community.crypto.x509_crl_info (2.18.0) — module

Retrieve information on Certificate Revocation Lists (CRLs)

Added in version 1.0.0 of community.crypto

Authors: Felix Fontein (@felixfontein)

Install collection

Install with ansible-galaxy collection install community.crypto:==2.18.0


Add to requirements.yml

  collections:
    - name: community.crypto
      version: 2.18.0

Description

This module allows one to retrieve information on Certificate Revocation Lists (CRLs).


Requirements

Usage examples

- name: Get information on CRL
  community.crypto.x509_crl_info:
    path: /etc/ssl/my-ca.crl
  register: result
- name: Print the information
  ansible.builtin.debug:
    msg: "{{ result }}"
- name: Get information on CRL without list of revoked certificates
  community.crypto.x509_crl_info:
    path: /etc/ssl/very-large.crl
    list_revoked_certificates: false
  register: result

Inputs

path:
    description:
    - Remote absolute path where the generated CRL file should be created or is already
      located.
    - Either O(path) or O(content) must be specified, but not both.
    type: path

content:
    description:
    - Content of the X.509 CRL in PEM format, or Base64-encoded X.509 CRL.
    - Either O(path) or O(content) must be specified, but not both.
    type: str

name_encoding:
    choices:
    - ignore
    - idna
    - unicode
    default: ignore
    description:
    - How to encode names (DNS names, URIs, email addresses) in return values.
    - V(ignore) will use the encoding returned by the backend.
    - V(idna) will convert all labels of domain names to IDNA encoding. IDNA2008 will
      be preferred, and IDNA2003 will be used if IDNA2008 encoding fails.
    - V(unicode) will convert all labels of domain names to Unicode. IDNA2008 will be
      preferred, and IDNA2003 will be used if IDNA2008 decoding fails.
    - B(Note) that V(idna) and V(unicode) require the L(idna Python library,https://pypi.org/project/idna/)
      to be installed.
    type: str

list_revoked_certificates:
    default: true
    description:
    - If set to V(false), the list of revoked certificates is not included in the result.
    - This is useful when retrieving information on large CRL files. Enumerating all revoked
      certificates can take some time, including serializing the result as JSON, sending
      it to the Ansible controller, and decoding it again.
    type: bool
    version_added: 1.7.0
    version_added_collection: community.crypto
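The following is an added example, not code from the community.crypto collection, showing what the three name_encoding choices above do to a name of the form used in this module's return values (for instance the DNS:ca.example.org sample under revoked_certificates). It follows the documented preference order: IDNA2008 via the optional idna library from PyPI, with IDNA2003 (Python's built-in idna codec) as the fallback when IDNA2008 encoding or decoding fails, or when the library is not installed. The function names and the sample names are this example's own.

```python
"""Added example (not part of community.crypto): apply the module's
name_encoding choices ('ignore', 'idna', 'unicode') to a 'kind:value' name.

IDNA2008 comes from the optional "idna" PyPI library; IDNA2003 from Python's
built-in "idna" codec is the fallback when IDNA2008 fails or the library is
missing. Function names and sample names are this example's own.
"""

try:
    import idna  # IDNA2008, https://pypi.org/project/idna/ (optional here)
except ImportError:
    idna = None


def _to_idna(domain: str) -> str:
    """A-label (punycode, 'xn--') form of every label of a domain name."""
    if idna is not None:
        try:
            return idna.encode(domain).decode("ascii")  # IDNA2008 preferred
        except idna.IDNAError:
            pass  # e.g. an uppercase non-ASCII letter is invalid in IDNA2008
    return domain.encode("idna").decode("ascii")  # IDNA2003 (stdlib codec)


def _to_unicode(domain: str) -> str:
    """U-label (Unicode) form of every label of a domain name."""
    if idna is not None:
        try:
            return idna.decode(domain)  # IDNA2008 preferred
        except idna.IDNAError:
            pass
    # IDNA2003: normalise to A-labels first, then decode them back to Unicode
    return domain.encode("idna").decode("idna")


def encode_name(name: str, name_encoding: str = "ignore") -> str:
    """Apply name_encoding to one 'kind:value' name.

    Only DNS names and the domain part of email addresses carry labels to
    convert; other kinds (IP, ...) and names without a prefix pass through."""
    if name_encoding == "ignore":
        return name  # whatever the backend returned
    if name_encoding not in ("idna", "unicode"):
        raise ValueError(f"unsupported name_encoding: {name_encoding!r}")
    convert = _to_idna if name_encoding == "idna" else _to_unicode

    kind, sep, value = name.partition(":")
    if not sep:
        return name
    if kind == "DNS":
        return f"DNS:{convert(value)}"
    if kind == "email":
        local, at, domain = value.rpartition("@")
        return f"email:{local}{at}{convert(domain)}" if at else name
    return name


def encode_names(names: list, name_encoding: str = "ignore") -> list:
    """Convenience wrapper for a list such as the documented issuer field."""
    return [encode_name(n, name_encoding) for n in names]


if __name__ == "__main__":
    # Constructed sample names, including one that IDNA2008 rejects (uppercase
    # non-ASCII letter) so that the IDNA2003 fallback is exercised.
    sample = ["DNS:ca.example.org", "DNS:B\u00fccher.example",
              "email:admin@b\u00fccher.example", "IP:192.0.2.1"]
    for mode in ("ignore", "idna", "unicode"):
        print(mode, encode_names(sample, mode))
```

With V(ignore) the name is passed through untouched, so a CRL issued with mixed-case or already-punycoded labels is returned exactly as the backend parsed it; V(idna) is the choice to use when comparing names against other sources that store A-labels, and V(unicode) when presenting them to people.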

Outputs

digest:
  description: The signature algorithm used to sign the CRL.
  returned: success
  sample: sha256WithRSAEncryption
  type: str
format:
  choices:
  - pem
  - der
  description:
  - Whether the CRL is in PEM format (V(pem)) or in DER format (V(der)).
  returned: success
  sample: pem
  type: str
issuer:
  description:
  - The CRL's issuer.
  - Note that for repeated values, only the last one will be returned.
  - See O(name_encoding) for how IDNs are handled.
  returned: success
  sample:
    commonName: ca.example.com
    organizationName: Ansible
  type: dict
issuer_ordered:
  description: The CRL's issuer as an ordered list of tuples.
  elements: list
  returned: success
  sample:
  - - organizationName
    - Ansible
  - - commonName
    - ca.example.com
  type: list
last_update:
  description: The point in time from which this CRL can be trusted as ASN.1 TIME.
  returned: success
  sample: 20190413202428Z
  type: str
next_update:
  description: The point in time from which a new CRL will be issued and the client
    has to check for it as ASN.1 TIME.
  returned: success
  sample: 20190413202428Z
  type: str
revoked_certificates:
  contains:
    invalidity_date:
      description:
      - The point in time it was known/suspected that the private key was compromised
        or that the certificate otherwise became invalid as ASN.1 TIME.
      sample: 20190413202428Z
      type: str
    invalidity_date_critical:
      description: Whether the invalidity date extension is critical.
      sample: false
      type: bool
    issuer:
      description:
      - The certificate's issuer.
      - See O(name_encoding) for how IDNs are handled.
      elements: str
      sample:
      - DNS:ca.example.org
      type: list
    issuer_critical:
      description: Whether the certificate issuer extension is critical.
      sample: false
      type: bool
    reason:
      choices:
      - unspecified
      - key_compromise
      - ca_compromise
      - affiliation_changed
      - superseded
      - cessation_of_operation
      - certificate_hold
      - privilege_withdrawn
      - aa_compromise
      - remove_from_crl
      description:
      - The value for the revocation reason extension.
      sample: key_compromise
      type: str
    reason_critical:
      description: Whether the revocation reason extension is critical.
      sample: false
      type: bool
    revocation_date:
      description: The point in time the certificate was revoked as ASN.1 TIME.
      sample: 20190413202428Z
      type: str
    serial_number:
      description:
      - Serial number of the certificate.
      - This return value is an B(integer). If you need the serial numbers as a colon-separated
        hex string, such as C(11:22:33), you need to convert it to that form with
        P(community.crypto.to_serial#filter).
      sample: 1234
      type: int
  description: List of revoked certificates.
  elements: dict
  returned: success if O(list_revoked_certificates=true)
  type: list
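The following is an added example, not code from the community.crypto collection, that acts on the return values documented above once a play has registered them (the result dict of a community.crypto.x509_crl_info task). It parses the ASN.1 TIME strings, classifies the current time against last_update/next_update, renders issuer_ordered as an RFC 4514 style string (which the unordered issuer dict cannot do), converts an integer serial_number to the colon-separated hex form the to_serial filter note refers to (a stand-in here, not the filter's own code), and looks up a serial among revoked_certificates while treating a result obtained with list_revoked_certificates=false, where that key is absent, as "unknown" rather than "not revoked". SAMPLE_RESULT is constructed from the samples on this page, with next_update moved a month ahead so the validity window is not empty; helper names are this example's own.

```python
"""Added example (not part of community.crypto): act on the documented return
values of community.crypto.x509_crl_info. SAMPLE_RESULT is constructed from
the samples on the page; helper names are this example's own.
"""
from datetime import datetime, timezone
from typing import Optional

SAMPLE_RESULT = {
    "digest": "sha256WithRSAEncryption",
    "format": "pem",
    "issuer": {"commonName": "ca.example.com", "organizationName": "Ansible"},
    "issuer_ordered": [["organizationName", "Ansible"],
                       ["commonName", "ca.example.com"]],
    "last_update": "20190413202428Z",
    "next_update": "20190513202428Z",  # constructed: one month after last_update
    "revoked_certificates": [
        {"serial_number": 1234, "revocation_date": "20190413202428Z",
         "reason": "key_compromise", "reason_critical": False},
        {"serial_number": 1122867, "revocation_date": "20190401000000Z",
         "reason": None, "reason_critical": False},
    ],
}


def parse_asn1_time(value: str) -> datetime:
    """The return values use ASN.1 GeneralizedTime in UTC: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def to_serial(serial: int) -> str:
    """Colon-separated hex form of an integer serial (1122867 -> '11:22:33').

    Stand-in for the documented community.crypto.to_serial filter; the filter's
    own output (e.g. letter case) is not reproduced from its code here."""
    digits = f"{serial:X}"
    if len(digits) % 2:
        digits = "0" + digits  # keep whole bytes
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
          "organizationName": "O", "organizationalUnitName": "OU",
          "commonName": "CN"}


def render_issuer(result: dict) -> str:
    """RFC 4514 style string from issuer_ordered. RFC 4514 lists the most
    specific RDN first, so the ordered list is reversed."""
    return ",".join(f"{_SHORT.get(k, k)}={v}"
                    for k, v in reversed(result["issuer_ordered"]))


def crl_window(result: dict, now: datetime) -> dict:
    """Classify 'now' against last_update/next_update.

    A CRL past next_update must not be relied upon: a fresh one is due."""
    last = parse_asn1_time(result["last_update"])
    nxt = parse_asn1_time(result["next_update"])
    return {
        "not_yet_valid": now < last,
        "current": last <= now < nxt,
        "stale": now >= nxt,
        "issuer": render_issuer(result),
    }


def revocation_of(result: dict, serial: int) -> Optional[dict]:
    """Return the revoked entry for 'serial', or None if it is not listed.

    Raises ValueError when the result lacks revoked_certificates, which is the
    case for a run with list_revoked_certificates=false: absence of the key
    must not be read as 'not revoked'."""
    if "revoked_certificates" not in result:
        raise ValueError("revoked_certificates missing: re-run the module with "
                         "list_revoked_certificates=true")
    for entry in result["revoked_certificates"]:
        if entry["serial_number"] == serial:
            return entry
    return None


def check_serial(result: dict, serial: int) -> str:
    """'revoked', 'not_revoked' or 'unknown' (list not included in the result)."""
    try:
        return "revoked" if revocation_of(result, serial) else "not_revoked"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    now = datetime(2019, 4, 20, tzinfo=timezone.utc)  # constructed clock
    print(crl_window(SAMPLE_RESULT, now))
    hit = revocation_of(SAMPLE_RESULT, 1234)
    print(to_serial(1234), hit["reason"], hit["revocation_date"])
```

The same logic fits in a play as an ansible.builtin.assert over the registered result; the point to carry over is the three-way outcome of check_serial: when the module ran with list_revoked_certificates=false, the absence of revoked_certificates says nothing about any certificate's status.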

See also