System CA certificates
On Debian GNU/Linux and its derivative distributions, management of Root Certificate Authority certificates is performed by the ca-certificates package. This package maintains a list of active Root CA certificates in the /etc/ca-certificates.conf configuration file, and stores the certificates themselves in the /etc/ssl/certs/ directory.
The debops.pki role has several variables which can be used to control which Root Certificate Authorities are trusted by the system, and it supports easy installation of local or custom Root Certificate Authorities.
Configuration of system CA certificates
The /etc/ca-certificates.conf configuration file specifies which certificates will be trusted by the system. This is done by listing the names of certificate files located in the /usr/share/ca-certificates/ directory. The listed certificate files will be included in the system CA store. If a given filename is prefixed with !, that certificate will be excluded from the system CA store.
By default, Debian hosts automatically trust new Root Certificate Authorities added in the ca-certificates package. To control this, you can use the pki_system_ca_certificates_trust_new boolean variable. Setting this variable to True will ensure that new Root CA certificates are trusted. Setting it to False will not enable new CA certificates automatically.
You can use the pki_system_ca_certificates_blacklist and pki_system_ca_certificates_whitelist list variables to define which certificates will be excluded from or included in the CA store. Each list element is a regexp matched against the certificate file name. If a given file matches entries in both lists, it will be excluded from the certificate store.
To find out the names of the certificate files you can use, check the contents of the /etc/ca-certificates.conf configuration file.
Examples
Blacklist all certificates:
pki_system_ca_certificates_blacklist:
- '.*'
Blacklist all certificates provided in the Mozilla CA list:
pki_system_ca_certificates_blacklist:
- 'mozilla/.*'
Blacklist all VeriSign certificates:
pki_system_ca_certificates_blacklist:
- '.*VeriSign.*'
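The selection rules above (regexp lists, the blacklist winning over the whitelist, and the ! prefix in /etc/ca-certificates.conf), worked through as an added Python example that is not part of the debops.pki role. The sample configuration contents are constructed, and matching each pattern anywhere in the file name with re.search is an assumption about how the role applies the regexps.

```python
import re

# Constructed sample of an /etc/ca-certificates.conf file (not from a real host).
# Comment lines start with '#'; a leading '!' marks a deselected certificate.
SAMPLE_CONF = """\
# Generated by update-ca-certificates (constructed sample)
mozilla/DigiCert_Global_Root_CA.crt
!mozilla/Old_Distrusted_Root.crt
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_G5.crt
spi-inc.org/spi-cacert-2008.crt
"""

def parse_ca_conf(text):
    """Return [(filename, enabled)] parsed from ca-certificates.conf text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            entries.append((line[1:], False))
        else:
            entries.append((line, True))
    return entries

def apply_policy(entries, blacklist=(), whitelist=()):
    """Apply the regexp lists: a blacklisted file is excluded even if it is
    also whitelisted, a whitelisted file is (re-)enabled, and unmatched files
    keep their current state. Assumption: patterns are matched with re.search."""
    result = []
    for name, enabled in entries:
        if any(re.search(p, name) for p in blacklist):
            enabled = False
        elif any(re.search(p, name) for p in whitelist):
            enabled = True
        result.append((name, enabled))
    return result

def enabled_names(entries):
    """File names that would end up in the system CA store."""
    return [name for name, enabled in entries if enabled]

def render_ca_conf(entries):
    """Write entries back in ca-certificates.conf syntax ('!' = excluded)."""
    return "".join((name if enabled else "!" + name) + "\n"
                   for name, enabled in entries)
```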
Local Root CA certificates
The contents of the secret/pki/ca-certificates/ directory located on the Ansible Controller will be copied by the debops.pki role to the /usr/local/share/ca-certificates/pki/ directory on all of the remote hosts. After that, they will be automatically added to the system Root CA store using the update-ca-certificates script.
Note that CA certificates with the same name that are already present on remote hosts are not updated after the first download unless the CA certificates are by host.
The internal Root Certificate Authorities created by the debops.pki role will have their certificates automatically symlinked in the secret/pki/ca-certificates/ directory. You can prevent that by adding an item.system_ca: False parameter in the CA configuration variable.