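--- a/examples/playbook/CFPOC_HAPROXY.yaml
+++ b/examples/playbook/CFPOC_HAPROXY.yaml
@@ -0,0 +1,30 @@
+config:
+connection:
+platform: vaas #cloudplatform
+credentials:
+apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+- name: haproxy # Task Identifier, can be used with
+renewBefore: 30d
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+keySize: 3072
+subject:
+commonName: '{{Env "DOMAINS"}}'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits:
+- vcert
+sanDNS:
+- '{{Env "DOMAINS"}}'
+zone: 'HAProxy\public_le'
+installations:
+- format: PEM
+file: "/etc/ssl/private/haproxy_443.pem"
+chainFile: "/etc/ssl/private/haproxy_443.chain"
+keyFile: "/etc/ssl/private/haproxy_443.key"
+afterInstallAction: "cat /etc/ssl/private/haproxy_443.chain >> /etc/ssl/private/haproxy_443.pem && cat /etc/ssl/private/haproxy_443.key >> /etc/ssl/private/haproxy_443.pem && systemctl restart haproxy"
+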
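Review bot: The `afterInstallAction` appends `/etc/ssl/private/haproxy_443.key` to `haproxy_443.pem`, so the combined file now carries the private key, but nothing in the playbook sets its mode or owner. Which permissions vcert applies to `file` is not visible in this section, so I would make it explicit by inserting `chmod 600 /etc/ssl/private/haproxy_443.pem &&` before `systemctl restart haproxy`. The comment on `name: haproxy` also stops mid-sentence ("can be used with"); finish it or shorten it to `# Task identifier`, here and in CFPOC_HTTPD, CFPOC_NGINX, CFPOC_TOMCAT and CFPOC_TOMCAT_P12.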
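--- a/examples/playbook/CFPOC_HTTPD.yaml
+++ b/examples/playbook/CFPOC_HTTPD.yaml
@@ -0,0 +1,30 @@
+config:
+connection:
+platform: vaas #cloudplatform
+credentials:
+apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+- name: httpd # Task Identifier, can be used with
+renewBefore: 30d
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+keySize: 3072
+subject:
+commonName: '{{Env "DOMAINS"}}'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits:
+- vcert
+sanDNS:
+- '{{Env "DOMAINS"}}'
+zone: 'Apache\public_le'
+installations:
+- format: PEM
+file: "/etc/ssl/certs/apache_443.crt"
+chainFile: "/etc/ssl/certs/apache_443.chain.crt"
+keyFile: "/etc/ssl/private/apache_443.key"
+afterInstallAction: "systemctl restart apache2"
+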
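Review bot: `afterInstallAction: "systemctl restart apache2"` restarts the server without first checking that it can load the freshly written files, so a missing or unreadable certificate file takes the site down until someone intervenes. Running the syntax check first and reloading instead of restarting leaves the running server untouched when the check fails: `afterInstallAction: "apachectl configtest && systemctl reload apache2"`. That the check catches every bad certificate or key combination is not guaranteed, so the example should still recommend watching the service state after a renewal.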
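--- a/examples/playbook/CFPOC_NGINX.yaml
+++ b/examples/playbook/CFPOC_NGINX.yaml
@@ -0,0 +1,30 @@
+config:
+connection:
+platform: vaas #cloudplatform
+credentials:
+apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+- name: nginx # Task Identifier, can be used with
+renewBefore: 30d
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+keySize: 3072
+subject:
+commonName: '{{Env "DOMAINS"}}'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits:
+- vcert
+sanDNS:
+- '{{Env "DOMAINS"}}'
+zone: 'Nginx\public_le'
+installations:
+- format: PEM
+file: "/etc/ssl/certs/nginx_443.crt"
+chainFile: "/etc/ssl/certs/nginx_443.chain.crt"
+keyFile: "/etc/ssl/private/nginx_443.key"
+afterInstallAction: "cat /etc/ssl/certs/nginx_443.chain.crt >> /etc/ssl/certs/nginx_443.crt && systemctl reload nginx"
+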
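--- a/examples/playbook/CFPOC_TOMCAT.yaml
+++ b/examples/playbook/CFPOC_TOMCAT.yaml
@@ -0,0 +1,31 @@
+config:
+connection:
+platform: vaas #cloudplatform
+credentials:
+apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+- name: tomcat # Task Identifier, can be used with
+renewBefore: 30d
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+keySize: 3072
+subject:
+commonName: '{{Env "DOMAINS"}}'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits:
+- vcert
+sanDNS:
+- '{{Env "DOMAINS"}}'
+zone: 'Tomcat\public_le'
+installations:
+- format: JKS
+file: '/etc/ssl/private/tomcat_8443.jks'
+jksAlias: tomcat8443
+jksPassword: '{{ Env "KEYSTOREPASS" }}'
+afterInstallAction: "systemctl restart tomcat"
+backupFiles: true
+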
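Review bot: `backupFiles: true` appears only in this example, and for a keystore it presumably leaves the previous copy, private key included, next to `/etc/ssl/private/tomcat_8443.jks` after every renewal. How the backups are named and whether they are ever pruned is not visible here. I would either drop the setting to match the other CFPOC playbooks or document it on that line, e.g. `backupFiles: true  # keeps the previous keystore (with its private key); prune old copies`.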
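--- a/examples/playbook/CFPOC_TOMCAT_P12.yaml
+++ b/examples/playbook/CFPOC_TOMCAT_P12.yaml
@@ -0,0 +1,29 @@
+config:
+connection:
+platform: vaas #cloudplatform
+credentials:
+apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+- name: tomcat # Task Identifier, can be used with
+renewBefore: 30d
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+keySize: 3072
+subject:
+commonName: '{{Env "DOMAINS"}}'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits:
+- vcert
+sanDNS:
+- '{{Env "DOMAINS"}}'
+zone: 'Tomcat\public_le'
+installations:
+- format: PKCS12
+file: '/etc/ssl/private/tomcat_8443.p12'
+p12Password: '{{ Env "KEYSTOREPASS" }}'
+afterInstallAction: "systemctl restart tomcat"
+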
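--- a/examples/playbook/TLSDC_IIS_DefaultWebSite.yaml
+++ b/examples/playbook/TLSDC_IIS_DefaultWebSite.yaml
@@ -0,0 +1,32 @@
+config:
+connection:
+platform: tpp
+url: https://dc.tlsp.demo # URL to TPP instance
+credentials:
+accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'
+certificateTasks:
+- name: IIS # Task Identifier, no relevance in tool run
+renewBefore: 30d
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+keySize: 3072
+subject:
+commonName: '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits: [IIS]
+sanDNS:
+- '{{ Hostname | ToLower -}}.venafidemo.com'
+zone: 'Certificates\IIS\Pull'
+installations:
+- format: CAPI
+capiLocation: 'LocalMachine\MY'
+capiFriendlyName: 'vCert Playbook - TLSDC_IIS_DefaultWebSite'
+capiIsNonExportable: True
+afterInstallAction: Import-Module Webadministration; Get-WebBinding "Default Web Site" | where {($_.protocol -eq "https")} | % {$_.addsslcertificate($Env:VCERT_IIS_THUMBPRINT, "My")}
+
+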
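Review bot: `commonName` is built from `{{ Env "TLSPC_Hostname" }}.tlsp.demo`, but the only `sanDNS` entry is `{{ Hostname | ToLower -}}.venafidemo.com`, so the SAN does not cover the subject name. Clients match on the SAN, so the site would fail validation under its `.tlsp.demo` name. TLSDC_IIS_Demo uses the same template for both fields, which looks like the intent here as well: `- '{{ Env "TLSPC_Hostname" }}.tlsp.demo'`. TLSDC_US_IIS_No_Install and TLSDC_US_IIS_P12 mix `.mimdemo.com` and `.venafidemo.com` in the same way. Separately, the comment "no relevance in tool run" on `name:` is misleading here and in the other TLSDC/TLSPC playbooks, because the action reads `$Env:VCERT_IIS_THUMBPRINT`, which appears to be derived from the task name.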
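--- a/examples/playbook/TLSDC_IIS_Demo.yaml
+++ b/examples/playbook/TLSDC_IIS_Demo.yaml
@@ -0,0 +1,30 @@
+config:
+connection:
+platform: tpp
+url: https://dc.tlsp.demo # URL to TPP instance
+credentials:
+accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'
+certificateTasks:
+- name: IISDC # Task Identifier, no relevance in tool run
+renewBefore: 30d # or percentage like 30%
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+keySize: 3072
+subject:
+commonName: '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits: [IIS]
+sanDNS:
+- '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+zone: 'Certificates\IIS\Pull'
+installations:
+- format: CAPI
+capiLocation: 'LocalMachine\MY'
+capiFriendlyName: 'vCert Playbook - TLSDC_IIS_Demo' #when changing this also change the removal command below
+capiIsNonExportable: True
+afterInstallAction: Import-Module Webadministration; Get-WebBinding tlsDC_Pull | where {($_.protocol -eq "https")} | % {$_.addsslcertificate($Env:VCERT_IISDC_THUMBPRINT, "My")}; Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "vCert Playbook - TLSDC_IIS_Demo" -and $_.Thumbprint -ne $Env:VCERT_IISDC_THUMBPRINT } | ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -Force }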
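Review bot: The cleanup at the end of `afterInstallAction` deletes every certificate carrying this friendly name except the new thumbprint, and it runs even when the preceding `addsslcertificate` call failed, because PowerShell continues past a failed statement by default. In that case the certificate the site is still bound to gets removed. Starting the action with `$ErrorActionPreference = 'Stop';` stops the chain before the removal when the bind fails. A guard that skips the removal when `Get-WebBinding tlsDC_Pull` returned no https binding would cover the remaining case. TLSDC_RDP_Demo has the same set-then-delete sequence around `Set-WmiInstance`.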
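--- a/examples/playbook/TLSDC_RDP_Demo.yaml
+++ b/examples/playbook/TLSDC_RDP_Demo.yaml
@@ -0,0 +1,33 @@
+certificateTasks:
+- name: RDP # Task Identifier, no relevance in tool run
+renewBefore: 30d # or percentage like 30%
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+keySize: 3072
+subject:
+commonName: '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits: [RDP]
+zone: 'Certificates\Demo Operational\Pull\RDP'
+location:
+instance: '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+tlsAddress: '{{ Env "TLSPC_Hostname" }}.tlsp.demo:3389'
+zone: 'Installations\Agentless\SLC\Demo Operational\Pull\RDP'
+replace: true
+installations:
+- format: CAPI
+capiLocation: 'LocalMachine\MY'
+capiFriendlyName: 'vCert Playbook - TLSDC_RDP_Demo' #when changing this also change the removal command below
+capiIsNonExportable: True
+afterInstallAction: $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path; $result = Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="$Env:VCERT_RDP_THUMBPRINT"}; Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "vCert Playbook - TLSDC_RDP_Demo" -and $_.Thumbprint -ne $Env:VCERT_RDP_THUMBPRINT } | ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -Force }
+config:
+connection:
+platform: tpp
+url: https://dc.tlsp.demo # URL to TPP instance
+credentials:
+accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'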
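--- a/examples/playbook/TLSDC_US_IIS_No_Install.yaml
+++ b/examples/playbook/TLSDC_US_IIS_No_Install.yaml
@@ -0,0 +1,30 @@
+config:
+connection:
+platform: tpp
+url: https://dc.tlsp.demo # URL to TPP instance
+#trustBundle: /path/to/my/trustbundle.pem # Optional TrustBundle for TPP connection
+credentials:
+accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'
+certificateTasks:
+- name: IIS # Task Identifier, no relevance in tool run
+renewBefore: 30%
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+subject:
+commonName: '{{ Env "TLSPC_Hostname" }}.mimdemo.com'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits: [vcert]
+sanDNS:
+- '{{ Hostname | ToLower -}}.venafidemo.com'
+zone: 'Certificates\vcert\IIS'
+installations:
+- format: CAPI
+capiLocation: 'LocalMachine\MY'
+capiFriendlyName: 'vCert Playbook - TLSDC_US_IIS_No_Install'
+capiIsNonExportable: True
+#afterInstallAction: Import-Module Webadministration; Get-WebBinding vcert_website | where {($_.protocol -eq "https")} | % {$_.addsslcertificate($Env:VCERT_IIS_THUMBPRINT, "My")}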
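--- a/examples/playbook/TLSDC_US_IIS_P12.yaml
+++ b/examples/playbook/TLSDC_US_IIS_P12.yaml
@@ -0,0 +1,31 @@
+config:
+connection:
+platform: tpp
+url: https://dc.tlsp.demo # URL to TPP instance
+#trustBundle: /path/to/my/trustbundle.pem # Optional TrustBundle for TPP connection
+credentials:
+accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'
+certificateTasks:
+- name: IIS # Task Identifier, no relevance in tool run
+renewBefore: 20%
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+subject:
+# Templating needs to go between single quotes to avoid issues when refreshing tokens
+commonName: '{{ Env "TLSPC_Hostname" }}.mimdemo.com'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits:
+- vcert
+sanDNS:
+- '{{ Hostname | ToLower -}}.venafidemo.com'
+zone: 'Certificates\vcert\IIS'
+installations:
+- format: PKCS12
+useLegacyP12: true
+file: 'c:\temp\cert.p12'
+p12Password: '{{ Env "P12_PASSWORD" }}'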
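Review bot: `file: 'c:\temp\cert.p12'` writes a keystore holding the private key into a general-purpose temp directory that is typically readable by more accounts than the consuming service. `useLegacyP12: true` presumably selects the older, weaker PKCS#12 encryption, so the container itself gives little protection beyond the password. For an example that gets copied, point `file` at a directory whose ACL is restricted to the service that imports it. Keep the legacy flag only with a comment saying why, e.g. `useLegacyP12: true  # only for importers that cannot read modern PKCS#12`.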
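--- a/examples/playbook/TLSDC_US_NGINX.yaml
+++ b/examples/playbook/TLSDC_US_NGINX.yaml
@@ -0,0 +1,32 @@
+config:
+connection:
+platform: tpp
+url: https://dc.tlsp.demo # URL to TPP instance
+#trustBundle: /path/to/my/trustbundle.pem # Optional TrustBundle for TPP connection
+credentials:
+accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'
+certificateTasks:
+- name: nginx # Task Identifier, no relevance in tool run
+renewBefore: 20%
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+subject:
+# Templating needs to go between single quotes to avoid issues when refreshing tokens
+commonName: '{{ Env "TLSPC_Hostname" }}.mimlab.io'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits:
+- vcert
+sanDNS:
+- '{{ Hostname | ToLower -}}.mimlab.io'
+zone: 'Certificates\vcert\nginx'
+installations:
+- format: PEM
+file: "/etc/nginx/ssl/nginx_443.crt"
+chainFile: "/etc/nginx/ssl/nginx_443.chain"
+keyFile: "/etc/nginx/ssl/nginx_443.key"
+afterInstallAction: "cat /etc/nginx/ssl/nginx_443.chain >> /etc/nginx/ssl/nginx_443.crt && sudo nginx -s reload"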
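Review bot: The `sudo nginx -s reload` at the end of `afterInstallAction` depends on a passwordless sudo rule for whichever account runs vcert, which the example does not mention. If vcert already runs as root, which writing under `/etc/nginx/ssl` suggests, the sudo is redundant. Either drop it to match CFPOC_NGINX's `systemctl reload nginx`, or use `sudo -n nginx -s reload` so an unattended run fails immediately instead of waiting on a prompt. The key at `/etc/nginx/ssl/nginx_443.key` also shares a directory with the public files, so that directory's permissions deserve a comment.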
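--- a/examples/playbook/TLSPC_EU_ENABLE_WINRM_HTTPS_Demo.yaml
+++ b/examples/playbook/TLSPC_EU_ENABLE_WINRM_HTTPS_Demo.yaml
@@ -0,0 +1,32 @@
+config:
+connection:
+platform: vaas #cloudplatform
+url: https://api.venafi.eu
+credentials:
+apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+- name: WINRM # Task Identifier, no relevance in tool run
+renewBefore: 30d # or percentage like 30%
+setEnvVars: ["thumbprint"]
+request:
+csr: local
+keySize: 3072
+subject:
+commonName: '{{ Env "TLSPC_Hostname" }}'
+country: GB
+locality: London
+state: London
+organization: Venafi
+orgUnits: [WINRM]
+sanDNS:
+- '{{ Env "TLSPC_Hostname" }}'
+zone: 'WinRM\ztAllowAll'
+installations:
+- format: CAPI
+capiLocation: 'LocalMachine\MY'
+capiFriendlyName: 'vCert Playbook - TLSPC_WINRM_Demo'
+capiIsNonExportable: True
+afterInstallAction: $setting=Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='WINRM-tcp'"; if ($setting) { Set-WmiInstance -Path $setting.__path -Argument @{SSLCertificateSHA1Hash="$Env:VCERT_WINRM_THUMBPRINT"} }; $listener=Get-Item -Path WSMan:\Localhost\Listener\* | Where-Object { $_.Keys -match "HTTPS" }; if ($listener) { Remove-Item -Path $listener.PSPath -Recurse -Force }; New-Item -Path WSMan:\Localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbprint "$Env:VCERT_WINRM_THUMBPRINT" -Force
+
+
+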
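Review bot: The action removes the existing HTTPS listener before it creates the replacement, so if `New-Item` then fails (for example because `$Env:VCERT_WINRM_THUMBPRINT` is empty) the host is left with no HTTPS listener for remote management. Check the thumbprint before the `Remove-Item`, e.g. `if (-not $Env:VCERT_WINRM_THUMBPRINT) { throw 'thumbprint not set' };`. The leading `Win32_TSGeneralSetting` lookup with `TerminalName='WINRM-tcp'` looks carried over from the RDP playbook and is probably dead code behind `if ($setting)`. Since `-Address *` binds the listener on every interface, the example should also state that the port is expected to be scoped by the host firewall.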