maxhoesel.smallstep.step_ca_certificate (0.24.5) — module

Generate a new private key and certificate signed by the root certificate

Added in version 0.3.0 of maxhoesel.smallstep

Authors: Max Hösel (@maxhoesel)

Install collection

Install with ansible-galaxy collection install maxhoesel.smallstep:==0.24.5


Add to requirements.yml

  collections:
    - name: maxhoesel.smallstep
      version: 0.24.5

Description

Calls step-cli to create new certificates from the local or remote CA.


Requirements

Usage examples

# See https://smallstep.com/docs/step-cli/reference/ca/certificate for more examples

- name: Request a new certificate for a given domain
  maxhoesel.smallstep.step_ca_certificate:
    token: "{{ your_token_here }}"
    name: internal.example.com
    crt_file: /tmp/mycert.crt
    key_file: /tmp/mycert.key
- name: Request a new certificate with multiple Subject Alternative Names
  maxhoesel.smallstep.step_ca_certificate:
    name: foobar
    san:
      - hello.example.com
      - 1.1.1.1
      - 10.2.3.4
    crt_file: /tmp/mycert.crt
    key_file: /tmp/mycert.key
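A fuller playbook, added here as an example and not taken from the collection's own documentation, that issues a short-lived EC certificate through a JWK provisioner, locks down the private key, and verifies the issued identity before anything depends on it. The provisioner name, the password file path, the certificate directory and the JSON field names read from `step-cli certificate inspect --format json` are assumptions, not facts from this page.

```yaml
# Added example (not from the collection's docs). Assumes a JWK provisioner
# named "ansible" exists on the CA and that its password is stored in
# /etc/step/ansible-provisioner.pass on the target host. The paths and the
# inspect JSON field names (subject.common_name, names, ip_addresses) are
# assumptions.
- name: Issue and verify a short-lived service certificate
  hosts: app_servers
  become: true
  vars:
    cert_cn: app01.internal.example.com
    cert_dir: /etc/pki/app
  tasks:
    - name: Create the certificate directory with restrictive permissions
      ansible.builtin.file:
        path: "{{ cert_dir }}"
        state: directory
        owner: root
        group: root
        mode: "0750"

    # provisioner + provisioner_password_file lets step-cli mint the one-time
    # token itself, so no token needs to travel through Ansible variables.
    # force: true re-issues on every run, which is fine for a 24h lifetime
    # driven by a scheduled play.
    - name: Request an EC P-384 certificate valid for 24 hours
      maxhoesel.smallstep.step_ca_certificate:
        name: "{{ cert_cn }}"
        san:
          - "{{ cert_cn }}"
          - app01.example.com
          - 10.2.3.4
        provisioner: ansible
        provisioner_password_file: /etc/step/ansible-provisioner.pass
        kty: EC
        curve: P-384
        not_after: 24h
        crt_file: "{{ cert_dir }}/server.crt"
        key_file: "{{ cert_dir }}/server.key"
        force: true

    - name: Keep the private key readable by root only
      ansible.builtin.file:
        path: "{{ cert_dir }}/server.key"
        owner: root
        group: root
        mode: "0600"

    - name: Inspect the issued certificate
      ansible.builtin.command:
        argv:
          - step-cli
          - certificate
          - inspect
          - "{{ cert_dir }}/server.crt"
          - --format
          - json
      register: inspect
      changed_when: false

    - name: Parse the inspect output
      ansible.builtin.set_fact:
        cert_info: "{{ inspect.stdout | from_json }}"

    # Fail the play if the CA issued something other than what was requested
    # (for example if a template on the CA rewrote the SANs).
    - name: Check subject and SANs before the service is reloaded
      ansible.builtin.assert:
        that:
          - cert_info.subject.common_name == cert_cn
          - cert_cn in cert_info.names
          - "'app01.example.com' in cert_info.names"
          - "'10.2.3.4' in cert_info.ip_addresses"
        fail_msg: "Issued certificate does not match the requested identity"
```

If you use the `token` parameter instead of a provisioner password file, add `no_log: true` to the task so the one-time token is not written to the play output or log files.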

Inputs

    
kty:
    choices:
    - EC
    - OKP
    - RSA
    description: The key type (kty) to build the certificate upon. If unset, the default
      is EC. I(kty) is a case-sensitive string.
    type: str

san:
    description: Add DNS/IP/email/URI Subject Alternative Name(s) (SANs) that should
      be authorized. The I(san) parameter and the I(token) parameter are mutually exclusive.
      Must be a list.
    elements: str
    type: list

set:
    description: The key=value pair with template data variables to send to the CA. Must
      be a list.
    elements: str
    type: list

acme:
    description: ACME directory URL to be used for requesting certificates via the ACME
      protocol. Use this parameter to define an ACME server other than the Step CA. If
      this parameter is absent and an ACME provisioner has been selected, then the I(ca_url)
      parameter must be defined.
    type: str

name:
    aliases:
    - subject
    description: The Common Name, DNS Name, or IP address that will be set as the Subject
      Common Name for the certificate. If no Subject Alternative Names (SANs) are configured
      (via the I(san) parameter), then the subject will be set as the only SAN.
    required: true
    type: str

root:
    description: The path to the PEM file used as the root certificate authority. Used
      if the module is run in online mode (default) and the host's C(step-cli) is not configured
      to trust the CA.
    type: path

size:
    description: The size (in bits) of the key for RSA and oct key types. RSA keys require
      a minimum key size of 2048 bits. If unset, the default is 2048 bits for RSA keys and
      128 bits for oct keys.
    type: int

curve:
    aliases:
    - crv
    choices:
    - P-256
    - P-384
    - P-521
    - Ed25519
    description: The elliptic curve to use for EC and OKP key types. Corresponds to the
      "crv" JWK parameter. Valid curves are defined in JWA [RFC7518]. If unset, the default
      is P-256 for EC keys and Ed25519 for OKP keys.
    type: str

force:
    description: Force the overwrite of files without asking.
    type: bool

token:
    description: The one-time token used to authenticate with the CA in order to create
      the certificate.
    type: str

ca_url:
    description: URL of the targeted Step Certificate Authority. Used if the module is
      run in online mode (default) and the host's C(step-cli) is not configured to trust
      the CA.
    type: str

contact:
    description: The email address used for contact as part of the ACME protocol. These
      contacts may be used to warn of certificate expiration or other certificate lifetime
      events. Must be a list.
    elements: str
    type: list

offline:
    description: Don't contact the CA. Offline mode uses the configuration, certificates,
      and keys created with C(step ca init), but can accept a different configuration file
      using the I(ca_config) parameter.
    type: bool

webroot:
    description: Specify a path to use as a "web root" for validation in the ACME protocol.
      Webroot is a mode in which the step process will write a challenge file to a location
      being served by an existing fileserver in order to respond to ACME challenge validation
      requests.
    type: path

x5c_key:
    description: Private key path, used to sign a JWT, corresponding to the certificate
      that will be stored in the 'x5c' header.
    type: path

crt_file:
    description: File to write the certificate (PEM format)
    required: true
    type: path

key_file:
    description: File to write the private key (PEM format)
    required: true
    type: path

set_file:
    description: The path of a JSON file with the template data to send to the CA.
    type: path

x5c_cert:
    description: Certificate (chain) in PEM format to store in the 'x5c' header of a JWT.
    type: str

ca_config:
    description: The path to the certificate authority configuration file on the host.
    type: path

not_after:
    description: The time/duration when the certificate validity period ends. If a time
      is used, it is expected to be in RFC 3339 format. If a duration is used, it is
      a sequence of decimal numbers, each with an optional fraction and a unit suffix,
      such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us"
      (or "µs"), "ms", "s", "m", "h".
    type: str

not_before:
    description: The time/duration when the certificate validity period starts. If a
      time is used, it is expected to be in RFC 3339 format. If a duration is used, it
      is a sequence of decimal numbers, each with an optional fraction and a unit suffix,
      such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us"
      (or "µs"), "ms", "s", "m", "h".
    type: str

standalone:
    description: Get a certificate using the ACME protocol and standalone mode for validation.
      Standalone is a mode in which the step process will run a server that will
      respond to ACME challenge validation requests. Standalone is the default mode for
      serving challenge validation requests.
    type: bool

http_listen:
    description: Use a non-standard HTTP address, behind a reverse proxy or load balancer,
      for serving ACME challenges. The default address is :80, which requires super user
      (sudo) privileges. This parameter must be used in conjunction with the I(standalone)
      parameter.
    type: str

provisioner:
    aliases:
    - issuer
    description: The provisioner name to use.
    required: true
    type: str

k8ssa_token_path:
    description: Configure the file from which to read the kubernetes service account
      token.
    type: path

step_cli_executable:
    default: step-cli
    description: Name (or absolute path) of the C(step-cli) executable to use
    type: path

provisioner_password_file:
    description: The path to the file containing the password to decrypt the one-time
      token generating key.
    type: path