thalesgroup.ciphertrust.cm_certificate_authority module – Create and manage CipherTrust Manager Local CA
Note
This module is part of the thalesgroup.ciphertrust collection (version 1.0.2). It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust
To use it in a playbook, specify: thalesgroup.ciphertrust.cm_certificate_authority
New in thalesgroup.ciphertrust 1.0.0
Synopsis
Create and edit local Certificate Authority on CipherTrust Manager
Parameters
The parameter names of the original table were lost in extraction; the descriptions are listed below in the table's original order, with sub-parameters indented under the parameter they belong to.

- RSA or ECDSA (default) algorithms are supported. The signature algorithm is selected based on the algorithm and size. Choices:
- If set to true, certificates signed by the specified CA can be used for client authentication. Choices:
- If set to true, certificates signed by the specified CA can be used for user authentication. Choices:
- Certificate ID
- Common Name
- CSR in PEM format
- Parameters to be used when creating a CSR, such as the subject, X.509 extensions and the signature algorithm:
  - Common Name
  - Subject Alternative Names (SAN) values
  - E-mail addresses
  - List of names of the permitted extended key usages added as CSR extensions. Valid values are one or more of: serverAuth, clientAuth, codeSigning, emailProtection, ipsecEndSystem, ipsecTunnel, ipsecUser, timeStamping, ocspSigning, microsoftServerGatedCrypto, netscapeServerGatedCrypto, microsoftCommercialCodeSigning, microsoftKernelCodeSigning. These are the extended key usages allowed for CSR creation.
  - IP addresses
  - If set, the CA boolean of the basic constraints extension is set to that value; otherwise it is left unset. Choices:
  - List of names of the permitted key usages added as CSR extensions. Valid values are one or more of: digitalSignature, contentCommitment, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, crlSign, encipherOnly, decipherOnly. These are the key usages allowed for CSR creation.
  - Valid only when the CA parameter above is set to true. Specifies the maximum number of CAs that can appear below this one in a chain. If maxPathLen is -1, pathlen is unset.
  - Name fields are “O=organization, OU=organizational unit, L=location, ST=state/province, C=country”. Fields can be duplicated if present in different objects.
    - Country, for example “US”
    - Location, for example “Belcamp”
    - Organization, for example “Thales Group”
    - Organizational Unit, for example “RnD”
    - State/province, for example “MD”
  - Signature algorithm used for creating the CSR. Choices:
  - If set to true, the Subject Key Identifier extension is set to the hash specified by RFC 5280; otherwise it is unset. Choices:
  - Subject Alternative Names (SAN) values
- Duration in days of the certificate. Either duration or the notAfter date must be specified.
- E-mail addresses
- Private key encryption algorithm. Choices:
- ID
- IP addresses
- Parameters to be used for creating an asymmetric key for CSR creation:
  - Algorithm of the key to be generated for CSR creation. Permitted values are ‘RSA’ or ‘EC’; defaults to ‘RSA’. Choices:
  - Cryptographic curve ID for an elliptic-curve key. Choices:
  - Name of the key to be generated for CSR creation
  - Size of the key to be generated for CSR creation. Refer to the create key API for the sizes of EC and RSA keys and their default values.
- Type of the identifier, keyID, of the private key to be used for creating the CSR.
- Parameters to be used for creating an asymmetric key for CSR creation.
- Version of the private key, keyID, to be used for creating the CSR.
- Holds the connection parameters required to communicate with an instance of CipherTrust Manager (CM): the IP/FQDN of the server, username, password, and port.
  - User’s domain path
  - Admin password of CM
  - CM server IP or FQDN
  - Port on which the CM server is listening
  - Internal or private IP of the CM server, if different from the server_ip
  - Admin username of CM
  - Whether SSL verification is required. Choices:
- A unique name for the CA; if not provided, it is set to localca-<id>.
- Name fields are “O=organization, OU=organizational unit, L=location, ST=state/province, C=country”. Fields can be duplicated if present in different objects.
  - Country, for example “US”
  - Location, for example “Belcamp”
  - Organization, for example “Thales Group”
  - Organizational Unit, for example “RnD”
  - State/province, for example “MD”
- End date of the certificate. Either notAfter or duration must be specified; notAfter overrides duration if both are given.
- Start date of the certificate
- Operation to be performed. Choices:
- Password to PEM-encrypt the private key. If not specified, the private key is returned unencrypted.
- Private key bytes of the key to be used while creating the CSR (the algorithm and size should match this key). If not given, a key is generated internally according to the algorithm and size.
- server, client or ca. Choices:
- Specify one of the reasons. Choices:
- Key size
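The CSR and validity rules stated in the parameter descriptions (permitted keyUsage and extendedKeyUsage names, duration-or-notAfter with notAfter taking precedence, maxPathLen only meaningful for a CA) are easy to get wrong in a playbook and only surface as an API error at run time. The following pre-flight checker is an added example, not code from the thalesgroup.ciphertrust collection; the dictionary key spellings (`isCA`, `keyUsage`, `extendedKeyUsage`, `maxPathLen`, `duration`, `notAfter`, `notBefore`) and the ISO-8601 timestamp format are assumptions. It also applies one rule the page does not state but RFC 5280 does: keyCertSign may only be asserted on a certificate whose CA flag is set.

```python
"""Pre-flight check for local-CA / CSR request parameters.

Added example, not code from the thalesgroup.ciphertrust collection. It
encodes the constraints in the parameter descriptions so a playbook can
fail fast before calling CipherTrust Manager:
  * keyUsage / extendedKeyUsage names must come from the permitted lists,
  * either duration or notAfter is required; notAfter wins if both are set,
  * maxPathLen is only meaningful when the CA flag is set,
  * keyCertSign may only be asserted on a CA (RFC 5280, section 4.2.1.9).
Key names (isCA, keyUsage, extendedKeyUsage, maxPathLen, duration,
notAfter, notBefore) are assumed spellings, not taken from the module.
"""
from datetime import datetime, timezone

# Permitted names, as listed in the parameter descriptions on this page.
KEY_USAGES = frozenset({
    "digitalSignature", "contentCommitment", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "crlSign",
    "encipherOnly", "decipherOnly",
})
EXTENDED_KEY_USAGES = frozenset({
    "serverAuth", "clientAuth", "codeSigning", "emailProtection",
    "ipsecEndSystem", "ipsecTunnel", "ipsecUser", "timeStamping",
    "ocspSigning", "microsoftServerGatedCrypto", "netscapeServerGatedCrypto",
    "microsoftCommercialCodeSigning", "microsoftKernelCodeSigning",
})


def _parse_timestamp(value):
    """Parse an ISO-8601 timestamp (assumed input format) into an aware datetime."""
    if value is None:
        return None
    parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def validate_request(params):
    """Return {"errors": [...], "warnings": [...]} for a request dict."""
    errors, warnings = [], []

    # 1. Extension names must come from the permitted lists.
    for field, allowed in (("keyUsage", KEY_USAGES),
                           ("extendedKeyUsage", EXTENDED_KEY_USAGES)):
        for name in params.get(field, []):
            if name not in allowed:
                errors.append(f"{field}: {name!r} is not a permitted value")

    # 2. Basic-constraints consistency.
    is_ca = bool(params.get("isCA", False))
    key_usage = set(params.get("keyUsage", []))
    if "maxPathLen" in params:
        if not is_ca:
            errors.append("maxPathLen is only valid when isCA is true")
        elif params["maxPathLen"] < -1:
            errors.append("maxPathLen must be -1 (unset) or >= 0")
    if "keyCertSign" in key_usage and not is_ca:
        errors.append("keyCertSign asserted but isCA is false (RFC 5280 4.2.1.9)")

    # 3. Validity period: duration or notAfter; notAfter overrides duration.
    duration = params.get("duration")
    not_before = _parse_timestamp(params.get("notBefore"))
    not_after = _parse_timestamp(params.get("notAfter"))
    if duration is None and not_after is None:
        errors.append("either duration or notAfter must be specified")
    elif duration is not None and not_after is not None:
        warnings.append("both duration and notAfter given; notAfter overrides duration")
    if duration is not None and duration <= 0:
        errors.append("duration must be a positive number of days")
    if not_before is not None and not_after is not None and not_after <= not_before:
        errors.append("notAfter must be later than notBefore")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: a subordinate-CA request with a zero path length.
    sample = {"isCA": True, "maxPathLen": 0,
              "keyUsage": ["keyCertSign", "crlSign"], "duration": 365}
    print(validate_request(sample))
```

Run it against the same dictionary you pass to the module (for example from a small wrapper task or an `assert`-style check in a custom filter plugin) and abort the play if `errors` is non-empty; `warnings` carries the cases the API accepts silently, such as a duration that notAfter will override.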
Examples
- name: "Create CM Local CA"
  thalesgroup.ciphertrust.cm_certificate_authority:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
      auth_domain_path:
    op_type: create
    cn: local_ca_ansible
    name: AnsibleLocalCA
    algorithm: RSA
    size: 4096
    names:
      - C: CA
        ST: ontario
        L: ottawa
        O: ciphertrust
        OU: test
  register: ca

- name: Self sign the CA
  thalesgroup.ciphertrust.cm_certificate_authority:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
      auth_domain_path:
    op_type: self-sign
    id: "ca_id"
    duration: 365

- name: Create CSR
  thalesgroup.ciphertrust.cm_certificate_authority:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
      auth_domain_path:
    op_type: create-csr-key
    cn: csr
    name: AnsibleCSR
    algorithm: RSA
    size: 2048
    ipAddresses:
      - 10.1.1.10
    names:
      - C: CA
        ST: ontario
        L: ottawa
        O: ciphertrust
        OU: test
    encryptionAlgo: AES256
  register: csr

- name: Issue Certificate
  thalesgroup.ciphertrust.cm_certificate_authority:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
      auth_domain_path:
    op_type: issue-cert
    id: "ca_id"
    csr: "csr"
    purpose: server
    duration: 365
    name: AnsibleServerCert
  register: cert
Authors
Anurag Jain (@anugram)