trfore.smallstep.step_ca role – Install Step Certificates

Note

This role is part of the trfore.smallstep collection (version 1.1.2).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install trfore.smallstep.

To use it in a playbook, specify: trfore.smallstep.step_ca.

Entry point initialize – Initializes a public key infrastructure (PKI) to be used by step CA

Synopsis

  • This will initialize a PKI to be used by step CA.

  • The default initialization values are for non-production use only: the PKI, including the root and intermediate keys, is generated on the local disk at `/etc/step-ca/` (the location is set by the `step_ca_path` variable). The role also writes two password files, `/etc/step-ca/password.txt` and `/etc/step-ca/password-provisioner.txt`, that are readable and writable only by the system user `step`.

  • Sensitive values are masked in the Ansible log. They should still be stored encrypted, e.g. with ansible-vault, rather than as plaintext variables in the playbook or inventory.

  • The role can be used for a production setup by initializing the PKI on a removable USB drive, followed by a custom Ansible task that moves the keys to a security device such as a YubiKey so that the root key is not left on the CA host. That workflow is beyond the scope of this role and collection.

Parameters

Parameter

Comments

step_ca_address

string

Address the CA will listen at.

Default: ":443"

step_ca_name

string / required

Name of the public key infrastructure (PKI).

step_ca_password

string / required

Password to encrypt the root and intermediate keys.

step_ca_path

path

Path to Step CA folder containing configuration and certificate files.

Default: "/etc/step-ca/"

step_ca_provisioner_password

string / required

Password for default JWK provisioner.

step_ca_root_cert

path

Path to existing PEM file to be used as the root CA.

step_ca_root_key

path

Path to key file for the existing PEM certificate.

step_ca_root_key_password

path

Path to file with decryption password for the existing PEM certificate key.

step_ca_ssh_mgmt

boolean

Enable Step CA SSH certificate management.

Choices:

  • false ← (default)

  • true

Entry point main – Install Step Certificates

New in trfore.smallstep 1.0.0

Synopsis

  • Install step CA, `step-ca`, for generating SSL/TLS certificates.

Parameters

Parameter

Comments

step_ca_checksum

string

URL to the `step-ca` package checksum file (the release's `checksums.txt`). If empty, checksum verification is skipped and the downloaded package is installed unverified; when pulling through a mirror or proxy, keep this set and point it at a copy of the upstream checksum file rather than clearing it.

Default: "https://github.com/smallstep/certificates/releases/download/v{{ step_ca_version }}/checksums.txt"

step_ca_enable_service

boolean

Create systemd service for `step-ca`.

Choices:

  • false ← (default)

  • true

step_ca_initialize

boolean

Initialize a public key infrastructure (PKI) to be used by the CA.

Choices:

  • false ← (default)

  • true

step_ca_pkg_src

string

URL to the `step-ca` package. Can be overridden in the playbook when downloading through a proxy or mirror.

Default: "https://github.com/smallstep/certificates/releases/download/v{{ step_ca_version }}/step-ca_{{ step_ca_version }}_amd64.{{ __pkg_extension }}"

step_ca_version

string

SemVer of `step-ca` to install, e.g. `0.15.7`. Defaults to `latest`, which resolves to the newest release at run time; pin a version for reproducible installs.

Default: "latest"
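The following playbook is an added example of using the role's `main` and `initialize` entry points together with the initialize parameters above; it is not part of the collection's documentation or code. It assumes two inventory groups (`step_ca_new` and `step_ca_import`), vault-encrypted variables named `vault_step_ca_password`, `vault_step_ca_provisioner_password` and `vault_step_ca_root_key_password`, that the `initialize` entry point is reachable as `tasks_from: initialize` (the usual mapping of argument-spec entry points to task files), and that `step-ca` is already installed on the `step_ca_import` hosts. The version `0.15.7` is a placeholder taken from the parameter description, and the `/root/pki/` paths are assumed locations on the managed host.

```yaml
# Added example; not code from the trfore.smallstep collection.
# Assumptions (not from the role docs): inventory groups `step_ca_new` and
# `step_ca_import`; vault-encrypted variables `vault_step_ca_password`,
# `vault_step_ca_provisioner_password`, `vault_step_ca_root_key_password`;
# the `initialize` entry point is exposed as `tasks_from: initialize`.
---
- name: Install step-ca, generate a new PKI and start the service
  hosts: step_ca_new
  become: true
  vars:
    # Pin the release; "latest" is not reproducible. 0.15.7 is a placeholder.
    step_ca_version: "0.15.7"
    # Leave the checksum URL set. An empty string disables verification of
    # the downloaded package.
    step_ca_checksum: "https://github.com/smallstep/certificates/releases/download/v{{ step_ca_version }}/checksums.txt"
    step_ca_initialize: true
    step_ca_enable_service: true
    # initialize entry point parameters
    step_ca_name: "Example Internal CA"
    step_ca_address: ":443"
    step_ca_path: "/etc/step-ca/"
    step_ca_ssh_mgmt: false
    # Secrets come from an ansible-vault encrypted vars file, never plaintext.
    step_ca_password: "{{ vault_step_ca_password }}"
    step_ca_provisioner_password: "{{ vault_step_ca_provisioner_password }}"
  roles:
    - role: trfore.smallstep.step_ca

- name: Initialize step-ca from an existing (offline) root certificate
  hosts: step_ca_import
  become: true
  vars:
    step_ca_name: "Example Internal CA"
    step_ca_path: "/etc/step-ca/"
    step_ca_password: "{{ vault_step_ca_password }}"
    step_ca_provisioner_password: "{{ vault_step_ca_provisioner_password }}"
    # Paths on the managed host (assumed locations).
    step_ca_root_cert: "/root/pki/root_ca.crt"
    step_ca_root_key: "/root/pki/root_ca_key"
    step_ca_root_key_password: "/root/pki/root_key_password.txt"
  tasks:
    - name: Write the root key password to a root-only file the role can read
      ansible.builtin.copy:
        content: "{{ vault_step_ca_root_key_password }}"
        dest: "{{ step_ca_root_key_password }}"
        owner: root
        group: root
        mode: "0600"
      no_log: true

    - name: Run only the initialize entry point
      ansible.builtin.import_role:
        name: trfore.smallstep.step_ca
        tasks_from: initialize
```

Create the vault variables with `ansible-vault encrypt_string '<password>' --name vault_step_ca_password` (and likewise for the other two) and run the playbook with `--ask-vault-pass` or a `--vault-id`. After the first play, check on the host that `/etc/step-ca/password.txt` and `/etc/step-ca/password-provisioner.txt` are owned by `step` with mode `0600`, which is what "read-write only by the system user `step`" should look like; anything wider means the CA and provisioner passwords are readable by other local users.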

Entry point service – Create systemd service for `step-ca`

Synopsis

  • Creates the systemd unit file, `step-ca.service`, and enables the service.

Parameters

Parameter

Comments

step_ca_path

path

Path to Step CA folder containing configuration and certificate files.

Default: "/etc/step-ca/"