Added steps to generate CA signed certificates

jborean93 · Sep 2, 2020 · 0614c55 · 0614c55
1 parent 371abc8
commit 0614c55
Show file tree

Hide file tree

Showing 4 changed files with 166 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -29,4 +29,5 @@ __pycache__/
 /ci-*.zip
 /Unix/build-*
 /integration_environment/.vagrant
+/integration_environment/cert_setup
 /integration_environment/exchange*
diff --git a/integration_environment/files/generate_cert.sh b/integration_environment/files/generate_cert.sh
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+set -o pipefail -eux
+
+SUBJECT="${1}"
+PASSWORD="${2}"
+
+generate () {
+    KEY="${1}"
+    ALGORITHM="${2:-}"
+    EXTRA_OPTIONS=()
+
+    if [ -z "${ALGORITHM}" ]; then
+        OUTPUT_PATH="${KEY}"
+
+    else
+        echo "Generating RSASSA-PSS certificate"
+        OUTPUT_PATH="${KEY}-${ALGORITHM}"
+        EXTRA_OPTIONS=("-sigopt" "rsa_padding_mode:${ALGORITHM}")
+
+    fi
+
+    echo "Generating ${KEY} signed cert"
+    openssl req \
+        -new \
+        "-${KEY}" \
+        -subj "/CN=${SUBJECT}" \
+        -newkey rsa:2048 \
+        -keyout "${OUTPUT_PATH}.key" \
+        -out "${OUTPUT_PATH}.csr" \
+        -config openssl.conf \
+        -reqexts req \
+        -passin pass:"${PASSWORD}" \
+        -passout pass:"${PASSWORD}" \
+        ${EXTRA_OPTIONS[@]}
+
+    openssl x509 \
+        -req \
+        -in "${OUTPUT_PATH}.csr" \
+        -"-${KEY}" \
+        -CA ca.pem \
+        -CAkey ca.key \
+        -CAcreateserial \
+        -out "${OUTPUT_PATH}.pem" \
+        -days 365 \
+        -extfile openssl.conf \
+        -extensions req \
+        -passin pass:"${PASSWORD}" \
+        ${EXTRA_OPTIONS[@]}
+
+    openssl pkcs12 \
+        -export \
+        -out "${OUTPUT_PATH}.pfx" \
+        -inkey "${OUTPUT_PATH}.key" \
+        -in "${OUTPUT_PATH}.pem" \
+        -passin pass:"${PASSWORD}" \
+        -passout pass:"${PASSWORD}"
+}
+
+echo "Generating CA issuer"
+openssl genrsa \
+    -aes256 \
+    -out ca.key \
+    -passout pass:"${PASSWORD}"
+
+openssl req \
+    -new \
+    -x509 \
+    -days 365 \
+    -key ca.key \
+    -out ca.pem \
+    -subj "/CN=OMI Root" \
+    -passin pass:"${PASSWORD}"
+
+generate sha1
+generate sha224
+generate sha256
+generate sha256 pss
+generate sha384
+generate sha512
+generate sha512 pss
+
+touch complete.txt
diff --git a/integration_environment/main.yml b/integration_environment/main.yml
@@ -11,6 +11,67 @@
   tags:
   - windows
   tasks:
+  - name: create cert output folder
+    file:
+      path: '{{ playbook_dir }}/cert_setup'
+      state: directory
+    delegate_to: localhost
+
+  - name: create ssl config file
+    template:
+      src: openssl.conf.tmpl
+      dest: '{{ playbook_dir }}/cert_setup/openssl.conf'
+    delegate_to: localhost
+
+  - name: generate CA and WinRM certificates
+    script: generate_cert.sh {{ (inventory_hostname ~ "." ~ domain_name) | quote }} password
+    args:
+      creates: '{{ playbook_dir }}/cert_setup/complete.txt'
+      chdir: '{{ playbook_dir }}/cert_setup'
+    delegate_to: localhost
+
+  - name: copy certifies to the Windows host
+    win_copy:
+      src: '{{ playbook_dir }}/cert_setup'
+      dest: C:\Windows\TEMP\
+
+  - name: import the WinRM certs to the certificate store
+    win_certificate_store:
+      path: C:\Windows\TEMP\cert_setup\{{ item }}.pfx
+      key_exportable: no
+      key_storage: machine
+      password: password
+      state: present
+      store_location: LocalMachine
+      store_name: My
+    register: winrm_cert_info
+    with_items:
+    - sha1
+    - sha224
+    - sha256
+    - sha256-pss
+    - sha384
+    - sha512
+    - sha512-pss
+
+  - name: set friendlyname on imported certificates for test info
+    win_shell: |
+      $ErrorActionPreference = 'Stop'
+      $desiredName = '{{ item.item }}'
+
+      $cert = Get-Item -LiteralPath Cert:\LocalMachine\My\{{ item.thumbprints[0] }}
+      if ($cert.FriendlyName -ne $desiredName) {
+          $cert.FriendlyName = $desiredName
+          $true
+      } else {
+          $false
+      }
+    with_items: '{{ winrm_cert_info.results }}'
+    loop_control:
+      label: '{{ item.item }}'
+    register: winrm_cert_friendly_name
+    changed_when: winrm_cert_friendly_name.stdout | trim | bool
+
   - name: get network connection for private adapter
     win_shell: |
       foreach ($instance in (Get-CimInstance -ClassName Win32_NetworkAdapter -Filter "Netenabled='True'")) {
@@ -73,6 +134,18 @@
       ansible_become_user: '{{ domain_upn }}'
       ansible_become_pass: '{{ domain_password }}'
 
+  - name: make sure the CBT level is set to Strict
+    win_shell: |
+      $cbtPath = 'WSMan:\localhost\Service\Auth\CbtHardeningLevel'
+      if ((Get-Item -LiteralPath $cbtPath).Value -ne 'Strict') {
+          Set-Item -LiteralPath $cbtPath -Value Strict
+          $true
+      } else {
+          $false
+      }
+    register: cbt_result
+    changed_when: cbt_result.stdout | trim | bool
+
 - name: set up Linux test host
   hosts: linux
   gather_facts: no

diff --git a/integration_environment/templates/openssl.conf.tmpl b/integration_environment/templates/openssl.conf.tmpl
@@ -0,0 +1,9 @@
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[req]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = DNS:{{ inventory_hostname }}.{{ domain_name }}