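---
# Bootstraps an OpenSSL certificate authority directory layout, generates the
# CA private key, and (for a root CA) self-signs the CA certificate.
# Based on: https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
#
# Required vars: certificate_authority_directory, certificate_authority_private_key_size,
# certificate_authority_days, certificate_authority_subject, certificate_authority_type.
#
# All openssl invocations use the `command` module (no shell), so templated
# arguments such as the subject are passed as argv entries rather than being
# interpolated into a shell string.

- name: directory
  file:
    path: "{{ certificate_authority_directory }}"
    # mode: "0700"
    state: directory

- name: subdirectories
  file:
    path: "{{ certificate_authority_directory }}/{{ item }}"
    # mode: "0700"
    state: directory
  with_items:
    - certs
    - crl
    - csr
    - newcerts

# Only the owner may traverse the private/ directory; the CA key lives here.
- name: private directory
  file:
    path: "{{ certificate_authority_directory }}/private"
    mode: "0700"
    state: directory

# NOTE(review): the key is written unencrypted (no -aes256 passphrase). That is
# a deliberate trade-off for unattended provisioning; confirm it matches the
# protection expected for this CA's key.
- name: private key
  command: openssl genrsa -out private/ca.key.pem {{ certificate_authority_private_key_size }}
  args:
    chdir: "{{ certificate_authority_directory }}"
    creates: "{{ certificate_authority_directory }}/private/ca.key.pem"

# Do not rely on the umask in effect when genrsa ran (or on the OpenSSL
# version's own handling of key file modes): enforce owner-only access on the
# key file explicitly. This is idempotent and safe to re-run.
- name: private key permissions
  file:
    path: "{{ certificate_authority_directory }}/private/ca.key.pem"
    mode: "0600"
    state: file

- name: openssl config
  template:
    src: openssl.cnf.j2
    dest: "{{ certificate_authority_directory }}/openssl.cnf"

- name: extensions config
  template:
    src: extensions.cnf.j2
    dest: "{{ certificate_authority_directory }}/extensions.cnf"

- name: index config
  template:
    src: index.attr.j2
    dest: "{{ certificate_authority_directory }}/index.attr"

# The CA database and serial file are created once and never overwritten
# (force: false), otherwise re-running the role would reset issued-cert state.
- name: index
  copy:
    content: ""
    dest: "{{ certificate_authority_directory }}/index"
    force: false

# RFC 5280 requires certificate serial numbers to be positive integers; a serial
# file of "00" would issue the CA's own certificate with serial 0, which strict
# validators reject. Start at 1000 as in the referenced guide. Existing CAs are
# unaffected because the file is never overwritten.
- name: serial
  copy:
    content: "1000\n"
    dest: "{{ certificate_authority_directory }}/serial"
    force: false

# `-days` is only honoured by `openssl req` together with `-x509`; it was
# previously passed here but has no effect on a plain CSR, so it is omitted.
# The validity period is applied by `openssl ca` below.
- name: certificate signing request
  command: openssl req -new -config openssl.cnf -key private/ca.key.pem -sha256 -out csr/ca.csr.pem -subj "{{ certificate_authority_subject }}"
  args:
    chdir: "{{ certificate_authority_directory }}"
    creates: "{{ certificate_authority_directory }}/csr/ca.csr.pem"
  # when: certificate_authority_type == "intermediate"

# Root CAs only: sign the CSR with its own key using the `certificate_authority`
# extensions section from openssl.cnf. The signing digest comes from the
# config's default_md (not set on the command line here).
- name: self sign certificate
  command: openssl ca -selfsign -batch -config openssl.cnf -days {{ certificate_authority_days }} -extensions certificate_authority -in csr/ca.csr.pem -out certs/ca.cert.pem -subj "{{ certificate_authority_subject }}"
  args:
    chdir: "{{ certificate_authority_directory }}"
    creates: "{{ certificate_authority_directory }}/certs/ca.cert.pem"
  when: certificate_authority_type == "root"

# Read-only inspection of the resulting certificate; never reports "changed".
- name: certificate info
  command: openssl x509 -text -noout -in certs/ca.cert.pem
  args:
    chdir: "{{ certificate_authority_directory }}"
  changed_when: false
  register: _certificate_authority_info

# Only the public certificate text is printed; the private key is never read here.
- name: show certificate info
  debug:
    msg: "{{ _certificate_authority_info }}"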