Bootstrap FreeKB - Ansible - Create a public certificate using the openssh_cert module
Ansible - Create a public certificate using the openssh_cert module

Updated:   |  Ansible articles

If you are not familiar with modules, check out Ansible - Getting Started with Modules.

The openssh_cert module can be used to create a public certificate (such as new_cert.pub) using an existing public key (such as id_rsa.pub) and an existing private key (such as id_rsa). Or, the openssh_keypair module can be used to create a public certificate (such as id_rsa.pub) and private key (such as id_rsa). After generating a new certificate, you may want to use the authorized_key module to append the certificate to authorized_keys files.

- name: Create the new_cert.pub public certificate
  openssh_cert:
    type: user
    signing_key: /home/john.doe/.ssh/id_rsa
    public_key: /home/john.doe/.ssh/id_rsa.pub
    path: /home/john.doe/.ssh/new_cert.pub
    valid_from: always
    valid_to: forever

 

Optional parameters:

  • force - When "no" is used, which is what is used when this parameter is not used, if the certificate already exists, a new certificate will not be generated. When "yes" is used, if the certificate already exists, a new certificate will be created.
  • owner (e.g. owner: "john.doe")
  • group (e.g. group: "john.doe")
  • mode (e.g. mode: "0644")
  • regenerate - whether or not to regenerate the private key (see ansible-doc openssh_keypair --snippet)
  • seuser - SELinux user (e.g. seuser: "unconfined_u")
  • serole - SELinux role (e.g. serole: "object_r")
  • setype - SELinux type (e.g. setype: "ssh_t")
  • selevel - SELinux level (e.g. selevel: "s0")
  • state - present (to create the certificate) or absent (to delete the certifcate)
  • type - user, host

 

Example:

- name: "Create the new_cert.pub public certificate"
  openssh_cert:
    force: "no"
    owner: "john.doe"
    group: "john.doe"
    mode: "0644"
    path: "/home/john.doe/.ssh/new_cert.pub"
    public_key: "/home/john.doe/.ssh/id_rsa.pub"
    seuser: "unconfined_u"
    serole: "object_r"
    setype: "httpd_sys_content_r"
    selevel: "s"
    signing_key: "/home/john.doe/.ssh/id_rsa"
    state: "present"
    type: "user"
    valid_from: always
    valid_to: forever

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter c8c61f in the box below so that we can be sure you are a human.