How-to


Boundary: Mutating
Authority: idm, certificate-authority, collection
Evidence: command-output

Request an IdM certificate

When To Use This

Use this when a CSR already exists and IdM CA should issue a certificate for a host or service principal.

Required Authority

The IdM CA issues the certificate. Private key generation and storage stay outside the module.

Safety Boundary

This workflow is mutating. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.

Inputs

  • CSR content or controller-local CSR path
  • Principal name
  • Optional certificate profile or sub-CA

Steps

  1. Generate and protect the private key outside the module.
  2. Submit the CSR through cert_request.
  3. Write the issued certificate or return safe metadata for downstream tasks.

- name: Request certificate from IdM CA
  eigenstate.ipa.cert_request:
    principal: HTTP/app.example.com
    csr_file: /secure/csr/http-app.csr
    destination: /secure/certs/http-app.crt
    server: idm-01.example.com
    kerberos_keytab: /runner/env/ipa/automation.keytab
    mode: "0644"
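Steps 1 and 3 happen outside the module. The following is an added example, not code from the eigenstate.ipa collection: a POSIX shell script that creates the private key and CSR with restrictive permissions and, once the playbook has written the certificate to destination, checks that the certificate belongs to that key and chains to the IdM CA file. The openssl commands, file paths and the CA path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the eigenstate.ipa collection. Steps 1 and 3 of the
# how-to happen outside cert_request: create and protect the key and CSR first,
# then check what the module wrote back. Paths and the CA file are assumptions.
set -eu

# make_key_and_csr FQDN KEYFILE CSRFILE
# The private key is created with mode 0600 (umask 077 in a subshell); the CSR
# carries the host name as CN and as a dNSName SAN, matching HTTP/<fqdn>.
make_key_and_csr() {
  fqdn=$1; key=$2; csr=$3
  ( umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$key" )
  openssl req -new -key "$key" -out "$csr" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn"
  chmod 0644 "$csr"   # the CSR contains no secret
}

# key_is_private KEYFILE -> true when no group/other permission bits are set
key_is_private() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ]
}

# cert_matches_key CERT KEYFILE -> true when the certificate's public key is
# the one derived from our private key, i.e. the CA signed our CSR, not another.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# check_issued CERT KEYFILE [CAFILE] -> true only if the certificate chains to
# the IdM CA (default /etc/ipa/ca.crt, as in the playbook) and matches the key.
check_issued() {
  cert=$1; key=$2; ca=${3:-/etc/ipa/ca.crt}
  openssl verify -CAfile "$ca" "$cert" >/dev/null &&
  cert_matches_key "$cert" "$key"
}

# Typical sequence around the playbook (paths are assumptions):
#   make_key_and_csr app.example.com /etc/pki/tls/private/app.key /etc/pki/tls/private/app.csr
#   ... ansible-playbook -i inventory.eigenstate_ipa.yml request-certificate.yml ...
#   check_issued /etc/pki/tls/certs/app.pem /etc/pki/tls/private/app.key
```

A non-zero exit from check_issued is the signal to keep the new certificate out of service and fall back to the troubleshooting list.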

Example Certificate Request

This playbook sends an existing CSR to IdM and writes only the issued certificate; private key generation stays outside the module.

request-certificate.yml

---
- name: Request a service certificate from IdM
  hosts: app_servers
  become: true
  gather_facts: false
  tasks:
    - name: Submit CSR and install returned certificate
      eigenstate.ipa.cert_request:
        principal: "HTTP/{{ inventory_hostname }}@EXAMPLE.COM"
        csr_file: /etc/pki/tls/private/app.csr
        destination: /etc/pki/tls/certs/app.pem
        mode: "0644"
        server: idm-01.example.com
        kerberos_keytab: /runner/env/ipa/automation.keytab
        verify: /etc/ipa/ca.crt

Run It

ansible-playbook -i inventory.eigenstate_ipa.yml request-certificate.yml

Expected Evidence

The module returns certificate metadata and, when destination is set, writes the issued certificate to that path.

TASK [Request certificate from IdM CA] *********************************
changed: [localhost] => {
    "changed": true,
    "principal": "HTTP/app.example.com@EXAMPLE.COM",
    "destination": "/secure/certs/http-app.crt",
    "metadata": {
        "serial_number": "01AB12CD34EF",
        "subject": "CN=app.example.com,O=Example",
        "issuer": "CN=Certificate Authority,O=Example",
        "revoked": false
    }
}

Troubleshooting

  • CSR rejected: verify principal, SANs, profile, and CA policy.
  • Private key missing: create it before calling the module.
  • Wrong issuer: verify profile and sub-CA options.