a-c-m
/
community.crypto
mirror of https://github.com/ansible-collections/community.crypto.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
community.crypto/pr/612/docsite/guide_selfsigned.html

230 lines
23 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
<meta charset="utf-8" /><meta name="generator" content="Docutils 0.18.1: http://docutils.sourceforge.net/" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>How to create self-signed certificates &mdash; Community.Crypto Collection documentation</title>
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/css/ansible.css" type="text/css" />
<link rel="stylesheet" href="../_static/antsibull-minimal.css" type="text/css" />
<link rel="stylesheet" href="../_static/css/rtd-ethical-ads.css" type="text/css" />
<link rel="shortcut icon" href="../_static/images/Ansible-Mark-RGB_Black.png"/>
<!--[if lt IE 9]>
<script src="../_static/js/html5shiv.min.js"></script>
<![endif]-->
<script src="../_static/jquery.js"></script>
<script src="../_static/_sphinx_javascript_frameworks_compat.js"></script>
<script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
<script src="../_static/doctools.js"></script>
<script src="../_static/sphinx_highlight.js"></script>
<script src="../_static/js/theme.js"></script>
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="How to create a small CA" href="guide_ownca.html" />
<link rel="prev" title="Community.Crypto" href="../index.html" /><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
</head>
<body class="wy-body-for-nav"><!-- extra body elements for Ansible beyond RTD Sphinx Theme -->
<div class="DocSite-globalNav ansibleNav">
<ul>
<li><a href="https://www.ansible.com/ansiblefest" target="_blank">AnsibleFest</a></li>
<li><a href="https://www.ansible.com/tower" target="_blank">Products</a></li>
<li><a href="https://www.ansible.com/community" target="_blank">Community</a></li>
<li><a href="https://www.ansible.com/webinars-training" target="_blank">Webinars & Training</a></li>
<li><a href="https://www.ansible.com/blog" target="_blank">Blog</a></li>
</ul>
</div>
<a class="DocSite-nav" href="https://ansible-collections.github.io/community.crypto/branch/main/" style="padding-bottom: 30px;">
<img class="DocSiteNav-logo"
src="../_static/images/Ansible-Mark-RGB_White.png"
alt="Ansible Logo">
<div class="DocSiteNav-title">Community.Crypto Collection Docs</div>
</a>
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="../index.html" class="icon icon-home">
Community.Crypto Collection
</a><!--- Based on https://github.com/rtfd/sphinx_rtd_theme/pull/438/files -->
<div class="version">
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
<label class="sr-only" for="q">Search docs:</label>
<input type="text" class="st-default-search-input" id="q" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<ul class="current">
<li class="toctree-l1 current"><a class="current reference internal" href="#">How to create self-signed certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="guide_ownca.html">How to create a small CA</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../acme_account_module.html">community.crypto.acme_account module Create, modify or delete ACME accounts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../acme_account_info_module.html">community.crypto.acme_account_info module Retrieves information on ACME accounts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../acme_certificate_module.html">community.crypto.acme_certificate module Create SSL/TLS certificates with the ACME protocol</a></li>
<li class="toctree-l1"><a class="reference internal" href="../acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module Revoke certificates with the ACME protocol</a></li>
<li class="toctree-l1"><a class="reference internal" href="../acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module Prepare certificates required for ACME challenges such as <code class="docutils literal notranslate"><span class="pre">tls-alpn-01</span></code></a></li>
<li class="toctree-l1"><a class="reference internal" href="../acme_inspect_module.html">community.crypto.acme_inspect module Send direct requests to an ACME server</a></li>
<li class="toctree-l1"><a class="reference internal" href="../certificate_complete_chain_module.html">community.crypto.certificate_complete_chain module Complete certificate chain given a set of untrusted and root certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="../crypto_info_module.html">community.crypto.crypto_info module Retrieve cryptographic capabilities</a></li>
<li class="toctree-l1"><a class="reference internal" href="../ecs_certificate_module.html">community.crypto.ecs_certificate module Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
<li class="toctree-l1"><a class="reference internal" href="../ecs_domain_module.html">community.crypto.ecs_domain module Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
<li class="toctree-l1"><a class="reference internal" href="../get_certificate_module.html">community.crypto.get_certificate module Get a certificate from a host:port</a></li>
<li class="toctree-l1"><a class="reference internal" href="../luks_device_module.html">community.crypto.luks_device module Manage encrypted (LUKS) devices</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssh_cert_module.html">community.crypto.openssh_cert module Generate OpenSSH host or user certificates.</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssh_keypair_module.html">community.crypto.openssh_keypair module Generate OpenSSH private and public keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_csr_module.html">community.crypto.openssl_csr module Generate OpenSSL Certificate Signing Request (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_csr_info_module.html">community.crypto.openssl_csr_info module Provide information of OpenSSL Certificate Signing Requests (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_csr_pipe_module.html">community.crypto.openssl_csr_pipe module Generate OpenSSL Certificate Signing Request (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_dhparam_module.html">community.crypto.openssl_dhparam module Generate OpenSSL Diffie-Hellman Parameters</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_pkcs12_module.html">community.crypto.openssl_pkcs12 module Generate OpenSSL PKCS#12 archive</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_privatekey_module.html">community.crypto.openssl_privatekey module Generate OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_privatekey_convert_module.html">community.crypto.openssl_privatekey_convert module Convert OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_privatekey_info_module.html">community.crypto.openssl_privatekey_info module Provide information for OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_privatekey_pipe_module.html">community.crypto.openssl_privatekey_pipe module Generate OpenSSL private keys without disk access</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_publickey_module.html">community.crypto.openssl_publickey module Generate an OpenSSL public key from its private key.</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_publickey_info_module.html">community.crypto.openssl_publickey_info module Provide information for OpenSSL public keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_signature_module.html">community.crypto.openssl_signature module Sign data with openssl</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_signature_info_module.html">community.crypto.openssl_signature_info module Verify signatures with openssl</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_certificate_module.html">community.crypto.x509_certificate module Generate and/or check OpenSSL certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_certificate_info_module.html">community.crypto.x509_certificate_info module Provide information of OpenSSL X.509 certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_certificate_pipe_module.html">community.crypto.x509_certificate_pipe module Generate and/or check OpenSSL certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_crl_module.html">community.crypto.x509_crl module Generate Certificate Revocation Lists (CRLs)</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_crl_info_module.html">community.crypto.x509_crl_info module Retrieve information on Certificate Revocation Lists (CRLs)</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../openssl_csr_info_filter.html">community.crypto.openssl_csr_info filter Retrieve information from OpenSSL Certificate Signing Requests (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_privatekey_info_filter.html">community.crypto.openssl_privatekey_info filter Retrieve information from OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_publickey_info_filter.html">community.crypto.openssl_publickey_info filter Retrieve information from OpenSSL public keys in PEM format</a></li>
<li class="toctree-l1"><a class="reference internal" href="../split_pem_filter.html">community.crypto.split_pem filter Split PEM file contents into multiple objects</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_certificate_info_filter.html">community.crypto.x509_certificate_info filter Retrieve information from X.509 certificates in PEM format</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_crl_info_filter.html">community.crypto.x509_crl_info filter Retrieve information from X.509 CRLs in PEM format</a></li>
</ul>
<!-- extra nav elements for Ansible beyond RTD Sphinx Theme -->
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../index.html">Community.Crypto Collection</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="../index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item active">How to create self-signed certificates</li>
<li class="wy-breadcrumbs-aside">
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="how-to-create-self-signed-certificates">
<span id="ansible-collections-community-crypto-docsite-guide-selfsigned"></span><h1>How to create self-signed certificates<a class="headerlink" href="#how-to-create-self-signed-certificates" title="Permalink to this heading"></a></h1>
<p>The <a class="reference external" href="https://galaxy.ansible.com/community/crypto">community.crypto collection</a> offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create self-signed certificates.</p>
<p>For creating any kind of certificate, you always have to start with a private key. You can use the <a class="reference internal" href="../openssl_privatekey_module.html#ansible-collections-community-crypto-openssl-privatekey-module"><span class="std std-ref">community.crypto.openssl_privatekey module</span></a> to create a private key. If you only specify <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="../openssl_privatekey_module.html#ansible-collections-community-crypto-openssl-privatekey-module-parameter-path"><span class="std std-ref"><span class="pre">path</span></span></a></strong></code>, the default parameters will be used. This will result in a 4096 bit RSA private key:</p>
<div class="highlight-yaml+jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create private key (RSA, 4096 bits)</span>
<span class="w"> </span><span class="nt">community.crypto.openssl_privatekey</span><span class="p">:</span>
<span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.key</span>
</pre></div>
</div>
<p>You can specify <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="../openssl_privatekey_module.html#ansible-collections-community-crypto-openssl-privatekey-module-parameter-type"><span class="std std-ref"><span class="pre">type</span></span></a></strong></code> to select another key type, <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="../openssl_privatekey_module.html#ansible-collections-community-crypto-openssl-privatekey-module-parameter-size"><span class="std std-ref"><span class="pre">size</span></span></a></strong></code> to select a different key size (only available for RSA and DSA keys), or <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="../openssl_privatekey_module.html#ansible-collections-community-crypto-openssl-privatekey-module-parameter-passphrase"><span class="std std-ref"><span class="pre">passphrase</span></span></a></strong></code> if you want to store the key password-protected:</p>
<div class="highlight-yaml+jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create private key (X25519) with password protection</span>
<span class="w"> </span><span class="nt">community.crypto.openssl_privatekey</span><span class="p">:</span>
<span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.key</span>
<span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">X25519</span>
<span class="w"> </span><span class="nt">passphrase</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">changeme</span>
</pre></div>
</div>
<p>To create a very simple self-signed certificate with no specific information, you can proceed directly with the <a class="reference internal" href="../x509_certificate_module.html#ansible-collections-community-crypto-x509-certificate-module"><span class="std std-ref">community.crypto.x509_certificate module</span></a>:</p>
<div class="highlight-yaml+jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create simple self-signed certificate</span>
<span class="w"> </span><span class="nt">community.crypto.x509_certificate</span><span class="p">:</span>
<span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.pem</span>
<span class="w"> </span><span class="nt">privatekey_path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.key</span>
<span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">selfsigned</span>
</pre></div>
</div>
<p>(If you used <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="../openssl_privatekey_module.html#ansible-collections-community-crypto-openssl-privatekey-module-parameter-passphrase"><span class="std std-ref"><span class="pre">passphrase</span></span></a></strong></code> for the private key, you have to provide <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="../x509_certificate_module.html#ansible-collections-community-crypto-x509-certificate-module-parameter-privatekey-passphrase"><span class="std std-ref"><span class="pre">privatekey_passphrase</span></span></a></strong></code>.)</p>
<p>You can use <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="../x509_certificate_module.html#ansible-collections-community-crypto-x509-certificate-module-parameter-selfsigned-not-after"><span class="std std-ref"><span class="pre">selfsigned_not_after</span></span></a></strong></code> to define when the certificate expires (default: in roughly 10 years), and <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="../x509_certificate_module.html#ansible-collections-community-crypto-x509-certificate-module-parameter-selfsigned-not-before"><span class="std std-ref"><span class="pre">selfsigned_not_before</span></span></a></strong></code> to define from when the certificate is valid (default: now).</p>
<p>To define further properties of the certificate, like the subject, Subject Alternative Names (SANs), key usages, name constraints, etc., you need to first create a Certificate Signing Request (CSR) and provide it to the <a class="reference internal" href="../x509_certificate_module.html#ansible-collections-community-crypto-x509-certificate-module"><span class="std std-ref">community.crypto.x509_certificate module</span></a>. If you do not need the CSR file, you can use the <a class="reference internal" href="../openssl_csr_pipe_module.html#ansible-collections-community-crypto-openssl-csr-pipe-module"><span class="std std-ref">community.crypto.openssl_csr_pipe module</span></a> as in the example below. (To store it to disk, use the <a class="reference internal" href="../openssl_csr_module.html#ansible-collections-community-crypto-openssl-csr-module"><span class="std std-ref">community.crypto.openssl_csr module</span></a> instead.)</p>
<div class="highlight-yaml+jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create certificate signing request (CSR) for self-signed certificate</span>
<span class="w"> </span><span class="nt">community.crypto.openssl_csr_pipe</span><span class="p">:</span>
<span class="w"> </span><span class="nt">privatekey_path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.key</span>
<span class="w"> </span><span class="nt">common_name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ansible.com</span>
<span class="w"> </span><span class="nt">organization_name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Ansible, Inc.</span>
<span class="w"> </span><span class="nt">subject_alt_name</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;DNS:ansible.com&quot;</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;DNS:www.ansible.com&quot;</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;DNS:docs.ansible.com&quot;</span>
<span class="w"> </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">csr</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create self-signed certificate from CSR</span>
<span class="w"> </span><span class="nt">community.crypto.x509_certificate</span><span class="p">:</span>
<span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.pem</span>
<span class="w"> </span><span class="nt">csr_content</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">csr.csr</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w"> </span><span class="nt">privatekey_path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.key</span>
<span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">selfsigned</span>
</pre></div>
</div>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="../index.html" class="btn btn-neutral float-left" title="Community.Crypto" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="guide_ownca.html" class="btn btn-neutral float-right" title="How to create a small CA" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright Community.Crypto Contributors.</p>
</div>
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script><!-- extra footer elements for Ansible beyond RTD Sphinx Theme -->
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink