System CA certificates¶
On Debian GNU/Linux and its derivative distributions, management of Root
Certificate Authority certificates is performed by the
package. This package maintains a list of active Root CA certificates in
/etc/ca-certificates.conf configuration file, and stores the certificates
debops.pki role has several variables which can be used to control what
Root Certificate Authorities are trusted by the system, as well as supports
easy installation of local or custom Root Certificate Authorities.
Configuration of system CA certificates¶
/etc/ca-certificates.conf configuration file specifies which
certificates will be trusted by the system. This is done by specifying names of
certificate files located in
/usr/share/ca-certificates/ directory. The
specified certificate files will be included in the system CA store. If a given
filename is prefixed with
!, a given certificate will be excluded from the
system CA store.
By default, Debian hosts automatically trust new Root Certificate Authorities
added in the
ca-certificates package. To control this, you can use
pki_system_ca_certificates_trust_new boolean variable. Setting this
True will ensure that new Root CA certificates are trusted.
Setting it to
False will not enable new CA certificates automatically.
You can use
pki_system_ca_certificates_whitelist list variables to define which
certificates will be excluded/included in the CA store. Each list element is
a regexp of the certificate file name. If a given file is found in both lists,
it will be excluded from the certificate store.
To find out the names of the certificate files you can use, check the contents
/etc/ca-certificates.conf configuration file.
Blacklist all certificates:
pki_system_ca_certificates_blacklist: - '.*'
Blacklist all certificates provided in the Mozilla CA list:
pki_system_ca_certificates_blacklist: - 'mozilla/.*'
Blacklist all VeriSign certificates:
pki_system_ca_certificates_blacklist: - 'mozilla/VeriSign_.*'
Local Root CA certificates¶
Contents of the
secret/pki/ca-certificates/ directory located on Ansible
Controller will be copied to all of the remote hosts whch
manages, to the
/usr/local/share/ca-certificates/pki/ directory. After
that, they will be automatically added to the system Root CA store by
The internal Root Certificate Authorities created by the
will have their certificates automatically symlinked in the
secret/pki/ca-certificates/ directory. You can prevent that by adding an
item.system_ca: False parameter in the CA configuration variable.