---

# For public credentials, we always generate self-signed certificates
# and store them in /etc/credentials/public. These are good for
# testing, and as a fallback. In production, some sort of automation
# will manage these credentials and the services will use those
# instead.

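# Directory that holds the generated key pair for this CN.
# NOTE(review): the header comment names /etc/credentials/public, but every
# task in this file writes under /etc/credentials/selfsigned — confirm which
# path is intended.
- name: "Create the self-signed credentials directory for {{ cn }}"
  file:
    path: "/etc/credentials/selfsigned/{{ cn }}"
    state: directory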

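# Generate the private key and certificate in one step inside the per-CN
# directory. The command module runs openssl without a shell and the argv
# form passes "{{ cn }}" as one literal argument, so quoting characters in
# the value cannot alter the command line. The original used no shell
# features (pipes, redirects, globs), so the invocation is otherwise the same.
- name: "Create a self-signed certificate for {{ cn }}"
  command:
    argv:
      - openssl
      - req
      - -x509
      - -newkey
      - rsa:2048
      - -keyout
      - privkey.pem
      # -nodes writes the private key unencrypted; the file task that
      # follows sets its owner, group and mode.
      - -nodes
      - -out
      - fullchain.pem
      - -days
      - "3650"
      - -subj
      - "/CN={{ cn }}"
    chdir: "/etc/credentials/selfsigned/{{ cn }}"
    # Idempotence: skipped once the certificate exists. An expired
    # certificate is not regenerated by this check.
    creates: "/etc/credentials/selfsigned/{{ cn }}/fullchain.pem"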

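# Restrict the private key to root and members of public-credentials.
# The mode is quoted so the leading-zero literal reaches Ansible as the
# octal string "0440" instead of being re-typed by the YAML parser
# (octal 288 under YAML 1.1, decimal 440 under YAML 1.2).
- name: "Restrict permissions on the private key for {{ cn }}"
  file:
    path: "/etc/credentials/selfsigned/{{ cn }}/privkey.pem"
    owner: root
    group: public-credentials
    mode: "0440"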