Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 18. Requesting certificates using RHEL System Roles

With the certificate System Role, you can use Red Hat Ansible Core to issue and manage certificates.

This chapter covers the following topics:

18.1. The certificate System Role
Copiar o link

Using the certificate System Role, you can manage issuing and renewing TLS and SSL certificates using Ansible Core.

The role uses certmonger as the certificate provider, and currently supports issuing and renewing self-signed certificates and using the IdM integrated certificate authority (CA).

You can use the following variables in your Ansible playbook with the certificate System Role:

certificate_wait
to specify if the task should wait for the certificate to be issued.
certificate_requests
to represent each certificate to be issued and its parameters.

18.2. Requesting a new self-signed certificate using the certificate System Role
Copiar o link

With the certificate System Role, you can use Ansible Core to issue self-signed certificates.

This process uses the certmonger provider and requests the certificate through the getcert command.

Note

By default, certmonger automatically tries to renew the certificate before it expires. You can disable this by setting the auto_renew parameter in the Ansible playbook to no.

Prerequisites

  • The Ansible Core package is installed on the control machine.
  • You have the rhel-system-roles package installed on the system from which you want to run the playbook.

Procedure

  1. Optional: Create an inventory file, for example inventory.file: 

    $ *touch inventory.file*
    Copy to Clipboard Toggle word wrap

  2. Open your inventory file and define the hosts on which you want to request the certificate, for example: 

    [webserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  3. Create a playbook file, for example request-certificate.yml:

    • Set hosts to include the hosts on which you want to request the certificate, such as webserver.

    • Set the certificate_requests variable to include the following:

      • Set the name parameter to the desired name of the certificate, such as mycert.
      • Set the dns parameter to the domain to be included in the certificate, such as *.example.com.
      • Set the ca parameter to self-sign.

    • Set the rhel-system-roles.certificate role under roles.

      This is the playbook file for this example: 

      ---
- hosts: webserver

  vars:
    certificate_requests:
      - name: mycert
        dns: "*.example.com"
        ca: self-sign

  roles:
    - rhel-system-roles.certificate
      Copy to Clipboard Toggle word wrap
  4. Save the file.

  5. Run the playbook: 

    $ *ansible-playbook -i inventory.file request-certificate.yml*
    Copy to Clipboard Toggle word wrap

18.3. Requesting a new certificate from IdM CA using the certificate System Role
Copiar o link

With the certificate System Role, you can use anible-core to issue certificates while using an IdM server with an integrated certificate authority (CA). Therefore, you can efficiently and consistently manage the certificate trust chain for multiple systems when using IdM as the CA.

This process uses the certmonger provider and requests the certificate through the getcert command.

Note

By default, certmonger automatically tries to renew the certificate before it expires. You can disable this by setting the auto_renew parameter in the Ansible playbook to no.

Prerequisites

  • The Ansible Core package is installed on the control machine.
  • You have the rhel-system-roles package installed on the system from which you want to run the playbook.

Procedure

  1. Optional: Create an inventory file, for example inventory.file: 

    $ *touch inventory.file*
    Copy to Clipboard Toggle word wrap

  2. Open your inventory file and define the hosts on which you want to request the certificate, for example: 

    [webserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  3. Create a playbook file, for example request-certificate.yml:

    • Set hosts to include the hosts on which you want to request the certificate, such as webserver.

    • Set the certificate_requests variable to include the following:

      • Set the name parameter to the desired name of the certificate, such as mycert.
      • Set the dns parameter to the domain to be included in the certificate, such as www.example.com.
      • Set the principal parameter to specify the Kerberos principal, such as HTTP/www.example.com@EXAMPLE.COM.
      • Set the ca parameter to ipa.

    • Set the rhel-system-roles.certificate role under roles.

      This is the playbook file for this example: 

      ---
- hosts: webserver
  vars:
    certificate_requests:
      - name: mycert
        dns: www.example.com
        principal: HTTP/www.example.com@EXAMPLE.COM
        ca: ipa

  roles:
    - rhel-system-roles.certificate
      Copy to Clipboard Toggle word wrap
  4. Save the file.

  5. Run the playbook: 

    $ *ansible-playbook -i inventory.file request-certificate.yml*
    Copy to Clipboard Toggle word wrap

With the certificate Role, you can use Ansible Core to execute a command before and after a certificate is issued or renewed.

In the following example, the administrator ensures stopping the httpd service before a self-signed certificate for www.example.com is issued or renewed, and restarting it afterwards.

Note

By default, certmonger automatically tries to renew the certificate before it expires. You can disable this by setting the auto_renew parameter in the Ansible playbook to no.

Prerequisites

  • The Ansible Core package is installed on the control machine.
  • You have the rhel-system-roles package installed on the system from which you want to run the playbook.

Procedure

  1. Optional: Create an inventory file, for example inventory.file: 

    $ *touch inventory.file*
    Copy to Clipboard Toggle word wrap

  2. Open your inventory file and define the hosts on which you want to request the certificate, for example: 

    [webserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  3. Create a playbook file, for example request-certificate.yml:

    • Set hosts to include the hosts on which you want to request the certificate, such as webserver.

    • Set the certificate_requests variable to include the following:

      • Set the name parameter to the desired name of the certificate, such as mycert.
      • Set the dns parameter to the domain to be included in the certificate, such as www.example.com.
      • Set the ca parameter to the CA you want to use to issue the certificate, such as self-sign.
      • Set the run_before parameter to the command you want to execute before this certificate is issued or renewed, such as systemctl stop httpd.service.
      • Set the run_after parameter to the command you want to execute after this certificate is issued or renewed, such as systemctl start httpd.service.

    • Set the rhel-system-roles.certificate role under roles.

      This is the playbook file for this example: 

      ---
- hosts: webserver
  vars:
    certificate_requests:
      - name: mycert
        dns: www.example.com
        ca: self-sign
        run_before: systemctl stop httpd.service
        run_after: systemctl start httpd.service

  roles:
    - rhel-system-roles.certificate
      Copy to Clipboard Toggle word wrap
  4. Save the file.

  5. Run the playbook: 

    $ *ansible-playbook -i inventory.file request-certificate.yml*
    Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat