Also generate a certificate able to do client authentication.

2025-04-16 18:07:27 +02:00 · 2025-04-16 18:07:27 +02:00 · 3c259e30b8
parent 3abcb3be51
commit 3c259e30b8
2 changed files with 22 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -207,9 +207,9 @@ self_signed_subject: "/CN={{ ansible_fqdn }} self signed"

 mkcert_create_certificate: false
 mkcert_cert_name: "{{ ansible_fqdn }}.pem"
-mkcert_cert_dest_path: "{{ pki_dir }}/certs/{{ mkcert_cert_name }}"
+mkcert_cert_dest_path: "{{ pki_dir }}/certs"
 mkcert_key_name: "{{ ansible_fqdn }}-key.pem"
-mkcert_key_dest_path: "{{ pki_dir }}/keys/{{ mkcert_key_name }}"
+mkcert_key_dest_path: "{{ pki_dir }}/keys"
 mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {% for ip in ansible_all_ipv4_addresses %}{{ ip }} {% endfor %}"
 mkcert_ca_host: localhost

--- a/tasks/certificate_from_private_ca.yml
+++ b/tasks/certificate_from_private_ca.yml
@ -16,6 +16,16 @@
        CAROOT: /srv/mkcert-ca/.local/share/mkcert
      delegate_to: "{{ mkcert_ca_host }}"

+   - name: certificate_from_private_ca | Create the certificate (delegate to the CA vm)
+      ansible.builtin.command:
+        cmd: mkcert -client -cert-file /srv/mkcert-ca/client-{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/client-{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }}
+      args:
+        chdir: /srv/mkcert-ca
+        creates: "/srv/mkcert-ca/client-{{ mkcert_cert_name }}"
+      environment:
+        CAROOT: /srv/mkcert-ca/.local/share/mkcert
+      delegate_to: "{{ mkcert_ca_host }}"
+
 - name: certificate_from_private_ca | Manage the certificate installation
  tags: [pki, tls, tls_certificate]
  block:
@ -27,20 +37,28 @@
      loop:
        - "{{ mkcert_cert_name }}"
        - "{{ mkcert_key_name }}"
+        - "client-{{ mkcert_cert_name }}"
+        - "client-{{ mkcert_key_name }}"
      delegate_to: "{{ mkcert_ca_host }}"

    - name: certificate_from_private_ca | Copy the certificate to the destination server
      ansible.builtin.copy:
-        src: "files/{{ mkcert_cert_name }}"
+        src: "files/{{ item }}"
        dest: "{{ mkcert_cert_dest_path }}"
        owner: root
        group: root
        mode: 0444
+      loop:
+        - "{{ mkcert_cert_name }}"
+        - "client-{{ mkcert_cert_name }}"

    - name: certificate_from_private_ca | Copy the certificate to the destination server
      ansible.builtin.copy:
-        src: "files/{{ mkcert_key_name }}"
+        src: "files/{{ item }}"
        dest: "{{ mkcert_key_dest_path }}"
        owner: root
        group: root
        mode: 0440
+      loop:
+        - "{{ mkcert_key_name }}"
+        - "client-{{ mkcert_key_name }}"