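---
# Client certificate issuance: create a private key, build a CSR (one task for
# the no-SAN case, one for the SAN case), then sign it with the intermediate CA
# (one task for an unprotected CA key, one for a passphrase-protected CA key).
# All paths, names and passphrases come from the certificate_authority_* variables.

- name: Create private key for client
  community.crypto.openssl_privatekey:
    path: "{{ certificate_authority_client_path }}/privkey.pem"
    type: "{{ certificate_authority_client_tls_key_type }}"
    passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
    # The cipher is derived from the passphrase. NOTE(review): unlike the CA
    # passphrase handled below, an empty client passphrase is not special-cased
    # here — confirm the module's behaviour for an empty string if that is a
    # supported input.
    cipher: auto

- name: Create a certificate signing request (CSR) for client certificate without subject alternative names (SANs)
  community.crypto.openssl_csr:
    path: "{{ certificate_authority_client_path }}/cert-req.pem"
    privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
    privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
    common_name: "{{ certificate_authority_client_common_name }}"
    # NOTE(review): serverAuth is granted as well, so this "client" certificate
    # is also acceptable as a TLS server identity; drop it if the credential is
    # meant to be client-only.
    extended_key_usage:
      - clientAuth
      - serverAuth
  # Only when no SAN list was supplied (variable undefined or empty).
  when: (certificate_authority_client_subject_alternative_names | default([])) | length == 0

- name: Create a certificate signing request (CSR) for client certificate with subject alternative names (SANs)
  community.crypto.openssl_csr:
    path: "{{ certificate_authority_client_path }}/cert-req.pem"
    privatekey_path: "{{ certificate_authority_client_path }}/privkey.pem"
    privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
    common_name: "{{ certificate_authority_client_common_name }}"
    # NOTE(review): serverAuth is granted as well, so this "client" certificate
    # is also acceptable as a TLS server identity; drop it if the credential is
    # meant to be client-only.
    extended_key_usage:
      - clientAuth
      - serverAuth
    # subject_alt_name takes a list; each entry gets its SAN type prefix.
    # The list is passed as-is rather than joined with ',' and run through
    # "quote": that filter is shell quoting, and would wrap any entry containing
    # a shell-special character (e.g. a wildcard "*.example.com") in single
    # quotes, corrupting the SAN.
    subject_alt_name: "{{ certificate_authority_client_subject_alternative_names | map('regex_replace', '^', 'DNS:') | list }}"
  # Only when a non-empty SAN list was supplied.
  when: (certificate_authority_client_subject_alternative_names | default([])) | length > 0

- name: Create signed client certificate - unprotected intermediate Certificate Authority (CA)
  community.crypto.x509_certificate:
    path: "{{ certificate_authority_client_path }}/cert.pem"
    csr_path: "{{ certificate_authority_client_path }}/cert-req.pem"
    privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
    provider: ownca
    ownca_path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
    ownca_privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
    ownca_not_before: "{{ certificate_authority_client_not_before }}"
    ownca_not_after: "{{ certificate_authority_client_not_after }}"
  # The CA key has no passphrase; the variable must be defined (possibly empty).
  when: certificate_authority_intermediate_ca_tls_key_passphrase | length <= 0

- name: Create signed client certificate - passphrase protected intermediate Certificate Authority (CA)
  community.crypto.x509_certificate:
    path: "{{ certificate_authority_client_path }}/cert.pem"
    csr_path: "{{ certificate_authority_client_path }}/cert-req.pem"
    privatekey_passphrase: "{{ certificate_authority_client_tls_key_passphrase }}"
    provider: ownca
    ownca_path: "{{ certificate_authority_intermediate_ca_path }}/cert.pem"
    ownca_privatekey_path: "{{ certificate_authority_intermediate_ca_path }}/privkey.pem"
    # Same as the task above, plus the passphrase that unlocks the CA key.
    ownca_privatekey_passphrase: "{{ certificate_authority_intermediate_ca_tls_key_passphrase }}"
    ownca_not_before: "{{ certificate_authority_client_not_before }}"
    ownca_not_after: "{{ certificate_authority_client_not_after }}"
  # The CA key is passphrase protected.
  when: certificate_authority_intermediate_ca_tls_key_passphrase | length > 0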