Create a simple PKI on Ubuntu/Debian. Mostly based on PKI-Tutorial.
Requirements: some basic knowledge of openssl and PKI.
Certificate subject:
simplepki_domainComponent_tld: "com"
simplepki_domainComponent_domain: "example"
simplepki_organizationName: "Example Company Inc"
Server certificate requests:
simplepki_server_certs:
- { fqdn: 'example.com' }
- { fqdn: 'another.com', altnames: ['sub.another.com', 'mydomain.com'] }
User certificate requests:
simplepki_user_certs:
- { username: 'fred', fullname: 'Fred Flintstone', email: 'fred@example.com' }
- { username: 'john', fullname: 'John Example', email: 'john@example.com' }
Revoke certificates:
simplepki_revocation_list:
- fred
- another.com
To run only the server certificate tasks:
ansible-playbook playbook.yml --tags=servercert
To renew certificates, pass the extra variable simplepki_renew_certificates. This variable should only be passed as a command line argument:
ansible-playbook playbook.yml --extra-vars '{"simplepki_renew_certificates": ["fred","john"]}'
To revoke certificates from the command line, pass the extra variable simplepki_revocation_list:
ansible-playbook playbook.yml --extra-vars '{"simplepki_revocation_list": ["fred","john"]}'
Dependencies: None
Example playbook:
- hosts: pki
  roles:
    - { role: jsecchiero.simple-pki }
Revoke a certificate:
List of valid revocation reasons:
- unspecified
- keyCompromise
- CACompromise
- affiliationChanged
- superseded
- cessationOfOperation
- certificateHold
openssl ca -config etc/signing-ca.conf -revoke certs/fred.sha256.2048.crt -crl_reason unspecified
Create CRL:
openssl ca -gencrl -config etc/signing-ca.conf -out crl/signing-ca.crl
Check a certificate without the CRL (a revoked certificate still passes this check):
openssl verify -verbose -CAfile ca/chained-ca.sha256.2048.crt certs/fred.sha256.2048.crt
Check a certificate against the CRL:
openssl verify -crl_check_all -verbose -CAfile ca/chained-ca.sha256.2048.crt \
-CRLfile crl/signing-ca.crl certs/fred.sha256.2048.crt
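The following script is an added example, not the role's own code: it builds a throwaway CA in a temporary directory and walks through the revoke, CRL and verify steps above to show that a revoked certificate still passes openssl verify until the CRL is supplied. It assumes openssl 1.1.1 or newer on PATH; the CA config, the file names and the user "fred" are constructed for the demo.

```shell
# Added example (not the role's code): throwaway CA in a temp dir showing that a
# revoked certificate still verifies until the CRL is passed to openssl verify.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
mkdir certs crl; touch index.txt; echo 1000 > serial
# Minimal constructed 'openssl ca' config (the role's etc/signing-ca.conf is larger).
cat > ca.conf <<'EOF'
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF

# Self-signed demo CA plus a certificate for user "fred" (constructed names).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
  -subj "/CN=Demo Signing CA" -config ca.conf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout fred.key -out fred.csr \
  -subj "/CN=fred" -config ca.conf 2>/dev/null
openssl ca -batch -config ca.conf -in fred.csr -out certs/fred.crt -notext
# Revoke $1 with reason $2, then publish a fresh CRL (the manual steps above).
revoke_and_gencrl() {
  openssl ca -config ca.conf -revoke "$1" -crl_reason "$2"
  openssl ca -gencrl -config ca.conf -out crl/signing-ca.crl
}
# Exit 0 if $1 chains to the demo CA; when a CRL path $2 is given, also check revocation.
verify_cert() {
  if [ -n "${2:-}" ]; then
    openssl verify -crl_check_all -CAfile ca.crt -CRLfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
  fi
}
```

Call `revoke_and_gencrl certs/fred.crt keyCompromise` and then compare `verify_cert certs/fred.crt` with `verify_cert certs/fred.crt crl/signing-ca.crl`: only the second call fails.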
To store your PKI in a private git repo, set the following variables. The private key enabled for the repo must be readable only by its owner (chmod 400):
git_key: id_rsa
git_url: github.com/myprofile/myprivaterepo
git_branch: master
License: BSD