remove the key file from localhost

README.md

@@ -6,6 +6,8 @@ The Public Certificate of the CA and its Private Key are ansible variables. Make
 
 ## Dependencies
 
+You need to have the `cryptography` python library available on the localhost and on the remote hosts.
+
 ## Generate a CA
 
 ### Generate a key
@@ -56,3 +58,5 @@ Then, don't forget to remode the file `ca.key`.
 
 
 ## How does it works ?
+
+The role check if the certificate already exist and is valid. If not, it will generate **on the localhost** the certificates and then copy them to the remote host and delate the local version.

example.yml

@@ -4,4 +4,5 @@
   roles:
     - generate-cert
   vars:
-    path: /tmp/test-client
+    directory: /tmp/test-pki
+    cname: test-client

roles/generate-cert/tasks/main.yml

@@ -3,10 +3,40 @@
   ansible.builtin.debug:
     msg: "Test"
 
+- name: Ensure the directory containing the cert exist
+  file:
+    path: "{{ directory }}"
+    state: directory
+
+- name: Test if the key already exist
+  stat:
+    path: "{{ directory }}/{{ cname }}.key"
+  register: key_file
+
 - name: Generate private key
+  become: false
   openssl_privatekey:
-    path: "{{ path }}.key"
-    owner: "{{ owner | default(omit) }}"
-    group: "{{ group | default(omit) }}"
-    mode: "{{ key_mode | default(omit) }}"
+    path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+    mode: u=rw,g=,o=
     size: "{{ key_size | default(omit) }}"
+  delegate_to: localhost
+  when: not key_file.stat.exists
+
+- name: Send private key to the server
+  copy:
+    src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+    dest: "{{ directory }}/{{ cname }}.key"
+    owner: "{{ owner | default('root') }}"
+    group: "{{ group | default('root') }}"
+    mode: "{{ key_mode | default('u=rw,g=,o=') }}"
+  when: not key_file.stat.exists
+
+
+# Clean up
+- name: Remove the local cert key
+  become: false
+  file:
+    path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+    state: absent
+  delegate_to: localhost
+  when: not key_file.stat.exists