Sounds like a good tool that I could start using. My use case is for self-signed certificates. A state check could be something like:

key_size = (need to generate a new key when the key is not this size)
key fingerprint

Sometimes I find myself using things like easy-rsa to manage keys for things like OpenVPN. Doing this through Ansible would also be desirable.

Thanks

On Monday, May 30, 2016 at 8:59:43 AM UTC-4, Yanis Guenane wrote:
> Hello the Ansible Community,
>
> After looking into ansible-modules-core[1] and ansible-modules-extras[2], I've seen no current modules for managing OpenSSL private keys, certificate signing requests and certificates.
>
> Hence I have been working on three new modules that I have submitted for review:
>
> * openssl_privatekey[3]
> * openssl_csr[4]
> * openssl_cert[5]
>
> All three modules interact with openssl through the pyOpenSSL Python module.
>
> openssl_privatekey
> ------------------
>
> Allow one to manage OpenSSL private keys. Nothing fancy. The user can specify the size of the key and the algorithm used for the key generation.
>
> A use case would be:
>
>     - name: Generate an OpenSSL private key
>       openssl_privatekey: name=ansible.com.pem
>                           size=4096
>                           type=RSA
>                           path='/etc/ssl/private/'
>
> openssl_csr
> -----------
>
> Allow one to manage OpenSSL certificate signing requests. The user can specify every field of a CSR subject. Also the subjectAltName extension is supported. Adding support for a new extension in the module is an easy task.
>
> A use case would be:
>
>     - name: Generate an OpenSSL Certificate Signing Request
>       openssl_csr: name=ansible.com
>                    digest=sha256
>                    version=3
>                    privatekey='/etc/ssl/private/ansible.com.pem'
>                    subjectAltName='DNS:www.ansible.com,DNS:m.ansible.com'
>                    path='/etc/ssl/csr/'
>                    countryName=FR
>                    stateOrProvinceName=...
>                    localityName=...
>                    organizationName=...
>                    organizationalUnitName=...
>                    commonName=ansible.com
>                    [email protected]
>
> openssl_cert
> ------------
>
> Allow one to manage OpenSSL certificates. This module has a notion of providers.
> Currently two providers are supported:
>
> * self-signed
> * letsencrypt (currently relying on acme-tiny, but aiming to speak acme directly ultimately)
>
> If the 'self-signed' provider is used a use case would be:
>
>     - name: Generate an OpenSSL Certificate
>       openssl_cert: name=ansible.com
>                     provider='self-signed'
>                     privatekey='/etc/ssl/private/ansible.com.pem'
>                     csr='/etc/ssl/csr/ansible.com.csr'
>                     notBefore=0
>                     notAfter=31865000
>                     digest='sha256'
>
> If the 'letsencrypt' provider is used a use case would be:
>
>     - name: Generate an OpenSSL Certificate
>       openssl_cert: name=ansible.com
>                     provider='letsencrypt'
>                     accountkey='/etc/ssl/private/master.ansible.com'
>                     csr='/etc/ssl/csr/ansible.com'
>                     challenge='/etc/ssl/challenges/'
>
> The idea behind those three modules is to be able to fully manage the SSL certificate management workflow from end to end with dedicated modules.
>
> I am sending this email as I'd like to have feedback from the community on what is the best approach to tackle OpenSSL resources management with Ansible. And if the solution those modules bring would be an acceptable one.
>
> Thanks in advance for your feedback,
>
> [1] https://github.com/ansible/ansible-modules-core
> [2] https://github.com/ansible/ansible-modules-extras
> [3] https://github.com/ansible/ansible-modules-extras/pull/2326
> [4] https://github.com/ansible/ansible-modules-extras/pull/2341
> [5] https://github.com/ansible/ansible-modules-extras/pull/2343
>
> --
> Yanis Guenane
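
The state check proposed in the reply at the top of this message (regenerate when the key is not the requested size, optionally compare a key fingerprint), as an added sketch that is not part of the thread or of the submitted modules. It uses only the Python standard library and reads PKCS#1 `RSA PRIVATE KEY` PEM; the function names, the SHA-256-over-DER fingerprint and the constructed sample key are assumptions.

```python
import base64
import hashlib

def _enc(tag, content):  # DER-encode one TLV; only used to build the sample
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def constructed_key(bits):
    """Constructed PKCS#1-shaped PEM, NOT a usable key: version 0 plus a modulus."""
    n = (1 << (bits - 1)) | 1
    body = _enc(0x02, b"\x00") + _enc(0x02, n.to_bytes(bits // 8 + 1, "big"))
    b64 = base64.b64encode(_enc(0x30, body)).decode()
    return f"-----BEGIN RSA PRIVATE KEY-----\n{b64}\n-----END RSA PRIVATE KEY-----\n"

def _len(buf, i):  # DER length at buf[i] -> (length, index of content)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _int(buf, i):  # DER INTEGER at buf[i] -> (value, index after it)
    if buf[i] != 0x02:
        raise ValueError("not a PKCS#1 RSA key: expected INTEGER")
    length, start = _len(buf, i + 1)
    return int.from_bytes(buf[start:start + length], "big"), start + length

def pem_to_der(pem):
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def rsa_key_bits(pem):
    """Modulus size of a PKCS#1 key: SEQUENCE { version, modulus, ... }."""
    der = pem_to_der(pem)
    if not der or der[0] != 0x30:
        raise ValueError("not a PKCS#1 RSA key: expected SEQUENCE")
    _, i = _int(der, _len(der, 1)[1])  # skip SEQUENCE header and version
    return _int(der, i)[0].bit_length()

def key_fingerprint(pem):  # SHA-256 over the DER bytes (assumed fingerprint form)
    return hashlib.sha256(pem_to_der(pem)).hexdigest()

def needs_new_key(pem, size, fingerprint=None):
    """True if the key is absent, has another size, or is not the pinned key."""
    if pem is None or rsa_key_bits(pem) != size:  # unparseable input raises
        return True
    return fingerprint is not None and key_fingerprint(pem) != fingerprint
```

A file that cannot be parsed raises instead of reporting "changed", so an existing key in another format is not silently overwritten. In a module built on pyOpenSSL the DER parsing would be done by the library's key loader; the decision logic stays the same.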
