Try SpotterProvide information for OpenSSL private keys
| "added in version" 2.8 of ansible.builtin"
Authors: Felix Fontein (@felixfontein), Yanis Guenane (@Spredzy)
preview | supported by community
pipInstall with pip install ansible==2.9.27
This module allows one to query information on OpenSSL private keys.
In case the key consistency checks fail, the module will fail as this indicates a faked private key. In this case, all return variables are still returned. Note that key consistency checks are not available all key types; if none is available, C(none) is returned for C(key_is_consistent).
It uses the pyOpenSSL or cryptography python library to interact with OpenSSL. If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements) cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with C(select_crypto_backend)). Please note that the PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in Ansible 2.13.
- name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
openssl_privatekey:
path: /etc/ssl/private/ansible.com.pem
- name: Get information on generated key
openssl_privatekey_info:
path: /etc/ssl/private/ansible.com.pem
register: result
- name: Dump information
debug:
var: result
path:
description:
- Remote absolute path where the private key file is loaded from.
required: true
type: path
passphrase:
description:
- The passphrase for the private key.
type: str
select_crypto_backend:
choices:
- auto
- cryptography
- pyopenssl
default: auto
description:
- Determines which crypto backend to use.
- The default choice is C(auto), which tries to use C(cryptography) if available,
and falls back to C(pyopenssl).
- If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/)
library.
- If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/)
library.
- Please note that the C(pyopenssl) backend has been deprecated in Ansible 2.9, and
will be removed in Ansible 2.13. From that point on, only the C(cryptography) backend
will be available.
type: str
return_private_key_data:
default: false
description:
- Whether to return private key data.
- Only set this to C(yes) when you want private information about this key to leave
the remote machine.
- 'WARNING: you have to make sure that private key data isn''t accidentally logged!'
type: bool
can_load_key:
description: Whether the module was able to load the private key from disk
returned: always
type: bool
can_parse_key:
description: Whether the module was able to parse the private key
returned: always
type: bool
key_is_consistent:
description:
- Whether the key is consistent. Can also return C(none) next to C(yes) and C(no),
to indicate that consistency couldn't be checked.
- In case the check returns C(no), the module will fail.
returned: always
type: bool
private_data:
description:
- Private key data. Depends on key type.
returned: success and when I(return_private_key_data) is set to C(yes)
type: dict
public_data:
description:
- Public key data. Depends on key type.
returned: success
type: dict
public_key:
description: Private key's public key in PEM format
returned: success
sample: '-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A...'
type: str
public_key_fingerprints:
description:
- Fingerprints of private key's public key.
- For every hash algorithm available, the fingerprint is computed.
returned: success
sample: '{''sha256'': ''d4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63'',
''sha512'': ''f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1...'
type: dict
type:
description:
- The key's type.
- One of C(RSA), C(DSA), C(ECC), C(Ed25519), C(X25519), C(Ed448), or C(X448).
- Will start with C(unknown) if the key type cannot be determined.
returned: success
sample: RSA
type: str