
使用Ansible-playbook 自建CA,并签发客户端IP证书

使用Ansible-playbook 自建CA,并签发客户端IP证书

需求

使用Ansible-playbook 来签发客户端IP证书

  • 签发单个IP地址,例如脚本中使用 {{ inventory_hostname }} 获取主机的IP地址,作为证书 subjectAltName 中的 IP 地址
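---
# Build a self-signed CA on the managed host and issue one client certificate
# whose subjectAltName is the host's inventory name (must be an IP address).
# All openssl commands run on the managed host; every generation step is
# guarded with `creates` so re-running the play does not silently replace the
# CA (which would invalidate every certificate issued before).
- name: Generate and sign client IP certificate
  hosts: nginx
  become: true
  vars:
    # CA settings
    ca_name: CA
    ca_email: CA@example.com
    ca_key_size: 2048
    ca_cert_days: 3650
    ca_cert_path: "/tmp/{{ ca_name }}.crt"
    ca_key_path: "/tmp/{{ ca_name }}.key"
    # Client certificate settings
    client_name: server
    client_cert_days: 3650
    client_csr_path: "/tmp/{{ client_name }}.csr"
    client_cert_path: "/tmp/{{ client_name }}.crt"
    client_key_path: "/tmp/{{ client_name }}.key"
    # Address written into subjectAltName; inventory_hostname only works
    # when the inventory lists hosts by IP address
    client_san_ip: "{{ inventory_hostname }}"
  tasks:
    - name: Check if openssl is installed
      stat:
        path: /usr/bin/openssl
      register: openssl_installed

    - name: Install openssl if not installed
      yum:
        name: openssl
        state: present
      when: not openssl_installed.stat.exists

    - name: Generate CA private key
      shell: |
        openssl genrsa -out "{{ ca_key_path }}" "{{ ca_key_size }}"
      args:
        # never regenerate an existing CA key
        creates: "{{ ca_key_path }}"
      register: ca_key

    - name: Generate CA certificate
      shell: |
        openssl req -new -x509 -nodes \
        -key "{{ ca_key_path }}" \
        -subj "/CN={{ ca_name }}/emailAddress={{ ca_email }}" \
        -days "{{ ca_cert_days }}" \
        -out "{{ ca_cert_path }}"
      args:
        executable: /bin/bash
        creates: "{{ ca_cert_path }}"
      register: ca_cert

    - name: Generate client private key
      shell: |
        openssl genrsa -out "{{ client_key_path }}" "{{ ca_key_size }}"
      args:
        creates: "{{ client_key_path }}"
      register: client_key

    - name: Generate client certificate signing request
      shell: |
        openssl req -new \
        -key "{{ client_key_path }}" \
        -subj "/CN={{ client_name }}" \
        -out "{{ client_csr_path }}"
      args:
        executable: /bin/bash
        creates: "{{ client_csr_path }}"
      register: client_csr

    - name: Sign client certificate
      # bash is required for the <( ... ) process substitution feeding -extfile
      shell: |
        openssl x509 -req -in "{{ client_csr_path }}" \
        -CA "{{ ca_cert_path }}" \
        -CAkey "{{ ca_key_path }}" \
        -CAcreateserial \
        -out "{{ client_cert_path }}" \
        -days "{{ client_cert_days }}" \
        -extfile <(echo "subjectAltName=IP:{{ client_san_ip }}") \
        -sha256
      args:
        executable: /bin/bash
        creates: "{{ client_cert_path }}"
      register: client_cert

    - name: Restrict private key permissions
      # keys are written to /tmp, which other local users can list
      file:
        path: "{{ item }}"
        mode: "0600"
      with_items:
        - "{{ ca_key_path }}"
        - "{{ client_key_path }}"

    - name: Copy client certificate and key to target host
      copy:
        src: "{{ item.path }}"
        dest: /root
        mode: "{{ item.mode }}"
        # the files were produced on the managed host, not on the controller
        remote_src: true
      with_items:
        - { path: "{{ client_cert_path }}", mode: "0644" }
        - { path: "{{ client_key_path }}", mode: "0600" }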
  • 签发多个IP,例如脚本中的 subjectAltName=IP:192.168.1.100,IP:111.111.111.111
  • 私网IP,公网IP
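---
# Build a self-signed CA on the managed host and issue one client certificate
# carrying several IP addresses (private and public) in subjectAltName.
# The address list is a variable so it can be overridden per host or group;
# the default renders exactly "IP:192.168.1.100,IP:111.111.111.111".
# Every generation step is guarded with `creates` so re-running the play
# does not silently replace the CA and invalidate earlier certificates.
- name: Generate and sign client IP certificate
  hosts: nginx
  become: true
  vars:
    # CA settings
    ca_name: CA
    ca_email: CA@example.com
    ca_key_size: 2048
    ca_cert_days: 3650
    ca_cert_path: "/tmp/{{ ca_name }}.crt"
    ca_key_path: "/tmp/{{ ca_name }}.key"
    # Client certificate settings
    client_name: server
    client_cert_days: 3650
    client_csr_path: "/tmp/{{ client_name }}.csr"
    client_cert_path: "/tmp/{{ client_name }}.crt"
    client_key_path: "/tmp/{{ client_name }}.key"
    # Addresses written into subjectAltName
    client_san_ips:
      - "192.168.1.100"
      - "111.111.111.111"
    # "IP:a,IP:b" form expected by the openssl subjectAltName extension
    client_san: "{{ client_san_ips | map('regex_replace', '^', 'IP:') | join(',') }}"
  tasks:
    - name: Check if openssl is installed
      stat:
        path: /usr/bin/openssl
      register: openssl_installed

    - name: Install openssl if not installed
      yum:
        name: openssl
        state: present
      when: not openssl_installed.stat.exists

    - name: Generate CA private key
      shell: |
        openssl genrsa -out "{{ ca_key_path }}" "{{ ca_key_size }}"
      args:
        # never regenerate an existing CA key
        creates: "{{ ca_key_path }}"
      register: ca_key

    - name: Generate CA certificate
      shell: |
        openssl req -new -x509 -nodes \
        -key "{{ ca_key_path }}" \
        -subj "/CN={{ ca_name }}/emailAddress={{ ca_email }}" \
        -days "{{ ca_cert_days }}" \
        -out "{{ ca_cert_path }}"
      args:
        executable: /bin/bash
        creates: "{{ ca_cert_path }}"
      register: ca_cert

    - name: Generate client private key
      shell: |
        openssl genrsa -out "{{ client_key_path }}" "{{ ca_key_size }}"
      args:
        creates: "{{ client_key_path }}"
      register: client_key

    - name: Generate client certificate signing request
      shell: |
        openssl req -new \
        -key "{{ client_key_path }}" \
        -subj "/CN={{ client_name }}" \
        -out "{{ client_csr_path }}"
      args:
        executable: /bin/bash
        creates: "{{ client_csr_path }}"
      register: client_csr

    - name: Sign client certificate
      # bash is required for the <( ... ) process substitution feeding -extfile
      shell: |
        openssl x509 -req -in "{{ client_csr_path }}" \
        -CA "{{ ca_cert_path }}" \
        -CAkey "{{ ca_key_path }}" \
        -CAcreateserial \
        -out "{{ client_cert_path }}" \
        -days "{{ client_cert_days }}" \
        -extfile <(echo "subjectAltName={{ client_san }}") \
        -sha256
      args:
        executable: /bin/bash
        creates: "{{ client_cert_path }}"
      register: client_cert

    - name: Restrict private key permissions
      # keys are written to /tmp, which other local users can list
      file:
        path: "{{ item }}"
        mode: "0600"
      with_items:
        - "{{ ca_key_path }}"
        - "{{ client_key_path }}"

    - name: Copy client certificate and key to target host
      copy:
        src: "{{ item.path }}"
        dest: /root
        mode: "{{ item.mode }}"
        # the files were produced on the managed host, not on the controller
        remote_src: true
      with_items:
        - { path: "{{ client_cert_path }}", mode: "0644" }
        - { path: "{{ client_key_path }}", mode: "0600" }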

http://www.kler.cn/a/297232.html
