openssl genrsa requires a password in Ansible script

When I run the commands below to generate an RSA key and CSR at the Linux prompt, it requires a password (Enter pass phrase for pradeep.key), and I enter the password "abc" there. Please let me know how to capture this password in an Ansible script. When I specify -des3, it requires the password, and that part is mandatory.

  1. openssl genrsa -des3 -out pradeep.key 2048
  2. openssl req -new -key pradeep.key -out pradeepcsr.csr -config set.txt
  3. openssl pkcs12 -export -out pradeep.p12 -inkey pradeep.key -in cert.pem

Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Enter pass phrase for pradeep.key:
Verifying - Enter pass phrase for pradeep.key:

I used the Ansible script below:

```yaml
- command: openssl genrsa
    -des3
    -out "/app/ex.key" 2048

- command: openssl req
    -new
    -subj '/C=US/ST=Florida/L=atlanta View/O=xx/CN=abc'
    -key "/app/ex.key"
    -out "/app/ex.csr"
```

Secondly, can we do this part with any Ansible module? I tried openssl_privatekey, but it does not cover all of the above details.

Hello,

Did you have an issue generating your keys and CSR via the openssl modules?

Because the following should correspond to your case (and work with Ansible >= 2.4):

```yaml
- openssl_privatekey:
    path: /app/ex.key
    passphrase: abcd
    cipher: des3
    size: 2048

- openssl_csr:
    path: /app/ex.csr
    privatekey_path: /app/ex.key
    privatekey_passphrase: abcd
    common_name: abc
    state_or_province_name: Florida
    locality_name: atlanta View
    organization_name: xx
    country_name: US
```

If you really want to go the other route, take a look at the expect module (link)
Below is an example:

```yaml
- expect:
    command: openssl genrsa -des3 -out /tmp/pradeep.key 2048
    responses:
      Enter pass phrase: abcd
```

The questions are by default quite fuzzy, so in this case we're using it as a substring (matches both "Enter pass phrase for" and "Verifying - Enter pass phrase for").

No modules are yet available in the release version for pkcs12 management.
You may need to go the expect route or use OpenSSL's passin/passout options.

PS: There is also a module available in the devel branch https://github.com/ansible/ansible/pull/27320 if you want to try it out.

  • SDE

Thanks for your response.

I tried the expect module, but I am getting the error below:

"msg": "The pexpect python module is required"

//

As the documentation and the message say, you need to install the Python module pexpect on the host(s).
https://docs.ansible.com/ansible/latest/modules/expect_module.html#requirements