--- # Copyright (c) Ansible Project # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) # SPDX-License-Identifier: GPL-3.0-or-later - name: (OwnCA, {{select_crypto_backend}}) Generate CA privatekey openssl_privatekey: path: '{{ remote_tmp_dir }}/ca_privatekey.pem' size: '{{ default_rsa_key_size_certifiates }}' - name: (OwnCA, {{select_crypto_backend}}) Generate CA privatekey with passphrase openssl_privatekey: path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem' passphrase: hunter2 cipher: auto select_crypto_backend: cryptography size: '{{ default_rsa_key_size_certifiates }}' - name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR openssl_csr: path: '{{ item.path }}' privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' subject: '{{ item.subject }}' useCommonNameForSAN: false basic_constraints: - 'CA:TRUE' basic_constraints_critical: true loop: - path: '{{ remote_tmp_dir }}/ca_csr.csr' subject: commonName: Example CA - path: '{{ remote_tmp_dir }}/ca_csr2.csr' subject: commonName: Example CA 2 - name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR (privatekey passphrase) openssl_csr: path: '{{ remote_tmp_dir }}/ca_csr_pw.csr' privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem' privatekey_passphrase: hunter2 subject: commonName: Example CA useCommonNameForSAN: false basic_constraints: - 'CA:TRUE' basic_constraints_critical: true - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (check mode) x509_certificate: path: '{{ remote_tmp_dir }}/ca_cert.pem' csr_path: '{{ remote_tmp_dir }}/ca_csr.csr' privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true register: result_check_mode - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate x509_certificate: path: '{{ remote_tmp_dir }}/ca_cert.pem' csr_path: '{{ remote_tmp_dir }}/ca_csr.csr' privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' register: result - name: (OwnCA, {{select_crypto_backend}}) Verify changed assert: that: - result_check_mode is changed - result is changed - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate with different commonName x509_certificate: path: '{{ remote_tmp_dir }}/ca_cert2.pem' csr_path: '{{ remote_tmp_dir }}/ca_csr2.csr' privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (privatekey passphrase) x509_certificate: path: '{{ remote_tmp_dir }}/ca_cert_pw.pem' csr_path: '{{ remote_tmp_dir }}/ca_csr_pw.csr' privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem' privatekey_passphrase: hunter2 provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: ownca_certificate - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (idempotent) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: ownca_certificate_idempotence - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (check mode) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true - name: (OwnCA, {{select_crypto_backend}}) Copy ownca certificate to new file to check regeneration copy: src: '{{ remote_tmp_dir }}/ownca_cert.pem' dest: '{{ item }}' remote_src: true loop: - '{{ remote_tmp_dir }}/ownca_cert_ca_cn.pem' - '{{ remote_tmp_dir }}/ownca_cert_ca_key.pem' - name: (OwnCA, {{select_crypto_backend}}) Regenerate ownca certificate with different CA subject x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_ca_cn.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_path: '{{ remote_tmp_dir }}/ca_cert2.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: ownca_certificate_ca_subject_changed - name: (OwnCA, {{select_crypto_backend}}) Regenerate ownca certificate with different CA key x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_ca_key.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_path: '{{ remote_tmp_dir }}/ca_cert_pw.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem' ownca_privatekey_passphrase: hunter2 provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: ownca_certificate_ca_key_changed - name: (OwnCA, {{select_crypto_backend}}) Get certificate information community.crypto.x509_certificate_info: path: '{{ remote_tmp_dir }}/ownca_cert.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result - name: (OwnCA, {{select_crypto_backend}}) Get private key information community.crypto.openssl_privatekey_info: path: '{{ remote_tmp_dir }}/privatekey.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result_privatekey - name: (OwnCA, {{select_crypto_backend}}) Check ownca certificate assert: that: - result.public_key == result_privatekey.public_key - "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'" - "result.subject.commonName == 'www.example.com'" - "result.issuer.commonName == 'Example CA'" - not result.expired - result.version == 3 - name: (OwnCA, {{select_crypto_backend}}) Generate ownca v2 certificate x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_v2.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 ownca_version: 2 select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_v2_certificate ignore_errors: true - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate2 x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert2.pem' csr_path: '{{ remote_tmp_dir }}/csr2.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' - name: (OwnCA, {{select_crypto_backend}}) Get certificate information community.crypto.x509_certificate_info: path: '{{ remote_tmp_dir }}/ownca_cert2.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result - name: (OwnCA, {{select_crypto_backend}}) Get private key information community.crypto.openssl_privatekey_info: path: '{{ remote_tmp_dir }}/privatekey2.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result_privatekey - name: (OwnCA, {{select_crypto_backend}}) Check ownca certificate2 assert: that: - result.public_key == result_privatekey.public_key - "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'" - "result.subject.commonName == 'www.example.com'" - "result.subject.countryName == 'US'" - "result.subject.localityName == 'Los Angeles'" # L - "result.subject.organizationName == 'ACME Inc.'" - "['organizationalUnitName', 'Pyrotechnics'] in result.subject_ordered" - "['organizationalUnitName', 'Roadrunner pest control'] in result.subject_ordered" - "result.issuer.commonName == 'Example CA'" - not result.expired - result.version == 3 - "'Digital Signature' in result.key_usage" - "'IPSec User' in result.extended_key_usage" - "'Biometric Info' in result.extended_key_usage" - name: (OwnCA, {{select_crypto_backend}}) Create ownca certificate with notBefore and notAfter x509_certificate: provider: ownca ownca_not_before: 20181023133742Z ownca_not_after: 20191023133742Z path: "{{ remote_tmp_dir }}/ownca_cert3.pem" csr_path: "{{ remote_tmp_dir }}/csr.csr" privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem" ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' select_crypto_backend: '{{ select_crypto_backend }}' - name: (OwnCA, {{select_crypto_backend}}) Create ownca certificate with relative notBefore and notAfter x509_certificate: provider: ownca ownca_not_before: +1s ownca_not_after: +52w path: "{{ remote_tmp_dir }}/ownca_cert4.pem" csr_path: "{{ remote_tmp_dir }}/csr.csr" privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem" ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' select_crypto_backend: '{{ select_crypto_backend }}' - name: (OwnCA, {{select_crypto_backend}}) Generate ownca ECC certificate x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_ecc.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_certificate_ecc - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_ecc_2.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert_pw.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem' ownca_privatekey_passphrase: hunter2 provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_certificate_passphrase - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 1) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_pw1.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' ownca_privatekey_passphrase: hunter2 provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' ignore_errors: true register: passphrase_error_1 - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 2) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_pw2.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' ownca_privatekey_passphrase: wrong_password provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' ignore_errors: true register: passphrase_error_2 - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 3) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_pw3.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' ignore_errors: true register: passphrase_error_3 - name: (OwnCA, {{select_crypto_backend}}) Create broken certificate copy: dest: "{{ remote_tmp_dir }}/ownca_broken.pem" content: "broken" - name: (OwnCA, {{select_crypto_backend}}) Regenerate broken cert x509_certificate: path: '{{ remote_tmp_dir }}/ownca_broken.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 register: ownca_broken - name: (OwnCA, {{select_crypto_backend}}) Backup test x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_backup_1 - name: (OwnCA, {{select_crypto_backend}}) Backup test (idempotent) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_backup_2 - name: (OwnCA, {{select_crypto_backend}}) Backup test (change) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_backup_3 - name: (OwnCA, {{select_crypto_backend}}) Backup test (remove) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem' state: absent provider: ownca backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_backup_4 - name: (OwnCA, {{select_crypto_backend}}) Backup test (remove, idempotent) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem' state: absent provider: ownca backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_backup_5 - name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 ownca_create_subject_key_identifier: always_create select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_subject_key_identifier_1 - name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (idempotency) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 ownca_create_subject_key_identifier: always_create select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_subject_key_identifier_2 - name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (remove) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 ownca_create_subject_key_identifier: never_create select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_subject_key_identifier_3 - name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (remove idempotency) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 ownca_create_subject_key_identifier: never_create select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_subject_key_identifier_4 - name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (re-enable) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 ownca_create_subject_key_identifier: always_create select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_subject_key_identifier_5 - name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 ownca_create_authority_key_identifier: true select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_authority_key_identifier_1 - name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (idempotency) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 ownca_create_authority_key_identifier: true select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_authority_key_identifier_2 - name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (remove) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 ownca_create_authority_key_identifier: false select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_authority_key_identifier_3 - name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (remove idempotency) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 ownca_create_authority_key_identifier: false select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_authority_key_identifier_4 - name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (re-add) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 ownca_create_authority_key_identifier: true select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_authority_key_identifier_5 - name: (OwnCA, {{select_crypto_backend}}) Ed25519 and Ed448 tests (for cryptography >= 2.6) block: - name: (OwnCA, {{select_crypto_backend}}) Generate privatekeys openssl_privatekey: path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem' type: '{{ item }}' loop: - Ed25519 - Ed448 register: ownca_certificate_ed25519_ed448_privatekey ignore_errors: true - name: (OwnCA, {{select_crypto_backend}}) Generate CSR etc. if private key generation succeeded when: ownca_certificate_ed25519_ed448_privatekey is not failed block: - name: (OwnCA, {{select_crypto_backend}}) Generate CSR openssl_csr: path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem' subject: commonName: www.ansible.com select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 ignore_errors: true - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_{{ item }}.pem' csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 register: ownca_certificate_ed25519_ed448 ignore_errors: true - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (idempotent) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_{{ item }}.pem' csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem' provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 register: ownca_certificate_ed25519_ed448_idempotence ignore_errors: true - name: (OwnCA, {{select_crypto_backend}}) Generate CA privatekey openssl_privatekey: path: '{{ remote_tmp_dir }}/ca_privatekey_{{ item }}.pem' type: '{{ item }}' cipher: auto passphrase: Test123 ignore_errors: true loop: - Ed25519 - Ed448 - name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR openssl_csr: path: '{{ remote_tmp_dir }}/ca_csr_{{ item }}.csr' privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_{{ item }}.pem' privatekey_passphrase: Test123 subject: commonName: Example CA useCommonNameForSAN: false basic_constraints: - 'CA:TRUE' basic_constraints_critical: true key_usage: - cRLSign - keyCertSign loop: - Ed25519 - Ed448 ignore_errors: true - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate x509_certificate: path: '{{ remote_tmp_dir }}/ca_cert_{{ item }}.pem' csr_path: '{{ remote_tmp_dir }}/ca_csr_{{ item }}.csr' privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_{{ item }}.pem' privatekey_passphrase: Test123 provider: selfsigned select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 ignore_errors: true - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_{{ item }}_2.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert_{{ item }}.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_{{ item }}.pem' ownca_privatekey_passphrase: Test123 provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 register: ownca_certificate_ed25519_ed448_2 ignore_errors: true - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (idempotent) x509_certificate: path: '{{ remote_tmp_dir }}/ownca_cert_{{ item }}_2.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' ownca_path: '{{ remote_tmp_dir }}/ca_cert_{{ item }}.pem' ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_{{ item }}.pem' ownca_privatekey_passphrase: Test123 provider: ownca ownca_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 register: ownca_certificate_ed25519_ed448_2_idempotence ignore_errors: true when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') - import_tasks: ../tests/validate_ownca.yml