Regenerate certificate on CA's subject change. (#402)

tests/integration/targets/x509_certificate/tasks/ownca.yml

@@ -14,14 +14,20 @@
 
 - name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR
   openssl_csr:
-    path: '{{ remote_tmp_dir }}/ca_csr.csr'
+    path: '{{ item.path }}'
     privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
-    subject:
-      commonName: Example CA
+    subject: '{{ item.subject }}'
     useCommonNameForSAN: no
     basic_constraints:
     - 'CA:TRUE'
     basic_constraints_critical: yes
+  loop:
+    - path: '{{ remote_tmp_dir }}/ca_csr.csr'
+      subject:
+        commonName: Example CA
+    - path: '{{ remote_tmp_dir }}/ca_csr2.csr'
+      subject:
+        commonName: Example CA 2
 
 - name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR (privatekey passphrase)
   openssl_csr:
@@ -62,6 +68,15 @@
       - result_check_mode is changed
       - result is changed
 
+- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate with different commonName
+  x509_certificate:
+    path: '{{ remote_tmp_dir }}/ca_cert2.pem'
+    csr_path: '{{ remote_tmp_dir }}/ca_csr2.csr'
+    privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    select_crypto_backend: '{{ select_crypto_backend }}'
+
 - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (privatekey passphrase)
   x509_certificate:
     path: '{{ remote_tmp_dir }}/ca_cert_pw.pem'
@@ -110,6 +125,42 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   check_mode: yes
 
+- name: (OwnCA, {{select_crypto_backend}}) Copy ownca certificate to new file to check regeneration
+  copy:
+    src: '{{ remote_tmp_dir }}/ownca_cert.pem'
+    dest: '{{ item }}'
+    remote_src: true
+  loop:
+    - '{{ remote_tmp_dir }}/ownca_cert_ca_cn.pem'
+    - '{{ remote_tmp_dir }}/ownca_cert_ca_key.pem'
+
+- name: (OwnCA, {{select_crypto_backend}}) Regenerate ownca certificate with different CA subject
+  x509_certificate:
+    path: '{{ remote_tmp_dir }}/ownca_cert_ca_cn.pem'
+    csr_path: '{{ remote_tmp_dir }}/csr.csr'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
+    ownca_path: '{{ remote_tmp_dir }}/ca_cert2.pem'
+    ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    select_crypto_backend: '{{ select_crypto_backend }}'
+    return_content: yes
+  register: ownca_certificate_ca_subject_changed
+
+- name: (OwnCA, {{select_crypto_backend}}) Regenerate ownca certificate with different CA key
+  x509_certificate:
+    path: '{{ remote_tmp_dir }}/ownca_cert_ca_key.pem'
+    csr_path: '{{ remote_tmp_dir }}/csr.csr'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
+    ownca_path: '{{ remote_tmp_dir }}/ca_cert_pw.pem'
+    ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem'
+    ownca_privatekey_passphrase: hunter2
+    provider: ownca
+    ownca_digest: sha256
+    select_crypto_backend: '{{ select_crypto_backend }}'
+    return_content: yes
+  register: ownca_certificate_ca_key_changed
+
 - name: (OwnCA, {{select_crypto_backend}}) Get certificate information
   community.crypto.x509_certificate_info:
     path: '{{ remote_tmp_dir }}/ownca_cert.pem'

tests/integration/targets/x509_certificate/tests/validate_ownca.yml

@@ -31,6 +31,12 @@
       - ownca_certificate.notBefore == ownca_certificate_idempotence.notBefore
       - ownca_certificate.notAfter == ownca_certificate_idempotence.notAfter
 
+- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate regeneration
+  assert:
+    that:
+      - ownca_certificate_ca_subject_changed is changed
+      - ownca_certificate_ca_key_changed is changed
+
 - name: (OwnCA validation, {{select_crypto_backend}}) Read certificate
   slurp:
     src: '{{ remote_tmp_dir }}/ownca_cert.pem'