Support to regen realm private keys on specified intervals about ansible-pki HOT 3 OPEN

I see an issue with this - at the moment the hosts themselves execute the pki-realm script periodically to perform operations like renewal of ACME certificates. The script detects if the currently used certificate is valid, and if not it switches to the "next best" certificate in order: external, acme, internal, selfsigned. If we add an option to regenerate the private keys, the internal certificates will be broken since the internal CA located on the Ansble Controller would not have signed the certificate, resulting in the key/cert mismatch. I suppose that the key regeneration could be tied to the Ansible runs themselves and done periodically, but there's no guarantee that the run is performed periodically at all. Although that shouldn't be an issue in this case.

from ansible-pki.

I suppose that the key regeneration could be tied to the Ansible runs themselves and done periodically, but there's no guarantee that the run is performed periodically at all.

Right. I would not really depend on that.

Maybe older private keys could be saved in the CA directory which still has a valid cert using this key.

from ansible-pki.

For the common deployments using DebOps, e. g. VPSes or so using LE, key regeneration should be the default. I suspect that internal CAs or external CAs are used very infrequently for such deployments. For such cases we could recommend in the docs to disable pki_internal which could then switch on key regeneration for each cert if no external certs are provided (or maybe even then as suggested above).

Ref: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#12-protect-private-keys

from ansible-pki.