29ca9d2d4d
* Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
767 lines
24 KiB
YAML
767 lines
24 KiB
YAML
---
|
|
- name: Generate privatekey
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey.pem'
|
|
|
|
- name: Generate CSR (check mode)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
check_mode: yes
|
|
register: generate_csr_check
|
|
|
|
- name: Generate CSR
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: generate_csr
|
|
|
|
- name: Generate CSR (idempotent)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: generate_csr_idempotent
|
|
|
|
- name: Generate CSR (idempotent, check mode)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
check_mode: yes
|
|
register: generate_csr_idempotent_check
|
|
|
|
- name: Generate CSR without SAN (check mode)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr-nosan.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
useCommonNameForSAN: no
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
check_mode: yes
|
|
register: generate_csr_nosan_check
|
|
|
|
- name: Generate CSR without SAN
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr-nosan.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
useCommonNameForSAN: no
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: generate_csr_nosan
|
|
|
|
- name: Generate CSR without SAN (idempotent)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr-nosan.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
useCommonNameForSAN: no
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: generate_csr_nosan_check_idempotent
|
|
|
|
- name: Generate CSR without SAN (idempotent, check mode)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr-nosan.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
useCommonNameForSAN: no
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
check_mode: yes
|
|
register: generate_csr_nosan_check_idempotent_check
|
|
|
|
# keyUsage longname and shortname should be able to be used
|
|
# interchangeably. Hence the long name is specified here
|
|
# but the short name is used to test idempotency for ipsecuser
|
|
# and vice-versa for biometricInfo
|
|
- name: Generate CSR with KU and XKU
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ku_xku.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
CN: www.ansible.com
|
|
keyUsage:
|
|
- digitalSignature
|
|
- keyAgreement
|
|
extendedKeyUsage:
|
|
- qcStatements
|
|
- DVCS
|
|
- IPSec User
|
|
- biometricInfo
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: Generate CSR with KU and XKU (test idempotency)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ku_xku.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: 'www.ansible.com'
|
|
keyUsage:
|
|
- Key Agreement
|
|
- digitalSignature
|
|
extendedKeyUsage:
|
|
- ipsecUser
|
|
- qcStatements
|
|
- DVCS
|
|
- Biometric Info
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: csr_ku_xku
|
|
|
|
- name: Generate CSR with KU and XKU (test XKU change)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ku_xku.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: 'www.ansible.com'
|
|
keyUsage:
|
|
- digitalSignature
|
|
- keyAgreement
|
|
extendedKeyUsage:
|
|
- ipsecUser
|
|
- qcStatements
|
|
- Biometric Info
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: csr_ku_xku_change
|
|
|
|
- name: Generate CSR with KU and XKU (test KU change)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ku_xku.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: 'www.ansible.com'
|
|
keyUsage:
|
|
- digitalSignature
|
|
extendedKeyUsage:
|
|
- ipsecUser
|
|
- qcStatements
|
|
- Biometric Info
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: csr_ku_xku_change_2
|
|
|
|
- name: Generate CSR with old API
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_oldapi.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
commonName: www.ansible.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: Generate CSR with invalid SAN
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csrinvsan.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject_alt_name: invalid-san.example.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: generate_csr_invalid_san
|
|
ignore_errors: yes
|
|
|
|
- name: Generate CSR with OCSP Must Staple
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ocsp.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject_alt_name: "DNS:www.ansible.com"
|
|
ocsp_must_staple: true
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: Generate CSR with OCSP Must Staple (test idempotency)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ocsp.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject_alt_name: "DNS:www.ansible.com"
|
|
ocsp_must_staple: true
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: csr_ocsp_idempotency
|
|
|
|
- name: Generate ECC privatekey
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey2.pem'
|
|
type: ECC
|
|
curve: secp384r1
|
|
|
|
- name: Generate CSR with ECC privatekey
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr2.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey2.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: Generate CSR with text common name
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr3.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey2.pem'
|
|
subject:
|
|
commonName: This is for Ansible
|
|
useCommonNameForSAN: no
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: Generate CSR with country name
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr4.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey2.pem'
|
|
country_name: de
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: country_idempotent_1
|
|
|
|
- name: Generate CSR with country name (idempotent)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr4.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey2.pem'
|
|
country_name: de
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: country_idempotent_2
|
|
|
|
- name: Generate CSR with country name (idempotent 2)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr4.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey2.pem'
|
|
subject:
|
|
C: de
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: country_idempotent_3
|
|
|
|
- name: Generate CSR with country name (bad country name)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr4.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey2.pem'
|
|
subject:
|
|
C: dex
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: country_fail_4
|
|
ignore_errors: yes
|
|
|
|
- name: Generate privatekey with password
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
passphrase: hunter2
|
|
cipher: auto
|
|
select_crypto_backend: cryptography
|
|
|
|
- name: Generate CSR with privatekey passphrase
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_pw.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
|
privatekey_passphrase: hunter2
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: passphrase_1
|
|
|
|
- name: Generate CSR (failed passphrase 1)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_pw1.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
privatekey_passphrase: hunter2
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: passphrase_error_1
|
|
|
|
- name: Generate CSR (failed passphrase 2)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_pw2.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
|
privatekey_passphrase: wrong_password
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: passphrase_error_2
|
|
|
|
- name: Generate CSR (failed passphrase 3)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_pw3.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: passphrase_error_3
|
|
|
|
- name: Create broken CSR
|
|
copy:
|
|
dest: "{{ output_dir }}/csrbroken.csr"
|
|
content: "broken"
|
|
- name: Regenerate broken CSR
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csrbroken.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey2.pem'
|
|
subject:
|
|
commonName: This is for Ansible
|
|
useCommonNameForSAN: no
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: output_broken
|
|
|
|
- name: Generate CSR
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_backup.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
backup: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: csr_backup_1
|
|
- name: Generate CSR (idempotent)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_backup.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
backup: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: csr_backup_2
|
|
- name: Generate CSR (change)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_backup.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: ansible.com
|
|
backup: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: csr_backup_3
|
|
- name: Generate CSR (remove)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_backup.csr'
|
|
state: absent
|
|
backup: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: csr_backup_4
|
|
- name: Generate CSR (remove, idempotent)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_backup.csr'
|
|
state: absent
|
|
backup: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: csr_backup_5
|
|
|
|
- name: Generate CSR with subject key identifier
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ski.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
subject_key_identifier: "00:11:22:33"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: subject_key_identifier_1
|
|
|
|
- name: Generate CSR with subject key identifier (idempotency)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ski.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
subject_key_identifier: "00:11:22:33"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: subject_key_identifier_2
|
|
|
|
- name: Generate CSR with subject key identifier (change)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ski.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
subject_key_identifier: "44:55:66:77:88"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: subject_key_identifier_3
|
|
|
|
- name: Generate CSR with subject key identifier (auto-create)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ski.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
create_subject_key_identifier: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: subject_key_identifier_4
|
|
|
|
- name: Generate CSR with subject key identifier (auto-create idempotency)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ski.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
create_subject_key_identifier: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: subject_key_identifier_5
|
|
|
|
- name: Generate CSR with subject key identifier (remove)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ski.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: subject_key_identifier_6
|
|
|
|
- name: Generate CSR with authority key identifier
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_aki.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
authority_key_identifier: "00:11:22:33"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: authority_key_identifier_1
|
|
|
|
- name: Generate CSR with authority key identifier (idempotency)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_aki.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
authority_key_identifier: "00:11:22:33"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: authority_key_identifier_2
|
|
|
|
- name: Generate CSR with authority key identifier (change)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_aki.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
authority_key_identifier: "44:55:66:77:88"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: authority_key_identifier_3
|
|
|
|
- name: Generate CSR with authority key identifier (remove)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_aki.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: authority_key_identifier_4
|
|
|
|
- name: Generate CSR with authority cert issuer / serial number
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_acisn.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
authority_cert_issuer:
|
|
- "DNS:ca.example.org"
|
|
- "IP:1.2.3.4"
|
|
authority_cert_serial_number: 12345
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: authority_cert_issuer_sn_1
|
|
|
|
- name: Generate CSR with authority cert issuer / serial number (idempotency)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_acisn.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
authority_cert_issuer:
|
|
- "DNS:ca.example.org"
|
|
- "IP:1.2.3.4"
|
|
authority_cert_serial_number: 12345
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: authority_cert_issuer_sn_2
|
|
|
|
- name: Generate CSR with authority cert issuer / serial number (change issuer)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_acisn.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
authority_cert_issuer:
|
|
- "IP:1.2.3.4"
|
|
- "DNS:ca.example.org"
|
|
authority_cert_serial_number: 12345
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: authority_cert_issuer_sn_3
|
|
|
|
- name: Generate CSR with authority cert issuer / serial number (change serial number)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_acisn.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
authority_cert_issuer:
|
|
- "IP:1.2.3.4"
|
|
- "DNS:ca.example.org"
|
|
authority_cert_serial_number: 54321
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: authority_cert_issuer_sn_4
|
|
|
|
- name: Generate CSR with authority cert issuer / serial number (remove)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_acisn.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
register: authority_cert_issuer_sn_5
|
|
|
|
- name: Generate CSR with everything
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_everything.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.example.com
|
|
C: de
|
|
L: Somewhere
|
|
ST: Zurich
|
|
streetAddress: Welcome Street
|
|
O: Ansible
|
|
organizationalUnitName: Crypto Department
|
|
serialNumber: "1234"
|
|
SN: Last Name
|
|
GN: First Name
|
|
title: Chief
|
|
pseudonym: test
|
|
UID: asdf
|
|
emailAddress: test@example.com
|
|
postalAddress: 1234 Somewhere
|
|
postalCode: "1234"
|
|
useCommonNameForSAN: no
|
|
key_usage:
|
|
- digitalSignature
|
|
- keyAgreement
|
|
- Non Repudiation
|
|
- Key Encipherment
|
|
- dataEncipherment
|
|
- Certificate Sign
|
|
- cRLSign
|
|
- Encipher Only
|
|
- decipherOnly
|
|
key_usage_critical: yes
|
|
extended_key_usage:
|
|
- serverAuth # the same as "TLS Web Server Authentication"
|
|
- TLS Web Server Authentication
|
|
- TLS Web Client Authentication
|
|
- Code Signing
|
|
- E-mail Protection
|
|
- timeStamping
|
|
- OCSPSigning
|
|
- Any Extended Key Usage
|
|
- qcStatements
|
|
- DVCS
|
|
- IPSec User
|
|
- biometricInfo
|
|
subject_alt_name:
|
|
- "DNS:www.ansible.com"
|
|
- "IP:1.2.3.4"
|
|
- "IP:::1"
|
|
- "email:test@example.org"
|
|
- "URI:https://example.org/test/index.html"
|
|
basic_constraints:
|
|
- "CA:TRUE"
|
|
- "pathlen:23"
|
|
basic_constraints_critical: yes
|
|
ocsp_must_staple: yes
|
|
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
|
|
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
|
|
authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
|
|
authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
vars:
|
|
value_for_authority_cert_issuer:
|
|
- "DNS:ca.example.org"
|
|
- "IP:1.2.3.4"
|
|
register: everything_1
|
|
|
|
- name: Generate CSR with everything (idempotent, check mode)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_everything.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.example.com
|
|
C: de
|
|
L: Somewhere
|
|
ST: Zurich
|
|
streetAddress: Welcome Street
|
|
O: Ansible
|
|
organizationalUnitName: Crypto Department
|
|
serialNumber: "1234"
|
|
SN: Last Name
|
|
GN: First Name
|
|
title: Chief
|
|
pseudonym: test
|
|
UID: asdf
|
|
emailAddress: test@example.com
|
|
postalAddress: 1234 Somewhere
|
|
postalCode: "1234"
|
|
useCommonNameForSAN: no
|
|
key_usage:
|
|
- digitalSignature
|
|
- keyAgreement
|
|
- Non Repudiation
|
|
- Key Encipherment
|
|
- dataEncipherment
|
|
- Certificate Sign
|
|
- cRLSign
|
|
- Encipher Only
|
|
- decipherOnly
|
|
key_usage_critical: yes
|
|
extended_key_usage:
|
|
- serverAuth # the same as "TLS Web Server Authentication"
|
|
- TLS Web Server Authentication
|
|
- TLS Web Client Authentication
|
|
- Code Signing
|
|
- E-mail Protection
|
|
- timeStamping
|
|
- OCSPSigning
|
|
- Any Extended Key Usage
|
|
- qcStatements
|
|
- DVCS
|
|
- IPSec User
|
|
- biometricInfo
|
|
subject_alt_name:
|
|
- "DNS:www.ansible.com"
|
|
- "IP:1.2.3.4"
|
|
- "IP:::1"
|
|
- "email:test@example.org"
|
|
- "URI:https://example.org/test/index.html"
|
|
basic_constraints:
|
|
- "CA:TRUE"
|
|
- "pathlen:23"
|
|
basic_constraints_critical: yes
|
|
ocsp_must_staple: yes
|
|
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
|
|
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
|
|
authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
|
|
authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
vars:
|
|
value_for_authority_cert_issuer:
|
|
- "DNS:ca.example.org"
|
|
- "IP:1.2.3.4"
|
|
check_mode: yes
|
|
register: everything_2
|
|
|
|
- name: Generate CSR with everything (idempotent)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_everything.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.example.com
|
|
C: de
|
|
L: Somewhere
|
|
ST: Zurich
|
|
streetAddress: Welcome Street
|
|
O: Ansible
|
|
organizationalUnitName: Crypto Department
|
|
serialNumber: "1234"
|
|
SN: Last Name
|
|
GN: First Name
|
|
title: Chief
|
|
pseudonym: test
|
|
UID: asdf
|
|
emailAddress: test@example.com
|
|
postalAddress: 1234 Somewhere
|
|
postalCode: "1234"
|
|
useCommonNameForSAN: no
|
|
key_usage:
|
|
- digitalSignature
|
|
- keyAgreement
|
|
- Non Repudiation
|
|
- Key Encipherment
|
|
- dataEncipherment
|
|
- Certificate Sign
|
|
- cRLSign
|
|
- Encipher Only
|
|
- decipherOnly
|
|
key_usage_critical: yes
|
|
extended_key_usage:
|
|
- serverAuth # the same as "TLS Web Server Authentication"
|
|
- TLS Web Server Authentication
|
|
- TLS Web Client Authentication
|
|
- Code Signing
|
|
- E-mail Protection
|
|
- timeStamping
|
|
- OCSPSigning
|
|
- Any Extended Key Usage
|
|
- qcStatements
|
|
- DVCS
|
|
- IPSec User
|
|
- biometricInfo
|
|
subject_alt_name:
|
|
- "DNS:www.ansible.com"
|
|
- "IP:1.2.3.4"
|
|
- "IP:::1"
|
|
- "email:test@example.org"
|
|
- "URI:https://example.org/test/index.html"
|
|
basic_constraints:
|
|
- "CA:TRUE"
|
|
- "pathlen:23"
|
|
basic_constraints_critical: yes
|
|
ocsp_must_staple: yes
|
|
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
|
|
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
|
|
authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
|
|
authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
vars:
|
|
value_for_authority_cert_issuer:
|
|
- "DNS:ca.example.org"
|
|
- "IP:1.2.3.4"
|
|
register: everything_3
|
|
|
|
- name: Ed25519 and Ed448 tests (for cryptography >= 2.6)
|
|
block:
|
|
- name: Generate privatekeys
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_{{ item }}.pem'
|
|
type: '{{ item }}'
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
register: generate_csr_ed25519_ed448_privatekey
|
|
ignore_errors: yes
|
|
|
|
- name: Generate CSR if private key generation succeeded
|
|
when: generate_csr_ed25519_ed448_privatekey is not failed
|
|
block:
|
|
|
|
- name: Generate CSR
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_{{ item }}.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
register: generate_csr_ed25519_ed448
|
|
ignore_errors: yes
|
|
|
|
- name: Generate CSR (idempotent)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_{{ item }}.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem'
|
|
subject:
|
|
commonName: www.ansible.com
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop:
|
|
- Ed25519
|
|
- Ed448
|
|
register: generate_csr_ed25519_ed448_idempotent
|
|
ignore_errors: yes
|
|
|
|
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=')
|