libre_ops.ca_keys

Certificate Authority Keys

This Ansible role helps you create private Certificate Authority (CA) keys and signed certificates. These can be used to secure server and client applications, ensuring data encryption during transit and authentication between different servers.

When set up correctly, certificates from a private CA can help prevent man-in-the-middle (MITM) attacks and enable mutual authentication. For example, they can secure communications between nodes in a Kafka or Elastic Stack cluster.

Here’s how the role works:

  • Create a CA keypair (a pair of public and private keys)
  • Generate keys and Certificate Signing Requests (CSRs) for the specified nodes
  • Use the CA to sign the CSRs, creating signed certificates (CRTs)
  • Optionally package these keys into Java keystore or truststore files

Defaults

You can find all the default settings here and change them if needed.

Usage

To use this role, it's best to run it in a local playbook (see example below) and then store the generated keys in a secure location. Make sure to keep your keys safe and do not leave them exposed. This code is provided as-is, so it's your job to manage and store the keys responsibly!

You can also create new keys and CRTs from an existing CA certificate if you have one.

Once created, transfer the necessary files to your project. You may want to use Ansible Vault to encrypt these files (including the binary .jks keystore and truststore files). Ansible can decrypt them during upload if you provide the vault password.

Checking the Keys

You should verify the generated CA certificate, private keys and signed certificates with openssl before using them. Here are some examples:

openssl x509 -in generated_keys/ca.crt -text -noout
openssl rsa -in generated_keys/<key-name>.key -check
openssl x509 -in generated_keys/<key-name>.crt -text -noout

Python Limitation

Due to a bug in Ansible (now fixed in the devel branch), you need to use Python 2.7 when running tasks that create Java keystores. More details are available in this issue.

Example Playbook

- name: Generate Keys
  hosts: 127.0.0.1
  connection: local

  vars:
    ansible_python_interpreter: '/usr/bin/python2.7'

  roles:
    - role: libre_ops.ca_keys
      vars:
        cert_organisation: Example Inc.
        cert_unit: Keys Department
        cert_country: FR
        cert_state: Paris
        cert_location: Paris

        create_keys:
          - filename: server
            subject:
              - "/CN=app.client.org"
              - "/O={{ cert_organisation }}"
              - "/OU={{ cert_unit }}"
              - "/C={{ cert_country }}"
              - "/ST={{ cert_state }}"
              - "/L={{ cert_location }}"

          - filename: client
            subject:
              - "/CN=app.server.org"
              - "/O={{ cert_organisation }}"
              - "/OU={{ cert_unit }}"
              - "/C={{ cert_country }}"
              - "/ST={{ cert_state }}"
              - "/L={{ cert_location }}"

About the project

Generate private CA keys and signed certificates

Install
ansible-galaxy install libre_ops.ca_keys
License
gpl-3.0
Downloads
142
Owner
Ansible roles for sysadmin proles.