---
# Two RSA keys are generated up front. privatekey is used by the self-signed
# tasks and later as the CA key; privatekey2 backs the CSRs the CA signs.
- name: "({{ select_crypto_backend }}) Generate privatekey"
  openssl_privatekey:
    path: '{{ output_dir }}/{{ item }}.pem'
    # The variable name is used exactly as it is spelled ('certifiates'); it is
    # defined outside this file, so renaming it here alone would break the lookup.
    size: '{{ default_rsa_key_size_certifiates }}'
  # NOTE(review): unlike every other task in this file no select_crypto_backend
  # is passed, so the keys come from the module's default backend — confirm
  # that this is intended rather than an omission.
  loop:
    - privatekey
    - privatekey2

# One CSR per test certificate. cert and cert-2 are keyed by privatekey (the
# self-signed cases); cert-3 and cert-4 by privatekey2 (the own-CA cases).
# The Common Names are what the validation tasks read back later.
- name: "({{ select_crypto_backend }}) Generate CSRs"
  openssl_csr:
    path: '{{ output_dir }}/{{ item.name }}.csr'
    privatekey_path: '{{ output_dir }}/{{ item.key }}.pem'
    subject:
      commonName: '{{ item.cn }}'
    select_crypto_backend: '{{ select_crypto_backend }}'
  loop:
    - name: cert
      key: privatekey
      cn: www.ansible.com
    - name: cert-2
      key: privatekey
      cn: ansible.com
    - name: cert-3
      key: privatekey2
      cn: example.com
    - name: cert-4
      key: privatekey2
      cn: example.org

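## Self Signed

# Check mode first: it must report a change (asserted below) without producing
# a certificate.
- name: "({{ select_crypto_backend }}) Generate self-signed certificate (check mode)"
  x509_certificate_pipe:
    provider: selfsigned
    privatekey_path: '{{ output_dir }}/privatekey.pem'
    csr_path: '{{ output_dir }}/cert.csr'
    # Fixed validity window, identical in every selfsigned task of this file;
    # quoted so no YAML loader attempts implicit typing on the value.
    selfsigned_not_before: '20181023133742Z'
    selfsigned_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  # Canonical boolean: 'yes' is only a boolean under YAML 1.1 (yamllint truthy).
  check_mode: true
  register: generate_certificate_check
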
# Real run: the resulting PEM is returned in generate_certificate.certificate
# and fed into the idempotency, changed and validation tasks that follow.
- name: "({{ select_crypto_backend }}) Generate self-signed certificate"
  x509_certificate_pipe:
    provider: selfsigned
    privatekey_path: '{{ output_dir }}/privatekey.pem'
    csr_path: '{{ output_dir }}/cert.csr'
    # Same validity window as the other selfsigned tasks (quoted: plain string).
    selfsigned_not_before: '20181023133742Z'
    selfsigned_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: generate_certificate

# Re-run with the previous certificate passed back as content and otherwise
# identical inputs; the assertion below expects this to report no change.
- name: "({{ select_crypto_backend }}) Generate self-signed certificate (idempotent)"
  x509_certificate_pipe:
    provider: selfsigned
    privatekey_path: '{{ output_dir }}/privatekey.pem'
    csr_path: '{{ output_dir }}/cert.csr'
    # Existing certificate the module compares against — presumably the basis
    # of its change detection.
    content: "{{ generate_certificate.certificate }}"
    selfsigned_not_before: '20181023133742Z'
    selfsigned_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: generate_certificate_idempotent

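# Same inputs as the idempotent run, in check mode; expected to report no change.
- name: "({{ select_crypto_backend }}) Generate self-signed certificate (idempotent, check mode)"
  x509_certificate_pipe:
    provider: selfsigned
    privatekey_path: '{{ output_dir }}/privatekey.pem'
    csr_path: '{{ output_dir }}/cert.csr'
    content: "{{ generate_certificate.certificate }}"
    # Validity window unchanged from the certificate passed in (quoted string).
    selfsigned_not_before: '20181023133742Z'
    selfsigned_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  # Canonical boolean instead of YAML 1.1-only 'yes' (yamllint truthy).
  check_mode: true
  register: generate_certificate_idempotent_check
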
# A different CSR (cert-2, CN ansible.com) with the old certificate passed in;
# the assertion below expects this to be reported as changed.
- name: "({{ select_crypto_backend }}) Generate self-signed certificate (changed)"
  x509_certificate_pipe:
    provider: selfsigned
    privatekey_path: '{{ output_dir }}/privatekey.pem'
    # Only the CSR differs from the idempotent run.
    csr_path: '{{ output_dir }}/cert-2.csr'
    content: "{{ generate_certificate.certificate }}"
    selfsigned_not_before: '20181023133742Z'
    selfsigned_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: generate_certificate_changed

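# Same CSR switch as the "changed" task, in check mode; expected to report a
# change as well.
- name: "({{ select_crypto_backend }}) Generate self-signed certificate (changed, check mode)"
  x509_certificate_pipe:
    provider: selfsigned
    privatekey_path: '{{ output_dir }}/privatekey.pem'
    csr_path: '{{ output_dir }}/cert-2.csr'
    content: "{{ generate_certificate.certificate }}"
    # Validity window quoted so it is always read as a plain string.
    selfsigned_not_before: '20181023133742Z'
    selfsigned_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  # Canonical boolean instead of YAML 1.1-only 'yes' (yamllint truthy).
  check_mode: true
  register: generate_certificate_changed_check
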
# Read the RSA modulus of privatekey.pem; it is compared with the certificate's
# modulus below to prove the certificate was issued for this key.
- name: "({{ select_crypto_backend }}) Validate certificate (test - privatekey modulus)"
  shell:
    # openssl_binary and output_dir are interpolated unquoted into the shell
    # line; fine for test-controlled values, but apply '| quote' should either
    # ever come from an untrusted source.
    cmd: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
  register: privatekey_modulus

# Extract the subject of the generated certificate. -nameopt oneline,-space_eq
# prints it as a single 'subject=CN=<name>' line, which the assert below splits.
- name: "({{ select_crypto_backend }}) Validate certificate (test - Common Name)"
  shell:
    cmd: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
    # The PEM is handed to openssl on stdin, so it never touches the disk.
    stdin: "{{ generate_certificate.certificate }}"
  register: certificate_cn

# Read the modulus of the certificate's public key (PEM supplied on stdin).
- name: "({{ select_crypto_backend }}) Validate certificate (test - certificate modulus)"
  shell:
    cmd: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin'
    stdin: "{{ generate_certificate.certificate }}"
  register: certificate_modulus

# The certificate must carry the CN requested in cert.csr and must belong to
# privatekey.pem (equal moduli).
- name: "({{ select_crypto_backend }}) Validate certificate (assert)"
  assert:
    that:
      # Last '='-separated field of 'subject=CN=www.ansible.com'.
      - certificate_cn.stdout.split('=')[-1] == 'www.ansible.com'
      - privatekey_modulus.stdout == certificate_modulus.stdout

# Change reporting of the selfsigned provider: a fresh certificate (check mode
# or real) is a change, re-supplying the same certificate is not, and a
# different CSR is a change again.
- name: "({{ select_crypto_backend }}) Validate certificate (check mode, idempotency)"
  assert:
    that:
      # First generation, with and without check mode.
      - generate_certificate_check is changed
      - generate_certificate is changed
      # Same inputs plus the existing certificate.
      - generate_certificate_idempotent is not changed
      - generate_certificate_idempotent_check is not changed
      # cert-2.csr instead of cert.csr.
      - generate_certificate_changed is changed
      - generate_certificate_changed_check is changed

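## Own CA

# The self-signed certificate from the previous section acts as the CA, with
# privatekey.pem (the key it was issued for) as the CA key. Check mode first:
# expected to report a change without producing a certificate.
- name: "({{ select_crypto_backend }}) Generate own CA certificate (check mode)"
  x509_certificate_pipe:
    provider: ownca
    ownca_content: '{{ generate_certificate.certificate }}'
    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
    csr_path: '{{ output_dir }}/cert-3.csr'
    # Fixed validity window, identical in every ownca task; quoted so it is
    # always read as a plain string.
    ownca_not_before: '20181023133742Z'
    ownca_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  # Canonical boolean: 'yes' is only a boolean under YAML 1.1 (yamllint truthy).
  check_mode: true
  register: ownca_generate_certificate_check
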
# Real run: issue cert-3 (CN example.com, keyed by privatekey2) from the CA.
- name: "({{ select_crypto_backend }}) Generate own CA certificate"
  x509_certificate_pipe:
    provider: ownca
    ownca_content: '{{ generate_certificate.certificate }}'
    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
    csr_path: '{{ output_dir }}/cert-3.csr'
    # Same validity window as the other ownca tasks (quoted: plain string).
    ownca_not_before: '20181023133742Z'
    ownca_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: ownca_generate_certificate

# Re-run with the issued certificate passed back as content; expected to
# report no change below.
- name: "({{ select_crypto_backend }}) Generate own CA certificate (idempotent)"
  x509_certificate_pipe:
    provider: ownca
    # Existing certificate the module compares against — presumably the basis
    # of its change detection.
    content: "{{ ownca_generate_certificate.certificate }}"
    ownca_content: '{{ generate_certificate.certificate }}'
    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
    csr_path: '{{ output_dir }}/cert-3.csr'
    ownca_not_before: '20181023133742Z'
    ownca_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: ownca_generate_certificate_idempotent

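# Same inputs as the idempotent run, in check mode; expected to report no change.
- name: "({{ select_crypto_backend }}) Generate own CA certificate (idempotent, check mode)"
  x509_certificate_pipe:
    provider: ownca
    content: "{{ ownca_generate_certificate.certificate }}"
    ownca_content: '{{ generate_certificate.certificate }}'
    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
    csr_path: '{{ output_dir }}/cert-3.csr'
    # Validity window unchanged from the certificate passed in (quoted string).
    ownca_not_before: '20181023133742Z'
    ownca_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  # Canonical boolean instead of YAML 1.1-only 'yes' (yamllint truthy).
  check_mode: true
  register: ownca_generate_certificate_idempotent_check
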
# A different CSR (cert-4, CN example.org) with the old certificate passed in;
# expected to be reported as changed.
- name: "({{ select_crypto_backend }}) Generate own CA certificate (changed)"
  x509_certificate_pipe:
    provider: ownca
    content: "{{ ownca_generate_certificate.certificate }}"
    ownca_content: '{{ generate_certificate.certificate }}'
    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
    # Only the CSR differs from the idempotent run.
    csr_path: '{{ output_dir }}/cert-4.csr'
    ownca_not_before: '20181023133742Z'
    ownca_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: ownca_generate_certificate_changed

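# Same CSR switch as the "changed" task, in check mode; expected to report a
# change as well.
- name: "({{ select_crypto_backend }}) Generate own CA certificate (changed, check mode)"
  x509_certificate_pipe:
    provider: ownca
    content: "{{ ownca_generate_certificate.certificate }}"
    ownca_content: '{{ generate_certificate.certificate }}'
    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
    csr_path: '{{ output_dir }}/cert-4.csr'
    # Validity window quoted so it is always read as a plain string.
    ownca_not_before: '20181023133742Z'
    ownca_not_after: '20191023133742Z'
    select_crypto_backend: '{{ select_crypto_backend }}'
  # Canonical boolean instead of YAML 1.1-only 'yes' (yamllint truthy).
  check_mode: true
  register: ownca_generate_certificate_changed_check
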
# Modulus of privatekey2.pem, the key behind cert-3.csr. Task and register
# names repeat those of the selfsigned section, so the earlier
# privatekey_modulus result is overwritten here — harmless because the assert
# below consumes it immediately, but ambiguous in run output.
- name: "({{ select_crypto_backend }}) Validate certificate (test - privatekey modulus)"
  shell:
    # Unquoted interpolation is acceptable for test-controlled variables only.
    cmd: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey2.pem'
  register: privatekey_modulus

# Subject of the CA-issued certificate as one 'subject=CN=<name>' line.
- name: "({{ select_crypto_backend }}) Validate certificate (test - Common Name)"
  shell:
    cmd: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
    # PEM supplied on stdin; nothing is written to disk.
    stdin: "{{ ownca_generate_certificate.certificate }}"
  register: certificate_cn

# Modulus of the CA-issued certificate's public key (PEM supplied on stdin).
- name: "({{ select_crypto_backend }}) Validate certificate (test - certificate modulus)"
  shell:
    cmd: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin'
    stdin: "{{ ownca_generate_certificate.certificate }}"
  register: certificate_modulus

# The issued certificate must carry the CN from cert-3.csr and must belong to
# privatekey2.pem (equal moduli).
- name: "({{ select_crypto_backend }}) Validate certificate (assert)"
  assert:
    that:
      # Last '='-separated field of 'subject=CN=example.com'.
      - certificate_cn.stdout.split('=')[-1] == 'example.com'
      - privatekey_modulus.stdout == certificate_modulus.stdout

# Change reporting of the ownca provider, mirroring the selfsigned section:
# first issuance is a change, re-supplying the same certificate is not, a
# different CSR is a change again.
- name: "({{ select_crypto_backend }}) Validate certificate (check mode, idempotency)"
  assert:
    that:
      # First issuance, with and without check mode.
      - ownca_generate_certificate_check is changed
      - ownca_generate_certificate is changed
      # Same inputs plus the existing certificate.
      - ownca_generate_certificate_idempotent is not changed
      - ownca_generate_certificate_idempotent_check is not changed
      # cert-4.csr instead of cert-3.csr.
      - ownca_generate_certificate_changed is changed
      - ownca_generate_certificate_changed_check is changed