---
# tasks file for generate-tls-certs

  - name: Generate CA private key
    local_action:
      module: openssl_privatekey
      path: "{{cert_dir}}/{{tls_ca_key}}"
      size: "{{tls_ca_key_size}}"
    run_once: true
    when: generate_ca_cert

  - name: Generate self-signed cert for CA
    local_action:
      module: >
        shell openssl req -x509 -new -days {{tls_ca_valid_days}} -sha256 -nodes -key {{cert_dir}}/{{tls_ca_key}} -out {{cert_dir}}/{{tls_ca_cert}}
        -subj "{% if tls_ca_country is defined%}/C={{tls_ca_country}}{% endif %}{% if tls_ca_state is defined%}/ST={{tls_ca_state}}{% endif %}{% if tls_ca_locality is defined %}/L={{tls_ca_locality}}{% endif %}{% if tls_ca_organization is defined %}/O={{tls_ca_organization}}{% endif %}{% if tls_ca_organizationalunit is defined %}/OU={{tls_ca_organizationalunit}}{% endif %}/CN={{tls_ca_commonname}}{% if tls_ca_email is defined %}/emailAddress={{tls_ca_email}}{% endif %}"
    ignore_errors: true
    run_once: true
    when: generate_ca_cert

  - name: Generate client private key
    local_action:
      module: openssl_privatekey
      path: "{{cert_dir}}/{{tls_client_key}}"
      size: "{{tls_client_key_size}}"
    run_once: true
    when: generate_client_cert

  - name: Generate CSR and key for client cert
    local_action:
      module: >
        shell openssl req -newkey rsa:{{tls_client_key_size}} -nodes -subj "/CN={{tls_client_commonname}}"
        -keyout "{{cert_dir}}/{{tls_client_key}}" -out "{{cert_dir}}/{{tls_client_csr}}"
    ignore_errors: true
    run_once: true
    when: generate_client_cert

  - name: Add required extension for client authentication
    local_action:
      module: >
        shell echo extendedKeyUsage = clientAuth >> {{cert_dir}}/{{tls_client_extfile}}
    ignore_errors: true
    run_once: true
    when: generate_client_cert

  # @AB TODO: using OpenSSL CA serial file does not always generate unique serial when running playbook against multiple hosts
  - name: Sign client cert request with CA
    local_action:
      module: >
        shell openssl x509 -req -sha256 -days {{tls_client_valid_days}} -CA {{cert_dir}}/{{tls_ca_cert}} -CAkey {{cert_dir}}/{{tls_ca_key}}
        -set_serial {{ 999999999 | random }} -in {{cert_dir}}/{{tls_client_csr}} -out {{cert_dir}}/{{tls_client_cert}} -extfile {{cert_dir}}/{{tls_client_extfile}}
    ignore_errors: true
    run_once: true
    when: generate_client_cert

  # Generate server cert
  - name: Create CSR for server cert
    local_action:
      module: >
        shell openssl req -newkey rsa:{{tls_server_key_size}} -nodes -subj "/CN={{inventory_hostname}}"
        -keyout "{{cert_dir}}/{{inventory_hostname_short}}.key" -out "{{cert_dir}}/{{inventory_hostname_short}}.csr"
    ignore_errors: true
    when: generate_server_cert

  - name: Generate certificate extensions file
    local_action:
      module: template
      src: templates/server-cert-extfile.cnf.j2
      dest: "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"
    when: generate_server_cert

  - name: Sign server cert request by CA
    local_action:
      module: >
        shell openssl x509 -req -sha256 -days {{tls_server_valid_days}}
        -CA "{{cert_dir}}/{{tls_ca_cert}}" -CAkey "{{cert_dir}}/{{tls_ca_key}}" -set_serial {{ 999999999 | random }}
        -in "{{cert_dir}}/{{inventory_hostname_short}}.csr" -out "{{cert_dir}}/{{inventory_hostname_short}}.pem"
        -extfile "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"
    ignore_errors: true
    when: generate_server_cert