
I am trying to generate a chain (self-signed + one signed by the self-signed) of certificates using Ansible OpenSSL modules.

So far I have the following tasks:

```yaml
- name: Generate a Self Signed OpenSSL certificate
  become: yes
  block:
    - apt:
        name: python-openssl
        update_cache: yes
    - openssl_privatekey:
        path: /tmp/ansible.com.pem
    - openssl_csr:
        path: /tmp/ansible.com.csr
        privatekey_path: /tmp/ansible.com.pem
        common_name: ansible.com
    - openssl_certificate:
        path: /tmp/ansible.com.crt
        privatekey_path: /tmp/ansible.com.pem
        csr_path: /tmp/ansible.com.csr
        provider: selfsigned
    - openssl_privatekey:
        path: /tmp/child.com.pem
    - openssl_csr:
        path: /tmp/child.com.csr
        privatekey_path: /tmp/child.com.pem
        common_name: child.com
    - openssl_certificate:
        path: /tmp/child.com.crt
        privatekey_path: /tmp/ansible.com.pem
        csr_path: /tmp/child.com.csr
        provider: selfsigned
```

But the problem is that the child certificate is not valid:

```
openssl verify -verbose -CAfile /tmp/ansible.com.crt /tmp/child.com.crt
/tmp/child.com.crt: CN = child.com
error 18 at 0 depth lookup:self signed certificate
OK
```

I am using Ansible 2.6.1.

  • So what is invalid about those certificates? Both are self-signed and independent of each other. You can't verify one using the other one. It wouldn't make sense. – techraf Jul 16 '18 at 20:32
  • I am trying to sign child certificate with the parent (ansible.com) key. Trying to make a chain instead of two self signed... – Oleg Tarasenko Jul 16 '18 at 21:16
  • I am signing requests using ansible modules (openssl_certificate): https://docs.ansible.com/ansible/2.4/openssl_certificate_module.html – Oleg Tarasenko Jul 17 '18 at 04:59
  • I am not sure how to add code formatting into comments, there are two blocks responsible for signing certificate requests (the first one is self-signed (e.g. uses own key), and the other one is supposed to be signed by the first). - openssl_certificate: path: /tmp/ansible.com.crt privatekey_path: /tmp/ansible.com.pem csr_path: /tmp/ansible.com.csr provider: selfsigned – Oleg Tarasenko Jul 17 '18 at 07:07
  • I am pretty much sure that self signed certificate is fine, so looks like something wrong with the second block: `- openssl_certificate: path: /tmp/child.com.crt privatekey_path: /tmp/ansible.com.pem csr_path: /tmp/child.com.csr provider: selfsigned` – Oleg Tarasenko Jul 17 '18 at 07:08
  • I still think that the process is different, as I am generating a master_key, master_csr and making self signed certificate afterwards. And separately generating another private key (child), making csr, and now I want to sign it with the master key. – Oleg Tarasenko Jul 17 '18 at 07:38
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/176117/discussion-between-oleg-tarasenko-and-techraf). – Oleg Tarasenko Jul 17 '18 at 08:54

1 Answer

A self-signed certificate is a self-signed certificate regardless of what key you provided for signing (this key is never verified anyway, because "you trust the certificate directly").

If you check the contents of the child.com.crt certificate with the `openssl x509 -in /tmp/child.com.crt -text -noout` command, you'll see:

```
Certificate:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=child.com
        Subject: CN=child.com
```

not `Issuer: CN=ansible.com` (and there is no way to know whose key it is during the signing task, based on the key alone ― a key is just a random number; you'd need to provide the certificate of the signing party somewhere in the task, which you don't).


What you want to achieve will be possible in Ansible 2.7 with a new provider ownca introduced by this commit:

The 'ownca' provider is intended for generate OpenSSL certificate signed with your own CA (Certificate Authority) certificate (self-signed certificate).


Example:

```yaml
- name: Generate an OpenSSL certificate signed with your own CA certificate
  openssl_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    csr_path: /etc/ssl/csr/ansible.com.csr
    ownca_path: /etc/ssl/crt/ansible_CA.crt
    ownca_privatekey_path: /etc/ssl/private/ansible_CA.pem
    provider: ownca
```

For now (up to Ansible 2.6.x) you need to call `openssl x509 -req` (see examples) with the `command` module.

  • _A self-signed certificate is a self-signed certificate regardless of what key you provided for signing (this key is never verified anyway, because "you trust the certificate directly")._ This is not true. Nowadays many appliances require that final certificate enjoys participating in a full chain and both intermediate and root certificates have proper purpose and capabilities specified. – Igor A Oct 07 '21 at 18:41
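The `openssl x509 -req` workaround the answer points at for Ansible 2.6, written out as an added shell example (not code from the question or the answer). It goes a step beyond the answer by giving the CA certificate `CA:TRUE` basic constraints and the leaf `CA:FALSE`, which is the "proper purpose and capabilities" point raised in the comment above; the working-directory argument, the two extension files and the key sizes are assumptions, the file names and CNs follow the question.

```shell
#!/bin/sh
# Added example: the CA-signed chain the question wants, using the openssl
# commands that a `command` task would run on Ansible 2.6. Paths are assumed.
set -eu

# Build a two-level chain in $1: a self-signed CA (ansible.com) and a leaf
# (child.com) whose CSR is signed with the CA key *and* the CA certificate.
make_chain() {
  dir="$1"
  mkdir -p "$dir"
  # Extensions for the CA certificate: mark it as a CA so verifiers accept it
  # as an issuer at all (assumed extension file, not from the page).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  # Extensions for the leaf: explicitly not a CA, TLS server use only.
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"

  # CA key + CSR + self-signed CA certificate (the question's first block).
  openssl genrsa -out "$dir/ansible.com.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/ansible.com.pem" -subj "/CN=ansible.com" -out "$dir/ansible.com.csr"
  openssl x509 -req -in "$dir/ansible.com.csr" -signkey "$dir/ansible.com.pem" \
    -days 365 -extfile "$dir/ca.ext" -out "$dir/ansible.com.crt" 2>/dev/null

  # Leaf key + CSR, then sign with -CA/-CAkey. Passing the CA *certificate*
  # is what makes the Issuer field read CN=ansible.com instead of CN=child.com.
  openssl genrsa -out "$dir/child.com.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/child.com.pem" -subj "/CN=child.com" -out "$dir/child.com.csr"
  openssl x509 -req -in "$dir/child.com.csr" -CA "$dir/ansible.com.crt" -CAkey "$dir/ansible.com.pem" \
    -CAcreateserial -days 90 -extfile "$dir/leaf.ext" -out "$dir/child.com.crt" 2>/dev/null
}

# Print the leaf's issuer line; for a real chain it names the CA, not the leaf.
leaf_issuer() {
  openssl x509 -in "$1/child.com.crt" -noout -issuer
}

# Verify the leaf against the CA exactly as the question did. The exit status
# is the verdict: 0 prints "<file>: OK", a self-signed leaf fails with error 18.
verify_chain() {
  openssl verify -CAfile "$1/ansible.com.crt" "$1/child.com.crt"
}
```

Run `make_chain /tmp/chain && verify_chain /tmp/chain` to reproduce the check from the question with a passing result.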