#!/usr/bin/env ansible-playbook
---
#==============================================================#
# File : cert.yml
# Desc : Issue certificates signed by Pigsty self-signed CA
# Ctime : 2022-11-19
# Mtime : 2025-12-31
# Path : cert.yml
# Docs : https://pigsty.io/docs/infra/cert
# License : Apache-2.0 @ https://pigsty.io/docs/about/license
# Copyright : 2018-2026 Ruohang Feng / Vonng (rh@vonng.com)
#==============================================================#
# This playbook issues X.509 certificates using the Pigsty CA.
# Prerequisites: CA key pair must exist at files/pki/ca/ca.crt and files/pki/ca/ca.key (created by infra.yml)
#
# Usage:
# ./cert.yml -e cn=<common_name> # basic usage
# ./cert.yml -e cn=<name> -e expire=3650d # custom validity
# ./cert.yml -e cn=<name> -e key=<path> -e crt=<path> # custom output
#
# Examples:
# ./cert.yml -e cn=dbuser_dba # PostgreSQL client cert
# ./cert.yml -e cn=dbuser_monitor # Monitor user cert
# ./cert.yml -e cn=myapp -e '{"san":["DNS:myapp.local","IP:10.0.0.1"]}'
#
# Output:
# files/pki/misc/<cn>.key # Private key (mode 0600)
# files/pki/misc/<cn>.crt # Certificate (mode 0600)
# files/pki/csr/<cn>.csr # CSR file (intermediate, can be deleted)
#==============================================================#
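- name: Issue Cert
  hosts: localhost
  gather_facts: false
  become: false
  vars:
    #----------------------------------------------------------#
    # Certificate Subject Information
    #----------------------------------------------------------#
    cn: pigsty                 # Common Name, REQUIRED, pass via -e cn=<name>
    san:                       # Subject Alternative Names (optional)
      - DNS:localhost          # - DNS names for the certificate
      - IP:127.0.0.1           # - IP addresses for the certificate
    org: pigsty                # Organization name in certificate
    unit: pigsty               # Organizational Unit name
    #----------------------------------------------------------#
    # Certificate Validity
    #----------------------------------------------------------#
    expire: 7300d              # Validity period: 20 years by default
                               # NOTE: nothing here publishes a CRL/OCSP; the
                               # only way to "revoke" a cert issued by this
                               # playbook is to rotate the CA or the files, so
                               # use a short lifetime for anything exposed
                               # (e.g. expire=365d for 1 year)
    #----------------------------------------------------------#
    # Output Paths (derived from cn when not given via -e)
    #----------------------------------------------------------#
    # key: files/pki/misc/<cn>.key   # Private key output path
    # crt: files/pki/misc/<cn>.crt   # Certificate output path
    # csr: files/pki/csr/<cn>.csr    # CSR path (intermediate, can be deleted)
    # ca_passphrase: <secret>        # only needed if files/pki/ca/ca.key is encrypted
  tasks:
    #----------------------------------------------------------#
    # 1. Determine Output Paths
    #----------------------------------------------------------#
    # Each path is defaulted independently. A single "key and crt both
    # undefined" condition left crt undefined when only -e key= was given
    # (and vice versa) and never derived the csr path when either was set.
    # Extra vars (-e) take precedence over set_fact, so an explicitly
    # supplied path is never overwritten here.
    - name: set default private key path
      when: key is not defined
      set_fact:
        key: "files/pki/misc/{{ cn }}.key"
    - name: set default certificate path
      when: crt is not defined
      set_fact:
        crt: "files/pki/misc/{{ cn }}.crt"
    - name: set default csr path
      when: csr is not defined
      set_fact:
        csr: "files/pki/csr/{{ cn }}.csr"
    # An empty cn (-e cn=) would otherwise produce files named ".key"/".crt"
    # and a certificate with an empty subject.
    - name: require a non-empty common name
      assert:
        that: (cn | default('') | string | length) > 0
        fail_msg: "cn is required: ./cert.yml -e cn=<common_name>"
    #----------------------------------------------------------#
    # 2. Generate Private Key
    #----------------------------------------------------------#
    # Created only if absent (an existing key file is reused as-is).
    # Mode is quoted so the YAML loader does not reinterpret the octal.
    - name: generate private key
      connection: local
      openssl_privatekey:
        path: "{{ key }}"
        mode: "0600"
    #----------------------------------------------------------#
    # 3. Generate Certificate Signing Request (CSR)
    #----------------------------------------------------------#
    # CSR carries subject info and SAN, signed by the private key.
    # basicConstraints is pinned to CA:FALSE (critical) so a leaf issued
    # here can never act as an intermediate if some verifier ever trusts it
    # as an issuer. keyUsage/extendedKeyUsage are deliberately left open
    # because the same playbook issues both client (dbuser_*) and server
    # (DNS/IP SAN) certificates; tighten them if you split those uses.
    - name: generate signing request
      connection: local
      openssl_csr:
        path: "{{ csr }}"
        privatekey_path: "{{ key }}"
        common_name: "{{ cn }}"
        organization_name: "{{ org }}"
        organizational_unit_name: "{{ unit }}"
        subject_alt_name: "{{ san }}"
        basic_constraints:
          - "CA:FALSE"
        basic_constraints_critical: true
        force: true              # always regenerate so subject/SAN changes are picked up
    #----------------------------------------------------------#
    # 4. Sign Certificate with CA
    #----------------------------------------------------------#
    # Issue the certificate with the Pigsty CA (files/pki/ca/ca.{key,crt}).
    # The CA private key is read straight from disk; if infra.yml left it
    # passphrase-protected, pass -e ca_passphrase=... (omitted otherwise).
    - name: sign certificate with CA
      connection: local
      openssl_certificate:
        path: "{{ crt }}"
        csr_path: "{{ csr }}"
        ownca_path: files/pki/ca/ca.crt
        ownca_privatekey_path: files/pki/ca/ca.key
        ownca_privatekey_passphrase: "{{ ca_passphrase | default(omit) }}"
        provider: ownca
        ownca_not_after: "+{{ expire }}"
        mode: "0600"
    #----------------------------------------------------------#
    # 5. Print Result
    #----------------------------------------------------------#
    # Paths only — never echo key material into the log.
    - name: print certificate paths
      debug:
        msg: "Certificate issued: {{ key }} {{ crt }}"
...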