-
Notifications
You must be signed in to change notification settings - Fork 2
/
sign-csr.yml
101 lines (85 loc) · 2.64 KB
/
sign-csr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#
# (c) Copyright 2020 Jeff Kight
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Ansible playbooks to Manage CAs, Intermediate CAs and Certificates
#
# Author: Jeff Kight <jeff@kight.net>
#
---
- hosts: localhost
connection: local
gather_facts: yes
roles:
- cert-manager
vars_prompt:
- name: cert_domain
prompt: "Enter CA domain"
private: no
confirm: no
default: "domain.tld"
when: site_id is not defined
- name: cert_csr_path
prompt: "Enter the CSR filename with path"
private: no
confirm: no
default: "server.csr"
when: cert_csr_path is not defined
- name: cert_duration
prompt: "Enter the certificate duration in days"
private: no
confirm: no
default: 825
when: cert_duration is not defined
- name: cert_server
prompt: "Server cert (true/false)"
private: no
confirm: no
default: true
when: cert_server is not defined
- name: cert_client
prompt: "Client cert (true/false)"
private: no
confirm: no
default: true
when: cert_client is not defined
tasks:
- name: Set TLS root
set_fact:
tls_dir: "{{ tls_root }}/{{ cert_domain }}"
- name: Verify CSR exists
file:
path: "{{ cert_csr_path }}"
- name: Get text from CSR
shell: >
{{ openssl_cmd }} req -text -noout -in {{ cert_csr_path }}
register: csr_text
- name: Confirm signing of CSR
pause:
prompt: |
{{ csr_text.stdout }}
Please press 'Ctrl-C' 'A' to abort
Please press Enter to continue
- name: Get subject from CSR
shell: >
{{ openssl_cmd }} req -subject -noout -in {{ cert_csr_path }}
register: csr_subject
- name: Extract CN from CSR subject
set_fact:
csr_cn: "{{ csr_subject.stdout | regex_replace('^.*CN\\=', '') | regex_replace('/.*', '') }}"
- name: Set Host root
set_fact:
host_dir: "{{ tls_dir }}/{{ store_dir }}/{{ csr_cn }}/{{ ansible_date_time.date }}"
- import_tasks: roles/cert-manager/tasks/prep_csr_sign.yml
- import_tasks: roles/cert-manager/tasks/sign_csr.yml