evertrust.horizon.horizon_enroll (1.3.0) — module

Horizon enrollment plugin

Authors: Evertrust R&D (@EverTrust)

This plugin has a corresponding action plugin.

Install collection

Install with ansible-galaxy collection install evertrust.horizon:==1.3.0


Add to requirements.yml

  # Pins the collection to the release this page documents.
  collections:
    - name: evertrust.horizon
      version: '1.3.0'

Description

Performs an enrollment against the Horizon API.


Requirements

Usage examples

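# x_api_key and password are secrets, and the module returns private key
# material (key, p12, p12_password): no_log keeps both out of console output
# and log files. Register the result if the returned values are needed.
- name: Enrolling a certificate in a centralized way
  no_log: true
  evertrust.horizon.horizon_enroll:
    endpoint: "https://<horizon-endpoint>"
    x_api_id: "<horizon-id>"
    x_api_key: "<horizon-password>"
    mode: "centralized"
    password: "examplePassword"
    key_type: "rsa-2048"
    profile: "exampleProfile"
    subject:
      cn.1: "exampleCN"
    sans:
      dnsname: "exampleDnsname"
    labels:
      snow_id: "value1"
      exp_tech: "value2"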
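# x_api_key and password are secrets; no_log keeps them, and any key material
# the module returns, out of console output and log files. The CSR is passed
# inline as a literal block scalar (see the next example for a file path).
- name: Enrolling a certificate in a decentralized way with a CSR
  no_log: true
  evertrust.horizon.horizon_enroll:
    endpoint: "https://<horizon-endpoint>"
    x_api_id: "<horizon-id>"
    x_api_key: "<horizon-password>"
    mode: "decentralized"
    csr: |
      -----BEGIN CERTIFICATE REQUEST-----
      // Content
      -----END CERTIFICATE REQUEST-----
    password: "examplePassword"
    key_type: "rsa-2048"
    profile: "exampleProfile"
    subject:
      cn.1: "exampleCN"
      ou.1: "exampleFirstOU"
      ou.2: "exampleSecondOU"
    sans:
      dnsname:
        - "exampleDnsName1"
        - "exampleDnsName2"
    labels:
      snow_id: "value1"
      exp_tech: "value2"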
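# x_api_key and password are secrets; no_log keeps them, and any key material
# the module returns, out of console output and log files. The trailing space
# after `csr:` in the original example is dropped (yamllint trailing-spaces).
- name: Enrolling a certificate in a decentralized way with csr path
  no_log: true
  evertrust.horizon.horizon_enroll:
    endpoint: "https://<horizon-endpoint>"
    x_api_id: "<horizon-id>"
    x_api_key: "<horizon-password>"
    mode: "decentralized"
    csr:
      src: "/the/path/to/my/CSR.csr"
    password: "examplePassword"
    key_type: "rsa-2048"
    profile: "exampleProfile"
    subject:
      cn.1: "exampleCN"
      ou:
        - "exampleFirstOU"
        - "exampleSecondOU"
    sans:
      dnsname: "exampleDnsName"
    labels:
      label1: "value1"
      label2: "value2"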

Inputs

    
csr:
    # NOTE(review): `type: str` is combined with `suboptions`, which Ansible
    # normally attaches to dict-typed options; the examples above pass csr both
    # as a PEM string and as a mapping with `src` — confirm which type the
    # module's argument spec actually declares.
    description:
    - A certificate signing request, or the path to the CSR file.
    - If none is provided, one will be generated on-the-fly.
    type: str
    required: false
    suboptions:
      src:
        description: The path to a CSR file
        type: path
        required: false

mode:
    # Left unset, the Horizon profile configuration decides; the examples on
    # this page pair "decentralized" with a caller-supplied CSR.
    description:
    - Enrollment mode.
    - If empty, will be inferred from the Horizon certificate profile configuration.
    type: str
    required: false
    choices:
    - centralized
    - decentralized

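sans:
    # Each key maps to a single value or to a list; both forms appear in the
    # examples above (dnsname as a scalar and as a list).
    description:
    - Certificate's subject alternative names (SANs).
    - 'Authorized keys are: [dnsname, rfc822name, ipaddress, othername_upn, othername_guid,
      uri].'
    required: false
    type: dict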

team:
    # Team reference; the `team` field under Outputs describes how Horizon uses it.
    description: Certificate's team.
    type: str
    required: false

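owner:
    # See the `owner` field under Outputs: a reference to a local identity identifier.
    description: Certificate's owner.
    required: false
    type: str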

labels:
    # Key/value pairs attached to the certificate (the examples above use
    # snow_id and exp_tech).
    description: Certificate's labels.
    type: dict
    required: false

profile:
    # Mandatory; when `mode` is omitted it is inferred from this profile's
    # configuration.
    description: Name of the profile that will be used to enroll the certificate.
    type: str
    required: true

subject:
    # The examples above use indexed RDN keys (cn.1, ou.1, ou.2) and also an
    # `ou` list; which other forms the module accepts is not documented here.
    description:
    - Certificate's subject.
    - You can either give the description of the subject, or the full DN.
    - If you give the dn, other values won't be used.
    type: dict
    required: true

endpoint:
    # Base URL only, e.g. https://<horizon-endpoint> as in the examples; pair it
    # with ca_bundle when the instance certificate is not issued by a CA the
    # host running the module already trusts.
    description:
    - Your Horizon instance base endpoint.
    - It must include the protocol (https://) and no trailing slash nor path.
    type: str
    required: true

key_type:
    # Required in every mode; all three examples above set it, including the
    # two that supply a CSR.
    description: Key type
    type: str
    required: true
    choices:
    - rsa-2048
    - rsa-3072
    - rsa-4096
    - ec-secp256r1
    - ec-secp384r1

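password:
    # Secret: run the task with no_log and source the value from a vaulted
    # variable or lookup rather than a playbook literal.
    description:
    - Security password for the certificate.
    - Password policies will be applied to check validity.
    - Required only if the enrollment is centralized and the password generation mode
      is not random.
    required: false
    type: str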

x_api_id:
    # Credentials authentication is x_api_id + x_api_key; the alternative is
    # client_cert + client_key (certificate based authentication).
    description:
    - Horizon identifier
    - Required if you use credentials authentication
    type: str
    required: false

ca_bundle:
    # Leave unset only when the instance certificate chains to a CA the host
    # running the module already trusts.
    description:
    - Path of a CA bundle used to validate the Horizon instance SSL certificate.
    type: path
    required: false

x_api_key:
    # Secret (this is the API password): never commit a literal; use a vaulted
    # variable and set no_log on the task.
    description:
    - Horizon password
    - Required if you use credentials authentication
    type: str
    required: false

client_key:
    # Private key file for certificate based authentication; keep it readable
    # only by the account that runs the module.
    description:
    - Path of a client certificate's key.
    - Required if you use certificate based authentication
    type: path
    required: false

client_cert:
    # Counterpart of client_key: the pair selects certificate based
    # authentication instead of x_api_id / x_api_key.
    description:
    - Path of a client certificate.
    - Required if you use certificate based authentication
    type: path
    required: false

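contact_email:
    # Defaults to the requester's address; see `certificate.contactEmail` under
    # Outputs for what Horizon sends to it.
    description:
    - Certificate's contact email.
    - Default value will be the requester contact email address.
    required: false
    type: str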

Outputs

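# Return spec for the enrolled certificate object. Field types use Ansible's
# `str` name throughout (the page mixed in `string`). NOTE(review):
# `returned: Always` at the bottom conflicts with the description's "only
# available after the request has been approved" — confirm which is current.
certificate:
  contains:
    _id:
      description: Horizon internal ID.
      returned: If specifically requested
      type: str
    certificate:
      description: The certificate's PEM-encoded content.
      returned: If specifically requested
      type: str
    contactEmail:
      description: The certificate's contact email. It will be used to send notifications
        about the certificate's expiration and revocation.
      returned: If specifically requested
      type: str
    crlSynchronized:
      description: Whether the certificate's revocation status is synchronized with
        a CRL.
      returned: If present and specifically requested
      type: bool
    discoveredTrusted:
      description: If the certificate was discovered and is found to be issued by
        an existing trusted CA, this field will be set to true. If the certificate
        was discovered and is not found to be issued by an existing trusted CA, this
        field will be set to false. If the certificate was not discovered, this field
        will be null.
      returned: If present and specifically requested
      type: bool
    discoveryData:
      contains:
        hostnames:
          description: The certificate's host hostnames (netscan only).
          elements: str
          returned: If present
          type: list
        ip:
          description: The certificate's host IP.
          returned: Always
          type: str
        operatingSystems:
          description: The certificate's host operating system (localscan only).
          elements: str
          returned: If present
          type: list
        paths:
          description: The path to the certificate on the host machine (localscan
            only).
          elements: str
          returned: If present
          type: list
        sources:
          description: Information on the type of discovery that discovered this certificate.
          elements: str
          returned: Always
          type: list
        tlsPorts:
          contains:
            port:
              description: The number of the port.
              returned: Always
              type: int
            version:
              description: Protocol version used.
              returned: Always
              type: str
          description: The ports on which the certificate is exposed for https connection.
          elements: dict
          returned: If present
          type: list
        usages:
          description: The path of the configuration files that were used to find
            the certificates.
          elements: str
          returned: If present
          type: list
      description: A list of metadata containing information on where the certificate
        was discovered.
      elements: dict
      returned: Only if the certificate was discovered
      type: list
    discoveryInfo:
      contains:
        campaign:
          description: The discovery campaign's name.
          returned: Always
          type: str
        identifier:
          description: Identifier of the user that discovered this certificate.
          returned: If present
          type: str
        lastDiscoveryDate:
          description: When this certificate was discovered for the last time.
          returned: Always
          type: int
      description: A list of metadata containing information on how and when the certificate
        was discovered.
      elements: dict
      returned: If present and specifically requested
      type: list
    dn:
      description: The certificate's Distinguished Name.
      returned: If specifically requested
      type: str
    extensions:
      contains:
        key:
          description: The extension's type.
          returned: Always
          type: str
        value:
          description: The extension's value.
          returned: Always
          type: str
      description: The certificate's extensions.
      elements: dict
      returned: If present and specifically requested
      type: list
    grades:
      contains:
        grade:
          description: The grade awarded by the grading policy.
          returned: Always
          type: str
        name:
          description: The name of the grading policy.
          returned: Always
          type: str
      description: The certificate's grades for the enabled grading policies.
      elements: dict
      returned: If specifically requested
      type: list
    holderId:
      description: The certificate's holder ID. This is a computed field that is used
        to count how many similar certificates are in use simultaneously by the same
        holder.
      returned: If specifically requested
      type: str
    issuer:
      description: The certificate's issuer Distinguished Name.
      returned: If specifically requested
      type: str
    keyType:
      description: The certificate's key type.
      returned: If specifically requested
      type: str
    labels:
      contains:
        key:
          description: The label's name.
          returned: Always
          type: str
        value:
          description: The label's value.
          returned: Always
          type: str
      description: The certificate's labels.
      elements: dict
      returned: If present and specifically requested
      type: list
    metadata:
      contains:
        key:
          description: The metadata name.
          returned: Always
          type: str
        value:
          description: The metadata value.
          returned: Always
          type: str
      description: The certificate's technical metadata used internally.
      elements: dict
      returned: If specifically requested
      type: list
    module:
      description: The certificate's module.
      returned: If specifically requested
      type: str
    notAfter:
      description: The certificate's expiration date in milliseconds since the epoch.
      returned: If specifically requested
      type: int
    notBefore:
      description: The certificate's start date in milliseconds since the epoch.
      returned: If specifically requested
      type: int
    owner:
      description: The certificate's owner. This is a reference to a local identity
        identifier.
      returned: If specifically requested
      type: str
    profile:
      description: The certificate's profile.
      returned: If present and specifically requested
      type: str
    publicKeyThumbprint:
      description: The certificate's public key thumbprint.
      returned: If specifically requested
      type: str
    revocationDate:
      description: The certificate's revocation date in milliseconds since the epoch.
        This field is only present if the certificate is revoked.
      returned: If present and specifically requested
      type: int
    revocationReason:
      description: The certificate's revocation reason.
      returned: If specifically requested
      type: str
    revoked:
      description: Whether the certificate is revoked.
      returned: If present and specifically requested
      type: bool
    selfSigned:
      description: Whether the certificate is self-signed.
      returned: If specifically requested
      type: bool
    serial:
      description: The certificate's serial number.
      returned: If present and specifically requested
      type: str
    signingAlgorithm:
      description: The certificate's signing algorithm.
      returned: If specifically requested
      type: str
    subjectAlternateNames:
      contains:
        sanType:
          description: The type of the SAN.
          returned: Always
          type: str
        value:
          description: The value of the SAN.
          returned: Always
          type: str
      description: The certificate's Subject Alternate Names.
      elements: dict
      returned: If specifically requested
      type: list
    team:
      description: The certificate's team. This is a reference to a team identifier.
        It will be used to determine the certificate's permissions and send notifications.
      returned: If specifically requested
      type: str
    thirdPartyData:
      contains:
        connector:
          description: The third party connector name on which this certificate is
            synchronized.
          returned: Always
          type: str
        fingerprint:
          description: The fingerprint of this certificate on the third party.
          returned: If present
          type: str
        id:
          description: The ID of this certificate on the third party.
          returned: Always
          type: str
        pushDate:
          description: The date when the certificate was pushed to this third party.
          returned: If present
          type: int
        removeDate:
          description: The date when the certificate was removed from this third party
            (in case of revocation).
          returned: If present
          type: int
      description: The certificate's information about synchronization with Horizon
        supported third parties.
      elements: dict
      returned: If present and specifically requested
      type: list
    thumbprint:
      description: The certificate's thumbprint.
      returned: If specifically requested
      type: str
    triggerResults:
      contains:
        detail:
          description: Contains details on this trigger's execution.
          returned: If present
          type: str
        event:
          description: The event that triggered the trigger.
          returned: Always
          type: str
        lastExecutionDate:
          description: The last time this trigger was executed for this certificate
            and this event.
          returned: Always
          type: int
        name:
          description: The name of the trigger that was executed.
          returned: Always
          type: str
        nextDelay:
          description: Time that will be waited between the next and the next+1 execution
            of this trigger.
          returned: If present
          type: str
        nextExecutionDate:
          description: The next scheduled execution time for this trigger.
          returned: If present
          type: int
        retries:
          description: The number of remaining tries before the trigger is abandoned.
          returned: If present
          type: int
        retryable:
          description: Is this trigger manually retryable.
          returned: Always
          type: bool
        status:
          description: The status of the trigger after its execution.
          returned: Always
          type: str
        triggerType:
          description: The type of the trigger.
          returned: Always
          type: str
      description: The result of the execution of triggers on this certificate.
      elements: dict
      returned: If present and specifically requested
      type: list
  description: The certificate that was generated for this request. This is only available
    after the request has been approved.
  returned: Always
  type: dict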
chain:
  # Presumably PEM like `certificate.certificate` above — the page does not
  # state the encoding.
  description: Certificate's trust chain.
  type: str
  returned: Always
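key:
  # Private key material: treat the registered result as sensitive, run the
  # task with no_log, and do not echo it with debug.
  description: Certificate's private key.
  returned: If enrollment mode is "centralized" or if a key pair was generated on-the-fly
  type: str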
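p12:
  # A PKCS#12 archive carries the private key; handle it exactly like `key`
  # (no_log, no debug output), and its password like `p12_password`.
  description: Base64-encoded PKCS#12
  returned: If enrollment mode is "centralized" or if a key pair was generated on-the-fly
  type: str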
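p12_password:
  # Secret protecting `p12`; returned under the same conditions and needing
  # the same handling.
  description: PKCS#12 password
  returned: If enrollment mode is "centralized" or if a key pair was generated on-the-fly
  type: str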