ansible.builtin.win_certificate_store (v2.7.17) — module

Manages the certificate store

Added in version 2.5 of ansible.builtin

Authors: Jordan Borean (@jborean93)

preview | supported by community

Install Ansible via pip: pip install ansible==2.7.17


Used to import/export and remove certificates and keys from the local certificate store.

This module is not used to create certificates and will only manage existing certs as a file or in the store.

It can be used to import PEM, DER, P7B, PKCS12 (PFX) certificates and export PEM, DER and PKCS12 certificates.

Usage examples

- name: import a certificate
  win_certificate_store:
    path: C:\Temp\cert.pem
    state: present

- name: import pfx certificate that is password protected
  win_certificate_store:
    path: C:\Temp\cert.pfx
    state: present
    password: VeryStrongPasswordHere!
  become: yes
  become_method: runas

- name: import pfx certificate without password and set private key as un-exportable
  win_certificate_store:
    path: C:\Temp\cert.pfx
    state: present
    key_exportable: no
  # usually you don't set this here but it is for illustrative purposes
  vars:
    ansible_winrm_transport: credssp

- name: remove a certificate based on file thumbprint
  win_certificate_store:
    path: C:\Temp\cert.pem
    state: absent

- name: remove a certificate based on thumbprint
  win_certificate_store:
    thumbprint: BD7AF104CF1872BDB518D95C9534EA941665FD27
    state: absent

- name: remove certificate based on thumbprint in CurrentUser/TrustedPublisher store
  win_certificate_store:
    thumbprint: BD7AF104CF1872BDB518D95C9534EA941665FD27
    state: absent
    store_location: CurrentUser
    store_name: TrustedPublisher

- name: export certificate as der encoded file
  win_certificate_store:
    path: C:\Temp\cert.cer
    state: exported
    file_type: der

- name: export certificate and key as pfx encoded file
  win_certificate_store:
    path: C:\Temp\cert.pfx
    state: exported
    file_type: pkcs12
    password: AnotherStrongPass!
  become: yes
  become_method: runas
  become_user: SYSTEM

- name: import certificate to be used by IIS
  win_certificate_store:
    path: C:\Temp\cert.pfx
    file_type: pkcs12
    password: StrongPassword!
    store_location: LocalMachine
    key_storage: machine
    state: present


Parameters

path:
    description:
    - The path to a certificate file.
    - This is required when I(state) is C(present) or C(exported).
    - When I(state) is C(absent) and I(thumbprint) is not specified, the thumbprint is
      derived from the certificate at this path.
    type: path

state:
    choices:
    - absent
    - exported
    - present
    default: present
    description:
    - If C(present), will ensure that the certificate at I(path) is imported into the
      certificate store specified.
    - If C(absent), will ensure that the certificate specified by I(thumbprint) or the
      thumbprint of the cert at I(path) is removed from the store specified.
    - If C(exported), will ensure the file at I(path) is a certificate specified by I(thumbprint).
    - When exporting a certificate, if I(path) is a directory then the module will fail,
      otherwise the file will be replaced if needed.

password:
    description:
    - The password of the pkcs12 certificate key.
    - This is used when reading a pkcs12 certificate file or the password to set when
      C(state=exported) and C(file_type=pkcs12).
    - If the pkcs12 file has no password set or no password should be set on the exported
      file, do not set this option.

file_type:
    choices:
    - der
    - pem
    - pkcs12
    default: der
    description:
    - The file type to export the certificate as when C(state=exported).
    - C(der) is a binary ASN.1 encoded file.
    - C(pem) is a base64 encoded file of a der file in the OpenSSL form.
    - C(pkcs12) (also known as pfx) is a binary container that contains both the certificate
      and private key, unlike the other options.
    - When C(pkcs12) is set and the private key is not exportable or accessible by the
      current user, it will throw an exception.

store_name:
    choices:
    - AddressBook
    - AuthRoot
    - CertificateAuthority
    - Disallowed
    - My
    - Root
    - TrustedPeople
    - TrustedPublisher
    default: My
    description:
    - The store name to use when importing a certificate or searching for a certificate.
    - 'C(AddressBook): The X.509 certificate store for other users'
    - 'C(AuthRoot): The X.509 certificate store for third-party certificate authorities'
    - 'C(CertificateAuthority): The X.509 certificate store for intermediate certificate
      authorities (CAs)'
    - 'C(Disallowed): The X.509 certificate store for revoked certificates'
    - 'C(My): The X.509 certificate store for personal certificates'
    - 'C(Root): The X.509 certificate store for trusted root certificate authorities (CAs)'
    - 'C(TrustedPeople): The X.509 certificate store for directly trusted people and resources'
    - 'C(TrustedPublisher): The X.509 certificate store for directly trusted publishers'

thumbprint:
    description:
    - The thumbprint as a hex string to either export or remove.
    - See the examples for how to specify the thumbprint.
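The thumbprint the module matches on is the SHA-1 digest of the certificate's DER bytes, rendered as upper-case hex (the 40-character strings shown in the examples), and a PEM file is just that same DER base64-wrapped. The following added example, which is not part of this module or its documentation, shows how the `thumbprint` value for a certificate file can be derived on the controller ahead of a `state: absent` or `state: exported` task, and how `der` and `pem` (the two `file_type` choices without a private key) convert into one another. It uses only the Python standard library; `SAMPLE_DER` is a constructed minimal ASN.1 SEQUENCE standing in for a real certificate, and all function names are this example's own.

```python
import base64
import hashlib
import re

# Constructed sample: a minimal ASN.1 SEQUENCE of two INTEGERs. It is NOT a
# real X.509 certificate; it only stands in for the DER bytes of one.
SAMPLE_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"

# One PEM "CERTIFICATE" block; re.S lets the base64 body span several lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file.

    Raises ValueError when no block is present, the analogue of the module
    failing because the file at path does not hold a certificate.
    """
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks inside the base64
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as OpenSSL-style PEM: base64 at 64 characters per line."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i : i + 64] for i in range(0, len(body), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n"
    )


def detect_file_type(data: bytes) -> str:
    """Classify raw file bytes as 'pem' or 'der'.

    PEM is ASCII armour starting with '-----BEGIN'; a DER certificate starts
    with the ASN.1 SEQUENCE tag 0x30. Anything else is rejected rather than
    guessed, so a PKCS12 blob or random data never yields a bogus thumbprint.
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    raise ValueError("unrecognised certificate encoding")


def thumbprint(der: bytes) -> str:
    """Windows-style thumbprint: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def thumbprint_from_file_bytes(data: bytes) -> str:
    """Derive the thumbprint for either a PEM or a DER file's contents."""
    kind = detect_file_type(data)
    der = pem_to_der(data.decode("ascii")) if kind == "pem" else data
    return thumbprint(der)


if __name__ == "__main__":
    # Both encodings of the same certificate must map to one thumbprint.
    pem = der_to_pem(SAMPLE_DER)
    print(detect_file_type(SAMPLE_DER), thumbprint(SAMPLE_DER))
    print(detect_file_type(pem.encode()), thumbprint_from_file_bytes(pem.encode()))
```

Because the digest is taken over the DER bytes, a certificate exported with `file_type: pem` and one exported with `file_type: der` share the same thumbprint, which is why the module can match a store entry against either kind of file at `path`. SHA-1 here is an identifier chosen by Windows for the store, not a security boundary; the comparison is only as trustworthy as the store itself.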

key_storage:
    choices:
    - default
    - machine
    - user
    default: default
    description:
    - Specifies where Windows will store the private key when it is imported.
    - When set to C(default), the default option as set by Windows is used, typically
    - When set to C(machine), the key is stored in a path accessible by various users.
    - When set to C(user), the key is stored in a path only accessible by the current user.
    - Used when C(state=present) only and cannot be changed once imported.
    - See U( for more details.

key_exportable:
    default: 'yes'
    description:
    - Whether to allow the private key to be exported.
    - If C(no), then this module and other processes will only be able to export the certificate;
      the private key cannot be exported.
    - Used when C(state=present) only.
    type: bool

store_location:
    choices:
    - CurrentUser
    - LocalMachine
    default: LocalMachine
    description:
    - The store location to use when importing a certificate or searching for a certificate.


Return Values

thumbprints:
  description: A list of certificate thumbprints that were touched by the module.
  returned: success
  sample:
  - BC05633694E675449136679A658281F17A191087
  type: list