drybjed
commented
7 years ago I see an issue with this - at the moment the hosts themselves execute the pki-realm script periodically to perform operations like renewal of ACME certificates. The script detects if the currently used certificate is valid, and if not it switches to the "next best" certificate in order: external, acme, internal, selfsigned. If we add an option to regenerate the private keys, the internal certificates will be broken since the internal CA located on the Ansble Controller would not have signed the certificate, resulting in the key/cert mismatch. I suppose that the key regeneration could be tied to the Ansible runs themselves and done periodically, but there's no guarantee that the run is performed periodically at all. Although that shouldn't be an issue in this case.
ypid
Currently, the realm key used for all certificates of this realm (internal, external, ACME) is created on realm creation. In the case of ACME and LE, the certificate is renewed at least all 3 months. Other certs are rotated less frequently. It should be possible to specify the wanted private key renewal period which can happen at cert renewal.
Ref: https://letsencrypt.org/2015/11/09/why-90-days.html