This is an Ansible role for generating private CA keys and signed certificates. These can be used to secure server/client applications, where both encryption of data in transit and authentication between nodes is required.
When configured properly, keys signed by a private CA can prevent MITM attacks, and can be used for 2-way authentication. An example might be securing the connections between nodes in a Kafka or Elastic Stack cluster.
The role follows these rough steps:
- Generate a CA (Certificate Authority) keypair
- Generate keys and CSRs (Certificate Signing Requests) for specified nodes
- Sign the CSRs using the CA, to create signed certificates (CRTs)
- Optionally package the necessary keys into java keystore/truststore binaries
Check out all the defaults here and override them as needed.
Recommended usage: run the role in a local playbook (see below), then move the generated files somewhere safe. Don't leave the keys lying around. This code is provided as-is, how you use it and store the resulting keys is your responsibility!
This role can be used to create new keys and CRTs from an existing CA certificate if one is present.
After they're created, move the required files into whatever project you're using them in. You can use
Ansible Vault to encrypt the files (including jks
binaries), and Ansible modules like copy
will decrypt them during upload if supplied with the vault password.
You can (and should) check the keys with various openssl
commands. Here are some examples:
openssl x509 -in generated_keys/ca.crt -text -noout
openssl rsa -in generated_keys/<key-name>.key -check
openssl x509 -in generated_keys/<key-name>.crt -text -noout
Due to an Ansible bug (fix now merged in devel
branch), you have to use Python 2.7 when running the tasks to create
java keystores. See this issue for details.
- name: Generate Keys
hosts: 127.0.0.1
connection: local
vars:
ansible_python_interpreter: '/usr/bin/python2.7'
roles:
- role: libre_ops.ca_keys
vars:
cert_organisation: Example Inc.
cert_unit: Keys Department
cert_country: FR
cert_state: Paris
cert_location: Paris
create_keys:
- filename: server
subject:
- "/CN=app.client.org"
- "/O={{ cert_organisation }}"
- "/OU={{ cert_unit }}"
- "/C={{ cert_country }}"
- "/ST={{ cert_state }}"
- "/L={{ cert_location }}"
- filename: client
subject:
- "/CN=app.server.org"
- "/O={{ cert_organisation }}"
- "/OU={{ cert_unit }}"
- "/C={{ cert_country }}"
- "/ST={{ cert_state }}"
- "/L={{ cert_location }}"