From 1a419a3f892b97f44dd912cfc20d6bb38d685bd3 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Wed, 20 Apr 2022 13:32:04 +0200
Subject: [PATCH] Allow to provide passphrase for keys

In order to provide more security, allow to define key passphrases while generating CA or certificate keys. This can be a requirement or highly anticipated option for some systems.

Change-Id: I0eeadb687b4fa6c5392951581dfbdf6b0db574f7
---
 tasks/standalone/create_ca.yml | 5 +++++
 tasks/standalone/create_cert.yml | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/tasks/standalone/create_ca.yml b/tasks/standalone/create_ca.yml
index b092522..29a2700 100644
--- a/tasks/standalone/create_ca.yml
+++ b/tasks/standalone/create_ca.yml
@@ -45,6 +45,8 @@
 - name: Generate CA private key for {{ ca.name }}
 openssl_privatekey:
 path: "{{ ca_dir ~ '/private/' ~ ca.name ~ '.key.pem' }}"
+ passphrase: "{{ ca.key_passphrase | default(omit) }}"
+ cipher: "{{ ('key_passphrase' in ca and ca.key_passphrase) | ternary('auto', omit) }}"
 register: ca_privkey
 
 - name: Read the serial number for {{ ca.name }}
@@ -56,6 +58,7 @@
 openssl_csr:
 path: "{{ ca_dir }}/csr/ca_csr-{{ next_serial_no }}.csr"
 privatekey_path: "{{ ca_privkey.filename }}"
+ privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
 common_name: "{{ ca.cn }}"
 basic_constraints_critical: yes
 basic_constraints: "{{ ca.basic_constraints }}"
@@ -82,6 +85,7 @@
 csr_path: "{{ ca_csr.filename }}"
 provider: 'selfsigned'
 privatekey_path: "{{ ca_privkey.filename }}"
+ privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
 selfsigned_not_after: "{{ ca.not_after }}"
 register: ca_selfsigned_crt
 when:
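Review bot: The `passphrase` added to the `Generate CA private key` task also applies when the CA key file already exists unencrypted, and as far as I know `openssl_privatekey` does not re-encrypt an existing key in place — when the key cannot be loaded with the supplied passphrase it regenerates it (subject to the module's `regenerate` setting, where the installed version has one), which for a CA key invalidates everything signed by it. A comment above the task such as `# Introducing key_passphrase on an existing unencrypted CA key regenerates the key rather than re-encrypting it` would warn operators, and `regenerate: fail` would turn that case into an explicit error where the option is available. The two new lines also disagree on when a passphrase counts as set: `default(omit)` drops `passphrase` only for an undefined key, while the `cipher` expression treats an empty value as absent, so `key_passphrase: ''` sends `passphrase: ''` with `cipher` omitted; `passphrase: "{{ ca.key_passphrase | default(omit, true) }}"` and `cipher: "{{ ca.key_passphrase | default('', true) | ternary('auto', omit) }}"` apply one rule to both. The same pair of lines appears in create_cert.yml at `@@ -25,6 +25,8 @@`.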
@@ -97,6 +101,7 @@
 csr_path: "{{ ca_csr.filename }}"
 provider: 'ownca'
 ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/private/' ~ ca.signed_by ~ '.key.pem' }}"
+ ownca_privatekey_passphrase: "{{ ca.ownca_key_passphrase | default(omit) }}"
 ownca_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/certs/' ~ ca.signed_by ~ '.crt' }}"
 ownca_not_after: "{{ ca.not_after }}"
 register: ca_ownca_crt
diff --git a/tasks/standalone/create_cert.yml b/tasks/standalone/create_cert.yml
index e593402..5abbd04 100644
--- a/tasks/standalone/create_cert.yml
+++ b/tasks/standalone/create_cert.yml
@@ -25,6 +25,8 @@
 - name: Generate certificate private key for {{ cert.name }}
 openssl_privatekey:
 path: "{{ cert_dir ~ '/private/' ~ cert.name ~ '.key.pem' }}"
+ passphrase: "{{ cert.key_passphrase | default(omit) }}"
+ cipher: "{{ ('key_passphrase' in cert and cert.key_passphrase) | ternary('auto', omit) }}"
 force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
 register: cert_privkey
 
@@ -32,6 +34,7 @@
 openssl_csr:
 path: "{{ cert_dir ~ '/csr/' ~ cert.name ~ '.csr' }}"
 privatekey_path: "{{ cert_privkey.filename }}"
+ privatekey_passphrase: "{{ cert.key_passphrase | default(omit) }}"
 common_name: "{{ cert.cn | default(omit) }}"
 basic_constraints_critical: yes
 basic_constraints: "{{ cert.basic_constraints | default(omit) }}"
@@ -53,6 +56,7 @@
 csr_path: "{{ cert_csr.filename }}"
 ownca_path: "{{ _ca_file }}"
 ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/private/' ~ cert.signed_by ~ '.key.pem' }}"
+ ownca_privatekey_passphrase: "{{ cert.ownca_key_passphrase | default(omit) }}"
 provider: ownca
 force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
 register: cert_crt
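Review bot: The new `ownca_privatekey_passphrase` reads `ca.ownca_key_passphrase`, a second variable on the signed CA's own definition rather than the `key_passphrase` of the CA named in `signed_by`, so the signing CA's passphrase has to be duplicated into every definition it signs (the create_cert.yml hunk at `@@ -53,6 +56,7 @@` does the same with `cert.ownca_key_passphrase`), and a stale copy only surfaces as a failed signing task. If the signing CA's definition is reachable from this task, deriving the value from it would remove the duplication; otherwise the coupling deserves a comment such as `# Must match key_passphrase of the CA named in signed_by`. The diffstat lists only the two task files, so `key_passphrase` and `ownca_key_passphrase` appear to be undocumented; the role's variable documentation should describe both and state that they are secrets to be supplied from a vault or secret store rather than plain group_vars. The task's `- name:` and module lines are outside the hunk.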