Improved SSL certificate generation

Hopefully this time the certificate is accepted as valid.
Previously Thunderbird complained.

group_vars/all

@@ -2,5 +2,17 @@ ispmail_mysql_mailuser_password: fLxsWdf5ABLqwhZr
 
 ispmail_dovecot_auth_mechanisms: plain login
 
+ispmail_postmaster_address: postmaster@example.org
+
 ispmail_populate_test_data: true
 
+ispmail_certificate_country: DE
+ispmail_certificate_state: Hamburg
+ispmail_certificate_location: Hamburg
+ispmail_certificate_organisation: workaround.org
+ispmail_certificate_orgunit: IT-Crowd
+ispmail_certificate_domains:
+  - example.org
+ispmail_certificate_email: postmaster@example.org
+ispmail_certificate_days_valid: 3650
+

roles/ispmail-certificate/tasks/main.yml

@@ -1,6 +1,16 @@
 ---
 - name: Create a self-signed certificate
-  shell: openssl req -new -x509 -days 3650 -subj "/C=DE/ST=Hamburg/L=Hamburg/O=IT/CN={{ansible_fqdn}}" -nodes -sha256 -newkey rsa:4096 -out /etc/ssl/certs/mailserver.pem -keyout /etc/ssl/private/mailserver.pem -extensions v3_ca creates=/etc/ssl/certs/mailserver.pem
+  command: >
+    openssl req -new
+      -x509
+      -nodes
+      -extensions v3_ca
+      -days {{ ispmail_certificate_days_valid }}
+      -subj "/C={{ ispmail_certificate_country }}/ST={{ ispmail_certificate_state }}/L={{ ispmail_certificate_location }}/O={{ ispmail_certificate_organisation }}/OU={{ ispmail_certificate_orgunit }}{% for domain in ispmail_certificate_domains %}/CN={{ domain }}{% endfor %}/emailAddress={{ ispmail_certificate_email }}"
+      -keyout /etc/ssl/private/mailserver.pem
+      -out /etc/ssl/certs/mailserver.pem
+  args:
+    creates: /etc/ssl/certs/mailserver.pem
 - name: Restrict access permissions of the private key
   file: path=/etc/ssl/private/mailserver.pem mode=0640