
certificate: makes ownca compliant with MacOS requirements

For interoperability purposes, the certificates and the certificate
authority are modified to comply with the trusted-certificate requirements
for macOS 10.15 described at https://support.apple.com/en-us/HT210176
Loïc Dachary 1 year ago
parent
commit
66c4f3087e
No known key found for this signature in database GPG Key ID: F3C139FB4D35D559
  1. 7
      molecule/certificate/roles/certificate/tasks/ca.yml
  2. 7
      molecule/certificate/roles/certificate/tasks/certificate.yml
  3. 2
      requirements-dev.txt
  4. 2
      requirements.in
  5. 2
      requirements.txt

7
molecule/certificate/roles/certificate/tasks/ca.yml

@ -26,10 +26,14 @@
path: '{{ certificate_local_directory }}/ca_csr.csr'
privatekey_path: '{{ certificate_local_directory }}/ca_privatekey.key'
subject:
commonName: Self Signed CA
commonName: "{{ domain }}"
subject_alt_name: "DNS:{{ domain }}"
basic_constraints:
- 'CA:TRUE'
basic_constraints_critical: true
# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Extended-Key-Usage
extended_key_usage:
- serverAuth
- name: Generate selfsigned CA certificate
openssl_certificate:
@ -37,6 +41,7 @@
csr_path: '{{ certificate_local_directory }}/ca_csr.csr'
privatekey_path: '{{ certificate_local_directory }}/ca_privatekey.key'
provider: selfsigned
selfsigned_not_after: "20220101133742Z"
selfsigned_digest: sha256
- name: mkdir -p /usr/local/share/ca-certificates/infrastructure
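Review bot: The CA CSR now carries `subject_alt_name: "DNS:{{ domain }}"` and `extended_key_usage: [serverAuth]` but no keyUsage extension, so once this self-signed CA is installed as trusted, the CA certificate and its private key can themselves be presented as a TLS server identity for `{{ domain }}` and most validators will accept that — which widens what a leaked or misused CA key can do. As far as the cited Apple article goes, the EKU and DNS-SAN requirements apply to TLS server (leaf) certificates, which certificate.yml already satisfies, so consider dropping them from the CA and instead adding `key_usage: ['keyCertSign', 'cRLSign']` and `key_usage_critical: true` after `basic_constraints_critical`. Separately, `selfsigned_not_after: "20220101133742Z"` is an absolute instant: a run after that date silently produces an already-expired CA with no task failing, so either document the renewal deadline in a comment on that line or use a relative value such as `"+730d"` (the module documentation notes relative times make the task non-idempotent). The openssl_csr task these subject lines belong to starts before the first hunk.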

7
molecule/certificate/roles/certificate/tasks/certificate.yml

@ -66,7 +66,13 @@
openssl_csr:
path: '{{ certificate_local_directory }}/{{ certificate_fqdn }}.csr'
privatekey_path: '{{ certificate_local_directory }}/{{ certificate_fqdn }}.key'
subject:
commonName: "{{ certificate_fqdn }}"
subject_alt_name: 'DNS:{{ certificate_fqdn }}'
# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Extended-Key-Usage
extended_key_usage:
- serverAuth
- clientAuth
- name: Generate certificate
become: no
@ -77,6 +83,7 @@
privatekey_path: '{{ certificate_local_directory }}/{{ certificate_fqdn }}.key'
ownca_path: '{{ certificate_local_directory }}/ca.crt'
ownca_privatekey_path: '{{ certificate_local_directory }}/ca_privatekey.key'
ownca_not_after: "20210101133742Z"
provider: ownca
ownca_digest: sha256
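Review bot: `ownca_not_after: "20210101133742Z"` pins the leaf's expiry to an absolute instant, so any run of this role after that date issues an already-expired certificate without any task failing, and nothing in the file ties the value to the 825-day maximum validity the commit message implies by citing HT210176. Either issue relative to signing time, `ownca_not_after: "+825d"` (the module documentation states relative times make the task non-idempotent, so the certificate would be regenerated on every run), or keep the absolute date and add `# NOTE: notAfter must stay within 825 days of notBefore for macOS 10.15 trust (HT210176); renew before this date` beside it. The new EKU list `serverAuth`/`clientAuth` is appropriate for a server certificate, but `clientAuth` is only needed if this key is also used to authenticate as a client, and a one-line comment stating that reason would stop a later reviewer from trimming it. The `Generate certificate` task spanning the second hunk appears to continue past the last line shown.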

2
requirements-dev.txt

@ -7,7 +7,7 @@
-e git+https://github.com/fmnisme/python-icinga2api.git@9a1a3cc7968d6c72bf49e97ef387b2824e6835e9#egg=icinga2api
alabaster==0.7.12 # via sphinx
ansible-lint==3.4.23 # via molecule
ansible==2.7.5
ansible==2.7.17
anyconfig==0.9.7 # via molecule
appdirs==1.4.3 # via openstacksdk
arrow==0.12.1 # via jinja2-time

2
requirements.in

@ -1,4 +1,4 @@
ansible==2.7.5
ansible==2.7.17
beautifulsoup4==4.7.1
cliff>=2.14
django==2.2

2
requirements.txt

@ -6,7 +6,7 @@
#
-e git+https://github.com/fmnisme/python-icinga2api.git@9a1a3cc7968d6c72bf49e97ef387b2824e6835e9#egg=icinga2api
ansible-lint==3.4.23 # via molecule
ansible==2.7.5
ansible==2.7.17
anyconfig==0.9.7 # via molecule
appdirs==1.4.3 # via openstacksdk, os-client-config
arrow==0.13.1 # via jinja2-time
