Improve certificate generation

1. Generate root CA
2. Generate wildcard CSR
3. Sign wildcard CSR with root CA
4. Install root CA system-wide
This commit is contained in:
Lukáš Kucharczyk 2021-04-27 22:25:17 +02:00
parent b5140b9e81
commit d9bd3ac145
No known key found for this signature in database
GPG Key ID: 65524498C0196B64
2 changed files with 41 additions and 9 deletions

View File

@ -8,6 +8,7 @@ homelab.
* completely managed by Ansible * completely managed by Ansible
* containerised * containerised
* configurable * configurable
* automatic SSL certificates via `openssl`
=== Containers === Containers

View File

@ -5,20 +5,51 @@
mode: '0755' mode: '0755'
loop: loop:
- "{{ nginx_confd_folder }}" - "{{ nginx_confd_folder }}"
- name: generate certificates - name: generate root ca
command: openssl req \ command: openssl req \
-x509 \ -x509 \
-sha256 \ -new \
-newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/{{ base_domain }}".key \
-subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
-out "{{ data_folder }}/nginx/{{ base_domain }}".crt \
-days 3650 \
-nodes \ -nodes \
-newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/rootca.key" \
-out "{{ data_folder }}/nginx/rootca.pem" \
-sha256 \
-days 3650 \
-subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
args:
creates: rootca.*
- name: generate wildcard csr
command: openssl req \
-new \
-nodes \
-newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/{{ base_domain }}.key" \
-out "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
-subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
args:
creates: "{{ data_folder }}/nginx/{{ base_domain }}.*"
- name: sign wildcard csr with root ca
command: openssl x509 \
-req \
-in "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
-CA "{{ data_folder }}/nginx/rootca.pem" \
-CAkey "{{ data_folder }}/nginx/rootca.key" \
-CAcreateserial \
-out "{{ data_folder }}/nginx/{{ base_domain }}.crt" \
-days 3650 \
-sha256
args:
creates: "{{ data_folder }}/nginx/{{ base_domain }}.crt"
- name: install root ca
command: trust anchor "{{ data_folder }}/nginx/rootca.pem"
args:
creates: /etc/ca-certificates/extracted/cadir/Homelab*
become: yes
- name: copy certificates - name: copy certificates
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ data_folder }}/nginx" dest: "{{ data_folder }}/nginx"
mode: '0755'
loop: loop:
- "{{ data_folder }}/nginx/{{ base_domain }}.key" - "{{ data_folder }}/nginx/{{ base_domain }}.key"
- "{{ data_folder }}/nginx/{{ base_domain }}.crt" - "{{ data_folder }}/nginx/{{ base_domain }}.crt"