From 7368a241f2255ad8ba40c77451101a63d7c6cdd8 Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Thu, 9 Sep 2021 18:02:00 +0200
Subject: [PATCH] first draft for the crs

---
 roles/generate-cert/tasks/main.yml | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml
index 451f2dd..2799fe5 100644
--- a/roles/generate-cert/tasks/main.yml
+++ b/roles/generate-cert/tasks/main.yml
@@ -1,8 +1,4 @@
 ---
-- name: Test
-  ansible.builtin.debug:
-    msg: "Test"
-
 - name: Ensure the directory containing the cert exist
   file:
     path: "{{ directory }}"
@@ -22,6 +18,31 @@
   delegate_to: localhost
   when: not key_file.stat.exists
 
+- name: Generate a Certificate Signing Request
+  become: false
+  openssl_csr:
+    path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
+    private_key_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+    common_name: "{{ cname }}"
+    country_name: "{{ country_name | default(omit) }}"
+    locality_name: "{{ locality_name | default(omit) }}"
+    state_or_province_name: "{{ state_or_province_name | default(omit) }}"
+    organization_name: "{{ organization_name | default(omit) }}"
+    organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
+    email_address: "{{ email_address | default(omit) }}"
+    basic_constraints:
+      - CA:FALSE # syntax?
+    basic_contraints_critical: yes
+    key_usage: # need more works on this
+      - digitalSignature
+      - keyEncipherment
+      - clientAuth
+    key_usage_critical: yes
+    subject_alt_name: "{{ subject_alt_name | default(omit) }}"
+    # TODO: add a revocation methode, most probably crl, with crl_distribution_points
+  delegate_to: localhost
+  when: no key_file.stat exists
+
 - name: Send private key to the server
   copy:
     src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
@@ -31,7 +52,6 @@
     mode: "{{ key_mode | default('u=rw,g=,o=') }}"
   when: not key_file.stat.exists
 
-  # Clean up
 - name: Remove the local cert key
   become: false
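Review bot: The new CSR task's condition `when: no key_file.stat exists` is not a valid Jinja expression and will fail when the play evaluates it, while the surrounding tasks gate on `when: not key_file.stat.exists`; the same condition should be used here so the CSR is only generated together with a fresh key. Two option names in the same task also look wrong: `basic_contraints_critical` is misspelled (the openssl_csr option is `basic_constraints_critical`, and an unknown option makes the module reject the whole task), and `clientAuth` is an extended key usage, so it belongs under `extended_key_usage` rather than `key_usage`, which only accepts keyUsage values such as `digitalSignature` and `keyEncipherment`. The `# syntax?` question on `CA:FALSE` can be resolved with a comment stating that this OpenSSL-style form is what the module expects for `basic_constraints`. Finally, the two `yes` values should be written `true`, matching `become: false` in the same task and avoiding the YAML 1.1 boolean ambiguity.
```yaml
  openssl_csr:
    # … unchanged: path, private_key_path and subject fields …
    basic_constraints:
      - CA:FALSE  # OpenSSL-style value expected by the module
    basic_constraints_critical: true
    key_usage:
      - digitalSignature
      - keyEncipherment
    key_usage_critical: true
    extended_key_usage:
      - clientAuth
    subject_alt_name: "{{ subject_alt_name | default(omit) }}"
  delegate_to: localhost
  when: not key_file.stat.exists
```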