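---
# Root CA bootstrap: private key -> CSR -> self-signed certificate, then
# copy the public certificate back to the controller.
# All paths and subject fields are templated from the `root_ca` variable.

- name: Generate a private key for root CA
  become: true
  openssl_privatekey:
    path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
    owner: root
    group: root
    # Readable by root only; no passphrase is configured for this key,
    # so ownership and mode are what protect the key material on disk.
    mode: "u=r,g=,o="
    type: ECC
    curve: secp384r1

- name: Generate a CSR for the root CA private key
  become: true
  openssl_csr:
    privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
    path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
    owner: root
    group: root
    mode: "u=r,g=,o="
    common_name: "{{ root_ca.common_name }}"
    country_name: "{{ root_ca.country_name }}"
    locality_name: "{{ root_ca.locality_name }}"
    organization_name: "{{ root_ca.organization_name }}"
    state_or_province_name: "{{ root_ca.state_name }}"
    email_address: "{{ root_ca.email }}"
    # A CA cert should not carry its CN as a SAN.
    use_common_name_for_san: false
    basic_constraints_critical: true
    basic_constraints:
      - "CA:TRUE"
      # pathlen:0 means no intermediate CA may chain below this root.
      - "pathlen:0"  # FIXME: sub CA for persons (user certificates)?
    # Restrict the root key to signing certificates and CRLs.
    key_usage:
      - keyCertSign
      - digitalSignature
      - cRLSign
    key_usage_critical: true

# FIXME: regenerate when the certificate has expired (does not seem to be
# the case currently)
- name: Generate the root CA certificate
  become: true
  openssl_certificate:
    privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
    csr_path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
    path: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
    owner: root
    group: root
    # The certificate is public material; world-readable is intended
    # (the fetch task below relies on it without privilege escalation).
    mode: "u=r,g=r,o=r"
    provider: selfsigned
    selfsigned_not_before: "{{ root_ca.not_before }}"
    selfsigned_not_after: "{{ root_ca.not_after }}"

- name: Retrieve the root CA certificate
  fetch:
    src: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
    dest: "loot/certs/{{ root_ca.slug }}.pem"
    # true/false rather than yes/no: unambiguous across YAML 1.1/1.2 loaders.
    flat: true
...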