ocserv: add playbook for creating client certificates

playbooks/ocserv-create-user-cert.yml

@@ -0,0 +1,36 @@
+# Create key and certificate files for a ocserv client. Run with:
+#
+# ansible-playbook playbooks/ocserv-create-user-cert.yml -euser=<username> -egroup=<group> [-edays=<days>]
+#
+# Default certificate lifetime is 365 days.
+
+- hosts: vrata
+  gather_facts: false
+  tasks:
+    - name: Set certificate filename
+      set_fact:
+        filename: "{{ inventory_hostname }}-{{ user }}-{{ now(utc=true, fmt='%s.%f') }}"
+
+    - name: Create client key and signing request
+      delegate_to: localhost
+      shell:
+        cmd: |
+          openssl genpkey -algorithm rsa -out {{ filename }}.key
+          openssl req -new -subj /O=fri/OU={{ group }}/CN={{ user }} -key {{ filename }}.key -out {{ filename }}.csr
+        chdir: "{{ inventory_dir }}"
+
+    # create certificate and store a copy on the server
+    - name: Sign certificate request
+      shell:
+        cmd: >
+          openssl x509 -req -sha256 -CA /etc/ocserv/ca.crt -CAkey /etc/ocserv/ca.key -days "{{ days | default(365) }}"
+          | tee "{{ filename }}.crt"
+        stdin: "{{ lookup('file', inventory_dir+'/'+filename+'.csr') }}"
+        chdir: /var/lib/ocserv/certs
+      register: user_certificate
+
+    - name: Store client certificate
+      delegate_to: localhost
+      copy:
+        dest: "{{ inventory_dir }}/{{ filename }}.crt"
+        content: "{{ user_certificate.stdout }}"

roles/ocserv/tasks/main.yml

@@ -28,6 +28,13 @@
     creates: ca.crt
   notify: restart ocserv
 
+- name: Create directory for client certificates
+  file:
+    path: /var/lib/ocserv/certs
+    state: directory
+    owner: ocserv
+    group: ocserv
+
 # this script allows routing from the client to their networks on connection
 - name: Install ocserv firewall script
   copy: