Ansible: creating SAN certificates with a custom root CA

Ansible can generate self-signed certificates as well as certificates signed by a custom root CA (certificate authority). Both are done with modules from the community.crypto collection.

I’ve packaged this into a role named ansible-role-cert-with-ca, available on GitHub, which can be used from a playbook like the one below:

  vars:
    # custom CA, leaving undefined will create self-signed cert
    cert_domain_ca: myCA.foo

    # cert CN
    cert_domain_cn: primary.foo

    # cert SAN names (subject alternative names)
    cert_domains_san: ['secondary.foo','last.foo']

  roles:
    - role: ansible-role-cert-with-ca

Before running the playbook, be sure to first install the community.crypto collection.

# install dependency manually
ansible-galaxy collection install community.crypto -vvvv

# or using requirements.yml from github project
ansible-galaxy collection install -r requirements.yml -p .

After running the playbook, the generated CA and server certificate can be inspected directly with openssl.

openssl x509 -in /tmp/myCA.foo.crt -text -noout
openssl x509 -in /tmp/primary.foo.crt -text -noout

The ‘cert_dir’ variable controls the directory the keys, CSRs, and certificates are written to (the commands above assume /tmp).
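As an added, stand-alone example (not code from the ansible-role-cert-with-ca role or from the community.crypto collection), the following POSIX shell script builds the same artifacts the role produces by hand with openssl: a root CA, then a certificate for primary.foo carrying SAN entries for secondary.foo and last.foo. It then runs the two checks a practitioner wants before trusting the result: that the leaf chains to the CA (the same openssl verify -CAfile check used in the notes below) and that the SAN list actually covers each hostname a client will connect with. The work directory, one-day validity periods, key sizes and the minimal req config are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of ansible-role-cert-with-ca: a root CA plus a SAN
# certificate built directly with openssl, then verified the way a TLS client
# would. CNs, SAN names, validity and the work directory are assumed values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal req config so the example does not depend on the system openssl.cnf.
# $1 = CN, $2 = extension lines ("key = value", one per line) for section [ext].
write_req_conf() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n[dn]\nCN = %s\n[ext]\n%s\n' "$1" "$2"
}

# Root CA: a self-signed certificate whose basicConstraints marks it as a CA
# and whose keyUsage limits it to signing certificates and CRLs.
make_ca() {
  ca_cn="$1"
  write_req_conf "$ca_cn" 'basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash' > "$WORKDIR/$ca_cn.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORKDIR/$ca_cn.cnf" \
    -keyout "$WORKDIR/$ca_cn.key" -out "$WORKDIR/$ca_cn.crt" 2>/dev/null
}

# Leaf certificate: key + CSR for the CN, signed by the CA with the SAN list.
# The CN is repeated in the SAN because TLS clients match hostnames on SAN only.
# Usage: make_san_cert <ca_cn> <cn> [san ...]
make_san_cert() {
  ca_cn="$1"; cn="$2"; shift 2
  san="DNS:$cn"
  for d in "$@"; do san="$san,DNS:$d"; done
  write_req_conf "$cn" "subjectAltName = $san
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth" > "$WORKDIR/$cn.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORKDIR/$cn.cnf" \
    -keyout "$WORKDIR/$cn.key" -out "$WORKDIR/$cn.csr" 2>/dev/null
  # 'x509 -req' ignores CSR extensions on older OpenSSL, so the extensions
  # (including the SAN list) are supplied again from the same config file.
  openssl x509 -req -in "$WORKDIR/$cn.csr" -days 1 -sha256 \
    -CA "$WORKDIR/$ca_cn.crt" -CAkey "$WORKDIR/$ca_cn.key" -CAcreateserial \
    -extfile "$WORKDIR/$cn.cnf" -extensions ext -out "$WORKDIR/$cn.crt" 2>/dev/null
}

# Check 1: does the leaf certificate <$2> chain to the CA <$1>? (exit 0 = yes)
cert_matches_ca() {
  openssl verify -CAfile "$WORKDIR/$1.crt" "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# Check 2: would a client connecting to hostname <$3> accept leaf <$2> issued
# by CA <$1>? openssl matches the hostname against the SAN list. (exit 0 = yes)
cert_covers_host() {
  openssl verify -CAfile "$WORKDIR/$1.crt" -verify_hostname "$3" "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# The SAN entries of leaf <$1>, space separated, as 'openssl x509 -text' shows them.
list_san() {
  openssl x509 -in "$WORKDIR/$1.crt" -noout -text | grep -o 'DNS:[^, ]*' | tr '\n' ' ' | sed 's/ $//'
}

# Build the CA and the SAN certificate from the playbook example, then verify.
make_ca myCA.foo
make_san_cert myCA.foo primary.foo secondary.foo last.foo
echo "artifacts in $WORKDIR"
echo "SAN: $(list_san primary.foo)"
cert_matches_ca myCA.foo primary.foo && echo "primary.foo chains to myCA.foo"
cert_covers_host myCA.foo primary.foo last.foo && echo "last.foo is covered by the SAN list"
cert_covers_host myCA.foo primary.foo other.foo || echo "other.foo is NOT covered (hostname mismatch)"
```

The last line is the point of the SAN list: other.foo fails the -verify_hostname check even though the certificate chains to the CA perfectly well, so a chain check alone (openssl verify -CAfile) does not prove a certificate is usable for a given hostname. Every name a client will use, the CN included, has to appear in cert_domains_san.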


REFERENCES

milliams.com, ansible certificate authority generation

ansible docs, x509_certificate

ansible galaxy, crypto collection

github fabianlee, ansible-role-cert-with-ca

digitalocean, how to setup and secure an etcd cluster

NOTES

verify that a certificate and CA match

openssl verify -CAfile /tmp/myCA.crt /tmp/my.local.crt

pulling certs from a TLS server

echo | openssl s_client -showcerts -servername my.local -connect 10.152.183.204:443

verify certs from a TLS server against a custom CA that is not installed in the OS trust store

echo | openssl s_client -showcerts -servername my.local -connect 10.152.183.204:443 -CAfile /tmp/myCA.crt