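# Per-client certificate generation and distribution.
#
# NOTE(review): these tasks reference an outer `item` (name, optional
# subject_alt_ips / subject_alt_names, and a `dest` list of
# {host, path, name, concat} targets) — inferred from usage, confirm against
# the including play/task.
# NOTE(review): `ansible.builtin.copy` reads `src` on the controller
# (remote_src is not set), so the generation tasks below only line up with the
# distribution tasks if the including play runs them on the controller — verify.

- name: CA and cert | Check if dest dir exist on remote hosts
  become: true
  ansible.builtin.file:
    name: "{{ dest.path }}"
    state: directory
  delegate_to: "{{ dest.host }}"
  loop: "{{ item.dest }}"
  loop_control:
    loop_var: dest

- name: CA and certs | Generate clients certs and keys
  block:
    - name: Generate an OpenSSL private client key with the default values (4096 bits, RSA)
      community.crypto.openssl_privatekey:
        path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
      when: cacert_cert is not defined
      register: cacert_client_key_gen

    # Both SAN facts are (re)set on every iteration. Facts persist across
    # loop items, so a conditional set_fact would let a client without SANs
    # inherit the previous client's IPs/DNS names into its own certificate.
    - name: Generate subject_alt_ips
      ansible.builtin.set_fact:
        client_subject_alt_ips: "{{ item.subject_alt_ips | default([]) | map('regex_replace', '^', 'IP:') | list }}"

    - name: Generate subject_alt_names
      ansible.builtin.set_fact:
        client_subject_alt_names: "{{ item.subject_alt_names | default([]) | map('regex_replace', '^', 'DNS:') | list }}"

    - name: Generate an OpenSSL Certificate Signing Request for client
      community.crypto.openssl_csr:
        path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
        privatekey_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
        common_name: "{{ item.name }}"
      register: cacert_client_csr
      when:
        - item.subject_alt_names is not defined
        - item.subject_alt_ips is not defined

    # SAN = requested IPs + requested DNS names + the CN itself as a DNS entry.
    - name: Generate an OpenSSL Certificate Signing Request for client with subject_alt_name
      community.crypto.openssl_csr:
        path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
        privatekey_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
        common_name: "{{ item.name }}"
        subject_alt_name: "{{ (client_subject_alt_ips | default([])) + (client_subject_alt_names | default([])) + ['DNS:' ~ item.name] }}"
      register: cacert_client_csr
      when: item.subject_alt_names is defined or item.subject_alt_ips is defined

    - name: Generate an OpenSSL certificate for client signed with your own CA certificate
      community.crypto.x509_certificate:
        path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt"
        csr_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
        ownca_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
        ownca_privatekey_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
        provider: ownca
      register: cacert_client_cert

    # Both paths are spelled out: the shell module runs under /bin/sh, and
    # brace expansion (`.{crt,key}`) is not available in every /bin/sh (e.g. dash).
    # stdout carries the private key, so the task result is kept out of logs.
    - name: Get {{ item.name }} OpenSSL crt and key content
      ansible.builtin.shell: |
        cat {{ cacert_ssl_gen_path }}/{{ item.name }}.crt {{ cacert_ssl_gen_path }}/{{ item.name }}.key
      register: concated_crt_key
      changed_when: false
      no_log: true

    # The combined file contains the private key: restrict it like the key.
    - name: Concatenate and save {{ item.name }} OpenSSL crt and key to single file
      ansible.builtin.copy:
        content: "{{ concated_crt_key.stdout }}"
        dest: "{{ cacert_ssl_gen_path }}/{{ dest.name | default(item.name) }}.{{ dest.concat }}"
        mode: "0600"
      loop: "{{ item.dest }}"
      loop_control:
        loop_var: dest
      when:
        - dest.concat is defined

- name: Distribute client certs
  become: true
  block:
    - name: Write {{ item.name }} OpenSSL key
      ansible.builtin.copy:
        src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
        dest: "{{ dest.path }}/{{ dest.name | default(item.name) }}.key"
        mode: "0600"  # quoted: a bare 0600 is parsed as a YAML 1.1 octal int
      delegate_to: "{{ dest.host }}"
      loop: "{{ item.dest }}"
      loop_control:
        loop_var: dest
      when:
        - dest.concat is not defined

    # The certificate is public; no mode restriction is applied here.
    - name: Write {{ item.name }} OpenSSL crt
      ansible.builtin.copy:
        src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt"
        dest: "{{ dest.path }}/{{ dest.name | default(item.name) }}.crt"
      delegate_to: "{{ dest.host }}"
      loop: "{{ item.dest }}"
      loop_control:
        loop_var: dest
      when:
        - dest.concat is not defined

    # Concatenated crt+key embeds the private key: same mode as the bare key.
    - name: Write concatenated {{ item.name }} OpenSSL crt and key
      ansible.builtin.copy:
        src: "{{ cacert_ssl_gen_path }}/{{ dest.name | default(item.name) }}.{{ dest.concat }}"
        dest: "{{ dest.path }}/{{ dest.name | default(item.name) }}.{{ dest.concat }}"
        mode: "0600"
      delegate_to: "{{ dest.host }}"
      loop: "{{ item.dest }}"
      loop_control:
        loop_var: dest
      when:
        - dest.concat is defined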