How to extract .crt and .key from a .pem file in Ansible



I am using the openssl_pkcs12 module and I can extract the *.crt (CERTIFICATE) from the *.pem file, but I don't know how to extract the *.key (key).

Code example (create the certificate and extract the certificate from the file):

- name: Generate PKCS#12 file
  local_action:
    module: openssl_pkcs12
    action: export
    path: /tmp/pkcs/ansible.p12
    friendly_name: raclette
    privatekey_path: /tmp/pkcs/key.pem
    certificate_path: /tmp/pkcs/cert.pem
    state: present

- name: Dump/Parse PKCS#12 file
  local_action:
    module: openssl_pkcs12
    action: parse
    src: /tmp/pkcs/ansible.p12
    path: /tmp/pkcs/ansible.pem
    state: present

Then, if I simply sdiff the two files, I can see that the CERTIFICATE matches exactly. The key.pem file:

$ cat key.pem
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----

The cert.pem file:

$ cat cert.pem
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Then, to build the complete .pem file, simply run: cat cert.pem key.pem > complete.pem. More information can be found here (How to get a .pem file from .key and .crt files?).

Currently I am using the shell module; example below:

- name: Export Cert from Certificate
  shell: "openssl pkcs12 -in {{ fullFile }} -nokeys -out {{ certFile }} -passin pass:{{ password }}"
  delegate_to: localhost

- name: Export Key from Certificate
  shell: "openssl pkcs12 -in {{ fullFile }} -nocerts -nodes -out {{ keyFile }} -passin pass:{{ password }}"
  delegate_to: localhost

I searched online for alternative modules, e.g. (openssl_certificate, openssl_csr and openssl_privatekey). Is there any other Ansible module that can extract the key.pem?

Very basic solution, but here we go...

From your previous task, you get a file /tmp/ansible.pem containing the private key and the certificate. Basically:

-----BEGIN PRIVATE KEY-----
[Key content here]
[...]
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[Cert content here]
[...]
-----END CERTIFICATE-----

The following tasks will read the file and extract each element.

Notes

  • I did all my tests locally, so I use the file lookup to get the content. If the file is on the remote machine, you will have to adapt the below and either get the content locally or fetch the file
  • By default, the cert regex will be greedy and return all the certs in the pem file if there are several. If you want each individual cert, you will have to adapt this as well and extract several times
- name: Get the key part
  debug:
    msg: >-
      {{
        lookup('file', '/tmp/ansible.pem') |
        regex_replace("[\\s\\S]*(-----BEGIN PRIVATE KEY-----[\\s\\S]*-----END PRIVATE KEY-----)[\\s\\S]*", "\\1")
      }}

- name: Get the cert part
  debug:
    msg: >-
      {{
        lookup('file', '/tmp/ansible.pem') |
        regex_replace("[\\s\\S]*(-----BEGIN CERTIFICATE-----[\\s\\S]*-----END CERTIFICATE-----)[\\s\\S]*", "\\1")
      }}
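The same split the regex_replace tasks above perform, as an added Python example that is not part of the question or the answer; it also covers the several-certificates case from the note by returning each CERTIFICATE block separately instead of one greedy match. The sample bundle and its base64 bodies are constructed placeholders, not real key material.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout the answer describes: one private key
# followed by certificate blocks. Bodies are placeholder base64, not real keys.
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQ
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQ
-----END CERTIFICATE-----
"""

# One PEM block. The body class excludes '-', so a match can never run past
# its own END line; the backreference forces BEGIN and END labels to agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)


def split_pem(bundle: str) -> Dict[str, List[str]]:
    """Group every PEM block in `bundle` by label, preserving file order.

    Values are complete blocks (armour lines included, trailing newline added)
    so each one can be written to its own file unchanged.
    """
    blocks: Dict[str, List[str]] = {}
    for m in PEM_BLOCK.finditer(bundle):
        blocks.setdefault(m.group("label"), []).append(m.group(0) + "\n")
    return blocks


def extract_key_and_certs(bundle: str) -> Tuple[str, List[str]]:
    """Return (key_pem, [cert_pem, ...]) for a bundle like /tmp/ansible.pem.

    Any '... PRIVATE KEY' label is accepted (PKCS#8, RSA, EC). A bundle with
    zero or several keys is rejected rather than silently picking one.
    """
    blocks = split_pem(bundle)
    keys = [b for label, items in blocks.items()
            if label.endswith("PRIVATE KEY") for b in items]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    certs = blocks.get("CERTIFICATE", [])
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return keys[0], certs
```

Writing `key` to key.pem and `"".join(certs)` to cert.pem reproduces the two files the question compares with sdiff.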
