forked from Vonng/pigsty
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcert.yml
executable file
·81 lines (71 loc) · 2.56 KB
/
cert.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#!/usr/bin/env ansible-playbook
---
#==============================================================#
# File : cert.yml
# Desc : issue certificates with local CA
# Ctime : 2022-11-19
# Mtime : 2023-02-07
# Path : cert.yml
# Author : Ruohang Feng ([email protected])
# License : AGPLv3
#==============================================================#
#---------------------------------------------------------------
# Example:
# issue postgres admin/monitor user client certificate:
# ./cert.yml -e cn=dbuser_dba
# ./cert.yml -e cn=dbuser_monitor
# cert are generated under files/pki/misc/<cn>.{key,crt} by default
#---------------------------------------------------------------
- name: Issue Cert
hosts: localhost
gather_facts: no
become: no
vars:
# CERT INFORMATION
cn: pigsty # add cn here, required [INPUT]
san: # add subject alternative names here
- DNS:localhost # dns records
- IP:127.0.0.1 # ip addresses
org: pigsty # organization name
unit: pigsty # organization unit name
expire: 7300d # 20 years
#key: files/pki/misc/misc.key # private key path [OUTPUT]
#crt: files/pki/misc/misc.crt # certificate file path [OUTPUT]
csr: files/pki/csr/tmp.csr # temporary csr file path
tasks:
# if key & crt path are not specified, generate them with cn
- name: set crt, key, csr path
when: key is not defined and crt is not defined
set_fact:
key: "files/pki/misc/{{ cn }}.key"
crt: "files/pki/misc/{{ cn }}.crt"
csr: "files/pki/csr/{{ cn }}.csr"
- name: generate key {{ key_path }}
connection: local
openssl_privatekey:
path: "{{ key }}"
mode: 0600
- name: generate csr {{ csr_path }}
connection: local
openssl_csr:
path: "{{ csr }}"
privatekey_path: "{{ key }}"
common_name: "{{ cn }}"
organization_name: "{{ org }}"
organizational_unit_name: "{{ unit }}"
subject_alt_name: "{{ san }}"
force: true
- name: signing crt {{ csr_path }}
connection: local
openssl_certificate:
path: "{{ crt }}"
csr_path: "{{ csr }}"
ownca_path: files/pki/ca/ca.crt
ownca_privatekey_path: files/pki/ca/ca.key
provider: ownca
selfsigned_not_after: "+{{ expire }}"
mode: 0600
- name: print summary
debug:
msg: "{{ key }} {{ crt }}"
...