anugram.cm_pki.cm_local_ca module – Create and manage CipherTrust Manager Local CA

Note

This module is part of the anugram.cm_pki collection (version 1.0.0).

To install it, use: ansible-galaxy collection install anugram.cm_pki.

To use it in a playbook, specify: anugram.cm_pki.cm_local_ca.

New in anugram.cm_pki 1.0.0

Synopsis

  • Create and edit local Certificate Authority on CipherTrust Manager

Parameters

Parameter

Comments

algorithm

string

Key algorithm: RSA or ECDSA (default). The signature algorithm (SHA512WithRSA, SHA384WithRSA, SHA256WithRSA, SHA1WithRSA, ECDSAWithSHA512, ECDSAWithSHA384, ECDSAWithSHA256) is chosen by the server from algorithm and size and is not set directly. SHA1WithRSA is in that list, but SHA-1 signatures are no longer acceptable for certificates, so check the signature algorithm on the issued certificate rather than assuming a SHA-2 variant.

allow_client_authentication

boolean

If set to true, the certificates signed by the specified CA can be used for client authentication.

Choices:

  • false

  • true

allow_user_authentication

boolean

If set to true, the certificates signed by the specified CA can be used for user authentication.

Choices:

  • false

  • true

cn

string

Common Name

csr

string

CSR in PEM format

csrParams

dictionary

Parameters used when creating the CSR, such as the subject, X.509 extensions and signature algorithm.

dnsNames

string

Subject Alternative Name (SAN) DNS entries

duration

integer

Duration in days of certificate. Either duration or notAfter date must be specified.

emailAddresses

string

E-mail addresses

encryptionAlgo

string

Private key encryption algorithm.

Choices:

  • "AES256"

  • "AES192"

  • "AES128"

  • "TDES"

ipAddresses

string

IP addresses

keyGenParams

dictionary

Parameters to be used for creating an asymmetric key to be used for CSR creation.

keyID

string

Identifier of an existing private key to be used for creating the CSR.

keyIDType

string

Type of the identifier given in keyID for the private key to be used for creating the CSR.

keyVersion

integer

Version of the private key, keyID, to be used for creating CSR.

localNode

dictionary / required

Holds the connection parameters required to communicate with an instance of CipherTrust Manager (CM): the IP/FQDN of the server, username, password, port and whether TLS verification is enforced.

password

string / required

admin password of CM. Keep it in Ansible Vault or fetch it with a lookup rather than writing it into the playbook.

server_ip

string / required

CM Server IP or FQDN

server_port

integer / required

Port on which CM server is listening

Default: 5432

server_private_ip

string / required

internal or private IP of the CM Server, if different from the server_ip

user

string / required

admin username of CM

verify

boolean / required

Whether the CM server's TLS certificate is verified. The default of false disables certificate validation and exposes the admin credentials and all PKI operations to interception; set it to true outside throwaway lab setups.

Choices:

  • false ← (default)

  • true

name

string

A unique name of CA, if not provided, will be set to localca-<id>.

names

list / elements=string

Name fields

notAfter

string

End date of certificate. Either notAfter or duration must be specified. notAfter overrides duration if both are given.

notBefore

string

Start date of certificate

op_type

string / required

Operation to be performed

Choices:

  • "create"

  • "patch"

  • "issue-cert"

  • "self-sign"

  • "revoke-cert"

  • "resume-cert"

  • "create-csr"

  • "create-csr-key"

password

string

Password used to PEM-encrypt the private key returned by create-csr-key (together with encryptionAlgo). If not specified, the private key is returned unencrypted in the module result.

privateKeyBytes

string

Private key bytes of the key to be used while creating the CSR (algorithm and size must match this key). If not given, a key is generated internally according to algorithm and size.

purpose

string

server, client or ca

reason

string

Revocation reason, used with op_type revoke-cert. Specify one of the following.

Choices:

  • "unspecified"

  • "keyCompromise"

  • "cACompromise"

  • "affiliationChanged"

  • "superseded"

  • "cessationOfOperation"

  • "certificateHold"

  • "removeFromCRL"

  • "privilegeWithdrawn"

  • "aACompromise"

size

string

Key size in bits (for example 2048 or 4096 for RSA); together with algorithm it determines the signature algorithm the server selects.

Examples

- name: "Create CM Local CA"
  anugram.cm_pki.cm_local_ca:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false
    op_type: create
    cn: local_ca_ansible
    name: AnsibleLocalCA
    algorithm: RSA
    size: 4096
    names:
      - C: CA
        ST: ontario
        L: ottawa
        O: ciphertrust
        OU: test
  register: ca

- name: Self sign the CA
  anugram.cm_pki.cm_local_ca:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false
    op_type: self-sign
    id: "{{ ca['response']['id'] }}"
    duration: 365

- name: Create CSR
  anugram.cm_pki.cm_local_ca:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false
    op_type: create-csr-key
    cn: csr
    name: AnsibleCSR
    algorithm: RSA
    size: 2048
    ipAddresses:
      - 10.1.1.10
    names:
      - C: CA
        ST: ontario
        L: ottawa
        O: ciphertrust
        OU: test
    encryptionAlgo: AES256
  register: csr

- name: Issue Certificate
  anugram.cm_pki.cm_local_ca:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false
    op_type: issue-cert
    id: "{{ ca['response']['id'] }}"
    csr: "{{ csr['response']['data']['csr'] }}"
    purpose: server
    duration: 365
    name: AnsibleServerCert
  register: cert
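The tasks above are shown as a single playbook below, with the connection block hardened the way a practitioner would run it. This is an added example, not code from the anugram.cm_pki collection or its author: the cm_conn variable, the vault_* variable names, the hostnames and the CA/certificate names are assumptions, the id parameter is used exactly as in the examples above, and dnsNames is given as a list in the same way the ipAddresses example above does.

```yaml
---
# Added example (not from the anugram.cm_pki collection): end-to-end local CA
# workflow. cm_conn, vault_* names and hostnames are assumptions; all
# op_type and parameter names are the ones documented on this page.
- name: Bootstrap a CipherTrust Manager local CA and issue a server certificate
  hosts: localhost
  gather_facts: false
  vars:
    # Assumed to come from a vault-encrypted vars file so no secret sits in the playbook.
    cm_conn:
      server_ip: "cm.example.internal"          # placeholder FQDN
      server_private_ip: "cm.example.internal"  # same host here; set if it differs
      server_port: 5432
      user: "{{ vault_cm_user }}"
      password: "{{ vault_cm_password }}"
      verify: true   # validate the CM TLS certificate; false only for throwaway labs
  tasks:
    - name: Create the local CA object
      anugram.cm_pki.cm_local_ca:
        localNode: "{{ cm_conn }}"
        op_type: create
        cn: "Example Internal Root CA"
        name: ExampleRootCA
        algorithm: RSA
        size: 4096
        names:
          - C: CA
            O: example
            OU: pki
      register: ca

    - name: Self-sign the CA so it becomes the root of the chain
      anugram.cm_pki.cm_local_ca:
        localNode: "{{ cm_conn }}"
        op_type: self-sign
        id: "{{ ca['response']['id'] }}"
        duration: 3650

    - name: Generate a key and CSR for the server certificate
      anugram.cm_pki.cm_local_ca:
        localNode: "{{ cm_conn }}"
        op_type: create-csr-key
        cn: "web01.example.internal"
        name: web01CSR
        algorithm: RSA
        size: 2048
        dnsNames:
          - web01.example.internal
        names:
          - C: CA
            O: example
            OU: web
        encryptionAlgo: AES256
        password: "{{ vault_key_password }}"   # PEM-encrypt the returned private key
      no_log: true   # the result carries private key material; keep it out of logs
      register: csr

    - name: Issue the server certificate from the CA
      anugram.cm_pki.cm_local_ca:
        localNode: "{{ cm_conn }}"
        op_type: issue-cert
        id: "{{ ca['response']['id'] }}"
        csr: "{{ csr['response']['data']['csr'] }}"
        purpose: server
        duration: 365
        name: web01ServerCert
      register: cert
```

Two design points: verify is true so the admin credentials and every PKI call are protected by a validated TLS session, and the create-csr-key task sets both password (so the private key leaves CM PEM-encrypted) and no_log (so the registered result is not written to the Ansible log or callback output). The assumed vault variables are loaded with a vars_files entry or --extra-vars pointing at an ansible-vault encrypted file.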

Authors

  • Anurag Jain, Developer Advocate Thales Group