---

- include_role:
    name: certificate
  vars:
    certificate_name: ca
    certificate_provider: manual
    certificate_authority: true
    certificate_key_usage:
      - digitalSignature
      - cRLSign
      - keyCertSign
    certificate_directory: "{{ certificate_authority_directory }}"
    certificate_file: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
    certificate_signing_request_file: "{{ certificate_authority_directory }}/csr/ca.csr.pem"
    certificate_signing_request_config_file: "{{ certificate_authority_directory }}/cnf/ca.csr.cnf"
    certificate_private_key_file: "{{ certificate_authority_directory }}/private/ca.key.pem"
    certificate_private_key_password: "{{ certificate_authority_private_key_password }}"

- name: self sign certificate
  command: openssl ca -selfsign -batch -notext
    -config cnf/ca.cnf
    -in csr/ca.csr.pem
    -out certs/ca.cert.pem
    {{ certificate_authority_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
  args:
    chdir: "{{ certificate_authority_directory }}"
    creates: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
  environment:
    PRIVATE_KEY_PASSWORD: "{{ certificate_authority_private_key_password | default('') }}"
  when: certificate_authority_type == "root"

# - name: certificate stat
#   stat:
#     path: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
#   register: _certificate_authority_stat
#   changed_when: not _certificate_authority_stat.stat.exists
#   notify: self sign certificate

# - debug:
#     msg: "{{ _certificate_authority_stat }}"