trombik.x509_certificate
This role manages X.509 secret and public keys. It assumes you already have a valid secret key or a signed public key; it does not create or manage Certificate Signing Requests (CSRs).
Requirements
You need to have the ansible collection. Check the requirements.yml for reference.
Role Variables
Variable | Description | Default |
---|---|---|
x509_certificate_dir | Directory to store certificates and keys | {{ __x509_certificate_dir }} |
x509_certificate_packages | Packages needed to manage keys, such as validating certificates | {{ __x509_certificate_packages }} |
x509_certificate_default_owner | Default owner of keys | {{ __x509_certificate_default_owner }} |
x509_certificate_default_group | Default group of keys | {{ __x509_certificate_default_group }} |
x509_certificate_additional_packages | Extra packages to install before managing certificates and keys. This affects file ownership management, so use it carefully. | [] |
x509_certificate_validate_command | Command to validate certificates and keys. Must be defined in the variables below | openssl |
x509_certificate | Keys to manage | [] |
x509_certificate_debug_log | Log sensitive data during the play if set to yes | no |
x509_certificate_update_ca_store_command | Command to run when the CA certificate store is updated | {{ __x509_certificate_update_ca_store_command }} |
Validating Commands
You have to set commands for validating secret and public keys. Each dictionary maps the value of x509_certificate_validate_command (openssl by default) to a command template in which %s is replaced with the path of the file to validate:
- Secret Key Validation Command: {"openssl"=>"openssl rsa -check -in %s"}
- Public Key Validation Command: {"openssl"=>"openssl x509 -noout -in %s"}
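As an added example (not part of the role), the script below runs both validation templates by hand, substituting the file path for %s, against a constructed throwaway key, self-signed certificate and junk file, so you can confirm what each command accepts and rejects before trusting it in a play. It assumes openssl is on PATH; validate_file, make_test_material and demo are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the trombik.x509_certificate role: run the
# README's two validation command templates by hand so you can see what they
# accept and reject before the role deploys a key or certificate.
set -u

# The templates exactly as the README lists them; "%s" is replaced with the path.
SECRET_VALIDATE_TMPL='openssl rsa -check -in %s'
PUBLIC_VALIDATE_TMPL='openssl x509 -noout -in %s'

# validate_file KIND PATH: returns 0 when the file passes the KIND
# (secret|public) validation command, non-zero otherwise.
validate_file() {
  kind=$1
  path=$2
  case "$kind" in
    secret) tmpl=$SECRET_VALIDATE_TMPL ;;
    public) tmpl=$PUBLIC_VALIDATE_TMPL ;;
    *) echo "unknown kind: $kind" >&2; return 2 ;;
  esac
  # shellcheck disable=SC2059  # the template is the printf format on purpose
  cmd=$(printf "$tmpl" "$path")
  # openssl rsa echoes the private key on stdout; discard all output so the
  # key never lands in a log (the same reason x509_certificate_debug_log is no).
  # Paths containing spaces are not supported by this word-split invocation.
  $cmd >/dev/null 2>&1
}

# make_test_material DIR: constructed throwaway key, self-signed cert and junk.
make_test_material() {
  dir=$1
  openssl genrsa -out "$dir/key.pem" 2048 >/dev/null 2>&1 || return 1
  openssl req -new -x509 -key "$dir/key.pem" -out "$dir/cert.pem" \
    -subj /CN=x509-role-test -days 1 >/dev/null 2>&1 || return 1
  printf 'not a pem file\n' >"$dir/junk.pem"
}

# demo: build the material in a temp dir and report each check's verdict.
demo() {
  dir=$(mktemp -d) || return 1
  make_test_material "$dir" || return 1
  for pair in "secret key.pem" "public cert.pem" "public key.pem" "secret junk.pem"; do
    set -- $pair
    if validate_file "$1" "$dir/$2"; then echo "$1 $2: valid"; else echo "$1 $2: rejected"; fi
  done
  rm -rf "$dir"
}

demo
```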
Key Management
x509_certificate
This variable is a list of dictionaries, one per key that you want to manage.
Columns:
Key | Value | Mandatory? |
---|---|---|
name | Name of the key | yes |
state | Either present or absent. If present, the key is created; if absent, it is removed. | yes |
public | Dictionary representing the public certificate | no |
secret | Dictionary representing the secret key | no |
Additional Information
If you need to include this role in your tasks, here is a simple YAML example:
- name: Include role trombik.x509_certificate
  include_role:
    name: trombik.x509_certificate
  vars:
    x509_certificate: "{{ my_variable }}"
    x509_certificate_debug_log: yes
For adding variables, you can use x509_certificate_vars.
Installation on Different Operating Systems
These are the per-OS default values for the directory, packages, owner and group variables above:
Debian:
- Directory: /etc/ssl
- Packages: ["openssl"]
- Owner: root
- Group: root
FreeBSD:
- Directory: /usr/local/etc/ssl
- Packages: []
- Owner: root
- Group: wheel
OpenBSD:
- Directory: /etc/ssl
- Packages: []
- Owner: root
- Group: wheel
RedHat:
- Directory: /etc/ssl
- Packages: ["openssl"]
- Owner: root
- Group: root
Example Playbook
Here's a simple playbook example for including this role:
---
- hosts: localhost
  roles:
    - trombik.x509_certificate
  vars:
    x509_certificate:
      - name: example
        state: present
        public:
          key: '...'
License
This software is provided "as is". The author takes no responsibility for any consequences resulting from its use.
Author Information
Created by Tomoyuki Sakurai y@trombik.org, and formatted through qansible.
ansible-galaxy install trombik.x509_certificate