I have a local CA for my network of machines. I am successfully using ansible modules openssl_privatekey / openssl_csr / openssl_certificate to create and distribute SSL certificates. However …
When I use the `openssl ca` command to create a cert, it will
- check my CA database (index.txt) for a matching subject
- generate a sequential serial number
- register my new cert in the database
Sadly, the Ansible modules don’t do this. They simply generate a certificate with (what I think is) a random serial number and do nothing with my index.txt file.
Is there a way that I can configure the Ansible modules to manage my CA database? Or will I need to use a shell module to run the `openssl ca` command the way I want it to run?
Sadly, I don’t have a definitive answer to your question :/. I was looking for this a few years back, and couldn’t find a better solution than using the ‘command’ module to this effect.
Right now, the community.crypto collection indeed doesn’t seem to provide such a module.
These days, I’m using this role to push CA certs to remote servers; as you can see, the install tasks directly use the `update-ca-certificates` command, which is indeed not very elegant.
I hope someone else will provide a better solution.
The community.crypto collection has nothing which can help you with this. The openssl_* modules only indirectly use OpenSSL as a library under the hood (mostly via Python’s cryptography library, which for many parts also uses its own Rust code instead of relying on OpenSSL nowadays), and in very few cases (I think mostly openssl_pkcs12) PyOpenSSL. They never intended to support all features that the OpenSSL binary provides. The CA feature of the OpenSSL binary is something very specific to OpenSSL that the x509_certificate module (it was renamed to that from openssl_certificate years ago, since it really isn’t about OpenSSL but about X.509 certificates) never supported and never will. If someone wants support for `openssl ca`, then a new module (or even multiple modules, since `openssl ca` can do quite a few things), for example named `openssl_ca`, needs to be added for that.
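To make concrete what the database side of such a module would have to do, here is an added sketch that is not part of this thread, of community.crypto, or of OpenSSL: a standard-library-only Python emulation of the bookkeeping `openssl ca` performs around `index.txt` and the `serial` file (duplicate-subject check, sequential serial allocation, registration of the new cert, and the `-updatedb`-style expiry sweep). It does no signing at all. The six-field tab-separated `index.txt` layout and the even-length uppercase-hex serial follow what the OpenSSL binary writes; the sample entries, file contents, DN values and function names are constructed for the example.

```python
"""Emulate the index.txt / serial bookkeeping of `openssl ca` (added example,
stdlib only, no signing).  index.txt lines are six tab-separated fields:
status, expiry, revocation date, serial (hex), filename, subject DN."""
import datetime as dt
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample database: one valid cert, one revoked cert, next serial 0x1002.
SAMPLE_INDEX = (
    "V\t261231235959Z\t\t1000\tunknown\t/C=GB/O=Home/CN=db01.lan\n"
    "R\t251201120000Z\t240601080000Z\t1001\tunknown\t/C=GB/O=Home/CN=old.lan\n"
)
SAMPLE_SERIAL = "1002\n"


@dataclass
class IndexEntry:
    status: str    # V = valid, R = revoked, E = expired
    expiry: str    # YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime)
    revoked: str   # revocation timestamp, empty unless status == "R"
    serial: str    # uppercase hex, no 0x prefix
    filename: str  # openssl writes "unknown" here
    subject: str   # one-line DN, e.g. "/C=GB/O=Home/CN=db01.lan"


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt; a malformed line is an error, not silently skipped."""
    entries = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {n}: expected 6 fields, got {len(fields)}")
        entries.append(IndexEntry(*fields))
    return entries


def format_index(entries: List[IndexEntry]) -> str:
    return "".join(
        "\t".join([e.status, e.expiry, e.revoked, e.serial, e.filename, e.subject]) + "\n"
        for e in entries
    )


def valid_entry_for(entries: List[IndexEntry], subject: str) -> Optional[IndexEntry]:
    """The unique_subject check: is there already a *valid* cert for this DN?"""
    for e in entries:
        if e.status == "V" and e.subject == subject:
            return e
    return None


def allocate_serial(serial_file_text: str) -> Tuple[str, str]:
    """Return (serial for this cert, new content of the serial file).
    Hex is zero-padded to an even number of digits, as the openssl binary does."""
    current = int(serial_file_text.strip(), 16)

    def fmt(n: int) -> str:
        h = format(n, "X")
        return ("0" + h) if len(h) % 2 else h

    return fmt(current), fmt(current + 1) + "\n"


def parse_time(s: str) -> dt.datetime:
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(s, fmt).replace(tzinfo=dt.timezone.utc)


def expire_stale(entries: List[IndexEntry], now: dt.datetime) -> int:
    """What `openssl ca -updatedb` does: flip V entries past their expiry to E."""
    changed = 0
    for e in entries:
        if e.status == "V" and parse_time(e.expiry) <= now:
            e.status = "E"
            changed += 1
    return changed


def register(index_text: str, serial_text: str, subject: str,
             not_after: dt.datetime, unique_subject: bool = True) -> Tuple[str, str, str]:
    """Full read-modify-write cycle around one issuance.
    Returns (serial to put in the cert, new index.txt, new serial file)."""
    entries = parse_index(index_text)
    if unique_subject and valid_entry_for(entries, subject) is not None:
        raise ValueError(f"a valid certificate for {subject} already exists")
    serial, new_serial_text = allocate_serial(serial_text)
    entries.append(IndexEntry("V", not_after.strftime("%y%m%d%H%M%SZ"), "",
                              serial, "unknown", subject))
    return serial, format_index(entries), new_serial_text


if __name__ == "__main__":
    when = dt.datetime(2027, 1, 1, tzinfo=dt.timezone.utc)
    serial, index_out, serial_out = register(SAMPLE_INDEX, SAMPLE_SERIAL,
                                             "/C=GB/O=Home/CN=web01.lan", when)
    print("issued serial", serial)
    print(index_out, end="")
    print("next serial file:", serial_out, end="")
```

The sketch only covers the bookkeeping; whatever actually signs the certificate must be told to use the allocated serial, otherwise the database and the certificate disagree. Two caveats a real module would need to handle and this sketch does not: the read-modify-write of `index.txt` and `serial` must be serialised (a lock, or a temp file plus atomic rename, on the CA host), and the UTCTime two-digit year only covers dates before 2050.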
Thank you both.
Indeed, I ended up putting my `openssl ca` command into a template, using that template to create a temporary script, and using `expect` to run the script and use my CA password from an Ansible vault.