--- # Copyright (c) Ansible Project # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) # SPDX-License-Identifier: GPL-3.0-or-later - name: "({{ select_crypto_backend }}) Generate privatekey" community.crypto.openssl_privatekey: path: '{{ remote_tmp_dir }}/{{ item }}.pem' size: '{{ default_rsa_key_size_certificates }}' loop: - privatekey - privatekey2 - name: "({{ select_crypto_backend }}) Generate CSRs" community.crypto.openssl_csr: privatekey_path: '{{ remote_tmp_dir }}/{{ item.key }}.pem' path: '{{ remote_tmp_dir }}/{{ item.name }}.csr' subject: commonName: '{{ item.cn }}' select_crypto_backend: '{{ select_crypto_backend }}' loop: - name: cert key: privatekey cn: www.ansible.com - name: cert-2 key: privatekey cn: ansible.com - name: cert-3 key: privatekey2 cn: example.com - name: cert-4 key: privatekey2 cn: example.org ## Self Signed - name: "({{ select_crypto_backend }}) Generate self-signed certificate (check mode)" community.crypto.x509_certificate_pipe: provider: selfsigned privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' selfsigned_not_before: 20181023133742Z selfsigned_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert.csr' select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true register: generate_certificate_check - name: "({{ select_crypto_backend }}) Generate self-signed certificate" community.crypto.x509_certificate_pipe: provider: selfsigned privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' selfsigned_not_before: 20181023133742Z selfsigned_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert.csr' select_crypto_backend: '{{ select_crypto_backend }}' register: generate_certificate - name: "({{ select_crypto_backend }}) Generate self-signed certificate (idempotent)" community.crypto.x509_certificate_pipe: provider: selfsigned content: "{{ generate_certificate.certificate }}" privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' selfsigned_not_before: 20181023133742Z selfsigned_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert.csr' select_crypto_backend: '{{ select_crypto_backend }}' register: generate_certificate_idempotent - name: "({{ select_crypto_backend }}) Generate self-signed certificate (idempotent, check mode)" community.crypto.x509_certificate_pipe: provider: selfsigned content: "{{ generate_certificate.certificate }}" privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' selfsigned_not_before: 20181023133742Z selfsigned_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert.csr' select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true register: generate_certificate_idempotent_check - name: "({{ select_crypto_backend }}) Generate self-signed certificate (changed)" community.crypto.x509_certificate_pipe: provider: selfsigned content: "{{ generate_certificate.certificate }}" privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' selfsigned_not_before: 20181023133742Z selfsigned_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert-2.csr' select_crypto_backend: '{{ select_crypto_backend }}' register: generate_certificate_changed - name: "({{ select_crypto_backend }}) Generate self-signed certificate (changed, check mode)" community.crypto.x509_certificate_pipe: provider: selfsigned content: "{{ generate_certificate.certificate }}" privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' selfsigned_not_before: 20181023133742Z selfsigned_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert-2.csr' select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true register: generate_certificate_changed_check - name: "({{ select_crypto_backend }}) Validate certificate (test - privatekey modulus)" ansible.builtin.command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' register: privatekey_modulus - name: "({{ select_crypto_backend }}) Validate certificate (test - Common Name)" ansible.builtin.command: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq" args: stdin: "{{ generate_certificate.certificate }}" register: certificate_cn - name: "({{ select_crypto_backend }}) Validate certificate (test - certificate modulus)" ansible.builtin.command: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin' args: stdin: "{{ generate_certificate.certificate }}" register: certificate_modulus - name: "({{ select_crypto_backend }}) Validate certificate (assert)" ansible.builtin.assert: that: - certificate_cn.stdout.split('=')[-1] == 'www.ansible.com' - certificate_modulus.stdout == privatekey_modulus.stdout - name: "({{ select_crypto_backend }}) Validate certificate (check mode, idempotency)" ansible.builtin.assert: that: - generate_certificate_check is changed - generate_certificate is changed - generate_certificate_idempotent is not changed - generate_certificate_idempotent_check is not changed - generate_certificate_changed is changed - generate_certificate_changed_check is changed ## Own CA - name: "({{ select_crypto_backend }}) Generate own CA certificate (check mode)" community.crypto.x509_certificate_pipe: provider: ownca ownca_content: '{{ generate_certificate.certificate }}' ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_not_before: 20181023133742Z ownca_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert-3.csr' select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true register: ownca_generate_certificate_check - name: "({{ select_crypto_backend }}) Generate own CA certificate" community.crypto.x509_certificate_pipe: provider: ownca ownca_content: '{{ generate_certificate.certificate }}' ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_not_before: 20181023133742Z ownca_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert-3.csr' select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_generate_certificate - name: "({{ select_crypto_backend }}) Generate own CA certificate (idempotent)" community.crypto.x509_certificate_pipe: provider: ownca content: "{{ ownca_generate_certificate.certificate }}" ownca_content: '{{ generate_certificate.certificate }}' ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_not_before: 20181023133742Z ownca_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert-3.csr' select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_generate_certificate_idempotent - name: "({{ select_crypto_backend }}) Generate own CA certificate (idempotent, check mode)" community.crypto.x509_certificate_pipe: provider: ownca content: "{{ ownca_generate_certificate.certificate }}" ownca_content: '{{ generate_certificate.certificate }}' ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_not_before: 20181023133742Z ownca_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert-3.csr' select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true register: ownca_generate_certificate_idempotent_check - name: "({{ select_crypto_backend }}) Generate own CA certificate (changed)" community.crypto.x509_certificate_pipe: provider: ownca content: "{{ ownca_generate_certificate.certificate }}" ownca_content: '{{ generate_certificate.certificate }}' ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_not_before: 20181023133742Z ownca_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert-4.csr' select_crypto_backend: '{{ select_crypto_backend }}' register: ownca_generate_certificate_changed - name: "({{ select_crypto_backend }}) Generate own CA certificate (changed, check mode)" community.crypto.x509_certificate_pipe: provider: ownca content: "{{ ownca_generate_certificate.certificate }}" ownca_content: '{{ generate_certificate.certificate }}' ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' ownca_not_before: 20181023133742Z ownca_not_after: 20191023133742Z csr_path: '{{ remote_tmp_dir }}/cert-4.csr' select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true register: ownca_generate_certificate_changed_check - name: "({{ select_crypto_backend }}) Validate certificate (test - privatekey modulus)" ansible.builtin.command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey2.pem' register: privatekey_modulus - name: "({{ select_crypto_backend }}) Validate certificate (test - Common Name)" ansible.builtin.command: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq" args: stdin: "{{ ownca_generate_certificate.certificate }}" register: certificate_cn - name: "({{ select_crypto_backend }}) Validate certificate (test - certificate modulus)" ansible.builtin.command: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin' args: stdin: "{{ ownca_generate_certificate.certificate }}" register: certificate_modulus - name: "({{ select_crypto_backend }}) Validate certificate (assert)" ansible.builtin.assert: that: - certificate_cn.stdout.split('=')[-1] == 'example.com' - certificate_modulus.stdout == privatekey_modulus.stdout - name: "({{ select_crypto_backend }}) Validate certificate (check mode, idempotency)" ansible.builtin.assert: that: - ownca_generate_certificate_check is changed - ownca_generate_certificate is changed - ownca_generate_certificate_idempotent is not changed - ownca_generate_certificate_idempotent_check is not changed - ownca_generate_certificate_changed is changed - ownca_generate_certificate_changed_check is changed