diff --git a/tasks/main.yml b/tasks/main.yml
index ffb8612..15130eb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -7,13 +7,47 @@
     comment: "{{ ssh_ca_key_comment }}"
   register: key_pair
 
+- name: Check certificate existance
+  stat:
+    path: "/etc/ssh/{{ ssh_ca_key_name }}-cert.pub"
+  register: cert_state
+
+- name: Copy public key to local machine
+  copy:
+    dest: "/tmp/{{ ssh_ca_key_name }}.pub"
+    content: "{{ key_pair.public_key }}"
+  when: not cert_state.stat.exists
+
 - name: Generate certificate
   openssh_cert:
-    path: "/etc/ssh/{{ ssh_ca_key_name }}-cert.pub"
+    path: "/tmp/{{ ssh_ca_key_name }}-cert.pub"
     principals: "{{ ssh_ca_cert_principals }}"
-    public_key: "/etc/ssh/{{ ssh_ca_key_name }}.pub"
+    public_key: "/tmp/{{ ssh_ca_key_name }}.pub"
     signature_algorithm: rsa-sha2-512
     signing_key: "{{ role_path }}/files/{{ ssh_ca_signing_key }}"
     type: "{{ ssh_ca_type }}"
     valid_from: always
     valid_to: forever
+  delegate_to: localhost
+  when: not cert_state.stat.exists
+
+- name: Copy certificate to host
+  copy:
+    src: "/tmp/{{ ssh_ca_key_name }}-cert.pub"
+    dest: "/etc/ssh/{{ ssh_ca_key_name }}-cert.pub"
+    mode: 0600
+  when: not cert_state.stat.exists
+
+- name: Delete local public key
+  file:
+    path: "/tmp/{{ ssh_ca_key_name }}.pub"
+    state: absent
+  delegate_to: localhost
+  when: not cert_state.stat.exists
+
+- name: Delete local certificate
+  file:
+    path: "/tmp/{{ ssh_ca_key_name }}-cert.pub"
+    state: absent
+  delegate_to: localhost
+  when: not cert_state.stat.exists
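Review bot: The "Copy public key to local machine" task writes `/tmp/{{ ssh_ca_key_name }}.pub` on the managed host rather than on the controller, because unlike the later "Delete local public key" task it carries no `delegate_to: localhost`, so the delegated `openssh_cert` task reads a file that was never created where it runs; add `delegate_to: localhost` to that copy task. The fixed controller-side path is also shared by every host in the play, so if several hosts use the same `ssh_ca_key_name` and run in parallel, the CA may sign one host's public key into another host's certificate — the `tempfile` module (or a per-host subdirectory keyed on `inventory_hostname`) avoids that and the predictable-name problem of a world-writable `/tmp`. The two delete tasks only run when signing and copying succeed; putting the generate/copy/delete tasks in a `block` with the deletions under `always` prevents stale key material from lingering on the controller after a failure. Quote the file mode as `mode: "0600"` so a YAML 1.2 loader does not read it as decimal 600, and `existance` in the stat task name is `existence`.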