reallyenglish.x509-certificate

ansible-role-x509-certificate

This role manages X509 secret and public keys. It assumes you already have a valid secret key or a signed public key. The role does not create or manage Certificate Signing Requests (CSRs).

Requirements

No special requirements.

Role Variables

| Variable | Description | Default |
|---|---|---|
| x509_certificate_dir | The default directory for storing certificates and keys | {{ __x509_certificate_dir }} |
| x509_certificate_packages | Packages to install for managing keys, such as certificate validation tools | {{ __x509_certificate_packages }} |
| x509_certificate_default_owner | Default owner for the keys | {{ __x509_certificate_default_owner }} |
| x509_certificate_default_group | Default group for the keys | {{ __x509_certificate_default_group }} |
| x509_certificate_additional_packages | Any extra packages to install before managing certificates and keys. Be careful with this, as it might affect subsequent tasks unexpectedly. | [] |
| x509_certificate_validate_command | Name of the command used to validate certificates and keys; it must be a key in both x509_certificate_validate_command_secret and x509_certificate_validate_command_public | openssl |
| x509_certificate_validate_command_secret | Command dictionary for validating secret keys | {"openssl"=>"openssl rsa -check -in %s"} |
| x509_certificate_validate_command_public | Command dictionary for validating public keys | {"openssl"=>"openssl x509 -noout -in %s"} |
| x509_certificate | List of keys to manage | [] |
| x509_certificate_debug_log | Set to yes to log sensitive data during the play. This includes the value of x509_certificate, secret keys included. | no |

x509_certificate_validate_command_secret

A dictionary where the key is the command name and the value is the command used to validate secret key files; %s is replaced with the file path.

x509_certificate_validate_command_public

A dictionary where the key is the command name and the value is the command used to validate public certificate files; %s is replaced with the file path.

x509_certificate

A list of dictionaries containing keys and values explained below:

| Key | Value | Required? |
|---|---|---|
| name | A descriptive name for the keys | yes |
| state | Set to present to create the key, or absent to remove it | yes |
| public | A dictionary representing a public certificate | no |
| secret | A dictionary representing a secret key | no |

public and secret in x509_certificate

Both public and secret should contain a dictionary with the following keys:

| Key | Value | Required? |
|---|---|---|
| path | The file path; if not specified, the file is created in x509_certificate_dir with the name $name.pem | no |
| owner | Owner of the file (default is x509_certificate_default_owner) | no |
| group | Group of the file (default is x509_certificate_default_group) | no |
| mode | File permissions (default is 0444 for public certificates, 0400 for secret keys) | no |
| key | Content of the key | no |
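As an added example (not part of the role), the following Python resolves one x509_certificate item against the defaults described in the two tables above and flags the mistakes a reviewer would catch before the play runs: a secret key whose mode is group- or world-accessible, key content carrying the wrong PEM label for its slot, and public and secret both falling back to the same $name.pem path when neither sets path. The Debian defaults and the PEM labels are assumptions taken from this README.

```python
import re
import stat

# Debian defaults taken from the README's "Debian" table (assumption).
ROLE_DEFAULTS = {"dir": "/etc/ssl", "owner": "root", "group": "root"}
DEFAULT_MODE = {"public": 0o444, "secret": 0o400}
# PEM label each kind of entry is expected to start with (assumption).
PEM_LABEL = {
    "public": re.compile(r"^-----BEGIN CERTIFICATE-----", re.M),
    "secret": re.compile(r"^-----BEGIN (RSA |EC )?PRIVATE KEY-----", re.M),
}

def resolve_entry(entry, defaults=ROLE_DEFAULTS):
    """Return (files, problems): the files the role would write for one
    x509_certificate item, and anything a reviewer should object to."""
    files, problems = [], []
    for required in ("name", "state"):
        if required not in entry:
            problems.append(f"missing required key: {required}")
    if entry.get("state") not in ("present", "absent"):
        problems.append(f"state must be present or absent, got {entry.get('state')!r}")
    for kind in ("public", "secret"):
        spec = entry.get(kind)
        if spec is None:
            continue
        # YAML may hand us "0644" (a string) or 0644 (an already-parsed octal int).
        raw = spec.get("mode", DEFAULT_MODE[kind])
        mode = raw if isinstance(raw, int) else int(str(raw), 8)
        resolved = {
            "kind": kind,
            # README: default path is $name.pem inside x509_certificate_dir.
            "path": spec.get("path", f"{defaults['dir']}/{entry.get('name')}.pem"),
            "owner": spec.get("owner", defaults["owner"]),
            "group": spec.get("group", defaults["group"]),
            "mode": f"{mode:04o}",
        }
        files.append(resolved)
        # A secret key readable by group or others defeats the 0400 default.
        if kind == "secret" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{resolved['path']}: secret key mode {resolved['mode']} is group/world accessible")
        key = spec.get("key")
        if key and not PEM_LABEL[kind].search(key):
            problems.append(f"{resolved['path']}: key content does not look like a {kind} PEM block")
    # Omitting path on both public and secret makes them collide on $name.pem.
    paths = [f["path"] for f in files]
    if len(set(paths)) < len(paths):
        problems.append(f"{paths[0]}: public and secret resolve to the same path")
    return files, problems
```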

Debian

| Variable | Default |
|---|---|
| __x509_certificate_dir | /etc/ssl |
| __x509_certificate_packages | ["openssl"] |
| __x509_certificate_default_owner | root |
| __x509_certificate_default_group | root |

FreeBSD

| Variable | Default |
|---|---|
| __x509_certificate_dir | /usr/local/etc/ssl |
| __x509_certificate_packages | [] |
| __x509_certificate_default_owner | root |
| __x509_certificate_default_group | wheel |

OpenBSD

| Variable | Default |
|---|---|
| __x509_certificate_dir | /etc/ssl |
| __x509_certificate_packages | [] |
| __x509_certificate_default_owner | root |
| __x509_certificate_default_group | wheel |

RedHat

| Variable | Default |
|---|---|
| __x509_certificate_dir | /etc/ssl |
| __x509_certificate_packages | ["openssl"] |
| __x509_certificate_default_owner | root |
| __x509_certificate_default_group | root |

Dependencies

None

Example Playbook

- hosts: localhost
  roles:
    - ansible-role-x509-certificate
  vars:
    # Be cautious—only set this to `yes` if you're sure.
    x509_certificate_debug_log: yes

    x509_certificate_additional_packages:
      - quagga
    x509_certificate:
      - name: foo
        state: present
        public:
          key: |
            -----BEGIN CERTIFICATE-----
            MIIDOjCCAiICCQDaGChPypIR9jANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJB
            ...
            -----END CERTIFICATE-----
      - name: bar
        state: present
        public:
          path: /usr/local/etc/ssl/bar/bar.pub
          owner: "{% if ansible_os_family == 'FreeBSD' or ansible_os_family == 'OpenBSD' %}www{% elif ansible_os_family == 'RedHat' %}ftp{% else %}www-data{% endif %}"
          group: "{% if ansible_os_family == 'FreeBSD' or ansible_os_family == 'OpenBSD' %}www{% elif ansible_os_family == 'RedHat' %}ftp{% else %}www-data{% endif %}"
          mode: "0644"
          key: |
            -----BEGIN CERTIFICATE-----
            MIIDOjCCAiICCQDaGChPypIR9jANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJB
            ...
            -----END CERTIFICATE-----
        secret:
          path: /usr/local/etc/ssl/bar/bar.key
          owner: "{% if ansible_os_family == 'FreeBSD' or ansible_os_family == 'OpenBSD' %}www{% elif ansible_os_family == 'RedHat' %}ftp{% else %}www-data{% endif %}"
          group: "{% if ansible_os_family == 'FreeBSD' or ansible_os_family == 'OpenBSD' %}www{% elif ansible_os_family == 'RedHat' %}ftp{% else %}www-data{% endif %}"
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIEowIBAAKCAQEA2fZ3dYrKBhnh+DhW0Opqc5ZXaONvC6hGEh+Bu34cyzCnWLCK
            ...
            -----END RSA PRIVATE KEY-----

License

Copyright (c) 2017 Tomoyuki Sakurai <[email protected]>

You can use, copy, modify, and share this software for any purpose as long as you include the copyright notice.

THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES. THE AUTHOR IS NOT LIABLE FOR ANY DAMAGES RESULTING FROM THE USE OF THIS SOFTWARE.

Author Information

Tomoyuki Sakurai tomoyukis@reallyenglish.com

This README was created by qansible

Project information

Manages X509 public and secret keys

Install
ansible-galaxy install reallyenglish.x509-certificate
License
isc
Downloads
200