Diffstat (limited to 'playbooks/util/client_cert.yml')
-rw-r--r-- | playbooks/util/client_cert.yml | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/playbooks/util/client_cert.yml b/playbooks/util/client_cert.yml
new file mode 100644
index 0000000..c81b298
--- /dev/null
+++ b/playbooks/util/client_cert.yml
@@ -0,0 +1,71 @@
+- name: generate client certificate
+ hosts: localhost
+ connection: local
+ become: no
+ vars_prompt:
+ - name: username
+ prompt: Enter username for the certificate subject
+ private: no
+ - name: passphrase
+ prompt: Enter password for the p12 file
+ private: yes
+ vars:
+ cert_dir: "{{ lookup('env', 'HOME') }}/pki"
+ key_size: 2048
+ key_path: '{{ cert_dir }}/{{ username }}.key'
+ csr_path: '{{ cert_dir }}/{{ username }}.csr'
+ crt_path: '{{ cert_dir }}/{{ username }}.crt'
+ p12_path: '{{ cert_dir }}/{{ username }}.p12'
+ profile_id: caIPAclientAuth
+ tasks:
+ - name: create output directory
+ file:
+ path: '{{ cert_dir }}'
+ state: directory
+
+ - name: generate private key
+ openssl_privatekey:
+ path: '{{ key_path }}'
+ size: '{{ key_size }}'
+ mode: 0600
+
+ - name: generate CSR
+ openssl_csr:
+ path: '{{ csr_path }}'
+ privatekey_path: '{{ key_path }}'
+ common_name: '{{ username }}'
+ use_common_name_for_san: no
+
+ - name: request certificate from IPA
+ shell:
+ cmd: >
+ ipa cert-request {{ csr_path }}
+ --principal {{ username }}
+ --profile-id {{ profile_id }}
+ --chain
+ --certificate-out {{ crt_path }}
+
+ # The openssl_pkcs12 ansible module seems to generate files that can't be
+ # decrypted by Android clients. The openssl CLI works fine though.
+ - name: generate PKCS#12 file
+ command:
+ cmd: >
+ openssl pkcs12 -export
+ -out {{ p12_path }}
+ -inkey {{ key_path }}
+ -in {{ crt_path }}
+ -name {{ username }}@{{ domain }}
+ -password pass:{{ passphrase | quote }}
+ creates: '{{ p12_path }}'
+
+ - name: cleanup files
+ file:
+ path: '{{ item }}'
+ state: absent
+ loop:
+ - '{{ key_path }}'
+ - '{{ csr_path }}'
+ - '{{ crt_path }}'
+
+ - debug:
+ msg: 'PKCS#12 file written to {{ p12_path }}. Passphrase: {{ passphrase }}' |
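Review bot: The "generate PKCS#12 file" task places the passphrase on the `openssl pkcs12` command line (`-password pass:{{ passphrase | quote }}`), where it is readable by every local user through the process table, and since the task carries no `no_log: true` Ansible also records the full command in its logs and verbose output; the closing `debug` task then prints the same passphrase to stdout, so it lands in any console capture or CI log as well. Feeding the passphrase through the module's `stdin:` option with `-passout stdin`, marking the task `no_log: true`, and dropping the passphrase from the debug message keeps the secret out of `ps`, logs and consoles while preserving the `creates:` idempotency. The `ipa cert-request` step has the same logging exposure for `{{ username }}` only, which is not secret, but it runs under `shell:` where `command:` would do, since nothing in the cmd needs a shell. Separately, `mode: 0600` is an unquoted octal and `become: no` / `private: no` / `use_common_name_for_san: no` are YAML 1.1 booleans; `mode: "0600"` and `false` are the portable spellings. `{{ domain }}` is not defined anywhere in this play, so presumably it comes from inventory or group vars — confirm it is set, or the task fails on an undefined variable.
```yaml
  # … unchanged: directory, private key, CSR and ipa cert-request tasks …
  - name: generate PKCS#12 file
    command:
      cmd: >
        openssl pkcs12 -export
        -out {{ p12_path }}
        -inkey {{ key_path }}
        -in {{ crt_path }}
        -name {{ username }}@{{ domain }}
        -passout stdin
      stdin: '{{ passphrase }}'
      creates: '{{ p12_path }}'
    no_log: true

  # … unchanged: cleanup files task …
  - debug:
      msg: 'PKCS#12 file written to {{ p12_path }}.'
```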