change default key-type from RSA to ECC (fix #2)
parent
3fb208ea04
commit
a1e56c3bb9
|
|
@ -12,7 +12,8 @@ defaults_certs:
|
||||||
cert:
|
cert:
|
||||||
name:
|
name:
|
||||||
key_size: 4096 # 1024, 2048, 4096
|
key_size: 4096 # 1024, 2048, 4096
|
||||||
key_type: 'RSA'
|
key_type: 'ECC'
|
||||||
|
curve: 'secp256r1'
|
||||||
cipher: 'auto'
|
cipher: 'auto'
|
||||||
digest: 'sha256'
|
digest: 'sha256'
|
||||||
regenerate: 'partial_idempotence'
|
regenerate: 'partial_idempotence'
|
||||||
|
|
@ -70,7 +71,8 @@ defaults_certs:
|
||||||
path:
|
path:
|
||||||
valid_days: 7300
|
valid_days: 7300
|
||||||
key_size: 8192 # 1024, 2048, 4096, 8192
|
key_size: 8192 # 1024, 2048, 4096, 8192
|
||||||
key_type: 'RSA'
|
key_type: 'ECC'
|
||||||
|
curve: 'secp256r1'
|
||||||
cipher: 'auto'
|
cipher: 'auto'
|
||||||
digest: 'sha512'
|
digest: 'sha512'
|
||||||
regenerate: 'partial_idempotence'
|
regenerate: 'partial_idempotence'
|
||||||
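Review bot: Switching the default `key_type` to `'ECC'` while `regenerate` stays at `'partial_idempotence'` (context lines in both hunks) means an already-deployed RSA key no longer matches the module options and, as I read community.crypto's openssl_privatekey semantics, gets regenerated as ECC on the next run; for the CA key in the second hunk (`@ -70,7 +71,8`) that silently rotates the CA and breaks the chain of every certificate it has already issued. If that is not intended, the new default needs a changelog note telling existing installations to pin `key_type: 'RSA'` (or `regenerate: 'never'`) before upgrading. The two size knobs also lack documentation: `key_size` only applies to RSA and `curve` only to ECC, so a comment such as `curve: 'secp256r1'  # used only when key_type is 'ECC'; key_size applies to RSA only` on both hunks would stop readers assuming an 8192-bit ECC key exists.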
|
|
|
||||||
|
|
@ -35,6 +35,7 @@
|
||||||
cipher: "{{ config_ca.ca.cipher }}"
|
cipher: "{{ config_ca.ca.cipher }}"
|
||||||
size: "{{ config_ca.ca.key_size }}"
|
size: "{{ config_ca.ca.key_size }}"
|
||||||
type: "{{ config_ca.ca.key_type }}"
|
type: "{{ config_ca.ca.key_type }}"
|
||||||
|
curve: "{{ config_ca.ca.curve }}"
|
||||||
regenerate: "{{ config_ca.ca.regenerate }}"
|
regenerate: "{{ config_ca.ca.regenerate }}"
|
||||||
mode: "{{ config_ca.mode_key }}"
|
mode: "{{ config_ca.mode_key }}"
|
||||||
owner: "{{ config_ca.owner_key }}"
|
owner: "{{ config_ca.owner_key }}"
|
||||||
|
|
@ -48,6 +49,7 @@
|
||||||
select_crypto_backend: "{{ config_ca.ca.backend }}"
|
select_crypto_backend: "{{ config_ca.ca.backend }}"
|
||||||
size: "{{ config_ca.ca.key_size }}"
|
size: "{{ config_ca.ca.key_size }}"
|
||||||
type: "{{ config_ca.ca.key_type }}"
|
type: "{{ config_ca.ca.key_type }}"
|
||||||
|
curve: "{{ config_ca.ca.curve }}"
|
||||||
regenerate: "{{ config_ca.ca.regenerate }}"
|
regenerate: "{{ config_ca.ca.regenerate }}"
|
||||||
mode: "{{ config_ca.mode_key }}"
|
mode: "{{ config_ca.mode_key }}"
|
||||||
owner: "{{ config_ca.owner_key }}"
|
owner: "{{ config_ca.owner_key }}"
|
||||||
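Review bot: `curve: "{{ config_ca.ca.curve }}"` is passed unconditionally in both hunks here (`@ -35` and `@ -48`) and in the two certificate-task hunks of the next file, so a caller that supplies its own `ca` or `cert` mapping without the new key fails on an undefined variable instead of falling back to the role default — whether that can happen depends on how the role merges user vars over its defaults, which is outside this diff. `curve: "{{ config_ca.ca.curve | default(omit) }}"` lets inventories that predate this key keep working with `type: RSA` and documents that the parameter is only consumed for `ECC`. The enclosing task definitions start above the hunks.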
|
|
|
||||||
|
|
@ -23,6 +23,7 @@
|
||||||
cipher: "{{ config_cert.cert.cipher }}"
|
cipher: "{{ config_cert.cert.cipher }}"
|
||||||
size: "{{ config_cert.cert.key_size }}"
|
size: "{{ config_cert.cert.key_size }}"
|
||||||
type: "{{ config_cert.cert.key_type }}"
|
type: "{{ config_cert.cert.key_type }}"
|
||||||
|
curve: "{{ config_cert.cert.curve }}"
|
||||||
passphrase: "{{ config_cert.cert.pwd }}"
|
passphrase: "{{ config_cert.cert.pwd }}"
|
||||||
regenerate: "{{ config_cert.cert.regenerate }}"
|
regenerate: "{{ config_cert.cert.regenerate }}"
|
||||||
mode: "{{ config_cert.mode_key }}"
|
mode: "{{ config_cert.mode_key }}"
|
||||||
|
|
@ -37,6 +38,7 @@
|
||||||
select_crypto_backend: "{{ config_cert.cert.backend }}"
|
select_crypto_backend: "{{ config_cert.cert.backend }}"
|
||||||
size: "{{ config_cert.cert.key_size }}"
|
size: "{{ config_cert.cert.key_size }}"
|
||||||
type: "{{ config_cert.cert.key_type }}"
|
type: "{{ config_cert.cert.key_type }}"
|
||||||
|
curve: "{{ config_cert.cert.curve }}"
|
||||||
regenerate: "{{ config_cert.cert.regenerate }}"
|
regenerate: "{{ config_cert.cert.regenerate }}"
|
||||||
mode: "{{ config_cert.mode_key }}"
|
mode: "{{ config_cert.mode_key }}"
|
||||||
owner: "{{ config_cert.owner_key }}"
|
owner: "{{ config_cert.owner_key }}"
|
||||||
|
|
|
||||||
|
|
@ -25,27 +25,57 @@
|
||||||
CERT_CONFIG.cert.ips | length > 0 or
|
CERT_CONFIG.cert.ips | length > 0 or
|
||||||
CERT_CONFIG.cert.san_other
|
CERT_CONFIG.cert.san_other
|
||||||
|
|
||||||
- name: Certificates | Snakeoil | Build command
|
- name: Certificates | Snakeoil | Build command 1/2
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
cert_cmd: "openssl req -x509 -newkey rsa:{{ CERT_CONFIG.cert.key_size }} -sha256 -nodes \
|
cert_pub: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_cert }}"
|
||||||
{% if CERT_CONFIG.cert.cn | default(none, true) is not none %}
|
cert_key: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_key }}"
|
||||||
-subj \"/CN={{ CERT_CONFIG.cert.cn }}\" \
|
cert_attrs: "-days {{ CERT_CONFIG.cert.valid_days }} \
|
||||||
{% endif %}
|
{% if CERT_CONFIG.cert.cn | default(none, true) is not none %}\
|
||||||
|
-subj \"/CN={{ CERT_CONFIG.cert.cn }}\"
|
||||||
|
{% endif %}\
|
||||||
{% if cert_san | default(none, true) is not none %}
|
{% if cert_san | default(none, true) is not none %}
|
||||||
-addext \"subjectAltName = {{ cert_san | replace(' ', '') }}\" \
|
-addext \"subjectAltName = {{ cert_san | replace(' ', '') }}\" \
|
||||||
{% endif %}
|
{% endif %}"
|
||||||
-keyout {{ _cert_key }} -out {{ _cert_pub }} \
|
|
||||||
-days {{ CERT_CONFIG.cert.valid_days }}"
|
|
||||||
cert_pub: "{{ _cert_pub }}"
|
|
||||||
vars:
|
|
||||||
_cert_pub: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_cert }}"
|
|
||||||
_cert_key: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_key }}"
|
|
||||||
|
|
||||||
- name: Certificates | Snakeoil | Certificate command
|
- name: Certificates | Snakeoil | Build command 2/2 (RSA)
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
cert_cmd_rsa: "openssl req -x509 -newkey rsa:{{ CERT_CONFIG.cert.key_size }} -sha256 -nodes {{ cert_attrs }} \
|
||||||
|
-keyout {{ cert_key }} -out {{ cert_pub }}"
|
||||||
|
when: CERT_CONFIG.cert.key_type == 'RSA'
|
||||||
|
|
||||||
|
- name: Certificates | Snakeoil | Build command 2/2 (ECC)
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
cert_cmd_ecc1: "openssl ecparam -out {{ cert_key }} -name {{ CERT_CONFIG.cert.curve }} -genkey"
|
||||||
|
cert_cmd_ecc2: "openssl req -new -x509 -nodes -key {{ cert_key }} -out {{ cert_pub }} {{ cert_attrs }}"
|
||||||
|
when: CERT_CONFIG.cert.key_type == 'ECC'
|
||||||
|
|
||||||
|
- name: Certificates | Snakeoil | Certificate command (RSA)
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
var: cert_cmd
|
var: cert_cmd_rsa
|
||||||
|
when: CERT_CONFIG.cert.key_type == 'RSA'
|
||||||
|
|
||||||
- name: Certificates | Snakeoil | Create Certificate
|
- name: Certificates | Snakeoil | Certificate commands (ECC)
|
||||||
ansible.builtin.command: "{{ cert_cmd }}"
|
ansible.builtin.debug:
|
||||||
|
var: "{{ item }}"
|
||||||
|
loop:
|
||||||
|
- cert_cmd_ecc1
|
||||||
|
- cert_cmd_ecc2
|
||||||
|
when: CERT_CONFIG.cert.key_type == 'ECC'
|
||||||
|
|
||||||
|
- name: Certificates | Snakeoil | Create Certificate (RSA)
|
||||||
|
ansible.builtin.command: "{{ cert_cmd_rsa }}"
|
||||||
args:
|
args:
|
||||||
creates: "{{ cert_pub }}"
|
creates: "{{ cert_pub }}"
|
||||||
|
when: CERT_CONFIG.cert.key_type == 'RSA'
|
||||||
|
|
||||||
|
- name: Certificates | Snakeoil | Create Key (ECC)
|
||||||
|
ansible.builtin.command: "{{ cert_cmd_ecc1 }}"
|
||||||
|
args:
|
||||||
|
creates: "{{ cert_key }}"
|
||||||
|
when: CERT_CONFIG.cert.key_type == 'ECC'
|
||||||
|
|
||||||
|
- name: Certificates | Snakeoil | Create Certificate (ECC)
|
||||||
|
ansible.builtin.command: "{{ cert_cmd_ecc2 }}"
|
||||||
|
args:
|
||||||
|
creates: "{{ cert_pub }}"
|
||||||
|
when: CERT_CONFIG.cert.key_type == 'ECC'
|
||||||
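Review bot: `cert_cmd_ecc1` runs `openssl ecparam -out {{ cert_key }} -name ... -genkey` without `-noout`, so the key file starts with an `EC PARAMETERS` PEM block ahead of the private key; `openssl req` tolerates that, but many other consumers of the same file do not, so the command should be `openssl ecparam -name {{ CERT_CONFIG.cert.curve }} -genkey -noout -out {{ cert_key }}`. The RSA/ECC split also has no third branch: a `key_type` that is not exactly `'RSA'` or `'ECC'` (lowercase, or another type the defaults file does not forbid) makes every build, debug and create task skip silently, so the play continues with neither key nor certificate; an assert placed before `Build command 1/2` fails fast instead. Separately, neither path sets a mode on `cert_key`, so the private key's permissions are whatever the umask gives openssl — if no later task tightens them, an `ansible.builtin.file` task with `mode: '0600'` on `{{ cert_key }}` after the create tasks is worth adding. The task list this hunk belongs to begins above it.
```yaml
- name: Certificates | Snakeoil | Check key type
  ansible.builtin.assert:
    that: CERT_CONFIG.cert.key_type in ['RSA', 'ECC']
    fail_msg: "Unsupported key_type '{{ CERT_CONFIG.cert.key_type }}', expected 'RSA' or 'ECC'"

# … unchanged: Build command 1/2 and Build command 2/2 (RSA) …

- name: Certificates | Snakeoil | Build command 2/2 (ECC)
  ansible.builtin.set_fact:
    cert_cmd_ecc1: "openssl ecparam -name {{ CERT_CONFIG.cert.curve }} -genkey -noout -out {{ cert_key }}"
    # … unchanged: cert_cmd_ecc2 …
  when: CERT_CONFIG.cert.key_type == 'ECC'
```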
|
|
|
||||||