This repository contains sample playbooks that can be leveraged as-is or with minor modifications/customizations along with Entrust PKI stack, specifically CA Gateway and one or more backend Entrust Certificate Authorities.
- community.crypto.cagw_certificate: Enrolls a certificate and optionally deploys it to a remote location.
This section walks you through setting up the Entrust CA Gateway Ansible module and configuring it to work with Entrust CA Gateway.
The steps assume the host OS is a CentOS/RHEL 8 machine.
Ansible installation steps vary with the flavor and version of the host Operating System; the steps below are specific to CentOS/RHEL 8. For authoritative guidance, refer to Ansible's own documentation.
```shell
# Update the package cache
sudo dnf makecache
# Install the EPEL release package
sudo dnf install epel-release
# Update the cache again
sudo dnf makecache
# Now install Ansible
sudo dnf install ansible
# Verify the installation and version
ansible --version
```
The Entrust CA Gateway Ansible module is currently available only via Entrust's own software distribution channel. Reach out to your Entrust sales representative to get access to the plugin.
We are working to get the module reviewed and eventually made available via the community.crypto collection, but in the meantime you can contact Entrust sales to obtain the module.
The Entrust CA Gateway Ansible module is delivered as a .tar.gz archive and can be installed like any standard private collection. Once Ansible is installed on the host machine, follow the steps below to install the module in your own Ansible server instance.
```shell
ansible-galaxy collection install community-crypto-1.0.0.tar.gz
```
Entrust CA Gateway REST APIs are served over a mutually authenticated TLS tunnel, so you may need to add the public certificate of the issuer of the CA Gateway's TLS certificate to the Ansible server's trust anchors. The steps are the same as for adding the trust anchor of any private issuing Certificate Authority. For convenience, sample commands are given below; be aware that these commands are specific to the OS flavor and version, and it is best to refer to the OS's own documentation.
Before running the command(s) below, create a certificate bundle file in PEM format. The typical order of certificates is:
- Issuing CA certificate(s)
- Root CA certificate
```shell
sudo cp /system_path/CA-Cert-Chain.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
```
| Parameter | Description |
|---|---|
| path | Absolute path and file name where the CA-signed server certificate will be stored on the Ansible host machine. |
| csr | Absolute path and file name where the server's certificate signing request will be stored on the Ansible host machine. |
| cagw_api_client_cert_path | CA Gateway only accepts mTLS-authenticated incoming REST API calls. This is the absolute path, on the Ansible host machine, of the client certificate in PEM format. |
| cagw_api_client_cert_key_path | CA Gateway only accepts mTLS-authenticated incoming REST API calls. This is the absolute path, on the Ansible host machine, of the client's private key, which must not be password-protected. |
| certificate_authority_id | CA Gateway allows multiple Certificate Authorities to be configured at the backend of the same CA Gateway instance. certificate_authority_id uniquely identifies the Certificate Authority (CA) to use for a particular certificate issuance. Refer to the CA Gateway documentation to get the right certificate_authority_id for this request. |
| certificate_profile_id | CA Gateway allows multiple certificate profiles to be configured against each Certificate Authority. certificate_profile_id uniquely identifies the certificate profile to use for a particular certificate issuance. Refer to the CA Gateway documentation to get the right certificate_profile_id for this request. |
| request_type | Either 'new' or 'renew'. |
| enrollment_format | Either 'X509' or 'PKCS12'. |
| dn | Subject DN of the server certificate to be issued. Typically the server's hostname is part of the DN. |
| cagw_api_specification_path | Absolute path and file name of the CAGW API specification YAML file. Among other information, this file contains the FQDN of the CA Gateway you want to connect to. |
| connection_type | Either 'SM' for Entrust Certificate Authority (private TLS certificates) or 'ECS' for Entrust Certificate Services (public TLS certificates). |
| requester_name | ECS Certificate Authority only; refer to the ECS documentation on how ECS uses this information. |
| requester_email | ECS Certificate Authority only; refer to the ECS documentation on how ECS uses this information. |
| requester_phone | ECS Certificate Authority only; refer to the ECS documentation on how ECS uses this information. |
| tracking_info | ECS Certificate Authority only; refer to the ECS documentation on how ECS uses this information. |
| force | Force the rekey operation. |
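As an added example (not one of this repository's sample playbooks and not Entrust's own code), the playbook below ties the setup steps together: the first play installs the CA Gateway TLS issuer chain into the Ansible host's trust store, the second enrolls a server certificate through community.crypto.cagw_certificate using the parameters from the table, and a final task reads back the subject, issuer and expiry of the issued certificate so the run can be checked. Every file path, the DN, the hostname and the certificate_authority_id / certificate_profile_id values are placeholders to be replaced with values from your own CA Gateway configuration; the module's parameter names are taken from the table above and are assumed to be accepted exactly as listed.

```yaml
# Added sample playbook (not from this repository). All paths, IDs and the DN
# are placeholders; take the real CA and profile IDs from your CA Gateway configuration.
---
- name: Trust the CA Gateway TLS issuer chain on the Ansible host (CentOS/RHEL 8)
  hosts: localhost
  connection: local
  become: true
  vars:
    # PEM bundle ordered issuing CA(s) first, root CA last (placeholder path)
    cagw_tls_chain: /system_path/CA-Cert-Chain.pem
  tasks:
    - name: Copy the chain into the system trust anchors
      ansible.builtin.copy:
        src: "{{ cagw_tls_chain }}"
        dest: /etc/pki/ca-trust/source/anchors/CA-Cert-Chain.pem
        owner: root
        group: root
        mode: "0644"
      notify: Rebuild system trust store
  handlers:
    - name: Rebuild system trust store
      ansible.builtin.command: update-ca-trust extract

- name: Enroll a server certificate through Entrust CA Gateway
  hosts: localhost
  connection: local
  vars:
    cert_dir: /opt/cagw-certs          # placeholder output directory
    server_fqdn: web01.example.com     # placeholder hostname
  tasks:
    - name: Ensure the output directory exists with restrictive permissions
      ansible.builtin.file:
        path: "{{ cert_dir }}"
        state: directory
        mode: "0700"

    - name: Request a new X.509 certificate from the private (SM) CA
      community.crypto.cagw_certificate:
        path: "{{ cert_dir }}/{{ server_fqdn }}.crt"
        csr: "{{ cert_dir }}/{{ server_fqdn }}.csr"
        cagw_api_specification_path: /opt/cagw/cagw-api-spec.yaml      # placeholder
        cagw_api_client_cert_path: /opt/cagw/client/api-client.pem     # placeholder, PEM
        cagw_api_client_cert_key_path: /opt/cagw/client/api-client.key # placeholder, no passphrase
        certificate_authority_id: "<your-certificate-authority-id>"    # from CA Gateway config
        certificate_profile_id: "<your-certificate-profile-id>"        # from CA Gateway config
        connection_type: SM
        request_type: new
        enrollment_format: X509
        dn: "CN={{ server_fqdn }},O=Example Corp,C=US"
        force: false

    - name: Read back subject, issuer and expiry of the issued certificate
      ansible.builtin.command: >
        openssl x509 -in {{ cert_dir }}/{{ server_fqdn }}.crt
        -noout -subject -issuer -enddate
      changed_when: false
      register: cert_info

    - name: Print the certificate summary
      ansible.builtin.debug:
        msg: "{{ cert_info.stdout_lines }}"
```

Run it with `ansible-playbook cagw-enroll.yml -K` (the first play needs privilege escalation to write under /etc/pki/ca-trust). The client key referenced by cagw_api_client_cert_key_path must be unencrypted, as the table states, so keep it readable only by the account that runs Ansible; the 0700 output directory does the same for the issued material.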