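---
# Tasks required by 00-initial-config.adoc.
#
# Builds a small OpenSSL-based CA under the user's home directory on
# workstation and installs the CA certificate into the system trust store.
# Re-running the play is intended to be safe: existing CA state (index.txt,
# serial, key, cert) is left untouched rather than reset.
- name: Create a CA on workstation.
  hosts: workstation.lab.example.com
  become: false
  gather_subset: min
  vars:
    # Root of the CA tree. Also substituted into openssl.cnf so the config
    # points at the same files the tasks below create.
    ca_dir: "{{ ansible_facts['user_dir'] }}/ca"
    # Passphrase protecting the CA private key. Keep this out of plaintext
    # in version control: move it into an Ansible Vault file or supply it
    # with --extra-vars.
    ca_key_passphrase: verysecret
  tasks:
    - name: Create directories.
      ansible.builtin.file:
        path: "{{ ca_dir }}/lab-ca/newcerts"
        state: directory
        recurse: true
        mode: "0700"

    # force: false only writes the file when it does not exist yet. The
    # index is CA state; overwriting it on a re-run would erase the record
    # of every certificate already issued.
    - name: Create cert index.
      ansible.builtin.copy:
        dest: "{{ ca_dir }}/lab-ca/index.txt"
        mode: "0600"
        content: ""
        force: false

    # Same reason: resetting the serial file would make the CA reuse serial
    # numbers it has already handed out.
    - name: Create cert serial tracker.
      ansible.builtin.copy:
        dest: "{{ ca_dir }}/lab-ca/serial"
        mode: "0600"
        content: "0000"
        force: false

    - name: Ensure openssl.cnf is there and correct.
      ansible.builtin.copy:
        dest: "{{ ca_dir }}/openssl.cnf"
        mode: "0600"
        content: |
          [ ca ]
          default_ca = CA_default

          [ CA_default ]
          dir = {{ ca_dir }}/lab-ca
          serial = $dir/serial
          database = $dir/index.txt
          new_certs_dir = $dir/newcerts
          certificate = {{ ca_dir }}/ca-cert.pem
          private_key = {{ ca_dir }}/ca-key.pem
          default_days = 365
          default_crl_days = 30
          default_md = sha256
          policy = policy_any
          email_in_dn = no
          name_opt = ca_default
          cert_opt = ca_default
          # copy_extensions = copy takes the extensions from the CSR as-is;
          # sign only CSRs generated by the classroom tooling.
          copy_extensions = copy

          [ policy_any ]
          countryName = supplied
          stateOrProvinceName = optional
          organizationName = optional
          organizationalUnitName = optional
          commonName = supplied
          emailAddress = optional

    - name: Check if CA key exists to save time
      ansible.builtin.stat:
        path: "{{ ca_dir }}/ca-key.pem"
        get_attributes: false
        get_checksum: false
        get_mime: false
      register: cakey_file

    - name: Check if CA cert exists to save time
      ansible.builtin.stat:
        path: "{{ ca_dir }}/ca-cert.pem"
        get_attributes: false
        get_checksum: false
        get_mime: false
      register: cacert_file

    - name: Create a new CA private key, if it does not exist yet.
      community.crypto.openssl_privatekey:
        path: "{{ ca_dir }}/ca-key.pem"
        passphrase: "{{ ca_key_passphrase }}"
        type: RSA
        cipher: auto
        size: 8192
        mode: "0600"
      when: not cakey_file.stat.exists

    # The CSR is only needed as input for the self-signed cert below and is
    # removed again once the cert exists.
    - name: Generate a CSR for the CA cert.
      community.crypto.openssl_csr:
        path: "{{ ca_dir }}/ca-csr.pem"
        privatekey_path: "{{ ca_dir }}/ca-key.pem"
        privatekey_passphrase: "{{ ca_key_passphrase }}"
        basic_constraints:
          - "CA:TRUE"
        basic_constraints_critical: true
        subject:
          C: US
          ST: North Carolina
          L: Raleigh
          O: Red Hat
          OU: RHT
          CN: Classroom Root CA
        mode: "0600"
      when: not cacert_file.stat.exists

    - name: Create a self-signed cert for the CA.
      community.crypto.x509_certificate:
        path: "{{ ca_dir }}/ca-cert.pem"
        csr_path: "{{ ca_dir }}/ca-csr.pem"
        privatekey_path: "{{ ca_dir }}/ca-key.pem"
        privatekey_passphrase: "{{ ca_key_passphrase }}"
        provider: selfsigned
        selfsigned_not_after: +510w
        mode: "0600"
      when: not cacert_file.stat.exists

    - name: Get rid of the CSR.
      ansible.builtin.file:
        path: "{{ ca_dir }}/ca-csr.pem"
        state: absent

    # Installing into the system anchors directory needs root; the rest of
    # the play deliberately runs as the unprivileged user.
    - name: Copy CA cert to ca-trust dir.
      become: true
      ansible.builtin.copy:
        src: "{{ ca_dir }}/ca-cert.pem"
        dest: "/etc/pki/ca-trust/source/anchors/lab-ca.pem"
        mode: "0644"
      register: copied

    # Only rebuild the trust bundle when the anchor actually changed.
    - name: Have workstation trust the CA.
      become: true
      ansible.builtin.command: update-ca-trust
      when: copied is changed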