Generate selfsigned openssl certificates using ansible

I'm trying to generate openssl selfsigned certificates using ansible.

The certificates are generated by doing:

openssl req -x509 -newkey rsa:4096 -days 365 -nodes -sha256 -keyout certs/tls.key -out certs/tls.crt -subj "/CN=docker-registry" -addext "subjectAltName = DNS:docker-registry"

To automate this I try to create an ansible playbook:

- name: Create certificate signing request (CSR) for self-signed certificate
  community.crypto.openssl_csr_pipe:
    privatekey_path: /registry/certs/tls.key   # existing private key that signs the CSR
    common_name: docker-registry               # becomes the subject CN (/CN=docker-registry)
    subject_alt_name:
      - "DNS:docker-registry"
  register: csr                                # csr.csr holds the PEM-encoded request

- name: Create self-signed certificate from CSR
  community.crypto.x509_certificate:
    path: /registry/certs/tls.crt              # output: where the certificate is written
    csr_content: "{{ csr.csr }}"
    privatekey_path: /registry/certs/tls.key   # input: the key that signs the certificate (tls.key, not tls.crt)
    provider: selfsigned

But I am not quite sure if this is the correct way. Also I don't see how to set these parameters: -newkey rsa:4096 -days 365 -nodes -sha256. Is the -subj correctly set by common_name?

And what is the difference between path and privatekey_path?

user3142695 asked Sep 01 '25 11:09


1 Answer

The values "path" and "privatekey_path" correspond to the path of the output and the private key input on disk, respectively. In other words, "path" is used for output and "privatekey_path" as an input to ansible.

As far as I can tell, there is no equivalent to "-nodes". That just tells openssl not to encrypt the private key. I don't see any indication that ansible does that by default.

Finally, by setting the common name, SAN values, and other subject info in the request, the subject of the certificate appears to be set correctly. I verified similar results with my own experiments.

Taking cues from the documentation here, here, and here, it looks like this might get you what you want:

- name: Create the private key
  community.crypto.openssl_privatekey:
    path: /registry/certs/tls.key              # output: unencrypted RSA key (equivalent of -newkey rsa:4096 -nodes)
    size: 4096

- name: Create certificate signing request (CSR) for self-signed certificate
  community.crypto.openssl_csr_pipe:
    privatekey_path: /registry/certs/tls.key   # input: the key created above
    common_name: docker-registry               # subject CN (equivalent of -subj "/CN=docker-registry")
    subject_alt_name:
      - "DNS:docker-registry"                  # equivalent of -addext "subjectAltName = DNS:docker-registry"
  register: csr

- name: Create self-signed certificate from CSR
  community.crypto.x509_certificate:
    path: /registry/certs/tls.crt              # output: the certificate
    csr_content: "{{ csr.csr }}"
    privatekey_path: /registry/certs/tls.key   # input: the key that signs the certificate (tls.key, not tls.crt)
    provider: selfsigned
    selfsigned_not_after: +365d # valid for one year (equivalent of -days 365)
    selfsigned_not_before: "-1d" # valid since yesterday
    selfsigned_digest: "sha256" # this is the default and can be omitted (equivalent of -sha256)

Note that the values you set in your openssl req ... command above are set in the different portions of the ansible play.

Note that this link will guide you through creating a private CA from scratch.

jrogers63 answered Sep 03 '25 21:09
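As an added, complete example (this is not code from the question or from the answer above): a playbook that runs the three steps end to end, then reads the certificate back with community.crypto.x509_certificate_info and asserts on it, so the play fails loudly if the result does not match what the original openssl req command would have produced. The directory /registry/certs and the hostname docker-registry come from the question; the variable names, the file modes and the assertions on the info module's return values are my own assumptions.

```yaml
# Added example playbook (not the original poster's or answerer's code).
# Assumes: community.crypto is installed, and the playbook is run on the
# registry host (or on localhost, as below) with write access to /registry/certs.
- name: Generate a self-signed TLS certificate for the docker registry
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    cert_dir: /registry/certs          # assumed location, taken from the question
    cert_cn: docker-registry
    cert_sans:
      - "DNS:{{ cert_cn }}"            # clients validate the SAN, not the CN; always set it
  tasks:
    - name: Ensure the certificate directory exists
      ansible.builtin.file:
        path: "{{ cert_dir }}"
        state: directory
        mode: "0755"

    - name: Create an unencrypted 4096-bit RSA key (openssl: -newkey rsa:4096 -nodes)
      community.crypto.openssl_privatekey:
        path: "{{ cert_dir }}/tls.key"
        type: RSA
        size: 4096
        mode: "0600"                   # the key is a secret: owner-readable only

    - name: Build the CSR in memory (openssl: -subj /CN=... -addext subjectAltName=...)
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ cert_dir }}/tls.key"
        common_name: "{{ cert_cn }}"
        subject_alt_name: "{{ cert_sans }}"
      register: csr

    - name: Self-sign the CSR (openssl: -x509 -days 365 -sha256)
      community.crypto.x509_certificate:
        path: "{{ cert_dir }}/tls.crt"           # output
        csr_content: "{{ csr.csr }}"
        privatekey_path: "{{ cert_dir }}/tls.key" # input: the signing key
        provider: selfsigned
        selfsigned_not_after: "+365d"
        selfsigned_digest: sha256
        mode: "0644"                   # the certificate is public

    - name: Read the generated certificate back
      community.crypto.x509_certificate_info:
        path: "{{ cert_dir }}/tls.crt"
      register: cert

    # Assumed return-value names (subject_alt_name, signature_algorithm,
    # public_key_type) are the documented ones for x509_certificate_info.
    - name: Fail the play if the certificate does not match the expected parameters
      ansible.builtin.assert:
        that:
          - "'DNS:' ~ cert_cn in cert.subject_alt_name"
          - cert.signature_algorithm == 'sha256WithRSAEncryption'
          - cert.public_key_type == 'RSA'
        fail_msg: "tls.crt does not carry the expected SAN, digest or key type"
```

The modules are idempotent: on a second run the key and certificate are left alone as long as they still match the requested parameters, and the certificate is only regenerated when it has expired or when force: true is set. The -nodes behaviour of openssl is the default here, because openssl_privatekey only encrypts the key when a passphrase (and cipher) is given.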