TLS SSL Certificates
TODO: document how to renew certificates.
Site certificates came from GoDaddy. GSA offers external certificates for free.
Each host is configured with a GSA internal host certificate. Internal network traffic should be encrypted over TLS/SSL. This is also required for security compliance.
We use a single certificate per inventory/environment. Wildcard certificates are not allowed by GSA, so we include all hosts via Subject Alternative Names (SANs). To get a new certificate from GSA:
- Create a CSR per steps below.
- Submit a Service Now request to GSA. Once approved by your supervisor, you can attach the CSR to the request.
- GSA will attach the signed certificate to the ticket.
We have a bash script to generate the CSR for you. First, change directory to `/ansible`.

```sh
$ cd ansible
```

If you have existing keys in the ansible vault, you must copy them to `gen-csr-out`, following the name template `data-gov-bsp-<inventory>.key`. If you do not copy the keys, new keys will be generated. Pull requests welcome.

Run `gen-csr.sh` with the inventory name.

```sh
$ ./bin/gen-csr.sh staging
```

The script reads all hosts from the inventory and generates a CSR that includes all necessary SANs. The CSR is created in `/ansible/gen-csr-out`. You can inspect the CSR with `openssl`.

```sh
$ openssl req -text -noout -in gen-csr-out/data-gov-bsp-staging.csr
```
The GSA certificate is in PEM format. It can be added to the inventory as a variable.
If you created a new key, you must copy the key into the ansible vault.
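As an added example (not the project's own `gen-csr.sh`), the Python script below shows the essential steps of the procedure above: it collects host names from a constructed Ansible INI inventory, writes an `openssl req` config whose `[alt_names]` section lists every host as a DNS SAN, and reuses `gen-csr-out/data-gov-bsp-<inventory>.key` when one was copied from the vault, otherwise generating a new key. Using the first (sorted) host as the CN and an RSA 2048-bit key are assumptions, not something the page specifies.

```python
import os, shlex, shutil, subprocess

# Constructed sample inventory in Ansible INI format (not the project's real one).
SAMPLE_INVENTORY = """\
[web]
web1.staging.example.gov ansible_host=10.0.0.11
web2.staging.example.gov ansible_host=10.0.0.12
[db]
db1.staging.example.gov
[staging:children]
web
db
"""

def parse_inventory_hosts(text):
    """Sorted, de-duplicated host names; [group:children] and [group:vars] hold none."""
    hosts, skip = set(), False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            skip = ":" in line  # e.g. [staging:children] lists groups, not hosts
        elif line and not skip:
            hosts.add(line.split()[0])  # first token is the host, the rest are host vars
    return sorted(hosts)

def build_req_config(hosts):
    """openssl req config: CN = first host (assumption), every host becomes a DNS SAN."""
    alt_names = "\n".join(f"DNS.{i} = {h}" for i, h in enumerate(hosts, 1))
    return (f"[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = san\n"
            f"[dn]\nCN = {hosts[0]}\n[san]\nsubjectAltName = @alt_names\n"
            f"[alt_names]\n{alt_names}\n")

def openssl_argv(inventory, key_exists, outdir="gen-csr-out"):
    """Reuse gen-csr-out/data-gov-bsp-<inventory>.key if present, else mint a new key."""
    base = os.path.join(outdir, f"data-gov-bsp-{inventory}")
    cmd = ["openssl", "req", "-new", "-config", base + ".cnf", "-out", base + ".csr"]
    if key_exists:
        return cmd + ["-key", base + ".key"]
    return cmd + ["-newkey", "rsa:2048", "-nodes", "-keyout", base + ".key"]

if __name__ == "__main__":
    hosts = parse_inventory_hosts(SAMPLE_INVENTORY)
    os.makedirs("gen-csr-out", exist_ok=True)
    with open("gen-csr-out/data-gov-bsp-staging.cnf", "w") as f:
        f.write(build_req_config(hosts))
    argv = openssl_argv("staging", os.path.exists("gen-csr-out/data-gov-bsp-staging.key"))
    print(shlex.join(argv))
    if shutil.which("openssl"):  # run it only where the openssl CLI is available
        subprocess.run(argv, check=True)
```

After running it, the same `openssl req -text -noout -in gen-csr-out/data-gov-bsp-staging.csr` inspection shown above should list every inventory host under `X509v3 Subject Alternative Name`.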