Abstract

This role uses the root and intermediate certificate authorities from the ca and int roles to sign a certificate that can be used for encrypted services.

Certificate Signing Readme

Certificate Sign Requirements

This role assumes the presence of openssl on an ArchLinux system, along with services that can accept certificates issued by a private authority that is not globally trusted.

Certificate Sign Role Variables

This role requires the following variables to be set.

Each variable is listed with its description and default value.

sign_ca_san
    description: the subject alternative names for the CA
    default:
        - DNS:ca.iana.org
        - email:user@iana.org

sign_cert_san
    description: the subject alternative names for the signed cert
    default:
        - DNS:cert.iana.org
        - email:user@iana.org

sign_common_name
    description: the common name to be associated with the signed cert
    default: cert.iana.org

sign_int_path_crt
    description: filesystem path to the intermediate authority cert
    default: /etc/ssl/root/int/certs/int.crt

sign_int_path_key
    description: filesystem path to the intermediate authority private key
    default: /etc/ssl/root/int/private/int.key

sign_int_san
    description: subject alternative names for the intermediate cert
    default:
        - DNS:int.iana.org
        - email:user@iana.org

sign_dirs
    description: a list of directories required by the signed cert
    default:
        - /etc/ssl/root/int/private
        - /etc/ssl/root/int/certs
        - /etc/ssl/root/int/csr
        - /etc/ssl/root/int

sign_path_crt
    description: path to the ca crt
    default: /etc/ssl/root/int/certs/iana.org.crt

sign_path_csr
    description: path to the certificate signing request
    default: /etc/ssl/root/int/csr/iana.org.csr

sign_path_key
    description: filesystem path to the private key for the signed cert
    default: /etc/ssl/root/int/private/iana.org.key

Dependencies

The ca and int roles should have been run on the target before using this role, since this role signs with the intermediate authority they create.

Example Playbook

The site.yml at the root of this repo contains a complete example of usage for this role.

- name: Sign End User Certificate
  hosts: localhost
  roles:
    - role: sign
      tags:
        - sign
      vars:
        sign_ca_san:
          - DNS:ca.iana.org
          - email:user@iana.org
        sign_cert_san:
          - DNS:cert.iana.org
          - email:user@iana.org
        sign_common_name: cert.iana.org
        sign_int_path_crt: /etc/ssl/root/int/certs/int.crt
        sign_int_path_key: /etc/ssl/root/int/private/int.key
        sign_int_san:
          - DNS:int.iana.org
          - email:user@iana.org
        sign_dirs:
          - /etc/ssl/root/int/certs
          - /etc/ssl/root/int/csr
          - /etc/ssl/root/int/private
          - /etc/ssl/root/int
        sign_path_crt: /etc/ssl/root/int/certs/iana.crt
        sign_path_csr: /etc/ssl/root/int/csr/iana.csr
        sign_path_key: /etc/ssl/root/int/private/iana.key

License

Unlicense

Author Information

Code author: Xander Harris xandertheharris@gmail.com

Section author: Xander Harris xandertheharris@gmail.com