Ansible role to generate unlimited SSL certificates

These are the tasks for SSL generation:

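- name: Create ssl directory
  # Block-style module args instead of the key=value free form; the directory
  # will hold the host private keys and the CA key, so it is owner/group-only
  # (0750) — Apache runs as apache_user/apache_group and keeps read access.
  file:
    path: "{{ params['ssl'].folder }}"
    state: directory
    owner: "{{ apache_user }}"
    group: "{{ apache_group }}"
    mode: "0750"
  become: true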

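# generate your own: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
# files/* matches the CA private key as well as the CA certificate, so the
# copies must not be world-readable (the original u+rw,g+r,o+r made the CA key
# readable by every local user). Ownership matches the ssl directory task;
# signing below runs as root on the target, which is why the CA key is here at all.
- name: Copy CA certificate and CA private key
  copy:
    src: "{{ item }}"
    dest: "{{ params['ssl'].folder }}"
    owner: "{{ apache_user }}"
    group: "{{ apache_group }}"
    mode: "0640"
  with_fileglob:
    - files/*
  become: true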

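- name: Creating private keys for hosts
  # command, not shell: item.host is interpolated into the argv, so it must not
  # pass through a shell where metacharacters in a vhost name would be interpreted.
  # creates: makes the task idempotent — an existing key is never overwritten,
  # which would otherwise silently invalidate the certificate already issued for it.
  command: >-
    openssl genrsa
    -out {{ params['ssl'].folder }}/{{ item.host }}.key 2048
  args:
    creates: "{{ params['ssl'].folder }}/{{ item.host }}.key"
  become: true
  with_items: "{{ params['vhosts'] }}"
  when: item.ssl | default(true) | bool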

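- name: Creating CSR for hosts
  # command, not shell: the subject fields and item.host come from vars and are
  # split with shlex rather than interpreted by bash (the quoted -subj still
  # works). Re-runs regenerate the CSR from the existing key, so this task keeps
  # reporting "changed"; add creates: on the .csr if that is unwanted.
  command: >-
    openssl req -new -nodes
    -key {{ params['ssl'].folder }}/{{ item.host }}.key
    -out {{ params['ssl'].folder }}/{{ item.host }}.csr
    -subj "/C={{ params['ssl'].country_name }}/ST={{ params['ssl'].state }}/L={{ params['ssl'].locality }}/O={{ params['ssl'].organization }}/CN={{ item.host }}"
  become: true
  with_items: "{{ params['vhosts'] }}"
  when: item.ssl | default(true) | bool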

# One extfile per vhost; the template is rendered with `item` in scope, so it
# can reference item.host for the SAN entries (template contents not shown here).
- name: Generate the Subject Alternative Name (SAN) extension per host
  template:
    src: ssl/extfile.ext
    dest: "{{ params['ssl'].folder }}/{{ item.host }}.ext"
  become: true
  with_items: "{{ params['vhosts'] }}"
  when: item.ssl | default(true) | bool

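- name: Create the certificate per host
  # The CA passphrase goes through the environment (-passin env:) instead of
  # the command line, where "pass:..." is visible to every user in the process
  # list; no_log keeps it out of the Ansible output and logs (at the cost of
  # hiding the loop item on failure — set no_log: false temporarily to debug).
  # 1825 days is a 5-year leaf certificate; some clients cap the leaf lifetime
  # they accept, so shorten -days if a browser rejects the result.
  command: >-
    openssl x509 -req
    -in {{ params['ssl'].folder }}/{{ item.host }}.csr
    -CA {{ params['ssl'].folder }}/root_certificate_authority.pem
    -CAkey {{ params['ssl'].folder }}/ca_key.key
    -passin env:CA_PASSPHRASE
    -CAcreateserial
    -out {{ params['ssl'].folder }}/{{ item.host }}.crt
    -days 1825 -sha256
    -extfile {{ params['ssl'].folder }}/{{ item.host }}.ext
  environment:
    CA_PASSPHRASE: "{{ params['ssl'].pass_phrase }}"
  no_log: true
  become: true
  with_items: "{{ params['vhosts'] }}"
  when: item.ssl | default(true) | bool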

 

These are the parameters I used:

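# The tasks read these as params['vhosts'] / params['ssl'], so presumably this
# mapping sits under a top-level `params:` key in the vars file — confirm.
vhosts:
  # Block style instead of a flow mapping; key names are kept as the tasks
  # (item.host, item.ssl) and the template expect them. `ssl: false` on an
  # entry skips certificate generation for that host.
  - projectFolder: "mylocalfolder"
    host: "azul.dev"
    framework: "symfony"
    alias: "az"
ssl:
  # Secret: keep this out of version control (ansible-vault or a lookup at
  # run time); it is only a sample value here.
  pass_phrase: "vagrant"
  folder: "/etc/apache2/ssl"
  country_name: "MA"
  state: "Ouarzazate"
  locality: "Ouarzazate"
  organization: "Tamazgha Ltd"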

One thought on “Ansible role to generate unlimited SSL certificates”

  1. Anthony says:

    I’d been looking for an ansible role that creates website certificates using my own Certificate Authority. Thanks so much for sharing this!
