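---
# Builds a self-signed root CA under /etc/pki/konchin.com/:
# an encrypted private key, an in-memory CSR with CA constraints, and the
# resulting self-signed certificate.
#
# NOTE(review): secret_ca_passphrase is assumed to come from an encrypted
# source such as Ansible Vault, never from plain-text vars -- confirm.

# /etc/pki is a shared system directory on RHEL-family hosts (system trust
# store, TLS certs, RPM GPG keys). Forcing it to 0700 would stop non-root
# processes from reading the trust bundle, so it stays world-traversable;
# the CA material is protected by the 0700 subdirectory below.
- name: Install pki directory
  ansible.builtin.file:
    path: /etc/pki/
    state: directory
    mode: '0755'
    owner: root
    group: root

# Only root may enter the CA directory. The root certificate written here is
# therefore not readable by other users either; publish a copy elsewhere if
# clients need to trust it.
- name: Install CA directory
  ansible.builtin.file:
    path: /etc/pki/konchin.com/
    state: directory
    mode: '0700'
    owner: root
    group: root

# The key is encrypted at rest with the passphrase; file permissions are
# pinned explicitly so they do not depend on module defaults.
- name: Create private key for root ca
  community.crypto.openssl_privatekey:
    path: /etc/pki/konchin.com/rootca.key
    cipher: auto
    passphrase: "{{ secret_ca_passphrase }}"
    mode: '0600'
    owner: root
    group: root

# The CSR is generated in memory only (the _pipe module writes no file) and
# handed to the next task through the registered variable.
# basicConstraints CA:TRUE and keyUsage keyCertSign are both marked critical
# so that validators must honour them.
# NOTE(review): cRLSign is not requested; add it to key_usage if this CA is
# meant to sign its own CRLs.
- name: Create CSR for root ca
  community.crypto.openssl_csr_pipe:
    privatekey_path: /etc/pki/konchin.com/rootca.key
    privatekey_passphrase: "{{ secret_ca_passphrase }}"
    common_name: Konchin.com CA
    use_common_name_for_san: false
    basic_constraints:
      - 'CA:TRUE'
    basic_constraints_critical: true
    key_usage:
      - keyCertSign
    key_usage_critical: true
  register: ca_csr

# Self-sign the CSR with the CA's own key. No validity window is set here,
# so the module's default lifetime applies.
- name: Create cert for root ca
  community.crypto.x509_certificate:
    path: /etc/pki/konchin.com/rootca.pem
    csr_content: "{{ ca_csr.csr }}"
    privatekey_path: /etc/pki/konchin.com/rootca.key
    privatekey_passphrase: "{{ secret_ca_passphrase }}"
    provider: selfsigned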