Install SSL Certificates for Ansible Automation Controller and Automation Hub
Updated: Nov 7, 2021
Let's create our organisation's custom-signed certificate and update the SSL certificate on the Ansible Automation Controller and Automation Hub web interfaces.
Step 1: Create our root CA key and certificate.
[mhaque@munshi-lab ~ ]$ mkdir ssl_cert
[mhaque@munshi-lab ~ ]$ cd ssl_cert
[mhaque@munshi-lab ssl_cert]$ openssl genrsa -des3 -out myCA.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................+++++
....................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for myCA.key:
Verifying - Enter pass phrase for myCA.key:
[mhaque@munshi-lab ssl_cert]$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
Enter pass phrase for myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:MY
State or Province Name (full name) []:Selangor
Locality Name (eg, city) [Default City]:Subang
Organization Name (eg, company) [Default Company Ltd]:JazakAllah Info
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:munshi-lab.jazakallah.info
Email Address []:root@jazakallah.info
[mhaque@munshi-lab ssl_cert]$ ls -l
total 12
-rw-------. 1 mhaque mhaque 1743 Nov 4 20:55 myCA.key
-rw-rw-r--. 1 mhaque mhaque 1501 Nov 4 20:57 myCA.pem
Note: If you already have a root CA server in place in your organization, skip step 1.
Step 2: Create the key file and the certificate request for the Ansible Controller.
[mhaque@munshi-lab ssl_cert]$ cat csr_answer.cfg
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = MY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Selangor
localityName = Locality Name (eg, city)
localityName_default = Subang
0.organizationName = Organization Name (eg, company)
0.organizationName_default = JazakAllah Info
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Blog
commonName = ansible4.jazakallah.info
commonName_max = 64
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ansible4.jazakallah.info
IP.1 = 192.168.121.210
[mhaque@munshi-lab ssl_cert]$ cat ca_csr_answer.cfg
subjectAltName = @alt_names
[alt_names]
DNS.1 = ansible4.jazakallah.info
IP.1 = 192.168.121.210
[mhaque@munshi-lab ssl_cert]$ openssl genrsa -out ansible4.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
...........................................................................................................................................................................++++
....................++++
e is 65537 (0x010001)
[mhaque@munshi-lab ssl_cert]$ openssl req -new -key ansible4.key -out ansible4.csr -config=csr_answer.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:
State or Province Name (full name) [Selangor]:
Locality Name (eg, city) [Subang]:
Organization Name (eg, company) [JazakAllah Info]:
Organizational Unit Name (eg, section) [Blog]:
ansible4.jazakallah.info []:ansible4.jazakallah.info
[mhaque@munshi-lab ssl_cert]$ openssl req -in ansible4.csr -noout -text | grep DNS
DNS:ansible4.jazakallah.info, IP Address:192.168.121.210
[mhaque@munshi-lab ssl_cert]$ openssl x509 -req -in ansible4.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out ansible4.crt -days 825 -sha256 -extfile ca_csr_answer.cfg
Signature ok
subject=C = MY, ST = Selangor, L = Subang, O = JazakAllah Info, OU = Blog, CN = ansible4.jazakallah.info
Getting CA Private Key
Enter pass phrase for myCA.key:
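A check worth running after signing, as an added example that is not part of the original post: `openssl x509 -req` does not copy the extensions requested in the CSR, so the SAN reaches the certificate only through `-extfile`. The script signs the same CSR both ways with a throwaway CA and verifies chain, SAN and key match; the names `demo-root-ca` and `nosan.crt` and the helper functions are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Throwaway keys in a temp dir: no CA
# passphrase and 2048-bit keys (assumptions, to keep the demo quick and unattended).

# check_cert CA CERT KEY DNSNAME -> 0 ok, 1 chain fails, 2 SAN missing, 3 key mismatch
check_cert() {
    local ca=$1 crt=$2 key=$3 dns=$4
    # 1. The certificate must chain to the CA that clients will be told to trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    # 2. The hostname must be in the issued certificate's SAN, not only in the CSR.
    openssl x509 -in "$crt" -noout -text | grep -qF "DNS:$dns" || return 2
    # 3. The private key to be installed must match the certificate's public key.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 3
}

# make_demo DIR: demo CA, server key, a CSR requesting the page's SANs, and the extfile
make_demo() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=demo-root-ca" \
        -keyout "$d/myCA.key" -out "$d/myCA.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ansible4.jazakallah.info" \
        -addext "subjectAltName=DNS:ansible4.jazakallah.info,IP:192.168.121.210" \
        -keyout "$d/ansible4.key" -out "$d/ansible4.csr" 2>/dev/null
    printf '%s\n' 'subjectAltName = @alt_names' '[alt_names]' \
        'DNS.1 = ansible4.jazakallah.info' 'IP.1 = 192.168.121.210' > "$d/ca_csr_answer.cfg"
}

# sign DIR OUT [extra x509 options]: the signing command from the post, non-interactive
sign() {
    local d=$1 out=$2; shift 2
    openssl x509 -req -in "$d/ansible4.csr" -CA "$d/myCA.pem" -CAkey "$d/myCA.key" \
        -CAcreateserial -out "$out" -days 825 -sha256 "$@" 2>/dev/null
}

# run_demo: sign the same CSR without and with -extfile and report check_cert's result
run_demo() {
    local d rc_plain=0 rc_ext=0
    d=$(mktemp -d) && make_demo "$d" || return 1
    sign "$d" "$d/nosan.crt"
    sign "$d" "$d/ansible4.crt" -extfile "$d/ca_csr_answer.cfg"
    check_cert "$d/myCA.pem" "$d/nosan.crt" "$d/ansible4.key" ansible4.jazakallah.info || rc_plain=$?
    check_cert "$d/myCA.pem" "$d/ansible4.crt" "$d/ansible4.key" ansible4.jazakallah.info || rc_ext=$?
    rm -rf "$d"
    echo "without -extfile: $rc_plain, with -extfile: $rc_ext"
}
run_demo
```

Pointed at the real `myCA.pem`, `ansible4.crt` and `ansible4.key`, `check_cert` returns 0 only when all three checks pass.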
[mhaque@munshi-lab ssl_cert]$ openssl x509 -in ansible4.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
76:48:67:a7:57:b8:2f:0c:d0:f8:7a:fb:44:34:bb:80:54:df:3b:01
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = MY, ST = Selangor, L = Subang, O = JazakAllah Info, OU = IT, CN = munshi-lab.jazakallah.info, emailAddress = root@jazakallah.info
Validity
Not Before: Nov 4 13:<