gametize.install-root-cert
Ansible Role: Install Root CA Certificate
This Ansible role installs a Root CA Certificate on target machines. You need admin access to use it.
Why do I need this?
- I create a device certificate (like www.example.com). My web server uses it for secure connections (SSL).
- Other computers trying to connect to my web server won't trust it because the certificate is self-signed. This is a problem.
What does this Ansible role do?
- I make a private key for my organization and a self-signed CA certificate.
- This Ansible role lets me install my CA certificate on client machines.
- I create a device certificate (like www.example.com) that is signed by my CA certificate, and use it for my web server.
- Now when client machines access my web server, the SSL certificate is trusted! Great!
- If the private key is misused, serious issues could occur (like spoofing google.com). So keep the organization's private key safe!
Supported Platforms
You can use this playbook on these platforms:
- CentOS 6, 7
- Ubuntu 14.04, 16.04
- Mac OS 10.12 (results are inconsistent and it is not extensively tested)
Requirements
You need the Root CA certificate to use this role.
Variables
install_root_cert_pem: The complete path of the Root CA certificate (.pem) on your local machine.
How to Use
Example playbook:
---
- hosts: all
  become: yes
  vars:
    install_root_cert_pem: files/root_ca.pem
  roles:
    - gametize.install-root-cert
Testing
Travis tests are set up as described in this article by geerlingguy.
Gitlab CI tests are set up in a similar way, and you can run them with gitlab-runner. Here’s how to run it locally:
gitlab-ci-multi-runner exec shell test_centos7
Test Artifacts
You can create keys and certificates using the commands below. DO NOT use these for real production!
$ ### Create key and certificate for root CA
$ openssl genrsa -out root_ca.key 1024
$ openssl req -x509 \
    -subj '/C=SG/ST=Singapore/L=Singapore/O=Example Inc/OU=Example Inc Certificate Authority/CN=example.com' \
    -new -nodes -key root_ca.key -sha256 -days 1024 \
    -out root_ca.pem
$ ### Create key and certificate signing request for device
$ openssl genrsa -out localhost.key 1024 # generate key for device `localhost.key`
$ openssl req -new \
    -subj '/C=SG/ST=Singapore/L=Singapore/O=Example Inc/OU=Example Inc Testing Department/CN=localhost' \
    -nodes -key localhost.key -sha256 \
    -out localhost.csr # validity (-days) is set when the CA signs the request below
$ ### Sign the device certificate with Root CA certificate and key
$ ### (no subjectAltName is added here; modern browsers require one to match the host name)
$ openssl x509 -req \
    -in localhost.csr -CA root_ca.pem -CAkey root_ca.key \
    -CAcreateserial -out localhost.crt -days 1024 -sha256
$ cat localhost.crt localhost.key > localhost.pem # combined cert + key for the web server
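As an added illustration (not code from the role or this README), the trust relationship described under "What does this Ansible role do?" and built by the commands above, reproduced in Go's crypto/x509: an in-memory "Example Inc" root CA and a "localhost" device certificate signed by it, plus a check of whether a client that has (or has not) installed the CA accepts the server certificate. All names and validity periods mirror the test artifacts and are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key and signs tmpl with parentKey; a nil parent means self-signed (the root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildTestPKI mirrors the README's test artifacts in memory (constructed data, not real credentials).
func BuildTestPKI() (root, leaf *x509.Certificate) {
	root, rootKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 1024),
		Subject:      pkix.Name{Organization: []string{"Example Inc"}, CommonName: "example.com"},
		IsCA:         true, BasicConstraintsValid: true, // clients refuse an issuer that lacks CA:TRUE
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	leaf, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 1024),
		Subject:      pkix.Name{Organization: []string{"Example Inc"}, CommonName: "localhost"},
		DNSNames:     []string{"localhost"}, // SAN: clients match the host name here, not against CN
	}, root, rootKey)
	return root, leaf
}

// TrustedBy reports whether a client with the given trust store accepts leaf as the certificate
// for hostname (an empty store models a machine on which this role has not installed the CA).
func TrustedBy(leaf *x509.Certificate, store *x509.CertPool, hostname string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: hostname})
	return err == nil
}
```

With the root added to the store, `TrustedBy(leaf, store, "localhost")` is true; with an empty store, or for a host name the certificate does not cover, it is false.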
License
MIT
Author Information
LIM EnSheng (ensheng@gametize.com)
