Changeset - 884beb9a0e1d
[Not reviewed]
Branko Majic (branko) - 9 years ago 2015-05-31 21:53:01
branko@majic.rs
MAR-5: Fixed a typo in docs for test site (wrong filename path for certificate). Added encryption_key option to certtool templates in test site in order to have key encipherment key usage in resulting certificates (otherwise Thunderbird, for example, won't be able to connect to SMTP server).
7 files changed with 31 insertions and 1 deletions:
0 comments (0 inline, 0 general)
docs/testsite.rst
 
@@ -48,97 +48,97 @@ xmpp.yml
 
In order to deploy the test site, the following steps would normally be taken:
 

	
 
1. If you do not wish to have the hassle of creating the private keys and
 
   issuing certificates, run the following commands to get this done for you
 
   automatically, and skip to step 5 (otherwise follow steps 2 through 4):
 

	
 
   .. code-block:: shell
 

	
 
     certtool --sec-param high --generate-privkey --outfile tls/example_ca.key
 
     certtool --template tls/templates/example_ca.cfg --generate-self-signed --load-privkey tls/example_ca.key --outfile tls/example_ca.pem
 
     cp tls/example_ca.pem tls/example_ca_chain.pem
 
     for template in tls/templates/*.cfg; do
 
         entity_basename="$(basename "$template" .cfg)"
 
         [[ $entity_basename == example_ca ]] && continue
 
         certtool --sec-param normal --generate-privkey --outfile "tls/$entity_basename.key"
 
         certtool --generate-certificate \
 
           --load-ca-privkey "tls/example_ca.key" \
 
           --load-ca-certificate "tls/example_ca.pem" \
 
           --template "$template" \
 
           --load-privkey "tls/${entity_basename}.key" \
 
           --outfile "tls/${entity_basename}.pem"
 
     done
 

	
 
2. Create TLS private keys (relative to top level directory):
 

	
 
   - ``testsite/tls/mail.example.com_imap.key``
 
   - ``testsite/tls/mail.example.com_smtp.key``
 
   - ``testsite/tls/xmpp.example.com_xmpp.key``
 
   - ``testsite/tls/ldap.example.com_ldap.key``
 
   - ``testsite/tls/web.example.com_https.key``
 
   - ``testsite/tls/phpfino.example.com_https.key``
 
   - ``testsite/tls/wsgi.example.com_https.key``
 

	
 
3. Issue TLS certificates corresponding to the generated TLS private keys (make
 
   sure to use correct FQDN for DNS subject alternative name):
 

	
 
   - ``testsite/tls/mail.example.com_imap.pem`` (subject alternative name should
 
     be ``mail.example.com``)
 
   - ``testsite/tls/mail.example.com_smtp.pem`` (subject alternative name should
 
     be ``mail.example.com``)
 
   - ``testsite/tls/xmpp.example.com_xmpp.pem`` (subject alternative name should
 
     be ``xmpp.example.com``)
 
   - ``testsite/tls/ldap.example.com_ldap.pem`` (subject alternative name should
 
     be ``ldap.example.com``)
 
   - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should
 
     be ``web.example.com``)
 
   - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should
 
     be ``web.example.com``)
 
   - ``testsite/tls/phpinffo.example.com_https.pem`` (subject alternative name
 
   - ``testsite/tls/phpinfo.example.com_https.pem`` (subject alternative name
 
     should be ``phpinfo.example.com``)
 
   - ``testsite/tls/wsgi.example.com_https.pem`` (subject alternative name
 
     should be ``wsgi.example.com``)
 

	
 
4. Create ``PEM`` truststore file which contains all CA certificates that form
 
   CA chain for the issued end entity certificates from previous step at
 
   location ``testsite/tls/example_ca_chain.pem``. It is very important to
 
   include the CA chain used for LDAP server.
 

	
 
5. Generate the preseed files:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook playbooks/preseed.yml
 

	
 
6. Install all servers using the generated preseed files.
 

	
 
7. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
 
   remove old entries if you are redoing the process). You can easily obtain all
 
   the necessary fingerprints with command:
 

	
 
   .. code-block:: shell
 

	
 
      ssh-keyscan mail.example.com ldap.example.com xmpp.example.com web.example.com
 

	
 
8. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
 
   environment for Ansible runs on all servers:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook playbooks/bootstrap.yml
 

	
 
9. Finally, apply configuration on all servers:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook playbooks/site.yml
 

	
 
The playbooks and configurations for test site make a couple of assumptions:
 

	
 
* Each server will be set-up with an operating system user ``admin``, capable of
 
  running the sudo commands.
 
* The password for operating system user ``admin`` is hard-coded to ``admin``.
 
* An SSH ``authorized_keys`` file is set-up for the operating system user
 
  ``admin``. The SSH key stored in it will be read from location
 
  ``~/.ssh/id_rsa.pub`` (i.e. from home directory of user running the Ansible
 
  commands).
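Review bot: the step 3 fix (``phpinffo`` to ``phpinfo``) leaves the same typo in step 2, which still lists ``testsite/tls/phpfino.example.com_https.key``; that name does not match the template ``tls/templates/phpinfo.example.com_https.cfg`` that the step 1 loop iterates over, so the key path should read ``testsite/tls/phpinfo.example.com_https.key``. Step 3 also lists ``testsite/tls/web.example.com_https.pem`` twice; one entry should be dropped. Minor: the step 1 snippet uses ``[[ $entity_basename == example_ca ]]``, which is bash-specific, while the block is labelled ``shell``; ``[ "$entity_basename" = example_ca ] && continue`` works in POSIX sh as well.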
 

	
testsite/tls/templates/ldap.example.com_ldap.cfg
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. LDAP Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "ldap.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key
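Review bot: the new ``encryption_key`` line sits directly under a comment saying that different keys for encryption and signing are preferred, while the template now requests both usages on one key; since the test site intentionally uses a single key per service (the commit message explains that key encipherment is needed for clients such as Thunderbird), the comment should say so instead of leaving the template contradicting itself. Separately, the context line ``cn = "Exampe Inc. LDAP Server"`` misspells "Example"; the same misspelling appears in the ``cn`` of all six templates in this changeset.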
testsite/tls/templates/mail.example.com_smtp.cfg
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. SMTP Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "mail.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key
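Review bot: adding ``encryption_key`` to the template only affects certificates issued from now on; a ``tls/mail.example.com_smtp.pem`` already generated from the old template keeps the old key usage and Thunderbird will still fail against it, so the docs (or the commit message) should state that the step 1 ``certtool`` loop in ``docs/testsite.rst`` must be re-run, and the regenerated certificate can be checked with ``certtool --certificate-info --infile tls/mail.example.com_smtp.pem`` for key encipherment in its Key Usage extension.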
testsite/tls/templates/phpinfo.example.com_https.cfg
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. PHP Info Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "phpinfo.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key
testsite/tls/templates/web.example.com_https.cfg
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. Web Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "web.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key
testsite/tls/templates/wsgi.example.com_https.cfg
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. WSGI Hello World Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "wsgi.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key
testsite/tls/templates/xmpp.example.com_xmpp.cfg
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. XMPP Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "xmpp.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key