Language:
Format:

Language:
Format:

Chapter 21. Requesting certificates by using RHEL system roles

You can use the certificate system role to issue and manage certificates.

21.1. The `certificate` system role

Using the certificate system role, you can manage issuing and renewing TLS and SSL certificates using Ansible Core.

The role uses certmonger as the certificate provider, and currently supports issuing and renewing self-signed certificates and using the IdM integrated certificate authority (CA).

You can use the following variables in your Ansible playbook with the certificate system role:

certificate_wait: to specify if the task should wait for the certificate to be issued.
certificate_requests: to represent each certificate to be issued and its parameters.

Additional resources

/usr/share/ansible/roles/rhel-system-roles.certificate/README.md file
/usr/share/doc/rhel-system-roles/certificate/ directory

21.2. Requesting a new self-signed certificate by using the `certificate` system role

With the certificate system role, you can use Ansible Core to issue self-signed certificates.

This process uses the certmonger provider and requests the certificate through the getcert command.

Prerequisites

You have prepared the control node and the managed nodes
You are logged in to the control node as a user who can run playbooks on the managed nodes.
The account you use to connect to the managed nodes has sudo permissions on them.

Procedure

Create a playbook file, for example ~/playbook.yml, with the following content:
```
---
- hosts: managed-node-01.example.com
  roles:
    - rhel-system-roles.certificate
  vars:
    certificate_requests:
      - name: mycert
        dns: "*.example.com"
        ca: self-sign
```
- Set the name parameter to the desired name of the certificate, such as mycert.
- Set the dns parameter to the domain to be included in the certificate, such as *.example.com.
- Set the ca parameter to self-sign.
By default, certmonger automatically tries to renew the certificate before it expires. You can disable this by setting the auto_renew parameter in the Ansible playbook to no.
Validate the playbook syntax:
```
$ ansible-playbook --syntax-check ~/playbook.yml
```
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
```
$ ansible-playbook ~/playbook.yml
```

Additional resources

/usr/share/ansible/roles/rhel-system-roles.certificate/README.md file
/usr/share/doc/rhel-system-roles/certificate/ directory

21.3. Requesting a new certificate from IdM CA by using the `certificate` system role

With the certificate system role, you can use anible-core to issue certificates while using an IdM server with an integrated certificate authority (CA). Therefore, you can efficiently and consistently manage the certificate trust chain for multiple systems when using IdM as the CA.

This process uses the certmonger provider and requests the certificate through the getcert command.

Prerequisites

You have prepared the control node and the managed nodes
You are logged in to the control node as a user who can run playbooks on the managed nodes.
The account you use to connect to the managed nodes has sudo permissions on them.

Procedure

Create a playbook file, for example ~/playbook.yml, with the following content:
```
---
- hosts: managed-node-01.example.com
  roles:
    - rhel-system-roles.certificate
  vars:
    certificate_requests:
      - name: mycert
        dns: www.example.com
        principal: HTTP/www.example.com@EXAMPLE.COM
        ca: ipa
```
- Set the name parameter to the desired name of the certificate, such as mycert.
- Set the dns parameter to the domain to be included in the certificate, such as www.example.com.
- Set the principal parameter to specify the Kerberos principal, such as HTTP/www.example.com@EXAMPLE.COM.
- Set the ca parameter to ipa.
By default, certmonger automatically tries to renew the certificate before it expires. You can disable this by setting the auto_renew parameter in the Ansible playbook to no.
Validate the playbook syntax:
```
$ ansible-playbook --syntax-check ~/playbook.yml
```
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
```
$ ansible-playbook ~/playbook.yml
```

Additional resources

/usr/share/ansible/roles/rhel-system-roles.certificate/README.md file
/usr/share/doc/rhel-system-roles/certificate/ directory

21.4. Specifying commands to run before or after certificate issuance by using the `certificate` system role

With the certificate Role, you can use Ansible Core to execute a command before and after a certificate is issued or renewed.

In the following example, the administrator ensures stopping the httpd service before a self-signed certificate for www.example.com is issued or renewed, and restarting it afterwards.

Prerequisites

You have prepared the control node and the managed nodes
You are logged in to the control node as a user who can run playbooks on the managed nodes.
The account you use to connect to the managed nodes has sudo permissions on them.

Procedure

Create a playbook file, for example ~/playbook.yml, with the following content:
```
---
- hosts: managed-node-01.example.com
  roles:
    - rhel-system-roles.certificate
  vars:
    certificate_requests:
      - name: mycert
        dns: www.example.com
        ca: self-sign
        run_before: systemctl stop httpd.service
        run_after: systemctl start httpd.service
```
- Set the name parameter to the desired name of the certificate, such as mycert.
- Set the dns parameter to the domain to be included in the certificate, such as www.example.com.
- Set the ca parameter to the CA you want to use to issue the certificate, such as self-sign.
- Set the run_before parameter to the command you want to execute before this certificate is issued or renewed, such as systemctl stop httpd.service.
- Set the run_after parameter to the command you want to execute after this certificate is issued or renewed, such as systemctl start httpd.service.
By default, certmonger automatically tries to renew the certificate before it expires. You can disable this by setting the auto_renew parameter in the Ansible playbook to no.
Validate the playbook syntax:
```
$ ansible-playbook --syntax-check ~/playbook.yml
```
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
```
$ ansible-playbook ~/playbook.yml
```

Additional resources

/usr/share/ansible/roles/rhel-system-roles.certificate/README.md file
/usr/share/doc/rhel-system-roles/certificate/ directory

Select Your Language

Chapter 21. Requesting certificates by using RHEL system roles

21.1. The `certificate` system role

21.2. Requesting a new self-signed certificate by using the `certificate` system role

21.3. Requesting a new certificate from IdM CA by using the `certificate` system role

21.4. Specifying commands to run before or after certificate issuance by using the `certificate` system role

Quick Links

Help

Site Info

Related Sites

About

Red Hat legal and privacy links

Red Hat legal and privacy links

Language and Page Formatting Options

Chapter 21. Requesting certificates by using RHEL system roles

21.1. The certificate system role

21.2. Requesting a new self-signed certificate by using the certificate system role

21.3. Requesting a new certificate from IdM CA by using the certificate system role

21.4. Specifying commands to run before or after certificate issuance by using the certificate system role

Quick Links

Help

Site Info

Related Sites

Systems Status

About

Red Hat legal and privacy links

Red Hat legal and privacy links

21.1. The `certificate` system role

21.2. Requesting a new self-signed certificate by using the `certificate` system role

21.3. Requesting a new certificate from IdM CA by using the `certificate` system role

21.4. Specifying commands to run before or after certificate issuance by using the `certificate` system role