current state

defaults/main.yml

@@ -1,15 +1,16 @@
 certificate_name: "{{ certificate_common_name | regex_replace(' ', '_') }}"
-certificate_file: "{{ certificate_directory }}/{{ certificate_name }}.cert.pem"
+certificate_file: "{{ certificate_directory }}/certs/{{ certificate_name }}.cert.pem"
 
-certificate_private_key_file: "{{ certificate_private_directory }}/{{ certificate_name }}.key.pem"
+certificate_private_key_file: "{{ certificate_directory }}/private/{{ certificate_name }}.key.pem"
 certificate_private_key_size: 4096
 
-certificate_signing_request_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.pem"
-certificate_signing_request_config_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.cnf"
+certificate_signing_request_file: "{{ certificate_directory }}/csr/{{ certificate_name }}.csr.pem"
+certificate_signing_request_config_file: "{{ certificate_directory }}/cnf/{{ certificate_name }}.csr.cnf"
 
 certificate_authority: false
-certificate_key_usage:
-  - digitalSignature
-  - keyEncipherment
-#certificate_extended_key_usage:
+
+# certificate_key_usage:
+#   - digitalSignature
+#   - keyEncipherment
+# certificate_extended_key_usage:
 #  - serverAuth

handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: stat certificate
+  stat:
+    path: "{{ certificate_file }}"
+  register: _certificate_stat
+  listen: certificate changed

tasks/csr.yml

@@ -23,6 +23,6 @@
   changed_when: false
   register: _certificate_signing_request_info
 
-- name: certificate signing request debug
-  debug:
-    msg: "{{ _certificate_signing_request_info.stdout_lines }}"
+# - name: certificate signing request debug
+#   debug:
+#     msg: "{{ _certificate_signing_request_info.stdout_lines }}"

tasks/directory.yml

@@ -0,0 +1,22 @@
+---
+
+- name: directory
+  file:
+    path: "{{ certificate_directory }}"
+    state: directory
+
+- name: subdirectories
+  file:
+    path: "{{ certificate_directory }}/{{item}}"
+    state: directory
+  with_items:
+    - certs
+    - csr
+    - cnf
+    - private
+
+- name: private directory
+  file:
+    path: "{{ certificate_authority_directory }}/private"
+    mode: 0700
+    state: directory

tasks/key.yml

@@ -9,3 +9,4 @@
     creates: "{{ certificate_private_key_file }}"
   environment:
     PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
+  notify: certificate changed

tasks/main.yml

@@ -1,5 +1,8 @@
 ---
 
+- include: directory.yml
+  when: certificate_directory is defined
+
 - name: setup
   include: setup_{{ansible_os_family}}.yml
 

tasks/provider-ca.yml

@@ -0,0 +1,49 @@
+---
+
+- include: key.yml
+- include: csr.yml
+
+- name: certificate host_files directory
+  local_action: file
+  args:
+    path: host_files/{{inventory_hostname}}/certificate
+    state: directory
+
+- name: fetch certificate signing request
+  fetch:
+    src: "{{ certificate_signing_request_file }}"
+    dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.csr.pem
+    flat: yes
+    fail_on_missing: yes
+
+- name: copy certificate signing request
+  copy:
+    src: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.csr.pem
+    dest: "{{ certificate_authority_directory }}/csr/{{inventory_hostname}}-{{certificate_name}}.csr.pem"
+  delegate_to: "{{ certificate_authority_host }}"
+
+- name: sign certificate with ca
+  command: openssl ca -selfsign -batch -notext
+    -config cnf/ca.cnf
+    -in csr/{{inventory_hostname}}-{{certificate_name}}.csr.pem
+    -out certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem
+    {{ certificate_authority_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
+  args:
+    chdir: "{{ certificate_authority_directory }}"
+    creates: "{{ certificate_authority_directory }}/certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem"
+  environment:
+    PRIVATE_KEY_PASSWORD: "{{ certificate_authority_private_key_password | default('') }}"
+  delegate_to: "{{ certificate_authority_host }}"
+
+- name: fetch certificate
+  fetch:
+    src: "{{ certificate_authority_directory }}/certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem"
+    dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem
+    flat: yes
+    fail_on_missing: yes
+  delegate_to: "{{ certificate_authority_host }}"
+
+- name: copy certificate
+  copy:
+    src: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem
+    dest: "{{ certificate_file }}"

tasks/provider-letsencrypt.yml

@@ -0,0 +1 @@
+---

tasks/provider-selfsigned.yml

@@ -15,3 +15,4 @@
     creates: "{{ certificate_file }}"
   environment:
     PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
+  notify: certificate changed

templates/certificate_extensions.cnf.j2

@@ -3,7 +3,9 @@
 [certificate_extensions]
 # Extensions for server certificates (`man x509v3_config`).
 basicConstraints = critical, {{ certificate_basic_constraints | join(', ') }}
+{% if certificate_key_usage is defined %}
 keyUsage = critical, {{ certificate_key_usage | join(', ') }}
+{% endif %}
 {% if certificate_extended_key_usage is defined  and  certificate_extended_key_usage %}
 extendedKeyUsage=critical, {{ certificate_extended_key_usage | join(', ') }}
 {% endif %}

templates/csr.cnf.j2

@@ -18,7 +18,7 @@ L = {{certificate_locality}}
 {% if certificate_organization is defined%}
 O = {{certificate_organization}}
 {% endif %}
-{% if certificate_organizational_unit is defined%}/OU=
+{% if certificate_organizational_unit is defined%}
 OU = {{certificate_organizational_unit}}
 {% endif %}
 CN = {{certificate_common_name}}