debops / ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates
GNU General Public License v3.0

Allow generating private keys on the Ansible controller #88

Open ypid opened 7 years ago

ypid commented 7 years ago

As recommended/explained on BetterCrypto.org in "Random Number Generators" -> "Recommendations", VMs and embedded systems might have a low entropy pool. It would be nice to allow generating realm private keys on the Ansible controller, transferring them to remote systems and then destroying them on the Ansible controller. This should not necessarily be the default, but it could be, as the Ansible controller is part of the TCB of remote systems.

drybjed commented 7 years ago

The current role supports this in a way - you can provide your own private keys through the secret/pki/ directory with your external certificates; they will be used to generate the certificate requests for ACME and internal/self-signed certificates as well.

I'm not sure how much private key generation would complicate things - do we want to support only per-host keys, or per-group and global as well? This can currently be done depending on which directory you put your private key in. Anyhow, a thing to think about. You should also remember to use GnuTLS to generate the private keys so that services like OpenLDAP or others compiled against the GnuTLS library can work correctly.

ypid commented 7 years ago

Sounds good.

do we want to support only per-host keys, or per-group and global as well?

I guess supporting all of them would be good.
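The workflow ypid asks for, using the GnuTLS certtool drybjed recommends, written out as an added playbook example that is not part of the debops.pki role. The remote key path, the scratch directory under secret/pki/ and the variable names are assumptions.

```yaml
# Added example, not debops.pki code: generate the key with GnuTLS certtool on the
# controller, push it to the host root-only, then shred the controller copy.
- name: Generate host private key on the controller and deploy it
  hosts: all
  become: true
  vars:
    pki_key_bits: 4096
    controller_keydir: "{{ playbook_dir }}/secret/pki/tmp"   # assumed scratch dir
    local_key: "{{ controller_keydir }}/{{ inventory_hostname }}.key"
    remote_key: "/etc/pki/realms/domain/private/key.pem"     # assumed path
  tasks:
    - name: Create a private scratch directory on the controller
      ansible.builtin.file:
        path: "{{ controller_keydir }}"
        state: directory
        mode: "0700"
      delegate_to: localhost
      become: false
    - name: Generate the key with GnuTLS certtool (GnuTLS-linked services read it fine)
      ansible.builtin.command:
        argv:
          - certtool
          - --generate-privkey
          - --rsa
          - --bits
          - "{{ pki_key_bits }}"
          - --outfile
          - "{{ local_key }}"
        creates: "{{ local_key }}"   # idempotent: do not regenerate an existing key
      delegate_to: localhost
      become: false
      no_log: true
    - name: Transfer the key to the managed host, readable by root only
      ansible.builtin.copy:
        src: "{{ local_key }}"
        dest: "{{ remote_key }}"
        owner: root
        group: root
        mode: "0600"
      no_log: true
    - name: Destroy the controller copy once it has been delivered
      ansible.builtin.command:
        argv: [shred, -u, "{{ local_key }}"]
        removes: "{{ local_key }}"   # skip cleanly when nothing is left to shred
      delegate_to: localhost
      become: false
```

shred only overwrites in place on filesystems that do so; on copy-on-write or journaled storage, put the scratch directory on tmpfs instead so the key never reaches persistent disk on the controller.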