maxhoesel.smallstep.step_ca_certificate (0.23.1): module
Generate a new private key and certificate signed by the root certificate
Added in version 0.3.0 of maxhoesel.smallstep
Authors: Max Hösel (@maxhoesel)
Install with: ansible-galaxy collection install maxhoesel.smallstep:==0.23.1

Or as a requirements file entry:

collections:
  - name: maxhoesel.smallstep
    version: 0.23.1
Calls step-cli to create new certificates from the local or remote CA.
Examples:

# See https://smallstep.com/docs/step-cli/reference/ca/certificate for more examples
- name: Request a new certificate for a given domain
  maxhoesel.smallstep.step_ca_certificate:
    token: "{{ your_token_here }}"
    name: internal.example.com
    crt_file: /tmp/mycert.crt
    key_file: /tmp/mycert.key

- name: Request a new certificate with multiple Subject Alternative Names
  maxhoesel.smallstep.step_ca_certificate:
    name: foobar
    san:
      - hello.example.com
      - 1.1.1.1
      - 10.2.3.4
    crt_file: /tmp/mycert.crt
    key_file: /tmp/mycert.key
Parameters:

kty (str; choices: EC, OKP, RSA)
  The kty to build the certificate upon. If unset, default is EC. kty is a case-sensitive string.

san (list of str)
  Add DNS/IP/email/URI Subject Alternative Name(s) (SANs) that should be authorized. The san parameter and the token parameter are mutually exclusive. Must be a list.

set (list of str)
  The key=value pair with template data variables to send to the CA. Must be a list.

acme (str)
  ACME directory URL to be used for requesting certificates via the ACME protocol. Use this parameter to define an ACME server other than the Step CA. If this flag is absent and an ACME provisioner has been selected, then the ca_url parameter must be defined.

name (str, required; alias: subject)
  The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the san parameter), then the subject will be set as the only SAN.

root (path)
  The path to the PEM file used as the root certificate authority. Used if the module is run in online mode (default) and the host's step-cli is not configured to trust the CA.

size (int)
  The size (in bits) of the key for RSA and oct key types. RSA keys require a minimum key size of 2048 bits. If unset, default is 2048 bits for RSA keys and 128 bits for oct keys.

curve (str; alias: crv; choices: P-256, P-384, P-521, Ed25519)
  The elliptic curve to use for EC and OKP key types. Corresponds to the "crv" JWK parameter. Valid curves are defined in JWA [RFC 7518]. If unset, default is P-256 for EC keys and Ed25519 for OKP keys.

force (bool)
  Force the overwrite of files without asking.

token (str)
  The one-time token used to authenticate with the CA in order to create the certificate.

ca_url (str)
  URI of the targeted Step Certificate Authority. Used if the module is run in online mode (default) and the host's step-cli is not configured to trust the CA.

contact (list of str)
  The email address used for contact as part of the ACME protocol. These contacts may be used to warn of certificate expiration or other certificate lifetime events. Must be a list.

offline (bool)
  Don't contact the CA. Offline mode uses the configuration, certificates, and keys created with step ca init, but can accept a different configuration file using the ca_config flag.

webroot (path)
  Specify a path to use as a 'web root' for validation in the ACME protocol. Webroot is a mode in which the step process will write a challenge file to a location being served by an existing fileserver in order to respond to ACME challenge validation requests.

x5c_key (path)
  Private key path, used to sign a JWT, corresponding to the certificate that will be stored in the 'x5c' header.

crt_file (path, required)
  File to write the certificate (PEM format).

key_file (path, required)
  File to write the private key (PEM format).

set_file (path)
  The path of a JSON file with the template data to send to the CA.

x5c_cert (str)
  Certificate (chain) in PEM format to store in the 'x5c' header of a JWT.

ca_config (path)
  The path to the certificate authority configuration file on the host.

not_after (str)
  The time/duration when the certificate validity period ends. If a time is used, it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

not_before (str)
  The time/duration when the certificate validity period starts. If a time is used, it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

standalone (bool)
  Get a certificate using the ACME protocol and standalone mode for validation. Standalone is a mode in which the step process will run a server that will respond to ACME challenge validation requests. Standalone is the default mode for serving challenge validation requests.

http_listen (str)
  Use a non-standard HTTP address, behind a reverse proxy or load balancer, for serving ACME challenges. The default address is :80, which requires super user (sudo) privileges. This flag must be used in conjunction with the standalone parameter.

provisioner (str, required; alias: issuer)
  The provisioner name to use.

k8ssa_token_path (path)
  Configure the file from which to read the Kubernetes service account token.

step_cli_executable (path; default: step-cli)
  Name (or absolute path) of the step-cli executable to use.

provisioner_password_file (path)
  The path to the file containing the password to decrypt the one-time token generating key.
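Before handing a task's arguments to this module, a playbook author can lint them against the constraints stated in the parameter reference above (token/san exclusivity, the RSA minimum size, curves per key type, http_listen needing standalone, and the not_after/not_before syntax). The Python below is an added example, not code from the maxhoesel.smallstep collection; validate_args, is_valid_time_or_duration and the sample dictionaries are hypothetical, and the curve-to-key-type mapping is taken from JWA (RFC 7518) and RFC 8037.

```python
import re
from datetime import datetime

# not_after/not_before accept a Go-style duration: decimal numbers with an
# optional fraction and one of the documented unit suffixes, e.g. "2h45m".
_DURATION_RE = re.compile(r"^[-+]?((\d+(\.\d*)?|\.\d+)(ns|us|µs|ms|s|m|h))+$")

# Curves per key type, from JWA (RFC 7518) and RFC 8037 (not stated on the page).
_CURVES = {"EC": ("P-256", "P-384", "P-521"), "OKP": ("Ed25519",)}


def is_valid_time_or_duration(value):
    """True for an RFC 3339 timestamp or a duration in the documented syntax."""
    if _DURATION_RE.match(value):
        return True
    try:
        # fromisoformat() on Python < 3.11 does not accept a trailing "Z"
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def validate_args(args):
    """Return the list of constraint violations found in a task's arguments."""
    problems = []
    if "token" in args and "san" in args:
        problems.append("token and san are mutually exclusive")
    kty = args.get("kty", "EC")
    if kty not in ("EC", "OKP", "RSA"):
        problems.append(f"unknown kty {kty!r}")
    if kty == "RSA" and args.get("size", 2048) < 2048:
        problems.append("RSA keys require a minimum key size of 2048 bits")
    if "curve" in args and args["curve"] not in _CURVES.get(kty, ()):
        problems.append(f"curve {args['curve']!r} is not valid for kty {kty}")
    if "http_listen" in args and not args.get("standalone"):
        problems.append("http_listen must be used in conjunction with standalone")
    for key in ("not_after", "not_before"):
        if key in args and not is_valid_time_or_duration(args[key]):
            problems.append(f"{key} must be RFC 3339 or a duration such as '2h45m'")
    return problems


# Constructed sample task arguments (hypothetical values, not from the page).
SAMPLE_OK = {"name": "foobar", "san": ["hello.example.com", "10.2.3.4"],
             "kty": "EC", "curve": "P-384", "not_after": "2h45m",
             "crt_file": "/tmp/mycert.crt", "key_file": "/tmp/mycert.key"}
SAMPLE_BAD = {**SAMPLE_OK, "token": "placeholder-token", "kty": "RSA",
              "size": 1024, "not_after": "2 hours"}
```

validate_args(SAMPLE_OK) returns an empty list, while SAMPLE_BAD trips four checks at once (token with san, an undersized RSA key, an EC curve on an RSA key, and a non-parseable not_after).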