diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml
index 74225025564e58ce68f7c2e35f1592fc1bad5a20..7b5f566263c59688c1b6fcfd1007ed13adc3adbd 100644
--- a/roles/rke2/tasks/main.yml
+++ b/roles/rke2/tasks/main.yml
@@ -19,6 +19,9 @@
 - include_tasks: kubeconfig.yml
   when: state != 'absent' and 'master' in group_names
 
+- include_tasks: privkey.yml
+  when: state != 'absent' and 'master' in group_names
+
 - name: uninstall rke2
   command: rke2-uninstall.sh
   when: rke2_installed.stat.exists and state == 'absent'
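Review bot: The new `include_tasks: privkey.yml` has no `name:`, so it shows up in play output only by file name, and that name is misleading — the included file exports the public half of the service key, not a private key. Suggest `- name: export service public key for jwks` above the include, and consider renaming the file to match (e.g. `service_pubkey.yml`), since the `when:` clause is otherwise identical to the `kubeconfig.yml` include just above it.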
diff --git a/roles/rke2/tasks/privkey.yml b/roles/rke2/tasks/privkey.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a7ea03b3db9a493d2fba0debc863daa8e2721d4b
--- /dev/null
+++ b/roles/rke2/tasks/privkey.yml
@@ -0,0 +1,17 @@
+
+- name: wait for private key to exist
+  wait_for:
+    path: /var/lib/rancher/rke2/server/tls/service.key
+
+- name: generate public key from private key for jwks 
+  shell: |
+    openssl rsa -in /var/lib/rancher/rke2/server/tls/service.key -pubout -out /var/lib/rancher/rke2/server/tls/service.pub
+  
+
+- name: fetch public key from master
+  ansible.builtin.fetch:
+    src: /var/lib/rancher/rke2/server/tls/service.pub
+    dest: service.pub
+    flat: yes
+
+
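Review bot: The `shell` task that runs `openssl rsa -pubout` has no `creates:` guard, so it re-runs and reports `changed` on every play, which also means `service.pub` is rewritten under a live server each run; the command has no shell features and fits `command` with a guard, e.g. `command: openssl rsa -in /var/lib/rancher/rke2/server/tls/service.key -pubout -out /var/lib/rancher/rke2/server/tls/service.pub` plus `args: {creates: /var/lib/rancher/rke2/server/tls/service.pub}`. `openssl rsa` will fail if `service.key` is not an RSA key (e.g. EC), which the task does not handle — `openssl pkey -pubout` works for either key type if that is a concern. In the fetch task, `flat: yes` should be `flat: true`, and with `flat` set every master in `group_names` writes to the same local `dest: service.pub`, so the last host wins; if that is not intended, include `inventory_hostname` in `dest`. Minor: the task name on the `generate public key` line has trailing whitespace, and the file starts with a blank line rather than `---`.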