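---
# Creates a self-signed private CA and optionally distributes its certificate
# (never its key) to other hosts.
#
# Variables consumed here (expected from the role's defaults/vars):
#   cacert_ca_name                 - base name of the .key/.csr/.crt files
#   cacert_ssl_gen_path            - directory the CA material is written to
#   cacert_ca_copy_to              - optional list of {host: ..., path: ...}
#   cacert_ca_trust_anchors_update - when true, also install the CA into the
#                                    system trust store of each target host
#
# Security note: every host that receives this CA in its trust store will
# trust any certificate signed with the CA key. The key is pinned to 0600
# below; keep cacert_ssl_gen_path off shared or world-readable locations.

- name: Create CA {{ cacert_ca_name }}
  block:
    # Module defaults are RSA / 4096 bits. The mode is set explicitly so the
    # key is never left readable by other local users, whatever the umask.
    - name: Generate an OpenSSL private CA key with the default values (4096 bits, RSA)
      community.crypto.openssl_privatekey:
        path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
        mode: "0600"
      register: cacert_ca_key_gen

    # CA profile: CA:TRUE and keyCertSign, both marked critical. No SAN is
    # derived from the CN because a CA certificate is not a server identity.
    # NOTE(review): add cRLSign to key_usage if this CA will ever publish
    # CRLs, and consider 'CA:TRUE, pathlen:0' if it must only sign
    # end-entity certificates.
    - name: Generate an OpenSSL Certificate Signing Request
      community.crypto.openssl_csr:
        path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.csr"
        privatekey_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
        use_common_name_for_san: false
        basic_constraints:
          - 'CA:TRUE'
        basic_constraints_critical: true
        key_usage:
          - keyCertSign
        key_usage_critical: true
        common_name: "{{ cacert_ca_name }}"
      register: cacert_ca_csr

    # Validity is left at the module default; set selfsigned_not_after
    # explicitly if policy requires a fixed CA lifetime.
    - name: Generate a Self Signed OpenSSL CA certificate
      community.crypto.x509_certificate:
        path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
        csr_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.csr"
        privatekey_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
        provider: selfsigned
      register: cacert_ca_cert_gen

# Each cacert_ca_copy_to entry is {host: <inventory host>, path: <dest dir>}.
# `loop` is evaluated before `when`, so a bare "is defined" guard does not
# prevent an undefined-variable error; default([]) turns the loop into a no-op.
# NOTE(review): `copy` reads `src` from the controller, so this block assumes
# the "Create CA" tasks ran on localhost (or that cacert_ssl_gen_path is
# reachable from the controller) — confirm against the calling play.
- name: Distribute CA
  become: true
  block:
    - name: CA and cert | Check if dest dir exist on remote hosts
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: directory
      delegate_to: "{{ item.host }}"
      loop: "{{ cacert_ca_copy_to | default([]) }}"

    - name: Put CA OpenSSL cert
      ansible.builtin.copy:
        src: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
        dest: "{{ item.path }}/{{ cacert_ca_name }}.crt"
      delegate_to: "{{ item.host }}"
      loop: "{{ cacert_ca_copy_to | default([]) }}"

    # Installs the CA into the system-wide trust store using the RHEL/Fedora
    # layout (update-ca-trust). Debian-family hosts use
    # /usr/local/share/ca-certificates + update-ca-certificates instead.
    - name: Put CA OpenSSL cert to PKI
      ansible.builtin.copy:
        src: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
        dest: "/etc/pki/ca-trust/source/anchors/{{ cacert_ca_name }}.crt"
      when:
        - cacert_ca_trust_anchors_update | default(false)
      register: ca_trust_anchors
      delegate_to: "{{ item.host }}"
      loop: "{{ cacert_ca_copy_to | default([]) }}"

    # Re-extract the trust store only on hosts whose anchor actually changed
    # (per-item result) instead of on every host whenever any one changed.
    # No shell features are needed, so `command` is used rather than `shell`.
    - name: Update CA trust
      ansible.builtin.command: update-ca-trust extract
      when:
        - cacert_ca_trust_anchors_update | default(false)
        - item.changed | default(false)
      delegate_to: "{{ item.item.host }}"
      loop: "{{ ca_trust_anchors.results | default([]) }}"
      loop_control:
        label: "{{ item.item.host }}"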