- name: Install KRA master
  shell: pkispawn -s KRA -f /tmp/test_dir/kra.cfg

- name : Stopping KRA Subsystem
  shell: echo "Stopping Subsystem for enabling Audit logging"
  notify:
    - STOPKRA
    - INC_CONSTANTS

- meta: flush_handlers

- name: Enable SignedAudit
  replace: dest=/etc/pki/{{ topology }}-KRA/kra/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"

- name: Enable OCSP for KRA
  replace: dest=/etc/pki/{{ topology }}-KRA/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"'

- name: Pointing KRA to correct OCSP port
  replace: dest=/etc/pki/{{ topology }}-KRA/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp

- name: Picking the password in run-time from password.conf of KRA
  shell: grep -i "internal=" /etc/pki/{{ topology }}-KRA/password.conf | awk -F"=" ' { print $2 } ' > /tmp/test_dir/certutil_password

- name: Importing OCSP certificate in kra nssdb
  shell: certutil -A -d /etc/pki/{{ topology }}-KRA/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i  /tmp/test_dir/ocsp_signing.crt -f /tmp/test_dir/certutil_password
  notify:
    - STARTKRA
    
- name: Removing file generated with password
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    -  /tmp/test_dir/certutil_password