Chapter 18. Requesting certificates using RHEL System Roles
With the certificate System Role, you can use Red Hat Ansible Core to issue and manage certificates.
This chapter covers the following topics:
18.1. The certificate System Role
Using the certificate System Role, you can manage issuing and renewing TLS and SSL certificates using Ansible Core.
The role uses certmonger as the certificate provider, and currently supports issuing and renewing self-signed certificates and using the IdM integrated certificate authority (CA).
You can use the following variables in your Ansible playbook with the certificate System Role:
- certificate_wait - to specify if the task should wait for the certificate to be issued.
- certificate_requests - to represent each certificate to be issued and its parameters.
Additional resources
- See the /usr/share/ansible/roles/rhel-system-roles.certificate/README.md file.
- Preparing a control node and managed nodes to use RHEL System Roles
18.2. Requesting a new self-signed certificate using the certificate System Role
With the certificate System Role, you can use Ansible Core to issue self-signed certificates.
This process uses the certmonger provider and requests the certificate through the getcert command.
By default, certmonger automatically tries to renew the certificate before it expires. You can disable this by setting the auto_renew parameter in the Ansible playbook to no.
Prerequisites
- The Ansible Core package is installed on the control machine.
- You have the rhel-system-roles package installed on the system from which you want to run the playbook.
Procedure
- Optional: Create an inventory file, for example inventory.file:
  $ *touch inventory.file*
- Open your inventory file and define the hosts on which you want to request the certificate, for example:
  [webserver]
  server.idm.example.com
- Create a playbook file, for example request-certificate.yml:
  - Set hosts to include the hosts on which you want to request the certificate, such as webserver.
  - Set the certificate_requests variable to include the following:
    - Set the name parameter to the desired name of the certificate, such as mycert.
    - Set the dns parameter to the domain to be included in the certificate, such as *.example.com.
    - Set the ca parameter to self-sign.
  - Set the rhel-system-roles.certificate role under roles.
  This is the playbook file for this example:
  ---
  - hosts: webserver
    vars:
      certificate_requests:
        - name: mycert
          dns: "*.example.com"
          ca: self-sign
    roles:
      - rhel-system-roles.certificate
- Save the file.
- Run the playbook:
  $ *ansible-playbook -i inventory.file request-certificate.yml*
Additional resources
- See the /usr/share/ansible/roles/rhel-system-roles.certificate/README.md file.
- See the ansible-playbook(1) man page.
18.3. Requesting a new certificate from IdM CA using the certificate System Role
With the certificate System Role, you can use Ansible Core to issue certificates while using an IdM server with an integrated certificate authority (CA). Therefore, you can efficiently and consistently manage the certificate trust chain for multiple systems when using IdM as the CA.
This process uses the certmonger provider and requests the certificate through the getcert command.
By default, certmonger automatically tries to renew the certificate before it expires. You can disable this by setting the auto_renew parameter in the Ansible playbook to no.
Prerequisites
- The Ansible Core package is installed on the control machine.
- You have the rhel-system-roles package installed on the system from which you want to run the playbook.
Procedure
- Optional: Create an inventory file, for example inventory.file:
  $ *touch inventory.file*
- Open your inventory file and define the hosts on which you want to request the certificate, for example:
  [webserver]
  server.idm.example.com
- Create a playbook file, for example request-certificate.yml:
  - Set hosts to include the hosts on which you want to request the certificate, such as webserver.
  - Set the certificate_requests variable to include the following:
    - Set the name parameter to the desired name of the certificate, such as mycert.
    - Set the dns parameter to the domain to be included in the certificate, such as www.example.com.
    - Set the principal parameter to specify the Kerberos principal, such as HTTP/www.example.com@EXAMPLE.COM.
    - Set the ca parameter to ipa.
  - Set the rhel-system-roles.certificate role under roles.
  This is the playbook file for this example:
  ---
  - hosts: webserver
    vars:
      certificate_requests:
        - name: mycert
          dns: www.example.com
          principal: HTTP/www.example.com@EXAMPLE.COM
          ca: ipa
    roles:
      - rhel-system-roles.certificate
- Save the file.
- Run the playbook:
  $ *ansible-playbook -i inventory.file request-certificate.yml*
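The following is an added example and is not part of the Red Hat documentation or of the rhel-system-roles project. It is a POSIX shell script with the checks an administrator would run on a managed node after the playbooks in sections 18.2 and 18.3 have completed: that the issued certificate carries the requested dns name as a subjectAltName, that it is not close to expiry (which auto_renew is supposed to prevent), that a certificate requested with ca: ipa verifies against the IdM CA, and that the private key is not world-readable. The paths /etc/pki/tls/certs/mycert.crt, /etc/pki/tls/private/mycert.key and /etc/ipa/ca.crt are assumptions about the role's default storage locations and an IdM-enrolled client; the certificates the script creates are constructed stand-ins for what certmonger would have issued, so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the documentation or the rhel-system-roles project.
# Assumed defaults (not confirmed by the page): a request named "mycert" ends up as
#   /etc/pki/tls/certs/mycert.crt and /etc/pki/tls/private/mycert.key,
# and an IdM-enrolled client has the IdM CA certificate at /etc/ipa/ca.crt.

# cert_has_san CERT DNSNAME: succeed if DNSNAME is one of the subjectAltName
# DNS entries, i.e. the "dns" parameter produced what was requested.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^, ]*' \
        | grep -qx "DNS:$2"
}

# cert_valid_for_days CERT DAYS: succeed if the certificate does not expire
# within DAYS days (fails if certmonger renewal has silently stopped working).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_chains_to_ca CERT CAFILE: succeed if CERT verifies against CAFILE,
# e.g. /etc/ipa/ca.crt for a certificate requested with ca: ipa.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_not_world_readable KEY: succeed if the "other" permission bits are unset.
key_not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# make_constructed_certs DIR: constructed test material, valid 30 days:
#   ca.crt/ca.key   a CA standing in for the IdM CA
#   ipa.crt/ipa.key a leaf for www.example.com signed by that CA (the 18.3 case)
#   self.crt/self.key a self-signed leaf for www.example.com (the 18.2 case)
make_constructed_certs() {
    dir=$1; cn=www.example.com
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = leaf
prompt = no
[dn]
CN = $cn
[leaf]
subjectAltName = DNS:$cn
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed CA" \
        -config "$dir/req.cnf" -extensions ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/ipa.key" -out "$dir/ipa.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ipa.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/req.cnf" -extensions leaf \
        -out "$dir/ipa.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/req.cnf" \
        -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null
    chmod 600 "$dir"/*.key
}

# Demo against the constructed material. On a real managed node, point the
# checks at the assumed paths instead, e.g.:
#   cert_chains_to_ca /etc/pki/tls/certs/mycert.crt /etc/ipa/ca.crt
DEMO_DIR=$(mktemp -d)
make_constructed_certs "$DEMO_DIR"
for check in \
    "cert_has_san $DEMO_DIR/self.crt www.example.com" \
    "cert_valid_for_days $DEMO_DIR/self.crt 7" \
    "cert_chains_to_ca $DEMO_DIR/ipa.crt $DEMO_DIR/ca.crt" \
    "key_not_world_readable $DEMO_DIR/ipa.key"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
```

Each check returns a shell exit status, so the functions can be dropped into a monitoring job or an Ansible command task and the playbook run failed when issuance did not produce what was requested. The expiry margin (7 days in the demo) should be shorter than the lead time certmonger uses for renewal, otherwise the check flags healthy certificates.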
Additional resources
- See the /usr/share/ansible/roles/rhel-system-roles.certificate/README.md file.
- See the ansible-playbook(1) man page.
18.4. Specifying commands to run before or after certificate issuance using the certificate System Role
With the certificate System Role, you can use Ansible Core to execute a command before and after a certificate is issued or renewed.
In the following example, the administrator stops the httpd service before a self-signed certificate for www.example.com is issued or renewed, and restarts it afterwards.
By default, certmonger automatically tries to renew the certificate before it expires. You can disable this by setting the auto_renew parameter in the Ansible playbook to no.
Prerequisites
- The Ansible Core package is installed on the control machine.
- You have the rhel-system-roles package installed on the system from which you want to run the playbook.
Procedure
- Optional: Create an inventory file, for example inventory.file:
  $ *touch inventory.file*
- Open your inventory file and define the hosts on which you want to request the certificate, for example:
  [webserver]
  server.idm.example.com
- Create a playbook file, for example request-certificate.yml:
  - Set hosts to include the hosts on which you want to request the certificate, such as webserver.
  - Set the certificate_requests variable to include the following:
    - Set the name parameter to the desired name of the certificate, such as mycert.
    - Set the dns parameter to the domain to be included in the certificate, such as www.example.com.
    - Set the ca parameter to the CA you want to use to issue the certificate, such as self-sign.
    - Set the run_before parameter to the command you want to execute before this certificate is issued or renewed, such as systemctl stop httpd.service.
    - Set the run_after parameter to the command you want to execute after this certificate is issued or renewed, such as systemctl start httpd.service.
  - Set the rhel-system-roles.certificate role under roles.
  This is the playbook file for this example:
  ---
  - hosts: webserver
    vars:
      certificate_requests:
        - name: mycert
          dns: www.example.com
          ca: self-sign
          run_before: systemctl stop httpd.service
          run_after: systemctl start httpd.service
    roles:
      - rhel-system-roles.certificate
- Save the file.
- Run the playbook:
  $ *ansible-playbook -i inventory.file request-certificate.yml*
Additional resources
- See the /usr/share/ansible/roles/rhel-system-roles.certificate/README.md file.
- See the ansible-playbook(1) man page.