Skip to content
/ ca_keys Public

Ansible role for generating private CA keys and signed certificates

License

GPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

libre-ops/ca_keys

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
defaults
defaults
 
 
meta
meta
 
 
tasks
tasks
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Certificate Authority keys

This is an Ansible role for generating private CA keys and signed certificates. These can be used to secure server/client applications, where both encryption of data in transit and authentication between nodes is required.

When configured properly, keys signed by a private CA can prevent MITM attacks, and can be used for 2-way authentication. An example might be securing the connections between nodes in a Kafka or Elastic Stack cluster.

The role follows these rough steps:

  • Generate a CA (Certificate Authority) keypair
  • Generate keys and CSRs (Certificate Signing Requests) for specified nodes
  • Sign the CSRs using the CA, to create signed certificates (CRTs)
  • Optionally package the necessary keys into java keystore/truststore binaries

Defaults

Check out all the defaults here and override them as needed.

Usage

Recommended usage: run the role in a local playbook (see below), then move the generated files somewhere safe. Don't leave the keys lying around. This code is provided as-is, how you use it and store the resulting keys is your responsibility!

This role can be used to create new keys and CRTs from an existing CA certificate if one is present.

After they're created, move the required files into whatever project you're using them in. You can use Ansible Vault to encrypt the files (including jks binaries), and Ansible modules like copy will decrypt them during upload if supplied with the vault password.

Checking the keys

You can (and should) check the keys with various openssl commands. Here are some examples:

openssl x509 -in generated_keys/ca.crt -text -noout
openssl rsa -in generated_keys/<key-name>.key -check
openssl x509 -in generated_keys/<key-name>.crt -text -noout

Python limitation

Due to an Ansible bug (fix now merged in devel branch), you have to use Python 2.7 when running the tasks to create java keystores. See this issue for details.

Example playbook

- name: Generate Keys
  hosts: 127.0.0.1
  connection: local
  
  vars:
    ansible_python_interpreter: '/usr/bin/python2.7'

  roles:
    - role: libre_ops.ca_keys
      vars:
        cert_organisation: Example Inc.
        cert_unit: Keys Department
        cert_country: FR
        cert_state: Paris
        cert_location: Paris
        
        create_keys:
          - filename: server
            subject:
              - "/CN=app.client.org"
              - "/O={{ cert_organisation }}"
              - "/OU={{ cert_unit }}"
              - "/C={{ cert_country }}"
              - "/ST={{ cert_state }}"
              - "/L={{ cert_location }}"
              
          - filename: client
            subject:
              - "/CN=app.server.org"
              - "/O={{ cert_organisation }}"
              - "/OU={{ cert_unit }}"
              - "/C={{ cert_country }}"
              - "/ST={{ cert_state }}"
              - "/L={{ cert_location }}"

About

Ansible role for generating private CA keys and signed certificates

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 2

1.0.1 Latest
Jun 14, 2019
+ 1 release

Packages

No packages published