netzwirt.simple-pki
ansible-simple-pki
This Ansible role sets up a simple Public Key Infrastructure (PKI) on Ubuntu/Debian: a CA, server and user certificates, plus renewal and revocation of issued certificates. It is mainly based on the PKI Tutorial (https://pki-tutorial.readthedocs.io/).
Requirements
You should have a basic understanding of OpenSSL and PKI concepts.
Role Variables
Certificate Subject (the domainComponent and organizationName attributes used in certificate subjects):
- Domain Component:
simplepki_domainComponent_tld: "com"
simplepki_domainComponent_domain: "example"
- Organization Name:
simplepki_organizationName: "Example Company Inc"
Server Certificate Requests (one entry per server certificate; altnames become subjectAltName entries):
simplepki_server_certs:
  - { fqdn: 'example.com' }
  - { fqdn: 'another.com', altnames: ['sub.another.com', 'mydomain.com'] }
User Certificate Requests (one entry per user certificate):
simplepki_user_certs:
  - { username: 'fred', fullname: 'Fred Flintstone', email: 'fred@example.com' }
  - { username: 'john', fullname: 'John Example', email: 'john@example.com' }
Revocation of Certificates (a user certificate is referenced by its username, a server certificate by its fqdn):
simplepki_revocation_list:
  - fred
  - another.com
Create Server Certificates Only
To run only the tasks that issue server certificates, limit the play to the servercert tag:
ansible-playbook playbook.yml --tags=servercert
Renew Certificates from Command Line
To renew certificates, pass the names of the certificates to renew in the extra variable simplepki_renew_certificates
as follows:
ansible-playbook playbook.yml --extra-vars '{"simplepki_renew_certificates": ["fred","john"]}'
Revoke Certificates from Command Line
Pass the names of the certificates to revoke in the extra variable simplepki_revocation_list (the same names as in the role variable above)
as follows:
ansible-playbook playbook.yml --extra-vars '{"simplepki_revocation_list": ["fred","john"]}'
Dependencies
There are no dependencies.
Example Playbook
- hosts: pki
  roles:
    - { role: netzwirt.simple-pki }
Revocation Cheat Sheet
The reason given to openssl ca -crl_reason must be one of the RFC 5280 reason codes that OpenSSL accepts:
- unspecified
- keyCompromise
- CACompromise
- affiliationChanged
- superseded
- cessationOfOperation
- certificateHold
- removeFromCRL (only meaningful in a delta CRL, to lift an earlier certificateHold)
Command to revoke a certificate:
openssl ca -config etc/signing-ca.conf -revoke certs/fred.sha256.2048.crt -crl_reason unspecified
To generate the Certificate Revocation List (CRL); a revocation only becomes visible to clients once a new CRL has been generated and published:
openssl ca -gencrl -config etc/signing-ca.conf -out crl/signing-ca.crl
To check a certificate's chain without a CRL (a revoked certificate still passes this check, because revocation status is not consulted):
openssl verify -verbose -CAfile ca/chained-ca.sha256.2048.crt certs/fred.sha256.2048.crt
To check a certificate against the CRL as well (a revoked certificate is now rejected with "certificate revoked"):
openssl verify -crl_check_all -verbose -CAfile ca/chained-ca.sha256.2048.crt \
-CRLfile crl/signing-ca.crl certs/fred.sha256.2048.crt
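The cheat sheet above, run end to end as an added example that is not part of the role: a throwaway one-level signing CA is built in a temporary directory with a hand-written openssl config, a certificate is issued for "fred" and one for "john", fred is revoked, the CRL is generated, and the two verify commands are compared. The directory layout and file names mirror the cheat sheet's paths; the config contents, the subjects and the two demo users are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the netzwirt.simple-pki role: a throwaway
# signing CA built with plain openssl(1) to walk the revocation cheat sheet.
# Paths mirror the cheat sheet (ca/, certs/, crl/, etc/signing-ca.conf); the
# config, the subjects and the users "fred"/"john" are assumptions.
set -eu
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Minimal openssl ca/req configuration; the role's generated signing-ca.conf
# replaces this in a real deployment.
write_ca_config() {
  mkdir -p "$PKI_DIR/ca" "$PKI_DIR/certs" "$PKI_DIR/crl" "$PKI_DIR/db" "$PKI_DIR/etc"
  : > "$PKI_DIR/db/index"            # CA database, one line per issued cert
  echo 01 > "$PKI_DIR/db/serial"     # next certificate serial
  echo 01 > "$PKI_DIR/db/crlnumber"  # next CRL number
  cat > "$PKI_DIR/etc/signing-ca.conf" <<EOF
[ ca ]
default_ca = signing_ca
[ signing_ca ]
dir              = $PKI_DIR
database         = \$dir/db/index
serial           = \$dir/db/serial
crlnumber        = \$dir/db/crlnumber
new_certs_dir    = \$dir/certs
certificate      = \$dir/ca/signing-ca.crt
private_key      = \$dir/ca/signing-ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = leaf_ext
[ policy_any ]
domainComponent = optional
commonName      = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no
[ req_dn ]
CN = Example Signing CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}
# Self-signed signing CA; stands in for the role's CA chain.
create_signing_ca() {
  openssl req -config "$PKI_DIR/etc/signing-ca.conf" -new -x509 -days 3650 \
    -newkey rsa:2048 -nodes -keyout "$PKI_DIR/ca/signing-ca.key" \
    -out "$PKI_DIR/ca/signing-ca.crt" \
    -subj "/DC=com/DC=example/O=Example Company Inc/CN=Example Signing CA" 2>/dev/null
}
# Key + CSR for $1, signed by the CA into certs/$1.crt.
issue_cert() {
  openssl req -config "$PKI_DIR/etc/signing-ca.conf" -new -newkey rsa:2048 -nodes \
    -keyout "$PKI_DIR/certs/$1.key" -out "$PKI_DIR/certs/$1.csr" \
    -subj "/DC=com/DC=example/CN=$1" 2>/dev/null
  openssl ca -config "$PKI_DIR/etc/signing-ca.conf" -batch -notext \
    -in "$PKI_DIR/certs/$1.csr" -out "$PKI_DIR/certs/$1.crt" 2>/dev/null
}
# Revoke $1 with reason $2. This only marks the CA database; relying parties
# see nothing until a new CRL is generated and published.
revoke_cert() {
  openssl ca -config "$PKI_DIR/etc/signing-ca.conf" \
    -revoke "$PKI_DIR/certs/$1.crt" -crl_reason "$2" 2>/dev/null
}
generate_crl() {
  openssl ca -config "$PKI_DIR/etc/signing-ca.conf" -gencrl -out "$PKI_DIR/crl/signing-ca.crl" 2>/dev/null
}
# Chain check only: a revoked certificate still passes, no CRL is consulted.
verify_cert() {
  openssl verify -CAfile "$PKI_DIR/ca/signing-ca.crt" "$PKI_DIR/certs/$1.crt" >/dev/null 2>&1
}
# Chain check plus CRL lookup for every certificate in the chain.
verify_cert_with_crl() {
  openssl verify -crl_check_all -CAfile "$PKI_DIR/ca/signing-ca.crt" \
    -CRLfile "$PKI_DIR/crl/signing-ca.crl" "$PKI_DIR/certs/$1.crt" >/dev/null 2>&1
}
# Entries in the published CRL, and the reason recorded for the first one.
count_revoked() {
  openssl crl -in "$PKI_DIR/crl/signing-ca.crl" -noout -text | grep -c 'Serial Number:' || true
}
revocation_reason() {
  openssl crl -in "$PKI_DIR/crl/signing-ca.crl" -noout -text |
    awk '/CRL Reason Code/ { sub(/.*Reason Code: */, "")
      if ($0 !~ /[A-Za-z]/) { getline; sub(/^ */, "") }
      print; exit }'
}
build_demo_pki() { write_ca_config; create_signing_ca; issue_cert fred; issue_cert john; }

build_demo_pki
echo "demo PKI left in $PKI_DIR"
revoke_cert fred keyCompromise
verify_cert fred && echo "fred: still verifies, no CRL consulted"
generate_crl
verify_cert_with_crl fred || echo "fred: rejected with CRL check ($(revocation_reason))"
verify_cert_with_crl john && echo "john: still valid with CRL check"
```

The point of the two verify calls is the gap between them: after openssl ca -revoke the CA database knows fred is revoked, but any client that validates the chain without a CRL (or with a stale one) still accepts the certificate. Publishing the freshly generated signing-ca.crl wherever clients fetch it is therefore part of every revocation, not an optional step.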
License
This project is licensed under the BSD license.
Author Information
Created by netzwirt.
Install the role from Ansible Galaxy with:
ansible-galaxy install netzwirt.simple-pki