Venafi / ansible-role-venafi

(END-OF-LIFE) Ansible Role that uses Venafi to streamline machine identity (certificate and key) acquisition.
Apache License 2.0
14 stars, 8 forks

Add support for enrolling user provided CSR #33

Open tr1ck3r opened 3 years ago

tr1ck3r commented 3 years ago

BUSINESS PROBLEM Some applications only support key pairs and CSRs that they generate themselves and do not allow import of externally generated private keys. A solution is needed that accepts a CSR as input to obtain a certificate for such cases.

PROPOSED SOLUTION Optionally allow a CSR file to be specified in the role configuration and, if specified, use it to enroll a certificate rather than generating a new key pair and CSR for enrolling a certificate. When the CSR file is specified, the privatekey_path (and other private key parameters) should not be required in the role configuration (ignored if they are present). The common_name and alt_name parameters should also not be required; rather, the CSR should be parsed to obtain their values.

There is currently a csr_path parameter declared and used in library/venafi_certificate.py that may have been intended to support this use case, but it seems the implementation is incomplete. The csr_path parameter is not declared in tasks/local-certificate.yml, which means no value can be assigned to it by a playbook using the role. Even when assigned a value, the behavior of the library is inconsistent with the user-provided CSR requirements: it seems to always generate a new key pair and write a private key file (which fails when privatekey_path is set to null, as would be logical). For the user-provided CSR use case we should assume the remote device already has the private key or it will be delivered to it by a separate process.

CURRENT ALTERNATIVES Use VCert-Python.
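As an added example (not the role's or the reporter's code), a Python sketch of the csr_path mode described in this issue: when a CSR is supplied, the private key parameters are ignored and CN/SANs are read from the CSR after its self-signature is verified. It assumes the `cryptography` package; `build_sample_csr_pem` constructs a stand-in CSR, and `enrollment_params`, `role_vars` and `csr_pem` are hypothetical names.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ExtensionOID


def build_sample_csr_pem():
    """Constructed sample CSR, standing in for one an application generated itself."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "app.example.test")]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName("app.example.test"),
                                                    x509.DNSName("app2.example.test")]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


def enrollment_params(role_vars, csr_pem=None):
    """Work out what the enrollment task should use (hypothetical helper).

    role_vars mirrors the role configuration (csr_path, privatekey_path,
    common_name, alt_name). With csr_path set, the CSR is the source of truth:
    key parameters are ignored, CN/SANs come from the CSR, and its self-signature
    is verified so a corrupted or tampered file is rejected before it reaches the CA.
    csr_pem lets a caller pass the PEM bytes directly instead of reading csr_path.
    """
    if not role_vars.get("csr_path"):
        # No CSR supplied: keep today's behaviour (generate key pair and CSR).
        return {"mode": "generate", "common_name": role_vars.get("common_name"),
                "alt_name": list(role_vars.get("alt_name") or []),
                "privatekey_path": role_vars.get("privatekey_path")}
    if csr_pem is None:
        with open(role_vars["csr_path"], "rb") as f:
            csr_pem = f.read()
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR self-signature does not verify; refusing to enroll")
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    try:
        san = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        alt_names = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        alt_names = []
    # privatekey_path is deliberately None: the key stays with the application.
    return {"mode": "user_csr", "common_name": cn[0].value if cn else None,
            "alt_name": alt_names, "privatekey_path": None}
```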