--- no_prompts: false debug: false testing: false # default config => is overwritten by provided config defaults_certs: mode: 'selfsigned' # selfsigned, snakeoil/quick, ca, pki, le_certbot path: '/etc/ssl/ansible' cert: name: key_size: 4096 # 1024, 2048, 4096 key_type: 'ECC' curve: 'secp256r1' cipher: 'auto' digest: 'sha256' regenerate: 'partial_idempotence' pwd: domains: [] ips: [] backend: 'auto' # certificate config cn: 'Ansible Certificate' org: ou: country: state: locality: san_other: # other RAW values to set as subject alternative name => MUST BE VALID email: # if using letsencrypt you might pass an email per domain => see letsencrypt-certs key_usage: 'serverAuth' # serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, ocspSigning ocsp_staple: false crl_distribution: [] # list of dicts # - full_name: # - "URI:https://ca.example.com/revocations.crl" # crl_issuer: # - "URI:https://ca.example.com/" # reasons: # - key_compromise # - ca_compromise # - cessation_of_operation valid_days: 730 mode_key: '0640' mode_cert: '0644' owner_key: 'root' group_key: 'root' owner_cert: 'root' group_cert: 'root' extension_cert: 'crt' extension_key: 'key' extension_csr: 'csr' letsencrypt: path: '/etc/letsencrypt' service: # apache, nginx renew_timer: 'Mon *-*-* 01:00:00' verbosity: 'v' certs: {} # see 'default_le_certbot_cert' below renew: false # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise hook: email: key_size: ca: path: valid_days: 7300 key_size: 8192 # 1024, 2048, 4096, 8192 key_type: 'ECC' curve: 'secp256r1' cipher: 'auto' digest: 'sha512' regenerate: 'partial_idempotence' pwd: backend: 'auto' # certificate config cn: 'CA Certificate' org: ou: country: state: locality: email: # letsencrypt example: # certs: # example1: # domains: ['example1.ansibleguy.net'] # email: 'dummy@ansibleguy.net' # example2: # domains: ['example2.ansibleguy.net'] # email: 'dummy@ansibleguy.net'