Ansible has support for generating self-signed certificates as well as certificates using a custom root CA (certificate authority). This is possible using the community.crypto collection.
I’ve put this into a role named ansible-role-cert-with-ca available on github, and it can be used from a playbook like below:
vars:
  # custom CA, leaving undefined will create self-signed cert
  cert_domain_ca: myCA.foo
  # cert CN
  cert_domain_cn: primary.foo
  # cert SAN names (subject alternative names)
  cert_domains_san: ['secondary.foo','last.foo']
roles:
  - role: ansible-role-cert-with-ca
Before running the playbook, be sure to first install the community.crypto collection.
# install dependency manually
ansible-galaxy collection install community.crypto -vvvv
# or using requirements.yml from github project
ansible-galaxy collection install -r requirements.yml -p .
After running this playbook, the generated cert and CA can be validated using openssl directly.
openssl x509 -in /tmp/myCA.foo.crt -text -noout
openssl x509 -in /tmp/primary.foo.crt -text -noout
The ‘cert_dir’ variable can be used to put the keys, CSRs, and certificates into the directory of your choosing.
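For readers who want to see what the role is doing under the hood, here is an added example playbook (written for this post, not the tasks from ansible-role-cert-with-ca) that uses the community.crypto modules directly: it generates a CA key and self-signed CA certificate, then a server key and CSR carrying the CN and SAN names, signs the CSR with the CA via the ownca provider, and finally reads the issued certificate back and asserts on the issuer and SANs. The variable names match the post; the file layout under cert_dir, the key sizes and the lifetimes are assumptions.

```yaml
# Added example, not the role's own tasks. Runs against localhost and writes
# everything under cert_dir. Requires the community.crypto collection.
- name: Generate a custom CA and a CA-signed server certificate
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    cert_dir: /tmp
    cert_domain_ca: myCA.foo
    cert_domain_cn: primary.foo
    cert_domains_san: ['secondary.foo', 'last.foo']
  tasks:
    - name: Build the SAN list in the "DNS:<name>" form openssl_csr expects (CN included)
      ansible.builtin.set_fact:
        san_entries: "{{ ['DNS:' ~ cert_domain_cn] + (cert_domains_san | map('regex_replace', '^', 'DNS:') | list) }}"

    - name: CA private key (only the CA .crt should ever be distributed, never this file)
      community.crypto.openssl_privatekey:
        path: "{{ cert_dir }}/{{ cert_domain_ca }}.key"
        type: RSA
        size: 4096
        mode: "0600"

    - name: CA CSR, marked as a CA with certificate-signing key usage
      community.crypto.openssl_csr:
        path: "{{ cert_dir }}/{{ cert_domain_ca }}.csr"
        privatekey_path: "{{ cert_dir }}/{{ cert_domain_ca }}.key"
        common_name: "{{ cert_domain_ca }}"
        basic_constraints:
          - CA:TRUE
        basic_constraints_critical: true
        key_usage:
          - keyCertSign
          - cRLSign
        key_usage_critical: true

    - name: Self-signed CA certificate (assumed 10 year lifetime)
      community.crypto.x509_certificate:
        path: "{{ cert_dir }}/{{ cert_domain_ca }}.crt"
        csr_path: "{{ cert_dir }}/{{ cert_domain_ca }}.csr"
        privatekey_path: "{{ cert_dir }}/{{ cert_domain_ca }}.key"
        provider: selfsigned
        selfsigned_not_after: "+3650d"

    - name: Server private key
      community.crypto.openssl_privatekey:
        path: "{{ cert_dir }}/{{ cert_domain_cn }}.key"
        type: RSA
        size: 2048
        mode: "0600"

    - name: Server CSR with CN and SANs, explicitly not a CA, server auth only
      community.crypto.openssl_csr:
        path: "{{ cert_dir }}/{{ cert_domain_cn }}.csr"
        privatekey_path: "{{ cert_dir }}/{{ cert_domain_cn }}.key"
        common_name: "{{ cert_domain_cn }}"
        subject_alt_name: "{{ san_entries }}"
        basic_constraints:
          - CA:FALSE
        key_usage:
          - digitalSignature
          - keyEncipherment
        extended_key_usage:
          - serverAuth

    - name: Server certificate signed by the custom CA (shorter lifetime than the CA)
      community.crypto.x509_certificate:
        path: "{{ cert_dir }}/{{ cert_domain_cn }}.crt"
        csr_path: "{{ cert_dir }}/{{ cert_domain_cn }}.csr"
        provider: ownca
        ownca_path: "{{ cert_dir }}/{{ cert_domain_ca }}.crt"
        ownca_privatekey_path: "{{ cert_dir }}/{{ cert_domain_ca }}.key"
        ownca_not_after: "+365d"

    - name: Read back the issued server certificate
      community.crypto.x509_certificate_info:
        path: "{{ cert_dir }}/{{ cert_domain_cn }}.crt"
      register: server_cert

    - name: Fail the play if the cert was not issued by our CA, lacks the SANs, or is expired
      ansible.builtin.assert:
        that:
          - server_cert.issuer.commonName == cert_domain_ca
          - server_cert.subject_alt_name == san_entries
          - not server_cert.expired
```

Run it with `ansible-playbook cert-with-ca.yml` (playbook file name is an assumption). The final assert is the point of the read-back task: a browser or client only trusts the server certificate if the issuer matches the CA you distribute and the name being connected to appears in the SAN list, so catching a mismatch here is cheaper than debugging a TLS handshake failure later. The openssl commands in this post remain the way to inspect the resulting files by hand.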
REFERENCES
milliams.com, ansible certificate authority generation
ansible docs, x509_certificate
ansible galaxy, crypto collection
github fabianlee, ansible-role-cert-with-ca
digitalocean, how to setup and secure an etcd cluster
NOTES
verify that a certificate and CA match
openssl verify -CAfile /tmp/myCA.crt /tmp/my.local.crt
pulling certs from tls server
echo | openssl s_client -showcerts -servername my.local -connect 10.152.183.204:443
verify certs from tls server with custom CA not loaded at OS level
echo | openssl s_client -showcerts -servername my.local -connect 10.152.183.204:443 -CAfile /tmp/myCA.crt