x509_certificate without csr_path #32

Closed
rightaway opened this issue Apr 15, 2020 · 6 comments · Fixed by #129
Comments

@rightaway

SUMMARY

An explicit csr_path shouldn't be required when generating an openssl certificate. A valid command to generate a certificate is openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365, which doesn't require a csr file.

ansible/ansible#68736 was closed saying to post here.

ISSUE TYPE

  • Feature Idea

COMPONENT NAME

openssl_certificate

@MarkusTeufelberger
Contributor

Some fields in a certificate that are very commonly used are only present in a CSR. OpenSSL will use some defaults in your example (e.g. which extensions to use) and go through a whole interactive Q&A session to ask you for these fields that are usually in a CSR (fields for the Subject of the certificate).

What's your use case that uses this type of self-signed certificates?

@rightaway
Author

With the example command I showed it's just for using in local development. Thought if a field isn't required on the command line it's better if not required in ansible.

@felixfontein
Contributor

@rightaway do I understand you correctly that you want a certificate without any special properties? I.e. no common name, no SANs, nothing else that's not absolutely necessary (like public key, signature, serial number)?

@rightaway
Author

Basically the same certificate as generated by the command in the first message. The ansible module shouldn't impose any restrictions that the command line doesn't.

@felixfontein changed the title from "openssl_certificate without csr_path" to "x509_certificate without csr_path" on Oct 18, 2020
@felixfontein
Contributor

For the acme and ownca providers, a CSR is always needed (for acme it simply makes no sense without, and for ownca we need the public key somehow). For the selfsigned provider, we could allow not specifying the CSR since we already have the private key provided. In that case, we could adjust the provider to internally create a CSR which contains no information except the public key, and continue from there.

@felixfontein
Contributor

resolved_by_pr #129
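
The key, CSR and self-signed certificate flow discussed in this thread, written out as a playbook. This is an added example, not part of the original issue or the project's own code; `cert_dir` and the file names are hypothetical. It roughly corresponds to the `openssl req -x509 -newkey rsa:4096 ... -days 365` command from the first message, with the subject and SANs supplied through an explicit CSR and then checked on the resulting certificate.

```yaml
# Added example; cert_dir and the file names are hypothetical.
- name: Self-signed certificate for local development
  hosts: localhost
  gather_facts: false
  vars:
    cert_dir: /tmp/devcert
  tasks:
    - name: Create a private directory for the key material
      ansible.builtin.file:
        path: "{{ cert_dir }}"
        state: directory
        mode: "0700"

    - name: Generate a 4096-bit RSA private key (rsa:4096 in the command)
      community.crypto.openssl_privatekey:
        path: "{{ cert_dir }}/key.pem"
        type: RSA
        size: 4096
        mode: "0600"

    - name: Create the CSR that carries the subject and the SANs
      community.crypto.openssl_csr:
        path: "{{ cert_dir }}/dev.csr"
        privatekey_path: "{{ cert_dir }}/key.pem"
        common_name: localhost
        subject_alt_name:
          - "DNS:localhost"
          - "IP:127.0.0.1"

    - name: Self-sign the CSR for 365 days (-days 365 in the command)
      community.crypto.x509_certificate:
        path: "{{ cert_dir }}/cert.pem"
        privatekey_path: "{{ cert_dir }}/key.pem"
        csr_path: "{{ cert_dir }}/dev.csr"
        provider: selfsigned
        selfsigned_not_after: "+365d"

    - name: Read the certificate back
      community.crypto.x509_certificate_info:
        path: "{{ cert_dir }}/cert.pem"
      register: cert_info

    - name: Check that the CSR fields reached the certificate
      ansible.builtin.assert:
        that:
          - not cert_info.expired
          - "'DNS:localhost' in cert_info.subject_alt_name"
```

With the behaviour proposed in the thread for the selfsigned provider, omitting `csr_path` yields a certificate built from a CSR containing only the public key, so the SAN assertion above would not hold for it.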
