How to configure automatic certs with ansible and step-ca

Hello, I am SpiderUnderUrBed, I am making this tutorial because setting up automatic self signed certificates, with a solution as versatile took me awhile, and I hope to help give the basis for setting up a CA (certificate authority) where you can request multiple certificates, over the internet even, and reap many benefits you might not get from plain openssl or atleast without the simplicity. I will post my playbook in several blocks and explain each part of it, for the full thing, assemble all the blocks.

---
- name: Set up step-ca and Generate Certificates
  hosts: localhost
  vars:
    step_ca_base_dir: "<your step-ca base dir>"
    certs_dir: "{{ step_ca_base_dir }}/certs"
    ca_root_key_path: "{{ certs_dir }}/root_ca.key"
    ca_root_crt_path: "{{ certs_dir }}/root_ca.crt"
    ca_intermediate_key_path: "{{ certs_dir }}/intermediate_ca.key"
    ca_intermediate_crt_path: "{{ certs_dir }}/intermediate_ca.crt"
    ca_json_path: "{{ step_ca_base_dir }}/ca.json"
    ca_url: "https://localhost:9001"
    root_password: "your_root_password"
    intermediate_password: "your_intermediate_password"
    jwk_password: "test"
    hostname: "{{ hostname }}"

The first thing is to declare all the variables, the hostname being the domain your issuing the cert too, and step_ca_base_dir being the directory where your playbook is, everything else like the location of your CA root key, and CA root crt will be in the configured base dir + certs. You also have ca intermediate key and crt variables, which is important in a PKI stack for the chain of trust. You have a json path, your ca.json will need to look like this (dont mix this up with the yaml):

{
  "root": "<your base dir>/certs/root_ca.crt",
  "federatedRoots": null,
  "crt": "<your base dir>/certs/intermediate_ca.crt",
  "key": "<your base dir>/certs/intermediate_ca.key",
  "address": ":9001",
  "insecureAddress": "9002",
  "dnsNames": [
    "localhost"
  ],
  "logger": {
    "format": "text",
    "level": "info",
    "output": "<your base dir>/logs/ca.log"
  },
  "authority": {
    "provisioners": [
    ],
    "template": {},
    "backdate": "59m0s",
    "certificate": {
      "defaultDuration": "8760h0m0s"
    }
  },
  "tls": {
    "cipherSuites": [
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    ],
    "minVersion": 1.2,
    "maxVersion": 1.3,
    "renegotiation": false
  },
  "password": "your_password",
  "commonName": "Step Online CA"
}

A provisioner will automatically be configured with this json file, these are just basic settings, but a provisioner is responsible for defining the authentication and authorization rules that determine who is allowed to request a certificate, what certificate they are allowed to obtain, and how to prove their identity.

    - name: Create password file for root certificate
      ansible.builtin.copy:
        dest: "{{ certs_dir }}/root_password.txt"
        content: "{{ root_password }}"
        mode: '0600'

This just makes a file with the root password you entered, which will be used later in a flag for a root certificate.

    - name: Generate Root Certificate
      ansible.builtin.command:
        cmd: "step certificate create 'Root CA' {{ ca_root_crt_path }} {{ ca_root_key_path }} --profile root-ca --password-file {{ certs_dir }}/root_password.txt"

This is where the previous password file is used, this is the root certificate, highest up in our PKI stack, in charge of intermediary certificates which are in turn responsible for your certificates.

    - name: Create password file for intermediate certificate
      ansible.builtin.copy:
        dest: "{{ certs_dir }}/intermediate_password.txt"
        content: "{{ intermediate_password }}"
        mode: '0600'

    - name: Generate Intermediate Certificate
      ansible.builtin.command:
        cmd: "step certificate create 'Intermediate CA' {{ ca_intermediate_crt_path }} {{ ca_intermediate_key_path }} --profile intermediate-ca --ca {{ ca_root_c>

We see a similar pattern here, but with out intermediate certificates, the next in the PKI stack.

    - name: Update ca.json with Certificate Paths
      ansible.builtin.lineinfile:
        path: "{{ ca_json_path }}"
        regexp: '^\s*"root": '
        line: '  "root": "{{ ca_root_crt_path }}",'

This will add the certificate paths into ca.json, it will ensure that it is in it. If you already hard coded a location, you can remove it, but i recommend leaving as is.

    - name: Create password file for JWK
      ansible.builtin.copy:
        dest: "{{ certs_dir }}/jwk_password.txt"
        content: "{{ jwk_password }}"
        mode: '0600'

    - name: Generate JWK keys
      ansible.builtin.command:
        cmd: "step crypto jwk create --kty=EC --curve=P-256 {{ certs_dir }}/public.jwk {{ certs_dir }}/private.jwk --password-file {{ certs_dir }}/jwk_password.t>
      register: provisioner_key_generation

This is a little bit different than the previous password generation for intermediate and root certificates, this will generate a password file, which will be used to make JWK keys, which will be useful in configuring the provisioners.

    - name: Read public JWK file contents
      ansible.builtin.slurp:
        src: "{{ certs_dir }}/public.jwk"
      register: public_jwk_contents

    - name: Parse public JWK file contents
      ansible.builtin.set_fact:
        public_jwk_json: "{{ public_jwk_contents.content | b64decode | from_json }}"

These do three things, uses ansible.builtin.slurp to read the JWK file, a json file with credentials, it will then parse it, using public_jwk_contents and then public_jwk_contents.content will hold the base64 file contents. Finally it parses the public JWK file contents, using set_fact to create a new variable: public_jwk_json, decodes the base64 content, and parses the json structure, the reason for the base64 encoding and decoding as it allows for retention of weird data without any issues with escaping and so on. public_jwk_json finally contains just the key data.

   - name: Format JWK using step crypto jose format
      shell: "sudo cat {{ certs_dir }}/private.jwk | step crypto jose format"
      register: formatted_jwk
      changed_when: false

This runs a shell command too, cat/list the content of the the private jwk file, then pipe that output too step crypto jose format, this will help to get the KID values. It then stores the output of this in formatted_jwk, this will be important for the provisioner.

    - name: Set encryptedKey fact
      set_fact:
        encrypted_key: "{{ formatted_jwk.stdout }}"

    - name: Set provisioner facts
      ansible.builtin.set_fact:
        provisioner_x_value: "{{ public_jwk_json.x }}"
        provisioner_y_value: "{{ public_jwk_json.y }}"
        provisioner_kid_value: "{{ public_jwk_json.kid }}"

This uses everything gathered so far, and sets multiple variables, for example it extracts the previous output from the step crypto jose format, stores theencrypted_key variable with the content. For the other varibles, it sets it according to this: provisioner_x_value: The X-coordinate of the public JWK (used in elliptic curve cryptography). provisioner_y_value: The Y-coordinate of the public JWK, and provisioner_kid_value: The Key ID (KID), a unique identifier for the key.

    - name: Start step-ca server
      ansible.builtin.command: "step-ca --password-file {{ certs_dir }}/intermediate_password.txt {{ ca_json_path }}"
      async: 60
      poll: 0
      ignore_errors: true
      register: step_ca_output

    - name: Wait for step-ca to start
      wait_for:
        port: 443
        host: localhost
        timeout: 30

This starts the step-ca server, uses the intermediate password, you can set another password if you want, it then waits for step-ca to start, some arbitrary timeout to account for it starting. If you want you could maybe decrease it.

- name: Create Certificate
  hosts: ca
  vars:
    step_ca_base_dir: "<base dir>"
    hostname: "{{ hostname }}"
    ca_url: "https://localhost:9001"
    ca_root_crt_path: "{{ step_ca_base_dir }}/certs/root_ca.crt"

This marks the start of a new set of tasks, you need to set your base dir, the ca url, it should be at 9001 unless you configure otherwise in your ca.json, and everything else should be sorted, the actual certificate it requests should be in hostname and ca root crt path should be accounted for.

    - name: Create directory for certs
      ansible.builtin.file:
        path: "{{ step_ca_base_dir }}/{{ hostname }}"
        state: directory
        mode: '0644'

    - name: Create certificate
      ansible.builtin.command: >
        step ca certificate {{ hostname }}
        {{ step_ca_base_dir }}/{{ hostname }}/{{ hostname }}.crt
        {{ step_ca_base_dir }}/{{ hostname }}/{{ hostname }}.key
        --provisioner-password-file={{ step_ca_base_dir }}/certs/jwk_password.txt
        --ca-url={{ ca_url }}
        --root={{ ca_root_crt_path }}
        --not-before=10h
      args:
        creates: "{{ step_ca_base_dir }}/{{ hostname }}/{{ hostname }}.crt"

This is the actual certificate creation process. It creates the directory. Then cren creats the certificate, it makes a directory with the name of the domain, then creates a key file and crt file based on it, it will authenticate using the provisioner password file, it will use the ca url set up earlier, it will use the root crt as that is the center for the pki chain of trust, Sets the not-before time to 10 hours ago so the certificate is valid retroactively from 10 hours before the issuance. It Prevents Recreating Existing Certificates, with this:

args:
  creates: "{{ step_ca_base_dir }}/{{ hostname }}/{{ hostname }}.crt"

What to do from here?

From here you could expand more to set up a ingress, run a docker compose or whatever, to make use of your newly created certificate, maybe import other playbooks. Sky is the limit.