A simple ansible playbook to create a new self-signed certificate
---
# The openssl_* modules below live in the community.crypto collection on
# Ansible >= 2.10 (ansible-galaxy collection install community.crypto);
# on Ansible 2.9 they ship with ansible itself.
- hosts: localhost
  vars:
    dnsname: your.dns.name
    tmppath: "./tmp/"
    crtpath: "{{ tmppath }}{{ dnsname }}.crt"
    pempath: "{{ tmppath }}{{ dnsname }}.pem"
    csrpath: "{{ tmppath }}{{ dnsname }}.csr"
    pfxpath: "{{ tmppath }}{{ dnsname }}.pfx"
    # Placeholder secret: keep the real value in Ansible Vault, not in the playbook.
    private_key_password: "password"
  tasks:
    - name: "Start from an empty working directory"
      file:
        path: "{{ tmppath }}"
        state: absent
    - name: "Create the working directory, readable only by the current user"
      file:
        path: "{{ tmppath }}"
        state: directory
        mode: "0700"
    - name: "Generate the private key file to sign the CSR"
      openssl_privatekey:
        path: "{{ pempath }}"
        passphrase: "{{ private_key_password }}"
        # aes256 is a pyOpenSSL-backend value; with the cryptography backend
        # (the community.crypto default) the module expects cipher: auto.
        cipher: aes256
        mode: "0600"
    - name: "Generate the CSR file signed with the private key"
      openssl_csr:
        path: "{{ csrpath }}"
        privatekey_path: "{{ pempath }}"
        privatekey_passphrase: "{{ private_key_password }}"
        common_name: "{{ dnsname }}"
    - name: "Sign the CSR file as a CA to turn it into a certificate"
      # community.crypto now names this module x509_certificate; openssl_certificate is an alias.
      openssl_certificate:
        path: "{{ crtpath }}"
        privatekey_path: "{{ pempath }}"
        privatekey_passphrase: "{{ private_key_password }}"
        csr_path: "{{ csrpath }}"
        provider: selfsigned
    - name: "Convert the signed certificate into a PKCS12 file with the attached private key"
      openssl_pkcs12:
        action: export
        path: "{{ pfxpath }}"
        name: "{{ dnsname }}"
        privatekey_path: "{{ pempath }}"
        privatekey_passphrase: "{{ private_key_password }}"
        # Placeholder export password; the .pfx bundles the private key, so protect it like the key.
        passphrase: password
        certificate_path: "{{ crtpath }}"
        state: present
@gnulux gnulux commented Jul 21, 2020

Hi,

Thanks for sharing. Do you know if it's possible to use the certificate file content instead of a path? I don't want to store my private key on the remote host; it could be forgotten.
I mean:

openssl_certificate:
  path: |
    {{ csrcontent }}
  privatekey_path: |
    {{ private_key_content }}
  privatekey_passphrase: "{{ private_key_password }}"
  csr_path: "{{ csrcontent }}"
  provider: selfsigned

@JonTheNiceGuy JonTheNiceGuy commented Jul 21, 2020

From a quick scan of the openssl_certificate_module documentation it looks like you can't. It might be worth creating the file briefly and then removing it straight after the action?

@gnulux gnulux commented Jul 21, 2020

@JonTheNiceGuy JonTheNiceGuy commented Jul 22, 2020

Understood. However, it's probably worth raising it as a feature request on the Ansible project.

I should note, however, that although Ansible works by running commands over SSH, the way it does that is to transfer a Python script to the managed node over SFTP to a temp directory, and then execute it. As such, the Ansible task would have written your private key to the disk on your managed node, albeit only for the duration of that task.

If you're significantly concerned about writing your private key to the remote node, why not generate your certificates locally, using the delegate_to: localhost command, like this:

- hosts: all
  tasks:
  - some_module:
      argument: somevalue
    delegate_to: localhost
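The pattern suggested in the comment above, written out as an added example (this is not code from the gist or from either commenter): the private key, CSR and self-signed certificate are generated once on the control node with delegate_to: localhost and run_once, and only the public certificate is copied to the managed hosts, so the key never crosses SSH or touches a remote temp directory. The inventory group name webservers, the destination path /etc/ssl/certs and the file ownership are assumptions for illustration; the community.crypto collection is assumed to be installed on the control node.

```yaml
---
# Added example, not part of the original gist. Generates key material on the
# control node only and distributes just the certificate to the managed hosts.
# Assumed: inventory group "webservers", /etc/ssl/certs as destination,
# community.crypto installed where ansible-playbook runs.
- hosts: webservers
  vars:
    dnsname: your.dns.name
    tmppath: "./tmp/"
    pempath: "{{ tmppath }}{{ dnsname }}.pem"
    csrpath: "{{ tmppath }}{{ dnsname }}.csr"
    crtpath: "{{ tmppath }}{{ dnsname }}.crt"
  tasks:
    - name: Create the working directory on the control node
      file:
        path: "{{ tmppath }}"
        state: directory
        mode: "0700"
      delegate_to: localhost
      run_once: true

    - name: Generate the private key on the control node only
      openssl_privatekey:
        path: "{{ pempath }}"
        mode: "0600"
      delegate_to: localhost
      run_once: true

    - name: Generate the CSR on the control node
      openssl_csr:
        path: "{{ csrpath }}"
        privatekey_path: "{{ pempath }}"
        common_name: "{{ dnsname }}"
        # Modern clients match the SAN, not the CN, so set both.
        subject_alt_name: "DNS:{{ dnsname }}"
      delegate_to: localhost
      run_once: true

    - name: Self-sign the CSR on the control node
      openssl_certificate:
        path: "{{ crtpath }}"
        privatekey_path: "{{ pempath }}"
        csr_path: "{{ csrpath }}"
        provider: selfsigned
      delegate_to: localhost
      run_once: true

    # Only the public certificate is transferred; no private material leaves localhost.
    - name: Copy the certificate to each managed host
      copy:
        src: "{{ crtpath }}"
        dest: "/etc/ssl/certs/{{ dnsname }}.crt"
        owner: root
        group: root
        mode: "0644"
      become: true
```

This keeps the key off the managed nodes entirely, which is what the thread is after. If a service on the remote host has to terminate TLS with that certificate, the key must land on the remote disk regardless of how it is transferred, and then the realistic control is to restrict its mode and owner and mark the task no_log: true rather than to avoid the file.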
@gnulux gnulux commented Jul 22, 2020
