--- # Copyright (c) Ansible Project # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) # SPDX-License-Identifier: GPL-3.0-or-later - name: (Selfsigned, {{select_crypto_backend}}) Generate privatekey openssl_privatekey: path: '{{ remote_tmp_dir }}/privatekey.pem' size: '{{ default_rsa_key_size_certificates }}' - name: (Selfsigned, {{select_crypto_backend}}) Generate privatekey with password openssl_privatekey: path: '{{ remote_tmp_dir }}/privatekeypw.pem' passphrase: hunter2 select_crypto_backend: cryptography size: '{{ default_rsa_key_size_certificates }}' - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate without CSR x509_certificate: path: '{{ remote_tmp_dir }}/cert_no_csr.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: selfsigned_certificate_no_csr - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate without CSR - idempotency x509_certificate: path: '{{ remote_tmp_dir }}/cert_no_csr.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: selfsigned_certificate_no_csr_idempotence - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate without CSR (check mode) x509_certificate: path: '{{ remote_tmp_dir }}/cert_no_csr.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true register: selfsigned_certificate_no_csr_idempotence_check - name: (Selfsigned, {{select_crypto_backend}}) Generate CSR openssl_csr: path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' subject: commonName: www.example.com - name: (Selfsigned, {{select_crypto_backend}}) Generate CSR openssl_csr: path: '{{ remote_tmp_dir }}/csr_minimal_change.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' subject: commonName: www.example.org - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate x509_certificate: path: '{{ remote_tmp_dir }}/cert.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: selfsigned_certificate - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate - idempotency x509_certificate: path: '{{ remote_tmp_dir }}/cert.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: selfsigned_certificate_idempotence - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (check mode) x509_certificate: path: '{{ remote_tmp_dir }}/cert.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (check mode, other CSR) x509_certificate: path: '{{ remote_tmp_dir }}/cert.pem' csr_path: '{{ remote_tmp_dir }}/csr_minimal_change.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true register: selfsigned_certificate_csr_minimal_change - name: (Selfsigned, {{select_crypto_backend}}) Get certificate information community.crypto.x509_certificate_info: path: '{{ remote_tmp_dir }}/cert.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result - name: (Selfsigned, {{select_crypto_backend}}) Get private key information community.crypto.openssl_privatekey_info: path: '{{ remote_tmp_dir }}/privatekey.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result_privatekey - name: (Selfsigned, {{select_crypto_backend}}) Check selfsigned certificate assert: that: - result.public_key == result_privatekey.public_key - "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'" - "result.subject.commonName == 'www.example.com'" - not result.expired - result.version == 3 - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned v2 certificate x509_certificate: path: '{{ remote_tmp_dir }}/cert_v2.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_version: 2 select_crypto_backend: "{{ select_crypto_backend }}" register: selfsigned_v2_cert ignore_errors: true - name: (Selfsigned, {{select_crypto_backend}}) Generate privatekey2 openssl_privatekey: path: '{{ remote_tmp_dir }}/privatekey2.pem' size: '{{ default_rsa_key_size_certificates }}' - name: (Selfsigned, {{select_crypto_backend}}) Generate CSR2 openssl_csr: subject: CN: www.example.com C: US ST: California L: Los Angeles O: ACME Inc. OU: - Roadrunner pest control - Pyrotechnics path: '{{ remote_tmp_dir }}/csr2.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem' keyUsage: - digitalSignature extendedKeyUsage: - ipsecUser - biometricInfo - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate2 x509_certificate: path: '{{ remote_tmp_dir }}/cert2.pem' csr_path: '{{ remote_tmp_dir }}/csr2.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' - name: (Selfsigned, {{select_crypto_backend}}) Get certificate information community.crypto.x509_certificate_info: path: '{{ remote_tmp_dir }}/cert2.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result - name: (Selfsigned, {{select_crypto_backend}}) Get private key information community.crypto.openssl_privatekey_info: path: '{{ remote_tmp_dir }}/privatekey2.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result_privatekey - name: (Selfsigned, {{select_crypto_backend}}) Check selfsigned certificate2 assert: that: - result.public_key == result_privatekey.public_key - "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'" - "result.subject.commonName == 'www.example.com'" - "result.subject.countryName == 'US'" - "result.subject.localityName == 'Los Angeles'" # L - "result.subject.organizationName == 'ACME Inc.'" - "['organizationalUnitName', 'Pyrotechnics'] in result.subject_ordered" - "['organizationalUnitName', 'Roadrunner pest control'] in result.subject_ordered" - not result.expired - result.version == 3 - "'Digital Signature' in result.key_usage" - "'IPSec User' in result.extended_key_usage" - "'Biometric Info' in result.extended_key_usage" - name: (Selfsigned, {{select_crypto_backend}}) Create private key 3 openssl_privatekey: path: "{{ remote_tmp_dir }}/privatekey3.pem" size: '{{ default_rsa_key_size_certificates }}' - name: (Selfsigned, {{select_crypto_backend}}) Create CSR 3 openssl_csr: subject: CN: www.example.com privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem" path: "{{ remote_tmp_dir }}/csr3.pem" - name: (Selfsigned, {{select_crypto_backend}}) Create certificate3 with notBefore and notAfter x509_certificate: provider: selfsigned selfsigned_not_before: 20181023133742Z selfsigned_not_after: 20191023133742Z path: "{{ remote_tmp_dir }}/cert3.pem" csr_path: "{{ remote_tmp_dir }}/csr3.pem" privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem" select_crypto_backend: '{{ select_crypto_backend }}' - name: (Selfsigned, {{select_crypto_backend}}) Create certificate3 with notBefore and notAfter (idempotent) x509_certificate: provider: selfsigned selfsigned_not_before: 20181023133742Z selfsigned_not_after: 20191023133742Z ignore_timestamps: false path: "{{ remote_tmp_dir }}/cert3.pem" csr_path: "{{ remote_tmp_dir }}/csr3.pem" privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem" select_crypto_backend: '{{ select_crypto_backend }}' register: cert3_selfsigned_idem - name: (Selfsigned, {{select_crypto_backend}}) Generate privatekey openssl_privatekey: path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' type: ECC curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}" # ^ cryptography on CentOS6 doesn't support secp256k1, so we use secp521r1 instead - name: (Selfsigned, {{select_crypto_backend}}) Generate CSR openssl_csr: path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' subject: commonName: www.example.com - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate x509_certificate: path: '{{ remote_tmp_dir }}/cert_ecc.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_certificate_ecc - name: (Selfsigned, {{select_crypto_backend}}) Generate CSR (privatekey passphrase) openssl_csr: path: '{{ remote_tmp_dir }}/csr_pass.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' privatekey_passphrase: hunter2 subject: commonName: www.example.com - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase) x509_certificate: path: '{{ remote_tmp_dir }}/cert_pass.pem' csr_path: '{{ remote_tmp_dir }}/csr_pass.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' privatekey_passphrase: hunter2 provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_certificate_passphrase - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 1) x509_certificate: path: '{{ remote_tmp_dir }}/cert_pw1.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' privatekey_passphrase: hunter2 provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' ignore_errors: true register: passphrase_error_1 - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 2) x509_certificate: path: '{{ remote_tmp_dir }}/cert_pw2.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' privatekey_passphrase: wrong_password provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' ignore_errors: true register: passphrase_error_2 - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 3) x509_certificate: path: '{{ remote_tmp_dir }}/cert_pw3.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' ignore_errors: true register: passphrase_error_3 - name: (Selfsigned, {{select_crypto_backend}}) Create broken certificate copy: dest: "{{ remote_tmp_dir }}/cert_broken.pem" content: "broken" - name: (Selfsigned, {{select_crypto_backend}}) Regenerate broken cert x509_certificate: path: '{{ remote_tmp_dir }}/cert_broken.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 register: selfsigned_broken - name: (Selfsigned, {{select_crypto_backend}}) Backup test x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_backup_1 - name: (Selfsigned, {{select_crypto_backend}}) Backup test (idempotent) x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_backup_2 - name: (Selfsigned, {{select_crypto_backend}}) Backup test (change) x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_backup_3 - name: (Selfsigned, {{select_crypto_backend}}) Backup test (remove) x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem' state: absent provider: selfsigned backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_backup_4 - name: (Selfsigned, {{select_crypto_backend}}) Backup test (remove, idempotent) x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem' state: absent provider: selfsigned backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_backup_5 - name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_create_subject_key_identifier: always_create select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_subject_key_identifier_1 - name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (idempotency) x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_create_subject_key_identifier: always_create select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_subject_key_identifier_2 - name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (remove) x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_create_subject_key_identifier: never_create select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_subject_key_identifier_3 - name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (remove idempotency) x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_create_subject_key_identifier: never_create select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_subject_key_identifier_4 - name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (re-enable) x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_create_subject_key_identifier: always_create select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_subject_key_identifier_5 - name: (Selfsigned, {{select_crypto_backend}}) Ed25519 and Ed448 tests (for cryptography >= 2.6) block: - name: (Selfsigned, {{select_crypto_backend}}) Generate privatekeys openssl_privatekey: path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem' type: '{{ item }}' loop: - Ed25519 - Ed448 register: selfsigned_certificate_ed25519_ed448_privatekey ignore_errors: true - name: (Selfsigned, {{select_crypto_backend}}) Generate CSR etc. if private key generation succeeded when: selfsigned_certificate_ed25519_ed448_privatekey is not failed block: - name: (Selfsigned, {{select_crypto_backend}}) Generate CSR openssl_csr: path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem' subject: commonName: www.ansible.com select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 ignore_errors: true - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate x509_certificate: path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem' csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 register: selfsigned_certificate_ed25519_ed448 ignore_errors: true - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate - idempotency x509_certificate: path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem' csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 register: selfsigned_certificate_ed25519_ed448_idempotence ignore_errors: true when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') - import_tasks: ../tests/validate_selfsigned.yml