diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml
index e4d5272f..6d890c99 100644
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
@@ -60,22 +60,30 @@
 - clientAuth
 - '1.3.6.1.5.5.7.3.17' # IPsec End Entity
 extended_key_usage_critical: true
- # Name constraints to restrict certificate scope
+ # Name constraints to restrict certificate scope - using simplified format
+ # Note: Complex IPv6 and conditional constraints from defaults/main.yml need manual implementation
 name_constraints_permitted:
 - "{{ subjectAltName_type }}:{{ IP_subject_alt_name }}{{ '/255.255.255.255' if subjectAltName_type == 'IP' else '' }}"
- - "DNS:{{ openssl_constraint_random_id }}"
 - "email:{{ openssl_constraint_random_id }}"
 name_constraints_excluded:
 - "DNS:.com"
- - "DNS:.org"
+ - "DNS:.org"
 - "DNS:.net"
 - "DNS:.gov"
 - "DNS:.edu"
 - "DNS:.mil"
 - "DNS:.int"
+ - "email:.com"
+ - "email:.org"
+ - "email:.net"
+ - "email:.gov"
+ - "email:.edu"
+ - "email:.mil"
+ - "email:.int"
 - "IP:10.0.0.0/255.0.0.0"
 - "IP:172.16.0.0/255.240.0.0"
 - "IP:192.168.0.0/255.255.0.0"
+ - "IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0"
 name_constraints_critical: true
 register: ca_csr
@@ -127,7 +135,7 @@
 - name: Create CSRs for client certificates
 community.crypto.openssl_csr_pipe:
 privatekey_path: "{{ ipsec_pki_path }}/private/{{ item }}.key"
- subject_alt_name:
+ subject_alt_name:
 - "email:{{ item }}@{{ openssl_constraint_random_id }}"
 common_name: "{{ item }}"
 key_usage:
@@ -253,4 +261,4 @@
 src: "{{ ipsec_pki_path }}/crl.pem"
 dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem"
 notify:
- - rereadcrls
\ No newline at end of file
+ - rereadcrls
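Review bot: The new `IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0` entry in `name_constraints_excluded` is a zero mask over `::`, which matches every IPv6 address, and because RFC 5280 name constraints give excluded subtrees precedence over permitted ones, a CA issued with this list can no longer validate the server certificate whenever `IP_subject_alt_name` is itself an IPv6 address — the added comment's own "need manual implementation" wording flags this as unfinished, yet the entry ships unconditionally. Either guard it on whether the server address is IPv6 (e.g. a Jinja test such as `':' in IP_subject_alt_name` selecting the entry into the excluded list), or mirror the RFC 1918 entries above it with only the IPv6 unique-local range, `- "IP:fc00:0:0:0:0:0:0:0/fe00:0:0:0:0:0:0:0"`. Separately, dropping `DNS:{{ openssl_constraint_random_id }}` from `name_constraints_permitted` means that when `subjectAltName_type` is `IP` there is no permitted DNS subtree at all, so a DNS SAN on a leaf certificate is bounded only by the seven excluded TLDs (any other TLD passes); if that loosening is intended, say so in the comment in place of "using simplified format". The enclosing task (the CA CSR registered as `ca_csr`) begins above the hunk.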