Openssl_certificate -- register my certs in my CA database

Greetings.

I have a local CA for my network of machines. I am successfully using ansible modules openssl_privatekey / openssl_csr / openssl_certificate to create and distribute SSL certificates. However …

When I use the openssl ca command to create a cert, it will

  • check my CA database (index.txt) for a matching subject
  • generate a sequential serial number
  • register my new cert in the database

Sadly, the Ansible modules don’t do this. They simply generate a certificate with (what I think is) a random serial number and do nothing with my index.txt file.

Is there a way that I can configure the Ansible modules to manage my CA database? Or will I need to use a shell module to run the openssl ca command the way I want it to run?

Thanks.

2 Likes
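The index.txt bookkeeping described in the post above can be inspected before a playbook decides whether to call openssl ca. The following is an added example, not code from this thread or from community.crypto: it parses the database and classifies a subject. The sample entries are constructed, the function names are hypothetical, and the 'valid'/'stale' handling assumes the CA runs with `unique_subject = yes`.

```python
from datetime import datetime, timezone

# Constructed sample index.txt. Tab-separated fields: status (V/R/E), expiry,
# revocation time[,reason], serial (hex), filename, subject DN.
SAMPLE_INDEX = (
    "V\t350101000000Z\t\t1000\tunknown\t/CN=web01.example.internal\n"
    "R\t350101000000Z\t240601120000Z,keyCompromise\t1001\tunknown\t/CN=db01.example.internal\n"
    "V\t200101000000Z\t\t1002\tunknown\t/CN=old.example.internal\n"
)

def parse_time(stamp):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if len(stamp) == 13:  # RFC 5280: two-digit years below 50 mean 20YY
        yy = int(stamp[:2])
        stamp = f"{2000 + yy if yy < 50 else 1900 + yy}{stamp[2:]}"
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """Return one dict per database entry; reject lines that are not 6 fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6 or fields[0] not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {lineno}: malformed entry")
        status, expiry, revoked, serial, _filename, subject = fields
        entries.append({"status": status, "expires": parse_time(expiry),
                        "revoked": revoked.split(",")[0] or None,
                        "serial": int(serial, 16), "subject": subject})
    return entries

def subject_state(entries, subject, now):
    """Classify a subject before asking the CA to sign for it.

    'valid' - a live V entry exists; signing again would be refused
    'stale' - a V entry past its expiry; still blocks until marked E
    'free'  - no V entry (never issued, revoked, or already marked E)
    """
    for entry in entries:
        if entry["subject"] == subject and entry["status"] == "V":
            return "valid" if entry["expires"] > now else "stale"
    return "free"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    db = parse_index(SAMPLE_INDEX)
    for e in db:
        print(e["subject"], format(e["serial"], "X"), subject_state(db, e["subject"], now))
```

A 'stale' result means the database should be refreshed with `openssl ca -updatedb` before signing for that subject again.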

Hey,

Sadly, I don’t have a definitive answer to your question :/. I was looking for this a few years back, and couldn’t find a better solution than using the ‘command’ module to this effect.

Right now, the community.crypto collection indeed doesn’t seem to provide such a module.

These days, I’m using this role to push CA certs to remote servers; as you can see, the install tasks directly use the update-ca-certificates command, which is indeed not very elegant.

I hope someone else will provide a better solution.

1 Like

The community.crypto collection has nothing which can help you with this. The openssl_* modules only indirectly use OpenSSL as a library under the hood (mostly via Python’s cryptography library, which is for many parts also using its own Rust code instead of relying on OpenSSL nowadays), and in very few cases (I think mostly openssl_pkcs12) PyOpenSSL. They never intended to support all features that the OpenSSL binary provides. The CA feature of the OpenSSL binary is something very specific to OpenSSL that the x509_certificate module (it has been renamed to that from openssl_certificate years ago since it really isn’t about OpenSSL, but about X.509 certificates) never supported and never will. If someone wants support for openssl ca, then a new module (or even multiple modules, since openssl ca can do quite a few things), for example named openssl_ca, needs to be added for that.

3 Likes

Thank you both.

Indeed, I ended up putting my openssl ca command into a template, using that template to create a temporary script, and using expect to run the script and use my CA password from an ansible vault.

–EbH

2 Likes
