add crl endpoint support

README.md

@@ -60,3 +60,21 @@ Then, don't forget to remode the file `ca.key`.
 ## How does it works ?
 
 The role check if the certificate already exist and is valid. If not, it will generate **on the localhost** the certificates and then copy them to the remote host and delate the local version.
+
+## Add a CRL endpoint
+
+If you use a CRL to revocate your certifiates, you can add the variable `crl_distribution_points` to describe the CRL endpoint(s). CF https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html for more information about `crl_distribution_points`.
+
+```
+crl_distribution_points:
+  - full_name: "URI:https://ca.example.com/revocations.crl"
+    reasons:
+      - key_compromise
+      - ca_compromise
+      - affiliation_changed
+      - superseded
+      - cessation_of_operation
+      - certificate_hold
+      - privilege_withdrawn
+      - aa_compromise
+```

group_vars/all.yml

@@ -1,4 +1,15 @@
 ---
+crl_distribution_points:
+  - full_name: "URI:https://ca.example.com/revocations.crl"
+    reasons:
+      - key_compromise
+      - ca_compromise
+      - affiliation_changed
+      - superseded
+      - cessation_of_operation
+      - certificate_hold
+      - privilege_withdrawn
+      - aa_compromise
 ca_cert: |
   -----BEGIN CERTIFICATE-----
   MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL

roles/generate-cert/tasks/main.yml

@@ -32,7 +32,6 @@
         size: "{{ key_size | default(omit) }}"
       delegate_to: localhost
     
-    # TODO: add a revocation methode, most probably crl, with crl_distribution_points
     - name: Generate a Certificate Signing Request
       become: false
       openssl_csr:
@@ -51,6 +50,7 @@
         key_usage: "{{ key_usage }}"
         key_usage_critical: yes
         subject_alt_name: "{{ subject_alt_name | default(omit) }}"
+        crl_distribution_points: "{{ crl_distribution_points | default(omit) }}"
       delegate_to: localhost
     
     - name: Put the CA in a file