---

- name: private key
  command: openssl genrsa
    -out "{{certificate_private_key_file}}"
    {{ certificate_private_key_password is defined | ternary('-aes256 -passout env:PRIVATE_KEY_PASSWORD','') }}
    {{ certificate_private_key_size }}
  args:
    creates: "{{ certificate_private_key_file }}"
  environment:
    PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
  notify: certificate changed