Initial commit. This repo contains ansible CM that describes ECG infrastructure.

A test server (acacia root server) is already included in the inventory, with an ecg admin account.

secret/pki/authorities/domain/config/authority.conf

@@ -0,0 +1,30 @@
+# Configuration file generated by pki-authority
+
+config['pki_default_root_sign_multiplier']='12'
+config['pki_library']='openssl'
+config['name_constraints_critical']='True'
+config['crl']='True'
+config['pki_default_ca_sign_multiplier']='10'
+config['subject']='o=Ecogood/ou=Domain CA'
+config['pki_default_domain_dn']=''
+config['pki_default_domain']=''
+config['issuer_name']='root'
+config['key_size']='4096'
+config['name_constraints']='True'
+config['private_file_mode']='600'
+config['private_dir_mode']='700'
+config['public_file_mode']='644'
+config['domain']='ecogood.org'
+config['root_sign_days']=''
+config['ocsp']='True'
+config['ca_sign_days']=''
+config['pki_default_cert_sign_multiplier']='3'
+config['pki_default_sign_base']='365'
+config['pki_default_fqdn']='blacknode'
+config['system_ca']='true'
+config['public_dir_mode']='755'
+config['ca_type']=''
+config['alt_authority']=''
+config['subdomain']='domain-ca'
+config['cert_sign_days']=''
+config['name']='domain'

secret/pki/authorities/domain/config/openssl-request.conf

@@ -0,0 +1,15 @@
+# Configuration file generated by pki-authority
+
+[ req ]
+default_md             = sha256
+default_bits           = 4096
+default_keyfile        = private/key.pem
+prompt                 = no
+encrypt_key            = no
+distinguished_name     = ca_dn
+utf8                   = yes
+string_mask            = utf8only
+
+[ ca_dn ]
+organizationName=Ecogood
+organizationalUnitName=Domain CA

secret/pki/authorities/domain/config/openssl-sign.conf

@@ -0,0 +1,59 @@
+# Configuration file generated by pki-authority
+
+[ default ]
+name                    = domain-ca
+domain_suffix           = ecogood.org
+aia_url                 = http://$name.$domain_suffix/crt/
+crl_url                 = http://$name.$domain_suffix/crl/
+ocsp_url                = http://$name.$domain_suffix/ocsp/
+default_ca              = ca_default
+name_opt                = utf8,esc_ctrl,multiline,lname,align
+
+[ ca_default ]
+home                    = .
+database                = $home/database/index
+serial                  = $home/database/serial
+crlnumber               = $home/database/crlnumber
+certificate             = $home/subject/cert.pem
+private_key             = $home/private/key.pem
+RANDFILE                = $home/private/random
+new_certs_dir           = $home/certs
+unique_subject          = no
+policy                  = policy_default
+x509_extensions         = extension_default
+copy_extensions         = copy
+default_days            = 1095
+default_crl_days        = 30
+default_md              = sha256
+
+[ crl_info ]
+URI.0                   = $crl_url
+
+[ issuer_info ]
+caIssuers;URI.0         = $aia_url
+OCSP;URI.0              = $ocsp_url
+
+[ extension_ocsp ]
+authorityKeyIdentifier  = keyid:always
+basicConstraints        = critical, CA:false
+extendedKeyUsage        = OCSPSigning
+keyUsage                = critical, digitalSignature
+subjectKeyIdentifier    = hash
+
+[ policy_default ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+[ extension_default ]
+authorityInfoAccess     = @issuer_info
+authorityKeyIdentifier  = keyid:always, issuer:always
+basicConstraints        = critical, CA:FALSE
+crlDistributionPoints   = @crl_info
+extendedKeyUsage        = clientAuth, serverAuth
+keyUsage                = critical, digitalSignature, keyEncipherment
+subjectKeyIdentifier    = hash
+