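---
# Issue a server certificate for the current host, signed by the root CA that
# lives on `openssl_ca_host`. The host's private key never leaves the host;
# only the CSR and the signed certificate travel through the controller
# (the local "loot/" tree).
#
# `certificate.slug` is used as a path component on the host, on the CA host
# and on the controller. It is assumed to come from inventory/group vars
# (not from gathered facts) — TODO confirm — so keep it a plain identifier.

- name: Generate the private key
  become: true
  openssl_privatekey:
    path: "/etc/ssl/private/{{ certificate.slug }}.pem"
    owner: root
    group: root
    mode: "u=r,g=,o="  # readable by root only; the key stays on this host
    type: ECC
    curve: secp384r1

- name: Generate the CSR
  become: true
  openssl_csr:
    privatekey_path: "/etc/ssl/private/{{ certificate.slug }}.pem"
    path: "/etc/ssl/csr/{{ certificate.slug }}.csr"
    owner: root
    group: root
    mode: "u=r,g=r,o=r"
    common_name: "{{ certificate.common_name }}"
    # Eventually every field will be set through overrides at certificate
    # generation time, on the CA side. We do not want to do it here, because
    # this runs on potentially compromised hosts: such a host could produce an
    # arbitrary CSR and get it signed by the CA (and the result may well be
    # accepted by the technicians' browsers).
    use_common_name_for_san: true
    basic_constraints:
      - CA:FALSE
    basic_constraints_critical: true
    key_usage:
      - digitalSignature
      - keyEncipherment
    key_usage_critical: true
    extended_key_usage:
      - serverAuth
    extended_key_usage_critical: true

- name: Download the CSR to local
  fetch:
    src: "/etc/ssl/csr/{{ certificate.slug }}.csr"
    dest: "loot/csr/ext/{{ certificate.slug }}.csr"
    flat: true

- name: Create directories for CSRs and certificates
  become: true
  # NOTE(review): these two directories are only referenced by the tasks
  # delegated to the CA host below, yet this task is not delegated, so it
  # creates them on the managed host — confirm whether it should carry
  # `delegate_to: "{{ openssl_ca_host }}"` or whether the CA role already
  # creates them.
  file:
    state: directory
    name: "{{ item }}"
    owner: root
    group: root
    mode: "u=rwx,g=rx,o=rx"
  loop:
    - /etc/ssl/csr/ext
    - /etc/ssl/certs/ext

- name: Upload the CSR to CA server
  become: true
  copy:
    # FIXME: we should use an "incoming" directory so that we do not
    # overwrite the CSR and the CA's certificate!
    src: "loot/csr/ext/{{ certificate.slug }}.csr"
    dest: "/etc/ssl/csr/ext/{{ certificate.slug }}.csr"
    owner: root
    group: root
    mode: "u=r,g=r,o=r"
  delegate_to: "{{ openssl_ca_host }}"

- name: Generate the certificate from CSR
  become: true
  # Runs on the CA host: the only task that touches the CA private key.
  # The CSR fetched from the (possibly compromised) host is presumably signed
  # as submitted; the override plan noted in "Generate the CSR" is what would
  # let the CA enforce the extensions itself rather than trust the CSR.
  openssl_certificate:
    ownca_privatekey_path: "/etc/ssl/private/{{ hostvars[openssl_ca_host].root_ca.slug }}.pem"
    ownca_path: "/etc/ssl/certs/{{ hostvars[openssl_ca_host].root_ca.slug }}.pem"
    csr_path: "/etc/ssl/csr/ext/{{ certificate.slug }}.csr"
    path: "/etc/ssl/certs/ext/{{ certificate.slug }}.pem"
    owner: root
    group: root
    mode: "u=r,g=r,o=r"
    provider: ownca
    ownca_not_before: "{{ certificate.not_before }}"
    ownca_not_after: "{{ certificate.not_after }}"
    # NOTE(review): ownca_locality_name / ownca_country_name are not among the
    # ownca_* options I know for openssl_certificate — confirm against the
    # module documentation for the Ansible version in use.
    ownca_locality_name: "{{ hostvars[openssl_ca_host].root_ca.locality_name }}"
    ownca_country_name: "{{ hostvars[openssl_ca_host].root_ca.country_name }}"
  delegate_to: "{{ openssl_ca_host }}"

- name: Retrieve the certificate
  fetch:
    src: "/etc/ssl/certs/ext/{{ certificate.slug }}.pem"
    dest: "loot/certs/ext/{{ certificate.slug }}.pem"
    flat: true
  delegate_to: "{{ openssl_ca_host }}"

- name: Send the certificate to host
  become: true
  copy:
    src: "loot/certs/ext/{{ certificate.slug }}.pem"
    dest: "/etc/ssl/certs/{{ certificate.slug }}.pem"
    owner: root
    group: root
    mode: "u=r,g=r,o=r"
...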