openssl commands folded

This commit is contained in:
Ruben Jongejan 2017-05-10 09:45:37 +02:00
parent dd1af76c34
commit 50a961c6d2


@ -37,9 +37,15 @@
dest: "configs/{{ IP_subject_alt_name }}/pki/openssl.cnf"
- name: Build the CA pair
shell: |
shell: >
openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:"{{ easyrsa_CA_password }}" &&
openssl req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config openssl.cnf
-keyout private/cakey.pem
-out cacert.pem -x509 -days 3650
-batch
-passout pass:"{{ easyrsa_CA_password }}" &&
touch {{ IP_subject_alt_name }}_ca_generated
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
@ -60,9 +66,20 @@
creates: serial_generated
- name: Build the server pair
shell: |
openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ IP_subject_alt_name }}.key -out reqs/{{ IP_subject_alt_name }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" -batch &&
openssl ca -utf8 -in reqs/{{ IP_subject_alt_name }}.req -out certs/{{ IP_subject_alt_name }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" &&
shell: >
openssl req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config openssl.cnf
-keyout private/{{ IP_subject_alt_name }}.key
-out reqs/{{ IP_subject_alt_name }}.req -nodes
-passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ IP_subject_alt_name }}" -batch &&
openssl ca -utf8
-in reqs/{{ IP_subject_alt_name }}.req
-out certs/{{ IP_subject_alt_name }}.crt
-config openssl.cnf -days 3650 -batch
-passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ IP_subject_alt_name }}" &&
touch certs/{{ IP_subject_alt_name }}_crt_generated
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
@ -71,9 +88,20 @@
subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
- name: Build the client's pair
shell: |
openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
shell: >
openssl req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config openssl.cnf
-keyout private/{{ item }}.key
-out reqs/{{ item }}.req -nodes
-passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ item }}" -batch &&
openssl ca -utf8
-in reqs/{{ item }}.req
-out certs/{{ item }}.crt
-config openssl.cnf -days 3650 -batch
-passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ item }}" &&
touch certs/{{ item }}_crt_generated
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
@ -84,7 +112,8 @@
- name: Build the client's p12
shell: >
openssl pkcs12 -in certs/{{ item }}.crt
openssl pkcs12
-in certs/{{ item }}.crt
-inkey private/{{ item }}.key
-export
-name {{ item }}
@ -104,7 +133,7 @@
- "{{ users }}"
- name: Get active users
shell: |
shell: >
grep ^V index.txt |
grep -v "{{ IP_subject_alt_name }}" |
awk '{print $5}' |
@ -114,12 +143,19 @@
register: valid_certs
- name: Revoke non-existing users
shell: |
openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
touch crl/{{ item }}_revoked
shell: >
openssl ca
-config openssl.cnf
-passin pass:"{{ easyrsa_CA_password }}"
-revoke certs/{{ item }}.crt &&
openssl ca -gencrl
-config openssl.cnf
-passin pass:"{{ easyrsa_CA_password }}"
-revoke certs/{{ item }}.crt
-out crl/{{ item }}.crt
touch crl/{{ item }}_revoked
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
chdir: configs/{{ IP_subject_alt_name }}/pki/
creates: crl/{{ item }}_revoked
environment:
subjectAltName: "DNS:{{ item }}"
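Review bot: In the "Revoke non-existing users" task the folded scalar joins `-out crl/{{ item }}.crt` and `touch crl/{{ item }}_revoked` into a single command line, because that line — unlike the corresponding lines in the CA, server and client tasks — does not end in `&&`; `touch` and the marker path then become stray arguments to `openssl ca -gencrl`, which rejects them and exits non-zero, so no CRL is written, the `creates: crl/{{ item }}_revoked` marker never appears and the task fails on every run (unless the `touch` line is indented deeper than its siblings, which folded style would keep on its own line but which this rendering cannot show). The one-line fix is `-out crl/{{ item }}.crt &&`. The second `openssl ca` call also repeats `-revoke certs/{{ item }}.crt` on a certificate the first call has just revoked; `openssl ca` reports that as already revoked and exits non-zero, an error the old literal block hid behind the trailing `touch` but which a `&&` chain would surface, so drop the `-revoke` line from the `-gencrl` invocation and let it build the CRL from the index as updated by the first call. Separately, `-passin pass:"{{ easyrsa_CA_password }}"` puts the CA passphrase on the command line, where it is visible in the process list while openssl runs and in Ansible's output when the task fails or runs verbosely; this predates the commit, but `no_log: true` on these tasks, or `-passin env:CA_PASS` with the value supplied through the task's existing `environment:` block, would keep it out of both.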