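---
# Generate a client certificate for an IPA user and bundle it as PKCS#12.
#
# Flow: private key -> CSR -> `ipa cert-request` (signed cert + chain)
# -> `openssl pkcs12 -export`; only the .p12 is left behind in cert_dir.
#
# Runs on the control node as the invoking user and calls `ipa` directly,
# so it relies on whatever IPA session that user already has.
# NOTE(review): `domain` is referenced in the PKCS#12 task but is not
# defined in `vars`; it must come from inventory or --extra-vars — confirm.
- name: generate client certificate
  hosts: localhost
  connection: local
  become: false
  vars_prompt:
    # Subject CN, IPA principal, and the stem of every output file name.
    - name: username
      prompt: Enter username for the certificate subject
      private: false
    # Export password for the .p12; hidden at the prompt and kept out of logs.
    - name: passphrase
      prompt: Enter password for the p12 file
      private: true
  vars:
    cert_dir: "{{ lookup('env', 'HOME') }}/pki"
    key_size: 2048
    key_path: '{{ cert_dir }}/{{ username }}.key'
    csr_path: '{{ cert_dir }}/{{ username }}.csr'
    crt_path: '{{ cert_dir }}/{{ username }}.crt'
    p12_path: '{{ cert_dir }}/{{ username }}.p12'
    profile_id: caIPAclientAuth
  tasks:
    - name: create output directory
      file:
        path: '{{ cert_dir }}'
        state: directory

    - name: generate private key
      openssl_privatekey:
        path: '{{ key_path }}'
        size: '{{ key_size }}'
        # Quoted so the YAML parser keeps the octal literal as a string.
        mode: '0600'

    - name: generate CSR
      openssl_csr:
        path: '{{ csr_path }}'
        privatekey_path: '{{ key_path }}'
        common_name: '{{ username }}'
        use_common_name_for_san: false

    # argv form: the prompted username and the paths derived from it are
    # passed as discrete arguments, so no shell ever parses them.
    - name: request certificate from IPA
      command:
        argv:
          - ipa
          - cert-request
          - '{{ csr_path }}'
          - '--principal'
          - '{{ username }}'
          - '--profile-id'
          - '{{ profile_id }}'
          - '--chain'
          - '--certificate-out'
          - '{{ crt_path }}'

    # The openssl_pkcs12 ansible module seems to generate files that can't be
    # decrypted by Android clients. The openssl CLI works fine though.
    - name: generate PKCS#12 file
      command:
        argv:
          - openssl
          - pkcs12
          - '-export'
          - '-out'
          - '{{ p12_path }}'
          - '-inkey'
          - '{{ key_path }}'
          - '-in'
          - '{{ crt_path }}'
          - '-name'
          - '{{ username }}@{{ domain }}'
          - '-password'
          - 'pass:{{ passphrase }}'
        creates: '{{ p12_path }}'
      # The passphrase is on the command line; keep it out of task output.
      no_log: true

    # The key and CSR live on only inside the .p12 from here on.
    - name: cleanup files
      file:
        path: '{{ item }}'
        state: absent
      loop:
        - '{{ key_path }}'
        - '{{ csr_path }}'
        - '{{ crt_path }}'

    # The passphrase was entered with private: true; do not echo it back here,
    # where it would land in the play output and any ansible log.
    - debug:
        msg: 'PKCS#12 file written to {{ p12_path }}'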