|
|
|
@ -1,228 +1,225 @@
|
|
|
|
|
#!/usr/bin/python
|
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
#
|
|
|
|
|
# (c) 2017, Yanis Guenane <yanis+ansible@guenane.org>
|
|
|
|
|
|
|
|
|
|
# Copyrigt: (c) 2017, Yanis Guenane <yanis+ansible@guenane.org>
|
|
|
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
|
|
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
|
|
|
|
'status': ['preview'],
|
|
|
|
|
'supported_by': 'community'}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DOCUMENTATION = '''
|
|
|
|
|
DOCUMENTATION = r'''
|
|
|
|
|
---
|
|
|
|
|
module: openssl_csr
|
|
|
|
|
author: "Yanis Guenane (@Spredzy)"
|
|
|
|
|
version_added: "2.4"
|
|
|
|
|
version_added: '2.4'
|
|
|
|
|
short_description: Generate OpenSSL Certificate Signing Request (CSR)
|
|
|
|
|
description:
|
|
|
|
|
- "This module allows one to (re)generate OpenSSL certificate signing requests.
|
|
|
|
|
It uses the pyOpenSSL python library to interact with openssl. This module supports
|
|
|
|
|
the subjectAltName, keyUsage, extendedKeyUsage, basicConstraints and OCSP Must Staple
|
|
|
|
|
extensions."
|
|
|
|
|
- This module allows one to (re)generate OpenSSL certificate signing requests.
|
|
|
|
|
- It uses the pyOpenSSL python library to interact with openssl. This module supports
|
|
|
|
|
the subjectAltName, keyUsage, extendedKeyUsage, basicConstraints and OCSP Must Staple
|
|
|
|
|
extensions.
|
|
|
|
|
requirements:
|
|
|
|
|
- "One of the following Python libraries:"
|
|
|
|
|
- "cryptography >= 1.3"
|
|
|
|
|
- "pyOpenSSL >= 0.15"
|
|
|
|
|
- Either cryptography >= 1.3
|
|
|
|
|
- Or pyOpenSSL >= 0.15
|
|
|
|
|
author:
|
|
|
|
|
- Yanis Guenane (@Spredzy)
|
|
|
|
|
options:
|
|
|
|
|
state:
|
|
|
|
|
required: false
|
|
|
|
|
default: "present"
|
|
|
|
|
choices: [ present, absent ]
|
|
|
|
|
description:
|
|
|
|
|
- Whether the certificate signing request should exist or not, taking action if the state is different from what is stated.
|
|
|
|
|
digest:
|
|
|
|
|
type: str
|
|
|
|
|
required: false
|
|
|
|
|
default: "sha256"
|
|
|
|
|
choices: [ absent, present ]
|
|
|
|
|
default: present
|
|
|
|
|
digest:
|
|
|
|
|
description:
|
|
|
|
|
- Digest used when signing the certificate signing request with the private key
|
|
|
|
|
- The digest used when signing the certificate signing request with the private key.
|
|
|
|
|
type: str
|
|
|
|
|
default: sha256
|
|
|
|
|
privatekey_path:
|
|
|
|
|
required: true
|
|
|
|
|
description:
|
|
|
|
|
- Path to the privatekey to use when signing the certificate signing request
|
|
|
|
|
- The path to the privatekey to use when signing the certificate signing request.
|
|
|
|
|
type: path
|
|
|
|
|
required: true
|
|
|
|
|
privatekey_passphrase:
|
|
|
|
|
required: false
|
|
|
|
|
description:
|
|
|
|
|
- The passphrase for the privatekey.
|
|
|
|
|
type: str
|
|
|
|
|
version:
|
|
|
|
|
required: false
|
|
|
|
|
default: 1
|
|
|
|
|
description:
|
|
|
|
|
- Version of the certificate signing request
|
|
|
|
|
- The version of the certificate signing request.
|
|
|
|
|
type: int
|
|
|
|
|
default: 1
|
|
|
|
|
force:
|
|
|
|
|
required: false
|
|
|
|
|
default: False
|
|
|
|
|
type: bool
|
|
|
|
|
description:
|
|
|
|
|
- Should the certificate signing request be forced regenerated by this ansible module
|
|
|
|
|
- Should the certificate signing request be forced regenerated by this ansible module.
|
|
|
|
|
type: bool
|
|
|
|
|
default: no
|
|
|
|
|
path:
|
|
|
|
|
required: true
|
|
|
|
|
description:
|
|
|
|
|
- Name of the file into which the generated OpenSSL certificate signing request will be written
|
|
|
|
|
- The name of the file into which the generated OpenSSL certificate signing request will be written.
|
|
|
|
|
type: path
|
|
|
|
|
required: true
|
|
|
|
|
subject:
|
|
|
|
|
required: false
|
|
|
|
|
description:
|
|
|
|
|
- Key/value pairs that will be present in the subject name field of the certificate signing request.
|
|
|
|
|
- If you need to specify more than one value with the same key, use a list as value.
|
|
|
|
|
type: str
|
|
|
|
|
version_added: '2.5'
|
|
|
|
|
country_name:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'C', 'countryName' ]
|
|
|
|
|
description:
|
|
|
|
|
- countryName field of the certificate signing request subject
|
|
|
|
|
- The countryName field of the certificate signing request subject.
|
|
|
|
|
type: str
|
|
|
|
|
aliases: [ C, countryName ]
|
|
|
|
|
state_or_province_name:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'ST', 'stateOrProvinceName' ]
|
|
|
|
|
description:
|
|
|
|
|
- stateOrProvinceName field of the certificate signing request subject
|
|
|
|
|
- The stateOrProvinceName field of the certificate signing request subject.
|
|
|
|
|
type: str
|
|
|
|
|
aliases: [ ST, stateOrProvinceName ]
|
|
|
|
|
locality_name:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'L', 'localityName' ]
|
|
|
|
|
description:
|
|
|
|
|
- localityName field of the certificate signing request subject
|
|
|
|
|
- The localityName field of the certificate signing request subject.
|
|
|
|
|
type: str
|
|
|
|
|
aliases: [ L, localityName ]
|
|
|
|
|
organization_name:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'O', 'organizationName' ]
|
|
|
|
|
description:
|
|
|
|
|
- organizationName field of the certificate signing request subject
|
|
|
|
|
- The organizationName field of the certificate signing request subject.
|
|
|
|
|
type: str
|
|
|
|
|
aliases: [ O, organizationName ]
|
|
|
|
|
organizational_unit_name:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'OU', 'organizationalUnitName' ]
|
|
|
|
|
description:
|
|
|
|
|
- organizationalUnitName field of the certificate signing request subject
|
|
|
|
|
- The organizationalUnitName field of the certificate signing request subject.
|
|
|
|
|
type: str
|
|
|
|
|
aliases: [ OU, organizationalUnitName ]
|
|
|
|
|
common_name:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'CN', 'commonName' ]
|
|
|
|
|
description:
|
|
|
|
|
- commonName field of the certificate signing request subject
|
|
|
|
|
- The commonName field of the certificate signing request subject.
|
|
|
|
|
type: str
|
|
|
|
|
aliases: [ CN, commonName ]
|
|
|
|
|
email_address:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'E', 'emailAddress' ]
|
|
|
|
|
description:
|
|
|
|
|
- emailAddress field of the certificate signing request subject
|
|
|
|
|
- The emailAddress field of the certificate signing request subject.
|
|
|
|
|
type: str
|
|
|
|
|
aliases: [ E, emailAddress ]
|
|
|
|
|
subject_alt_name:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'subjectAltName' ]
|
|
|
|
|
description:
|
|
|
|
|
- SAN extension to attach to the certificate signing request
|
|
|
|
|
- SAN extension to attach to the certificate signing request.
|
|
|
|
|
- This can either be a 'comma separated string' or a YAML list.
|
|
|
|
|
- Values should be prefixed by their options. (i.e., C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
|
|
|
|
|
C(otherName) and the ones specific to your CA)
|
|
|
|
|
- Note that if no SAN is specified, but a common name, the common
|
|
|
|
|
name will be added as a SAN except if C(useCommonNameForSAN) is
|
|
|
|
|
set to I(false).
|
|
|
|
|
- More at U(https://tools.ietf.org/html/rfc5280#section-4.2.1.6)
|
|
|
|
|
- More at U(https://tools.ietf.org/html/rfc5280#section-4.2.1.6).
|
|
|
|
|
type: list
|
|
|
|
|
aliases: [ subjectAltName ]
|
|
|
|
|
subject_alt_name_critical:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'subjectAltName_critical' ]
|
|
|
|
|
description:
|
|
|
|
|
- Should the subjectAltName extension be considered as critical
|
|
|
|
|
useCommonNameForSAN:
|
|
|
|
|
- Should the subjectAltName extension be considered as critical.
|
|
|
|
|
type: bool
|
|
|
|
|
default: true
|
|
|
|
|
aliases: [ subjectAltName_critical ]
|
|
|
|
|
use_common_name_for_san:
|
|
|
|
|
description:
|
|
|
|
|
- If set to I(true), the module will fill the common name in for
|
|
|
|
|
- If set to C(yes), the module will fill the common name in for
|
|
|
|
|
C(subject_alt_name) with C(DNS:) prefix if no SAN is specified.
|
|
|
|
|
type: bool
|
|
|
|
|
default: yes
|
|
|
|
|
aliases: [ useCommonNameForSAN ]
|
|
|
|
|
version_added: '2.8'
|
|
|
|
|
key_usage:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'keyUsage' ]
|
|
|
|
|
description:
|
|
|
|
|
- This defines the purpose (e.g. encipherment, signature, certificate signing)
|
|
|
|
|
of the key contained in the certificate.
|
|
|
|
|
- This can either be a 'comma separated string' or a YAML list.
|
|
|
|
|
type: list
|
|
|
|
|
aliases: [ keyUsage ]
|
|
|
|
|
key_usage_critical:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'keyUsage_critical' ]
|
|
|
|
|
description:
|
|
|
|
|
- Should the keyUsage extension be considered as critical
|
|
|
|
|
- Should the keyUsage extension be considered as critical.
|
|
|
|
|
type: bool
|
|
|
|
|
aliases: [ keyUsage_critical ]
|
|
|
|
|
extended_key_usage:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'extKeyUsage', 'extendedKeyUsage' ]
|
|
|
|
|
description:
|
|
|
|
|
- Additional restrictions (e.g. client authentication, server authentication)
|
|
|
|
|
on the allowed purposes for which the public key may be used.
|
|
|
|
|
- This can either be a 'comma separated string' or a YAML list.
|
|
|
|
|
type: list
|
|
|
|
|
aliases: [ extKeyUsage, extendedKeyUsage ]
|
|
|
|
|
extended_key_usage_critical:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'extKeyUsage_critical', 'extendedKeyUsage_critical' ]
|
|
|
|
|
description:
|
|
|
|
|
- Should the extkeyUsage extension be considered as critical
|
|
|
|
|
- Should the extkeyUsage extension be considered as critical.
|
|
|
|
|
type: bool
|
|
|
|
|
aliases: [ extKeyUsage_critical, extendedKeyUsage_critical ]
|
|
|
|
|
basic_constraints:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: ['basicConstraints']
|
|
|
|
|
description:
|
|
|
|
|
- Indicates basic constraints, such as if the certificate is a CA.
|
|
|
|
|
version_added: 2.5
|
|
|
|
|
type: list
|
|
|
|
|
aliases: [ basicConstraints ]
|
|
|
|
|
version_added: '2.5'
|
|
|
|
|
basic_constraints_critical:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'basicConstraints_critical' ]
|
|
|
|
|
description:
|
|
|
|
|
- Should the basicConstraints extension be considered as critical
|
|
|
|
|
version_added: 2.5
|
|
|
|
|
- Should the basicConstraints extension be considered as critical.
|
|
|
|
|
type: bool
|
|
|
|
|
aliases: [ basicConstraints_critical ]
|
|
|
|
|
version_added: '2.5'
|
|
|
|
|
ocsp_must_staple:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: ['ocspMustStaple']
|
|
|
|
|
description:
|
|
|
|
|
- Indicates that the certificate should contain the OCSP Must Staple
|
|
|
|
|
extension (U(https://tools.ietf.org/html/rfc7633)).
|
|
|
|
|
version_added: 2.5
|
|
|
|
|
type: bool
|
|
|
|
|
aliases: [ ocspMustStaple ]
|
|
|
|
|
version_added: '2.5'
|
|
|
|
|
ocsp_must_staple_critical:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'ocspMustStaple_critical' ]
|
|
|
|
|
description:
|
|
|
|
|
- Should the OCSP Must Staple extension be considered as critical
|
|
|
|
|
- "Warning: according to the RFC, this extension should not be marked
|
|
|
|
|
as critical, as old clients not knowing about OCSP Must Staple
|
|
|
|
|
are required to reject such certificates
|
|
|
|
|
(see U(https://tools.ietf.org/html/rfc7633#section-4))."
|
|
|
|
|
version_added: 2.5
|
|
|
|
|
- Note that according to the RFC, this extension should not be marked
|
|
|
|
|
as critical, as old clients not knowing about OCSP Must Staple
|
|
|
|
|
are required to reject such certificates
|
|
|
|
|
(see U(https://tools.ietf.org/html/rfc7633#section-4)).
|
|
|
|
|
type: bool
|
|
|
|
|
aliases: [ ocspMustStaple_critical ]
|
|
|
|
|
version_added: '2.5'
|
|
|
|
|
select_crypto_backend:
|
|
|
|
|
description:
|
|
|
|
|
- "Determines which crypto backend to use. The default choice is C(auto),
|
|
|
|
|
which tries to use C(cryptography) if available, and falls back to
|
|
|
|
|
C(pyopenssl)."
|
|
|
|
|
- "If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/)
|
|
|
|
|
library."
|
|
|
|
|
- "If set to C(cryptography), will try to use the
|
|
|
|
|
L(cryptography,https://cryptography.io/) library."
|
|
|
|
|
- Determines which crypto backend to use.
|
|
|
|
|
- The default choice is C(auto), which tries to use C(cryptography) if available, and falls back to C(pyopenssl).
|
|
|
|
|
- If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library.
|
|
|
|
|
- If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
|
|
|
|
|
type: str
|
|
|
|
|
default: 'auto'
|
|
|
|
|
choices:
|
|
|
|
|
- auto
|
|
|
|
|
- cryptography
|
|
|
|
|
- pyopenssl
|
|
|
|
|
version_added: "2.8"
|
|
|
|
|
extends_documentation_fragment: files
|
|
|
|
|
|
|
|
|
|
choices: [ auto, cryptography, pyopenssl ]
|
|
|
|
|
default: auto
|
|
|
|
|
version_added: '2.8'
|
|
|
|
|
extends_documentation_fragment:
|
|
|
|
|
- files
|
|
|
|
|
notes:
|
|
|
|
|
- "If the certificate signing request already exists it will be checked whether subjectAltName,
|
|
|
|
|
keyUsage, extendedKeyUsage and basicConstraints only contain the requested values, whether
|
|
|
|
|
OCSP Must Staple is as requested, and if the request was signed by the given private key."
|
|
|
|
|
- If the certificate signing request already exists it will be checked whether subjectAltName,
|
|
|
|
|
keyUsage, extendedKeyUsage and basicConstraints only contain the requested values, whether
|
|
|
|
|
OCSP Must Staple is as requested, and if the request was signed by the given private key.
|
|
|
|
|
seealso:
|
|
|
|
|
- module: openssl_certificate
|
|
|
|
|
- module: openssl_dhparam
|
|
|
|
|
- module: openssl_pkcs12
|
|
|
|
|
- module: openssl_privatekey
|
|
|
|
|
- module: openssl_publickey
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
EXAMPLES = '''
|
|
|
|
|
# Generate an OpenSSL Certificate Signing Request
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
EXAMPLES = r'''
|
|
|
|
|
- name: Generate an OpenSSL Certificate Signing Request
|
|
|
|
|
openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
common_name: www.ansible.com
|
|
|
|
|
|
|
|
|
|
# Generate an OpenSSL Certificate Signing Request with a
|
|
|
|
|
# passphrase protected private key
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
- name: Generate an OpenSSL Certificate Signing Request with a passphrase protected private key
|
|
|
|
|
openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
privatekey_passphrase: ansible
|
|
|
|
|
common_name: www.ansible.com
|
|
|
|
|
|
|
|
|
|
# Generate an OpenSSL Certificate Signing Request with Subject information
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
- name: Generate an OpenSSL Certificate Signing Request with Subject information
|
|
|
|
|
openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
country_name: FR
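Review bot: The new license header in this hunk reads `# Copyrigt: (c) 2017, Yanis Guenane <yanis+ansible@guenane.org>` — "Copyright" is misspelled, so the line should be `# Copyright: (c) 2017, Yanis Guenane <yanis+ansible@guenane.org>`. In the same hunk the `subject` option is documented as `type: str`, while the argument_spec in the last hunk of this diff declares `subject=dict(type='dict')`; the documentation should read `type: dict` so that what users see matches what the module actually validates. Both are documentation-only changes; the DOCUMENTATION string continues past the end of this hunk.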
|
|
|
|
@ -230,14 +227,14 @@ EXAMPLES = '''
|
|
|
|
|
email_address: jdoe@ansible.com
|
|
|
|
|
common_name: www.ansible.com
|
|
|
|
|
|
|
|
|
|
# Generate an OpenSSL Certificate Signing Request with subjectAltName extension
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
- name: Generate an OpenSSL Certificate Signing Request with subjectAltName extension
|
|
|
|
|
openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
subject_alt_name: 'DNS:www.ansible.com,DNS:m.ansible.com'
|
|
|
|
|
|
|
|
|
|
# Generate an OpenSSL CSR with subjectAltName extension with dynamic list
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
- name: Generate an OpenSSL CSR with subjectAltName extension with dynamic list
|
|
|
|
|
openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
subject_alt_name: "{{ item.value | map('regex_replace', '^', 'DNS:') | list }}"
|
|
|
|
@ -246,15 +243,15 @@ EXAMPLES = '''
|
|
|
|
|
- www.ansible.com
|
|
|
|
|
- m.ansible.com
|
|
|
|
|
|
|
|
|
|
# Force re-generate an OpenSSL Certificate Signing Request
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
- name: Force re-generate an OpenSSL Certificate Signing Request
|
|
|
|
|
openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
force: True
|
|
|
|
|
force: yes
|
|
|
|
|
common_name: www.ansible.com
|
|
|
|
|
|
|
|
|
|
# Generate an OpenSSL Certificate Signing Request with special key usages
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
- name: Generate an OpenSSL Certificate Signing Request with special key usages
|
|
|
|
|
openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
common_name: www.ansible.com
|
|
|
|
@ -264,16 +261,15 @@ EXAMPLES = '''
|
|
|
|
|
extended_key_usage:
|
|
|
|
|
- clientAuth
|
|
|
|
|
|
|
|
|
|
# Generate an OpenSSL Certificate Signing Request with OCSP Must Staple
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
- name: Generate an OpenSSL Certificate Signing Request with OCSP Must Staple
|
|
|
|
|
openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
common_name: www.ansible.com
|
|
|
|
|
ocsp_must_staple: true
|
|
|
|
|
ocsp_must_staple: yes
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
RETURN = '''
|
|
|
|
|
RETURN = r'''
|
|
|
|
|
privatekey:
|
|
|
|
|
description: Path to the TLS/SSL private key the CSR was generated for
|
|
|
|
|
returned: changed or success
|
|
|
|
@ -384,34 +380,34 @@ class CertificateSigningRequestBase(crypto_utils.OpenSSLObject):
|
|
|
|
|
self.privatekey_path = module.params['privatekey_path']
|
|
|
|
|
self.privatekey_passphrase = module.params['privatekey_passphrase']
|
|
|
|
|
self.version = module.params['version']
|
|
|
|
|
self.subjectAltName = module.params['subjectAltName']
|
|
|
|
|
self.subjectAltName_critical = module.params['subjectAltName_critical']
|
|
|
|
|
self.keyUsage = module.params['keyUsage']
|
|
|
|
|
self.keyUsage_critical = module.params['keyUsage_critical']
|
|
|
|
|
self.extendedKeyUsage = module.params['extendedKeyUsage']
|
|
|
|
|
self.extendedKeyUsage_critical = module.params['extendedKeyUsage_critical']
|
|
|
|
|
self.basicConstraints = module.params['basicConstraints']
|
|
|
|
|
self.basicConstraints_critical = module.params['basicConstraints_critical']
|
|
|
|
|
self.ocspMustStaple = module.params['ocspMustStaple']
|
|
|
|
|
self.ocspMustStaple_critical = module.params['ocspMustStaple_critical']
|
|
|
|
|
self.subjectAltName = module.params['subject_alt_name']
|
|
|
|
|
self.subjectAltName_critical = module.params['subject_alt_name_critical']
|
|
|
|
|
self.keyUsage = module.params['key_usage']
|
|
|
|
|
self.keyUsage_critical = module.params['key_usage_critical']
|
|
|
|
|
self.extendedKeyUsage = module.params['extended_key_usage']
|
|
|
|
|
self.extendedKeyUsage_critical = module.params['extended_key_usage_critical']
|
|
|
|
|
self.basicConstraints = module.params['basic_constraints']
|
|
|
|
|
self.basicConstraints_critical = module.params['basic_constraints_critical']
|
|
|
|
|
self.ocspMustStaple = module.params['ocsp_must_staple']
|
|
|
|
|
self.ocspMustStaple_critical = module.params['ocsp_must_staple_critical']
|
|
|
|
|
self.request = None
|
|
|
|
|
self.privatekey = None
|
|
|
|
|
|
|
|
|
|
self.subject = [
|
|
|
|
|
('C', module.params['countryName']),
|
|
|
|
|
('ST', module.params['stateOrProvinceName']),
|
|
|
|
|
('L', module.params['localityName']),
|
|
|
|
|
('O', module.params['organizationName']),
|
|
|
|
|
('OU', module.params['organizationalUnitName']),
|
|
|
|
|
('CN', module.params['commonName']),
|
|
|
|
|
('emailAddress', module.params['emailAddress']),
|
|
|
|
|
('C', module.params['country_name']),
|
|
|
|
|
('ST', module.params['state_or_province_name']),
|
|
|
|
|
('L', module.params['locality_name']),
|
|
|
|
|
('O', module.params['organization_name']),
|
|
|
|
|
('OU', module.params['organizational_unit_name']),
|
|
|
|
|
('CN', module.params['common_name']),
|
|
|
|
|
('emailAddress', module.params['email_address']),
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
if module.params['subject']:
|
|
|
|
|
self.subject = self.subject + crypto_utils.parse_name_field(module.params['subject'])
|
|
|
|
|
self.subject = [(entry[0], entry[1]) for entry in self.subject if entry[1]]
|
|
|
|
|
|
|
|
|
|
if not self.subjectAltName and module.params['useCommonNameForSAN']:
|
|
|
|
|
if not self.subjectAltName and module.params['use_common_name_for_san']:
|
|
|
|
|
for sub in self.subject:
|
|
|
|
|
if sub[0] in ('commonName', 'CN'):
|
|
|
|
|
self.subjectAltName = ['DNS:%s' % sub[1]]
|
|
|
|
@ -944,33 +940,33 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
|
|
|
|
|
def main():
|
|
|
|
|
module = AnsibleModule(
|
|
|
|
|
argument_spec=dict(
|
|
|
|
|
state=dict(default='present', choices=['present', 'absent'], type='str'),
|
|
|
|
|
digest=dict(default='sha256', type='str'),
|
|
|
|
|
privatekey_path=dict(require=True, type='path'),
|
|
|
|
|
state=dict(type='str', default='present', choices=['absent', 'present']),
|
|
|
|
|
digest=dict(type='str', default='sha256'),
|
|
|
|
|
privatekey_path=dict(type='path', require=True),
|
|
|
|
|
privatekey_passphrase=dict(type='str', no_log=True),
|
|
|
|
|
version=dict(default='1', type='int'),
|
|
|
|
|
force=dict(default=False, type='bool'),
|
|
|
|
|
path=dict(required=True, type='path'),
|
|
|
|
|
version=dict(type='int', default=1),
|
|
|
|
|
force=dict(type='bool', default=False),
|
|
|
|
|
path=dict(type='path', required=True),
|
|
|
|
|
subject=dict(type='dict'),
|
|
|
|
|
countryName=dict(aliases=['C', 'country_name'], type='str'),
|
|
|
|
|
stateOrProvinceName=dict(aliases=['ST', 'state_or_province_name'], type='str'),
|
|
|
|
|
localityName=dict(aliases=['L', 'locality_name'], type='str'),
|
|
|
|
|
organizationName=dict(aliases=['O', 'organization_name'], type='str'),
|
|
|
|
|
organizationalUnitName=dict(aliases=['OU', 'organizational_unit_name'], type='str'),
|
|
|
|
|
commonName=dict(aliases=['CN', 'common_name'], type='str'),
|
|
|
|
|
emailAddress=dict(aliases=['E', 'email_address'], type='str'),
|
|
|
|
|
subjectAltName=dict(aliases=['subject_alt_name'], type='list', elements='str'),
|
|
|
|
|
subjectAltName_critical=dict(aliases=['subject_alt_name_critical'], default=False, type='bool'),
|
|
|
|
|
useCommonNameForSAN=dict(type='bool', default=True),
|
|
|
|
|
keyUsage=dict(aliases=['key_usage'], type='list', elements='str'),
|
|
|
|
|
keyUsage_critical=dict(aliases=['key_usage_critical'], default=False, type='bool'),
|
|
|
|
|
extendedKeyUsage=dict(aliases=['extKeyUsage', 'extended_key_usage'], type='list', elements='str'),
|
|
|
|
|
extendedKeyUsage_critical=dict(aliases=['extKeyUsage_critical', 'extended_key_usage_critical'], default=False, type='bool'),
|
|
|
|
|
basicConstraints=dict(aliases=['basic_constraints'], type='list', elements='str'),
|
|
|
|
|
basicConstraints_critical=dict(aliases=['basic_constraints_critical'], default=False, type='bool'),
|
|
|
|
|
ocspMustStaple=dict(aliases=['ocsp_must_staple'], default=False, type='bool'),
|
|
|
|
|
ocspMustStaple_critical=dict(aliases=['ocsp_must_staple_critical'], default=False, type='bool'),
|
|
|
|
|
select_crypto_backend=dict(required=False, choices=['auto', 'pyopenssl', 'cryptography'], default='auto', type='str'),
|
|
|
|
|
country_name=dict(type='str', aliases=['C', 'countryName']),
|
|
|
|
|
state_or_province_name=dict(type='str', aliases=['ST', 'stateOrProvinceName']),
|
|
|
|
|
locality_name=dict(type='str', aliases=['L', 'localityName']),
|
|
|
|
|
organization_name=dict(type='str', aliases=['O', 'organizationName']),
|
|
|
|
|
organizational_unit_name=dict(type='str', aliases=['OU', 'organizationalUnitName']),
|
|
|
|
|
common_name=dict(type='str', aliases=['CN', 'commonName']),
|
|
|
|
|
email_address=dict(type='str', aliases=['E', 'emailAddress']),
|
|
|
|
|
subject_alt_name=dict(type='list', elements='str', aliases=['subjectAltName']),
|
|
|
|
|
subject_alt_name_critical=dict(type='bool', default=False, aliases=['subjectAltName_critical']),
|
|
|
|
|
use_common_name_for_san=dict(type='bool', default=True, aliases=['useCommonNameForSAN']),
|
|
|
|
|
key_usage=dict(type='list', elements='str', aliases=['keyUsage']),
|
|
|
|
|
key_usage_critical=dict(type='bool', default=False, aliases=['keyUsage_critical']),
|
|
|
|
|
extended_key_usage=dict(type='list', elements='str', aliases=['extKeyUsage', 'extendedKeyUsage']),
|
|
|
|
|
extended_key_usage_critical=dict(type='bool', default=False, aliases=['extKeyUsage_critical', 'extendedKeyUsage_critical']),
|
|
|
|
|
basic_constraints=dict(type='list', elements='str', aliases=['basicConstraints']),
|
|
|
|
|
basic_constraints_critical=dict(type='bool', default=False, aliases=['basicConstraints_critical']),
|
|
|
|
|
ocsp_must_staple=dict(type='bool', default=False, aliases=['ocspMustStaple']),
|
|
|
|
|
ocsp_must_staple_critical=dict(type='bool', default=False, aliases=['ocspMustStaple_critical']),
|
|
|
|
|
select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']),
|
|
|
|
|
),
|
|
|
|
|
add_file_common_args=True,
|
|
|
|
|
supports_check_mode=True,
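Review bot: `privatekey_path=dict(type='path', require=True)` keeps the misspelled key `require` from the old line (compare the correctly spelled `path=dict(type='path', required=True)` three lines below), so the option is presumably not enforced as required by AnsibleModule even though DOCUMENTATION states `required: true` for it; an unknown spec key is, as far as this hunk shows, simply not acted on. A caller omitting the option would then reach the CSR signing code with `privatekey_path` unset and get a later, less clear failure instead of an argument-validation error. Change the line to `privatekey_path=dict(type='path', required=True),`. main() continues past the end of the hunk.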
|
|
|
|
|