Try SpotterLocal keys and certificates in Fortinet's FortiOS and FortiGate.
| "added in version" 2.0.0 of fortinet.fortios"
Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
Install with ansible-galaxy collection install fortinet.fortios:==2.3.6
collections:
- name: fortinet.fortios
version: 2.3.6This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify certificate feature and local category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
- name: Local keys and certificates.
fortinet.fortios.fortios_certificate_local:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
certificate_local:
acme_ca_url: "<your_own_value>"
acme_domain: "<your_own_value>"
acme_email: "<your_own_value>"
acme_renew_window: "30"
acme_rsa_key_size: "2048"
auto_regenerate_days: "0"
auto_regenerate_days_warning: "0"
ca_identifier: "myId_10"
certificate: "<your_own_value>"
cmp_path: "<your_own_value>"
cmp_regeneration_method: "keyupate"
cmp_server: "<your_own_value>"
cmp_server_cert: "<your_own_value> (source certificate.ca.name certificate.remote.name)"
comments: "<your_own_value>"
csr: "<your_own_value>"
enroll_protocol: "none"
est_ca_id: "<your_own_value>"
est_client_cert: "<your_own_value> (source certificate.local.name)"
est_http_password: "<your_own_value>"
est_http_username: "<your_own_value>"
est_server: "<your_own_value>"
est_server_cert: "<your_own_value> (source certificate.ca.name certificate.remote.name)"
est_srp_password: "<your_own_value>"
est_srp_username: "<your_own_value>"
ike_localid: "<your_own_value>"
ike_localid_type: "asn1dn"
last_updated: "2147483647"
name: "default_name_30"
name_encoding: "printable"
password: "<your_own_value>"
private_key: "<your_own_value>"
private_key_retain: "enable"
range: "global"
scep_password: "<your_own_value>"
scep_url: "<your_own_value>"
source: "factory"
source_ip: "84.230.14.43"
state: "<your_own_value>"
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
type: str
state:
choices:
- present
- absent
description:
- Indicates whether to create or remove the object.
required: true
type: str
enable_log:
default: false
description:
- Enable/Disable logging for task.
required: false
type: bool
member_path:
description:
- Member attribute path to operate on.
- Delimited by a slash character if there are more than one attribute.
- Parameter marked with member_path is legitimate for doing member operation.
type: str
access_token:
description:
- Token-based authentication. Generated from GUI of Fortigate.
required: false
type: str
member_state:
choices:
- present
- absent
description:
- Add or delete a member under specified attribute path.
- When member_state is specified, the state option is ignored.
type: str
certificate_local:
default: null
description:
- Local keys and certificates.
suboptions:
acme_ca_url:
description:
- The URL for the ACME CA server (Let"s Encrypt is the ).
type: str
acme_domain:
description:
- A valid domain that resolves to this FortiGate unit.
type: str
acme_email:
description:
- Contact email address that is required by some CAs like LetsEncrypt.
type: str
acme_renew_window:
description:
- Beginning of the renewal window (in days before certificate expiration, 30 by
default).
type: int
acme_rsa_key_size:
description:
- Length of the RSA private key of the generated cert (Minimum 2048 bits).
type: int
auto_regenerate_days:
description:
- Number of days to wait before expiry of an updated local certificate is requested
(0 = disabled).
type: int
auto_regenerate_days_warning:
description:
- Number of days to wait before an expiry warning message is generated (0 = disabled).
type: int
ca_identifier:
description:
- CA identifier of the CA server for signing via SCEP.
type: str
certificate:
description:
- PEM format certificate.
type: str
cmp_path:
description:
- Path location inside CMP server.
type: str
cmp_regeneration_method:
choices:
- keyupate
- renewal
description:
- CMP auto-regeneration method.
type: str
cmp_server:
description:
- Address and port for CMP server (format = address:port).
type: str
cmp_server_cert:
description:
- CMP server certificate. Source certificate.ca.name certificate.remote.name.
type: str
comments:
description:
- Comment.
type: str
csr:
description:
- Certificate Signing Request.
type: str
enroll_protocol:
choices:
- none
- scep
- cmpv2
- acme2
- est
description:
- Certificate enrollment protocol.
type: str
est_ca_id:
description:
- CA identifier of the CA server for signing via EST.
type: str
est_client_cert:
description:
- Certificate used to authenticate this FortiGate to EST server. Source certificate.local.name.
type: str
est_http_password:
description:
- HTTP Authentication password for signing via EST.
type: str
est_http_username:
description:
- HTTP Authentication username for signing via EST.
type: str
est_server:
description:
- Address and port for EST server (e.g. https://example.com:1234).
type: str
est_server_cert:
description:
- EST server"s certificate must be verifiable by this certificate to be authenticated.
Source certificate.ca.name certificate.remote.name.
type: str
est_srp_password:
description:
- EST SRP authentication password.
type: str
est_srp_username:
description:
- EST SRP authentication username.
type: str
ike_localid:
description:
- Local ID the FortiGate uses for authentication as a VPN client.
type: str
ike_localid_type:
choices:
- asn1dn
- fqdn
description:
- IKE local ID type.
type: str
last_updated:
description:
- Time at which certificate was last updated.
type: int
name:
description:
- Name.
required: true
type: str
name_encoding:
choices:
- printable
- utf8
description:
- Name encoding method for auto-regeneration.
type: str
password:
description:
- Password as a PEM file.
type: str
private_key:
description:
- PEM format key encrypted with a password.
type: str
private_key_retain:
choices:
- enable
- disable
description:
- Enable/disable retention of private key during SCEP renewal .
type: str
range:
choices:
- global
- vdom
description:
- Either a global or VDOM IP address range for the certificate.
type: str
scep_password:
description:
- SCEP server challenge password for auto-regeneration.
type: str
scep_url:
description:
- SCEP server URL.
type: str
source:
choices:
- factory
- user
- bundle
description:
- Certificate source type.
type: str
source_ip:
description:
- Source IP address for communications to the SCEP server.
type: str
state:
description:
- Certificate Signing Request State.
type: str
type: dict
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str