Hello the Ansible Community,
After looking into ansible-modules-core[1] and ansible-modules-extras[2], I've seen no current modules for managing OpenSSL private keys, certificate signing requests and certificates.

Hence I have been working on three new modules that I have submitted for review:

  * openssl_privatekey[3]
  * openssl_csr[4]
  * openssl_cert[5]

All three modules interact with openssl through the pyOpenSSL Python module.

openssl_privatekey
----------------------------

Allows one to manage OpenSSL private keys. Nothing fancy. The user can specify the size of the key and the algorithm used for the key generation.

A use case would be:

> - name: Generate an OpenSSL private key
>   openssl_privatekey: name=ansible.com.pem
>                       size=4096
>                       type=RSA
>                       path='/etc/ssl/private/'

openssl_csr
------------------

Allows one to manage OpenSSL certificate signing requests. The user can specify every field of a CSR subject. The subjectAltName extension is also supported. Adding support for new extensions in the module is an easy task.

A use case would be:

> - name: Generate an OpenSSL Certificate Signing Request
>   openssl_csr: name=ansible.com
>                digest=sha256
>                version=3
>                privatekey='/etc/ssl/private/ansible.com.pem'
>                subjectAltName='DNS:www.ansible.com,DNS:m.ansible.com'
>                path='/etc/ssl/csr/'
>                countryName=FR
>                stateOrProvinceName=...
>                localityName=...
>                organizationName=...
>                organizationalUnitName=...
>                commonName=ansible.com
>                [email protected]

openssl_cert
-------------------

Allows one to manage OpenSSL certificates. This module has a notion of providers. Currently two providers are supported:

  * self-signed
  * letsencrypt (currently relying on acme-tiny, but ultimately aiming to speak ACME directly)

If the 'self-signed' provider is used, a use case would be:

> - name: Generate an OpenSSL Certificate
>   openssl_cert: name=ansible.com
>                 provider='self-signed'
>                 privatekey='/etc/ssl/private/ansible.com.pem'
>                 csr='/etc/ssl/csr/ansible.com.csr'
>                 notBefore=0
>                 notAfter=31865000
>                 digest='sha256'

If the 'letsencrypt' provider is used, a use case would be:

> - name: Generate an OpenSSL Certificate
>   openssl_cert: name=ansible.com
>                 provider='letsencrypt'
>                 accountkey='/etc/ssl/private/master.ansible.com'
>                 csr='/etc/ssl/csr/ansible.com'
>                 challenge='/etc/ssl/challenges/'

The idea behind those three modules is to be able to fully manage the SSL certificate management workflow from end to end with dedicated modules.

I am sending this email as I'd like to have feedback from the community on what is the best approach to tackle OpenSSL resource management with Ansible, and on whether the solution those modules bring would be an acceptable one.

Thanks in advance for your feedback,

[1] https://github.com/ansible/ansible-modules-core
[2] https://github.com/ansible/ansible-modules-extras
[3] https://github.com/ansible/ansible-modules-extras/pull/2326
[4] https://github.com/ansible/ansible-modules-extras/pull/2341
[5] https://github.com/ansible/ansible-modules-extras/pull/2343

--
Yanis Guenane
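
The end-to-end workflow the message describes (private key, CSR with subjectAltName, self-signed certificate), shown as an added example with the openssl command line rather than the proposed modules. It is not part of the original message; the function names, file layout and example.test names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post or the proposed modules.
# Function names, file layout and the example.test names are assumptions.

# make_selfsigned DIR CN SAN [BITS] [DAYS]
# 368 days approximates the notAfter=31865000 seconds used in the post.
make_selfsigned() {
    dir=$1; cn=$2; san=$3; bits=${4:-4096}; days=${5:-368}
    key="$dir/$cn.pem"; csr="$dir/$cn.csr"; crt="$dir/$cn.crt"; cnf="$dir/$cn.cnf"

    # Minimal request config; the SAN lives in the [v3_req] section.
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF

    # Private key: created under a restrictive umask so it is never world-readable.
    ( umask 077 && openssl genrsa -out "$key" "$bits" 2>/dev/null ) || return 1

    # CSR signed with sha256, carrying the subjectAltName extension.
    openssl req -new -sha256 -key "$key" -config "$cnf" -out "$csr" || return 1

    # Self-sign. `openssl x509 -req` does not copy CSR extensions by default,
    # so the same section is passed again through -extfile.
    openssl x509 -req -sha256 -days "$days" -in "$csr" -signkey "$key" \
        -extfile "$cnf" -extensions v3_req -out "$crt" 2>/dev/null || return 1
}

# cert_matches_key CRT KEY: succeed only if both carry the same public key.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_has_san CRT NAME: succeed only if DNS:NAME is listed in the certificate.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' \
        | sed 's/^ *//;s/ *$//' | grep -qxF "DNS:$2"
}
```

The two check functions are the kind of post-conditions an idempotent module run can verify before deciding whether a certificate needs regenerating.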
