
openssl_csr: Please add ability to specify the crl location (crlDistributionPoints URI http://$url/org.crl) #147

Closed
gderber opened this issue Nov 24, 2020 · 4 comments · Fixed by #167


gderber commented Nov 24, 2020

SUMMARY

Please add the ability to specify the crlDistributionPoints URI within the CSR.

ISSUE TYPE

  • Feature Idea

COMPONENT NAME

openssl_csr

ADDITIONAL INFORMATION

This is needed for smart card logon as a Windows domain user (Samba DC). For this to work, the system looks for the crlDistributionPoints extension within the certificate to find the URL to check for the CRL.

```yaml
- name: Generate Certificate Authority Certificate Signing Request (CSR)
  openssl_csr:
    path: "/etc/ssl/csr/www.ansible.com.csr"
    privatekey_path: "/etc/ssl/private/ansible.com.pem"
    privatekey_passphrase: "{{ privatekey_passphrase }}"
    common_name: "{{ common_name }}"
    country_name: "{{ country_name }}"
    email_address: "{{ email_address }}"
    organization_name: "{{ organization_name }}"
    key_usage: "{{ item.keyusage }}"
    basic_constraints: "{{ item.basic_constraints }}"
    create_subject_key_identifier: yes
    # proposed new option: the CRL distribution point URI to place in the CSR
    crl_distribution_point: "http://example.com/pki/ca.crl"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
```

jrunu commented Dec 21, 2020

Hi @gderber, I have this requirement now as well. Did you happen to find a workaround for the time being?


gderber commented Dec 21, 2020

Hi @jrunu, yes, I know a workaround. I haven't implemented it yet on my network, and it's not a very good workaround.

The workaround is to template out the openssl.cnf files for the certificate authorities, hosts, and users, then use the command module to run the specific openssl commands to create the certificate signing requests.

Basically, it means using Ansible to script the commands and config files you would normally do manually. Like I said, not a very good workaround.


jrunu commented Dec 24, 2020

@gderber, that was my first hunch too. But I figured out that you can reuse the existing CSRs. So for the certs where I need this extension I run something like this after the fact:

```yaml
- name: Special Delivery
  command: openssl x509 -req -passin env:CAPASS -in "{{host.csr}}" -out "{{host.crt}}" -days 360 -CA "{{ca.crt}}" -CAcreateserial -CAkey "{{ca.pem}}" -extfile "{{crlDistributionPoint.cnf}}"
  environment:
    CAPASS: "{{ca_passphrase}}"
  delegate_to: localhost
```

crlDistributionPoint.cnf:

```
crlDistributionPoints=URI:http://example.com/crl.pem
```

The CA also needs "cRLSign" as an additional key_usage, which in turn touches all existing certificates at least once. In my case this wasn't an issue, but it is something to consider.
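As an added example (not code from this issue thread or from the community.crypto module), the following POSIX shell script does at the OpenSSL command line what the two approaches above describe: it places crlDistributionPoints in the CSR itself with `openssl req -addext` (the behaviour requested for `openssl_csr`; `-addext` requires OpenSSL 1.1.1 or newer), signs the CSR with an extfile carrying the same extension as in the workaround, and checks that the CA's keyUsage includes cRLSign. Everything runs in a throwaway temporary directory; the CA name, the leaf name and the URI `http://example.com/pki/ca.crl` are constructed placeholders taken from the example values in this thread.

```shell
#!/bin/sh
# Added example, not part of the issue thread or of community.crypto.
# Requires OpenSSL >= 1.1.1 for `openssl req -addext`.
set -eu

# Constructed placeholder; the issue uses http://example.com/pki/ca.crl as its example URI.
CRL_URI="http://example.com/pki/ca.crl"

# build_pki DIR
# Creates a throwaway CA and a leaf certificate under DIR:
#  - the CA cert's keyUsage includes cRLSign, so it may sign the CRL the URI points to;
#  - the leaf CSR itself carries crlDistributionPoints (the feature requested above);
#  - the leaf cert gets the extension at signing time via -extfile (the workaround above).
build_pki() {
    dir="$1"
    mkdir -p "$dir"

    # CA key and self-signed CA certificate
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Demo CA" -days 30 \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -out "$dir/ca.crt" 2>/dev/null

    # Leaf key and CSR with the CRL distribution point as a requested extension
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/leaf.key" 2>/dev/null
    openssl req -new -key "$dir/leaf.key" -subj "/CN=leaf.example.com" \
        -addext "crlDistributionPoints=URI:$CRL_URI" \
        -out "$dir/leaf.csr" 2>/dev/null

    # Issue the certificate. `openssl x509 -req` does not copy requested extensions
    # from the CSR by default, so the issuer supplies the extension through an extfile.
    printf 'crlDistributionPoints=URI:%s\n' "$CRL_URI" > "$dir/crldp.cnf"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/crldp.cnf" \
        -out "$dir/leaf.crt" 2>/dev/null
}

# csr_crl_uri CSR  -> prints the first URI listed under the CSR's requested extensions
csr_crl_uri() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p' | head -n 1
}

# cert_crl_uri CERT -> prints the first URI listed in the certificate's extensions
cert_crl_uri() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p' | head -n 1
}

# ca_has_crlsign CERT -> exit status 0 if the certificate's keyUsage includes CRL Sign
ca_has_crlsign() {
    openssl x509 -in "$1" -noout -text | grep -q 'CRL Sign'
}

# Demo run in a temporary directory
demo_dir="$(mktemp -d)"
build_pki "$demo_dir"
echo "CSR  crlDistributionPoints: $(csr_crl_uri "$demo_dir/leaf.csr")"
echo "Cert crlDistributionPoints: $(cert_crl_uri "$demo_dir/leaf.crt")"
if ca_has_crlsign "$demo_dir/ca.crt"; then echo "CA keyUsage includes cRLSign"; fi
rm -rf "$demo_dir"
```

The script inspects both the CSR and the issued certificate on purpose: a requested extension in the CSR is only a request, and `openssl x509 -req` does not carry it into the certificate unless the issuer adds it at signing time, which is why the extfile step in the workaround is what actually makes the URI appear in the certificate that Windows or Samba will inspect.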

@felixfontein

resolved_by_pr #167.
