---
managed_ca_cert_hostnames: "{{ x509_certificate_hostnames }}"
managed_ca_cert_name: "{{ x509_certificate_name | default(managed_ca_cert_hostnames[0]) }}"

managed_ca_cert_base_dir: "/etc/ssl"

managed_ca_cert_default_renew_margin: "+30d"
managed_ca_cert_config: "{{ x509_certificate_config }}"
# managed_ca_cert_config:
#   path: "{{ managed_ca_cert_base_dir }}/{{ managed_ca_cert_name }}"
#   mode: "0750"
#   owner: root
#   group: www-data
#   ca:
#     host: inventory_name_of_ca_host
#     name: my-ca
#   key:
#     mode: "0640"
#     owner: root
#     group: www-data
#     type: RSA
#     size: 4096
#   cert:
#     mode: "0644"
#     owner: root
#     group: www-data
#     common_name: foo
#     san_extra:
#     - "IP:192.0.2.1"
#     country_name: "AT"
#     locality_name: "Graz"
#     organization_name: "spreadspace"
#     organizational_unit_name: "ansible"
#     state_or_province_name: "Styria"
#     basic_constraints:
#     - "CA:FALSE"
#     basic_constraints_critical: no
#     key_usage:
#     - digitalSignature
#     - keyAgreement
#     key_usage_critical: yes
#     extended_key_usage:
#     - serverAuth
#     extended_key_usage_critical: yes
#     create_subject_key_identifier: yes
#     digest: sha256
#     not_before: +0h
#     not_after: +520w
#     renew_margin: +42d