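---
# Provision a private key for "{{ cname }}" on the target host.
#
# The key (and a CSR for it) is generated on the controller, the key is
# copied to "{{ directory }}/{{ cname }}.key" on the target, and the
# controller-side copies are removed. Nothing is done when the key
# already exists on the target, so the play is idempotent.
#
# Required vars: directory, cname, key_usage
# Optional vars: key_size, country_name, locality_name,
#   state_or_province_name, organization_name, organizational_unit_name,
#   email_address, subject_alt_name, owner, group, key_mode
#
# Changes versus the previous revision:
#   - key material is created in a fresh, private temporary directory
#     (tempfile module, mkdtemp-style) instead of a predictable,
#     world-readable path under /tmp;
#   - cleanup is in a block/always so the private key does not linger on
#     the controller when the CSR or copy step fails.

- name: Ensure the directory containing the cert exists
  file:
    path: "{{ directory }}"
    state: directory

- name: Test if the key already exists
  stat:
    path: "{{ directory }}/{{ cname }}.key"
  register: key_file

- name: Generate and deploy the private key
  # The block-level condition also gates the always: section, so cleanup
  # only runs when something may have been created.
  when: not key_file.stat.exists
  block:
    - name: Create a private scratch directory on the controller
      become: false
      tempfile:
        state: directory
        prefix: "ansible_hacky_pki_{{ cname }}_"
      register: pki_tmp
      delegate_to: localhost

    - name: Generate private key
      become: false
      openssl_privatekey:
        path: "{{ pki_tmp.path }}/{{ cname }}.key"
        mode: "u=rw,g=,o="
        size: "{{ key_size | default(omit) }}"
      delegate_to: localhost

    # TODO: add a revocation method, most probably a CRL, with
    # crl_distribution_points.
    # NOTE(review): the CSR is generated here but is neither signed nor
    # fetched before it is removed in the always: section — confirm
    # whether a signing step is expected to live elsewhere.
    - name: Generate a Certificate Signing Request
      become: false
      openssl_csr:
        path: "{{ pki_tmp.path }}/{{ cname }}.csr"
        privatekey_path: "{{ pki_tmp.path }}/{{ cname }}.key"
        common_name: "{{ cname }}"
        country_name: "{{ country_name | default(omit) }}"
        locality_name: "{{ locality_name | default(omit) }}"
        state_or_province_name: "{{ state_or_province_name | default(omit) }}"
        organization_name: "{{ organization_name | default(omit) }}"
        organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
        email_address: "{{ email_address | default(omit) }}"
        # End-entity certificate: it must never be usable as a CA.
        # "CA:FALSE" is the openssl_csr spelling of this extension.
        basic_constraints:
          - "CA:FALSE"
        basic_constraints_critical: true
        key_usage: "{{ key_usage }}"
        key_usage_critical: true
        subject_alt_name: "{{ subject_alt_name | default(omit) }}"
      delegate_to: localhost

    - name: Send private key to the server
      # copy reads src on the controller and writes dest on the target.
      copy:
        src: "{{ pki_tmp.path }}/{{ cname }}.key"
        dest: "{{ directory }}/{{ cname }}.key"
        owner: "{{ owner | default('root') }}"
        group: "{{ group | default('root') }}"
        mode: "{{ key_mode | default('u=rw,g=,o=') }}"

  always:
    # Clean up: remove the whole scratch directory (key and CSR) on the
    # controller, even if an earlier task in the block failed. Skipped
    # when the directory was never created.
    - name: Remove the local key and CSR
      become: false
      file:
        path: "{{ pki_tmp.path }}"
        state: absent
      delegate_to: localhost
      when: pki_tmp.path is defined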