--- - name: Ensure the custom directories to host certificates are present become: yes file: state: directory recurse: yes path: "{{ gen_tls_remote_certs_dir }}/{{ item.path }}" mode: "{{ item.mode }}" owner: root group: root loop: - {path: local/certs, mode: "0755"} - {path: local/private, mode: "0700"} - name: Check if the client private key exists delegate_to: localhost stat: path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}" register: client_key - name: Generate client private key delegate_to: localhost community.crypto.openssl_privatekey: path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}" size: "{{ gen_tls_client_key_size}}" when: - not client_key.stat.exists - generate_client_cert register: client_key_file - name: Copy the key on the server become: yes copy: src: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key}}" dest: "{{ gen_tls_remote_certs_dir }}/local/private/" mode: 0644 owner: root group: root when: client_key_file.changed or gen_tls_force_copy - name: Check if the client CSR exists delegate_to: localhost stat: path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}" register: client_csr - name: Generate CSR and key for client cert delegate_to: localhost community.crypto.openssl_csr: path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}" privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}" common_name: "{{ gen_tls_client_commonname }}" extended_key_usage: - clientAuth when: - not client_csr.stat.exists - generate_client_cert - name: Check if the client cert exists delegate_to: localhost stat: path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}" register: client_crt - name: Create and sign server cert request by CA delegate_to: localhost community.crypto.x509_certificate: path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}" csr_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}" ownca_not_after: "+{{ gen_tls_client_valid_days }}d" ownca_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}" ownca_privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}" provider: ownca when: - not client_crt.stat.exists - generate_client_cert register: client_cert_file - name: Copy the certificate to the remote machine become: yes copy: src: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}" dest: "{{ gen_tls_remote_certs_dir }}/local/certs/" mode: 0600 owner: root group: root when: client_cert_file.changed or gen_tls_force_copy