Ansible Hacky PKI is an Ansible role that generates certificates signed by a given CA.
The public certificate of the CA and its private key are Ansible variables. Make sure to store the private key in a Vault and not to reuse the CA used in the example.
The role checks whether the certificate already exists and is valid. If not, it generates the certificates **on the localhost**, copies them to the remote host, and deletes the local version.
If you use a CRL to revoke your certificates, you can add the variable `crl_distribution_points` to describe the CRL endpoint(s). See https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html for more information about `crl_distribution_points`.
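
An added example, not taken from the role's own documentation, of a `crl_distribution_points` value in the list-of-dictionaries form that `community.crypto.openssl_csr` documents. It assumes the role passes the variable unchanged to that module; the file location and the URLs are constructed placeholders.

```yaml
# group_vars/all.yml (assumed location; any variable source the play reads works)
# Assumption: the role forwards this variable as-is to community.crypto.openssl_csr.
crl_distribution_points:
  # Primary CRL endpoint. Entries in full_name use the "TYPE:value"
  # general-name syntax, so an HTTP endpoint is written as "URI:...".
  - full_name:
      - "URI:http://crl.example.com/ca.crl"         # constructed URL
  # Second, independently hosted endpoint, so that clients can still
  # fetch the CRL when the primary one is unreachable.
  - full_name:
      - "URI:http://crl-backup.example.com/ca.crl"  # constructed URL
```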