it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Revoke already issued certificates on re-enroll

Browse source
This commit is contained in:
Finn Hercke 2025-03-11 12:49:33 +01:00
parent 831f453512
commit 4b982205ba
1 changed files with 35 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
roles/lmn_wlan_8021x/tasks/main.yml
View file

@ -3,6 +3,34 @@
community.crypto.openssl_privatekey: community.crypto.openssl_privatekey:
path: /etc/ssl/private/{{ ssid }}.key path: /etc/ssl/private/{{ ssid }}.key
- name: Check if a certificate is already issued to client
stat:
path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
register: cert_already_issued
delegate_to: radius_server
- name: Revoke already existing client certificate
community.crypto.x509_crl:
path: "/etc/freeradius/3.0/certs/ca.crl"
privatekey_path: "/etc/freeradius/3.0/certs/ca.key"
privatekey_passphrase: "{{ radiusca_password }}"
crl_mode: "update"
issuer:
C: "DE"
ST: "Baden-Wuerttemberg"
L: "Reutlingen"
O: "Ferdinand-von-Steinbeis-Schule Reutlingen"
emailAddress: "admin@steinbeis.schule"
CN: "Radius Certificate Authority"
last_update: "+0s"
next_update: "+365d"
revoked_certificates:
- path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
revocation_date: 20250311120100Z
reason: "unspecified"
delegate_to: radius_server
when: cert_already_issued.stat.exists
- name: Create CSR for client certificate - name: Create CSR for client certificate
community.crypto.openssl_csr_pipe: community.crypto.openssl_csr_pipe:
common_name: "{{ ansible_hostname }}" common_name: "{{ ansible_hostname }}"
@ -32,24 +60,19 @@
mode: '0755' mode: '0755'
delegate_to: radius_server delegate_to: radius_server
- name: Copy client certificate to radius-server
ansible.builtin.copy:
dest: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
mode: "0644"
content: "{{ certificate.certificate }}"
delegate_to: radius_server
- name: Write certificate to client - name: Write certificate to client
ansible.builtin.copy: ansible.builtin.copy:
dest: /etc/ssl/certs/{{ ssid }}.crt dest: /etc/ssl/certs/{{ ssid }}.crt
mode: '0644' mode: '0644'
content: "{{ certificate.certificate }}" content: "{{ certificate.certificate }}"
- name: Extract Serial from Certificate
ansible.builtin.command: 'openssl x509 -noout -serial -in /etc/ssl/certs/{{ ssid }}.crt'
register: cert_serial
changed_when: cert_serial.rc != 0
- name: Create issued-Notice-file on radius-server
ansible.builtin.copy:
dest: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}"
mode: '0644'
content: "{{ cert_serial.stdout }}"
delegate_to: radius_server
- name: Check if NetworkManager config exists {{ ssid }} - name: Check if NetworkManager config exists {{ ssid }}
ansible.builtin.stat: ansible.builtin.stat:
path: /etc/NetworkManager/system-connections/{{ ssid }}.nmconnection path: /etc/NetworkManager/system-connections/{{ ssid }}.nmconnection