certificate chain files

defaults/main.yml

@@ -1,5 +1,7 @@
 certificate_name: "{{ certificate_common_name | regex_replace(' ', '_') }}"
 certificate_file: "{{ certificate_directory }}/certs/{{ certificate_name }}.cert.pem"
+certificate_chain_file: "{{ certificate_directory }}/certs/{{ certificate_name }}.chain.pem"
+certificate_fullchain_file: "{{ certificate_directory }}/certs/{{ certificate_name }}.fullchain.pem"
 
 certificate_private_key_file: "{{ certificate_directory }}/private/{{ certificate_name }}.key.pem"
 certificate_private_key_size: 4096

tasks/provider-ca.yml

@@ -23,7 +23,7 @@
   delegate_to: "{{ certificate_authority_host }}"
 
 - name: sign certificate with ca
-  command: openssl ca -selfsign -batch -notext
+  command: openssl ca -batch -notext
     -config cnf/ca.cnf
     -in csr/{{inventory_hostname}}-{{certificate_name}}.csr.pem
     -out certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem
@@ -47,3 +47,21 @@
   copy:
     src: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem
     dest: "{{ certificate_file }}"
+
+- name: fetch root certificate chain
+  fetch:
+    src: "{{ certificate_authority_directory }}/certs/ca.fullchain.pem"
+    dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.chain.pem
+    flat: yes
+    fail_on_missing: yes
+  delegate_to: "{{ certificate_authority_host }}"
+
+- name: copy root certificate chain
+  copy:
+    src: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.chain.pem
+    dest: "{{ certificate_chain_file }}"
+
+- name: create full certificate chain
+  template:
+    src: fullchain.pam.j2
+    dest: "{{ certificate_fullchain_file }}"

templates/fullchain.pam.j2

@@ -0,0 +1,2 @@
+{{ lookup('file','host_files/'+inventory_hostname+'/certificate/'+certificate_name+'.cert.pem') }}
+{{ lookup('file','host_files/'+inventory_hostname+'/certificate/'+certificate_name+'.chain.pem') }}