diff --git a/defaults/main.yml b/defaults/main.yml
index 53e1c57..ef62266 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -17,3 +17,6 @@ easy_rsa_req_country: 'IT'
 easy_rsa_req_province: 'Province'
 easy_rsa_req_city: 'City'
 easy_rsa_req_org: 'Organization'
+easy_rsa_add_crl_url: False
+easy_rsa_crl_url: http://localhost/crl/crl.pem
+easy_rsa_critical_ca_false: True
diff --git a/tasks/main.yml b/tasks/main.yml
index e0d018e..e4b00c3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -44,6 +44,27 @@
 with_items: '{{ easy_rsa_helper_scripts }}'
 tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_helper_scripts' ]
 
+ - name: Fix the CA:False constraint
+ lineinfile:
+ path: '{{ easy_rsa_base_dir }}/x509-types/{{ item }}'
+ regexp: '^basicConstraints\ =\ CA:FALSE'
+ line: 'basicConstraints = critical,CA:FALSE'
+ loop:
+ - client
+ - code-signing
+ - email
+ - kdc
+ - server
+ - serverClient
+ when: easy_rsa_critical_ca_false
+
+ - name: Add a CRL distribution URI
+ lineinfile:
+ path: '{{ easy_rsa_base_dir }}/x509-types/COMMON'
+ regexp: '^crlDistributionPoints.*'
+ line: 'crlDistributionPoints = URI:{{ easy_rsa_crl_url }}'
+ when: easy_rsa_add_crl_url
+
 - name: Check if the CA has been initialized yet
 stat: path={{ easy_rsa_pki_basedir }}/pki/private/ca.key
 register: easy_rsa_ca_key_file
diff --git a/templates/renew-client-host-certificate.sh.j2 b/templates/renew-client-host-certificate.sh.j2
new file mode 100644
index 0000000..c55614e
--- /dev/null
+++ b/templates/renew-client-host-certificate.sh.j2
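Review bot: `easy_rsa_crl_url` defaults to `http://localhost/crl/crl.pem`, so enabling `easy_rsa_add_crl_url` without overriding it stamps every issued certificate with a CRL distribution point that verifiers cannot fetch (localhost resolves to the verifier itself), and a CDP extension cannot be corrected afterwards without re-issuing. Consider a guard in tasks/main.yml before the URL is used, e.g. `- assert: { that: easy_rsa_crl_url != 'http://localhost/crl/crl.pem', fail_msg: 'set easy_rsa_crl_url to the published CRL' }` with `when: easy_rsa_add_crl_url`, or at least document the override next to the variable. Keep the scheme plain http: a CDP served over https would require validating a certificate whose revocation status depends on the same CRL. Stylistically, `False`/`True` work in Ansible, but lowercase `false`/`true` are the form yamllint's truthy rule accepts, and quoting the URL (`'http://localhost/crl/crl.pem'`) protects it from YAML special-character surprises.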
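Review bot: The regexp `'^basicConstraints\ =\ CA:FALSE'` on the "Fix the CA:False constraint" task no longer matches once the line reads `basicConstraints = critical,CA:FALSE`, and lineinfile's documented behaviour when the regexp matches nothing is to append `line` at EOF, so every later run adds another basicConstraints line to each x509-types file. Make the regexp match both states, `regexp: '^basicConstraints\s*=\s*(critical,)?CA:FALSE'`, so the task is idempotent; the CRL task is not affected because `'^crlDistributionPoints.*'` matches its own output. Both new tasks also lack the `tags:` line the neighbouring tasks carry, so a run limited with `--tags easy_rsa` would skip them; add `tags: [ 'easyrsa', 'easy_rsa', 'ca' ]` to each. Note too that setting either variable back to False does not undo the edit, since lineinfile only ever adds here — acceptable if stated in defaults/main.yml.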
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+host_arg=
+if [ $# -ne 1 ] ; then
+ echo "You need to pass just one argument: the full hostname for wich the certificate is required"
+ exit 1
+else
+ host_arg="$1"
+fi
+
+easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
+easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
+easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_vars_file="${easy_rsa_base_dir}/vars"
+if [ -f "${easy_vars_file}.tmpl" ] ; then
+ echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
+ exit 1
+fi
+
+echo ""
+echo "Starting the renewal of a client host certificate."
+echo ""
+
+cd "$easy_rsa_base_dir"
+./easyrsa renew "$host_arg" nopass
+
+echo ""
+echo "Done."
+echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
+echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
+echo ""
+echo "Remember that the key of the host certificates do not passphrase protected"
+
+exit 0
diff --git a/templates/renew-personal-certificate.sh.j2 b/templates/renew-personal-certificate.sh.j2
new file mode 100644
index 0000000..09cd5c8
--- /dev/null
+++ b/templates/renew-personal-certificate.sh.j2
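Review bot: The renewal's exit status is never checked: `cd "$easy_rsa_base_dir"` and `./easyrsa renew "$host_arg" nopass` can both fail, yet the script still prints "Done." with the certificate and key paths and exits 0, so an operator or a wrapper testing `$?` is told the renewal succeeded. Change them to `cd "$easy_rsa_base_dir" || exit 1` and `./easyrsa renew "$host_arg" nopass || exit 1` (or put `set -e` at the top). Depending on the easy-rsa version, `renew` also revokes the superseded certificate, so the CRL at the distribution point this change introduces stays stale until `./easyrsa gen-crl` is run and published — worth a closing reminder next to the nopass warning. Minor wording: "wich" in the usage message and "do not passphrase protected" in the last echo.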
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+name_arg=
+email_arg=
+if [ $# -ne 2 ] ; then
+ echo "You need to pass exactly two parameters in the following order: the full name, between double quotes, and the email address"
+ exit 1
+else
+ name_arg="$1"
+ email_arg="$2"
+fi
+
+easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
+easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
+easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_vars_file="${easy_rsa_base_dir}/vars"
+if [ -f "${easy_vars_file}.tmpl" ] ; then
+ echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
+ exit 1
+fi
+
+echo ""
+echo "Starting the renewal of a client host certificate."
+echo "Remember that you need to supply a passphrase for the private key."
+echo ""
+
+sleep 5
+
+cd "$easy_rsa_base_dir"
+cp -f "$easy_vars_file" "${easy_vars_file}.tmpl"
+sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g" "$easy_vars_file"
+./easyrsa renew "$name_arg"
+mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"
+
+echo ""
+echo "Done."
+echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
+echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
+echo ""
+
+exit 0
diff --git a/templates/renew-server-host-certificate.sh.j2 b/templates/renew-server-host-certificate.sh.j2
new file mode 100644
index 0000000..27cfaeb
--- /dev/null
+++ b/templates/renew-server-host-certificate.sh.j2
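Review bot: If `./easyrsa renew "$name_arg"` fails or the operator interrupts it at the passphrase prompt, the script never reaches the `mv -f` on the next line and the CA's `vars` file is left with the substituted email address, which the `.tmpl` guard then turns into a hard stop on every later run until someone repairs it by hand. Restore it on any exit instead: right after the `cp -f`, add `trap 'mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"' EXIT` and drop the explicit `mv -f`, and use `cd "$easy_rsa_base_dir" || exit 1` and `./easyrsa renew "$name_arg" || exit 1` so "Done." is not printed after a failure. `$email_arg` is also spliced unescaped into the sed program, so an address containing `/`, `&` or `\` corrupts the substitution (and on GNU sed a crafted value can introduce further sed commands); reject those characters up front, e.g. `case "$email_arg" in *[/\\&]*) echo "invalid email address"; exit 1;; esac`. The banner still says "client host certificate" although this script renews a personal certificate.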
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+host_arg=
+if [ $# -ne 1 ] ; then
+ echo "You need to pass just one argument: the full hostname for wich the certificate is required"
+ exit 1
+else
+ host_arg="$1"
+fi
+
+easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
+easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
+easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_vars_file="${easy_rsa_base_dir}/vars"
+if [ -f "${easy_vars_file}.tmpl" ] ; then
+ echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
+ exit 1
+fi
+
+echo ""
+echo "Starting the renewal of a server host certificate."
+echo ""
+
+cd "$easy_rsa_base_dir"
+./easyrsa renew "$host_arg" nopass
+
+echo ""
+echo "Done."
+echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
+echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
+echo ""
+echo "Remember that the key of the host certificates do not passphrase protected"
+
+exit 0
diff --git a/templates/safessl-easyrsa.cnf b/templates/safessl-easyrsa.cnf
index 030785c..629c6c2 100644
--- a/templates/safessl-easyrsa.cnf
+++ b/templates/safessl-easyrsa.cnf
@@ -107,9 +107,12 @@ emailAddress_max = 64
 # dynamically. This core section is left to support the odd usecase where
 # a user calls openssl directly.
 [ basic_exts ]
-basicConstraints = CA:FALSE
+basicConstraints = {% if easy_rsa_critical_ca_false %}critical,{% endif %}CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
+{% if easy_rsa_add_crl_url %}
+crlDistributionPoints = URI:{{ easy_rsa_crl_url }}
+{% endif %}
 
 # The Easy-RSA CA extensions
 [ easyrsa_ca ]
diff --git a/vars/main.yml b/vars/main.yml
index 318abae..84b7d45 100644
--- a/vars/main.yml
+++ b/vars/main.yml
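Review bot: Apart from the word "server" in one echo, this file is identical to renew-client-host-certificate.sh.j2, including the unchecked `cd "$easy_rsa_base_dir"` and `./easyrsa renew "$host_arg" nopass` lines that let the script report "Done." and exit 0 after a failed renewal; at minimum append `|| exit 1` to both. Consider one template parameterised on the certificate type, since the hostname argument, the `.tmpl` guard and the nopass handling are the same in both, so future fixes land in one place. Same wording nits as the client script: "wich" and "do not passphrase protected".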
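Review bot: The new `crlDistributionPoints` line is undocumented, and whoever changes `easy_rsa_crl_url` later needs two facts that are not obvious from the template: the CRL must be reachable over plain http (an https CDP would require validating a certificate whose revocation status depends on the CRL being fetched), and nothing in this change generates or publishes the CRL, so the URI only helps once `easyrsa gen-crl` output is actually served there. Add above the `{% if easy_rsa_add_crl_url %}` line: `# CRL distribution point written into every issued cert; publish the output of` / `# 'easyrsa gen-crl' at easy_rsa_crl_url over plain http (https would be circular).` As the existing comment above the section says, `[ basic_exts ]` only matters for direct openssl invocations — easy-rsa itself reads x509-types, which the tasks file edits separately — so a short note that the two must be kept in step would save the next maintainer a surprise.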
@@ -18,4 +18,7 @@ easy_rsa_helper_scripts:
 - 'client-host-certificate'
 - 'server-host-certificate'
 - 'personal-certificate'
+ - 'renew-client-host-certificate'
+ - 'renew-server-host-certificate'
+ - 'renew-personal-certificate'