-
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy path1_main.yml
114 lines (97 loc) · 2.6 KB
/
1_main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
---
no_prompts: false
debug: false
# default config => is overwritten by provided config
defaults_pki:
manage:
users: true # if set to false - the users and groups will need to be created BEFORE running the initialization
webserver: true # install and configure a nginx webserver to serve CRL's and CA-PublicKey's
save_passwords: true
purge: false # remove certificates that exist on the CA but not in your config
crl_distribution:
enable: true
domain:
protocol: 'http'
mode_public: '0640' # or 0644
easyrsa_version: '3.1.2'
backup:
enable: true
path: '/var/backups/pki'
service: 'backup-pki'
time: 'Sun 00:00'
crl_updater:
enable: true
service: 'pki-crl-updater'
time: 'Sun 01:00'
vars: {}
instances: {}
extensions: {}
defaults_instance: # > pki_cnf
ca_cn: 'Root CA'
path_base: '/var/local/lib/pki'
owner: 'pki'
group: 'pki'
group_read: 'pki_read' # for monitoring and so on
pwd_ca:
vars: {}
extensions: {}
crl_distribution: {}
defaults_vars: # > pki_vars & > pki_vars_subca
# if value is set to {none}, 'none', '' or ' ' the variable will be ignored
# easyrsa-defaults will be used instead
req_country: 'AT'
req_province: 'Styria'
req_city: '' # also: location
req_org: ''
req_email: ''
req_ou: ''
key_size: 4096 # 1024, 2048, 4096, 8192
algo: 'ec' # rsa, ec, ed; WARNING: ed not yet supported!
digest: 'sha256' # md5, sha1, sha256, sha224, sha384, sha512
curve: 'secp384r1' # used for 'ec' and 'ed' algos
ca_expire: 7300 # 20 years
cert_expire: 1095 # 3 years
crl_days: 180
cert_renew: 90
dn: 'org' # cn_only, org; org => "traditional" Country/Province/City/Org/OU/email/CN format
rand_sn: 'yes'
fix_offset: # 1-365
ns_support: 'no'
ns_comment: 'Certificate'
# will be ignored: 'no_pass', 'temp_dir', 'ext_dir', 'ssl_conf', 'batch'
defaults_vars_root_ca: # > pki_vars
crl_days: 3650 # would need to be regenerated with access to the root 'ca.key'
ca_expire: 7300 # 20 years
cert_expire: 5475 # 15 years; sub-ca's
digest: 'sha512'
defaults_subca: # > pki_cnf_subca
ca_cn: 'SubCA'
pwd_ca:
vars: {}
extensions: {}
certs: {}
crl_distribution: {}
export:
unencrypted: false
chain: true
pkcs1: false
pkcs7: false # p7b = public cert-store
pkcs8: false
pkcs12: true
defaults_cert:
state: 'present'
export:
# unencrypted:
# chain:
# pkcs1:
# pkcs7:
# pkcs8:
# pkcs12:
cn: "Certificate-{{ ansible_date_time.date }}-{{ ansible_date_time.time }}"
req:
country:
province:
city: # also: location
org:
email:
ou: