---
- name: Install www directory
  ansible.builtin.file:
    path: /etc/pki/www.konchin.com
    state: directory
    mode: '0700'
    owner: root
    group: root

- name: Create private key for www
  community.crypto.openssl_privatekey:
    path: /etc/pki/www.konchin.com/cert.key

- name: Create CSR for www
  community.crypto.openssl_csr_pipe:
    privatekey_path: /etc/pki/www.konchin.com/cert.key
    subject_alt_name:
      - 'DNS:www.konchin.com'
      - 'DNS:*.konchin.com'
  register: csr

- name: Sign with root ca
  community.crypto.x509_certificate:
    path: /etc/pki/www.konchin.com/cert.pem
    csr_content: "{{ csr.csr }}"
    provider: ownca
    ownca_path: /etc/pki/konchin.com/rootca.pem
    ownca_privatekey_path: /etc/pki/konchin.com/rootca.key
    ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}"
    ownca_not_after: +365d  # valid for one year
    ownca_not_before: "-1d"  # valid since yesterday