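---
# Issue a leaf certificate from a self-hosted mkcert CA and install it on the
# target host. mkcert runs on `mkcert_ca_host`; the resulting certificate and
# private key are pulled through the controller into `files/` and then pushed
# to `pki_dir` on the target.
#
# Variables expected from the caller (defined elsewhere, not visible here):
#   mkcert_ca_host           inventory name of the host running mkcert
#   mkcert_cert_name         filename of the certificate (written under /srv/mkcert-ca)
#   mkcert_key_name          filename of the private key
#   mkcert_dsn_and_ip_list   SANs passed verbatim to mkcert (presumably a
#                            space-separated string — confirm with the caller)
#   pki_dir                  PKI root on the target host; certs/ and keys/ must exist
- name: Create the certificate using the private CA
  tags: [pki, tls, tls_certificate]
  block:
    - name: Set the common group between mkcert-ca and ansible
      ansible.builtin.set_fact:
        ansible_common_remote_group: ansible

    - name: Create the certificate (delegate to the CA vm)
      ansible.builtin.command:
        cmd: >-
          mkcert
          -cert-file /srv/mkcert-ca/{{ mkcert_cert_name }}
          -key-file /srv/mkcert-ca/{{ mkcert_key_name }}
          {{ mkcert_dsn_and_ip_list }}
        chdir: /srv/mkcert-ca
        # Idempotency is keyed on the certificate file alone: changing the SAN
        # list does NOT re-issue an existing certificate. Delete the file on
        # the CA host to rotate or re-issue.
        creates: "/srv/mkcert-ca/{{ mkcert_cert_name }}"
      environment:
        CAROOT: /srv/mkcert-ca/.local/share/mkcert
      delegate_to: "{{ mkcert_ca_host }}"

- name: Manage the certificate installation
  tags: [pki, tls, tls_certificate]
  block:
    # NOTE(review): fetch leaves the private key at rest on the controller
    # under files/, with whatever mode the controller's umask yields. Keep
    # that directory out of version control, or replace fetch + copy with
    # slurp + copy `content:` so the key only transits memory.
    - name: Get the certificate and its key from the CA server
      ansible.builtin.fetch:
        src: "/srv/mkcert-ca/{{ item }}"
        dest: "files/{{ item }}"
        # Without flat the module stores to
        # files/<item>/<ca_host>/srv/mkcert-ca/<item>, which the copy tasks
        # below would not find.
        flat: true
      loop:
        - "{{ mkcert_cert_name }}"
        - "{{ mkcert_key_name }}"
      delegate_to: "{{ mkcert_ca_host }}"

    - name: Copy the certificate to the destination server
      ansible.builtin.copy:
        src: "files/{{ mkcert_cert_name }}"
        dest: "{{ pki_dir }}/certs/{{ mkcert_cert_name }}"
        owner: root
        group: root
        # Quoted so YAML does not turn the leading-zero octal into an integer.
        mode: "0444"

    - name: Copy the private key to the destination server
      ansible.builtin.copy:
        src: "files/{{ mkcert_key_name }}"
        dest: "{{ pki_dir }}/keys/{{ mkcert_key_name }}"
        owner: root
        group: root
        # Readable by root only; a non-root service that must read the key
        # needs a different group here.
        mode: "0440"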