diff --git a/playbooks/ocserv-create-user-cert.yml b/playbooks/ocserv-create-user-cert.yml
new file mode 100644
index 0000000..99c44d3
--- /dev/null
+++ b/playbooks/ocserv-create-user-cert.yml
@@ -0,0 +1,36 @@
+# Create key and certificate files for a ocserv client. Run with:
+#
+# ansible-playbook playbooks/ocserv-create-user-cert.yml -euser= -egroup= [-edays=]
+#
+# Default certificate lifetime is 365 days.
+
+- hosts: vrata
+ gather_facts: false
+ tasks:
+ - name: Set certificate filename
+ set_fact:
+ filename: "{{ inventory_hostname }}-{{ user }}-{{ now(utc=true, fmt='%s.%f') }}"
+
+ - name: Create client key and signing request
+ delegate_to: localhost
+ shell:
+ cmd: |
+ openssl genpkey -algorithm rsa -out {{ filename }}.key
+ openssl req -new -subj /O=fri/OU={{ group }}/CN={{ user }} -key {{ filename }}.key -out {{ filename }}.csr
+ chdir: "{{ inventory_dir }}"
+
+ # create certificate and store a copy on the server
+ - name: Sign certificate request
+ shell:
+ cmd: >
+ openssl x509 -req -sha256 -CA /etc/ocserv/ca.crt -CAkey /etc/ocserv/ca.key -days "{{ days | default(365) }}"
+ | tee "{{ filename }}.crt"
+ stdin: "{{ lookup('file', inventory_dir+'/'+filename+'.csr') }}"
+ chdir: /var/lib/ocserv/certs
+ register: user_certificate
+
+ - name: Store client certificate
+ delegate_to: localhost
+ copy:
+ dest: "{{ inventory_dir }}/{{ filename }}.crt"
+ content: "{{ user_certificate.stdout }}"
diff --git a/roles/ocserv/tasks/main.yml b/roles/ocserv/tasks/main.yml
index 25f23af..17ed134 100644
--- a/roles/ocserv/tasks/main.yml
+++ b/roles/ocserv/tasks/main.yml
@@ -28,6 +28,13 @@
 creates: ca.crt
 notify: restart ocserv
 
+- name: Create directory for client certificates
+ file:
+ path: /var/lib/ocserv/certs
+ state: directory
+ owner: ocserv
+ group: ocserv
+
 # this script allows routing from the client to their networks on connection
 - name: Install ocserv firewall script
 copy:
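Review bot: In the Sign certificate request task a failure of `openssl x509` is masked by the `| tee` pipeline, so the task succeeds with tee's exit status and both the server-side `.crt` and the Store client certificate copy end up empty (one way to hit this is a first run where the CA serial file does not yet exist, which on some OpenSSL versions requires `-CAcreateserial`). Running the pipeline under bash with `executable: /bin/bash` and a leading `set -o pipefail` (or writing with `-out` and reading the file back with `slurp`) surfaces the error, and a `failed_when: user_certificate.stdout | length == 0` guard keeps an empty certificate from being stored. In the Create client key and signing request task the `user` and `group` extra-vars go unquoted into `-subj` and into `filename`, so a value containing spaces or shell metacharacters breaks or alters the command; `{{ user | quote }}`, `{{ group | quote }}` and `{{ filename | quote }}` are the Ansible idiom for shell interpolation. `openssl genpkey -algorithm rsa` is also given no `-pkeyopt rsa_keygen_bits:...`, leaving the client key size to the OpenSSL default, which varies by version; an explicit size such as `-pkeyopt rsa_keygen_bits:3072` makes the key strength deterministic. The generated `.key` is written unencrypted into `inventory_dir`, so if that directory is under version control an ignore rule for `*.key` (or a passphrase via a genpkey cipher option) is worth adding alongside the header comment.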
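Review bot: The new Create directory for client certificates task sets owner and group but no `mode`, so the directory's permissions fall to the remote umask; an explicit `mode: "0755"` (quoted, so it is not read as a decimal integer) documents the intent and gives a umask-independent result. A comment naming what the directory holds would help the next reader, e.g. `# signed client certificates, written by playbooks/ocserv-create-user-cert.yml`. Note that the companion playbook in this commit writes into `/var/lib/ocserv/certs` via `tee` as the connecting Ansible user rather than as `ocserv`, and reads `/etc/ocserv/ca.key` in the same step; whether that user has the needed access depends on `become` settings not visible in this diff.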