14 days ago · Tech · 0 comments

If all you have is a hammer …

It occurs to me that we can deploy SSH host keys and their certificates to nodes using Ansible, as it has two existing modules we can use for the task:

- community.crypto.openssh_keypair generates OpenSSH private/public key pairs
- community.crypto.openssh_cert generates OpenSSH user or host certificates

Assuming we want a host's private key to be generated on a node and to reside on that node only, and assuming our SSH CA (certification authority) lives on the Ansible controller, we can delegate to localhost the bits which should happen on the controller. In the following simple playbook I use a block in which I create a unique temporary directory locally, into which the public key from the host is copied and signed; the always portion of the block ensures the directory is cleared out even on error within the block. The public portion of the SSH key pair is returned in openssh_keypair's return values (public_key), so it never has to be fetched from the node separately.

```yaml
- hosts: d13
  gather_facts: yes
  remote_user: jp
  vars:…
```
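The playbook above is cut off, so here is an added, complete playbook of the same shape (this is example code, not the author's playbook). It assumes the host CA private key sits at ~/.ssh/ca/host_ca on the controller, that the remote user can sudo, and that the node runs a Debian-style `ssh` service; all three are assumptions, not facts from the post. The private key is generated with openssh_keypair on the node and never leaves it; only its public half travels to the controller, is signed with openssh_cert inside a block, and the certificate is copied back, with the scratch directory removed in the always section whether or not signing succeeded.

```yaml
# Added example: generate an SSH host key on the node, sign its public half
# with a CA on the Ansible controller, and install the resulting certificate.
# Assumed paths/names (not from the original post): the CA at ~/.ssh/ca/host_ca,
# host "d13", remote user "jp" with sudo, service name "ssh" (Debian).
- hosts: d13
  gather_facts: yes            # needed for ansible_fqdn below
  remote_user: jp
  become: yes
  vars:
    host_key: /etc/ssh/ssh_host_ed25519_key                      # stays on the node
    host_ca: "{{ lookup('env', 'HOME') }}/.ssh/ca/host_ca"        # CA on the controller (assumed)
    cert_validity: "+52w"                                         # certificate lifetime
  tasks:
    - name: Generate the host key pair on the node (the private key never leaves it)
      community.crypto.openssh_keypair:
        path: "{{ host_key }}"
        type: ed25519
        comment: "{{ inventory_hostname }} host key"
        mode: "0600"
      register: hostkey        # hostkey.public_key holds the public half

    - name: Sign the public key on the controller and ship the certificate back
      block:
        - name: Create a unique scratch directory on the controller
          ansible.builtin.tempfile:
            state: directory
            suffix: "-{{ inventory_hostname }}"
          delegate_to: localhost
          become: no
          register: scratch

        - name: Write the node's public key into the scratch directory
          ansible.builtin.copy:
            content: "{{ hostkey.public_key }}\n"
            dest: "{{ scratch.path }}/host_key.pub"
            mode: "0644"
          delegate_to: localhost
          become: no

        - name: Sign it with the host CA (principals must match the names clients connect to)
          community.crypto.openssh_cert:
            type: host
            signing_key: "{{ host_ca }}"
            public_key: "{{ scratch.path }}/host_key.pub"
            path: "{{ scratch.path }}/host_key-cert.pub"
            identifier: "{{ inventory_hostname }}"
            principals:
              - "{{ inventory_hostname }}"
              - "{{ ansible_fqdn }}"
            valid_from: always
            valid_to: "{{ cert_validity }}"
          delegate_to: localhost
          become: no

        - name: Install the certificate next to the host key on the node
          ansible.builtin.copy:
            src: "{{ scratch.path }}/host_key-cert.pub"
            dest: "{{ host_key }}-cert.pub"
            mode: "0644"
          notify: Restart sshd

        - name: Tell sshd to present the certificate (config is syntax-checked first)
          ansible.builtin.lineinfile:
            path: /etc/ssh/sshd_config
            regexp: '^HostCertificate '
            line: "HostCertificate {{ host_key }}-cert.pub"
            validate: "sshd -t -f %s"
          notify: Restart sshd

      always:
        - name: Remove the scratch directory on the controller, even if signing failed
          ansible.builtin.file:
            path: "{{ scratch.path }}"
            state: absent
          delegate_to: localhost
          become: no
          when: scratch.path is defined

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Two checks worth running afterwards: on the node, `ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub` prints the key ID, principals and validity window, which is where a wrong principal (a name clients use that is missing from the list) shows up. sshd only presents the certificate if its HostCertificate matches one of its configured HostKey entries, so the HostKey for the ed25519 key must already be active. On the client side the certificate is only trusted once the CA's public key is listed in known_hosts with an `@cert-authority` marker.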
