
Install SSL Certificates for Ansible Automation Controller and Automation Hub

Updated: Nov 7, 2021


Let's create our organisation's own CA-signed certificates and install them on the Ansible Automation Controller and Automation Hub web interfaces, replacing the default self-signed ones.


Step 1: Create our root CA key and certificate.

[mhaque@munshi-lab ~ ]$ mkdir ssl_cert
[mhaque@munshi-lab ~ ]$ cd ssl_cert
[mhaque@munshi-lab ssl_cert]$ openssl genrsa -des3 -out myCA.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................+++++
....................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for myCA.key:
Verifying - Enter pass phrase for myCA.key:
[mhaque@munshi-lab ssl_cert]$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
Enter pass phrase for myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:MY
State or Province Name (full name) []:Selangor
Locality Name (eg, city) [Default City]:Subang
Organization Name (eg, company) [Default Company Ltd]:JazakAllah Info
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:munshi-lab.jazakallah.info
Email Address []:root@jazakallah.info
[mhaque@munshi-lab ssl_cert]$ ls -l
total 12
-rw-------. 1 mhaque mhaque 1743 Nov  4 20:55 myCA.key
-rw-rw-r--. 1 mhaque mhaque 1501 Nov  4 20:57 myCA.pem
Note: if your organisation already has a root CA in place, skip step 1 and have that CA sign the requests created below.

Step 2: Create the key file and the certificate request for the Ansible Controller and sign the request with the root CA.

[mhaque@munshi-lab ssl_cert]$ cat csr_answer.cfg
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default            = MY
countryName_min            = 2
countryName_max            = 2

stateOrProvinceName        = State or Province Name (full name)
stateOrProvinceName_default    = Selangor

localityName            = Locality Name (eg, city)
localityName_default            = Subang

0.organizationName        = Organization Name (eg, company)
0.organizationName_default       = JazakAllah Info

organizationalUnitName        = Organizational Unit Name (eg, section)
organizationalUnitName_default    = Blog

commonName                     = ansible4.jazakallah.info
commonName_max            = 64


[ req_ext ]
subjectAltName = @alt_names
[alt_names]

DNS.1   = ansible4.jazakallah.info
IP.1    = 192.168.121.210

[mhaque@munshi-lab ssl_cert]$ cat ca_csr_answer.cfg
subjectAltName = @alt_names
[alt_names]

DNS.1   = ansible4.jazakallah.info
IP.1    = 192.168.121.210
[mhaque@munshi-lab ssl_cert]$ openssl genrsa -out ansible4.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
...........................................................................................................................................................................++++
....................++++
e is 65537 (0x010001)
[mhaque@munshi-lab ssl_cert]$ openssl req -new -key ansible4.key -out ansible4.csr -config=csr_answer.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:
State or Province Name (full name) [Selangor]:
Locality Name (eg, city) [Subang]:
Organization Name (eg, company) [JazakAllah Info]:
Organizational Unit Name (eg, section) [Blog]:
ansible4.jazakallah.info []:ansible4.jazakallah.info
[mhaque@munshi-lab ssl_cert]$  openssl req -in ansible4.csr -noout -text | grep DNS
                DNS:ansible4.jazakallah.info, IP Address:192.168.121.210
[mhaque@munshi-lab ssl_cert]$ openssl x509 -req -in ansible4.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out ansible4.crt -days 825 -sha256 -extfile ca_csr_answer.cfg
Signature ok
subject=C = MY, ST = Selangor, L = Subang, O = JazakAllah Info, OU = Blog, CN = ansible4.jazakallah.info
Getting CA Private Key
Enter pass phrase for myCA.key:
[mhaque@munshi-lab ssl_cert]$ openssl x509 -in ansible4.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            76:48:67:a7:57:b8:2f:0c:d0:f8:7a:fb:44:34:bb:80:54:df:3b:01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = MY, ST = Selangor, L = Subang, O = JazakAllah Info, OU = IT, CN = munshi-lab.jazakallah.info, emailAddress = root@jazakallah.info
        Validity
            Not Before: Nov  4 13:13:48 2021 GMT
            Not After : Feb  7 13:13:48 2024 GMT
        Subject: C = MY, ST = Selangor, L = Subang, O = JazakAllah Info, OU = Blog, CN = ansible4.jazakallah.info
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ansible4.jazakallah.info, IP Address:192.168.121.210
    Signature Algorithm: sha256WithRSAEncryption
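Steps 1 and 2 above, as an added example (not code from the original post), run non-interactively and followed by the checks worth doing before any file is copied to the controller: chain validation, key/certificate match and the SAN contents. It assumes a passphrase-less CA key so it can run unattended, 2048-bit keys, and one config file reused for the CSR and the signing step via -extensions; the file names (req.cfg, server.key, server.crt, lab-root-ca) are my own choices.

```shell
# Added example, not from the original post. Assumes a passphrase-less CA key
# (so it runs unattended), 2048-bit keys and one config for CSR and signing.
set -eu
make_certs() {   # make_certs <workdir> <fqdn> <ip>
  dir=$1; fqdn=$2; ip=$3; mkdir -p "$dir"
  # prompt = no makes every [dn] entry a value. In the post's interactive
  # config, "commonName = ansible4..." is only the prompt label, which is
  # why the session shows the CN being typed in again.
  cat > "$dir/req.cfg" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = req_ext
x509_extensions    = v3_ca
[ dn ]
C  = MY
O  = JazakAllah Info
CN = $fqdn
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $fqdn
IP.1  = $ip
EOF
  # Step 1: root CA, explicitly CA:TRUE rather than relying on the system
  # openssl.cnf defaults; -subj keeps its name distinct from the server's.
  openssl genrsa -out "$dir/myCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/myCA.key" -sha256 -days 1825 -config "$dir/req.cfg" \
    -subj "/O=JazakAllah Info/OU=IT/CN=lab-root-ca" -out "$dir/myCA.pem"
  # Step 2: server key and CSR with the SAN; the SAN section is named again at
  # signing because "x509 -req" does not copy extensions out of the CSR.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -config "$dir/req.cfg" -out "$dir/server.csr"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/myCA.pem" -CAkey "$dir/myCA.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/req.cfg" -extensions req_ext \
    -out "$dir/server.crt"
}
verify_certs() { # verify_certs <workdir> <fqdn> <ip>; exit status 0 = install-ready
  dir=$1; fqdn=$2; ip=$3
  # 1. the certificate must chain to our CA
  openssl verify -CAfile "$dir/myCA.pem" "$dir/server.crt" >/dev/null 2>&1 || return 1
  # 2. the private key must belong to that certificate (same public key)
  c=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$dir/server.key" -pubout | openssl sha256)
  [ "$c" = "$k" ] || return 2
  # 3. the SAN must carry the FQDN and IP the controller is reached by
  openssl x509 -in "$dir/server.crt" -noout -text | grep -qF "DNS:$fqdn, IP Address:$ip" || return 3
}
```

Source the file and run `make_certs ssl_cert ansible4.jazakallah.info 192.168.121.210 && verify_certs ssl_cert ansible4.jazakallah.info 192.168.121.210`; only the CA certificate, server certificate and server key from that directory belong on the controller, myCA.key stays on the CA host.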

Step 3: Create the key file and the certificate request for the Ansible Automation Hub by following step 2.

Note: make sure the csr_answer.cfg and ca_csr_answer.cfg files carry the IP address and host name (FQDN) of the Ansible Automation Hub system this time.

Now we have to make the necessary configuration changes on the Ansible Controller and Automation Hub systems.



Ansible Controller System:

Step 1: Copy the root CA certificate, the signed certificate and its associated key file to this system.

[root@ansible4 ~ ]# scp mhaque@192.168.121.1:/home/mhaque/ssl_cert/*.* .
mhaque@192.168.121.1's password:
ansible4.crt                          100% 1744     9.7MB/s   00:00    
ansible4.csr                          100% 1809    10.4MB/s   00:00    
ansible4.key                          100% 3243    13.6MB/s   00:00    
myCA.pem                              100% 1501     7.0MB/s   00:00    

Step 2: Configure the custom SSL certificate in place of the self-signed SSL certificate generated by the Ansible Controller.