roles/ca_cert: custom algorithm and broker chain

Allows custom (non-ed25519) algorithm and verification of broken trust
chain, to work with current stable ca_manager implementation.

roles/ca_cert/defaults/main.yaml

@@ -8,6 +8,7 @@ ca_cert_renew_private_key: true
 ca_cert_tls_subj: '{{ openssl_x509_prefix}}/OU=Server/CN={{ ca_cert_common_name }}'
 ca_cert_tls_ca_path: '/etc/ssl/root_ca.crt'
 ca_cert_tls_key_path: '/etc/ssl/{{ ca_cert_common_name }}.key'
+ca_cert_tls_key_algorithm: 'ed25519'
 ca_cert_tls_csr_path: '/etc/ssl/{{ ca_cert_common_name }}.csr'
 ca_cert_tls_cert_path: '/etc/ssl/{{ ca_cert_common_name }}.crt'
 ca_cert_ssh_ca_path: '/etc/ssh/user_ca.pub'

roles/ca_cert/tasks/main.yaml

@@ -3,6 +3,7 @@
   command: >
     openssl verify
     -CAfile {{ ca_cert_tls_ca_path }}
+    -untrusted {{ ca_cert_tls_cert_path }}
     -verify_hostname {{ ca_cert_common_name }}
     {{ ca_cert_tls_cert_path }}
   register: ca_cert_tls_cert_is_valid
@@ -68,7 +69,7 @@
     - name: 'RENEW | TLS | create private key (if not exists)'
       command: >
         openssl genpkey
-        -algorithm ed25519
+        -algorithm {{ ca_cert_tls_key_algorithm }}
         -out {{ ca_cert_tls_key_path }}
       args:
         creates: >-