pogosoftware.self_signed_cert

Self-Signed Certificate
=========

This Ansible role creates self-signed certificates with CFSSL. It generates three PEM certificates with their private keys (CA, client, and server) and additionally exports two PFX bundles, one for the client and one for the server certificate.

General Variables

Certificate Directory

self_signed_cert_dir: /etc/certs/

This is the directory where the certificates will be stored.

CFSSL and CFSSL JSON Download URLs

self_signed_cert_cfssl_url: https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
self_signed_cert_cfssl_json_url: https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

These URLs select which versions of the CFSSL and CFSSLJSON tools the role downloads.

Profiles

self_signed_cert_profiles:
  - name: server
    expirity: 8760h
    usages:
      - signing
      - key encipherment
      - server auth
      - client auth

CFSSL supports multiple signing profiles, each with a unique name. The expirity value sets how long a certificate issued with that profile is valid. The usages list specifies the key usages and extended key usages written into the certificate. Allowed values include:

  • Key Usages: signing, digital signature, content commitment, key encipherment, key agreement, data encipherment, cert sign, CRL sign, encipher only, decipher only.
  • Extended Key Usages: any, server auth, client auth, code signing, email protection, S/MIME, IPsec end system, IPsec tunnel, IPsec user, timestamping, OCSP signing, Microsoft SGC, Netscape SGC.

Certificate Authority

self_signed_cert_ca_certs:
  - name: example-ca
    cn: example.com
    key_algo: rsa
    key_size: 2048
    country: EU
    location: Internet
    organisation: Example
    organisation_unit: IT
    state: internet
    trust_ca_cert: false

The key_algo for the certificate authority can be either ECDSA256 or RSA. When trust_ca_cert is true, the CA certificate is added to the host's trusted root certificate store.

Certificates

self_signed_cert_certs:
  - name: server
    profile: server
    ca_name: example-ca
    export_to_pfx: true
    cn: example.com
    hosts:
      - example.com
      - www.example.com
    key_algo: rsa
    key_size: 2048
    country: EU
    location: Internet
    organisation: Example
    organisation_unit: IT
    state: internet
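As an added illustration, not the role's own code or templates, the following Python maps the variables above onto the two JSON documents CFSSL consumes: the signing config (profiles) passed with -config, and the CSR request piped into `cfssl gencert`. The CFSSL field names are CFSSL's own; that the role templates its variables this way is an assumption, and the sample values are constructed from the defaults documented above.

```python
import json

# Constructed sample values, copied from the role's documented defaults.
PROFILES = [{"name": "server", "expirity": "8760h",
             "usages": ["signing", "key encipherment", "server auth", "client auth"]}]
CERTS = [{"name": "server", "profile": "server", "ca_name": "example-ca",
          "cn": "example.com", "hosts": ["example.com", "www.example.com"],
          "key_algo": "rsa", "key_size": 2048, "country": "EU", "location": "Internet",
          "organisation": "Example", "organisation_unit": "IT", "state": "internet"}]


def signing_config(profiles):
    """Build CFSSL's signing config: the file given to `cfssl gencert -config`."""
    return {"signing": {
        "default": {"expiry": "8760h"},
        "profiles": {p["name"]: {"expiry": p["expirity"], "usages": list(p["usages"])}
                     for p in profiles}}}


def csr_request(cert):
    """Build the CSR JSON that `cfssl gencert` (or `cfssl genkey -initca`) reads."""
    req = {"CN": cert["cn"],
           "key": {"algo": cert["key_algo"], "size": cert["key_size"]},
           "names": [{"C": cert["country"], "L": cert["location"],
                      "O": cert["organisation"], "OU": cert["organisation_unit"],
                      "ST": cert["state"]}]}
    if cert.get("hosts"):          # CA entries have no hosts; leaf certs need SANs
        req["hosts"] = list(cert["hosts"])
    return req


def validate(certs, profiles):
    """Catch mistakes that otherwise surface only later as an unusable certificate."""
    by_name = {p["name"]: p for p in profiles}
    errors = []
    for c in certs:
        prof = by_name.get(c["profile"])
        if prof is None:
            errors.append(f"{c['name']}: unknown profile {c['profile']!r}")
            continue
        if "server auth" in prof["usages"] and not c.get("hosts"):
            errors.append(f"{c['name']}: server auth profile but no hosts (SANs)")
        if c["key_algo"] == "rsa" and c["key_size"] < 2048:
            errors.append(f"{c['name']}: RSA key below 2048 bits")
    return errors


if __name__ == "__main__":
    # cfssl gencert -ca ca.pem -ca-key ca-key.pem -config config.json \
    #   -profile server server.json | cfssljson -bare server
    print(json.dumps(signing_config(PROFILES), indent=2))
    print(json.dumps(csr_request(CERTS[0]), indent=2))
    print(validate(CERTS, PROFILES) or "config ok")
```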

Example Playbook

- hosts: localhost
  become: yes
  roles:
    - self-signed-cert
  vars:
    self_signed_cert_cfssl_url: https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl_1.4.1_linux_amd64
    self_signed_cert_cfssl_json_url: https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssljson_1.4.1_linux_amd64

    self_signed_cert_dir: /etc/certs/

    self_signed_cert_profiles:
      - name: server
        expirity: 8760h
        usages:
          - signing
          - key encipherment
          - server auth
          - client auth
      - name: client
        expirity: 8760h
        usages:
          - signing
          - key encipherment
          - client auth

    self_signed_cert_ca_certs:
      - name: example-ca
        cn: example.com
        key_algo: rsa
        key_size: 2048
        country: EU
        location: Internet
        organisation: Example
        organisation_unit: IT
        state: internet
        trust_ca_cert: false

    self_signed_cert_certs:
      - name: server
        profile: server
        ca_name: example-ca
        export_to_pfx: true
        cn: example.com
        hosts:
          - example.com
          - www.example.com
        key_algo: rsa
        key_size: 2048
        country: EU
        location: Internet
        organisation: Example
        organisation_unit: IT
        state: internet
      - name: client
        profile: client
        ca_name: example-ca
        export_to_pfx: true
        cn: example.com
        hosts:
          - example.com
          - www.example.com
        key_algo: rsa
        key_size: 2048
        country: EU
        location: Internet
        organisation: Example
        organisation_unit: IT
        state: internet

About the project

This Ansible role allows generating self-signed certificates.

Install

ansible-galaxy install pogosoftware.self_signed_cert

License

MIT