this us usually implemented as Ansible role
ansible-role-win-sql-certificate ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── tasks │ ├── get-first-certificate-thumbprint-issued-by.yml │ ├── get-first-certificate-thumbprint.yml │ └── main.yml
./defaults/main.yml
---
# defaults file for ansible-role-win-sql-certificate
sql_server_version_major_path_prefix: 'MSSQL12'
sql_server_instance_name: MSSQLSERVER
sql_server_registry_supersocketnetlib: 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\{{ sql_server_version_major_path_prefix }}.{{ sql_server_instance_name }}\MSSQLServer\SuperSocketNetLib'
sql_server_service_account: 'NT Service\{{ sql_server_instance_name }}'
sql_server_service_name: '{{ sql_server_instance_name }}'
sql_server_certificate_machinekey_dir: 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
# define sql_server_ad_service_account_name if running using an AD account.
# otherwise fallback to sql_server_service_account
# sql_server_ad_service_account_name: "MYDOMAIN\\somesqlserviceaccount"
# If you define sql_server_certificate_thumbprint then this certificat must exist
# sql_server_certificate_thumbprint: 'd673b6b2d7768eff649fb06fa16e3a13b15bb255'
# if you define sql_server_first_certificate_issued_by then the first certificate in the
# certificate store matching the criteria is used
# sql_server_first_certificate_issued_by: 'LAB-RootCA'
./handlers/main.yml
---
# handlers file for ansible-role-win-sql-certificate
- name: restart sql service
ansible.windows.win_service:
name: '{{ sql_server_service_name }}'
state: restarted
./tasks/get-first-certificate-thumbprint-issued-by.yml
---
- name: Obtain information about a particular certificate in the computer's personal store
community.windows.win_certificate_info:
store_location: 'LocalMachine'
register: result_machine_certificates
# - debug:
# var: result_machine_certificates
- set_fact:
sql_server_certificate_thumbprint: '{{ result_machine_certificates.certificates | selectattr("issued_by", "equalto", sql_server_first_certificate_issued_by) | map(attribute="thumbprint") | first | lower }}'
when:
- sql_server_first_certificate_issued_by is defined
- result_machine_certificates is defined
- result_machine_certificates.exists
- result_machine_certificates.certificates is defined
- result_machine_certificates.certificates | length > 0
- debug:
var: sql_server_certificate_thumbprint
when: sql_server_certificate_thumbprint is defined
./tasks/get-first-certificate-thumbprint.yml
---
- name: Obtain information about a particular certificate in the computer's personal store
community.windows.win_certificate_info:
store_location: 'LocalMachine'
register: result_machine_certificates
# - debug:
# var: result_machine_certificates
- set_fact:
sql_server_certificate_thumbprint: '{{ result_machine_certificates.certificates | map(attribute="thumbprint") | first | lower }}'
when:
- result_machine_certificates is defined
- result_machine_certificates.exists
- result_machine_certificates.certificates is defined
- result_machine_certificates.certificates | length > 0
- debug:
var: sql_server_certificate_thumbprint
when: sql_server_certificate_thumbprint is defined
./tasks/main.yml
---
- ansible.builtin.include_tasks: "get-first-certificate-thumbprint-issued-by.yml"
when:
- sql_server_certificate_thumbprint is not defined
- sql_server_first_certificate_issued_by is defined
- ansible.builtin.include_tasks: "get-first-certificate-thumbprint.yml"
when:
- sql_server_certificate_thumbprint is not defined
- sql_server_first_certificate_issued_by is not defined
- name: set sql certificate thumbprint in registry
ansible.windows.win_regedit:
path: '{{ sql_server_registry_supersocketnetlib }}'
name: 'Certificate'
data: '{{ sql_server_certificate_thumbprint }}'
type: string
notify:
- restart sql service
when: sql_server_certificate_thumbprint is defined
- name: set sql force ssl in registry
ansible.windows.win_regedit:
path: '{{ sql_server_registry_supersocketnetlib }}'
name: 'ForceEncryption'
data: 1
type: dword
notify:
- restart sql service
when: sql_server_certificate_thumbprint is defined
- name: get certificate machine keyname
win_shell: |
$certThumbprint = "{{ sql_server_certificate_thumbprint }}"
$cert = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq ($certThumbprint -replace '\s','')}
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
write-host $keyName
register: result_cert_machine_key
changed_when: false
when: sql_server_certificate_thumbprint is defined
- debug:
var: result_cert_machine_key
when: result_cert_machine_key is defined
- name: set acl on certificate machine keyname
win_acl:
path: '{{ sql_server_certificate_machinekey_dir }}\{{ result_cert_machine_key.stdout_lines[0] }}'
user: '{{ sql_server_ad_service_account_name | default(sql_server_service_account) }}'
rights: FullControl
type: allow
state: present
notify:
- restart sql service
when:
- result_cert_machine_key is defined
- result_cert_machine_key.stdout_lines is defined
- result_cert_machine_key.stdout_lines | length > 0