openssl_csr: Generate OpenSSL Certificate Signing Request (CSR)
ansible.builtin.openssl_csr (v2.4.0.0-1), module
Added in version 2.4 of ansible.builtin
Authors: Yanis Guenane (@Spredzy)
preview | supported by community
Install with pip install ansible==2.4.0.0.post1
This module allows one to (re)generate OpenSSL certificate signing requests. It uses the pyOpenSSL Python library to interact with OpenSSL. This module supports the subjectAltName as well as the keyUsage and extendedKeyUsage extensions.
Note: At least one of common_name or subject_alt_name must be specified.
This module uses file common arguments to specify generated file permissions.
# Generate an OpenSSL Certificate Signing Request
- openssl_csr:
    path: /etc/ssl/csr/www.ansible.com.csr
    privatekey_path: /etc/ssl/private/ansible.com.pem
    common_name: www.ansible.com

# Generate an OpenSSL Certificate Signing Request with a
# passphrase protected private key
- openssl_csr:
    path: /etc/ssl/csr/www.ansible.com.csr
    privatekey_path: /etc/ssl/private/ansible.com.pem
    privatekey_passphrase: ansible
    common_name: www.ansible.com

# Generate an OpenSSL Certificate Signing Request with Subject information
- openssl_csr:
    path: /etc/ssl/csr/www.ansible.com.csr
    privatekey_path: /etc/ssl/private/ansible.com.pem
    country_name: FR
    organization_name: Ansible
    email_address: jdoe@ansible.com
    common_name: www.ansible.com

# Generate an OpenSSL Certificate Signing Request with subjectAltName extension
- openssl_csr:
    path: /etc/ssl/csr/www.ansible.com.csr
    privatekey_path: /etc/ssl/private/ansible.com.pem
    subject_alt_name: 'DNS:www.ansible.com,DNS:m.ansible.com'

# Force re-generate an OpenSSL Certificate Signing Request
- openssl_csr:
    path: /etc/ssl/csr/www.ansible.com.csr
    privatekey_path: /etc/ssl/private/ansible.com.pem
    force: True
    common_name: www.ansible.com
# Generate an OpenSSL Certificate Signing Request with special key usages
- openssl_csr:
    path: /etc/ssl/csr/www.ansible.com.csr
    privatekey_path: /etc/ssl/private/ansible.com.pem
    common_name: www.ansible.com
    key_usage:
      - digitalSignature
      - keyAgreement
    extended_key_usage:
      - clientAuth
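The options above combined in one play, as an added example that is not part of the module documentation: the key passphrase is read from a variable instead of being written in the playbook, the SAN and key usages are given as YAML lists, file permissions are set through the file common arguments, and the resulting CSR's self-signature is checked with the openssl CLI. The variable name vault_csr_key_passphrase, the webservers group and the owner/group/mode values are assumptions.

```yaml
# Added example. vault_csr_key_passphrase is a hypothetical variable name,
# expected to be defined in an Ansible Vault-encrypted vars file.
- hosts: webservers              # hypothetical inventory group
  become: true
  tasks:
    - name: Generate CSR with SAN list and restricted key usages
      openssl_csr:
        path: /etc/ssl/csr/www.ansible.com.csr
        privatekey_path: /etc/ssl/private/ansible.com.pem
        privatekey_passphrase: "{{ vault_csr_key_passphrase }}"
        common_name: www.ansible.com
        subject_alt_name:
          - DNS:www.ansible.com
          - DNS:m.ansible.com
        key_usage:
          - digitalSignature
          - keyAgreement
        key_usage_critical: true
        extended_key_usage:
          - clientAuth
        digest: sha256
        # File common arguments (values are assumptions)
        owner: root
        group: root
        mode: "0644"
      no_log: true               # keep the passphrase out of task output and logs
      register: csr

    - name: Check the CSR self-signature before sending it to the CA
      command: openssl req -in {{ csr.filename }} -noout -verify
      register: verify
      changed_when: false
      # Match on the message text so the check does not depend on
      # which stream or exit code the installed openssl uses.
      failed_when: "'verify OK' not in (verify.stdout + verify.stderr)"
```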
path:
  description:
    - Name of the folder in which the generated OpenSSL certificate signing request will be written
  required: true
force:
  choices:
    - true
    - false
  default: false
  description:
    - Should the certificate signing request be forced regenerated by this ansible module
  required: false
state:
  choices:
    - present
    - absent
  default: present
  description:
    - Whether the certificate signing request should exist or not, taking action if the state is different from what is stated.
  required: false
digest:
  default: sha256
  description:
    - Digest used when signing the certificate signing request with the private key
  required: false
version:
  default: 3
  description:
    - Version of the certificate signing request
  required: false
key_usage:
  aliases:
    - keyUsage
  description:
    - This defines the purpose (e.g. encipherment, signature, certificate signing) of the key contained in the certificate.
    - This can either be a 'comma separated string' or a YAML list.
  required: false
common_name:
  aliases:
    - CN
    - commonName
  description:
    - commonName field of the certificate signing request subject
  required: false
country_name:
  aliases:
    - C
    - countryName
  description:
    - countryName field of the certificate signing request subject
  required: false
email_address:
  aliases:
    - E
    - emailAddress
  description:
    - emailAddress field of the certificate signing request subject
  required: false
locality_name:
  aliases:
    - L
    - localityName
  description:
    - localityName field of the certificate signing request subject
  required: false
privatekey_path:
  description:
    - Path to the privatekey to use when signing the certificate signing request
  required: true
subject_alt_name:
  aliases:
    - subjectAltName
  description:
    - SAN extension to attach to the certificate signing request
    - This can either be a 'comma separated string' or a YAML list.
  required: false
organization_name:
  aliases:
    - O
    - organizationName
  description:
    - organizationName field of the certificate signing request subject
  required: false
extended_key_usage:
  aliases:
    - extKeyUsage
    - extendedKeyUsage
  description:
    - Additional restrictions (e.g. client authentication, server authentication) on the allowed purposes for which the public key may be used.
    - This can either be a 'comma separated string' or a YAML list.
  required: false
key_usage_critical:
  aliases:
    - keyUsage_critical
  description:
    - Should the keyUsage extension be considered as critical
  required: false
privatekey_passphrase:
  description:
    - The passphrase for the privatekey.
  required: false
state_or_province_name:
  aliases:
    - ST
    - stateOrProvinceName
  description:
    - stateOrProvinceName field of the certificate signing request subject
  required: false
organizational_unit_name:
  aliases:
    - OU
    - organizationalUnitName
  description:
    - organizationalUnitName field of the certificate signing request subject
  required: false
subject_alt_name_critical:
  aliases:
    - subjectAltName_critical
  description:
    - Should the subjectAltName extension be considered as critical
  required: false
extended_key_usage_critical:
  aliases:
    - extKeyUsage_critical
    - extendedKeyUsage_critical
  description:
    - Should the extkeyUsage extension be considered as critical
  required: false
extendedKeyUsage:
  description: Additional restriction on the public key purposes
  returned: changed or success
  sample:
    - clientAuth
  type: list
filename:
  description: Path to the generated Certificate Signing Request
  returned: changed or success
  sample: /etc/ssl/csr/www.ansible.com.csr
  type: string
keyUsage:
  description: Purpose for which the public key may be used
  returned: changed or success
  sample:
    - digitalSignature
    - keyAgreement
  type: list
privatekey:
  description: Path to the TLS/SSL private key the CSR was generated for
  returned: changed or success
  sample: /etc/ssl/private/ansible.com.pem
  type: string
subject:
  description: A dictionary of the subject attached to the CSR
  returned: changed or success
  sample:
    CN: www.ansible.com
    O: Ansible
  type: list
subjectAltName:
  description: The alternative names this CSR is valid for
  returned: changed or success
  sample:
    - DNS:www.ansible.com
    - DNS:m.ansible.com
  type: list