'notAfter': self.cert.get_notAfter(), | ||||
|                 'serial_number': self.cert.get_serial_number(), | ||||
|             }) | ||||
| 
 | ||||
|         return result | ||||
| 
 | ||||
| 
 | ||||
| class AssertOnlyCertificate(Certificate): | ||||
|     """validate the supplied certificate.""" | ||||
| 
 | ||||
|  | @ -805,7 +980,7 @@ def main(): | |||
|         argument_spec=dict( | ||||
|             state=dict(type='str', choices=['present', 'absent'], default='present'), | ||||
|             path=dict(type='path', required=True), | ||||
|             provider=dict(type='str', choices=['selfsigned', 'assertonly', 'acme']), | ||||
|             provider=dict(type='str', choices=['selfsigned', 'ownca', 'assertonly', 'acme']), | ||||
|             force=dict(type='bool', default=False,), | ||||
|             csr_path=dict(type='path'), | ||||
| 
 | ||||
|  | @ -837,6 +1012,15 @@ def main(): | |||
|             selfsigned_notBefore=dict(type='str', aliases=['selfsigned_not_before']), | ||||
|             selfsigned_notAfter=dict(type='str', aliases=['selfsigned_not_after']), | ||||
| 
 | ||||
|             # provider: ownca | ||||
|             ownca_path=dict(type='path'), | ||||
|             ownca_privatekey_path=dict(type='path'), | ||||
|             ownca_privatekey_passphrase=dict(type='path', no_log=True), | ||||
|             ownca_digest=dict(type='str', default='sha256'), | ||||
|             ownca_version=dict(type='int', default='3'), | ||||
|             ownca_not_before=dict(type='str'), | ||||
|             ownca_not_after=dict(type='str'), | ||||
| 
 | ||||
|             # provider: acme | ||||
|             acme_accountkey_path=dict(type='path'), | ||||
|             acme_challenge_path=dict(type='path'), | ||||
|  | @ -848,7 +1032,7 @@ def main(): | |||
| 
 | ||||
|     if not pyopenssl_found: | ||||
|         module.fail_json(msg='The python pyOpenSSL library is required') | ||||
|     if module.params['provider'] in ['selfsigned', 'assertonly']: | ||||
|     if module.params['provider'] in ['selfsigned', 'ownca', 'assertonly']: | ||||
|         try: | ||||
|             getattr(crypto.X509Req, 'get_extensions') | ||||
|         except AttributeError: | ||||
|  | @ -867,6 +1051,8 @@ def main(): | |||
|         certificate = SelfSignedCertificate(module) | ||||
|     elif provider == 'acme': | ||||
|         certificate = AcmeCertificate(module) | ||||
|     elif provider == 'ownca': | ||||
|         certificate = OwnCACertificate(module) | ||||
|     else: | ||||
|         certificate = AssertOnlyCertificate(module) | ||||
| 
 | ||||
|  |  | |||
|  | @ -1,120 +1,7 @@ | |||
| - block: | ||||
|     - name: Generate privatekey | ||||
|       openssl_privatekey: | ||||
|         path: '{{ output_dir }}/privatekey.pem' | ||||
| 
 | ||||
|     - name: Generate CSR | ||||
|       openssl_csr: | ||||
|         path: '{{ output_dir }}/csr.csr' | ||||
|         privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|         subject: | ||||
|           commonName: www.example.com | ||||
|     - import_tasks: selfsigned.yml | ||||
| 
 | ||||
|     - name: Generate selfsigned certificate | ||||
|       openssl_certificate: | ||||
|         path: '{{ output_dir }}/cert.pem' | ||||
|         csr_path: '{{ output_dir }}/csr.csr' | ||||
|         privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|         provider: selfsigned | ||||
|         selfsigned_digest: sha256 | ||||
|       register: selfsigned_certificate | ||||
| 
 | ||||
|     - name: Generate selfsigned certificate | ||||
|       openssl_certificate: | ||||
|         path: '{{ output_dir }}/cert.pem' | ||||
|         csr_path: '{{ output_dir }}/csr.csr' | ||||
|         privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|         provider: selfsigned | ||||
|         selfsigned_digest: sha256 | ||||
|       register: selfsigned_certificate_idempotence | ||||
| 
 | ||||
|     - name: Generate selfsigned certificate (check mode) | ||||
|       openssl_certificate: | ||||
|         path: '{{ output_dir }}/cert.pem' | ||||
|         csr_path: '{{ output_dir }}/csr.csr' | ||||
|         privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|         provider: selfsigned | ||||
|         selfsigned_digest: sha256 | ||||
|       check_mode: yes | ||||
| 
 | ||||
|     - name: Check selfsigned certificate | ||||
|       openssl_certificate: | ||||
|         path: '{{ output_dir }}/cert.pem' | ||||
|         privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|         provider: assertonly | ||||
|         has_expired: False | ||||
|         version: 3 | ||||
|         signature_algorithms: | ||||
|           - sha256WithRSAEncryption | ||||
|           - sha256WithECDSAEncryption | ||||
|         subject: | ||||
|           commonName: www.example.com | ||||
| 
 | ||||
|     - name: Generate selfsigned v2 certificate | ||||
|       openssl_certificate: | ||||
|         path: '{{ output_dir }}/cert_v2.pem' | ||||
|         csr_path: '{{ output_dir }}/csr.csr' | ||||
|         privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|         provider: selfsigned | ||||
|         selfsigned_digest: sha256 | ||||
|         selfsigned_version: 2 | ||||
| 
 | ||||
|     - name: Generate privatekey2 | ||||
|       openssl_privatekey: | ||||
|         path: '{{ output_dir }}/privatekey2.pem' | ||||
| 
 | ||||
|     - name: Generate CSR2 | ||||
|       openssl_csr: | ||||
|         subject: | ||||
|           CN: www.example.com | ||||
|           C: US | ||||
|           ST: California | ||||
|           L: Los Angeles | ||||
|           O: ACME Inc. | ||||
|           OU: | ||||
|             - Roadrunner pest control | ||||
|             - Pyrotechnics | ||||
|         path: '{{ output_dir }}/csr2.csr' | ||||
|         privatekey_path: '{{ output_dir }}/privatekey2.pem' | ||||
|         keyUsage: | ||||
|           - digitalSignature | ||||
|         extendedKeyUsage: | ||||
|           - ipsecUser | ||||
|           - biometricInfo | ||||
| 
 | ||||
|     - name: Generate selfsigned certificate2 | ||||
|       openssl_certificate: | ||||
|         path: '{{ output_dir }}/cert2.pem' | ||||
|         csr_path: '{{ output_dir }}/csr2.csr' | ||||
|         privatekey_path: '{{ output_dir }}/privatekey2.pem' | ||||
|         provider: selfsigned | ||||
|         selfsigned_digest: sha256 | ||||
| 
 | ||||
|     - name: Check selfsigned certificate2 | ||||
|       openssl_certificate: | ||||
|         path: '{{ output_dir }}/cert2.pem' | ||||
|         privatekey_path: '{{ output_dir }}/privatekey2.pem' | ||||
|         provider: assertonly | ||||
|         has_expired: False | ||||
|         version: 3 | ||||
|         signature_algorithms: | ||||
|           - sha256WithRSAEncryption | ||||
|           - sha256WithECDSAEncryption | ||||
|         subject: | ||||
|           commonName: www.example.com | ||||
|           C: US | ||||
|           ST: California | ||||
|           L: Los Angeles | ||||
|           O: ACME Inc. | ||||
|           OU: | ||||
|             - Roadrunner pest control | ||||
|             - Pyrotechnics | ||||
|         keyUsage: | ||||
|           - digitalSignature | ||||
|         extendedKeyUsage: | ||||
|           - ipsecUser | ||||
|           - biometricInfo | ||||
| 
 | ||||
|     - import_tasks: ../tests/validate.yml | ||||
|     - import_tasks: ownca.yml | ||||
| 
 | ||||
|   when: pyopenssl_version.stdout is version('0.15', '>=') | ||||
|  |  | |||
							
								
								
									
										116
									
								
								test/integration/targets/openssl_certificate/tasks/ownca.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										116
									
								
								test/integration/targets/openssl_certificate/tasks/ownca.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,116 @@ | |||
| - name: Generate CA privatekey | ||||
|   openssl_privatekey: | ||||
|     path: '{{ output_dir }}/ca_privatekey.pem' | ||||
| 
 | ||||
| - name: Generate CA CSR | ||||
|   openssl_csr: | ||||
|     path: '{{ output_dir }}/ca_csr.csr' | ||||
|     privatekey_path: '{{ output_dir }}/ca_privatekey.pem' | ||||
|     subject: | ||||
|       commonName: Example CA | ||||
| 
 | ||||
| - name: Generate selfsigned CA certificate | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/ca_cert.pem' | ||||
|     csr_path: '{{ output_dir }}/ca_csr.csr' | ||||
|     privatekey_path: '{{ output_dir }}/ca_privatekey.pem' | ||||
|     provider: selfsigned | ||||
|     selfsigned_digest: sha256 | ||||
| 
 | ||||
| - name: Generate ownca certificate | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/ownca_cert.pem' | ||||
|     csr_path: '{{ output_dir }}/csr.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|     ownca_path: '{{ output_dir }}/ca_cert.pem' | ||||
|     ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem' | ||||
|     provider: ownca | ||||
|     ownca_digest: sha256 | ||||
|   register: ownca_certificate | ||||
| 
 | ||||
| - name: Generate ownca certificate | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/ownca_cert.pem' | ||||
|     csr_path: '{{ output_dir }}/csr.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|     ownca_path: '{{ output_dir }}/ca_cert.pem' | ||||
|     ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem' | ||||
|     provider: ownca | ||||
|     ownca_digest: sha256 | ||||
|   register: ownca_certificate_idempotence | ||||
| 
 | ||||
| - name: Generate ownca certificate (check mode) | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/ownca_cert.pem' | ||||
|     csr_path: '{{ output_dir }}/csr.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|     ownca_path: '{{ output_dir }}/ca_cert.pem' | ||||
|     ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem' | ||||
|     provider: ownca | ||||
|     ownca_digest: sha256 | ||||
|   check_mode: yes | ||||
| 
 | ||||
| - name: Check ownca certificate | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/ownca_cert.pem' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|     provider: assertonly | ||||
|     has_expired: False | ||||
|     version: 3 | ||||
|     signature_algorithms: | ||||
|       - sha256WithRSAEncryption | ||||
|       - sha256WithECDSAEncryption | ||||
|     subject: | ||||
|       commonName: www.example.com | ||||
|     issuer: | ||||
|       commonName: Example CA | ||||
| 
 | ||||
| - name: Generate ownca v2 certificate | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/ownca_cert_v2.pem' | ||||
|     csr_path: '{{ output_dir }}/csr.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|     ownca_path: '{{ output_dir }}/ca_cert.pem' | ||||
|     ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem' | ||||
|     provider: ownca | ||||
|     ownca_digest: sha256 | ||||
|     ownca_version: 2 | ||||
| 
 | ||||
| - name: Generate ownca certificate2 | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/ownca_cert2.pem' | ||||
|     csr_path: '{{ output_dir }}/csr2.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey2.pem' | ||||
|     ownca_path: '{{ output_dir }}/ca_cert.pem' | ||||
|     ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem' | ||||
|     provider: ownca | ||||
|     ownca_digest: sha256 | ||||
| 
 | ||||
| - name: Check ownca certificate2 | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/ownca_cert2.pem' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey2.pem' | ||||
|     provider: assertonly | ||||
|     has_expired: False | ||||
|     version: 3 | ||||
|     signature_algorithms: | ||||
|       - sha256WithRSAEncryption | ||||
|       - sha256WithECDSAEncryption | ||||
|     subject: | ||||
|       commonName: www.example.com | ||||
|       C: US | ||||
|       ST: California | ||||
|       L: Los Angeles | ||||
|       O: ACME Inc. | ||||
|       OU: | ||||
|         - Roadrunner pest control | ||||
|         - Pyrotechnics | ||||
|     keyUsage: | ||||
|       - digitalSignature | ||||
|     extendedKeyUsage: | ||||
|       - ipsecUser | ||||
|       - biometricInfo | ||||
|     issuer: | ||||
|       commonName: Example CA | ||||
| 
 | ||||
| - import_tasks: ../tests/validate_ownca.yml | ||||
|  | @ -0,0 +1,117 @@ | |||
| - name: Generate privatekey | ||||
|   openssl_privatekey: | ||||
|     path: '{{ output_dir }}/privatekey.pem' | ||||
| 
 | ||||
| - name: Generate CSR | ||||
|   openssl_csr: | ||||
|     path: '{{ output_dir }}/csr.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|     subject: | ||||
|       commonName: www.example.com | ||||
| 
 | ||||
| - name: Generate selfsigned certificate | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/cert.pem' | ||||
|     csr_path: '{{ output_dir }}/csr.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|     provider: selfsigned | ||||
|     selfsigned_digest: sha256 | ||||
|   register: selfsigned_certificate | ||||
| 
 | ||||
| - name: Generate selfsigned certificate | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/cert.pem' | ||||
|     csr_path: '{{ output_dir }}/csr.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|     provider: selfsigned | ||||
|     selfsigned_digest: sha256 | ||||
|   register: selfsigned_certificate_idempotence | ||||
| 
 | ||||
| - name: Generate selfsigned certificate (check mode) | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/cert.pem' | ||||
|     csr_path: '{{ output_dir }}/csr.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|     provider: selfsigned | ||||
|     selfsigned_digest: sha256 | ||||
|   check_mode: yes | ||||
| 
 | ||||
| - name: Check selfsigned certificate | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/cert.pem' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|     provider: assertonly | ||||
|     has_expired: False | ||||
|     version: 3 | ||||
|     signature_algorithms: | ||||
|       - sha256WithRSAEncryption | ||||
|       - sha256WithECDSAEncryption | ||||
|     subject: | ||||
|       commonName: www.example.com | ||||
| 
 | ||||
| - name: Generate selfsigned v2 certificate | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/cert_v2.pem' | ||||
|     csr_path: '{{ output_dir }}/csr.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey.pem' | ||||
|     provider: selfsigned | ||||
|     selfsigned_digest: sha256 | ||||
|     selfsigned_version: 2 | ||||
| 
 | ||||
| - name: Generate privatekey2 | ||||
|   openssl_privatekey: | ||||
|     path: '{{ output_dir }}/privatekey2.pem' | ||||
| 
 | ||||
| - name: Generate CSR2 | ||||
|   openssl_csr: | ||||
|     subject: | ||||
|       CN: www.example.com | ||||
|       C: US | ||||
|       ST: California | ||||
|       L: Los Angeles | ||||
|       O: ACME Inc. | ||||
|       OU: | ||||
|         - Roadrunner pest control | ||||
|         - Pyrotechnics | ||||
|     path: '{{ output_dir }}/csr2.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey2.pem' | ||||
|     keyUsage: | ||||
|       - digitalSignature | ||||
|     extendedKeyUsage: | ||||
|       - ipsecUser | ||||
|       - biometricInfo | ||||
| 
 | ||||
| - name: Generate selfsigned certificate2 | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/cert2.pem' | ||||
|     csr_path: '{{ output_dir }}/csr2.csr' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey2.pem' | ||||
|     provider: selfsigned | ||||
|     selfsigned_digest: sha256 | ||||
| 
 | ||||
| - name: Check selfsigned certificate2 | ||||
|   openssl_certificate: | ||||
|     path: '{{ output_dir }}/cert2.pem' | ||||
|     privatekey_path: '{{ output_dir }}/privatekey2.pem' | ||||
|     provider: assertonly | ||||
|     has_expired: False | ||||
|     version: 3 | ||||
|     signature_algorithms: | ||||
|       - sha256WithRSAEncryption | ||||
|       - sha256WithECDSAEncryption | ||||
|     subject: | ||||
|       commonName: www.example.com | ||||
|       C: US | ||||
|       ST: California | ||||
|       L: Los Angeles | ||||
|       O: ACME Inc. | ||||
|       OU: | ||||
|         - Roadrunner pest control | ||||
|         - Pyrotechnics | ||||
|     keyUsage: | ||||
|       - digitalSignature | ||||
|     extendedKeyUsage: | ||||
|       - ipsecUser | ||||
|       - biometricInfo | ||||
| 
 | ||||
| - import_tasks: ../tests/validate_selfsigned.yml | ||||
|  | @ -0,0 +1,48 @@ | |||
| - name: Validate ownca certificate (test - verify CA) | ||||
|   shell: 'openssl verify -CAfile {{ output_dir }}/ca_cert.pem {{ output_dir }}/ownca_cert.pem | sed "s/.*: \(.*\)/\1/g"' | ||||
|   register: ownca_verify_ca | ||||
| 
 | ||||
| - name: Validate ownca certificate (test - ownca certificate modulus) | ||||
|   shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/ownca_cert.pem' | ||||
|   register: ownca_cert_modulus | ||||
| 
 | ||||
| - name: Validate ownca certificate (test - ownca issuer value) | ||||
|   shell: 'openssl x509 -noout  -in {{ output_dir}}/ownca_cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"' | ||||
|   register: ownca_cert_issuer | ||||
| 
 | ||||
| - name: Validate ownca certificate (test - ownca certficate version == default == 3) | ||||
|   shell: 'openssl x509 -noout  -in {{ output_dir}}/ownca_cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"' | ||||
|   register: ownca_cert_version | ||||
| 
 | ||||
| - name: Validate ownca certificate (assert) | ||||
|   assert: | ||||
|     that: | ||||
|       - ownca_verify_ca.stdout == 'OK' | ||||
|       - ownca_cert_modulus.stdout == privatekey_modulus.stdout | ||||
|       - ownca_cert_version.stdout == '3' | ||||
|       - ownca_cert_issuer.stdout == 'CN=Example CA' | ||||
| 
 | ||||
| - name: Validate ownca certificate idempotence | ||||
|   assert: | ||||
|     that: | ||||
|       - ownca_certificate.serial_number == ownca_certificate_idempotence.serial_number | ||||
|       - ownca_certificate.notBefore == ownca_certificate_idempotence.notBefore | ||||
|       - ownca_certificate.notAfter == ownca_certificate_idempotence.notAfter | ||||
| 
 | ||||
| - name: Validate ownca certificate v2 (test - ownca certificate version == 2) | ||||
|   shell: 'openssl x509 -noout  -in {{ output_dir}}/ownca_cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"' | ||||
|   register: ownca_cert_v2_version | ||||
| 
 | ||||
| - name: Validate ownca certificate version 2 (assert) | ||||
|   assert: | ||||
|     that: | ||||
|       - ownca_cert_v2_version.stdout == '2' | ||||
| 
 | ||||
| - name: Validate ownca certificate2 (test - ownca certificate modulus) | ||||
|   shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/ownca_cert2.pem' | ||||
|   register: ownca_cert2_modulus | ||||
| 
 | ||||
| - name: Validate ownca certificate2 (assert) | ||||
|   assert: | ||||
|     that: | ||||
|       - ownca_cert2_modulus.stdout == privatekey2_modulus.stdout | ||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue