--- # Copyright (c) Ansible Project # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) # SPDX-License-Identifier: GPL-3.0-or-later - name: (Selfsigned, {{ select_crypto_backend }}) Generate privatekey community.crypto.openssl_privatekey: path: '{{ remote_tmp_dir }}/privatekey.pem' size: '{{ default_rsa_key_size_certificates }}' - name: (Selfsigned, {{ select_crypto_backend }}) Generate privatekey with password community.crypto.openssl_privatekey: path: '{{ remote_tmp_dir }}/privatekeypw.pem' passphrase: hunter2 select_crypto_backend: cryptography size: '{{ default_rsa_key_size_certificates }}' - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate without CSR community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_no_csr.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: selfsigned_certificate_no_csr - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate without CSR - idempotency community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_no_csr.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: selfsigned_certificate_no_csr_idempotence - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate without CSR (check mode) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_no_csr.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true register: selfsigned_certificate_no_csr_idempotence_check - name: (Selfsigned, {{ select_crypto_backend }}) Generate CSR community.crypto.openssl_csr: path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' subject: commonName: www.example.com - name: (Selfsigned, {{ select_crypto_backend }}) Generate CSR community.crypto.openssl_csr: path: '{{ remote_tmp_dir }}/csr_minimal_change.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' subject: commonName: www.example.org - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: selfsigned_certificate - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate - idempotency community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' return_content: true register: selfsigned_certificate_idempotence - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate (check mode) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate (check mode, other CSR) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert.pem' csr_path: '{{ remote_tmp_dir }}/csr_minimal_change.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' check_mode: true register: selfsigned_certificate_csr_minimal_change - name: (Selfsigned, {{ select_crypto_backend }}) Get certificate information community.crypto.x509_certificate_info: path: '{{ remote_tmp_dir }}/cert.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result - name: (Selfsigned, {{ select_crypto_backend }}) Get private key information community.crypto.openssl_privatekey_info: path: '{{ remote_tmp_dir }}/privatekey.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result_privatekey - name: (Selfsigned, {{ select_crypto_backend }}) Check selfsigned certificate ansible.builtin.assert: that: - result.public_key == result_privatekey.public_key - "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'" - "result.subject.commonName == 'www.example.com'" - not result.expired - result.version == 3 - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned v2 certificate community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_v2.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_version: 2 select_crypto_backend: "{{ select_crypto_backend }}" register: selfsigned_v2_cert ignore_errors: true - name: (Selfsigned, {{ select_crypto_backend }}) Generate privatekey2 community.crypto.openssl_privatekey: path: '{{ remote_tmp_dir }}/privatekey2.pem' size: '{{ default_rsa_key_size_certificates }}' - name: (Selfsigned, {{ select_crypto_backend }}) Generate CSR2 community.crypto.openssl_csr: subject: CN: www.example.com C: US ST: California L: Los Angeles O: ACME Inc. OU: - Roadrunner pest control - Pyrotechnics path: '{{ remote_tmp_dir }}/csr2.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem' keyUsage: - digitalSignature extendedKeyUsage: - ipsecUser - biometricInfo - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate2 community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert2.pem' csr_path: '{{ remote_tmp_dir }}/csr2.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' - name: (Selfsigned, {{ select_crypto_backend }}) Get certificate information community.crypto.x509_certificate_info: path: '{{ remote_tmp_dir }}/cert2.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result - name: (Selfsigned, {{ select_crypto_backend }}) Get private key information community.crypto.openssl_privatekey_info: path: '{{ remote_tmp_dir }}/privatekey2.pem' select_crypto_backend: '{{ select_crypto_backend }}' register: result_privatekey - name: (Selfsigned, {{ select_crypto_backend }}) Check selfsigned certificate2 ansible.builtin.assert: that: - result.public_key == result_privatekey.public_key - "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'" - "result.subject.commonName == 'www.example.com'" - "result.subject.countryName == 'US'" - "result.subject.localityName == 'Los Angeles'" # L - "result.subject.organizationName == 'ACME Inc.'" - "['organizationalUnitName', 'Pyrotechnics'] in result.subject_ordered" - "['organizationalUnitName', 'Roadrunner pest control'] in result.subject_ordered" - not result.expired - result.version == 3 - "'Digital Signature' in result.key_usage" - "'IPSec User' in result.extended_key_usage" - "'Biometric Info' in result.extended_key_usage" - name: (Selfsigned, {{ select_crypto_backend }}) Create private key 3 community.crypto.openssl_privatekey: path: "{{ remote_tmp_dir }}/privatekey3.pem" size: '{{ default_rsa_key_size_certificates }}' - name: (Selfsigned, {{ select_crypto_backend }}) Create CSR 3 community.crypto.openssl_csr: subject: CN: www.example.com privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem" path: "{{ remote_tmp_dir }}/csr3.pem" - name: (Selfsigned, {{ select_crypto_backend }}) Create certificate3 with notBefore and notAfter community.crypto.x509_certificate: provider: selfsigned selfsigned_not_before: 20181023133742Z selfsigned_not_after: 20191023133742Z path: "{{ remote_tmp_dir }}/cert3.pem" csr_path: "{{ remote_tmp_dir }}/csr3.pem" privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem" select_crypto_backend: '{{ select_crypto_backend }}' - name: (Selfsigned, {{ select_crypto_backend }}) Create certificate3 with notBefore and notAfter (idempotent) community.crypto.x509_certificate: provider: selfsigned selfsigned_not_before: 20181023133742Z selfsigned_not_after: 20191023133742Z ignore_timestamps: false path: "{{ remote_tmp_dir }}/cert3.pem" csr_path: "{{ remote_tmp_dir }}/csr3.pem" privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem" select_crypto_backend: '{{ select_crypto_backend }}' register: cert3_selfsigned_idem - name: (Selfsigned, {{ select_crypto_backend }}) Generate privatekey community.crypto.openssl_privatekey: path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' type: ECC curve: "{{ (ansible_facts.distribution == 'CentOS' and ansible_facts.distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}" # ^ cryptography on CentOS6 doesn't support secp256k1, so we use secp521r1 instead - name: (Selfsigned, {{ select_crypto_backend }}) Generate CSR community.crypto.openssl_csr: path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' subject: commonName: www.example.com - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_ecc.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_certificate_ecc - name: (Selfsigned, {{ select_crypto_backend }}) Generate CSR (privatekey passphrase) community.crypto.openssl_csr: path: '{{ remote_tmp_dir }}/csr_pass.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' privatekey_passphrase: hunter2 subject: commonName: www.example.com - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate (privatekey passphrase) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_pass.pem' csr_path: '{{ remote_tmp_dir }}/csr_pass.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' privatekey_passphrase: hunter2 provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_certificate_passphrase - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate (failed passphrase 1) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_pw1.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' privatekey_passphrase: hunter2 provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' ignore_errors: true register: passphrase_error_1 - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate (failed passphrase 2) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_pw2.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' privatekey_passphrase: wrong_password provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' ignore_errors: true register: passphrase_error_2 - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate (failed passphrase 3) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_pw3.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' ignore_errors: true register: passphrase_error_3 - name: (Selfsigned, {{ select_crypto_backend }}) Create broken certificate ansible.builtin.copy: dest: "{{ remote_tmp_dir }}/cert_broken.pem" content: "broken" - name: (Selfsigned, {{ select_crypto_backend }}) Regenerate broken cert community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_broken.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 register: selfsigned_broken - name: (Selfsigned, {{ select_crypto_backend }}) Backup test community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_backup_1 - name: (Selfsigned, {{ select_crypto_backend }}) Backup test (idempotent) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_backup_2 - name: (Selfsigned, {{ select_crypto_backend }}) Backup test (change) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem' csr_path: '{{ remote_tmp_dir }}/csr.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' provider: selfsigned selfsigned_digest: sha256 backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_backup_3 - name: (Selfsigned, {{ select_crypto_backend }}) Backup test (remove) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem' state: absent provider: selfsigned backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_backup_4 - name: (Selfsigned, {{ select_crypto_backend }}) Backup test (remove, idempotent) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem' state: absent provider: selfsigned backup: true select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_backup_5 - name: (Selfsigned, {{ select_crypto_backend }}) Create subject key identifier test community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_create_subject_key_identifier: always_create select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_subject_key_identifier_1 - name: (Selfsigned, {{ select_crypto_backend }}) Create subject key identifier test (idempotency) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_create_subject_key_identifier: always_create select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_subject_key_identifier_2 - name: (Selfsigned, {{ select_crypto_backend }}) Create subject key identifier test (remove) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_create_subject_key_identifier: never_create select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_subject_key_identifier_3 - name: (Selfsigned, {{ select_crypto_backend }}) Create subject key identifier test (remove idempotency) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_create_subject_key_identifier: never_create select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_subject_key_identifier_4 - name: (Selfsigned, {{ select_crypto_backend }}) Create subject key identifier test (re-enable) community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem' csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem' provider: selfsigned selfsigned_digest: sha256 selfsigned_create_subject_key_identifier: always_create select_crypto_backend: '{{ select_crypto_backend }}' register: selfsigned_subject_key_identifier_5 - name: (Selfsigned, {{ select_crypto_backend }}) Ed25519 and Ed448 tests (for cryptography >= 2.6) block: - name: (Selfsigned, {{ select_crypto_backend }}) Generate privatekeys community.crypto.openssl_privatekey: path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem' type: '{{ item }}' loop: - Ed25519 - Ed448 register: selfsigned_certificate_ed25519_ed448_privatekey ignore_errors: true - name: (Selfsigned, {{ select_crypto_backend }}) Generate CSR etc. if private key generation succeeded when: selfsigned_certificate_ed25519_ed448_privatekey is not failed block: - name: (Selfsigned, {{ select_crypto_backend }}) Generate CSR community.crypto.openssl_csr: path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem' subject: commonName: www.ansible.com select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 ignore_errors: true - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem' csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 register: selfsigned_certificate_ed25519_ed448 ignore_errors: true - name: (Selfsigned, {{ select_crypto_backend }}) Generate selfsigned certificate - idempotency community.crypto.x509_certificate: path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem' csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr' privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem' provider: selfsigned selfsigned_digest: sha256 select_crypto_backend: '{{ select_crypto_backend }}' loop: - Ed25519 - Ed448 register: selfsigned_certificate_ed25519_ed448_idempotence ignore_errors: true when: select_crypto_backend == 'cryptography' and cryptography_version is version('3.3', '>=') - ansible.builtin.import_tasks: ../tests/validate_selfsigned.yml