Install SSL Certificates for Ansible Automation Controller and Automation Hub

Updated: Nov 7, 2021


Let's create a certificate signed by our organisation's own CA and use it to update the SSL certificate on the Ansible Automation Controller and Automation Hub web interfaces.


Step 1: Create our root CA key and certificate.

[mhaque@munshi-lab ~ ]$ mkdir ssl_cert
[mhaque@munshi-lab ~ ]$ cd ssl_cert
[mhaque@munshi-lab ssl_cert]$ openssl genrsa -des3 -out myCA.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................+++++
....................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for myCA.key:
Verifying - Enter pass phrase for myCA.key:
[mhaque@munshi-lab ssl_cert]$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
Enter pass phrase for myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:MY
State or Province Name (full name) []:Selangor
Locality Name (eg, city) [Default City]:Subang
Organization Name (eg, company) [Default Company Ltd]:JazakAllah Info
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:munshi-lab.jazakallah.info
Email Address []:root@jazakallah.info
[mhaque@munshi-lab ssl_cert]$ ls -l
total 12
-rw-------. 1 mhaque mhaque 1743 Nov  4 20:55 myCA.key
-rw-rw-r--. 1 mhaque mhaque 1501 Nov  4 20:57 myCA.pem
Note: If your organization already has a root CA server in place, skip Step 1.

Step 2: Create the key file and the certificate request for the Ansible Controller.

[mhaque@munshi-lab ssl_cert]$ cat csr_answer.cfg
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default            = MY
countryName_min            = 2
countryName_max            = 2

stateOrProvinceName        = State or Province Name (full name)
stateOrProvinceName_default    = Selangor

localityName            = Locality Name (eg, city)
localityName_default            = Subang

0.organizationName        = Organization Name (eg, company)
0.organizationName_default       = JazakAllah Info

organizationalUnitName        = Organizational Unit Name (eg, section)
organizationalUnitName_default    = Blog

commonName                     = ansible4.jazakallah.info
commonName_max            = 64


[ req_ext ]
subjectAltName = @alt_names
[alt_names]

DNS.1   = ansible4.jazakallah.info
IP.1    = 192.168.121.210

[mhaque@munshi-lab ssl_cert]$ cat ca_csr_answer.cfg
subjectAltName = @alt_names
[alt_names]

DNS.1   = ansible4.jazakallah.info
IP.1    = 192.168.121.210
[mhaque@munshi-lab ssl_cert]$ openssl genrsa -out ansible4.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
...........................................................................................................................................................................++++
....................++++
e is 65537 (0x010001)
[mhaque@munshi-lab ssl_cert]$ openssl req -new -key ansible4.key -out ansible4.csr -config=csr_answer.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:
State or Province Name (full name) [Selangor]:
Locality Name (eg, city) [Subang]:
Organization Name (eg, company) [JazakAllah Info]:
Organizational Unit Name (eg, section) [Blog]:
ansible4.jazakallah.info []:ansible4.jazakallah.info
[mhaque@munshi-lab ssl_cert]$  openssl req -in ansible4.csr -noout -text | grep DNS
                DNS:ansible4.jazakallah.info, IP Address:192.168.121.210
[mhaque@munshi-lab ssl_cert]$ openssl x509 -req -in ansible4.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out ansible4.crt -days 825 -sha256 -extfile ca_csr_answer.cfg
Signature ok
subject=C = MY, ST = Selangor, L = Subang, O = JazakAllah Info, OU = Blog, CN = ansible4.jazakallah.info
Getting CA Private Key
Enter pass phrase for myCA.key:
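
Added example, not part of the original post: by default `openssl x509 -req` does not carry the CSR's extensions into the certificate, which is why the signing command above supplies the SAN a second time through -extfile. The script repeats Steps 1 and 2 without prompts in a throwaway directory, then checks chain, key match and SAN on the result; `req.cfg`, `nosan.crt`, the `lab-root-ca` subject and both function names are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: throwaway lab PKI mirroring the page's steps without prompts.
# All files are constructed test data; the lab CA key has no passphrase.

make_lab_pki() {   # $1 = empty work directory
  ( cd "$1" &&
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
      'req_extensions=req_ext' '[dn]' 'commonName=Common Name' \
      '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
      '[req_ext]' 'subjectAltName=@alt_names' '[alt_names]' \
      'DNS.1=ansible4.jazakallah.info' 'IP.1=192.168.121.210' > req.cfg &&
    # Same content as the page's ca_csr_answer.cfg.
    printf '%s\n' 'subjectAltName=@alt_names' '[alt_names]' \
      'DNS.1=ansible4.jazakallah.info' 'IP.1=192.168.121.210' > ca_csr_answer.cfg &&
    openssl genrsa -out myCA.key 2048 &&
    openssl req -x509 -new -key myCA.key -sha256 -days 30 -config req.cfg \
      -subj '/CN=lab-root-ca' -out myCA.pem &&
    openssl genrsa -out ansible4.key 2048 &&
    openssl req -new -key ansible4.key -config req.cfg \
      -subj '/CN=ansible4.jazakallah.info' -out ansible4.csr &&
    # Signed as on the page: the SAN is supplied again through -extfile.
    openssl x509 -req -in ansible4.csr -CA myCA.pem -CAkey myCA.key \
      -CAcreateserial -days 30 -sha256 -extfile ca_csr_answer.cfg -out ansible4.crt &&
    # Same CSR signed without -extfile: the CSR's SAN is not carried over.
    openssl x509 -req -in ansible4.csr -CA myCA.pem -CAkey myCA.key \
      -CAcreateserial -days 30 -sha256 -out nosan.crt
  ) >/dev/null 2>&1
}

# Exit status: 0 ok, 1 chain failure, 2 key mismatch, 3 name missing from SAN.
check_issued_cert() {   # $1=CA cert  $2=issued cert  $3=private key  $4=DNS name
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "chain: FAIL"; return 1; }
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] ||
    { echo "key: MISMATCH"; return 2; }
  openssl x509 -in "$2" -noout -text | grep -qF "DNS:$4" ||
    { echo "SAN: missing $4"; return 3; }
  echo "ok"
}

d=$(mktemp -d) && make_lab_pki "$d"
check_issued_cert "$d/myCA.pem" "$d/ansible4.crt" "$d/ansible4.key" ansible4.jazakallah.info
check_issued_cert "$d/myCA.pem" "$d/nosan.crt" "$d/ansible4.key" ansible4.jazakallah.info || true
rm -rf "$d"
```

Running `check_issued_cert` against the real `myCA.pem`, `ansible4.crt` and `ansible4.key` before installing them catches a certificate that browsers would reject for a missing SAN.
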
[mhaque@munshi-lab ssl_cert]$ openssl x509 -in ansible4.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            76:48:67:a7:57:b8:2f:0c:d0:f8:7a:fb:44:34:bb:80:54:df:3b:01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = MY, ST = Selangor, L = Subang, O = JazakAllah Info, OU = IT, CN = munshi-lab.jazakallah.info, emailAddress = root@jazakallah.info
        Validity
            Not Before: Nov  4 13:<