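---
#
# Create a CA used to issue SSL certs just for transport encryption.
#
# Inputs (defined outside this file):
#   selfsigned_ca_dir                     - directory holding the CA key and cert
#   selfsigned_ca_private_key_passphrase  - passphrase for the CA private key;
#                                           keep it in an encrypted store
#                                           (e.g. Ansible Vault), not plain vars
#   stage                                 - appended to the CA common name
#

# The directory is world-readable (0755), so the CA key inside it depends on
# its own file mode and its passphrase for protection.
- name: "Ensure directory for selfsigned CA"
  file:
    path: "{{ selfsigned_ca_dir }}"
    state: directory
    mode: "0755"
    owner: root
    group: root

- name: "Create private key with password protection"
  community.crypto.openssl_privatekey:
    path: "{{ selfsigned_ca_dir }}/ca-certificate.key"
    passphrase: "{{ selfsigned_ca_private_key_passphrase }}"
    # A cipher must be given when a passphrase is set.
    cipher: auto
    # Pin the key file to owner-only access explicitly, because the parent
    # directory is readable by every local user.
    mode: "0600"

# The CSR is produced in memory (the *_pipe module) and handed to the next
# task through the registered variable; no CSR file is written to disk.
- name: "Create certificate signing request (CSR) for CA certificate"
  community.crypto.openssl_csr_pipe:
    privatekey_path: "{{ selfsigned_ca_dir }}/ca-certificate.key"
    privatekey_passphrase: "{{ selfsigned_ca_private_key_passphrase }}"
    common_name: "SMARDIGO Ansible CA {{ stage }}"
    use_common_name_for_san: false
    # Mark the certificate as a CA and restrict its key to signing certs.
    # Both extensions are critical, so verifiers must honour them.
    basic_constraints:
      - "CA:TRUE"
    basic_constraints_critical: true
    key_usage:
      - keyCertSign
    key_usage_critical: true
  register: ca_csr

- name: "Create self-signed CA certificate from CSR"
  community.crypto.x509_certificate:
    path: "{{ selfsigned_ca_dir }}/ca-certificate.pem"
    csr_content: "{{ ca_csr.csr }}"
    privatekey_path: "{{ selfsigned_ca_dir }}/ca-certificate.key"
    privatekey_passphrase: "{{ selfsigned_ca_private_key_passphrase }}"
    provider: selfsigned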