ansible / ansible.builtin / v2.8.11 / module / openssl_certificate_info Provide information of OpenSSL X.509 certificates | "added in version" 2.8 of ansible.builtin" Authors: Felix Fontein (@felixfontein), Yanis Guenane (@Spredzy), Markus Teufelberger (@MarkusTeufelberger) preview | supported by communityansible.builtin.openssl_certificate_info (v2.8.11) — module
pip
Install with pip install ansible==2.8.11
This module allows one to query information on OpenSSL certificates.
It uses the pyOpenSSL or cryptography python library to interact with OpenSSL. If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements) cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with C(select_crypto_backend))
- name: Generate a Self Signed OpenSSL certificate openssl_certificate: path: /etc/ssl/crt/ansible.com.crt privatekey_path: /etc/ssl/private/ansible.com.pem csr_path: /etc/ssl/csr/ansible.com.csr provider: selfsigned
# Get information on the certificate - name: Get information on generated certificate openssl_certificate_info: path: /etc/ssl/crt/ansible.com.crt register: result
- name: Dump information debug: var: result
# Check whether the certificate is valid or not valid at certain times, fail # if this is not the case. The first task (openssl_certificate_info) collects # the information, and the second task (assert) validates the result and # makes the playbook fail in case something is not as expected. - name: Test whether that certificate is valid tomorrow and/or in three weeks openssl_certificate_info: path: /etc/ssl/crt/ansible.com.crt valid_at: point_1: "+1d" point_2: "+3w" register: result
- name: Validate that certificate is valid tomorrow, but not in three weeks assert: that: - result.valid_at.point_1 # valid in one day - not result.valid_at.point_2 # not valid in three weeks
path: description: - Remote absolute path where the certificate file is loaded from. required: true type: path valid_at: description: - A dict of names mapping to time specifications. Every time specified here will be checked whether the certificate is valid at this point. See the C(valid_at) return value for informations on the result. - Time can be specified either as relative time or as absolute timestamp. - Time will always be interpreted as UTC. - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer + C([w | d | h | m | s]) (e.g. C(+32w1d2h), and ASN.1 TIME (i.e. pattern C(YYYYMMDDHHMMSSZ)). Note that all timestamps will be treated as being in UTC. type: dict select_crypto_backend: choices: - auto - cryptography - pyopenssl default: auto description: - Determines which crypto backend to use. - The default choice is C(auto), which tries to use C(cryptography) if available, and falls back to C(pyopenssl). - If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library. - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library. type: str
basic_constraints: description: Entries in the C(basic_constraints) extension, or C(none) if extension is not present. returned: success sample: '[CA:TRUE, pathlen:1]' type: list basic_constraints_critical: description: Whether the C(basic_constraints) extension is critical. returned: success type: bool expired: description: Whether the certificate is expired (i.e. C(notAfter) is in the past) returned: success type: bool extended_key_usage: description: Entries in the C(extended_key_usage) extension, or C(none) if extension is not present. returned: success sample: '[Biometric Info, DVCS, Time Stamping]' type: list extended_key_usage_critical: description: Whether the C(extended_key_usage) extension is critical. returned: success type: bool extensions_by_oid: contains: critical: description: Whether the extension is critical. returned: success type: bool value: description: The Base64 encoded value (in DER format) of the extension returned: success sample: MAMCAQU= type: str description: Returns a dictionary for every extension OID returned: success sample: '{"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}' type: complex issuer: description: The certificate's issuer. returned: success sample: '{"organizationName": "Ansible"}' type: dict key_usage: description: Entries in the C(key_usage) extension, or C(none) if extension is not present. returned: success sample: '[Key Agreement, Data Encipherment]' type: str key_usage_critical: description: Whether the C(key_usage) extension is critical. returned: success type: bool not_after: description: C(notAfter) date as ASN.1 TIME returned: success sample: 20190413202428Z type: str not_before: description: C(notBefore) date as ASN.1 TIME returned: success sample: 20190331202428Z type: str ocsp_must_staple: description: C(yes) if the OCSP Must Staple extension is present, C(none) otherwise. returned: success type: bool ocsp_must_staple_critical: description: Whether the C(ocsp_must_staple) extension is critical. returned: success type: bool public_key: description: Certificate's public key in PEM format returned: success sample: '-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A...' type: str public_key_fingerprints: description: - Fingerprints of certificate's public key. - For every hash algorithm available, the fingerprint is computed. returned: success sample: '{''sha256'': ''d4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63'', ''sha512'': ''f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1...' type: dict serial_number: description: The certificate's serial number. returned: success sample: 1234 type: int signature_algorithm: description: The signature algorithm used to sign the certificate. returned: success sample: sha256WithRSAEncryption type: str subject: description: The certificate's subject. returned: success sample: '{"commonName": "www.example.com", "emailAddress": "test@example.com"}' type: dict subject_alt_name: description: Entries in the C(subject_alt_name) extension, or C(none) if extension is not present. returned: success sample: '[DNS:www.ansible.com, IP:1.2.3.4]' type: list subject_alt_name_critical: description: Whether the C(subject_alt_name) extension is critical. returned: success type: bool valid_at: description: For every time stamp provided in the I(valid_at) option, a boolean whether the certificate is valid at that point in time or not. returned: success type: dict version: description: The certificate version. returned: success sample: 3 type: int