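---
# Build a Java keystore from a certificate/key pair issued either by a local
# mkcert CA or by Let's Encrypt (acme.sh). Each source is first exported to a
# passphrase-protected PKCS#12 bundle and then imported into the keystore.
#
# Security notes for maintainers:
#   - java_keystore_pwd is used as the PKCS#12 passphrase and as the keystore
#     password. Where it is defined is not visible in this file; it should come
#     from an encrypted source (for example Ansible Vault), never from
#     plain-text defaults or inventory.
#   - The feature flags in the `when:` clauses are passed through `| bool` so
#     that string values such as "false" (typical of `-e key=value`) are not
#     evaluated as truthy.

- name: Manage the PKI directory
  when: not (java_keystore_use_default | bool)
  tags: java_keystore
  block:
    - name: Create the PKI directory
      ansible.builtin.file:
        dest: "{{ java_keystore_dir }}"
        state: directory
        owner: root
        group: root
        # 0755 lets every local user traverse and list this directory, so any
        # sensitive file placed under it needs its own restrictive mode.
        mode: "0755"

- name: Import a certificate generated by a mkcert CA into a keystore
  when:
    - java_keystore_certs_list is defined
    - mkcert_create_certificate | default(false) | bool
  tags: [java_keystore, java_keystore_mkcert]
  block:
    # Bundle the leaf certificate, its private key and the trusted
    # certificates into one passphrase-protected PKCS#12 file, readable by
    # root only.
    - name: Generate a PKCS12 from the certificate and key produced by mkcert
      community.crypto.openssl_pkcs12:
        action: export
        friendly_name: "{{ java_keystore_cert_alias }}"
        path: "{{ pki_dir }}/keys/{{ ansible_fqdn }}.pkcs12"
        certificate_path: "{{ mkcert_cert_dest_path }}"
        privatekey_path: "{{ mkcert_key_dest_path }}"
        other_certificates: '{{ java_trusted_certificates_list }}'
        passphrase: "{{ java_keystore_pwd }}"
        owner: root
        group: root
        mode: "0600"
        state: present

    # Despite the task name, this imports the PKCS#12 entry (private key
    # included) under cert_alias, not only a CA certificate.
    # No owner/group/mode is set for the keystore file in this task.
    # NOTE(review): confirm the resulting file is not readable by unprivileged
    # users, since it holds the private key.
    - name: Import the CA certificate
      community.general.java_cert:
        pkcs12_path: "{{ pki_dir }}/keys/{{ ansible_fqdn }}.pkcs12"
        pkcs12_alias: "{{ java_keystore_cert_alias }}"
        pkcs12_password: "{{ java_keystore_pwd }}"
        cert_alias: "{{ java_keystore_cert_alias }}"
        keystore_path: "{{ java_keystore_file }}"
        keystore_pass: "{{ java_keystore_pwd }}"
        # JKS is the legacy Java keystore format; PKCS12 has been the JDK
        # default since Java 9. NOTE(review): check whether the consuming
        # application still requires JKS before changing this.
        keystore_type: JKS
        keystore_create: true
        state: present

- name: Import a certificate generated by a Letsencrypt into a keystore
  when:
    - java_keystore_certs_list is defined
    - letsencrypt_acme_install | default(false) | bool
  tags: [java_keystore, java_keystore_letsencrypt, letsencrypt]
  block:
    # NOTE(review): unlike the mkcert block, no certificate_path is given
    # here. The leaf certificate reaches the bundle only through the
    # fullchain file in other_certificates. Confirm the exported PKCS#12
    # yields a usable key entry with its chain under the alias.
    - name: Generate a PKCS12 from the certificate and key produced by Letsencrypt
      community.crypto.openssl_pkcs12:
        action: export
        friendly_name: "{{ java_keystore_cert_alias }}"
        path: "{{ letsencrypt_acme_sh_certificates_install_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}.pkcs12"
        privatekey_path: "{{ letsencrypt_acme_sh_certificates_install_path }}/privkey"
        other_certificates:
          - '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
        # Load every certificate found in the fullchain file, not only the
        # first one.
        other_certificates_parse_all: true
        passphrase: "{{ java_keystore_pwd }}"
        owner: root
        group: root
        mode: "0600"
        state: present

    # Despite the task name, this imports the PKCS#12 entry (private key
    # included) under cert_alias. The keystore file's owner and mode are not
    # set in this task. NOTE(review): verify they are restrictive.
    - name: Import the CA certificate
      community.general.java_cert:
        pkcs12_path: "{{ letsencrypt_acme_sh_certificates_install_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}.pkcs12"
        cert_alias: "{{ java_keystore_cert_alias }}"
        pkcs12_alias: "{{ java_keystore_cert_alias }}"
        pkcs12_password: "{{ java_keystore_pwd }}"
        keystore_path: "{{ java_keystore_file }}"
        keystore_pass: "{{ java_keystore_pwd }}"
        # Legacy format, kept for compatibility. NOTE(review): prefer PKCS12
        # if the consuming application supports it.
        keystore_type: JKS
        keystore_create: true
        state: present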