Creating the SSL certs/keys for, for example, Apache can easily be done by using the FreeIPA Dogtag CA-server. With some effort, I put it in an Ansible playbook which will install Apache and certificates "on demand".
Sometimes a server needs to be re-installed ("cattle-servers"); why bother about backup/restore when a server can be redeployed within minutes? However, a new certificate needs to be created, it seems, since I cannot (re)download the private key once created.
Now: is it just impossible to (re)download the private SSL key later on for re-use?
If not possible: FreeIPA vault (KRA) seems a proper way to store the private key. Correct?