652 lines
26 KiB
YAML
652 lines
26 KiB
YAML
---
|
|
# Copyright (c) Ansible Project
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate CA privatekey
|
|
openssl_privatekey:
|
|
path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
size: '{{ default_rsa_key_size_certifiates }}'
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate CA privatekey with passphrase
|
|
openssl_privatekey:
|
|
path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem'
|
|
passphrase: hunter2
|
|
cipher: auto
|
|
select_crypto_backend: cryptography
|
|
size: '{{ default_rsa_key_size_certifiates }}'
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR
|
|
openssl_csr:
|
|
path: '{{ item.path }}'
|
|
privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
subject: '{{ item.subject }}'
|
|
useCommonNameForSAN: no
|
|
basic_constraints:
|
|
- 'CA:TRUE'
|
|
basic_constraints_critical: yes
|
|
loop:
|
|
- path: '{{ remote_tmp_dir }}/ca_csr.csr'
|
|
subject:
|
|
commonName: Example CA
|
|
- path: '{{ remote_tmp_dir }}/ca_csr2.csr'
|
|
subject:
|
|
commonName: Example CA 2
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR (privatekey passphrase)
|
|
openssl_csr:
|
|
path: '{{ remote_tmp_dir }}/ca_csr_pw.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem'
|
|
privatekey_passphrase: hunter2
|
|
subject:
|
|
commonName: Example CA
|
|
useCommonNameForSAN: no
|
|
basic_constraints:
|
|
- 'CA:TRUE'
|
|
basic_constraints_critical: yes
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (check mode)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/ca_csr.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
check_mode: true
|
|
register: result_check_mode
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/ca_csr.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Verify changed
|
|
assert:
|
|
that:
|
|
- result_check_mode is changed
|
|
- result is changed
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate with different commonName
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ca_cert2.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/ca_csr2.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (privatekey passphrase)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ca_cert_pw.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/ca_csr_pw.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem'
|
|
privatekey_passphrase: hunter2
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: ownca_certificate
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (idempotent)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: ownca_certificate_idempotence
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (check mode)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
check_mode: yes
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Copy ownca certificate to new file to check regeneration
|
|
copy:
|
|
src: '{{ remote_tmp_dir }}/ownca_cert.pem'
|
|
dest: '{{ item }}'
|
|
remote_src: true
|
|
loop:
|
|
- '{{ remote_tmp_dir }}/ownca_cert_ca_cn.pem'
|
|
- '{{ remote_tmp_dir }}/ownca_cert_ca_key.pem'
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Regenerate ownca certificate with different CA subject
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_ca_cn.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert2.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: ownca_certificate_ca_subject_changed
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Regenerate ownca certificate with different CA key
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_ca_key.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert_pw.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem'
|
|
ownca_privatekey_passphrase: hunter2
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: ownca_certificate_ca_key_changed
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Get certificate information
|
|
community.crypto.x509_certificate_info:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Get private key information
|
|
community.crypto.openssl_privatekey_info:
|
|
path: '{{ remote_tmp_dir }}/privatekey.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result_privatekey
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Check ownca certificate
|
|
assert:
|
|
that:
|
|
- result.public_key == result_privatekey.public_key
|
|
- "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'"
|
|
- "result.subject.commonName == 'www.example.com'"
|
|
- "result.issuer.commonName == 'Example CA'"
|
|
- not result.expired
|
|
- result.version == 3
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca v2 certificate
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_v2.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
ownca_version: 2
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_v2_certificate
|
|
ignore_errors: true
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate2
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert2.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr2.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Get certificate information
|
|
community.crypto.x509_certificate_info:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert2.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Get private key information
|
|
community.crypto.openssl_privatekey_info:
|
|
path: '{{ remote_tmp_dir }}/privatekey2.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result_privatekey
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Check ownca certificate2
|
|
assert:
|
|
that:
|
|
- result.public_key == result_privatekey.public_key
|
|
- "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'"
|
|
- "result.subject.commonName == 'www.example.com'"
|
|
- "result.subject.countryName == 'US'"
|
|
- "result.subject.localityName == 'Los Angeles'" # L
|
|
- "result.subject.organizationName == 'ACME Inc.'"
|
|
- "['organizationalUnitName', 'Pyrotechnics'] in result.subject_ordered"
|
|
- "['organizationalUnitName', 'Roadrunner pest control'] in result.subject_ordered"
|
|
- "result.issuer.commonName == 'Example CA'"
|
|
- not result.expired
|
|
- result.version == 3
|
|
- "'Digital Signature' in result.key_usage"
|
|
- "'IPSec User' in result.extended_key_usage"
|
|
- "'Biometric Info' in result.extended_key_usage"
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create ownca certificate with notBefore and notAfter
|
|
x509_certificate:
|
|
provider: ownca
|
|
ownca_not_before: 20181023133742Z
|
|
ownca_not_after: 20191023133742Z
|
|
path: "{{ remote_tmp_dir }}/ownca_cert3.pem"
|
|
csr_path: "{{ remote_tmp_dir }}/csr.csr"
|
|
privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem"
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create ownca certificate with relative notBefore and notAfter
|
|
x509_certificate:
|
|
provider: ownca
|
|
ownca_not_before: +1s
|
|
ownca_not_after: +52w
|
|
path: "{{ remote_tmp_dir }}/ownca_cert4.pem"
|
|
csr_path: "{{ remote_tmp_dir }}/csr.csr"
|
|
privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem"
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca ECC certificate
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_ecc.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_certificate_ecc
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_ecc_2.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert_pw.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem'
|
|
ownca_privatekey_passphrase: hunter2
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: selfsigned_certificate_passphrase
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 1)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_pw1.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
ownca_privatekey_passphrase: hunter2
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: passphrase_error_1
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 2)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_pw2.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
|
|
ownca_privatekey_passphrase: wrong_password
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: passphrase_error_2
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 3)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_pw3.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: passphrase_error_3
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create broken certificate
|
|
copy:
|
|
dest: "{{ remote_tmp_dir }}/ownca_broken.pem"
|
|
content: "broken"
|
|
- name: (OwnCA, {{select_crypto_backend}}) Regenerate broken cert
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_broken.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
register: ownca_broken
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Backup test
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
backup: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_backup_1
|
|
- name: (OwnCA, {{select_crypto_backend}}) Backup test (idempotent)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
backup: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_backup_2
|
|
- name: (OwnCA, {{select_crypto_backend}}) Backup test (change)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
backup: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_backup_3
|
|
- name: (OwnCA, {{select_crypto_backend}}) Backup test (remove)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem'
|
|
state: absent
|
|
provider: ownca
|
|
backup: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_backup_4
|
|
- name: (OwnCA, {{select_crypto_backend}}) Backup test (remove, idempotent)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem'
|
|
state: absent
|
|
provider: ownca
|
|
backup: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_backup_5
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
ownca_create_subject_key_identifier: always_create
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_subject_key_identifier_1
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (idempotency)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
ownca_create_subject_key_identifier: always_create
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_subject_key_identifier_2
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (remove)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
ownca_create_subject_key_identifier: never_create
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_subject_key_identifier_3
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (remove idempotency)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
ownca_create_subject_key_identifier: never_create
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_subject_key_identifier_4
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (re-enable)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
ownca_create_subject_key_identifier: always_create
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_subject_key_identifier_5
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
ownca_create_authority_key_identifier: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_authority_key_identifier_1
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (idempotency)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
ownca_create_authority_key_identifier: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_authority_key_identifier_2
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (remove)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
ownca_create_authority_key_identifier: no
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_authority_key_identifier_3
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (remove idempotency)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
ownca_create_authority_key_identifier: no
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_authority_key_identifier_4
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (re-add)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
ownca_create_authority_key_identifier: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: ownca_authority_key_identifier_5
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Ed25519 and Ed448 tests (for cryptography >= 2.6)
|
|
block:
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate privatekeys
|
|
openssl_privatekey:
|
|
path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
|
|
type: '{{ item }}'
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
register: ownca_certificate_ed25519_ed448_privatekey
|
|
ignore_errors: yes
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate CSR etc. if private key generation succeeded
|
|
when: ownca_certificate_ed25519_ed448_privatekey is not failed
|
|
block:
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate CSR
|
|
openssl_csr:
|
|
path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
ignore_errors: yes
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_{{ item }}.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
register: ownca_certificate_ed25519_ed448
|
|
ignore_errors: yes
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (idempotent)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_{{ item }}.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
register: ownca_certificate_ed25519_ed448_idempotence
|
|
ignore_errors: yes
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate CA privatekey
|
|
openssl_privatekey:
|
|
path: '{{ remote_tmp_dir }}/ca_privatekey_{{ item }}.pem'
|
|
type: '{{ item }}'
|
|
cipher: auto
|
|
passphrase: Test123
|
|
ignore_errors: yes
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR
|
|
openssl_csr:
|
|
path: '{{ remote_tmp_dir }}/ca_csr_{{ item }}.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_{{ item }}.pem'
|
|
privatekey_passphrase: Test123
|
|
subject:
|
|
commonName: Example CA
|
|
useCommonNameForSAN: no
|
|
basic_constraints:
|
|
- 'CA:TRUE'
|
|
basic_constraints_critical: yes
|
|
key_usage:
|
|
- cRLSign
|
|
- keyCertSign
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
ignore_errors: yes
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ca_cert_{{ item }}.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/ca_csr_{{ item }}.csr'
|
|
privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_{{ item }}.pem'
|
|
privatekey_passphrase: Test123
|
|
provider: selfsigned
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
ignore_errors: yes
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_{{ item }}_2.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert_{{ item }}.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_{{ item }}.pem'
|
|
ownca_privatekey_passphrase: Test123
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
register: ownca_certificate_ed25519_ed448_2
|
|
ignore_errors: yes
|
|
|
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (idempotent)
|
|
x509_certificate:
|
|
path: '{{ remote_tmp_dir }}/ownca_cert_{{ item }}_2.pem'
|
|
csr_path: '{{ remote_tmp_dir }}/csr.csr'
|
|
ownca_path: '{{ remote_tmp_dir }}/ca_cert_{{ item }}.pem'
|
|
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_{{ item }}.pem'
|
|
ownca_privatekey_passphrase: Test123
|
|
provider: ownca
|
|
ownca_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
register: ownca_certificate_ed25519_ed448_2_idempotence
|
|
ignore_errors: yes
|
|
|
|
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=')
|
|
|
|
- import_tasks: ../tests/validate_ownca.yml
|