diff --git a/tasks/standalone/create_ca.yml b/tasks/standalone/create_ca.yml
index 649a6d6..793afbe 100644
--- a/tasks/standalone/create_ca.yml
+++ b/tasks/standalone/create_ca.yml
@@ -45,6 +45,8 @@
 - name: Generate CA private key for {{ ca.name }}
 community.crypto.openssl_privatekey:
 path: "{{ ca_dir ~ '/private/' ~ ca.name ~ '.key.pem' }}"
+ passphrase: "{{ ca.key_passphrase | default(omit) }}"
+ cipher: "{{ ('key_passphrase' in ca and ca.key_passphrase) | ternary('auto', omit) }}"
 register: ca_privkey
 - name: Read the serial number for {{ ca.name }}
@@ -56,6 +58,7 @@
 community.crypto.openssl_csr:
 path: "{{ ca_dir }}/csr/ca_csr-{{ next_serial_no }}.csr"
 privatekey_path: "{{ ca_privkey.filename }}"
+ privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
 common_name: "{{ ca.cn }}"
 basic_constraints_critical: yes
 basic_constraints: "{{ ca.basic_constraints }}"
@@ -82,6 +85,7 @@
 csr_path: "{{ ca_csr.filename }}"
 provider: 'selfsigned'
 privatekey_path: "{{ ca_privkey.filename }}"
+ privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
 selfsigned_not_after: "{{ ca.not_after }}"
 register: ca_selfsigned_crt
 when:
@@ -97,6 +101,7 @@
 csr_path: "{{ ca_csr.filename }}"
 provider: 'ownca'
 ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/private/' ~ ca.signed_by ~ '.key.pem' }}"
+ ownca_privatekey_passphrase: "{{ ca.ownca_key_passphrase | default(omit) }}"
 ownca_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/certs/' ~ ca.signed_by ~ '.crt' }}"
 ownca_not_after: "{{ ca.not_after }}"
 register: ca_ownca_crt
diff --git a/tasks/standalone/create_cert.yml b/tasks/standalone/create_cert.yml
index e972a43..078c54d 100644
--- a/tasks/standalone/create_cert.yml
+++ b/tasks/standalone/create_cert.yml
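Review bot: The two added lines in the first hunk of create_ca.yml disagree on what counts as "no passphrase": `passphrase` uses `default(omit)`, which still passes an empty string through when `ca.key_passphrase` is defined but empty, whereas `cipher` tests truthiness and omits itself in that case, so an empty value reaches the module as a passphrase with no cipher. Use the same guard on both, `passphrase: "{{ ca.key_passphrase | default(omit, true) }}"`, and apply `default(omit, true)` to the `privatekey_passphrase` / `ownca_privatekey_passphrase` lines in the three later hunks so the CSR and certificate steps see the key exactly as the generation step did; the same pattern appears in all three hunks of create_cert.yml. Separately, adding a passphrase to a CA key that already exists unencrypted changes the module's inputs, and under openssl_privatekey's default `regenerate` policy (full_idempotence, as I read the module docs) that is likely to replace the CA key rather than re-encrypt it, which would silently orphan every certificate it has issued — pin `regenerate: fail` (or `never`) on the CA key task so that case is surfaced instead. The new `key_passphrase` and `ownca_key_passphrase` variables are not documented anywhere in this change; describe them in the role's defaults/README, including that they are expected to come from a vaulted source.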
@@ -25,6 +25,8 @@
 - name: Generate certificate private key for {{ cert.name }}
 community.crypto.openssl_privatekey:
 path: "{{ cert_dir ~ '/private/' ~ cert.name ~ '.key.pem' }}"
+ passphrase: "{{ cert.key_passphrase | default(omit) }}"
+ cipher: "{{ ('key_passphrase' in cert and cert.key_passphrase) | ternary('auto', omit) }}"
 force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
 register: cert_privkey
@@ -32,6 +34,7 @@
 community.crypto.openssl_csr:
 path: "{{ cert_dir ~ '/csr/' ~ cert.name ~ '.csr' }}"
 privatekey_path: "{{ cert_privkey.filename }}"
+ privatekey_passphrase: "{{ cert.key_passphrase | default(omit) }}"
 common_name: "{{ cert.cn | default(omit) }}"
 basic_constraints_critical: yes
 basic_constraints: "{{ cert.basic_constraints | default(omit) }}"
@@ -53,6 +56,7 @@
 csr_path: "{{ cert_csr.filename }}"
 ownca_path: "{{ _ca_file }}"
 ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/private/' ~ cert.signed_by ~ '.key.pem' }}"
+ ownca_privatekey_passphrase: "{{ cert.ownca_key_passphrase | default(omit) }}"
 provider: ownca
 force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
 register: cert_crt
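Review bot: In the third hunk of create_cert.yml the signing key's path is derived from `cert.signed_by`, but its passphrase is read from the certificate entry itself (`cert.ownca_key_passphrase`), so every certificate signed by a given CA has to carry a copy of that CA's key passphrase in its own definition, and the one in create_ca.yml (`ca.ownca_key_passphrase`) does the same for intermediates. That multiplies the places a CA passphrase lives and makes rotating it an edit across every cert entry; if the CA definitions are addressable by name (which I cannot see from this hunk), resolving the passphrase from the CA named in `signed_by` in one place and passing it here would keep a single copy. At minimum the `cert.ownca_key_passphrase` contract — that it must equal the `key_passphrase` of the CA named in `signed_by` — should be stated in the role's variable documentation. The `force:` on the key task already regenerates the certificate key on request, so the passphrase-change/regeneration concern raised for the CA key is less severe here, but the same `default(omit, true)` guard is still wanted on the two new passphrase lines in this file.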