|
|
|
---
|
|
|
|
- name: Generate privatekey
|
|
|
|
openssl_privatekey:
|
|
|
|
path: '{{ output_dir }}/privatekey.pem'
|
|
|
|
|
|
|
|
- name: Generate privatekey with password
|
|
|
|
openssl_privatekey:
|
|
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
|
|
passphrase: hunter2
|
|
|
|
cipher: auto
|
|
|
|
select_crypto_backend: cryptography
|
|
|
|
|
|
|
|
- name: Generate CSR 1
|
|
|
|
openssl_csr:
|
|
|
|
path: '{{ output_dir }}/csr_1.csr'
|
|
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
|
|
subject:
|
|
|
|
commonName: www.example.com
|
|
|
|
C: de
|
|
|
|
L: Somewhere
|
|
|
|
ST: Zurich
|
|
|
|
streetAddress: Welcome Street
|
|
|
|
O: Ansible
|
|
|
|
organizationalUnitName:
|
|
|
|
- Crypto Department
|
|
|
|
- ACME Department
|
|
|
|
serialNumber: "1234"
|
|
|
|
SN: Last Name
|
|
|
|
GN: First Name
|
|
|
|
title: Chief
|
|
|
|
pseudonym: test
|
|
|
|
UID: asdf
|
|
|
|
emailAddress: test@example.com
|
|
|
|
postalAddress: 1234 Somewhere
|
|
|
|
postalCode: "1234"
|
|
|
|
useCommonNameForSAN: no
|
|
|
|
key_usage:
|
|
|
|
- digitalSignature
|
|
|
|
- keyAgreement
|
|
|
|
- Non Repudiation
|
|
|
|
- Key Encipherment
|
|
|
|
- dataEncipherment
|
|
|
|
- Certificate Sign
|
|
|
|
- cRLSign
|
|
|
|
- Encipher Only
|
|
|
|
- decipherOnly
|
|
|
|
key_usage_critical: yes
|
|
|
|
extended_key_usage:
|
|
|
|
- serverAuth # the same as "TLS Web Server Authentication"
|
|
|
|
- TLS Web Server Authentication
|
|
|
|
- TLS Web Client Authentication
|
|
|
|
- Code Signing
|
|
|
|
- E-mail Protection
|
|
|
|
- timeStamping
|
|
|
|
- OCSPSigning
|
|
|
|
- Any Extended Key Usage
|
|
|
|
- qcStatements
|
|
|
|
- DVCS
|
|
|
|
- IPSec User
|
|
|
|
- biometricInfo
|
|
|
|
subject_alt_name:
|
|
|
|
- "DNS:www.ansible.com"
|
|
|
|
- "IP:1.2.3.4"
|
|
|
|
- "IP:::1"
|
|
|
|
- "email:test@example.org"
|
|
|
|
- "URI:https://example.org/test/index.html"
|
|
|
|
basic_constraints:
|
|
|
|
- "CA:TRUE"
|
|
|
|
- "pathlen:23"
|
|
|
|
basic_constraints_critical: yes
|
|
|
|
ocsp_must_staple: yes
|
|
|
|
subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
|
|
|
|
authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
|
|
|
|
authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
|
|
|
|
authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
|
|
|
|
vars:
|
|
|
|
value_for_authority_cert_issuer:
|
|
|
|
- "DNS:ca.example.org"
|
|
|
|
- "IP:1.2.3.4"
|
|
|
|
|
|
|
|
- name: Generate CSR 2
|
|
|
|
openssl_csr:
|
|
|
|
path: '{{ output_dir }}/csr_2.csr'
|
|
|
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
|
|
|
privatekey_passphrase: hunter2
|
|
|
|
useCommonNameForSAN: no
|
|
|
|
basic_constraints:
|
|
|
|
- "CA:TRUE"
|
|
|
|
|
|
|
|
- name: Generate CSR 3
|
|
|
|
openssl_csr:
|
|
|
|
path: '{{ output_dir }}/csr_3.csr'
|
|
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
|
|
useCommonNameForSAN: no
|
|
|
|
subject_alt_name:
|
|
|
|
- "DNS:*.ansible.com"
|
|
|
|
- "DNS:*.example.org"
|
|
|
|
- "IP:DEAD:BEEF::1"
|
|
|
|
basic_constraints:
|
|
|
|
- "CA:FALSE"
|
|
|
|
authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
|
|
|
|
authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
|
|
|
|
vars:
|
|
|
|
value_for_authority_cert_issuer:
|
|
|
|
- "DNS:ca.example.org"
|
|
|
|
- "IP:1.2.3.4"
|
|
|
|
|
|
|
|
- name: Generate CSR 4
|
|
|
|
openssl_csr:
|
|
|
|
path: '{{ output_dir }}/csr_4.csr'
|
|
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
|
|
useCommonNameForSAN: no
|
|
|
|
authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
|
|
|
|
|
|
|
|
- name: Generate selfsigned certificates
|
|
|
|
openssl_certificate:
|
|
|
|
path: '{{ output_dir }}/cert_{{ item }}.pem'
|
|
|
|
csr_path: '{{ output_dir }}/csr_{{ item }}.csr'
|
|
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
|
|
provider: selfsigned
|
|
|
|
selfsigned_digest: sha256
|
|
|
|
selfsigned_not_after: "+10d"
|
|
|
|
selfsigned_not_before: "-3d"
|
|
|
|
loop:
|
|
|
|
- 1
|
|
|
|
- 2
|
|
|
|
- 3
|
|
|
|
- 4
|
|
|
|
|
|
|
|
- name: Prepare result list
|
|
|
|
set_fact:
|
|
|
|
info_results: []
|
|
|
|
|
|
|
|
- name: Running tests with pyOpenSSL backend
|
|
|
|
include_tasks: impl.yml
|
|
|
|
vars:
|
|
|
|
select_crypto_backend: pyopenssl
|
|
|
|
when: pyopenssl_version.stdout is version('0.15', '>=')
|
|
|
|
|
|
|
|
- name: Prepare result list
|
|
|
|
set_fact:
|
|
|
|
pyopenssl_info_results: "{{ info_results }}"
|
|
|
|
info_results: []
|
|
|
|
|
|
|
|
- name: Running tests with cryptography backend
|
|
|
|
include_tasks: impl.yml
|
|
|
|
vars:
|
|
|
|
select_crypto_backend: cryptography
|
|
|
|
when: cryptography_version.stdout is version('1.6', '>=')
|
|
|
|
|
|
|
|
- name: Prepare result list
|
|
|
|
set_fact:
|
|
|
|
cryptography_info_results: "{{ info_results }}"
|
|
|
|
|
|
|
|
- block:
|
|
|
|
- name: Dump pyOpenSSL results
|
|
|
|
debug:
|
|
|
|
var: pyopenssl_info_results
|
|
|
|
- name: Dump cryptography results
|
|
|
|
debug:
|
|
|
|
var: cryptography_info_results
|
|
|
|
- name: Compare results
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- ' (item.0 | dict2items | rejectattr("key", "in", keys_to_ignore) | list | items2dict)
|
|
|
|
== (item.1 | dict2items | rejectattr("key", "in", keys_to_ignore) | list | items2dict)'
|
|
|
|
quiet: yes
|
|
|
|
loop: "{{ pyopenssl_info_results | zip(cryptography_info_results) | list }}"
|
|
|
|
when: pyopenssl_version.stdout is version('0.15', '>=') and cryptography_version.stdout is version('1.6', '>=')
|
|
|
|
vars:
|
|
|
|
keys_to_ignore:
|
|
|
|
- deprecations
|
|
|
|
- subject_key_identifier
|
|
|
|
- authority_key_identifier
|
|
|
|
- authority_cert_issuer
|
|
|
|
- authority_cert_serial_number
|