Changeset - 884beb9a0e1d
Branko Majic (branko) - 9 years ago 2015-05-31 21:53:01
branko@majic.rs
MAR-5: Fixed a typo in docs for test site (wrong filename path for certificate). Added encryption_key option to certtool templates in test site in order to have key encipherment key usage in resulting certificates (otherwise Thunderbird, for example, won't be able to connect to SMTP server).
7 files changed with 31 insertions and 1 deletions:
docs/testsite.rst
 
@@ -72,49 +72,49 @@ In order to deploy the test site, the following steps would normally be taken:
 

	
 
   - ``testsite/tls/mail.example.com_imap.key``
 
   - ``testsite/tls/mail.example.com_smtp.key``
 
   - ``testsite/tls/xmpp.example.com_xmpp.key``
 
   - ``testsite/tls/ldap.example.com_ldap.key``
 
   - ``testsite/tls/web.example.com_https.key``
 
   - ``testsite/tls/phpfino.example.com_https.key``
 
   - ``testsite/tls/wsgi.example.com_https.key``
 

	
 
3. Issue TLS certificates corresponding to the generated TLS private keys (make
 
   sure to use correct FQDN for DNS subject alternative name):
 

	
 
   - ``testsite/tls/mail.example.com_imap.pem`` (subject alternative name should
 
     be ``mail.example.com``)
 
   - ``testsite/tls/mail.example.com_smtp.pem`` (subject alternative name should
 
     be ``mail.example.com``)
 
   - ``testsite/tls/xmpp.example.com_xmpp.pem`` (subject alternative name should
 
     be ``xmpp.example.com``)
 
   - ``testsite/tls/ldap.example.com_ldap.pem`` (subject alternative name should
 
     be ``ldap.example.com``)
 
   - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should
 
     be ``web.example.com``)
 
   - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should
 
     be ``web.example.com``)
 
   - ``testsite/tls/phpinffo.example.com_https.pem`` (subject alternative name
 
   - ``testsite/tls/phpinfo.example.com_https.pem`` (subject alternative name
 
     should be ``phpinfo.example.com``)
 
   - ``testsite/tls/wsgi.example.com_https.pem`` (subject alternative name
 
     should be ``wsgi.example.com``)
 

	
 
4. Create ``PEM`` truststore file which contains all CA certificates that form
 
   CA chain for the issued end entity certificates from previous step at
 
   location ``testsite/tls/example_ca_chain.pem``. It is very important to
 
   include the CA chain used for LDAP server.
 

	
 
5. Generate the preseed files:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook playbooks/preseed.yml
 

	
 
6. Install all servers using the generated preseed files.
 

	
 
7. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
 
   remove old entries if you are redoing the process). You can easily obtain all
 
   the necessary fingerprints with command:
 

	
 
   .. code-block:: shell
 

	
 
      ssh-keyscan mail.example.com ldap.example.com xmpp.example.com web.example.com
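Review bot: the key-file list in step 2 still reads ``testsite/tls/phpfino.example.com_https.key`` while the certificate path in step 3 is corrected to ``testsite/tls/phpinfo.example.com_https.pem``; the key path should become ``testsite/tls/phpinfo.example.com_https.key`` so the key and certificate names match and a copy-paste of the list works. Also worth confirming in step 7 whether phpinfo.example.com and wsgi.example.com are separate hosts; if they are, add them to the ``ssh-keyscan`` command next to web.example.com so their host keys end up in ``known_hosts`` as well.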
testsite/tls/templates/ldap.example.com_ldap.cfg
 
@@ -4,24 +4,29 @@
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. LDAP Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "ldap.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key
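Review bot: the new ``encryption_key`` directive sits directly under a comment stating that separate keys for encryption and signing are preferred, yet this template now marks the same key with both ``signing_key`` and ``encryption_key``; reword the comment to say why a single key carries both usages here (the test site needs the key encipherment usage so clients that negotiate RSA ciphersuites can connect, per the commit message) so the next reader does not take it as a mistake. While touching this file, fix the typo in ``cn = "Exampe Inc. LDAP Server"`` (``Example``), and consider rewording ``# A dnsname in case of a WWW server.`` since this is the LDAP server template.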
testsite/tls/templates/mail.example.com_smtp.cfg
 
@@ -4,24 +4,29 @@
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. SMTP Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "mail.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key
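Review bot: same inconsistency as the other templates, the comment above ``encryption_key`` recommends separate keys for encryption and signing while the template enables both ``signing_key`` and ``encryption_key`` on one key; add a line explaining that this is deliberate for the test site (the commit message gives the reason: Thunderbird cannot connect to the SMTP server without the key encipherment usage). Also fix the typo in ``cn = "Exampe Inc. SMTP Server"`` (``Example``).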
testsite/tls/templates/phpinfo.example.com_https.cfg
 
@@ -4,24 +4,29 @@
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. PHP Info Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "phpinfo.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key
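Review bot: fix the typo in ``cn = "Exampe Inc. PHP Info Server"`` (``Example``) while this file is being edited, and either reword or qualify the comment that says separate keys for encryption and signing are preferred, since the template now sets both ``signing_key`` and ``encryption_key`` on the same key.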
testsite/tls/templates/web.example.com_https.cfg
 
@@ -4,24 +4,29 @@
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. Web Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "web.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key
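Review bot: ``cn = "Exampe Inc. Web Server"`` has the same ``Exampe`` typo as the other templates and should be corrected to ``Example`` in this change; the comment preceding ``encryption_key`` should also be adjusted, because as written it advises against exactly what the template does (one key with both ``signing_key`` and ``encryption_key``).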
testsite/tls/templates/wsgi.example.com_https.cfg
 
@@ -4,24 +4,29 @@
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. WSGI Hello World Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "wsgi.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key
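Review bot: correct the typo in ``cn = "Exampe Inc. WSGI Hello World Server"`` (``Example``), and revise the comment above ``encryption_key`` so it does not contradict the template, which now enables both ``signing_key`` and ``encryption_key`` on a single key; a short note that the test site intentionally accepts this so RSA-ciphersuite clients can connect would suffice.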
testsite/tls/templates/xmpp.example.com_xmpp.cfg
 
@@ -4,24 +4,29 @@
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. XMPP Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "xmpp.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
 

	
 
# Whether this certificate will be used to encrypt data (needed
 
# in TLS RSA ciphersuites). Note that it is preferred to use different
 
# keys for encryption and signing.
 
encryption_key
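Review bot: fix ``cn = "Exampe Inc. XMPP Server"`` (``Example``), and reconcile the comment above ``encryption_key`` with the configuration: it says different keys for encryption and signing are preferred, but the template sets both ``signing_key`` and ``encryption_key`` on one key. The ``# A dnsname in case of a WWW server.`` comment is also misleading for an XMPP server template.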