---

# creating a minimal ca

- name: Certificates | Internal | Minimal CA | Checking config
  ansible.builtin.assert:
    that:
      - config_ca.ca.key_size in CERT_HC.options.key_size.ca
      - config_ca.ca.email is none or config_ca.ca.email | validate_email

- name: Certificates | Internal | Minimal CA | Creating ca directory
  ansible.builtin.file:
    path: "{{ config_ca.ca.path | default(config_ca.path, true) }}"
    state: directory
    mode: 0750
    owner: "{{ config_ca.owner_key }}"
    group: "{{ config_ca.group_key }}"
  changed_when: false

- name: Certificates | Internal | Minimal CA | Generate ca private key (encrypted key)
  community.crypto.openssl_privatekey:
    path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_key }}"
    passphrase: "{{ config_ca.ca.pwd }}"
    select_crypto_backend: "{{ config_ca.ca.backend }}"
    cipher: "{{ config_ca.ca.cipher }}"
    size: "{{ config_ca.ca.key_size }}"
    type: "{{ config_ca.ca.key_type }}"
    regenerate: "{{ config_ca.ca.regenerate }}"
    mode: "{{ config_ca.mode_key }}"
    owner: "{{ config_ca.owner_key }}"
    group: "{{ config_ca.group_key }}"
  no_log: true
  when: config_ca.ca.pwd | default(none, true) is not none

- name: Certificates | Internal | Minimal CA | Generate ca private key (plain key)
  community.crypto.openssl_privatekey:
    path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_key }}"
    select_crypto_backend: "{{ config_ca.ca.backend }}"
    size: "{{ config_ca.ca.key_size }}"
    type: "{{ config_ca.ca.key_type }}"
    regenerate: "{{ config_ca.ca.regenerate }}"
    mode: "{{ config_ca.mode_key }}"
    owner: "{{ config_ca.owner_key }}"
    group: "{{ config_ca.group_key }}"
  no_log: true
  when: config_ca.ca.pwd | default(none, true) is none

# NOTE: for details see https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html

- name: Certificates | Internal | Minimal CA | Generating ca signing-request (encrypted key)
  community.crypto.openssl_csr:
    path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_csr }}"
    select_crypto_backend: "{{ config_ca.ca.backend }}"
    privatekey_path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_key }}"
    privatekey_passphrase: "{{ config_ca.ca.pwd }}"
    basic_constraints: ['CA:TRUE', 'pathlen:2']
    basic_constraints_critical: true
    key_usage: ['cRLSign', 'digitalSignature', 'keyCertSign']
    key_usage_critical: true
    digest: "{{ config_ca.ca.digest }}"
    common_name: "{{ config_ca.ca.cn }}"
    organization_name: "{{ config_ca.ca.org }}"
    country_name: "{{ config_ca.ca.country }}"
    state_or_province_name: "{{ config_ca.ca.state }}"
    locality_name: "{{ config_ca.ca.locality }}"
    email_address: "{{ config_ca.ca.email }}"
    mode: "{{ config_ca.mode_cert }}"
    owner: "{{ config_ca.owner_cert }}"
    group: "{{ config_ca.group_cert }}"
  no_log: true
  when: config_ca.ca.pwd | default(none, true) is not none

- name: Certificates | Internal | Minimal CA | Generating ca signing-request (plain key)
  community.crypto.openssl_csr:
    path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_csr }}"
    select_crypto_backend: "{{ config_ca.ca.backend }}"
    privatekey_path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_key }}"
    basic_constraints: ['CA:TRUE', 'pathlen:2']
    basic_constraints_critical: true
    key_usage: ['cRLSign', 'digitalSignature', 'keyCertSign']
    key_usage_critical: true
    digest: "{{ config_ca.ca.digest }}"
    common_name: "{{ config_ca.ca.cn }}"
    organization_name: "{{ config_ca.ca.org }}"
    country_name: "{{ config_ca.ca.country }}"
    state_or_province_name: "{{ config_ca.ca.state }}"
    locality_name: "{{ config_ca.ca.locality }}"
    email_address: "{{ config_ca.ca.email }}"
    mode: "{{ config_ca.mode_cert }}"
    owner: "{{ config_ca.owner_cert }}"
    group: "{{ config_ca.group_cert }}"
  no_log: true
  when: config_ca.ca.pwd | default(none, true) is none

- name: Certificates | Internal | Minimal CA | Generating ca certificate (encrypted key)
  community.crypto.x509_certificate:
    path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_cert }}"
    select_crypto_backend: "{{ config_ca.ca.backend }}"
    csr_path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_csr }}"
    privatekey_path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_key }}"
    privatekey_passphrase: "{{ config_ca.ca.pwd }}"
    provider: selfsigned
    selfsigned_not_after: "+{{ config_ca.ca.valid_days }}d"
    mode: "{{ config_ca.mode_cert }}"
    owner: "{{ config_ca.owner_cert }}"
    group: "{{ config_ca.group_cert }}"
  no_log: true
  when: config_ca.ca.pwd | default(none, true) is not none

- name: Certificates | Internal | Minimal CA | Generating ca certificate (plain key)
  community.crypto.x509_certificate:
    path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_cert }}"
    select_crypto_backend: "{{ config_ca.ca.backend }}"
    privatekey_path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_key }}"
    csr_path: "{{ config_ca.ca.path | default(config_ca.path, true) }}/ca.{{ config_ca.extension_csr }}"
    provider: selfsigned
    selfsigned_not_after: "+{{ config_ca.ca.valid_days }}d"
    mode: "{{ config_ca.mode_cert }}"
    owner: "{{ config_ca.owner_cert }}"
    group: "{{ config_ca.group_cert }}"
  no_log: true
  when: config_ca.ca.pwd | default(none, true) is none