Jooho.generate-self-signed-cert
Ansible Role: Generate Self Signed Certificate
This role helps create self-signed certificates. It can create the following combinations:
Case 1:
- ROOT CA
- Intermediate CA
- Server Certificate (with or without Subject Alternative Name (SAN))
Case 2:
- Root CA
- Server Certificate (with or without SAN)
Requirements
- yum
Role Variables
| Name | Default Value | Required | Description |
|---|---|---|---|
| cert_base_dir | /root/cert_base | No | Default directory where certificates will be stored |
| root_cert_bit | 4096 | No | Default size of the root certificate key |
| intermediate_cert_bit | 4096 | No | Default size of the intermediate certificate key |
| server_cert_bit | 2048 | No | Default size of the server certificate key |
| serial_number | 1000 | No | Common information for the certificate - Serial Number |
| countryName | CA | No | Common information for the certificate - Country Name |
| stateOrProvinceName | ON | No | Common information for the certificate - Province Name |
| localityName | MILTON | No | Common information for the certificate - Locality Name |
| organizationName | RED HAT | No | Common information for the certificate - Organization Name |
| organizationalUnitName | SCE | No | Common information for the certificate - Organizational Unit Name |
| emailAddress | test@test.com | No | Common information for the certificate - Email Address |
| root_commonName | Root CA | No | Root certificate information - Common Name |
| intermediate_commonName | Intermediate CA | No | Intermediate certificate information - Common Name |
| cert_commonName | lb.example.com | No | Server certificate information - Common Name |
| use_intermediate_cert | yes | No | Whether to use an intermediate certificate |
| use_san | yes | No | Whether to add SAN information with the common name |
| san_dns | | No | List of additional DNS names for SAN (entries of the form `{ index: N, dns: name }`) |
| san_ip | | No | List of additional IP addresses for SAN (entries of the form `{ index: N, ip: address }`) |
| overwrite_server_cert | yes | No | Whether to delete existing server certificate directories based on Common Name |
| clean_all | no | No | Whether to recreate all certificates |
Dependencies
- None
Example Playbook
```yaml
- name: Example Playbook
  hosts: localhost
  gather_facts: false
  roles:
    - { role: Jooho.generate-self-signed-cert }
```
Example Variables
Wildcard Certificate (the value must be quoted, since a bare `*` starts a YAML alias):
```yaml
cert_commonName: "*.cloudapps.example.com"
```
SAN DNS List:
```yaml
san_dns:
  - { index: 1, dns: lb.example.com }
  - { index: 2, dns: master-cluster.example.com }
```
SAN IP List:
```yaml
san_ip:
  - { index: 1, ip: 192.168.200.205 }
```
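The `san_dns` / `san_ip` lists above end up as an `[alt_names]` section in an openssl config. The following is an added example, not the role's own template: it renders that section from variables in the README's shape, puts the common name first as `DNS.1` (an assumption about how the role combines the CN with the SAN when `use_san` is `yes`), drops duplicates, and rejects malformed hostnames or addresses before any certificate is issued.

```python
"""Render the openssl [alt_names] section from the role's san_dns / san_ip variables."""
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_dns(name: str) -> bool:
    """True for a FQDN such as lb.example.com, or a wildcard like *.cloudapps.example.com."""
    if name.startswith("*."):
        name = name[2:]
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def render_alt_names(common_name, san_dns=None, san_ip=None):
    """Return the [alt_names] lines openssl needs for a subjectAltName extension.

    san_dns / san_ip follow the README's shape: lists of {index, dns} and {index, ip}
    dicts, ordered by index. The common name is emitted first as DNS.1 (assumption:
    the role includes the CN in the SAN when use_san is yes). Duplicates are dropped,
    and a malformed hostname or address raises ValueError so a bad variable file fails
    here rather than producing a certificate whose SAN clients will reject.
    """
    dns_names, ip_names = [], []
    ordered_dns = [e["dns"] for e in sorted(san_dns or [], key=lambda e: e["index"])]
    for name in [common_name] + ordered_dns:
        name = name.strip().lower()
        if not is_valid_dns(name):
            raise ValueError(f"invalid DNS name for SAN: {name!r}")
        if name not in dns_names:
            dns_names.append(name)
    for entry in sorted(san_ip or [], key=lambda e: e["index"]):
        try:
            addr = str(ipaddress.ip_address(entry["ip"].strip()))
        except ValueError as exc:
            raise ValueError(f"invalid IP address for SAN: {entry['ip']!r}") from exc
        if addr not in ip_names:
            ip_names.append(addr)
    lines = ["[alt_names]"]
    lines += [f"DNS.{i} = {n}" for i, n in enumerate(dns_names, start=1)]
    lines += [f"IP.{i} = {a}" for i, a in enumerate(ip_names, start=1)]
    return lines


if __name__ == "__main__":
    # Constructed sample matching the README's example variables.
    print("\n".join(render_alt_names(
        "lb.example.com",
        san_dns=[{"index": 1, "dns": "lb.example.com"}, {"index": 2, "dns": "master-cluster.example.com"}],
        san_ip=[{"index": 1, "ip": "192.168.200.205"}],
    )))
```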
Note
The private key should be mode 400 and the certificate mode 444. This role, however, writes both with mode 777 because the files are intended to be copied elsewhere; after copying them, tighten the permissions to those values.
Useful Commands
```shell
openssl x509 -in {{ cert_base_dir }}/{{ server_cert_commonName }}/{{ server_cert_commonName }}.cert.pem -text
openssl x509 -in /root/cert_base/lb.example.com/lb.example.com.cert.pem -text
```
Reference Document
License
- BSD/MIT
Author Information
This role was created in 2017 by Jooho Lee.
