first draft for the crs

roles/generate-cert/tasks/main.yml

@@ -1,8 +1,4 @@
 ---
-- name: Test
-  ansible.builtin.debug:
-    msg: "Test"
-
 - name: Ensure the directory containing the cert exist
   file:
     path: "{{ directory }}"
@@ -22,6 +18,31 @@
   delegate_to: localhost
   when: not key_file.stat.exists
 
+- name: Generate a Certificate Signing Request
+  become: false
+  openssl_csr:
+    path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
+    private_key_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+    common_name: "{{ cname }}"
+    country_name: "{{ country_name | default(omit) }}"
+    locality_name: "{{ locality_name | default(omit) }}"
+    state_or_province_name: "{{ state_or_province_name | default(omit) }}"
+    organization_name: "{{ organization_name | default(omit) }}"
+    organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
+    email_address: "{{ email_address | default(omit) }}"
+    basic_constraints:
+      - CA:FALSE # syntax?
+    basic_contraints_critical: yes
+    key_usage: # need more works on this
+      - digitalSignature
+      - keyEncipherment
+      - clientAuth
+    key_usage_critical: yes
+    subject_alt_name: "{{ subject_alt_name | default(omit) }}"
+    # TODO: add a revocation methode, most probably crl, with crl_distribution_points
+  delegate_to: localhost
+  when: no key_file.stat exists
+
 - name: Send private key to the server
   copy:
     src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
@@ -31,7 +52,6 @@
     mode: "{{ key_mode | default('u=rw,g=,o=') }}"
   when: not key_file.stat.exists
 
-
 # Clean up
 - name: Remove the local cert key
   become: false