To build this Certificate Authority you need some basic requirements.
- A linux machine where this repo is cloned (control node).
- A CentOS 7 machine where the CA is going to be build (managed node or host).
- SSH access to the remote host.
- Ansible on your local host or remote host.
Note: The control node and host could be both the same. In this case everything is run locally.
There are many ways to run the build, we're going to describe two examples.
To create a request that can be signed by this CA go to this section
In this case Ansible is installed in the remote host.
If Ansible is not installed in the remote host you can run the script in scripts/ansible-install.sh. To do this log into your remote machine using ssh then download the script with wget and make it executable to finally run it as root (sudo is needed since we're going to use yum to install ansible).
wget https://raw.githubusercontent.com/N3L-s0n/own-certificate-authority/master/scripts/ansible-install.sh && chmod +x ansible-install.sh && sudo ./ansible-install.shThis script is going to update the yum repositories and install an older version of Ansible which is fine for now, it will also install git to clone this repository.
git clone https://github.com/N3L-s0n/own-certificate-authority.git && cd own-certificate-authorityNow that we have where to run our playbooks we can execute the playbooks/setup.yml playbook. It needs no variables but you can choose different OpenSSL and Python3.10 versions. This was tested using openssl-1.1.1p and Python-3.10.5
# playbooks/setup.yml
---
- hosts: all
# This playbook runs all setup needed to use community.crypto 2.3.2 if using default variables
roles:
- role: openssl-install
- role: python3-install
- role: ansible-install
tags: [ local ]
- role: cryptography-install
To run the playbook you have to set the host machine and connection, since we're running ansible locally we have to use the command shown below. You can add the tags argument to only run certain parts of the roles, e.g --tags openssl-dependencies will only install packages needed for openssl using yum. You also can set the openssl and python version, e.g --extra-vars "openssl_version=3.0.4.
Change <user> with the username you used with ssh.
ansible-playbook -i localhost, --connection local playbooks/setup.yml -u <user>Run hash -r to forget about ansible previous location
hash -rNow if you run ansible --version you should get at least ansible [core 2.13.1]. We'll use Community.Crypto which should be already installed, you can check it by running ansible-galaxy collection list and searching for community.crypto.
After this we should have OpenSSL, Python3.10, Cryptography and Ansible > core 2.13.0.
Now to get a certificate for our CA, we need to create a private key with a passphrase, a certificate signing request (CSR) and then create the certificate from this CSR using the generated key. This is all done by the playbook playbooks/ownca-certificate.yml you just need to set the variable for the passphrase, e.g --extra-vars "secret_ca_passphrase=test_password". The private key uses the RSA cryptosystem with a 2048 size. Certificate basic data like country name and state can also be set using variables. The defaults one are:
# playbooks/roles/ownca-certificate/defaults/main.yml
# You must change these according to your needs
---
country_name: "CR"
state_or_province_name: "San Jose"
locality_name: "San Pedro"
organization_name: "CI-0143 I-2022 Ltd"
organizational_unit_name: "Grupo 1"
common_name: "Seguridad grupo 1 CA"
To run the playbook execute the command below.
Change <user> with the username you used with ssh and <password> with your passphrase for the key.
ansible-playbook -i localhost, --connection local playbooks/ownca.yml -u <user> --extra-vars "secret_ca_passphrase=<password>"The private key and certificate are created in /etc/pki/CA/private/ and /etc/pki/CA/certs/ respectively.
We also included a playbook to sign request, first you need the request file stored in the CA machine, scp can be use to upload the file to the Request/ directory which was created in the previous playbook. Run the following command if the CSR file is not in the remote machine yet.
Change <user> with the username you used with ssh, <ip> with your remote machine IP address and <path/to/csr> with the path to the CSR file, e.g /tmp/www.test.com.csr.
scp <path/to/csr> <user>@<ip>:~/Requests/.To sign this request use playbooks/sign.yml. Change <user> with the username you used with ssh, <password> with your passphrase for the key and *<csr> with the name of the CSR file, e.g www.test.com.csr.
ansible-playbook -i localhost, --connection local playbooks/sign.yml -u <user> --extra-vars "csr_file=<*.csr> secret_ca_passphrase=<password>"The signed certificate should now exists in the Request/ directory with the same name but .crt extension. Send this file to the server which requested it.
In this case Ansible is installed in a control node.
To create a CSR for our web server you should have Ansible installed in the web server or a control node.
In this case you should clone the repository and run the setup playbook to install dependencies like OpenSSL 1.1.x and Cryptography. This will also install Ansible using pip3.10.
ansible-playbook -i localhost, --connection local playbooks/setup.yml -u <user> && hash -rNow run the playbook to create the CSR file. Default values are:
# playbooks/roles/server-request/defaults/main.yml
---
country_name: "CR"
state_or_province_name: "San Jose"
locality_name: "San Pedro"
organization_name: "CI-0143 I-2022 Ltd"
organizational_unit_name: "Grupo 1"
common_name: "www.test.com"
dir_key: "/etc/pki/tls/private"
dir_csr: "/etc/pki/tls/certs"Change <user> with your machine username, <password> with a new passphrase for the key and <common_name> with the hostname
Note: the hostname is going to be added to the Subject Alternative Names (SAN) list of the request with the domain too.
ansible-playbook -i localhost, --connection local playbooks/server.yml -u <user> --extra-vars "secret_passphrase=<password> common_name=<common_name>"Now you should have the request file in the /etc/pki/tls/certs/ directory if you didn't change the variable dir_csr