- block:
    - name: Generate privatekey
      openssl_privatekey:
        path: '{{ output_dir }}/privatekey.pem'

    - name: Generate CSR
      openssl_csr:
        path: '{{ output_dir }}/csr.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
        commonName: 'www.ansible.com'

    # keyUsage longname and shortname should be able to be used
    # interchangeably. Hence the long name is specified here
    # but the short name is used to test idempotency for ipsecuser
    # and vice-versa for biometricInfo
    - name: Generate CSR with KU and XKU
      openssl_csr:
        path: '{{ output_dir }}/csr_ku_xku.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
        commonName: 'www.ansible.com'
        keyUsage:
          - digitalSignature
          - keyAgreement
        extendedKeyUsage:
          - qcStatements
          - DVCS
          - IPSec User
          - biometricInfo

    - name: Generate CSR with KU and XKU (test idempotency)
      openssl_csr:
        path: '{{ output_dir }}/csr_ku_xku.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
        commonName: 'www.ansible.com'
        keyUsage:
          - digitalSignature
          - keyAgreement
        extendedKeyUsage:
          - ipsecUser
          - qcStatements
          - DVCS
          - Biometric Info
      register: csr_ku_xku

    - import_tasks: ../tests/validate.yml

  when: pyopenssl_version.stdout|version_compare('0.15', '>=')