Role to provision and manage one or multiple PKIs on the target server.
The EasyRSA script is used as the 'backend' to simplify the automation process.
Tested:
```bash
# latest
ansible-galaxy role install git+https://github.com/ansibleguy/infra_pki

# from galaxy
ansible-galaxy install ansibleguy.infra_pki

# or to custom role-path
ansible-galaxy install ansibleguy.infra_pki --roles-path ./roles

# install dependencies
ansible-galaxy install -r requirements.yml
```
You want a simple Ansible GUI? Check out my Ansible WebUI
Define the config as needed:
You can find a more detailed example here: Example
```yaml
pki:
  crl_distribution:
    domain: 'crl.ansibleguy.net'

  instances:
    root:
      pwd_ca: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        ...

      sub_cas:
        main:
          pwd_ca: !vault |
            $ANSIBLE_VAULT;1.1;AES256
            ...

          certs:
            server:  # server certificates
              ansibleguy_net:
                cn: 'AnsibleGuy Website'
                san:
                  dns: ['www.ansibleguy.net', 'ansibleguy.net']
                  ip: '135.181.170.217'
                  uri: 'https://www-ansibleguy.net'

            client:  # client certificates
              workstation1:
                cn: 'AnsibleGuy Workstation'
```
You might want to use 'ansible-vault' to encrypt your passwords:

```bash
ansible-vault encrypt_string
```
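The role does not validate every setting you pass to it, so a pre-flight check of the `pki` structure before the play runs is worthwhile. The following is an added example written for this README and not part of the role: it walks the layout shown above (`pwd_ca`, `sub_cas`, `certs`, `cn`, `san.dns/ip/uri` are taken from the sample; the checks themselves, such as flagging a `pwd_ca` that is not a vault literal, are this example's own assumptions) over a vars dict and reports anything that would be wrong once the play is applied.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Hostname label rule: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def _valid_ip(value):
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False

# One validator per key of the README's 'san' mapping (dns is a list; ip and uri may be scalars).
SAN_CHECKS = {"dns": HOSTNAME_RE.match, "ip": _valid_ip,
              "uri": lambda u: bool(urlparse(u).scheme and urlparse(u).netloc)}

def _check_cert(path, cert, problems):
    if not cert.get("cn"):
        problems.append(f"{path}: cn is missing")
    for key, ok in SAN_CHECKS.items():
        values = cert.get("san", {}).get(key, [])
        for value in ([values] if isinstance(values, str) else values):
            if not ok(value):
                problems.append(f"{path}: invalid {key} SAN {value!r}")

def _check_ca(path, ca, problems):
    # One CA or sub-CA: the password must be a vault literal (assumed rule), then recurse.
    if not str(ca.get("pwd_ca", "")).lstrip().startswith("$ANSIBLE_VAULT"):
        problems.append(f"{path}: pwd_ca is missing or stored in plaintext (not vault-encrypted)")
    for name, sub in ca.get("sub_cas", {}).items():
        _check_ca(f"{path}.sub_cas.{name}", sub, problems)
    for kind, certs in ca.get("certs", {}).items():
        for name, cert in certs.items():
            _check_cert(f"{path}.certs.{kind}.{name}", cert, problems)

def validate_pki(config):
    """Return the problems found in a 'pki' config dict; an empty list means it passed."""
    problems, pki = [], config.get("pki", {})
    if not pki.get("crl_distribution", {}).get("domain"):
        problems.append("pki.crl_distribution.domain is not set (hard to change later)")
    for name, root in pki.get("instances", {}).items():
        _check_ca(f"pki.instances.{name}", root, problems)
    return problems

# Constructed sample in the README's layout; one deliberate defect: a plaintext sub-CA password.
SAMPLE = {"pki": {"crl_distribution": {"domain": "crl.ansibleguy.net"}, "instances": {"root": {
    "pwd_ca": "$ANSIBLE_VAULT;1.1;AES256\n...", "sub_cas": {"main": {"pwd_ca": "changeme", "certs": {
        "server": {"ansibleguy_net": {"cn": "AnsibleGuy Website", "san": {
            "dns": ["www.ansibleguy.net", "ansibleguy.net"], "ip": "135.181.170.217",
            "uri": "https://www-ansibleguy.net"}}},
        "client": {"workstation1": {"cn": "AnsibleGuy Workstation"}}}}}}}}}
```

Run `validate_pki()` over the vars loaded from your own file (with `!vault` values left as their raw `$ANSIBLE_VAULT` text) and fix every reported path before the playbook runs.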
Run the playbook:

```bash
ansible-playbook -K -D -i inventory/hosts.yml playbook_pki.yml
```
There is also an 'entrypoint' for managing single certificates; this can be useful if they are automagically managed by other roles.

```bash
# to run it interactively
ansible-playbook -K -D -i inventory/hosts.yml playbook_single_cert.yml
```
There are also some useful tags available:
To debug errors, you can set the 'debug' variable at runtime:

```bash
# WARNING: Will log passwords!
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes
```
Note: `--check` mode is not supported by this role as it heavily depends on scripted command-tasks.
- Package installation
- Configuration
- Usage of a group to allow read-only access to public keys
Default config:

- Paths:
- PKI user: 'pki'
- Read-only group: 'pki_read'
- EasyRSA vars:
- Certificates:

Default opt-ins:

- Adding a dedicated PKI user and read-only group
- Saving CA/Sub-CA/Certificate passwords to files for easier automation
- Installation and configuration of an Nginx webserver to serve CRLs and CA public keys (not yet implemented)

Default opt-outs:

- Purging of orphaned (existing but not configured) certificates
- Encryption of certificate private keys (non CA/Sub-CA)
Note: Most of the role's functionality can be opted in or out.
For all available options, see the default config located in the main defaults file!
Info: To make sure the role config 'behaves' as expected, it is tested using molecule!
For example: the certificate attributes, file and directory permissions and ownership are checked after generating multiple certificates using multiple Root and Sub-CAs.
Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!
Note: If you want to read more about PKI's and certificates:
Warning: For better protection against a CA compromise you should:
Remove the ca.key file from your online system using a 'secure-deletion' tool like 'shred':

```bash
shred -vzu -n10 ca.key
```
Note: You have multiple options to supply the CA/Sub-CA/Certificate passwords:
Note: Certificate variables you set on:
Note: You can find scripts for automated certificate-expiration monitoring that can be integrated with monitoring systems like Zabbix at files/usr/local/bin/monitoring.
Warning: The CRL-distribution settings CANNOT BE CHANGED easily. All existing certificates would have to be re-generated once the settings are changed.
Note: The 'cert_expire' variable of the root CA also sets the validity period of its sub-CAs!
Note: Passwords used for CA/Sub-CA/Certificate encryption are checked against complexity rules:
Note: Certificate states can be set to either: