Try SpotterProvide information of OpenSSL X.509 certificates
| "added in version" 2.8 of ansible.builtin"
Authors: Felix Fontein (@felixfontein), Yanis Guenane (@Spredzy), Markus Teufelberger (@MarkusTeufelberger)
preview | supported by community
pipInstall with pip install ansible==2.9.27
This module allows one to query information on OpenSSL certificates.
It uses the pyOpenSSL or cryptography python library to interact with OpenSSL. If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements) cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with C(select_crypto_backend)). Please note that the PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in Ansible 2.13.
- name: Generate a Self Signed OpenSSL certificate
openssl_certificate:
path: /etc/ssl/crt/ansible.com.crt
privatekey_path: /etc/ssl/private/ansible.com.pem
csr_path: /etc/ssl/csr/ansible.com.csr
provider: selfsigned
# Get information on the certificate
- name: Get information on generated certificate
openssl_certificate_info:
path: /etc/ssl/crt/ansible.com.crt
register: result
- name: Dump information
debug:
var: result
# Check whether the certificate is valid or not valid at certain times, fail
# if this is not the case. The first task (openssl_certificate_info) collects
# the information, and the second task (assert) validates the result and
# makes the playbook fail in case something is not as expected.
- name: Test whether that certificate is valid tomorrow and/or in three weeks
openssl_certificate_info:
path: /etc/ssl/crt/ansible.com.crt
valid_at:
point_1: "+1d"
point_2: "+3w"
register: result
- name: Validate that certificate is valid tomorrow, but not in three weeks
assert:
that:
- result.valid_at.point_1 # valid in one day
- not result.valid_at.point_2 # not valid in three weeks
path:
description:
- Remote absolute path where the certificate file is loaded from.
required: true
type: path
valid_at:
description:
- A dict of names mapping to time specifications. Every time specified here will be
checked whether the certificate is valid at this point. See the C(valid_at) return
value for informations on the result.
- Time can be specified either as relative time or as absolute timestamp.
- Time will always be interpreted as UTC.
- Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer +
C([w | d | h | m | s]) (e.g. C(+32w1d2h), and ASN.1 TIME (i.e. pattern C(YYYYMMDDHHMMSSZ)).
Note that all timestamps will be treated as being in UTC.
type: dict
select_crypto_backend:
choices:
- auto
- cryptography
- pyopenssl
default: auto
description:
- Determines which crypto backend to use.
- The default choice is C(auto), which tries to use C(cryptography) if available,
and falls back to C(pyopenssl).
- If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/)
library.
- If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/)
library.
- Please note that the C(pyopenssl) backend has been deprecated in Ansible 2.9, and
will be removed in Ansible 2.13. From that point on, only the C(cryptography) backend
will be available.
type: str
authority_cert_issuer:
description:
- The certificate's authority cert issuer as a list of general names.
- Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
elements: str
returned: success and if the pyOpenSSL backend is I(not) used
sample: '[DNS:www.ansible.com, IP:1.2.3.4]'
type: list
version_added: '2.9'
version_added_collection: ansible.builtin
authority_cert_serial_number:
description:
- The certificate's authority cert serial number.
- Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
returned: success and if the pyOpenSSL backend is I(not) used
sample: '12345'
type: int
version_added: '2.9'
version_added_collection: ansible.builtin
authority_key_identifier:
description:
- The certificate's authority key identifier.
- The identifier is returned in hexadecimal, with C(:) used to separate bytes.
- Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
returned: success and if the pyOpenSSL backend is I(not) used
sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
type: str
version_added: '2.9'
version_added_collection: ansible.builtin
basic_constraints:
description: Entries in the C(basic_constraints) extension, or C(none) if extension
is not present.
elements: str
returned: success
sample: '[CA:TRUE, pathlen:1]'
type: list
basic_constraints_critical:
description: Whether the C(basic_constraints) extension is critical.
returned: success
type: bool
expired:
description: Whether the certificate is expired (i.e. C(notAfter) is in the past)
returned: success
type: bool
extended_key_usage:
description: Entries in the C(extended_key_usage) extension, or C(none) if extension
is not present.
elements: str
returned: success
sample: '[Biometric Info, DVCS, Time Stamping]'
type: list
extended_key_usage_critical:
description: Whether the C(extended_key_usage) extension is critical.
returned: success
type: bool
extensions_by_oid:
contains:
critical:
description: Whether the extension is critical.
returned: success
type: bool
value:
description: The Base64 encoded value (in DER format) of the extension
returned: success
sample: MAMCAQU=
type: str
description: Returns a dictionary for every extension OID
returned: success
sample: '{"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}'
type: dict
issuer:
description:
- The certificate's issuer.
- Note that for repeated values, only the last one will be returned.
returned: success
sample: '{"organizationName": "Ansible", "commonName": "ca.example.com"}'
type: dict
issuer_ordered:
description: The certificate's issuer as an ordered list of tuples.
elements: list
returned: success
sample: '[["organizationName", "Ansible"], ["commonName": "ca.example.com"]]'
type: list
version_added: '2.9'
version_added_collection: ansible.builtin
key_usage:
description: Entries in the C(key_usage) extension, or C(none) if extension is not
present.
returned: success
sample: '[Key Agreement, Data Encipherment]'
type: str
key_usage_critical:
description: Whether the C(key_usage) extension is critical.
returned: success
type: bool
not_after:
description: C(notAfter) date as ASN.1 TIME
returned: success
sample: 20190413202428Z
type: str
not_before:
description: C(notBefore) date as ASN.1 TIME
returned: success
sample: 20190331202428Z
type: str
ocsp_must_staple:
description: C(yes) if the OCSP Must Staple extension is present, C(none) otherwise.
returned: success
type: bool
ocsp_must_staple_critical:
description: Whether the C(ocsp_must_staple) extension is critical.
returned: success
type: bool
ocsp_uri:
description: The OCSP responder URI, if included in the certificate. Will be C(none)
if no OCSP responder URI is included.
returned: success
type: str
version_added: '2.9'
version_added_collection: ansible.builtin
public_key:
description: Certificate's public key in PEM format
returned: success
sample: '-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A...'
type: str
public_key_fingerprints:
description:
- Fingerprints of certificate's public key.
- For every hash algorithm available, the fingerprint is computed.
returned: success
sample: '{''sha256'': ''d4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63'',
''sha512'': ''f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1...'
type: dict
serial_number:
description: The certificate's serial number.
returned: success
sample: 1234
type: int
signature_algorithm:
description: The signature algorithm used to sign the certificate.
returned: success
sample: sha256WithRSAEncryption
type: str
subject:
description:
- The certificate's subject as a dictionary.
- Note that for repeated values, only the last one will be returned.
returned: success
sample: '{"commonName": "www.example.com", "emailAddress": "test@example.com"}'
type: dict
subject_alt_name:
description: Entries in the C(subject_alt_name) extension, or C(none) if extension
is not present.
elements: str
returned: success
sample: '[DNS:www.ansible.com, IP:1.2.3.4]'
type: list
subject_alt_name_critical:
description: Whether the C(subject_alt_name) extension is critical.
returned: success
type: bool
subject_key_identifier:
description:
- The certificate's subject key identifier.
- The identifier is returned in hexadecimal, with C(:) used to separate bytes.
- Is C(none) if the C(SubjectKeyIdentifier) extension is not present.
returned: success and if the pyOpenSSL backend is I(not) used
sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
type: str
version_added: '2.9'
version_added_collection: ansible.builtin
subject_ordered:
description: The certificate's subject as an ordered list of tuples.
elements: list
returned: success
sample: '[["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]'
type: list
version_added: '2.9'
version_added_collection: ansible.builtin
valid_at:
description: For every time stamp provided in the I(valid_at) option, a boolean
whether the certificate is valid at that point in time or not.
returned: success
type: dict
version:
description: The certificate version.
returned: success
sample: 3
type: int