New in version 2.8.

The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments |
---|---|---|
`path` (path, required) | | Remote absolute path where the certificate file is loaded from. |
`select_crypto_backend` (string) | Choices: `auto` (default), `cryptography`, `pyopenssl` | Determines which crypto backend to use. The default choice is `auto`, which tries to use `cryptography` if available, and falls back to `pyopenssl`. If set to `pyopenssl`, will try to use the pyOpenSSL library. If set to `cryptography`, will try to use the cryptography library. |
`valid_at` (dictionary) | | A dict of names mapping to time specifications. Every time specified here will be checked whether the certificate is valid at this point. See the `valid_at` return value for information on the result. Time can be specified either as a relative time or as an absolute timestamp. Time will always be interpreted as UTC. Valid formats are `[+-]timespec` or an ASN.1 TIME, where `timespec` is an integer followed by one of `w`, `d`, `h`, `m` or `s` (e.g. `+32w1d2h`), and ASN.1 TIME follows the pattern `YYYYMMDDHHMMSSZ`. Note that all timestamps will be treated as being in UTC. |
Note: Timestamps follow the `YYYYMMDDHHMMSSZ` pattern (ASN.1 TIME). They are all in UTC.
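As an added illustration (not the module's own code), the following Python resolves `valid_at` entries the way the parameter description above specifies: a signed `timespec` such as `+32w1d2h` relative to now, or an absolute `YYYYMMDDHHMMSSZ` timestamp, both read as UTC, and then checks each point against `notBefore`/`notAfter`. The certificate dates and the fixed `EXAMPLE_NOW` are constructed so the results are reproducible.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed values for illustration (they match the samples in the return-value table);
# the real module reads notBefore/notAfter from the certificate at `path`.
NOT_BEFORE = "20190331202428Z"
NOT_AFTER = "20190413202428Z"
EXAMPLE_NOW = datetime(2019, 4, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

_UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_RELATIVE = re.compile(r"^([+-])((?:\d+[wdhms])+)$")   # [+-]timespec, e.g. +32w1d2h
_ASN1_TIME = re.compile(r"^\d{14}Z$")                  # YYYYMMDDHHMMSSZ


def parse_asn1_time(value):
    """Parse an ASN.1 TIME (YYYYMMDDHHMMSSZ) as a timezone-aware UTC datetime."""
    if not _ASN1_TIME.match(value):
        raise ValueError("not an ASN.1 TIME: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_timespec(value, now):
    """Resolve a valid_at entry ('[+-]timespec' or ASN.1 TIME) to a UTC datetime."""
    match = _RELATIVE.match(value)
    if match:
        sign = 1 if match.group(1) == "+" else -1
        parts = re.findall(r"(\d+)([wdhms])", match.group(2))
        seconds = sum(int(n) * _UNIT_SECONDS[unit] for n, unit in parts)
        return now + sign * timedelta(seconds=seconds)
    return parse_asn1_time(value)  # absolute timestamps are always read as UTC


def valid_at(points, not_before, not_after, now):
    """Mirror the module's valid_at return value: name -> bool per requested point."""
    nb, na = parse_asn1_time(not_before), parse_asn1_time(not_after)
    return {name: nb <= parse_timespec(spec, now) <= na for name, spec in points.items()}


if __name__ == "__main__":
    points = {"point_1": "+1d", "point_2": "+3w", "start": NOT_BEFORE}
    print(valid_at(points, NOT_BEFORE, NOT_AFTER, EXAMPLE_NOW))
    # -> {'point_1': True, 'point_2': False, 'start': True}
```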
```yaml
- name: Generate a Self Signed OpenSSL certificate
  openssl_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    privatekey_path: /etc/ssl/private/ansible.com.pem
    csr_path: /etc/ssl/csr/ansible.com.csr
    provider: selfsigned

# Get information on the certificate
- name: Get information on generated certificate
  openssl_certificate_info:
    path: /etc/ssl/crt/ansible.com.crt
  register: result

- name: Dump information
  debug:
    var: result

# Check whether the certificate is valid or not valid at certain times, fail
# if this is not the case. The first task (openssl_certificate_info) collects
# the information, and the second task (assert) validates the result and
# makes the playbook fail in case something is not as expected.
- name: Test whether that certificate is valid tomorrow and/or in three weeks
  openssl_certificate_info:
    path: /etc/ssl/crt/ansible.com.crt
    valid_at:
      point_1: "+1d"
      point_2: "+3w"
  register: result

- name: Validate that certificate is valid tomorrow, but not in three weeks
  assert:
    that:
      - result.valid_at.point_1      # valid in one day
      - not result.valid_at.point_2  # not valid in three weeks
```
Common return values are documented here; the following are the fields unique to this module:

Key | Returned | Description |
---|---|---|
`basic_constraints` (list) | success | Entries in the `basic_constraints` extension, or none if the extension is not present. Sample: `[CA:TRUE, pathlen:1]` |
`basic_constraints_critical` (boolean) | success | Whether the `basic_constraints` extension is critical. |
`expired` (boolean) | success | Whether the certificate is expired (i.e. `notAfter` is in the past). |
`extended_key_usage` (list) | success | Entries in the `extended_key_usage` extension, or none if the extension is not present. Sample: `[Biometric Info, DVCS, Time Stamping]` |
`extended_key_usage_critical` (boolean) | success | Whether the `extended_key_usage` extension is critical. |
`extensions_by_oid` (complex) | success | Returns a dictionary for every extension OID. Sample: `{"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}` |
`extensions_by_oid` / `critical` (boolean) | success | Whether the extension is critical. |
`extensions_by_oid` / `value` (string) | success | The Base64 encoded value (in DER format) of the extension. Sample: `MAMCAQU=` |
`issuer` (dictionary) | success | The certificate's issuer. Sample: `{"organizationName": "Ansible"}` |
`key_usage` (string) | success | Entries in the `key_usage` extension, or none if the extension is not present. Sample: `[Key Agreement, Data Encipherment]` |
`key_usage_critical` (boolean) | success | Whether the `key_usage` extension is critical. |
`not_after` (string) | success | `notAfter` date as ASN.1 TIME. Sample: `20190413202428Z` |
`not_before` (string) | success | `notBefore` date as ASN.1 TIME. Sample: `20190331202428Z` |
`ocsp_must_staple` (boolean) | success | `yes` if the OCSP Must Staple extension is present, none otherwise. |
`ocsp_must_staple_critical` (boolean) | success | Whether the `ocsp_must_staple` extension is critical. |
`public_key` (string) | success | Certificate's public key in PEM format. Sample: `-----BEGIN PUBLIC KEY-----` `MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A...` |
`public_key_fingerprints` (dictionary) | success | Fingerprints of the certificate's public key. For every hash algorithm available, the fingerprint is computed. Sample: `{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1...` |
`serial_number` (integer) | success | The certificate's serial number. Sample: `1234` |
`signature_algorithm` (string) | success | The signature algorithm used to sign the certificate. Sample: `sha256WithRSAEncryption` |
`subject` (dictionary) | success | The certificate's subject. Sample: `{"commonName": "www.example.com", "emailAddress": "test@example.com"}` |
`subject_alt_name` (list) | success | Entries in the `subject_alt_name` extension, or none if the extension is not present. Sample: `[DNS:www.ansible.com, IP:1.2.3.4]` |
`subject_alt_name_critical` (boolean) | success | Whether the `subject_alt_name` extension is critical. |
`valid_at` (dictionary) | success | For every time stamp provided in the `valid_at` option, a boolean whether the certificate is valid at that point in time or not. |
`version` (integer) | success | The certificate version. Sample: `3` |
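The `value` field of `extensions_by_oid` is Base64-encoded DER, so extensions the module does not name can still be inspected. As an added example (not module code), this decodes the sample above: OID `1.3.6.1.5.5.7.1.24` is the TLS Feature extension (RFC 7633), and its `MAMCAQU=` payload is a SEQUENCE holding the single INTEGER 5, the `status_request` feature that the `ocsp_must_staple` return value reports. The minimal DER reader and the OID/feature name tables are this example's own.

```python
import base64

# Sample taken from the extensions_by_oid return value above, used here as constructed input.
SAMPLE_EXTENSIONS_BY_OID = {"1.3.6.1.5.5.7.1.24": {"critical": False, "value": "MAMCAQU="}}

# 1.3.6.1.5.5.7.1.24 is id-pe-tlsfeature (RFC 7633): a SEQUENCE OF INTEGER of TLS
# extension numbers. Feature 5 (status_request) is what "OCSP Must Staple" means.
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
TLS_FEATURE_NAMES = {5: "status_request", 17: "status_request_v2"}


def der_read_tlv(buf, pos):
    """Read one DER tag/length/value at pos (short-form length only); return (tag, value, next)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not handled in this illustration")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[start:end], end

def decode_tls_feature(value_b64):
    """Decode the Base64 DER of a TLS Feature extension into its list of feature numbers."""
    der = base64.b64decode(value_b64, validate=True)
    tag, body, end = der_read_tlv(der, 0)
    if tag != 0x30 or end != len(der):          # 0x30 = SEQUENCE; reject trailing bytes
        raise ValueError("expected exactly one SEQUENCE")
    features, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read_tlv(body, pos)
        if tag != 0x02:                         # 0x02 = INTEGER
            raise ValueError("expected INTEGER inside SEQUENCE")
        features.append(int.from_bytes(val, "big", signed=True))
    return features

def explain_extensions(extensions_by_oid):
    """Annotate each extensions_by_oid entry; decodes the OIDs this example knows about."""
    out = {}
    for oid, ext in extensions_by_oid.items():
        entry = {"critical": ext["critical"], "der_hex": base64.b64decode(ext["value"]).hex()}
        if oid == TLS_FEATURE_OID:
            nums = decode_tls_feature(ext["value"])
            entry["tls_features"] = [TLS_FEATURE_NAMES.get(n, "unknown(%d)" % n) for n in nums]
            entry["ocsp_must_staple"] = 5 in nums
        out[oid] = entry
    return out

if __name__ == "__main__":
    print(explain_extensions(SAMPLE_EXTENSIONS_BY_OID))
```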