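---
# Integration tests for the `assertonly` provider of x509_certificate.
#
# Flow: generate an RSA key and a passphrase-protected RSA key, two CSRs
# (with and without a subjectAltName), two self-signed certificates from
# those CSRs, and then verify that `provider: assertonly`
#   - fails when an expected extension (SAN, keyUsage, extendedKeyUsage)
#     is absent and succeeds when the expected SAN set is present;
#   - fails when the certificate does not match the supplied private key;
#   - fails when a passphrase is wrong, missing, or given for an
#     unencrypted key.
# `select_crypto_backend` is provided by the caller; each task name echoes
# it so failures can be attributed to a backend in the test log.

# Unencrypted throwaway key. No backend is selected here, so the module
# default applies (the certificate tasks below pass the backend explicitly).
- name: (Assertonly, {{select_crypto_backend}}) - Generate privatekey
  openssl_privatekey:
    path: '{{ remote_tmp_dir }}/privatekey.pem'
    size: '{{ default_rsa_key_size_certifiates }}'

# Passphrase-protected key. "hunter2" is a fixture value for this test and
# must never be reused as a real secret. The backend is pinned to
# `cryptography` rather than templated — presumably because of how
# `cipher: auto` is handled by the other backend; confirm before changing.
- name: (Assertonly, {{select_crypto_backend}}) - Generate privatekey with password
  openssl_privatekey:
    path: '{{ remote_tmp_dir }}/privatekeypw.pem'
    passphrase: hunter2
    cipher: auto
    select_crypto_backend: cryptography
    size: '{{ default_rsa_key_size_certifiates }}'

# CSR with no extensions at all. useCommonNameForSAN is disabled so no SAN
# is synthesised from the CN; the certificate built from this CSR is the
# negative fixture for the "missing extension" assertions.
- name: (Assertonly, {{select_crypto_backend}}) - Generate CSR (no extensions)
  openssl_csr:
    path: '{{ remote_tmp_dir }}/csr_noext.csr'
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    subject:
      commonName: www.example.com
    useCommonNameForSAN: false

# CSR with an explicit subjectAltName: one DNS name plus IPv4 and IPv6
# loopback. Entries are quoted; "IP:::1" is the prefix "IP:" followed by
# the address "::1".
- name: (Assertonly, {{select_crypto_backend}}) - Generate CSR (with SANs)
  openssl_csr:
    path: '{{ remote_tmp_dir }}/csr_sans.csr'
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    subject:
      commonName: www.example.com
    subject_alt_name:
      - "DNS:ansible.com"
      - "IP:127.0.0.1"
      - "IP:::1"
    useCommonNameForSAN: false

# Self-signed certificate without extensions, signed with SHA-256.
- name: (Assertonly, {{select_crypto_backend}}) - Generate selfsigned certificate (no extensions)
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_noext.pem'
    csr_path: '{{ remote_tmp_dir }}/csr_noext.csr'
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    provider: selfsigned
    selfsigned_digest: sha256
    select_crypto_backend: '{{ select_crypto_backend }}'

# Self-signed certificate carrying the SANs from csr_sans.csr.
- name: (Assertonly, {{select_crypto_backend}}) - Generate selfsigned certificate (with SANs)
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_sans.pem'
    csr_path: '{{ remote_tmp_dir }}/csr_sans.csr'
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    provider: selfsigned
    selfsigned_digest: sha256
    select_crypto_backend: '{{ select_crypto_backend }}'

# Negative case: asserting a SAN on a certificate that has no SAN extension
# must fail. ignore_errors keeps the play running so the failure can be
# inspected in the assert task below.
- name: (Assertonly, {{select_crypto_backend}}) - Assert that subject_alt_name is there (should fail)
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_noext.pem'
    provider: assertonly
    subject_alt_name:
      - "DNS:example.com"
    select_crypto_backend: '{{ select_crypto_backend }}'
  ignore_errors: true
  register: extension_missing_san

# Positive case: every listed SAN is present in cert_sans.pem (non-strict
# mode, i.e. the certificate may carry additional SANs).
- name: (Assertonly, {{select_crypto_backend}}) - Assert that subject_alt_name is there
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_sans.pem'
    provider: assertonly
    subject_alt_name:
      - "DNS:ansible.com"
      - "IP:127.0.0.1"
      - "IP:::1"
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: extension_san

# Positive case, strict mode: the SAN set must match exactly. This is the
# check a reviewer cares about — a certificate with an unexpected extra SAN
# must not pass strict validation.
- name: (Assertonly, {{select_crypto_backend}}) - Assert that subject_alt_name is there (strict)
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_sans.pem'
    provider: assertonly
    subject_alt_name:
      - "DNS:ansible.com"
      - "IP:127.0.0.1"
      - "IP:::1"
    subject_alt_name_strict: true
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: extension_san_strict

# Negative case: keyUsage is absent from cert_noext.pem.
- name: (Assertonly, {{select_crypto_backend}}) - Assert that key_usage is there (should fail)
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_noext.pem'
    provider: assertonly
    key_usage:
      - digitalSignature
    select_crypto_backend: '{{ select_crypto_backend }}'
  ignore_errors: true
  register: extension_missing_ku

# Negative case: extendedKeyUsage is absent from cert_noext.pem.
- name: (Assertonly, {{select_crypto_backend}}) - Assert that extended_key_usage is there (should fail)
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_noext.pem'
    provider: assertonly
    extended_key_usage:
      - biometricInfo
    select_crypto_backend: '{{ select_crypto_backend }}'
  ignore_errors: true
  register: extension_missing_eku

# The message substrings pin the exact "missing extension" wording so a
# regression that fails for a different reason is not mistaken for a pass.
- name: (Assertonly, {{select_crypto_backend}}) - Assert extension results
  assert:
    that:
      - extension_missing_san is failed
      - "'Found no subjectAltName extension' in extension_missing_san.msg"
      - extension_san is succeeded
      - extension_san_strict is succeeded
      - extension_missing_ku is failed
      - "'Found no keyUsage extension' in extension_missing_ku.msg"
      - extension_missing_eku is failed
      - "'Found no extendedKeyUsage extension' in extension_missing_eku.msg"

# Key/certificate mismatch: cert_noext.pem was signed with privatekey.pem,
# so supplying privatekeypw.pem (with its correct passphrase) must fail on
# the mismatch, not on decryption.
- name: (Assertonly, {{select_crypto_backend}}) - Check wrong key fail
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_noext.pem'
    privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
    privatekey_passphrase: hunter2
    provider: assertonly
    select_crypto_backend: '{{ select_crypto_backend }}'
  ignore_errors: true
  register: private_key_error

# Passphrase given for a key that is not encrypted.
- name: (Assertonly, {{select_crypto_backend}}) - Check private key passphrase fail 1
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_noext.pem'
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    privatekey_passphrase: hunter2
    provider: assertonly
    select_crypto_backend: '{{ select_crypto_backend }}'
  ignore_errors: true
  register: passphrase_error_1

# Wrong passphrase for an encrypted key.
- name: (Assertonly, {{select_crypto_backend}}) - Check private key passphrase fail 2
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_noext.pem'
    privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
    privatekey_passphrase: wrong_password
    provider: assertonly
    select_crypto_backend: '{{ select_crypto_backend }}'
  ignore_errors: true
  register: passphrase_error_2

# No passphrase for an encrypted key.
- name: (Assertonly, {{select_crypto_backend}}) - Check private key passphrase fail 3
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_noext.pem'
    privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
    provider: assertonly
    select_crypto_backend: '{{ select_crypto_backend }}'
  ignore_errors: true
  register: passphrase_error_3

# The passphrase checks match on 'assphrase' / 'assword' so that both
# "Passphrase"/"passphrase" and "Password"/"password" wordings are accepted
# across backends; 'serializ' additionally covers a backend that reports
# a failed key deserialization instead of a passphrase error (presumably
# the cryptography backend — confirm if the allowed set is tightened).
- name: (Assertonly, {{select_crypto_backend}}) - Assert key mismatch and passphrase results
  assert:
    that:
      - private_key_error is failed
      - "'Certificate and private key ' in private_key_error.msg and ' do not match' in private_key_error.msg"
      - passphrase_error_1 is failed
      - "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
      - passphrase_error_2 is failed
      - "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
      - passphrase_error_3 is failed
      - "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"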