roles/pki-intermediate-ca/tasks/main.yml

---
# pki-ca/tasks/main.yml

- name: Create PKI directory
  become: yes
  file:
    dest: "{{ pki_dir }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: 0755

- name: Create intermediate CA directory
  become: yes
  file:
    dest: "{{ pki_dir }}/intermediate_ca"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: 0755

- name: Create intermediate CA openssl.cnf from template
  template:
    src: openssl_im.cnf.j2
    dest: "{{ pki_dir }}/intermediate_ca/openssl.cnf"
    force: no

- name: Create subdirs for intermediate CA
  file:
    dest: "{{ pki_dir }}/intermediate_ca/{{ item }}"
    state: directory
  with_items:
    - certs
    - crl
    - csr
    - newcerts

- name: Create private CA directory
  file:
    dest: "{{ pki_dir }}/intermediate_ca/private"
    state: directory
    mode: 0700

- name: Create serial file
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/serial"
    content: "01"
    force: no

- name: Create empty index file if it doesn't exist
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/index.txt"
    content: ""
    force: no

- name: Save intermediate passphrase to intermediate_ca/private/ca_im_phrase
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/private/ca_im_phrase"
    content: "{{ ca_im_phrase }}"
    mode: 0400

- name: Generate intermediate key
  command: >
    openssl genrsa -aes256
      -out {{ pki_dir }}/intermediate_ca/private/im_key.pem
      -passout file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
      {{ ca_size }}
  args:
    creates: "{{ pki_dir }}/intermediate_ca/private/im_key.pem"

- name: Set permissions on intermediate key
  file:
    dest: "{{ pki_dir }}/intermediate_ca/private/im_key.pem"
    mode: 0400

- name: Create intermediate CSR
  command: >
    openssl req -config {{ pki_dir }}/intermediate_ca/openssl.cnf
      -key {{ pki_dir }}/intermediate_ca/private/im_key.pem
      -passin file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
      -new -sha256 -subj "{{ ca_im_subj }}"
      -out {{ pki_dir }}/intermediate_ca/csr/intermediate_ca_csr.pem
  args:
    creates: "{{ pki_dir }}/intermediate_ca/certs/intermediate_ca_csr.pem"
  environment:
    KEY_ALTNAMES: ""

- name: Create intermediate cert from CSR with root CA
  command: >
    openssl ca -config {{ pki_dir }}/root_ca/openssl.cnf -batch
      -extensions v3_intermediate_ca
      -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
      -days {{ ca_im_days }} -md {{ ca_digest }}
      -in {{ pki_dir }}/intermediate_ca/csr/intermediate_ca_csr.pem
      -out {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
  args:
    creates: "{{ pki_dir }}/intermediate_ca/certs/im_cert.pem"

- name: Verify intemediate cert
  command: >
    openssl verify
      -CAfile {{ pki_dir }}/root_ca/certs/ca_cert.pem
      {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
  register: im_verify
  tags:
     - skip_ansible_lint # diagnostic command

- name: Assert that verify of intermediate cert succeeded
  assert:
    that: "'OK' in '{{ im_verify.stdout }}'"

- name: Get the root cert into ca_cert var
  command: >
    openssl x509 -in {{ pki_dir }}/root_ca/certs/ca_cert.pem
  register: ca_cert
  tags:
     - skip_ansible_lint # concat of files

- name: Get the intermediate cert into im_cert var
  command: >
    openssl x509 -in {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
  register: im_cert
  tags:
     - skip_ansible_lint # concat of files

- name: Create intermediate cert chain
  copy:
    dest: "{{ pki_dir }}/intermediate_ca/certs/im_cert_chain.pem"
    content: "{{ im_cert.stdout }}\n{{ ca_cert.stdout }}"