community.crypto
Additional Required Attributes openssl_csr
SUMMARY
I need to be able to apply required attributes to the CSR to support NDES. The cert issuer is AD CS with the NDES application.
ISSUE TYPE
- Feature Idea
COMPONENT NAME
openssl_csr
ADDITIONAL INFORMATION
The current process uses the template module to create an openssl config file:
[req]
default_bits={{ certreq_bits }}
prompt=no
default_md={{ certreq_md }}
req_extensions=req_ext
distinguished_name=dn
string_mask=nombstr
utf8=no
attributes=req_attributes
[ req_attributes ]
challengePassword={{ certreq_challenge_password }}
[ dn ]
C={{ certreq_dn_country }}
ST={{ certreq_dn_state }}
L={{ certreq_dn_location }}
O={{ certreq_dn_org }}
OU={{ certreq_dn_ou }}
CN={{ certreq_dn_cn }}
[ req_ext ]
subjectAltName=@alt_names
[ alt_names ]
{% for san in certreq_san_list %}
DNS.{{ loop.index }}={{ san }}
{% endfor %}
From research, trial, and error, the pieces I need to be able to add to the CSR from the above example are:
string_mask=nombstr
utf8=no
attributes=req_attributes
[ req_attributes ]
challengePassword={{ certreq_challenge_password }}
The next logical step is to generate the CSR.
- name: "Generate the CSR"
  become: true
  become_user: root
  command: |-
    openssl req -new -{{ certreq_md }}
    -nodes -out {{ certreq_csr }}
    -newkey rsa:{{ certreq_bits }}
    -keyout {{ certreq_key }}
    -config {{ certreq_config }}
At this point I can use sscep to submit the CSR to the NDES app on AD CS.
Using v2.2.4 of the community.crypto collection.
[ansible@ansibledev ~]$ ansible-galaxy collection list | grep community.crypto
community.crypto 2.2.4
Thank you for your consideration.
Related to #401.
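The config-file route the issue describes, as an added example that is not code from the issue or from the community.crypto collection: a POSIX shell script that renders the same [req] configuration (including the string_mask, utf8 and attributes= lines identified above), generates the key and CSR with openssl req, and then inspects the encoded request to confirm that the PKCS#9 challengePassword attribute (the value NDES/SCEP enrollment checks) and the DNS SANs were actually emitted. It assumes only the openssl(1) CLI on PATH; the hostnames, DN values and password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the issue or from community.crypto.
# Renders an openssl config equivalent to the issue's template, builds a
# CSR from it, and checks the encoded request for the challengePassword
# attribute and the requested SANs.
# Assumes: openssl(1) on PATH. Names, DN values and the password below are
# constructed placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Render the config. $1 = path, $2 = challenge password, $3 = CN,
# $4.. = DNS SANs. string_mask/utf8/attributes= are the lines the issue
# found necessary; without attributes=req_attributes openssl req emits no
# request attributes at all, so the challenge password never reaches the CSR.
write_config() {
  cfg="$1"; pw="$2"; cn="$3"; shift 3
  {
    printf '[req]\ndefault_bits=2048\nprompt=no\ndefault_md=sha256\n'
    printf 'req_extensions=req_ext\ndistinguished_name=dn\n'
    printf 'string_mask=nombstr\nutf8=no\nattributes=req_attributes\n'
    printf '[ req_attributes ]\nchallengePassword=%s\n' "$pw"
    printf '[ dn ]\nC=US\nST=Washington\nL=Seattle\nO=Example Org\nOU=IT\nCN=%s\n' "$cn"
    printf '[ req_ext ]\nsubjectAltName=@alt_names\n[ alt_names ]\n'
    i=1
    for san in "$@"; do
      printf 'DNS.%d=%s\n' "$i" "$san"
      i=$((i + 1))
    done
  } > "$cfg"
}

# Generate a fresh RSA key and the CSR: $1 = config, $2 = key out, $3 = CSR out.
# The key is written unencrypted (-nodes), as in the issue's task; rely on
# file permissions to protect it.
generate_csr() {
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -keyout "$2" -out "$3" -config "$1" 2>"$WORK/openssl.err" ||
    { cat "$WORK/openssl.err" >&2; return 1; }
}

# Return 0 if the request's DER carries challengePassword with value $2.
# asn1parse names the attribute OID on one line and, two lines later
# (after the SET), prints the string value as ":<value>".
csr_has_challenge_password() {
  openssl asn1parse -in "$1" | grep -A2 ':challengePassword' | grep -q ":${2}\$"
}

# Return 0 if the requested extensions include a DNS SAN for $2.
csr_has_dns_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Return 0 if the request's self-signature verifies (the CA checks this too).
csr_signature_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Stand-alone run: a request for two constructed hostnames.
main() {
  write_config "$WORK/req.cnf" 'Sup3rS3cret' app1.example.test \
    app1.example.test app2.example.test
  generate_csr "$WORK/req.cnf" "$WORK/req.key" "$WORK/req.csr"
  csr_has_challenge_password "$WORK/req.csr" 'Sup3rS3cret' ||
    { echo "challengePassword attribute missing from CSR" >&2; exit 1; }
  echo "challengePassword attribute present"
  csr_has_dns_san "$WORK/req.csr" app2.example.test ||
    { echo "DNS SAN missing from CSR" >&2; exit 1; }
  echo "SAN DNS:app2.example.test present"
  csr_signature_ok "$WORK/req.csr" ||
    { echo "CSR self-signature failed" >&2; exit 1; }
  echo "CSR self-signature OK; ready to hand to sscep"
}
main
```

Two practitioner caveats follow from this. The challenge password is embedded in the CSR, so the CSR file (and any task output that echoes it) is sensitive for as long as the password is valid; in Ansible, give the task `no_log: true` and remove the CSR once enrollment succeeds. And because the values are interpolated into an openssl config file, a value containing a newline would inject further config directives, so the Jinja2 variables feeding such a template should come from trusted inventory, not from arbitrary input. OpenSSL 3 also marks `-nodes` deprecated in favour of `-noenc`, but still accepts it with a warning.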
+1