b2a415daae
* win_certificate_store: added new module * added warning about become or credssp for pfx
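### keys in files/ have been generated with
#
# generate root private key (the second step strips the passphrase, so
# root-key.pem is kept unencrypted)
# openssl genrsa -aes256 -out enckey.pem 2048
# openssl rsa -in enckey.pem -out root-key.pem
#
# generate root certificate
# openssl req -x509 -key root-key.pem -days 24855 -out root-cert.pem -subj "/CN=root.ansible.com/C=US"
#
# generate subject private key (likewise kept unencrypted)
# openssl genrsa -aes256 -out enckey.pem 2048
# openssl rsa -in enckey.pem -out subj-key.pem
#
# generate subject certificate
# openssl req -new -key subj-key.pem -out cert.csr -subj "/CN=subject.ansible.com/C=US"
# openssl x509 -req -in cert.csr -CA root-cert.pem -CAkey root-key.pem -CAcreateserial -out subj-cert.pem -days 24855
#
# The pfx/cer/p7b variants are derived from these files at run time by the
# tasks below and deleted again in the always: section at the end.
###
---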
# Working directory on the Windows host; win_file creates the `exported`
# subdirectory (single quotes keep the backslash literal).
- name: ensure test dir is present
  win_file:
    path: '{{ win_cert_dir }}\exported'
    state: directory

# Start from a clean slate: neither test thumbprint may be present in the
# module's default store (store_name/store_location are not set here).
- name: ensure certificates are removed from store before test
  win_certificate_store:
    thumbprint: '{{ item }}'
    state: absent
  with_items:
    - '{{ subj_thumbprint }}'
    - '{{ root_thumbprint }}'

# Same clean-up for the non-default store exercised by the tests
# (TrustedPeople under CurrentUser).
- name: ensure certificates are removed from custom store before test
  win_certificate_store:
    thumbprint: '{{ item }}'
    state: absent
    store_name: TrustedPeople
    store_location: CurrentUser
  with_items:
    - '{{ subj_thumbprint }}'
    - '{{ root_thumbprint }}'

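# These files are generated on the fly so no binary artefacts are stored in
# the git repo; they are removed again in the always: section at the end.
# Each generator runs once on the controller, inside the role's files/ dir.
- name: create PKCS12 without password
  command: 'openssl pkcs12 -export -out subj-cert-without-pass.pfx -inkey subj-key.pem -in subj-cert.pem -passout pass:'
  args:
    chdir: '{{ role_path }}/files'
  delegate_to: localhost
  # canonical YAML 1.2 boolean instead of the 1.1-only `yes`
  run_once: true
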
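# The export password is handed to openssl through the environment
# (`-passout env:VAR`) rather than on the command line, so it does not show
# up in the process list or in the module's recorded `cmd`; no_log keeps it
# out of the task output as well.  This also avoids the shlex splitting the
# command module applies to the argument string if the password contains
# whitespace.
- name: create PKCS12 with password
  command: 'openssl pkcs12 -export -out subj-cert-with-pass.pfx -inkey subj-key.pem -in subj-cert.pem -passout env:PKCS12_EXPORT_PASSWORD'
  args:
    chdir: '{{ role_path }}/files'
  environment:
    PKCS12_EXPORT_PASSWORD: '{{ key_password }}'
  no_log: true
  delegate_to: localhost
  run_once: true
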
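# DER (.cer) form of the subject certificate for the binary-import tests.
- name: create DER encoded cert
  command: openssl x509 -outform der -in subj-cert.pem -out subj-cert.cer
  args:
    chdir: '{{ role_path }}/files'
  delegate_to: localhost
  # canonical YAML 1.2 boolean instead of the 1.1-only `yes`
  run_once: true
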
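# PKCS#7 bundle (subject + root, no CRL) in PEM form.
- name: create PEM encoded PKCS7 file
  command: openssl crl2pkcs7 -nocrl -certfile subj-cert.pem -certfile root-cert.pem -out chain.pem
  args:
    chdir: '{{ role_path }}/files'
  delegate_to: localhost
  # canonical YAML 1.2 boolean instead of the 1.1-only `yes`
  run_once: true
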
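# Same PKCS#7 bundle in DER form (.p7b).
- name: create DER encoded PKCS7 file
  command: openssl crl2pkcs7 -nocrl -certfile subj-cert.pem -certfile root-cert.pem -out chain.p7b -outform der
  args:
    chdir: '{{ role_path }}/files'
  delegate_to: localhost
  # canonical YAML 1.2 boolean instead of the 1.1-only `yes`
  run_once: true
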
# Ship the whole files/ directory to the Windows host: the checked-in PEM
# keys and certificates (see header comment) plus the artefacts generated
# above.  Note this includes the unencrypted private keys.
- name: copy across test cert files
  win_copy:
    src: files/
    dest: '{{ win_cert_dir }}'

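# Run the actual tests; the always: section cleans up on the controller and
# on the Windows host regardless of the outcome.
- block:
    - name: run tests
      include_tasks: test.yml

  always:
    # Controller-side first: drop the generated artefacts so the checkout is
    # left without untracked binaries even when test.yml fails.
    - name: ensure generated keys are deleted
      file:
        path: '{{ role_path }}/files/{{ item }}'
        state: absent
      delegate_to: localhost
      # canonical YAML 1.2 boolean instead of the 1.1-only `yes`
      run_once: true
      with_items:
        - subj-cert-with-pass.pfx
        - subj-cert-without-pass.pfx
        - subj-cert.cer
        - chain.pem
        - chain.p7b

    # Mirror of the pre-test removals so the stores do not keep test certs.
    - name: ensure certificates are removed from store after test
      win_certificate_store:
        thumbprint: '{{ item }}'
        state: absent
      with_items:
        - '{{ subj_thumbprint }}'
        - '{{ root_thumbprint }}'

    - name: ensure certificates are removed from custom store after test
      win_certificate_store:
        thumbprint: '{{ item }}'
        state: absent
        store_name: TrustedPeople
        store_location: CurrentUser
      with_items:
        - '{{ subj_thumbprint }}'
        - '{{ root_thumbprint }}'

    # Removes the copied key material from the Windows host along with the
    # rest of the test directory.
    - name: ensure test dir is deleted
      win_file:
        path: '{{ win_cert_dir }}'
        state: absent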