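# Resolve file locations and merged settings for one certificate (`certname`),
# then create its private key and CSR below /etc/ssl.
# `certname` and `certificates` are not set in these tasks; the caller must
# provide them.

- name: "set base directory for certificate files"
  set_fact:
    basepath: "/etc/ssl"

# The key and the combined PEM go under private/; CSR, CA, certificate and
# chain sit directly in the base directory.
- name: "derive file paths for {{ certname }}"
  set_fact:
    cert_paths:
      csrpath: "{{ basepath + '/' + certname + '.csr' }}"
      capath: "{{ basepath + '/' + certname + '.ca' }}"
      keypath: "{{ basepath + '/private/' + certname + '.key' }}"
      certpath: "{{ basepath + '/' + certname + '.crt' }}"
      chainpath: "{{ basepath + '/' + certname + '.chain.crt' }}"
      fullpath: "{{ basepath + '/private/' + certname + '.complete.pem' }}"

# Later arguments to combine() win: defaults < derived paths < per-certificate
# entry < forced name. A per-certificate entry can therefore replace any of the
# derived paths, including keypath.
- name: "merge settings for {{ certname }}"
  set_fact:
    cert: "{{ {}|combine(certificates.defaults, cert_paths, certificates.certs[certname]|d({}), {'name': certname}, recursive=True ) }}"

# Backend definition selected by cert.backend, with optional per-certificate
# overrides layered on top.
- name: "merge backend settings for {{ certname }}"
  set_fact:
    cert_backend: "{{ {}|combine(certificates.backends[cert.backend], cert.backend_override|d({}), recursive=True) }}"

# The three debug tasks only print when the play runs with -v or higher.
- name: "show merged certificate settings"
  debug:
    verbosity: 1
    var: cert

# NOTE(review): cert_backend is the full merged backend configuration. If a
# backend entry can hold credentials, they are printed here at -v; confirm
# against the backend definitions before keeping this task.
- name: "show merged backend settings"
  debug:
    verbosity: 1
    var: cert_backend

- name: "show raw per-certificate entry"
  debug:
    verbosity: 1
    var: certificates.certs[certname]

# 4096-bit RSA key, owned by root, readable by group ssl-cert, no access for
# others. The mode is quoted so the module receives the string "0640" rather
# than depending on how the YAML parser treats a leading-zero integer.
- name: "generate key for {{ certname }}"
  openssl_privatekey:
    path: "{{ cert.keypath }}"
    size: 4096
    type: RSA
    mode: "0640"
    owner: root
    group: ssl-cert

# Common name: cert.cn if set, else the first SAN, else the certificate name.
# Every cert.san entry is emitted as a DNS: subjectAltName.
# NOTE(review): assumes certificates.defaults supplies `cn` and `san`; verify.
- name: "generate csr for {{ certname }}"
  openssl_csr:
    path: "{{ cert.csrpath }}"
    privatekey_path: "{{ cert.keypath }}"
    common_name: "{% if cert.cn %}{{ cert.cn }}{% elif cert.san|length > 0 %}{{ cert.san[0] }}{% else %}{{ cert.name }}{% endif %}"
    subject_alt_name: "{{ cert.san | map('regex_replace', '^', 'DNS:') | list }}"
  register: task_generate_csr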