Add some options. renewal scripts.
This commit is contained in:
parent
7567958bec
commit
2b61560c77
@ -17,3 +17,6 @@ easy_rsa_req_country: 'IT'
|
||||||
easy_rsa_req_province: 'Province'
|
easy_rsa_req_province: 'Province'
|
||||||
easy_rsa_req_city: 'City'
|
easy_rsa_req_city: 'City'
|
||||||
easy_rsa_req_org: 'Organization'
|
easy_rsa_req_org: 'Organization'
|
||||||
|
easy_rsa_add_crl_url: False
|
||||||
|
easy_rsa_crl_url: http://localhost/crl/crl.pem
|
||||||
|
easy_rsa_critical_ca_false: True
|
||||||
|
|
|
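Review bot: The default `easy_rsa_crl_url: http://localhost/crl/crl.pem` is a placeholder that, once `easy_rsa_add_crl_url` is switched on, is written into the crlDistributionPoints extension of every certificate issued afterwards, and an issued certificate cannot be corrected later — relying parties that honour the CDP will try to fetch the CRL from their own localhost. A comment above the variable should say so, e.g. `# Override with the URL from which relying parties can actually fetch crl.pem; it is baked into every issued certificate and cannot be changed after issuance.` The two new booleans are written `False`/`True`; Ansible convention is lowercase `false`/`true`, which also keeps yamllint's truthy rule quiet. Since `easy_rsa_critical_ca_false` is on by default, end-entity certificates issued after this change carry a differently encoded basicConstraints than the stock `CA:FALSE` line, which the variable's comment should mention as well.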
@ -44,6 +44,27 @@
|
||||||
with_items: '{{ easy_rsa_helper_scripts }}'
|
with_items: '{{ easy_rsa_helper_scripts }}'
|
||||||
tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_helper_scripts' ]
|
tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_helper_scripts' ]
|
||||||
|
|
||||||
|
- name: Fix the CA:False constraint
|
||||||
|
lineinfile:
|
||||||
|
path: '{{ easy_rsa_base_dir }}/x509-types/{{ item }}'
|
||||||
|
regexp: '^basicConstraints\ =\ CA:FALSE'
|
||||||
|
line: 'basicConstraints = critical,CA:FALSE'
|
||||||
|
loop:
|
||||||
|
- client
|
||||||
|
- code-signing
|
||||||
|
- email
|
||||||
|
- kdc
|
||||||
|
- server
|
||||||
|
- serverClient
|
||||||
|
when: easy_rsa_critical_ca_false
|
||||||
|
|
||||||
|
- name: Add a CRL distribution URI
|
||||||
|
lineinfile:
|
||||||
|
path: '{{ easy_rsa_base_dir }}/x509-types/COMMON'
|
||||||
|
regexp: '^crlDistributionPoints.*'
|
||||||
|
line: 'crlDistributionPoints = URI:{{ easy_rsa_crl_url }}'
|
||||||
|
when: easy_rsa_add_crl_url
|
||||||
|
|
||||||
- name: Check if the CA has been initialized yet
|
- name: Check if the CA has been initialized yet
|
||||||
stat: path={{ easy_rsa_pki_basedir }}/pki/private/ca.key
|
stat: path={{ easy_rsa_pki_basedir }}/pki/private/ca.key
|
||||||
register: easy_rsa_ca_key_file
|
register: easy_rsa_ca_key_file
|
||||||
|
|
|
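Review bot: The `regexp: '^basicConstraints\ =\ CA:FALSE'` in the "Fix the CA:False constraint" task only matches the stock spelling of the line; a type file spaced differently, or one that already reads `critical,CA:FALSE` from a hand edit, does not match, and lineinfile then appends a second `basicConstraints` entry at the end of the file instead of replacing the existing one (it only skips the append when the new line is already present verbatim). A tolerant pattern covers both the first and later runs: `regexp: '^\s*basicConstraints\s*=\s*(critical,)?CA:FALSE\s*$'`. The loop also assumes every listed type file (`kdc`, `code-signing`, …) exists in the installed easy-rsa; lineinfile fails on a missing path unless `create` is set, so either stat the files first or limit the list to what the role is known to ship. Note too that turning `easy_rsa_critical_ca_false` back off does not revert the edit — the task is one-way, which is worth a comment on the `when:` line.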
@ -0,0 +1,34 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
host_arg=
|
||||||
|
if [ $# -ne 1 ] ; then
|
||||||
|
echo "You need to pass just one argument: the full hostname for wich the certificate is required"
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
host_arg="$1"
|
||||||
|
fi
|
||||||
|
|
||||||
|
easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
|
||||||
|
easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
|
||||||
|
easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
|
||||||
|
easy_vars_file="${easy_rsa_base_dir}/vars"
|
||||||
|
if [ -f "${easy_vars_file}.tmpl" ] ; then
|
||||||
|
echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Starting the renewal of a client host certificate."
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
cd "$easy_rsa_base_dir"
|
||||||
|
./easyrsa renew "$host_arg" nopass
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Done."
|
||||||
|
echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
|
||||||
|
echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
|
||||||
|
echo ""
|
||||||
|
echo "Remember that the key of the host certificates do not passphrase protected"
|
||||||
|
|
||||||
|
exit 0
|
|
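Review bot: The exit status of `./easyrsa renew "$host_arg" nopass` (and of the `cd` before it) is never checked, so a failed renewal still prints "Done." with the certificate and key paths and the script exits 0, which misleads the operator and anything chained on it. Replace the two lines with `cd "$easy_rsa_base_dir" || exit 1` and `./easyrsa renew "$host_arg" nopass || { echo "Renewal of ${host_arg} failed" >&2; exit 1; }`, or put `set -euo pipefail` after the shebang. `host_arg` is also used unvalidated as a file-name component; rejecting values containing `/` or starting with `.` (`case "$host_arg" in */*|.*) echo "Invalid hostname" >&2; exit 1;; esac`) keeps the printed paths and the easyrsa target inside `pki/`. The usage message has a typo (`wich`).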
@ -0,0 +1,41 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
name_arg=
|
||||||
|
email_arg=
|
||||||
|
if [ $# -ne 2 ] ; then
|
||||||
|
echo "You need to pass exactly two parameters in the following order: the full name, between double quotes, and the email address"
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
name_arg="$1"
|
||||||
|
email_arg="$2"
|
||||||
|
fi
|
||||||
|
|
||||||
|
easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
|
||||||
|
easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
|
||||||
|
easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
|
||||||
|
easy_vars_file="${easy_rsa_base_dir}/vars"
|
||||||
|
if [ -f "${easy_vars_file}.tmpl" ] ; then
|
||||||
|
echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Starting the renewal of a client host certificate."
|
||||||
|
echo "Remember that you need to supply a passphrase for the private key."
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
sleep 5
|
||||||
|
|
||||||
|
cd "$easy_rsa_base_dir"
|
||||||
|
cp -f "$easy_vars_file" "${easy_vars_file}.tmpl"
|
||||||
|
sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g" "$easy_vars_file"
|
||||||
|
./easyrsa renew "$name_arg"
|
||||||
|
mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Done."
|
||||||
|
echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
|
||||||
|
echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
exit 0
|
|
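Review bot: `$email_arg` is interpolated unescaped into the sed expression `s/{{ easy_rsa_req_email }}/$email_arg/g`, and the result lands in `vars`, which — as far as I know — easyrsa sources as a shell fragment; an argument containing `/`, `&` or `\` breaks or rewrites the substitution, and one containing `"` or `$(…)` becomes shell code the next time `vars` is read. Since the only legitimate value is an e-mail address, an allow-list check before the `cp` is the simplest fix: `[[ "$email_arg" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]] || { echo "Invalid email address" >&2; exit 1; }`. The same applies to the rendered pattern: a configured `easy_rsa_req_email` containing `/` breaks the sed command at deploy time. The `.tmpl` backup is only moved back if the script reaches the final `mv`; an interrupt during the passphrase prompt leaves the patched `vars` in place, so installing `trap 'mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"' EXIT` right after the `cp`, in place of the trailing `mv`, is more robust than relying on the `.tmpl` check on the next run.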
@ -0,0 +1,34 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
host_arg=
|
||||||
|
if [ $# -ne 1 ] ; then
|
||||||
|
echo "You need to pass just one argument: the full hostname for wich the certificate is required"
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
host_arg="$1"
|
||||||
|
fi
|
||||||
|
|
||||||
|
easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
|
||||||
|
easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
|
||||||
|
easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
|
||||||
|
easy_vars_file="${easy_rsa_base_dir}/vars"
|
||||||
|
if [ -f "${easy_vars_file}.tmpl" ] ; then
|
||||||
|
echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Starting the renewal of a server host certificate."
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
cd "$easy_rsa_base_dir"
|
||||||
|
./easyrsa renew "$host_arg" nopass
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Done."
|
||||||
|
echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
|
||||||
|
echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
|
||||||
|
echo ""
|
||||||
|
echo "Remember that the key of the host certificates do not passphrase protected"
|
||||||
|
|
||||||
|
exit 0
|
|
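Review bot: Renewing does not invalidate the certificate being replaced — after `./easyrsa renew "$host_arg" nopass` the previous server certificate keeps validating until its own notAfter unless it is revoked and a fresh CRL is published, which this script neither does nor mentions, so renewal must not be mistaken for rotation after a suspected key compromise. Add a reminder after the "Done." block, e.g. `echo "The previous certificate is still valid until it expires: revoke it (revoke-renewed, or revoke on the archived copy, depending on the easy-rsa version) and regenerate the CRL with ./easyrsa gen-crl"`, or perform the revoke and `gen-crl` here behind an opt-out flag. The script is otherwise identical to the client variant except for one message and shares its unchecked `cd`/`renew` exit status; a single script taking the certificate type as a parameter would keep the two from drifting.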
@ -107,9 +107,12 @@ emailAddress_max = 64
|
||||||
# dynamically. This core section is left to support the odd usecase where
|
# dynamically. This core section is left to support the odd usecase where
|
||||||
# a user calls openssl directly.
|
# a user calls openssl directly.
|
||||||
[ basic_exts ]
|
[ basic_exts ]
|
||||||
basicConstraints = CA:FALSE
|
basicConstraints = {% if easy_rsa_critical_ca_false %}critical,{% endif %}CA:FALSE
|
||||||
subjectKeyIdentifier = hash
|
subjectKeyIdentifier = hash
|
||||||
authorityKeyIdentifier = keyid,issuer:always
|
authorityKeyIdentifier = keyid,issuer:always
|
||||||
|
{% if easy_rsa_add_crl_url %}
|
||||||
|
crlDistributionPoints = URI:{{ easy_rsa_crl_url }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# The Easy-RSA CA extensions
|
# The Easy-RSA CA extensions
|
||||||
[ easyrsa_ca ]
|
[ easyrsa_ca ]
|
||||||
|
|
|
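Review bot: The existing comment above `[ basic_exts ]` says this section is only there for users calling openssl directly, so, taking it at face value, the templated `critical,` prefix and the `crlDistributionPoints` line added here do not reach certificates issued through easyrsa itself, which take their extensions from the x509-types files; a reader of this hunk cannot tell that. Add a note on the `basicConstraints` line: `# Mirrors the x509-types edits driven by easy_rsa_critical_ca_false / easy_rsa_add_crl_url; easyrsa itself does not read this section, keep the two in sync.` The `{% if easy_rsa_add_crl_url %}` block spans whole lines and relies on Ansible's default `trim_blocks` to avoid emitting blank lines — harmless for an OpenSSL config, but worth knowing if the template is ever rendered by another engine.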
@ -18,4 +18,7 @@ easy_rsa_helper_scripts:
|
||||||
- 'client-host-certificate'
|
- 'client-host-certificate'
|
||||||
- 'server-host-certificate'
|
- 'server-host-certificate'
|
||||||
- 'personal-certificate'
|
- 'personal-certificate'
|
||||||
|
- 'renew-client-host-certificate'
|
||||||
|
- 'renew-server-host-certificate'
|
||||||
|
- 'renew-personal-certificate'
|
||||||
|
|
||||||
|
|