Running a playbook using the role

This page provides a few examples of how to use the Sectigo Ansible integration. Additional example playbooks can be found in the tests folder included in the package.

SSL certificate issuance

This example uses the following directory structure:

  • my-playbook/: The playbook directory

    • example-playbook.yml: The playbook that uses the role

    • roles/

      • sectigo_ansible/: The sectigo_ansible role directory

Set up the variables in the example-vars.yml variable file as shown in the following example.

sectigo_cm_user: "your username"
sectigo_cm_password: "your password"
sectigo_cm_uri: "your uri"
sectigo_cm_org_id: 123
sectigo_cm_base_url: "https://myorg.cert-manager.com/api/ssl/v1"
sectigo_csr_subject: "C=CA/ST=ON/L=Ottawa/O=myorg/OU=Research/CN=mydomain.com/[email protected]"
sectigo_ssl_cert_file_path: "/tmp/ssl/mycerts"
sectigo_ssl_cert_file_name: "my-certificate-file"
sectigo_ssl_cert_type: 51
sectigo_ssl_cert_validity: 365
sectigo_ssl_cert_format_type: x509
sectigo_ssl_cert_num_servers: 1
sectigo_ssl_cert_server_type: -1
sectigo_ssl_cert_subject_alt_names: ['example.your_domain.com', 'your_domain.com']
sectigo_ssl_cert_comments: "Test certificate for Sectigo"
sectigo_ssl_cert_expiry_window: 7
sectigo_auto_renew: true
sectigo_max_timeout: 600
sectigo_loop_period: 30

The following example-playbook.yml playbook can be used to generate a Sectigo SSL certificate using the sectigo_ansible role.

- hosts: localhost
  roles:
    - role: sectigo_ansible

Run the following command from the directory containing example-playbook.yml and example-vars.yml.

ansible-playbook ./example-playbook.yml -e "@example-vars.yml"

The playbook will create the my-certificate-file.crt SSL certificate under the /tmp/ssl/mycerts folder. In the same folder you will also find the following:

  • my-certificate-file.csr: A CSR using the parameters defined in the example-vars.yml file

  • my-certificate-file.key: An RSA private key generated by the Ansible role

  • my-certificate-file.ids: A JSON file containing unique identifiers for the certificate

The same result can be achieved by setting the variables directly in the example-playbook-with-vars.yml playbook as shown in the following example.

- hosts: localhost
  remote_user: root
  vars:
    sectigo_cm_user: "your username"
    sectigo_cm_password: "your password"
    sectigo_cm_uri: "your uri"
    sectigo_cm_org_id: 123
    sectigo_cm_base_url: "https://myorg.cert-manager.com/api/ssl/v1"
    sectigo_csr_subject: "C=CA/ST=ON/L=Ottawa/O=myorg/OU=Research/CN=myorg.com/[email protected]"
    sectigo_ssl_cert_file_path: "/tmp/ssl/mycerts"
    sectigo_ssl_cert_file_name: "my-certificate-file"
    sectigo_ssl_cert_type: 51
    sectigo_ssl_cert_validity: 365
    sectigo_ssl_cert_format_type: x509
    sectigo_ssl_cert_num_servers: 1
    sectigo_ssl_cert_server_type: -1
    sectigo_ssl_cert_subject_alt_names: []
    sectigo_ssl_cert_comments: "Test certificate for Sectigo"
    sectigo_ssl_cert_expiry_window: 7
    sectigo_auto_renew: true
    sectigo_max_timeout: 600
    sectigo_loop_period: 30
  roles:
    - sectigo_ansible

In this case, the following command will produce the same results, without the need for variable files.

ansible-playbook ./example-playbook-with-vars.yml

SSL and client certificate revocation

SSL certificate revocation can be accomplished by setting the sectigo_state variable to absent and specifying the ID of the SSL certificate to revoke.

- hosts: localhost
  remote_user: root
  vars:
    sectigo_cm_user: "your username"
    sectigo_cm_password: "my password"
    sectigo_cm_uri: "your uri"
    sectigo_cm_org_id: 123
    sectigo_cm_base_url: "https://myorg.cert-manager.com/api/ssl/v1"
    sectigo_state: absent
    sectigo_ssl_cert_ssl_id: 13241
    sectigo_reason: "Certificate compromised"
  roles:
    - sectigo_ansible

An alternative approach is to read the sslId from the certificate's .ids file and use it as a variable in the playbook.

The following example shows you how you can achieve this using the slurp module for a certificate named myserver_certificate.

- name: Revoke myserver_certificate Server SSL certificate
  hosts: all
  pre_tasks:
    - name: Fetch the file containing the sslId of the myserver_certificate certificate
      slurp:
        src: "/certificates/myserver_certificate.ids"
      register: enrollment_ids
    - name: Extract the json file contents
      set_fact:
        certificate_ssl_id: "{{(enrollment_ids.content|b64decode|from_json).sslId}}"
  roles:
    - sectigo_ansible
  vars:
    sectigo_cm_base_url: 'https://myorg.cert-manager.com/api/ssl/v1'
    sectigo_ssl_cert_ssl_id: "{{certificate_ssl_id}}"
    sectigo_reason: Compromised certificate
    sectigo_state: absent

Client certificate revocation is similar: it requires a different sectigo_cm_base_url, and sectigo_client_cert_order_number is provided instead of sectigo_ssl_cert_ssl_id.

- hosts: localhost
  remote_user: root
  vars:
    sectigo_cm_user: "myuser"
    sectigo_cm_password: "mypass"
    sectigo_cm_uri: "myuri"
    sectigo_cm_org_id: 123
    sectigo_cm_base_url: "https://myorg.cert-manager.com/api/smime/v1"
    sectigo_state: absent
    sectigo_client_cert_order_number: 13241
    sectigo_reason: "Certificate compromised"
  roles:
    - sectigo_ansible

The same .ids-file approach used for server certificates works here as well; note that this time the orderNumber field is the one to fetch.

The following example shows how you can achieve this using the slurp module for a certificate named myclient_certificate.

- name: Revoke myclient_certificate Client (SMIME) Certificate
  hosts: all
  pre_tasks:
    - name: Fetch the file containing the orderNumber of the myclient_certificate certificate
      slurp:
        src: "/smime-certificates/myclient_certificate.ids"
      register: enrollment_ids
    - name: Extract the json file contents
      set_fact:
        certificate_order_number: "{{(enrollment_ids.content|b64decode|from_json).orderNumber}}"
  roles:
    - sectigo_ansible
  vars:
    sectigo_cm_base_url: 'https://myorg.cert-manager.com/api/smime/v1'
    sectigo_client_cert_order_number: "{{certificate_order_number}}"
    sectigo_reason: Compromised certificate
    sectigo_state: absent
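The two .ids-file approaches above (sslId for SSL certificates, orderNumber for client certificates) share one pitfall: the id field and the sectigo_cm_base_url endpoint must agree. The following is an added example, not part of the Sectigo integration, that mirrors the playbooks' b64decode/from_json chain in Python and refuses to build the revocation vars when the id found in the file does not match the endpoint in sectigo_cm_base_url. The sample .ids contents are constructed and carry only the fields the playbooks read; the full layout of the file the role writes, and the playbook name revoke-playbook.yml, are assumptions.

```python
import base64
import json
import shlex

# Constructed sample .ids files carrying only the fields the playbooks read;
# the full layout of the file the role writes is an assumption.
SSL_IDS = b'{"sslId": 13241}'
SMIME_IDS = b'{"orderNumber": 13241}'

# API base URL suffix -> (field in the .ids file, role variable that carries it)
ENDPOINTS = {
    "/api/ssl/v1": ("sslId", "sectigo_ssl_cert_ssl_id"),
    "/api/smime/v1": ("orderNumber", "sectigo_client_cert_order_number"),
}

def slurp(raw: bytes) -> str:
    """Stand-in for the slurp module, which returns file content base64-encoded."""
    return base64.b64encode(raw).decode("ascii")

def decode_ids(content_b64: str) -> dict:
    """Mirror the playbook filter chain: content | b64decode | from_json."""
    return json.loads(base64.b64decode(content_b64))

def revocation_vars(ids: dict, base_url: str, reason: str) -> dict:
    """Extra vars for a sectigo_state: absent run; ValueError on a mismatch.
    The id field is picked from sectigo_cm_base_url, so an S/MIME orderNumber
    is never sent to the SSL endpoint and vice versa."""
    for suffix, (field, var_name) in ENDPOINTS.items():
        if base_url.rstrip("/").endswith(suffix):
            break
    else:
        raise ValueError(f"unsupported sectigo_cm_base_url: {base_url}")
    value = ids.get(field)
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError(f"{field} missing or not a positive integer in .ids file")
    if not reason.strip():
        raise ValueError("sectigo_reason must not be empty")
    return {"sectigo_cm_base_url": base_url, "sectigo_state": "absent",
            var_name: value, "sectigo_reason": reason}

def playbook_command(playbook: str, extra_vars: dict) -> list:
    """argv for ansible-playbook, passing the vars inline as JSON via -e."""
    return ["ansible-playbook", playbook, "-e", json.dumps(extra_vars)]

if __name__ == "__main__":
    url = "https://myorg.cert-manager.com/api/ssl/v1"
    extra = revocation_vars(decode_ids(slurp(SSL_IDS)), url, "Certificate compromised")
    print(shlex.join(playbook_command("./revoke-playbook.yml", extra)))
```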