adarnimrod.ca-store

CA store
########

.. image:: https://travis-ci.org/adarnimrod/ca-store.svg?branch=master
   :target: https://travis-ci.org/adarnimrod/ca-store

An Ansible role to set up the CA store. The end goal is to have the same setup on both supported OSes, meaning:

- Certificates owned by the ``ssl-cert`` group.
- All upstream-provided certificates at :code:`/usr/share/ca-certificates`.
- All locally provided certificates at :code:`/usr/local/share/ca-certificates`.
- A single concatenated file of all SSL certificates at :code:`/etc/ssl/certs/ca-certificates.crt`.
- All certificates symlinked by name and by hash at :code:`/etc/ssl/certs`.
- Keys go into :code:`/etc/ssl/private`.
- An :code:`update-ca-certificates` script that regenerates both the symlinks and the concatenated file after a certificate is added locally.
- A high-bit-count DH params file at :code:`/etc/ssl/dhparams.pem`.
- A self-signed key and cert at :code:`/etc/ssl/private/ssl-cert-snakeoil.key` and :code:`/etc/ssl/certs/ssl-cert-snakeoil.pem` respectively.

Afterwards you'll be able to do the following:

- Point to :code:`/etc/ssl/certs` for a list of known certs by hash.
- Point to :code:`/etc/ssl/certs/ca-certificates.crt` for a single concatenated file of all known certs.
- Add your certs at :code:`/usr/local/share/ca-certificates` and run :code:`update-ca-certificates` to update all locations.
- Run the role again to update to the latest list of certs provided by upstream.
- Save private keys at :code:`/etc/ssl/private` owned by ``root:ssl-cert`` and have them stored securely.
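Once the role has run, the layout described above can be checked from a shell. The following is an added example and not part of this role: it assumes a function name ``ca_store_audit`` and an optional root-prefix argument (so a mounted image or a constructed test tree can be audited instead of the live system), relies only on POSIX ``sh``, ``awk``, ``grep`` and ``find``, and uses ``openssl`` for the by-hash symlink check only when it is installed. It flags local certificates that are missing from the bundle (``update-ca-certificates`` not run), dangling symlinks under ``/etc/ssl/certs``, and world-readable entries under ``/etc/ssl/private``.

```shell
#!/bin/sh
# ca_store_audit: check that a host matches the CA store layout described above.
#
# Usage: ca_store_audit            # audit the live filesystem
#        ca_store_audit /mnt/root  # audit a mounted image or test tree (hypothetical path)
# Prints one FAIL line per problem; returns 1 if any check failed, 0 otherwise.
ca_store_audit() {
    root="${1:-}"   # empty prefix means the real filesystem
    local_dir="$root/usr/local/share/ca-certificates"
    certs_dir="$root/etc/ssl/certs"
    bundle="$certs_dir/ca-certificates.crt"
    private_dir="$root/etc/ssl/private"
    rc=0

    # 1. The single concatenated bundle must exist.
    if [ ! -f "$bundle" ]; then
        echo "FAIL: bundle $bundle is missing"
        return 1
    fi

    # 2. Every locally added certificate must already be in the bundle; if it
    #    is not, update-ca-certificates was not run after the file was added.
    #    The first base64 line after the BEGIN marker identifies the
    #    certificate well enough for this check and needs no openssl.
    for crt in "$local_dir"/*.crt; do
        [ -e "$crt" ] || continue   # the glob matched nothing
        first_line=$(awk '/-----BEGIN CERTIFICATE-----/ { getline; print; exit }' "$crt")
        if [ -z "$first_line" ]; then
            echo "FAIL: $crt is not a PEM certificate"
            rc=1
            continue
        fi
        if ! grep -qxF -- "$first_line" "$bundle"; then
            echo "FAIL: $crt is not in $bundle (run update-ca-certificates)"
            rc=1
        fi
        # 3. When openssl is available, also require the by-hash symlink.
        if command -v openssl >/dev/null 2>&1; then
            subj_hash=$(openssl x509 -noout -hash -in "$crt" 2>/dev/null || true)
            if [ -n "$subj_hash" ] && [ ! -e "$certs_dir/$subj_hash.0" ]; then
                echo "FAIL: no hash symlink $certs_dir/$subj_hash.0 for $crt"
                rc=1
            fi
        fi
    done

    # 4. No dangling symlinks in /etc/ssl/certs: a certificate removed without
    #    re-running update-ca-certificates leaves its hash link behind.
    for link in "$certs_dir"/*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            echo "FAIL: dangling symlink $link"
            rc=1
        fi
    done

    # 5. Nothing under /etc/ssl/private may be world-readable.
    if [ -d "$private_dir" ]; then
        world_readable=$(find "$private_dir" -perm -004 2>/dev/null || true)
        if [ -n "$world_readable" ]; then
            echo "FAIL: world-readable entries under $private_dir:"
            echo "$world_readable"
            rc=1
        fi
    fi

    return "$rc"
}
```

Source the file and call ``ca_store_audit`` (as root, so that ``/etc/ssl/private`` can be traversed) after the role or after any manual ``update-ca-certificates`` run; a non-zero exit is meant to fail a CI or configuration-drift check.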

Requirements
------------

See :code:`meta/main.yml` and the assertions at the top of :code:`tasks/main.yml`.

Role Variables
--------------

See :code:`defaults/main.yml`.

Dependencies
------------

See :code:`meta/main.yml`.

Example Playbook
----------------

See :code:`tests/playbook.yml`.

Testing
-------

Testing requires Python 2.7 and either Docker or Vagrant and VirtualBox. Install the Python dependencies, the dependent roles and the roles required for testing:

.. code:: shell

    pip install -r tests/requirements.txt
    ansible-galaxy install git+file://$(pwd),$(git rev-parse --abbrev-ref HEAD) -p .molecule/roles
    molecule dependency

To run the full test suite:

.. code:: shell

    pre-commit run --all-files
    molecule test --platform all

License
-------

This software is licensed under the MIT license (see the :code:`LICENSE.txt` file).

Author Information
------------------

Nimrod Adar, `contact me <[email protected]>`_ or visit `my website <https://www.shore.co.il/>`_. Patches are welcome via `git send-email <http://git-scm.com/book/en/v2/Git-Commands-Email>`_. The repository is located at: https://git.shore.co.il/explore/.

Ansible Galaxy
--------------

Install and configure common CA store mechanism. Install from Galaxy with:

.. code:: shell

    ansible-galaxy install adarnimrod.ca-store