I'm trying to automate my OpenVPN setup. My setup is as follows:
When I add a new client, I need to:
That requires 3 hosts to interact, and a file to be bounced from here to there.
But, ideally, I would like to have the configuration for my client to stay within ONE host definition.
Something like:

    - hosts: openvpn_clients
      tasks:
        ...
        - name: create OpenVPN config
          copy:
            dest: /etc/openvpn/client/client.cert
            content: "{{ go and create it, if possible dynamically, or fetch it - on the 'certificate server' host}}"

But the only way I can think of this working is:

    - hosts: certificate_server
      tasks:
        - name: execute easy-rsa to create client cert
          script: ...
        - name: fetch created certificate
          fetch: ...

    - hosts: openvpn_client
      ...

In other words: every time I reconfigure openvpn_client, I will need to step through certificate_server (while my playbook is NOT about reconfiguring certificate_server, so ideally it should bear no reference to it...)
Any way to avoid that?
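
One way to keep everything inside the client play is to delegate the certificate tasks to the CA host, shown here as an added example that is not part of the original post. The `ca_host` and `easyrsa_dir` variables, the easy-rsa 3 directory layout and the destination file names are assumptions.

```yaml
# Added example: host names, paths and the easy-rsa 3 layout are assumptions.
- hosts: openvpn_clients
  become: true
  vars:
    ca_host: certificate_server      # assumed inventory name of the CA host
    easyrsa_dir: /etc/easy-rsa       # assumed easy-rsa 3 working directory
  tasks:
    - name: Issue client certificate on the CA host unless it already exists
      ansible.builtin.command:
        cmd: ./easyrsa --batch build-client-full {{ inventory_hostname }} nopass
        chdir: "{{ easyrsa_dir }}"
        creates: "{{ easyrsa_dir }}/pki/issued/{{ inventory_hostname }}.crt"
      delegate_to: "{{ ca_host }}"
      throttle: 1                    # one issuance at a time on the shared PKI

    - name: Read certificate and key from the CA host
      ansible.builtin.slurp:
        src: "{{ easyrsa_dir }}/pki/{{ item }}"
      loop:
        - "issued/{{ inventory_hostname }}.crt"
        - "private/{{ inventory_hostname }}.key"
      register: pki_files
      delegate_to: "{{ ca_host }}"
      no_log: true                   # keep the private key out of task output

    - name: Install certificate and key on the client
      ansible.builtin.copy:
        dest: "/etc/openvpn/client/{{ item.item | basename }}"
        content: "{{ item.content | b64decode }}"
        owner: root
        group: root
        mode: "0600"
      loop: "{{ pki_files.results }}"
      no_log: true
```

With this layout the private key is generated on the CA host and passes through the control node on its way to the client. Generating the key and CSR on the client and delegating only the signing step keeps the key on the machine that uses it.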