Ansible - Create a public certificate using the openssh_cert module
by Jeremy Canfield | Updated: August 18 2022 | Ansible articles
If you are not familiar with modules, check out Ansible - Getting Started with Modules.
The openssh_cert module can be used to create a public certificate (such as new_cert.pub) using an existing public key (such as id_rsa.pub) and an existing private key (such as id_rsa). Or, the openssh_keypair module can be used to create a public certificate (such as id_rsa.pub) and private key (such as id_rsa). After generating a new certificate, you may want to use the authorized_key module to append the certificate to authorized_keys files.
```yaml
- name: Create the new_cert.pub public certificate
  openssh_cert:
    type: user
    signing_key: /home/john.doe/.ssh/id_rsa
    public_key: /home/john.doe/.ssh/id_rsa.pub
    path: /home/john.doe/.ssh/new_cert.pub
    valid_from: always
    valid_to: forever
```
Optional parameters:
- force - Defaults to "no", which means that if the certificate already exists a new certificate will not be generated. When "yes" is used, a new certificate is created even if one already exists.
- owner (e.g. owner: "john.doe")
- group (e.g. group: "john.doe")
- mode (e.g. mode: "0644")
- regenerate - whether or not to regenerate the private key (see ansible-doc openssh_keypair --snippet)
- seuser - SELinux user (e.g. seuser: "unconfined_u")
- serole - SELinux role (e.g. serole: "object_r")
- setype - SELinux type (e.g. setype: "ssh_t")
- selevel - SELinux level (e.g. selevel: "s0")
- state - present (to create the certificate) or absent (to delete the certificate)
- type - user or host
Example:
```yaml
- name: "Create the new_cert.pub public certificate"
  openssh_cert:
    force: "no"
    owner: "john.doe"
    group: "john.doe"
    mode: "0644"
    path: "/home/john.doe/.ssh/new_cert.pub"
    public_key: "/home/john.doe/.ssh/id_rsa.pub"
    seuser: "unconfined_u"
    serole: "object_r"
    setype: "httpd_sys_content_r"
    selevel: "s0"
    signing_key: "/home/john.doe/.ssh/id_rsa"
    state: "present"
    type: "user"
    valid_from: always
    valid_to: forever
```
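The examples above sign id_rsa.pub with its own private key and leave the certificate valid forever, which is fine for a demonstration but not how a certificate is normally issued. The playbook below is an added example, not from this article: it signs the user's public key with a dedicated CA key, limits the certificate to one principal and one year, and verifies the result with ssh-keygen. It assumes the community.crypto collection is installed, that an inventory group named ca_host exists, and that /etc/ssh/ca_user_key is the (assumed) path of a CA private key held only on that host.

```yaml
# Added example, not part of the original article.
# Assumes community.crypto is installed and that the CA private key lives at
# /etc/ssh/ca_user_key on the signing host (an assumed path).
- name: Issue a bounded user certificate from a dedicated CA
  hosts: ca_host                                    # assumed inventory group
  become: true
  vars:
    ca_key: /etc/ssh/ca_user_key                    # assumed CA private key path
    user_pub: /home/john.doe/.ssh/id_rsa.pub
    user_cert: /home/john.doe/.ssh/id_rsa-cert.pub  # name ssh picks up automatically
  tasks:
    - name: Sign john.doe's public key with the CA key
      community.crypto.openssh_cert:
        type: user
        signing_key: "{{ ca_key }}"
        public_key: "{{ user_pub }}"
        path: "{{ user_cert }}"
        identifier: "john.doe@example.com"          # key ID that sshd writes to its auth log
        principals:
          - john.doe                                # only this account may be logged into
        valid_from: always
        valid_to: +52w                              # expires in one year instead of forever
        options:
          - clear                                   # drop the permissive defaults ...
          - permit-pty                              # ... and re-enable only a shell
        owner: john.doe
        group: john.doe
        mode: "0644"

    - name: Read the certificate back
      ansible.builtin.command: ssh-keygen -L -f {{ user_cert }}
      changed_when: false
      register: cert_info

    - name: Fail if the certificate is unbounded or lacks the expected principal
      ansible.builtin.assert:
        that:
          - "'forever' not in cert_info.stdout"
          - "'john.doe' in cert_info.stdout"
        fail_msg: "certificate does not match the intended policy"
```

The final two tasks are the check a practitioner wants after issuance: `ssh-keygen -L` prints the Valid and Principals lines, so an unbounded or principal-less certificate fails the play rather than quietly landing in ~/.ssh. The identifier value is what sshd records alongside the CA fingerprint when the certificate is used, which is what makes a signed key attributable in the auth log.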