ETH CxS install machine_certificates
General
Installs machine certificates to access the ETH CxS network.

The playbook installs the ETH root intermediate certificate and the other certificates that are used, generates a CSR (certificate signing request), sends a JSON request to the internal webservice API of the PKI frontend, downloads the certificate as a binary-encoded payload file, converts the downloaded payload to a PEM-formatted certificate, and then transfers the key and certificate to the client and applies them with a NetworkManager profile. After a reboot the machine is in the destination network.
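The certificate steps just described, as an added shell example that is not the role's own code. It assumes the openssl CLI is installed; the variable names mirror the role variables (certificate_default_bits, certificate_default_md, set_cert_ou, FQDN, DNS, ssid). The call to the PKI frontend webservice is replaced by a constructed stand-in (mock_pki_response) that self-signs the CSR, so the pipeline can be exercised offline; the nmcli command is only printed, and the CA path and the reading of DNS as the RADIUS server name to match are assumptions.

```shell
#!/bin/sh
# Added example (not the role's own code): key/CSR generation, DER-to-PEM
# conversion, key/cert consistency check, renewal check and the NetworkManager
# profile command. Assumes the openssl CLI; variable names mirror the role.
set -eu

certificate_default_bits="${certificate_default_bits:-4096}"
certificate_default_md="${certificate_default_md:-sha256}"
set_cert_ou="${set_cert_ou:-mavt-managed}"
FQDN="${FQDN:-d.ethz.ch}"
DNS="${DNS:-radius-service.ethz.ch}"
ssid="${ssid:-eth}"

# gen_csr <workdir> <hostname>: write machine.key (mode 0600) and machine.csr
# into <workdir>, check the CSR's self-signature and print its subject.
gen_csr() {
  workdir="$1"; host="$2"
  umask 077   # the private key never becomes world-readable
  openssl req -new -newkey "rsa:${certificate_default_bits}" -nodes \
    "-${certificate_default_md}" \
    -subj "/OU=${set_cert_ou}/CN=${host}.${FQDN}" \
    -keyout "${workdir}/machine.key" -out "${workdir}/machine.csr" 2>/dev/null
  openssl req -in "${workdir}/machine.csr" -noout -verify >/dev/null 2>&1
  openssl req -in "${workdir}/machine.csr" -noout -subject
}

# mock_pki_response <csr> <key> <out.der>: constructed stand-in for the PKI
# frontend. The real service signs the CSR with the ETH CA; here the CSR is
# self-signed for one day so the remaining steps can run offline.
mock_pki_response() {
  openssl x509 -req -in "$1" -signkey "$2" -days 1 -outform DER -out "$3" 2>/dev/null
}

# der_to_pem <in.der> <out.pem>: the downloaded payload is binary (DER);
# NetworkManager wants PEM.
der_to_pem() {
  openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# cert_matches_key <cert.pem> <key.pem>: print "match" if the certificate
# carries the public half of the key, "mismatch" otherwise. Catches a wrong
# or stale key before a broken profile is pushed to the client.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# needs_renewal <cert.pem> <days>: print "renew" if the certificate expires
# within <days>, "ok" otherwise (one way to realise days_until_renew).
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    echo ok
  else
    echo renew
  fi
}

# nm_profile_command <host> <cert.pem> <key.pem> <ca.pem>: print the nmcli
# command for an EAP-TLS Wi-Fi profile. Assumed: ssid is the Wi-Fi network and
# DNS is the RADIUS server name the client must match (domain-suffix-match).
nm_profile_command() {
  printf 'nmcli connection add type wifi con-name "%s" ifname "*" ssid "%s" ' "$ssid" "$ssid"
  printf 'wifi-sec.key-mgmt wpa-eap 802-1x.eap tls 802-1x.identity "%s" ' "$1.${FQDN}"
  printf '802-1x.client-cert "%s" 802-1x.private-key "%s" ' "$2" "$3"
  printf '802-1x.ca-cert "%s" 802-1x.domain-suffix-match "%s"\n' "$4" "$DNS"
}

# Run with "demo" as the first argument to exercise the pipeline in a temp dir.
# The CA path below is a placeholder, not the role's real file location.
demo() {
  d=$(mktemp -d)
  gen_csr "$d" "$(uname -n)"
  mock_pki_response "$d/machine.csr" "$d/machine.key" "$d/cert.der"
  der_to_pem "$d/cert.der" "$d/cert.pem"
  echo "key/cert: $(cert_matches_key "$d/cert.pem" "$d/machine.key")"
  echo "renewal within 30 days: $(needs_renewal "$d/cert.pem" 30)"
  nm_profile_command "$(uname -n)" "$d/cert.pem" "$d/machine.key" /path/to/eth-root-intermediate.pem
  rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

The key/cert match and the checkend-based renewal test are the two checks worth running on the client after the role has applied the profile: the first tells you the transferred key really belongs to the downloaded certificate, the second gives the renewal trigger the role's days_until_renew variable reserves but does not yet implement.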
Requirements
- ETH PKI frontend (https://pki-frontend.ethz.ch)
- Webservice for the certificate profile, created by Wolfgang Sichler, ID Applications (e.g. ETHZ MZ Auto Linux Ansi MAVT)
- Access to the webservice with a dedicated Active Directory user (e.g. MAVT: sa_pki-accwsmavt), including a keystore
- Active Directory group for Linux client access (e.g. MAVT-managed-certifikate); the Linux client has to be a member of that group
- Network-managed client IP range (e.g. MAVT: 10.145.x.x)
- ETH root intermediate certificate
Role Variables
Variable | Required | Default | Type | Comments |
---|---|---|---|---|
set_cert_ou | yes | true | string | e.g. mavt-managed |
certificateProfileName | yes | none | string | e.g. ETHZ_MZ_Auto_Linux_Ansi_MAVT |
active_directory_pki_user | yes | none | string | e.g. sa_pki-accwsmavt |
active_directory_pki_user_pw | yes | none | string | "password" |
keystore_certificate | yes | none | string | e.g. keystore_sa_pki-accwsmavt.crt.pem |
keystore_certificate_password | yes | none | string | "password" |
keystore_certificate_key | yes | none | string | e.g. keystore_sa_pki-accwsmavt.key.pem |
root_server | yes | none | string | e.g. root-mavt.s4d.ethz.ch |
enrollment_server | yes | true | string | default: id-s4d-s06.ethz.ch |
DNS | yes | true | string | default: radius-service.ethz.ch |
ssid | yes | true | string | default: eth |
certificate_default_bits | yes | true | string | default: 4096 |
certificate_default_md | yes | true | string | default: sha256 |
FQDN | yes | yes | string | default: d.ethz.ch |
days_until_renew | no | yes | string | default: 30 (not implemented!) |
Dependencies
- Ansible Pull
- Jammy_net role (network implementation with certificate)
Example Playbook
```yaml
---
- hosts: all
  vars:
    machine_certificates_conf: true
    set_cert_ou: mavt-managed
    certificateProfileName: ETHZ_MZ_Auto_Linux_Ansi_MAVT
  roles:
    - machine_certificates
...
```
License
BSD
Author Information
Maintainer: Andi Bartholet
Support contact: s4d-linux-support@id.ethz.ch