File: //lib/python3.9/site-packages/ansible_collections/cisco/ise/playbooks/certificate_management.yml
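---
# Certificate lifecycle for ISE nodes: generate a CSR on the node, wait for an
# operator to get it signed by the CA, then bind the signed certificate to the
# node's services.
#
# Credentials (ise_username / ise_password) are expected from inventory or an
# encrypted vars file (ansible-vault); never hard-code them here.
# ise_verify should be true outside lab setups — disabling TLS verification to
# the ISE admin API lets an on-path attacker capture the admin credentials.
- hosts: ise_servers
  gather_facts: false
  name: Certificate management
  vars:
    # FQDN that the certificate is issued for; used for both the CSR CN and
    # the bind hostName so the two cannot drift apart.
    ise_fqdn: ise.securitydemo.net
    # Path (on the controller) to the CA-signed certificate in PEM form.
    # Override per run; the default is only a placeholder from the original
    # playbook. NOTE(review): this must be the *signed node certificate*,
    # not the Root CA certificate — binding the CA cert here is wrong.
    signed_cert_path: /Users/rcampos/Downloads/RootCACert.pem
  tasks:
    # Optional: import the CA's root certificate into the ISE trust store
    # before binding. Left disabled as in the original. If enabled, review
    # the relaxed flags: allowSHA1Certificates and
    # allowBasicConstraintCAFalse both weaken what ISE will accept as a
    # trust anchor and should normally be false.
    # - name: Import certificate into ISE node
    #   cisco.ise.trusted_certificate_import:
    #     ise_hostname: "{{ ise_hostname }}"
    #     ise_username: "{{ ise_username }}"
    #     ise_password: "{{ ise_password }}"
    #     ise_verify: "{{ ise_verify }}"
    #     data: "{{ lookup('file', item) }}"
    #     description: Root CA public certificate
    #     name: RootCert
    #     allowBasicConstraintCAFalse: false
    #     allowOutOfDateCert: false
    #     allowSHA1Certificates: false
    #     trustForCertificateBasedAdminAuth: true
    #     trustForCiscoServicesAuth: true
    #     trustForClientAuth: true
    #     trustForIseAuth: true
    #     validateCertificateExtensions: true
    #   with_fileglob:
    #     - "/Users/rcampos/Downloads/RootCACert.pem"

    - name: Generate CSR
      cisco.ise.csr_generate:
        ise_hostname: "{{ ise_hostname }}"
        ise_username: "{{ ise_username }}"
        ise_password: "{{ ise_password }}"
        ise_verify: "{{ ise_verify }}"
        # The CN is a single host name, not a wildcard, so there is no reason
        # to permit a wildcard certificate here (least privilege).
        allowWildCardCert: false
        subjectCommonName: "{{ ise_fqdn }}"
        subjectOrgUnit: Sample OU
        subjectOrg: Sample Org
        subjectCity: San Francisco
        subjectState: CA
        subjectCountry: US
        keyType: ECDSA
        # ECDSA keys are sized by curve; 1024 is an RSA length (and a weak
        # one), not a valid ECDSA size. 256 (P-256) is the sane minimum.
        keyLength: 256
        digestType: SHA-256
        # Original had the typo "MULTI-USEw", which the API would reject.
        usedFor: MULTI-USE
      register: result

    - name: Set ID value to variable
      ansible.builtin.set_fact:
        csr_id: "{{ result['ise_response']['response'][0]['id'] }}"
      when: not ansible_check_mode

    - name: Pause until the CSR has been signed by the CA
      ansible.builtin.pause:
        prompt: >-
          Submit CSR {{ csr_id | default('(unknown in check mode)') }} to the CA,
          place the signed certificate at {{ signed_cert_path }}, then press Enter

    - name: Bind Signed Certificate
      cisco.ise.bind_signed_certificate:
        ise_hostname: "{{ ise_hostname }}"
        ise_username: "{{ ise_username }}"
        ise_password: "{{ ise_password }}"
        ise_verify: "{{ ise_verify }}"
        admin: true
        # NOTE(review): allowExtendedValidity accepts certificates whose
        # validity period exceeds what ISE would otherwise enforce; keep it
        # only if the CA's policy really issues such certificates.
        allowExtendedValidity: true
        # Never bind an already-expired certificate; the original set this
        # to true, which would silently accept an expired cert.
        allowOutOfDateCert: false
        allowReplacementOfCertificates: true
        allowReplacementOfPortalGroupTag: true
        data: "{{ lookup('file', signed_cert_path) }}"
        hostName: "{{ ise_fqdn }}"
        name: My Signed Certificate
        validateCertificateExtensions: true
        id: "{{ csr_id }}"
        eap: true
        radius: true
        pxgrid: true
        ims: true
        portal: true
      when: not ansible_check_mode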