Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Create CA and Client Certificates on a protected CA Server, and transfer to them to your nodes, using Ansible

Create CA and Client Certificates on a protected CA Server, and transfer to them to your nodes, using Ansible

This is based on https://kapuablog.wordpress.com/2019/11/26/ansible-reading-a-remote-yaml-file/

It has been used in $my_service to generate client certificates on a protected Certificate Authority (CA) server (accessible only to my Ansible Tower/AWX server) and is then distributed to the client nodes.

- hosts: all
tasks:
- name: Create Client Certificate
become: true
delegate_to: "{{ ca_server }}"
shell:
cmd: "/opt/my_service/create_cert -name {{ inventory_hostname }}"
chdir: /etc/my_service
creates: "/etc/my_service/{{ inventory_hostname }}.crt"
- name: Read CA.crt, node.crt and node.key
# Based on https://kapuablog.wordpress.com/2019/11/26/ansible-reading-a-remote-yaml-file/
become: true
delegate_to: "{{ ca_server }}"
command: "cat '/etc/my_service/{{ item }}'"
register: keymaterials
loop:
- ca.crt
- "{{ inventory_hostname }}.crt"
- "{{ inventory_hostname }}.key"
- name: Transfer certificates to target
become: true
copy:
content: "{{ item.stdout }}"
dest: "/etc/my_service/{{ item.item }}"
owner: root
group: root
mode: 0700
loop: "{{ keymaterials.results | default([]) }}"
loop_control:
label: "{{ item.item }}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.