current state

tasks/certificate.yml

@@ -0,0 +1,41 @@
+---
+
+- include_role:
+    name: certificate
+  vars:
+    certificate_name: ca
+    certificate_provider: manual
+    certificate_authority: true
+    certificate_key_usage:
+      - digitalSignature
+      - cRLSign
+      - keyCertSign
+    certificate_directory: "{{ certificate_authority_directory }}"
+    certificate_file: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
+    certificate_signing_request_file: "{{ certificate_authority_directory }}/csr/ca.csr.pem"
+    certificate_signing_request_config_file: "{{ certificate_authority_directory }}/csr/ca.csr.cnf"
+    certificate_private_key_file: "{{ certificate_authority_directory }}/private/ca.key.pem"
+    certificate_private_key_password: "{{ certificate_authority_private_key_password }}"
+
+- name: self sign certificate
+  command: openssl ca -selfsign -batch -notext
+    -config cnf/ca.cnf
+    -in csr/ca.csr.pem
+    -out certs/ca.cert.pem
+    {{ certificate_authority_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
+  args:
+    chdir: "{{ certificate_authority_directory }}"
+    creates: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
+  environment:
+    PRIVATE_KEY_PASSWORD: "{{ certificate_authority_private_key_password | default('') }}"
+  when: certificate_authority_type == "root"
+
+# - name: certificate stat
+#   stat:
+#     path: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
+#   register: _certificate_authority_stat
+#   changed_when: not _certificate_authority_stat.stat.exists
+#   notify: self sign certificate
+
+# - debug:
+#     msg: "{{ _certificate_authority_stat }}"

tasks/directory.yml

@@ -5,18 +5,17 @@
 - name: directory
   file:
     path: "{{ certificate_authority_directory }}"
-    #mode: 0700
     state: directory
 
 - name: subdirectories
   file:
     path: "{{ certificate_authority_directory }}/{{ item }}"
-    #mode: 0700
     state: directory
   with_items:
     - certs
     - crl
     - csr
+    - cnf
     - newcerts
 
 - name: private directory
@@ -42,7 +41,7 @@
     dest: "{{ certificate_authority_directory }}/serial"
     force: no
 
-- name: openssl config
+- name:  config
   template:
-    src: openssl.cnf.j2
-    dest: "{{ certificate_authority_directory }}/openssl.cnf"
+    src: ca.cnf.j2
+    dest: "{{ certificate_authority_directory }}/cnf/ca.cnf"

tasks/main.yml

@@ -4,42 +4,4 @@
 
 - include: directory.yml
 
-- include_role:
-    name: certificate
-  vars:
-    certificate_name: ca
-    certificate_provider: manual
-    certificate_authority: true
-    certificate_key_usage:
-      - digitalSignature
-      - cRLSign
-      - keyCertSign
-    certificate_directory: "{{ certificate_authority_directory }}"
-    certificate_file: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
-    certificate_signing_request_file: "{{ certificate_authority_directory }}/csr/ca.csr.pem"
-    certificate_signing_request_config_file: "{{ certificate_authority_directory }}/csr/ca.csr.cnf"
-    certificate_private_key_file: "{{ certificate_authority_directory }}/private/ca.key.pem"
-
-- name: self sign certificate
-  command: openssl ca -selfsign -batch -notext
-    -config openssl.cnf
-    -in csr/ca.csr.pem
-    -out certs/ca.cert.pem
-    {{ certificate_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
-  args:
-    chdir: "{{ certificate_authority_directory }}"
-    creates: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
-  environment:
-    PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
-  when: certificate_authority_type == "root"
-
-- name: certificate info
-  command: openssl x509 -text -noout -in certs/ca.cert.pem
-  args:
-    chdir: "{{ certificate_authority_directory }}"
-  changed_when: false
-  register: _certificate_authority_info
-
-- name: certificate debug
-  debug:
-    msg: "{{ _certificate_authority_info.stdout_lines }}"
+- include: certificate.yml