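---
# Provision one private, self-signed CA per entry of `managed_ca_authorities`
# under /etc/ssl/managed-ca/<name>/ (key.pem, csr.pem, crt.pem).
#
# `managed_ca_authorities` is a mapping keyed by CA name. Each value may carry
# the optional fields read below: `key.type`, `key.size`, `cert.common_name`,
# `cert.country_name`, `cert.locality_name`, `cert.organization_name`,
# `cert.organizational_unit_name`, `cert.state_or_province_name`,
# `cert.digest`, `cert.not_before`, `cert.not_after`. Any field that is not
# set is omitted from the module call and falls back to the module default.

# One directory per CA, accessible by root only: it will hold the CA key.
- name: create managed-ca CA directories
  loop: "{{ managed_ca_authorities | list }}"
  file:
    path: "/etc/ssl/managed-ca/{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0700"  # quoted: an unquoted 0700 is an octal int in YAML 1.1

- name: create managed-ca CA private keys
  loop: "{{ managed_ca_authorities | dict2items }}"
  loop_control:
    label: "{{ item.key }}"  # log only the CA name, not the whole item
  openssl_privatekey:
    path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
    type: "{{ item.value.key.type | default(omit) }}"
    size: "{{ item.value.key.size | default(omit) }}"
    owner: root
    group: root
    mode: "0600"  # private key readable by root only

# CSR for the CA certificate. The CA is constrained to issuing end-entity
# certificates (pathlen:0) and its key may only sign certificates and CRLs;
# both extensions are marked critical so relying parties must honour them.
- name: create signing request for managed-ca CA certificates
  loop: "{{ managed_ca_authorities | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  openssl_csr:
    path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem"
    privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
    common_name: "{{ item.value.cert.common_name | default(item.key) }}"
    use_common_name_for_san: false  # a CA certificate carries no SAN
    country_name: "{{ item.value.cert.country_name | default(omit) }}"
    locality_name: "{{ item.value.cert.locality_name | default(omit) }}"
    organization_name: "{{ item.value.cert.organization_name | default(omit) }}"
    organizational_unit_name: "{{ item.value.cert.organizational_unit_name | default(omit) }}"
    state_or_province_name: "{{ item.value.cert.state_or_province_name | default(omit) }}"
    key_usage:
      - cRLSign
      - keyCertSign
    key_usage_critical: true
    basic_constraints:
      - 'CA:TRUE'
      - 'pathlen:0'
    basic_constraints_critical: true

# Self-signed root certificate for each CA. Digest and validity window come
# from the CA entry when given; otherwise the module defaults apply.
- name: create managed-ca CA certificates
  loop: "{{ managed_ca_authorities | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  openssl_certificate:
    path: "/etc/ssl/managed-ca/{{ item.key }}/crt.pem"
    csr_path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem"
    privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
    provider: selfsigned
    selfsigned_digest: "{{ item.value.cert.digest | default(omit) }}"
    selfsigned_not_before: "{{ item.value.cert.not_before | default(omit) }}"
    selfsigned_not_after: "{{ item.value.cert.not_after | default(omit) }}"
    # Always emit a Subject Key Identifier so issued certificates can chain
    # back to this CA via Authority Key Identifier.
    selfsigned_create_subject_key_identifier: always_create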