From 3c259e30b8b3fca7929e12639a7528c3155d8e87 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 16 Apr 2025 18:07:27 +0200
Subject: [PATCH] Also generate a certificate able to do client authentication.

---
 defaults/main.yml                     |  4 ++--
 tasks/certificate_from_private_ca.yml | 22 ++++++++++++++++++++--
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 7736e34..051d997 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -207,9 +207,9 @@ self_signed_subject: "/CN={{ ansible_fqdn }} self signed"
 
 mkcert_create_certificate: false
 mkcert_cert_name: "{{ ansible_fqdn }}.pem"
-mkcert_cert_dest_path: "{{ pki_dir }}/certs/{{ mkcert_cert_name }}"
+mkcert_cert_dest_path: "{{ pki_dir }}/certs"
 mkcert_key_name: "{{ ansible_fqdn }}-key.pem"
-mkcert_key_dest_path: "{{ pki_dir }}/keys/{{ mkcert_key_name }}"
+mkcert_key_dest_path: "{{ pki_dir }}/keys"
 mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {% for ip in ansible_all_ipv4_addresses %}{{ ip }} {% endfor %}"
 
 mkcert_ca_host: localhost
diff --git a/tasks/certificate_from_private_ca.yml b/tasks/certificate_from_private_ca.yml
index d9688e2..a7d3b95 100644
--- a/tasks/certificate_from_private_ca.yml
+++ b/tasks/certificate_from_private_ca.yml
@@ -16,6 +16,16 @@
     CAROOT: /srv/mkcert-ca/.local/share/mkcert
   delegate_to: "{{ mkcert_ca_host }}"
 
+- name: certificate_from_private_ca | Create the certificate (delegate to the CA vm)
+  ansible.builtin.command:
+    cmd: mkcert -client -cert-file /srv/mkcert-ca/client-{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/client-{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }}
+  args:
+    chdir: /srv/mkcert-ca
+    creates: "/srv/mkcert-ca/client-{{ mkcert_cert_name }}"
+  environment:
+    CAROOT: /srv/mkcert-ca/.local/share/mkcert
+  delegate_to: "{{ mkcert_ca_host }}"
+
 - name: certificate_from_private_ca | Manage the certificate installation
   tags: [pki, tls, tls_certificate]
   block:
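Review bot: The new values of `mkcert_cert_dest_path` and `mkcert_key_dest_path` turn two public role defaults from a file path into a directory path, which silently breaks any playbook or dependent role that still reads them as the certificate and key file (for instance to point a service's TLS configuration at them). Keeping the two variables with their old meaning and adding directory variables for the copy tasks would stay backward compatible; if the redefinition is intended, a comment such as `# Directory (not file) into which the server and client certificates are installed` above each line would at least document the new contract. The `client-` prefix that the task file hardcodes five times could also be declared here once, e.g. `mkcert_client_cert_name: "client-{{ mkcert_cert_name }}"` and `mkcert_client_key_name: "client-{{ mkcert_key_name }}"`, so the client file names are overridable and kept in step.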
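Review bot: The added task reuses the name `certificate_from_private_ca | Create the certificate (delegate to the CA vm)` that the preceding server-certificate task (whose body starts above this hunk) presumably already carries, so the two are indistinguishable in play output and with `--start-at-task`; rename it, e.g. `- name: certificate_from_private_ca | Create the client certificate (delegate to the CA vm)`. The `creates:` guard only checks the certificate file, so if the key file is missing while the certificate exists the task is skipped and the client key is never regenerated; checking the key path as well, or instead, is the safer idempotence marker. The client certificate is issued with the same `mkcert_dsn_and_ip_list` SAN set as the server certificate, which is fine if that is the intent, but a comment stating that the client identity is deliberately the host's name and addresses would save the next reader from guessing.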
@@ -27,20 +37,28 @@
       loop:
         - "{{ mkcert_cert_name }}"
         - "{{ mkcert_key_name }}"
+        - "client-{{ mkcert_cert_name }}"
+        - "client-{{ mkcert_key_name }}"
       delegate_to: "{{ mkcert_ca_host }}"
 
     - name: certificate_from_private_ca | Copy the certificate to the destination server
       ansible.builtin.copy:
-        src: "files/{{ mkcert_cert_name }}"
+        src: "files/{{ item }}"
         dest: "{{ mkcert_cert_dest_path }}"
         owner: root
         group: root
         mode: 0444
+      loop:
+        - "{{ mkcert_cert_name }}"
+        - "client-{{ mkcert_cert_name }}"
 
     - name: certificate_from_private_ca | Copy the certificate to the destination server
       ansible.builtin.copy:
-        src: "files/{{ mkcert_key_name }}"
+        src: "files/{{ item }}"
         dest: "{{ mkcert_key_dest_path }}"
         owner: root
         group: root
         mode: 0440
+      loop:
+        - "{{ mkcert_key_name }}"
+        - "client-{{ mkcert_key_name }}"
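Review bot: With `dest: "{{ mkcert_cert_dest_path }}"` now meant as a directory and the task looping over two files, `ansible.builtin.copy` only places each file inside it when that path already exists as a directory or ends with `/`; if `{{ pki_dir }}/certs` does not exist yet (no directory-creation task is visible in this hunk), the first loop item is written as a regular file named `certs` and the second item overwrites it, and the key task has the same problem with `{{ pki_dir }}/keys`. Appending a slash, `dest: "{{ mkcert_cert_dest_path }}/"` and `dest: "{{ mkcert_key_dest_path }}/"`, makes the intent explicit and lets copy create the directory. The fetch task whose `loop:` opens the hunk starts above it, so it cannot be seen here whether its dest/flat settings produce exactly `files/client-…`; worth confirming that `files/{{ item }}` resolves for the new names. The two copy tasks still share one name although the second now installs both private keys; `- name: certificate_from_private_ca | Copy the private keys to the destination server` would make the 0440 key task identifiable in logs.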