Venafi / ansible-collection-venafi

Ansible collection for managing machine identities (certificates and keys) using Venafi
Apache License 2.0

Enable Service Generated CSR Requests for Certificate Requests #5

Closed Kerrida closed 2 years ago

Kerrida commented 2 years ago

BUSINESS PROBLEM

Currently the venafi.machine_identity Ansible collection only supports locally generated CSRs. This prevents being able to initiate a request where the CSR is Service Generated via the Ansible module, which is the preferred method set by the admins of our TPP instance. My team is looking to automate certificate requests during server build, and Ansible is one of our key tools in our process.

PROPOSED SOLUTION

As this is already implemented in vcert-python, we can modify the venafi_certificate.py plugin to support a new csr_origin parameter that can be passed via the Ansible playbook/role. Additional checks should be added to ensure that any options that are required for (or conflict with) the chosen csr_origin are properly handled.

Additionally, the section where the chain, cert, and key are written to files will need to be modified to support copying the private key from where it is stored, since it will not be generated locally.

CURRENT ALTERNATIVES

Currently we are manually requesting certificates through the web portal. The only alternative to do this via Ansible at this time would be to make direct calls to the API via URI.

VENAFI EXPERIENCE

While Venafi TPP has been used within the company for a while, I myself have only just begun working with it as part of this effort with server builds.
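An added example, not code from the collection or from the issue author, of the option checks the proposal asks for: a stand-alone validator for a csr_origin parameter that flags options which conflict with, or are required by, the chosen origin, plus a helper telling the file-writing step whether the private key is generated locally or copied from the service response. The origin values and all option names other than csr_origin are assumptions modelled on the proposal, and the requirement that a service-generated key be retrieved under a passphrase is assumed TPP behaviour.

```python
"""Stand-alone checks for a proposed csr_origin option (added example;
option names other than csr_origin are assumptions, not the collection's
real argument_spec). Runs without Ansible installed."""

# Assumed values for the new option; "local" keeps today's behaviour.
CSR_ORIGINS = ("local", "service")


def check_csr_origin(params):
    """Return a list of validation errors for a module parameter dict.

    An empty list means the option combination is consistent with the
    chosen csr_origin. This is what required_if / mutually_exclusive
    would express in an AnsibleModule argument_spec.
    """
    errors = []
    origin = params.get("csr_origin", "local")
    if origin not in CSR_ORIGINS:
        return ["csr_origin must be one of %s, got %r"
                % (", ".join(CSR_ORIGINS), origin)]

    if origin == "service":
        # TPP produces both CSR and key, so a caller-supplied CSR or local
        # key-generation settings contradict the request.
        for opt in ("csr_path", "privatekey_type", "privatekey_size"):
            if params.get(opt) is not None:
                errors.append("%s conflicts with csr_origin=service" % opt)
        # Assumed TPP behaviour: the service-generated key is handed back
        # encrypted under a passphrase, so the request must carry one.
        if not params.get("privatekey_passphrase"):
            errors.append("privatekey_passphrase is required when csr_origin=service")

    # Whichever side generates the key, the module needs a destination for it
    # (written after local generation, or copied from the service response).
    if not params.get("privatekey_path"):
        errors.append("privatekey_path is required to store the private key")
    return errors


def key_source(params):
    """Tell the file-writing step where the private key comes from:
    'generate' (local key pair) or 'download' (copied from the TPP response)."""
    return "download" if params.get("csr_origin", "local") == "service" else "generate"
```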