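---
# Certificate lifecycle for the nodes in the `ise_servers` group:
#   1. generate a CSR on the node,
#   2. wait for an operator to get it signed by the CA,
#   3. bind the CA-signed certificate to the node.
# Connection details (ise_hostname, ise_username, ise_password, ise_verify)
# are expected to come from inventory or extra vars.
- hosts: ise_servers
  gather_facts: false
  name: Certificate management
  tasks:
    # - name: Import certificate into ISE node
    #   cisco.ise.trusted_certificate_import:
    #     ise_hostname: "{{ ise_hostname }}"
    #     ise_username: "{{ ise_username }}"
    #     ise_password: "{{ ise_password }}"
    #     ise_verify: "{{ ise_verify }}"
    #     data: "{{ lookup('file', item) }}"
    #     description: Root CA public certificate
    #     name: RootCert
    #     allowBasicConstraintCAFalse: true
    #     allowOutOfDateCert: false
    #     allowSHA1Certificates: true
    #     trustForCertificateBasedAdminAuth: true
    #     trustForCiscoServicesAuth: true
    #     trustForClientAuth: true
    #     trustForIseAuth: true
    #     validateCertificateExtensions: true
    #   with_fileglob:
    #     - "/Users/rcampos/Downloads/RootCACert.pem"

    - name: Generate CSR
      cisco.ise.csr_generate:
        ise_hostname: "{{ ise_hostname }}"
        ise_username: "{{ ise_username }}"
        ise_password: "{{ ise_password }}"
        ise_verify: "{{ ise_verify }}"
        # Wildcard CSRs widen the blast radius of a key compromise; keep this
        # true only if the CN/SAN really needs to be a wildcard.
        allowWildCardCert: true
        subjectCommonName: ise.securitydemo.net
        subjectOrgUnit: Sample OU
        subjectOrg: Sample Org
        subjectCity: San Francisco
        subjectState: CA
        subjectCountry: US
        keyType: ECDSA
        # 1024 is an RSA key size; ECDSA keys in ISE are 256 or 384 bits, so the
        # original `keyLength: 1024` paired with keyType ECDSA would be rejected
        # (and 1024-bit RSA would be too weak anyway) — confirm against your ISE version.
        keyLength: 256
        digestType: SHA-256
        # Was "MULTI-USEw" (trailing typo), which is not a valid usedFor value.
        usedFor: MULTI-USE
      register: result

    - name: Set ID value to variable
      ansible.builtin.set_fact:
        # The CSR id is needed later to bind the signed certificate to this request.
        csr_id: "{{ result['ise_response']['response'][0]['id']}}"
      # In check mode csr_generate does not run, so there is no response to read.
      when: not ansible_check_mode

    - name: Pause until the CSR has been signed by the CA
      ansible.builtin.pause:
        prompt: "Have the CSR signed by the CA and place the signed certificate at the path used by the bind task, then press Enter"

    - name: Bind Signed Certificate
      cisco.ise.bind_signed_certificate:
        ise_hostname: "{{ ise_hostname }}"
        ise_username: "{{ ise_username }}"
        ise_password: "{{ ise_password }}"
        ise_verify: "{{ ise_verify }}"
        admin: true
        allowExtendedValidity: true
        # NOTE(review): this accepts a certificate that is already expired or not
        # yet valid; set it to false unless that is intentional for a lab.
        allowOutOfDateCert: true
        allowReplacementOfCertificates: true
        allowReplacementOfPortalGroupTag: true
        data: "{{ lookup('file', item) }}"
        # hostName is the ISE node the certificate is bound to, not the CN of the certificate.
        hostName: ise.securitydemo.net
        name: My Signed Certificate
        validateCertificateExtensions: true
        id: "{{ csr_id }}"
        # One certificate is assigned to every service role at once.
        eap: true
        radius: true
        pxgrid: true
        ims: true
        portal: true
      # NOTE(review): the filename suggests the root CA certificate, but the file
      # bound here must be the CA-signed certificate issued for the CSR above —
      # confirm, and consider moving the absolute user-home path into a variable.
      with_fileglob:
        - /Users/rcampos/Downloads/RootCACert.pem
      when: not ansible_check_mode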