CA store
An Ansible role to set up the CA store. The end goal is to have the same setup on both OSes, meaning:
- Certificates owned by the `ssl-cert` group.
- All upstream-provided certificates at `/usr/share/ca-certificates`.
- All locally provided certificates at `/usr/local/share/ca-certificates`.
- A single concatenated file of all SSL certificates at `/etc/ssl/certs/ca-certificates.crt`.
- All certificates symlinked by name and by hash at `/etc/ssl/certs`.
- Keys go in `/etc/ssl/private`.
- An `update-ca-certificates` script that updates both the symlinks and the concatenated file after a certificate is added locally.
- A high bit count DH params file at `/etc/ssl/dhparams.pem`.
- A self-signed key and cert at `/etc/ssl/private/ssl-cert-snakeoil.key` and `/etc/ssl/certs/ssl-cert-snakeoil.pem` respectively.
Afterwards you'll be able to do the following:
- Point to `/etc/ssl/certs` for a list of known certs by hash.
- Point to `/etc/ssl/certs/ca-certificates.crt` for a single concatenated file of all known certs.
- Add your certs at `/usr/local/share/ca-certificates` and run `update-ca-certificates` to update all locations.
- Run the role again to update to the latest list of certs provided by upstream.
- Save private keys at `/etc/ssl/private`, owned by `root:ssl-cert`, and have them securely stored.
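As an added example that is not part of the role, the following POSIX shell function checks the layout described above on a host: the concatenated bundle exists and holds at least one PEM block, no symlink under `certs/` is dangling (stale state from a certificate removed without re-running `update-ca-certificates`), and private keys have the expected owner and are not world-readable. The base directory and expected owner are arguments (assumed defaults `/etc/ssl` and `root:ssl-cert`) so it can also be run against a scratch directory.

```sh
#!/bin/sh
# Added example: verify the CA store layout produced by the role.
# Usage: check_ca_store [SSL_DIR] [EXPECTED_KEY_OWNER]
# Both arguments are assumptions for this example; defaults match the role.
check_ca_store() {
    ssl_dir=${1:-/etc/ssl}
    want_owner=${2:-root:ssl-cert}
    rc=0

    # The concatenated bundle must exist and contain at least one certificate.
    bundle="$ssl_dir/certs/ca-certificates.crt"
    if ! grep -q 'BEGIN CERTIFICATE' "$bundle" 2>/dev/null; then
        echo "FAIL: $bundle missing or contains no certificates"
        rc=1
    fi

    # Entries in certs/ are symlinks by name or hash; each must still resolve.
    # A dangling link means update-ca-certificates was not re-run after a
    # certificate was removed.
    for link in "$ssl_dir"/certs/*; do
        [ -L "$link" ] || continue
        if [ ! -e "$link" ]; then
            echo "FAIL: dangling symlink $link"
            rc=1
        fi
    done

    # Private keys: expected owner:group and never world-readable.
    for key in "$ssl_dir"/private/*; do
        [ -f "$key" ] || continue
        set -- $(ls -ld "$key")          # fields 3 and 4 are owner and group
        owner="$3:$4"
        if [ "$owner" != "$want_owner" ]; then
            echo "FAIL: $key owned by $owner, expected $want_owner"
            rc=1
        fi
        if [ -n "$(find "$key" -perm -004)" ]; then
            echo "FAIL: $key is world-readable"
            rc=1
        fi
    done
    return "$rc"
}
```

Run it as `check_ca_store` on a configured host; a non-zero exit lists each problem found.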
Requirements
See `meta/main.yml`, `tests/requirements.yml` and the assertions at the top of `tasks/main.yml`.
Role Variables
See `defaults/main.yml`.
Dependencies
See `meta/main.yml`.
Example Playbook
See `tests/playbook.yml`.
Testing
Testing requires Python 2.7 and either Docker, or Vagrant and VirtualBox. Install the Python dependencies, the dependent roles and the roles required for testing:
```sh
pip install -r tests/requirements.txt
ansible-galaxy install git+file://$(pwd),$(git rev-parse --abbrev-ref HEAD) -p .molecule/roles
molecule dependency
```
To run the full test suite:
```sh
pre-commit run --all-files
molecule test --platform all
```
License
This software is licensed under the MIT license (see the `LICENSE.txt` file).
Author Information
Nimrod Adar, contact me or visit my website. Patches are welcome via git send-email. The repository is located at: https://www.shore.co.il/git/.