added roles opensslCA and opensslServer. opensslCA will configure a CA....

added roles opensslCA and opensslServer. opensslCA will configure a CA. opensslServer will cause an node to which this is applied to generate an SSL certificate. The certificate is fairly generic (can be used for ldap server or web servers) but you probably want to customise this role or make it a dependency of an actual role. Consider it an example

roles/opensslCA/meta/main.yml

+---
+depdenencies:
+  - {role: commonVars }

roles/opensslCA/tasks/main.yml

+---
+- name : make ca dir
+  file: path={{ x509cadir }} owner=root group=root state=directory
+  sudo: true
+
+- name : make newcerts dir
+  file: path={{ x509cadir }}/newcerts owner=root group=root state=directory
+  sudo: true
+
+- name : make private dir
+  file: path={{ x509cadir }}/private mode=700 owner=root group=root state=directory
+  sudo: true
+
+- name: initialise ca
+  shell: echo 01 > serial ; touch index.txt
+  args: 
+    chdir: "{{ x509cadir }}"
+    creates: index.txt
+  sudo: true
+
+- name: template openssl.cnf
+  template: dest={{ x509cadir }}/openssl.cnf src=openssl_cnf.j2
+  sudo: true
+
+- name: generate key
+  shell: openssl genrsa -out private/cakey.pem 2048
+  args:
+    chdir: "{{ x509cadir }}"
+    creates: private/cakey.pem
+  sudo: true
+
+- name: generate cert
+  shell: openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -config openssl.cnf
+  args:
+    chdir: "{{ x509cadir }}"
+    creates: cacert.pem
+  sudo: true

roles/opensslCA/templates/openssl_cnf.j2

+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir= {{ x509cadir }}
+certs = $dir/certs
+new_certs_dir = $dir/newcerts
+crl_dir = $dir/crl
+crl = $dir/crl.pem
+crlnumber   = $dir/crlnumber
+database = $dir/index.txt
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+x509_extensions = usr_cert
+name_opt    = ca_default        # Subject Name options
+cert_opt    = ca_default        # Certificate field options
+default_days    = 365           # how long to certify for
+default_crl_days= 30            # how long before next CRL
+default_md  = default       # use public key default MD
+preserve    = no            # keep passed DN ordering
+policy      = policy_match
+certificate = $dir/cacert.pem
+serial = $dir/serial
+email_in_dn = no
+unique_subject = no
+
+[ req ]
+distinguished_name = default_name
+prompt = no
+
+[ default_name ] 
+countryName = NA
+stateOrProvinceName = NA
+organizationName    = NA
+commonName = ca
+
+[ policy_match ]
+countryName     = match
+stateOrProvinceName = match
+organizationName    = match
+organizationalUnitName  = optional
+commonName      = supplied
+emailAddress        = optional
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsComment           = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+

roles/opensslCA/vars/main.yml

+---
+x509cadir: /var/ca

roles/opensslServer/tasks/main.yml

+- include_vars: roles/opensslca/vars/main.yml
+
+- name: install system packages apt
+  apt: name=openssl state=installed update_cache=true
+  sudo: true
+  when: ansible_os_family == 'Debian'
+
+- name: install system packages yum
+  yum: name=openssl state=installed
+  sudo: true
+  when: ansible_os_family == 'RedHat'
+
+- name : make csr dir
+  file: path={{ csrdir }} owner=root group=root state=directory
+  sudo: true
+
+- name : make private dir
+  file: path={{ csrdir }}/private mode=700 owner=root group=root state=directory
+  sudo: true
+
+- name: template openssl.cnf
+  template: dest={{ csrdir }}/openssl.cnf src=openssl_cnf.j2
+  sudo: true
+
+- name: generate key
+  shell: openssl genrsa -out private/key.pem 2048
+  args:
+    chdir: "{{ csrdir }}"
+    creates: private/key.pem
+  sudo: true
+  register: needCert
+
+- name: generate csr
+  shell: openssl req -new -key private/key.pem -out {{ certname }}.csr -days 3650 -config openssl.cnf
+  args:
+    chdir: "{{ csrdir }}"
+    creates: "{{ certname }}.csr"
+  sudo: true
+  when: needCert|changed
+
+#
+# Copy the CSR from the host to localhost, then from localhost to the CA server
+#
+
+
+
+- name: copy csr to localhost
+  shell: scp {{ hostvars[ansible_hostname]['ansible_user_id'] }}@{{ ansible_ssh_host }}:/{{ csrdir }}/{{ certname }}.csr /tmp/{{ certname }}.csr
+  delegate_to: 127.0.0.1
+  when: needCert|changed
+
+- name: echo vars
+  shell: echo {{ causer }}@{{ ca_ssh_host }}
+
+- name: copy csr to CA
+  shell: scp /tmp/{{ certname }}.csr {{ causer }}@{{ ca_ssh_host }}:/tmp/{{ certname }}.csr
+  delegate_to: 127.0.0.1
+  when: needCert|changed
+
+
+#
+# Signing tasks
+# 
+
+- name: sign certs
+  shell: yes | openssl ca -config {{ cadir }}/openssl.cnf -days 3650 -in /tmp/{{ certname }}.csr -out /tmp/{{ certname }}.cert
+  sudo: true
+  delegate_to: "{{ cahost }}"
+  when: needCert|changed
+
+#
+# Copy cert from cahost to localhost then back to ansible_host
+#
+
+- name: copy cert to localhost
+  shell: scp {{ causer }}@{{ ca_ssh_host }}:/tmp/{{ certname }}.cert /tmp/{{ certname }}.cert
+  delegate_to: 127.0.0.1
+  when: needCert|changed
+
+- name: copy cert to ansible_host
+  copy: src=/tmp/{{ certname }}.cert dest={{ csrdir }}/{{ certname }}.cert
+  sudo: True
+  when: needCert|changed

roles/opensslServer/templates/openssl_cnf.j2

+[ req ]
+distinguished_name = default_name
+prompt = no
+
+[ default_name ]
+countryName = NA
+stateOrProvinceName = NA
+organizationName    = NA
+commonName = {{ ansible_hostname }}.{{ ansible_domain }}
+

roles/opensslServer/vars/main.yml

+---
+csrdir: /var/x509csr
+certname: "{{ ansible_hostname }}"
+cahost: "{{ groups['x509ca'][0] }}"
+ca_ssh_host: "{{ hostvars[cahost]['ansible_ssh_host'] }}"
+causer: "{{ hostvars[cahost]['ansible_user_id'] }}"
+cadir: "{{ x509cadir }}"