---

  - name: Generate client private key
    local_action:
      module: openssl_privatekey
      path: "{{cert_dir}}/{{tls_client_key}}"
      size: "{{tls_client_key_size}}"
    run_once: true
    when: generate_client_cert

  - name: Generate CSR and key for client cert
    local_action:
      module: |
        shell if [ ! -e {{cert_dir}}/{{tls_client_csr}} ]
        then
        openssl req -newkey rsa:{{tls_client_key_size}} -nodes -subj "/CN={{tls_client_commonname}}" \
        -keyout "{{cert_dir}}/{{tls_client_key}}" -out "{{cert_dir}}/{{tls_client_csr}}"
        fi
    args:
      executable: /bin/bash
    ignore_errors: true
    run_once: true
    when: generate_client_cert

  - name: Add required extension for client authentication
    local_action:
      module: >
        shell echo extendedKeyUsage = clientAuth >> {{cert_dir}}/{{tls_client_extfile}}
    ignore_errors: true
    run_once: true
    when: generate_client_cert

  # @AB TODO: using OpenSSL CA serial file does not always generate unique serial when running playbook against multiple hosts
  - name: Sign client cert request with CA
    local_action:
      module: |
        shell if [ ! -e {{cert_dir}}/{{tls_client_cert}} ]
        then
        openssl x509 -req -sha256 -days {{tls_client_valid_days}} -CA {{cert_dir}}/{{tls_ca_cert}} -CAkey {{cert_dir}}/{{tls_ca_key}} \
        -set_serial {{ 999999999 | random }} -in {{cert_dir}}/{{tls_client_csr}} -out {{cert_dir}}/{{tls_client_cert}} -extfile {{cert_dir}}/{{tls_client_extfile}}
        fi
    args:
      executable: /bin/bash
    ignore_errors: true
    run_once: true
    when: generate_client_cert