tasks/create-saml-keys-cert.yml - private-cloud-ansible-playbooks/apigee-opdk-setup-edge-sso-config - Git at Google

 ---
 - name: Assert that service provider key file exists
   stat:
     path: "{{ sso_saml_service_provider_key_file_path }}"
   register: key

 - block:
   - name: Create SAML folder
     file:
       path: "{{ saml_folder }}"
       state: directory
       owner: "{{ opdk_user_name }}"
       group: "{{ opdk_group_name }}"

   - name: Generate a passphrase
     command: "openssl rand -base64 48"
     args:
       chdir: "{{ saml_folder }}"
     register: passphrase

   - name: Generate your private key with a passphrase
     command: "openssl genrsa -{{ saml_private_encryption_type }} -passout pass:{{ passphrase.stdout }} -out {{ sso_saml_service_provider_key_file_name}} {{ saml_private_key_size }}"
     args:
       chdir: "{{ saml_folder }}"

 #  - name: Calculate 365 days
 #    command: date -d '+365 days' +%y%m%d%H%M
 #    register: expiry
 #
 #  - name: Generate your private key with a passphrase
 #    openssl_certificate:
 #      path: "{{ sso_saml_service_provider_certificate_file_name }}"
 #      privatekey_path: "{{ sso_saml_service_provider_key_file_path }}"
 #      csr_path: "{{ saml_cert_signing_request_file_name }}"
 #      provider: selfsigned
 #      subject: "{{ saml_cert_subject }}"
 #      state: present
 #      not_after: "{{ expiry.stdout }}"

   - name: Prep to remove passphrase from Key
     copy:
       dest: "{{ saml_folder }}/remove-passphrase-{{ sso_saml_service_provider_key_file_name}}"
       src: "{{ sso_saml_service_provider_key_file_path}}"
       remote_src: yes

   - name: Remove the passphrase from the key
     shell: "openssl rsa -in remove-passphrase-{{ sso_saml_service_provider_key_file_name}} -passin pass:{{ passphrase.stdout }} -out {{ sso_saml_service_provider_key_file_name}}"
     args:
       chdir: "{{ saml_folder }}"

   - name: Clean up passphrase removal file
     file:
       path: "{{ saml_folder }}/remove-passphrase-{{ sso_saml_service_provider_key_file_name}}"
       state: absent

   - name: Generate certificate signing request for CA
     shell: "openssl req -x509 -sha256 -new -passin pass:{{ passphrase.stdout }}  -key {{ sso_saml_service_provider_key_file_name}} -out {{ saml_cert_signing_request_file_name }} -subj {{ saml_cert_subject }}"
     args:
       chdir: "{{ saml_folder }}"

   - name: Generate self-signed certificate with 365 days expiry-time
     shell: "openssl x509 -{{ saml_cert_encryption_type }} -days {{ saml_cert_expiry_days }} -in {{ saml_cert_signing_request_file_name }} -signkey {{ sso_saml_service_provider_key_file_name}} -out {{ sso_saml_service_provider_certificate_file_name }}"
     args:
       chdir: "{{ saml_folder }}"

   become: yes
   when: key.stat.exists == false
	---
	- name: Assert that service provider key file exists
	stat:
	path: "{{ sso_saml_service_provider_key_file_path }}"
	register: key

	- block:
	- name: Create SAML folder
	file:
	path: "{{ saml_folder }}"
	state: directory
	owner: "{{ opdk_user_name }}"
	group: "{{ opdk_group_name }}"

	- name: Generate a passphrase
	command: "openssl rand -base64 48"
	args:
	chdir: "{{ saml_folder }}"
	register: passphrase

	- name: Generate your private key with a passphrase
	command: "openssl genrsa -{{ saml_private_encryption_type }} -passout pass:{{ passphrase.stdout }} -out {{ sso_saml_service_provider_key_file_name}} {{ saml_private_key_size }}"
	args:
	chdir: "{{ saml_folder }}"

	# - name: Calculate 365 days
	# command: date -d '+365 days' +%y%m%d%H%M
	# register: expiry
	#
	# - name: Generate your private key with a passphrase
	# openssl_certificate:
	# path: "{{ sso_saml_service_provider_certificate_file_name }}"
	# privatekey_path: "{{ sso_saml_service_provider_key_file_path }}"
	# csr_path: "{{ saml_cert_signing_request_file_name }}"
	# provider: selfsigned
	# subject: "{{ saml_cert_subject }}"
	# state: present
	# not_after: "{{ expiry.stdout }}"

	- name: Prep to remove passphrase from Key
	copy:
	dest: "{{ saml_folder }}/remove-passphrase-{{ sso_saml_service_provider_key_file_name}}"
	src: "{{ sso_saml_service_provider_key_file_path}}"
	remote_src: yes

	- name: Remove the passphrase from the key
	shell: "openssl rsa -in remove-passphrase-{{ sso_saml_service_provider_key_file_name}} -passin pass:{{ passphrase.stdout }} -out {{ sso_saml_service_provider_key_file_name}}"
	args:
	chdir: "{{ saml_folder }}"

	- name: Clean up passphrase removal file
	file:
	path: "{{ saml_folder }}/remove-passphrase-{{ sso_saml_service_provider_key_file_name}}"
	state: absent

	- name: Generate certificate signing request for CA
	shell: "openssl req -x509 -sha256 -new -passin pass:{{ passphrase.stdout }} -key {{ sso_saml_service_provider_key_file_name}} -out {{ saml_cert_signing_request_file_name }} -subj {{ saml_cert_subject }}"
	args:
	chdir: "{{ saml_folder }}"

	- name: Generate self-signed certificate with 365 days expiry-time
	shell: "openssl x509 -{{ saml_cert_encryption_type }} -days {{ saml_cert_expiry_days }} -in {{ saml_cert_signing_request_file_name }} -signkey {{ sso_saml_service_provider_key_file_name}} -out {{ sso_saml_service_provider_certificate_file_name }}"
	args:
	chdir: "{{ saml_folder }}"

	become: yes
	when: key.stat.exists == false