---
- name: Generate a private key for root CA
  become: true
  openssl_privatekey:
    path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
    owner: root
    group: root
    mode: u=r,g=,o=
    type: ECC
    curve: secp384r1

- name: Generate a CSR for the root CA private key
  become: true
  openssl_csr:
    privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
    path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
    owner: root
    group: root
    mode: u=r,g=,o=
    common_name: "{{ root_ca.common_name }}"
    country_name: "{{ root_ca.country_name }}"
    locality_name: "{{ root_ca.locality_name }}"
    organization_name: "{{ root_ca.organization_name }}"
    state_or_province_name: "{{ root_ca.state_name }}"
    email_address: "{{ root_ca.email }}"
    use_common_name_for_san: false
    basic_constraints_critical: true
    basic_constraints:
      - CA:TRUE
      - pathlen:0  # FIXME: sub CA personnes ?
    key_usage:
      - keyCertSign
      - cRLSign
    key_usage_critical: true

# FIXME: regénérer quand le certificat est expiré (ne semble pas
# le cas actuellement)
- name: Generate the root CA certificate
  become: true
  openssl_certificate:
    privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
    csr_path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
    path: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
    owner: root
    group: root
    mode: u=r,g=r,o=r
    provider: selfsigned
    selfsigned_not_before: "{{ root_ca.not_before }}"
    selfsigned_not_after: "{{ root_ca.not_after }}"

- name: Retrieve the root CA certificate
  fetch:
    src: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
    dest: "loot/certs/{{ root_ca.slug }}.pem"
    flat: yes
...