pogosoftware.self_signed_cert

Self-signed cert

This Ansible role generates self-signed certificates. It produces three PEM certificates together with their private keys: a CA certificate, a client certificate and a server certificate. In addition it exports two PFX (PKCS#12) bundles, one for the client and one for the server.

General variables

Certificate directory

self_signed_cert_dir: /etc/certs/

The directory in which the generated certificates (and, with them, their private keys) are saved. Treat it as sensitive and keep it readable by root only: the CA key it holds can sign certificates that the host, or anything configured to trust this CA, will accept.

cfssl and cfssljson download URLs

self_signed_cert_cfssl_url: https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
self_signed_cert_cfssl_json_url: https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

These select the versions of cfssl and cfssljson that the role downloads. The defaults point at the R1.2 build on pkg.cfssl.org; whichever you use, pin an exact release and check the downloaded binary against a known-good checksum before letting it mint your CA.

Profiles

self_signed_cert_profiles:
  - name: server
    expirity: 8760h
    usages:
      - signing
      - key encipherment
      - server auth
      - client auth

cfssl supports multiple profiles, each with its own unique name. expirity (the role's spelling of cfssl's expiry) sets how long a certificate issued with the profile remains valid, in Go duration syntax (8760h is one year). usages sets the key usage and extended key usage extensions written into the certificate, which is what a relying party checks: a certificate issued from a profile without server auth will be rejected when presented by a TLS server. The usage strings are passed to cfssl verbatim, so use exactly these spellings. Allowed values are:

  • Key usage: signing, digital signature, content commitment, key encipherment, key agreement, data encipherment, cert sign, crl sign, encipher only, decipher only
  • Extended key usage: any, server auth, client auth, code signing, email protection, s/mime, ipsec end system, ipsec tunnel, ipsec user, timestamping, ocsp signing, microsoft sgc, netscape sgc

Certificate authorities

self_signed_cert_ca_certs:
  - name: example-ca
    cn: example.com
    key_algo: rsa
    key_size: 2048
    country: EU
    location: Internet
    organisation: Example
    organisation_unit: IT
    state: internet
    trust_ca_cert: false

The CA's key_algo can be ECDSA256 or RSA. trust_ca_cert adds the CA certificate to the host's trusted root certificates. Leave it false unless the host really needs to trust everything this CA issues: once the CA is in the trust store, whoever holds its private key can issue certificates for any name that the host will accept, so protect the key under self_signed_cert_dir accordingly.

Certificates

self_signed_cert_certs:
  - name: server
    profile: server
    ca_name: example-ca
    export_to_pfx: true
    cn: example.com
    hosts:
      - example.com
      - www.example.com
    key_algo: rsa
    key_size: 2048
    country: EU
    location: Internet
    organisation: Example
    organisation_unit: IT
    state: internet
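The profile, CA and certificate entries above map directly onto X.509 fields: expirity becomes the validity period, hosts become subjectAltName entries, and usages become the keyUsage and extendedKeyUsage extensions that a peer checks. The Go program below is an added example written for this page, not code from the role or from cfssl. It reproduces the page's CA plus the server and client profiles with Go's crypto/x509, signs both leaves under the CA, and then runs the verification a TLS peer would, showing that the client certificate is rejected when presented as a server certificate even though its SAN matches the requested name. The function names (ParseUsages, sign, IssueCert, VerifyFor, Demo) are this example's own, the usage mapping follows the cfssl usage strings listed above, and ECDSA P-256 keys are used for speed rather than the role's rsa/2048 default.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// The cfssl usage strings listed on this page, mapped onto Go's x509 constants.
var keyUsages = map[string]x509.KeyUsage{
	"signing": x509.KeyUsageDigitalSignature, "digital signature": x509.KeyUsageDigitalSignature, "content commitment": x509.KeyUsageContentCommitment,
	"key encipherment": x509.KeyUsageKeyEncipherment, "key agreement": x509.KeyUsageKeyAgreement, "data encipherment": x509.KeyUsageDataEncipherment,
	"cert sign": x509.KeyUsageCertSign, "crl sign": x509.KeyUsageCRLSign, "encipher only": x509.KeyUsageEncipherOnly, "decipher only": x509.KeyUsageDecipherOnly,
}
var extKeyUsages = map[string]x509.ExtKeyUsage{
	"any": x509.ExtKeyUsageAny, "server auth": x509.ExtKeyUsageServerAuth, "client auth": x509.ExtKeyUsageClientAuth, "code signing": x509.ExtKeyUsageCodeSigning,
	"email protection": x509.ExtKeyUsageEmailProtection, "s/mime": x509.ExtKeyUsageEmailProtection, "ipsec end system": x509.ExtKeyUsageIPSECEndSystem,
	"ipsec tunnel": x509.ExtKeyUsageIPSECTunnel, "ipsec user": x509.ExtKeyUsageIPSECUser, "timestamping": x509.ExtKeyUsageTimeStamping,
	"ocsp signing": x509.ExtKeyUsageOCSPSigning, "microsoft sgc": x509.ExtKeyUsageMicrosoftServerGatedCrypto, "netscape sgc": x509.ExtKeyUsageNetscapeServerGatedCrypto,
}

// ParseUsages maps a profile's usages onto KeyUsage bits and EKUs; an unknown string (e.g. "server_auth") is an error.
func ParseUsages(usages []string) (ku x509.KeyUsage, eku []x509.ExtKeyUsage, err error) {
	for _, u := range usages {
		if b, ok := keyUsages[u]; ok {
			ku |= b
		} else if e, ok := extKeyUsages[u]; ok {
			eku = append(eku, e)
		} else {
			return 0, nil, fmt.Errorf("unknown usage %q", u)
		}
	}
	return ku, eku, nil
}

// sign generates a P-256 key for tmpl (the page's default is rsa/2048) and has parent sign it; parentKey == nil means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl.NotBefore = time.Now().Add(-time.Minute) // tolerate a little clock skew on the verifying host
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueCert is one self_signed_cert_certs entry: cn and hosts (written as SAN dNSName entries) under a profile's expirity and usages.
func IssueCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, hosts []string, expirity time.Duration, usages []string) (*x509.Certificate, error) {
	ku, eku, err := ParseUsages(usages)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: hosts, BasicConstraintsValid: true,
		NotAfter: time.Now().Add(expirity), KeyUsage: ku, ExtKeyUsage: eku}
	cert, _, err := sign(tmpl, ca, caKey)
	return cert, err
}

// VerifyFor is the check a TLS peer makes: the chain ends at ca, the name matches when dnsName is set, and the EKU permits the purpose.
func VerifyFor(cert, ca *x509.Certificate, dnsName string, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// Demo reproduces the page's CA plus server and client profiles and reports which peer-side checks each leaf passes.
func Demo() (serverOK, clientAsServer, clientOK bool, err error) {
	caTmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "example.com"}, IsCA: true, BasicConstraintsValid: true,
		NotAfter: time.Now().Add(5 * 8760 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca, caKey, err := sign(caTmpl, caTmpl, nil)
	if err != nil {
		return
	}
	srv, errS := IssueCert(ca, caKey, "example.com", []string{"example.com", "www.example.com"}, 8760*time.Hour, []string{"signing", "key encipherment", "server auth", "client auth"})
	cli, errC := IssueCert(ca, caKey, "example.com", []string{"example.com"}, 8760*time.Hour, []string{"signing", "key encipherment", "client auth"})
	if errS != nil || errC != nil {
		return false, false, false, fmt.Errorf("issuance failed: %v %v", errS, errC)
	}
	serverOK = VerifyFor(srv, ca, "www.example.com", x509.ExtKeyUsageServerAuth) == nil
	clientAsServer = VerifyFor(cli, ca, "example.com", x509.ExtKeyUsageServerAuth) == nil // SAN matches, EKU does not
	clientOK = VerifyFor(cli, ca, "", x509.ExtKeyUsageClientAuth) == nil
	return
}

func main() { fmt.Println(Demo()) }
```

Demo returns true, false, true: the server certificate is accepted for server auth on www.example.com, the client certificate is refused as a server certificate, and accepted for client auth. The habit worth copying is the strict ParseUsages: a misspelled usage fails at issuance, which is far cheaper than discovering at connection time that a certificate lacks the EKU the peer demands.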

Example playbook

The playbook references the role as self-signed-cert; if you installed it with ansible-galaxy (see Installation below), reference it as pogosoftware.self_signed_cert instead.

- hosts: localhost
  become: yes
  roles:
    - self-signed-cert
  vars:
    self_signed_cert_cfssl_url: https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl_1.4.1_linux_amd64
    self_signed_cert_cfssl_json_url: https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssljson_1.4.1_linux_amd64

    self_signed_cert_dir: /etc/certs/

    self_signed_cert_profiles:
      - name: server
        expirity: 8760h
        usages:
          - signing
          - key encipherment
          - server auth
          - client auth
      - name: client
        expirity: 8760h
        usages:
          - signing
          - key encipherment
          - client auth

    self_signed_cert_ca_certs:
      - name: example-ca
        cn: example.com
        key_algo: rsa
        key_size: 2048
        country: EU
        location: Internet
        organisation: Example
        organisation_unit: IT
        state: internet
        trust_ca_cert: false

    self_signed_cert_certs:
      - name: server
        profile: server
        ca_name: example-ca
        export_to_pfx: true
        cn: example.com
        hosts:
          - example.com
          - www.example.com
        key_algo: rsa
        key_size: 2048
        country: EU
        location: Internet
        organisation: Example
        organisation_unit: IT
        state: internet
      - name: client
        profile: client
        ca_name: example-ca
        export_to_pfx: true
        cn: example.com
        hosts:
          - example.com
          - www.example.com
        key_algo: rsa
        key_size: 2048
        country: EU
        location: Internet
        organisation: Example
        organisation_unit: IT
        state: internet

About

This Ansible role generates self-signed certificates.

Installation
ansible-galaxy install pogosoftware.self_signed_cert
License
mit