Refactor certificates role to normalize server and client certificate creation

Signed-off-by: Eric D. Helms <ericdhelms@gmail.com>

Author: ehelms

playbooks/deploy.yaml

@@ -5,29 +5,36 @@
   become: true
   vars:
     certificates_hostnames:
+      - "{{ ansible_fqdn }}"
       - localhost
+    ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
+    ca_key: "{{ certificates_ca_directory }}/private/ca.key"
+    server_certificate: "{{ certificates_ca_directory }}/certs/{{ ansible_fqdn }}.crt"
+    server_key: "{{ certificates_ca_directory }}/private/{{ ansible_fqdn }}.key"
+    client_certificate: "{{ certificates_ca_directory }}/certs/{{ ansible_fqdn }}-client.crt"
+    client_key: "{{ certificates_ca_directory }}/private/{{ ansible_fqdn }}-client.key"
     candlepin_db_password: "CHANGEME"
     candlepin_keystore_password: "CHANGEME"
     candlepin_oauth_secret: "CHANGEME"
-    candlepin_ca_key: "{{ certificates_ca_directory }}/private/ca.key"
-    candlepin_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
+    candlepin_ca_key: "{{ ca_key }}"
+    candlepin_ca_certificate: "{{ ca_certificate }}"
     candlepin_tomcat_key: "{{ certificates_ca_directory }}/private/localhost.key"
     candlepin_tomcat_certificate: "{{ certificates_ca_directory }}/certs/localhost.crt"
-    candlepin_client_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}-client.key"
-    candlepin_client_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}-client.crt"
-    foreman_proxy_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
-    foreman_proxy_server_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}.key"
-    foreman_proxy_server_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}.crt"
-    foreman_proxy_client_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}-client.key"
-    foreman_proxy_client_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}-client.crt"
-    foreman_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
-    foreman_client_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}-client.key"
-    foreman_client_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}-client.crt"
+    candlepin_client_key: "{{ client_key }}"
+    candlepin_client_certificate: "{{ client_certificate }}"
+    foreman_proxy_ca_certificate: "{{ ca_certificate }}"
+    foreman_proxy_server_key: "{{ server_key }}"
+    foreman_proxy_server_certificate: "{{ server_ceritificate }}"
+    foreman_proxy_client_key: "{{ client_key }}"
+    foreman_proxy_client_certificate: "{{ client_certificate }}"
+    foreman_ca_certificate: "{{ ca_certificate }}"
+    foreman_client_key: "{{ client_key }}"
+    foreman_client_certificate: "{{ client_certificate }}"
     foreman_db_password: "CHANGEME"
-    httpd_server_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
-    httpd_client_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
-    httpd_server_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}.crt"
-    httpd_server_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}.key"
+    httpd_server_ca_certificate: "{{ ca_certificate }}"
+    httpd_client_ca_certificate: "{{ ca_certificate }}"
+    httpd_server_certificate: "{{ server_certificate }}"
+    httpd_server_key: "{{ server_key }}"
     pulp_db_password: "CHANGEME"
     pulp_content_origin: "https://{{ ansible_fqdn }}"
     postgresql_databases:

roles/certificates/defaults/main.yml

@@ -1,7 +1,6 @@
 ---
+certificates_ca: true
 certificates_ca_directory: /root/certificates # Change this to /var/lib?
 certificates_ca_directory_keys: "{{ certificates_ca_directory }}/private"
 certificates_ca_directory_certs: "{{ certificates_ca_directory }}/certs"
 certificates_ca_directory_requests: "{{ certificates_ca_directory }}/requests"
-certificates_server: "{{ ansible_fqdn }}"
-certificates_client: "{{ ansible_fqdn }}-client"

roles/certificates/tasks/ca.yml

@@ -0,0 +1,60 @@
+---
+- name: 'Install openssl'
+  ansible.builtin.package:
+    name: openssl
+    state: present
+
+- name: 'Create certs directory'
+  ansible.builtin.file:
+    path: "{{ certificates_ca_directory_certs }}"
+    state: directory
+    mode: '0755'
+
+- name: 'Create keys directory'
+  ansible.builtin.file:
+    path: "{{ certificates_ca_directory_keys }}"
+    state: directory
+    mode: '0755'
+
+- name: 'Create requests directory'
+  ansible.builtin.file:
+    path: "{{ certificates_ca_directory_requests }}"
+    state: directory
+    mode: '0755'
+
+- name: 'Deploy configuration file'
+  ansible.builtin.template:
+    src: openssl.cnf.j2
+    dest: "{{ certificates_ca_directory }}/openssl.cnf"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: 'Create index file'
+  ansible.builtin.file:
+    path: "{{ certificates_ca_directory }}/index.txt"
+    state: touch
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: 'Ensure serial starting number'
+  ansible.builtin.template:
+    src: serial.j2
+    dest: "{{ certificates_ca_directory }}/serial"
+    force: false
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: 'Creating CA certificate and key'
+  ansible.builtin.command: >
+    openssl req -new
+      -x509
+      -nodes
+      -extensions v3_ca
+      -config "{{ certificates_ca_directory }}/openssl.cnf"
+      -keyout "{{ certificates_ca_directory_keys }}/ca.key"
+      -out "{{ certificates_ca_directory_certs }}/ca.crt"
+  args:
+    creates: "{{ certificates_ca_directory_certs }}/ca.crt"

roles/certificates/tasks/issue.yml

@@ -1,23 +1,60 @@
 ---
-- name: 'Creating signing request'
+- name: 'Create server key'
   ansible.builtin.command: >
-    openssl req -new
-      -newkey rsa:2048
-      -nodes
-      -out    "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
-      -keyout "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}.key"
-      -subj "/C=US/ST=North Carolina/L=Raleigh/O=Foreman/OU=Katello/CN={{ certificates_hostname }}"
+    openssl genrsa
+      -out "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}.key"
+      4096
+  args:
+    creates: "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}.key"
+
+- name: 'Creating server signing request'
+  ansible.builtin.command: >
+    openssl req
+      -new
+      -config "{{ certificates_ca_directory }}/openssl.cnf"
+      -key "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}.key"
+      -out "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
   args:
     creates: "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
 
-- name: 'Sign signing request'
+- name: 'Sign server signing request'
+  ansible.builtin.command: >
+    openssl ca
+      -create_serial
+      -batch
+      -extensions ssl_server
+      -config "{{ certificates_ca_directory }}/openssl.cnf"
+      -in "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
+      -out "{{ certificates_ca_directory_certs }}/{{ certificates_hostname }}.crt"
+  args:
+    creates: "{{ certificates_ca_directory_certs }}/{{ certificates_hostname }}.crt"
+
+- name: 'Create client key'
+  ansible.builtin.command: >
+    openssl genrsa
+      -out "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}-client.key"
+      4096
+  args:
+    creates: "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}-client.key"
+
+- name: 'Creating client signing request'
+  ansible.builtin.command: >
+    openssl req
+      -new
+      -config "{{ certificates_ca_directory }}/openssl.cnf"
+      -key "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}-client.key"
+      -out "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}-client.csr"
+  args:
+    creates: "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}-client.csr"
+
+- name: 'Sign client signing request'
   ansible.builtin.command: >
       openssl ca
-        -config "{{ certificates_ca_directory }}/openssl.cnf"
+        -create_serial
         -batch
-        -policy signing_policy
-        -extensions signing_req
-        -out "{{ certificates_ca_directory_certs }}/{{ certificates_hostname }}.crt"
-        -infiles "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
+        -extensions ssl_client
+        -config "{{ certificates_ca_directory }}/openssl.cnf"
+        -in "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}-client.csr"
+        -out "{{ certificates_ca_directory_certs }}/{{ certificates_hostname }}-client.crt"
   args:
-    creates: "{{ certificates_ca_directory_certs }}/{{ certificates_hostname }}.crt"
+    creates: "{{ certificates_ca_directory_certs }}/{{ certificates_hostname }}-client.crt"

roles/certificates/tasks/main.yml

@@ -1,121 +1,7 @@
 ---
-- name: 'Install openssl'
-  ansible.builtin.package:
-    name: openssl
-    state: present
-
-- name: 'Create certs directory'
-  ansible.builtin.file:
-    path: "{{ certificates_ca_directory_certs }}"
-    state: directory
-    mode: '0755'
-
-- name: 'Create keys directory'
-  ansible.builtin.file:
-    path: "{{ certificates_ca_directory_keys }}"
-    state: directory
-    mode: '0755'
-
-- name: 'Create requests directory'
-  ansible.builtin.file:
-    path: "{{ certificates_ca_directory_requests }}"
-    state: directory
-    mode: '0755'
-
-- name: 'Deploy configuration file'
-  ansible.builtin.template:
-    src: openssl.cnf.j2
-    dest: "{{ certificates_ca_directory }}/openssl.cnf"
-    owner: root
-    group: root
-    mode: '0644'
-
-- name: 'Create index file'
-  ansible.builtin.file:
-    path: "{{ certificates_ca_directory }}/index.txt"
-    state: touch
-    owner: root
-    group: root
-    mode: '0644'
-
-- name: 'Ensure serial starting number'
-  ansible.builtin.template:
-    src: serial.j2
-    dest: "{{ certificates_ca_directory }}/serial"
-    force: false
-    owner: root
-    group: root
-    mode: '0644'
-
-- name: 'Creating CA certificate and key'
-  ansible.builtin.command: >
-    openssl req -new
-      -x509
-      -nodes
-      -extensions v3_ca
-      -config "{{ certificates_ca_directory }}/openssl.cnf"
-      -keyout "{{ certificates_ca_directory_keys }}/ca.key"
-      -out "{{ certificates_ca_directory_certs }}/ca.crt"
-  args:
-    creates: "{{ certificates_ca_directory_certs }}/ca.crt"
-
-- name: 'Create server key'
-  ansible.builtin.command: >
-    openssl genrsa
-      -out "{{ certificates_ca_directory_keys }}/{{ certificates_server }}.key"
-  args:
-    creates: "{{ certificates_ca_directory_keys }}/{{ certificates_server }}.key"
-
-- name: 'Create server signing request'
-  ansible.builtin.command: >
-    openssl req
-      -new
-      -config "{{ certificates_ca_directory }}/openssl.cnf"
-      -key "{{ certificates_ca_directory_keys }}/{{ certificates_server }}.key"
-      -out "{{ certificates_ca_directory_requests }}/{{ certificates_server }}.csr"
-  args:
-    creates: "{{ certificates_ca_directory_requests }}/{{ certificates_server }}.csr"
-
-- name: 'Create server certificate'
-  ansible.builtin.command: >
-    openssl ca
-      -create_serial
-      -batch
-      -extensions ssl_server
-      -config "{{ certificates_ca_directory }}/openssl.cnf"
-      -in "{{ certificates_ca_directory_requests }}/{{ certificates_server }}.csr"
-      -out "{{ certificates_ca_directory_certs }}/{{ certificates_server }}.crt"
-  args:
-    creates: "{{ certificates_ca_directory_certs }}/{{ certificates_server }}.crt"
-
-- name: 'Create client key'
-  ansible.builtin.command: >
-    openssl genrsa
-      -out "{{ certificates_ca_directory_keys }}/{{ certificates_client }}.key"
-  args:
-    creates: "{{ certificates_ca_directory_keys }}/{{ certificates_client }}.key"
-
-- name: 'Create client signing request'
-  ansible.builtin.command: >
-    openssl req
-      -new
-      -config "{{ certificates_ca_directory }}/openssl.cnf"
-      -key "{{ certificates_ca_directory_keys }}/{{ certificates_client }}.key"
-      -out "{{ certificates_ca_directory_requests }}/{{ certificates_client }}.csr"
-  args:
-    creates: "{{ certificates_ca_directory_requests }}/{{ certificates_client }}.csr"
-
-- name: 'Create server certificate'
-  ansible.builtin.command: >
-    openssl ca
-      -create_serial
-      -batch
-      -extensions ssl_client
-      -config "{{ certificates_ca_directory }}/openssl.cnf"
-      -in "{{ certificates_ca_directory_requests }}/{{ certificates_client }}.csr"
-      -out "{{ certificates_ca_directory_certs }}/{{ certificates_client }}.crt"
-  args:
-    creates: "{{ certificates_ca_directory_certs }}/{{ certificates_client }}.crt"
+- name: 'Generate CA certificate'
+  ansible.builtin.include_tasks: ca.yml
+  when: certificates_ca
 
 - name: 'Issue other certificates'
   ansible.builtin.include_tasks: issue.yml

roles/certificates/templates/openssl.cnf.j2

@@ -36,7 +36,7 @@ commonName             = supplied
 emailAddress           = optional
 
 [ req ]
-default_bits        = 2048
+default_bits        = 4096
 default_keyfile     = privkey.pem
 distinguished_name  = req_distinguished_name
 req_extensions      = v3_req