Adding easy-rsa PKI directory

f189fa4d · Shahaan Ayyub · root · d14f6070 · f189fa4d · f189fa4d
Commit f189fa4d authored 10 years ago by Shahaan Ayyub Committed by root 10 years ago
--- a/roles/easy-rsa-CA/files/defaultConfig
+++ b/roles/easy-rsa-CA/files/defaultConfig
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="/etc/easy-rsa/2.0"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=512
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="AU"
+export KEY_PROVINCE="Victoria"
+export KEY_CITY="Melbourne"
+export KEY_ORG="Monash University"
+export KEY_EMAIL="shahaan.ayyub@monash.edu"
+export KEY_OU="MCC-R@CMON"
+
+# X509 Subject Field
+export KEY_NAME="EasyRSA"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# export KEY_CN="CommonName"
--- a/roles/easy-rsa-CA/tasks/buildCA.yml
+++ b/roles/easy-rsa-CA/tasks/buildCA.yml
+--- 
+- 
+  name: "Building the CA Certificate"
+  shell: ' cd /etc/easy-rsa/2.0; source ./vars; ./clean-all;  export EASY_RSA="${EASY_RSA:-.}"; "$EASY_RSA/pkitool" --initca $*'
--- a/roles/easy-rsa-CA/tasks/buildClientCert.yml
+++ b/roles/easy-rsa-CA/tasks/buildClientCert.yml
+--- 
+- 
+  delegate_to: "127.0.0.1"
+  name: "Check if certificate exist"
+  register: cert
+  stat: "path=/etc/easy-rsa/2.0/keys/{{ client }}.crt"
+- 
+  delegate_to: "127.0.0.1"
+  name: "Creating Client certificate"
+  shell: " cd /etc/easy-rsa/2.0; source ./vars; export EASY_RSA=\\\"${EASY_RSA:-.}\\\"; \"$EASY_RSA/pkitool\" --csr {{ client }} ;\"$E ASY_RSA/pkitool\" --sign {{ client }}"
+
--- a/roles/easy-rsa-CA/tasks/buildServerCert.yml
+++ b/roles/easy-rsa-CA/tasks/buildServerCert.yml
+--- 
+- 
+  name: "Check if certificate exist"
+  register: cert
+  stat: "path=/etc/easy-rsa/2.0/keys/{{ server }}.crt"
+- 
+  name: "Creating Server certificate"
+  shell: " cd /etc/easy-rsa/2.0; source ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA/pkitool\"  --server {{ server }}"
+  when: "cert.stat.exists == false"
+- 
+  name: "Check if Diffie Hellman parameters file exist"
+  register: dh
+  stat: path=/etc/easy-rsa/2.0/keys/dh512.pem
+- 
+  name: "Generating Diffie-Hellman Parameters"
+  shell: "cd /etc/easy-rsa/2.0; source ./vars; ./build-dh"
+  when: "dh.stat.exists == false"
--- a/roles/easy-rsa-CA/tasks/copyConfigurationFile.yml
+++ b/roles/easy-rsa-CA/tasks/copyConfigurationFile.yml
+--- 
+- 
+  copy: "src={{ item }} dest=/etc/easy-rsa/2.0/vars mode=0644 owner=root"
+  name: "Copy the configuration file (userConfig): else defaultConfig"
+  with_first_found: 
+    - files:
+      - userConfig
+      - defaultConfig
+    - paths:
+      - /mnt/nectar-nfs/root/ansible-config-root/ansible_cluster_in_a_box/roles/easy-rsa-CA/files
--- a/roles/easy-rsa-CA/tasks/installEasyRsa.yml
+++ b/roles/easy-rsa-CA/tasks/installEasyRsa.yml
+--- 
+- 
+  name: "Installing easy-rsa"
+  yum: "name=easy-rsa state=latest"
+- 
+  name: "Moving easy-rsa to /etc"
+  shell: "cp -rf /usr/share/easy-rsa /etc/"
--- a/roles/easy-rsa-CA/tasks/main.yml
+++ b/roles/easy-rsa-CA/tasks/main.yml
+--- 
+- 
+  include: buildClientCert.yml
--- a/roles/easy-rsa-CA/vars/main.yml
+++ b/roles/easy-rsa-CA/vars/main.yml
+---
+ansible_ssh_user: "ec2-user"
+ansible_ssh_private_key_file: "/home/sgeadmin/.ssh/shahaan.pem"
+server: "{{ inventory_hostname }}"
+client: "{{ inventory_hostname }}"