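---
# Issue an SSH certificate for a key pair on the managed host. The public key
# is signed on the controller with the CA private key shipped with this role;
# the CA private key itself never leaves the controller.
#
# Flow:
#   1. ensure the key pair exists in /etc/ssh on the host
#   2. if no certificate exists yet, or the key pair was (re)generated, copy the
#      public key into a private temp dir on the controller, sign it there and
#      copy the certificate back to the host
#   3. always remove the controller-side temp dir, even when signing failed
#
# Required variables: ssh_ca_key_name, ssh_ca_key_type, ssh_ca_key_comment,
# ssh_ca_cert_principals, ssh_ca_signing_key, ssh_ca_type.
# Optional (defaults reproduce the previously hard-coded values):
# ssh_ca_cert_valid_from ("always"), ssh_ca_cert_valid_to ("forever"),
# ssh_ca_signature_algorithm ("rsa-sha2-512").
#
# NOTE(review): the CA private key is read from "{{ role_path }}/files/", i.e. it
# is stored inside the role. Keeping it outside the repository (or vault-encrypted)
# and pointing ssh_ca_signing_key at that location is strongly preferable.

- name: Generate key pair
  openssh_keypair:
    path: "/etc/ssh/{{ ssh_ca_key_name }}"
    type: "{{ ssh_ca_key_type }}"
    comment: "{{ ssh_ca_key_comment }}"
  register: key_pair

- name: Check certificate existance
  stat:
    path: "/etc/ssh/{{ ssh_ca_key_name }}-cert.pub"
  register: cert_state

# Re-sign when there is no certificate yet OR when openssh_keypair reported a
# change. Checking existence alone leaves a stale certificate in place after the
# private key is regenerated (e.g. ssh_ca_key_type changed), and a certificate
# that does not match the key is useless. A spurious re-sign (e.g. only the
# comment changed) is harmless.
- name: Sign and install certificate
  when: (not cert_state.stat.exists) or key_pair.changed
  block:
    # A per-run private temp dir on the controller instead of a fixed
    # /tmp/<name>.pub: hosts processed in parallel with the same
    # ssh_ca_key_name would otherwise overwrite each other's public key
    # before it is signed, and a predictable path in world-writable /tmp is a
    # symlink/race target.
    - name: Create temporary directory on local machine
      tempfile:
        state: directory
        suffix: ssh-ca
      register: ca_tmp
      delegate_to: localhost

    - name: Copy public key to local machine
      copy:
        dest: "{{ ca_tmp.path }}/{{ ssh_ca_key_name }}.pub"
        content: "{{ key_pair.public_key }}"
      delegate_to: localhost

    - name: Generate certificate
      openssh_cert:
        path: "{{ ca_tmp.path }}/{{ ssh_ca_key_name }}-cert.pub"
        principals: "{{ ssh_ca_cert_principals }}"
        public_key: "{{ ca_tmp.path }}/{{ ssh_ca_key_name }}.pub"
        # Presumably only meaningful for an RSA CA key; override via
        # ssh_ca_signature_algorithm when the CA key is of another type.
        signature_algorithm: "{{ ssh_ca_signature_algorithm | default('rsa-sha2-512') }}"
        signing_key: "{{ role_path }}/files/{{ ssh_ca_signing_key }}"
        type: "{{ ssh_ca_type }}"
        # Defaults keep the original non-expiring certificate. Such a cert can
        # only be invalidated through a KRL, so set a finite
        # ssh_ca_cert_valid_to wherever rotation is expected.
        valid_from: "{{ ssh_ca_cert_valid_from | default('always') }}"
        valid_to: "{{ ssh_ca_cert_valid_to | default('forever') }}"
      delegate_to: localhost

    - name: Copy certificate to host
      copy:
        src: "{{ ca_tmp.path }}/{{ ssh_ca_key_name }}-cert.pub"
        dest: "/etc/ssh/{{ ssh_ca_key_name }}-cert.pub"
        mode: "0600"
  always:
    # Runs even if signing failed, so no public-key or certificate copies linger
    # on the controller. Guarded in case the tempfile task itself did not run.
    - name: Delete local temporary directory
      file:
        path: "{{ ca_tmp.path }}"
        state: absent
      delegate_to: localhost
      when: ca_tmp.path is defined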