From bdc699fceeb8da55ba296b55bc8ec16d8304ead1 Mon Sep 17 00:00:00 2001
From: Christoph Haas
Date: Sat, 17 Oct 2015 13:46:41 +0200
Subject: [PATCH] Setting bit length of certificate to 4096 bits

---
 roles/ispmail-certificate/tasks/main.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/roles/ispmail-certificate/tasks/main.yml b/roles/ispmail-certificate/tasks/main.yml
index b5801ba..35c8368 100644
--- a/roles/ispmail-certificate/tasks/main.yml
+++ b/roles/ispmail-certificate/tasks/main.yml
@@ -1,14 +1,13 @@
 ---
 - name: Create a self-signed certificate
 command: >
- openssl req -new
- -x509
- -nodes
- -extensions v3_ca
+ openssl req -newkey rsa:4096
+ -nodes -sha512 -x509
 -days {{ ispmail_certificate_days_valid }}
+ -nodes
 -subj "/C={{ ispmail_certificate_country }}/ST={{ ispmail_certificate_state }}/L={{ ispmail_certificate_location }}/O={{ ispmail_certificate_organisation }}/OU={{ ispmail_certificate_orgunit }}{% for domain in ispmail_certificate_domains %}/CN={{ domain }}{% endfor %}/emailAddress={{ ispmail_certificate_email }}"
- -keyout /etc/ssl/private/mailserver.pem
 -out /etc/ssl/certs/mailserver.pem
+ -keyout /etc/ssl/private/mailserver.pem
 args:
 creates: /etc/ssl/certs/mailserver.pem
 - name: Restrict access permissions of the private key
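Review bot: The task is still guarded by `creates: /etc/ssl/certs/mailserver.pem`, so a host that already has a certificate skips the command and keeps its existing key; the new `-newkey rsa:4096` only takes effect on fresh installs. A comment above `command:` such as `# 'creates' skips regeneration: remove the old certificate and key to get a 4096-bit key` would make that explicit for operators. Separately, `-nodes` is now passed twice, in the added `-nodes -sha512 -x509` line and again in the added `-nodes` line after `-days`; drop the second one so the unencrypted-key choice is stated once. The commit also switches the digest to SHA-512 and drops `-extensions v3_ca`, neither of which the subject line mentions; whether dropping the extension changes the issued certificate probably depends on the host's openssl.cnf and is worth confirming.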