
CA store

An Ansible role to set up the CA store. The end goal is to have the same setup on both OSes, meaning:

  • Certificates owned by the ssl-cert group.
  • All upstream provided certificates at /usr/share/ca-certificates.
  • All locally provided certificates at /usr/local/share/ca-certificates.
  • A single concatenated file of all SSL certificates at /etc/ssl/certs/ca-certificates.crt.
  • All certificates by name and hash symlinked at /etc/ssl/certs.
  • Keys go into /etc/ssl/private.
  • An update-ca-certificates script that refreshes both the symlinks and the concatenated file after a certificate is added locally.
  • A DH parameters file with a high bit count at /etc/ssl/dhparams.pem.
  • A self-signed key and cert at /etc/ssl/private/ssl-cert-snakeoil.key and /etc/ssl/certs/ssl-cert-snakeoil.pem respectively.

Afterwards you'll be able to do the following:

  • Point to /etc/ssl/certs for a list of known certs by hash.
  • Point to /etc/ssl/certs/ca-certificates.crt for a single concatenated file of all known certs.
  • Add your certs at /usr/local/share/ca-certificates, then run update-ca-certificates to update all locations.
  • Run the role again to update to the latest list of certs provided by upstream.
  • Save private keys at /etc/ssl/private owned by root:ssl-cert and have them securely stored.
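As an added example (not part of this role), a small Python check that verifies two of the guarantees above on a host: that the concatenated bundle agrees with the certificate source directories, and that /etc/ssl/private and the keys inside it are closed to anyone outside root:ssl-cert. It assumes every .crt/.pem file under the source directories is meant to be in the bundle (on Debian, update-ca-certificates actually consults /etc/ca-certificates.conf for the upstream set), and takes paths as parameters so it can also run against a constructed test tree.

```python
import os
import re
import stat
import grp

# One PEM certificate block; re.S lets '.' span the wrapped base64 lines.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def pem_blocks(data):
    """Certificate blocks in data, whitespace stripped so wrapping differences are ignored."""
    return {b"".join(m.split()) for m in PEM_RE.findall(data)}

def source_certs(dirs):
    """Every certificate under the upstream and local source directories.
    Assumption: each .crt/.pem file found there is meant to be in the bundle."""
    found = set()
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                if name.endswith((".crt", ".pem")):
                    with open(os.path.join(root, name), "rb") as fh:
                        found |= pem_blocks(fh.read())
    return found

def check_bundle(bundle, dirs):
    """Returns (missing, stale): missing > 0 means a cert was added to a source dir
    without running update-ca-certificates; stale > 0 means the bundle still
    carries certificates that exist in no source directory."""
    with open(bundle, "rb") as fh:
        in_bundle = pem_blocks(fh.read())
    in_sources = source_certs(dirs)
    return len(in_sources - in_bundle), len(in_bundle - in_sources)

def check_private_dir(path, group="ssl-cert"):
    """Findings for the key directory: root:<group>, closed to others, no world-readable key."""
    findings = []
    st = os.stat(path)
    if st.st_uid != 0:
        findings.append("directory not owned by root")
    try:
        gname = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # gid without a name, e.g. inside a minimal container
        gname = str(st.st_gid)
    if gname != group:
        findings.append(f"directory group is {gname}, not {group}")
    if st.st_mode & stat.S_IRWXO:
        findings.append("directory accessible by others")
    for name in os.listdir(path):
        if os.stat(os.path.join(path, name)).st_mode & stat.S_IROTH:
            findings.append(f"{name} is world-readable")
    return findings
```

On a host configured by the role, check_bundle('/etc/ssl/certs/ca-certificates.crt', ['/usr/share/ca-certificates', '/usr/local/share/ca-certificates']) should return (0, 0) and check_private_dir('/etc/ssl/private') an empty list.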

Requirements

See meta/main.yml, tests/requirements.yml and assertions at the top of tasks/main.yml.

Role Variables

See defaults/main.yml.

Dependencies

See meta/main.yml.

Example Playbook

See tests/playbook.yml.

Testing

Testing requires Python 2.7 and either Docker or Vagrant with VirtualBox. Install the Python dependencies, the dependent roles and the roles required for testing:

pip install -r tests/requirements.txt
ansible-galaxy install git+file://$(pwd),$(git rev-parse --abbrev-ref HEAD) -p .molecule/roles
molecule dependency

To run the full test suite:

pre-commit run --all-files
molecule test --platform all

License

This software is licensed under the MIT license (see the LICENSE.txt file).

Author Information

Nimrod Adar, contact me or visit my website. Patches are welcome via git send-email. The repository is located at: https://www.shore.co.il/git/.