fortinet / fortinet.fortios / 2.3.6 / module / fortios_vpn_certificate_setting VPN certificate setting in Fortinet's FortiOS and FortiGate. | "added in version" 2.0.0 of fortinet.fortios" Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico) preview | supported by communityfortinet.fortios.fortios_vpn_certificate_setting (2.3.6) — module
Install with ansible-galaxy collection install fortinet.fortios:==2.3.6
collections: - name: fortinet.fortios version: 2.3.6
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_certificate feature and setting category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
- name: VPN certificate setting. fortinet.fortios.fortios_vpn_certificate_setting: vdom: "{{ vdom }}" vpn_certificate_setting: cert_expire_warning: "14" certname_dsa1024: "<your_own_value> (source vpn.certificate.local.name)" certname_dsa2048: "<your_own_value> (source vpn.certificate.local.name)" certname_ecdsa256: "<your_own_value> (source vpn.certificate.local.name)" certname_ecdsa384: "<your_own_value> (source vpn.certificate.local.name)" certname_ecdsa521: "<your_own_value> (source vpn.certificate.local.name)" certname_ed25519: "<your_own_value> (source vpn.certificate.local.name)" certname_ed448: "<your_own_value> (source vpn.certificate.local.name)" certname_rsa1024: "<your_own_value> (source vpn.certificate.local.name)" certname_rsa2048: "<your_own_value> (source vpn.certificate.local.name)" certname_rsa4096: "<your_own_value> (source vpn.certificate.local.name)" check_ca_cert: "enable" check_ca_chain: "enable" cmp_key_usage_checking: "enable" cmp_save_extra_certs: "enable" cn_allow_multi: "disable" cn_match: "substring" crl_verification: chain_crl_absence: "ignore" expiry: "ignore" leaf_crl_absence: "ignore" interface: "<your_own_value> (source system.interface.name)" interface_select_method: "auto" ocsp_default_server: "<your_own_value> (source vpn.certificate.ocsp-server.name)" ocsp_option: "certificate" ocsp_status: "enable" proxy: "<your_own_value>" proxy_password: "<your_own_value>" proxy_port: "8080" proxy_username: "<your_own_value>" source_ip: "84.230.14.43" ssl_min_proto_version: "default" ssl_ocsp_option: "certificate" ssl_ocsp_source_ip: "<your_own_value>" ssl_ocsp_status: "enable" strict_crl_check: "enable" strict_ocsp_check: "enable" subject_match: "substring" subject_set: "subset"
vdom: default: root description: - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str enable_log: default: false description: - Enable/Disable logging for task. required: false type: bool member_path: description: - Member attribute path to operate on. - Delimited by a slash character if there are more than one attribute. - Parameter marked with member_path is legitimate for doing member operation. type: str access_token: description: - Token-based authentication. Generated from GUI of Fortigate. required: false type: str member_state: choices: - present - absent description: - Add or delete a member under specified attribute path. - When member_state is specified, the state option is ignored. type: str vpn_certificate_setting: default: null description: - VPN certificate setting. suboptions: cert_expire_warning: description: - Number of days before a certificate expires to send a warning. Set to 0 to disable sending of the warning (0 - 100). type: int certname_dsa1024: description: - 1024 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str certname_dsa2048: description: - 2048 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str certname_ecdsa256: description: - 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str certname_ecdsa384: description: - 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str certname_ecdsa521: description: - 521 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str certname_ed25519: description: - 253 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str certname_ed448: description: - 456 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str certname_rsa1024: description: - 1024 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str certname_rsa2048: description: - 2048 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str certname_rsa4096: description: - 4096 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str check_ca_cert: choices: - enable - disable description: - Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted . type: str check_ca_chain: choices: - enable - disable description: - Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted . type: str cmp_key_usage_checking: choices: - enable - disable description: - Enable/disable server certificate key usage checking in CMP mode . type: str cmp_save_extra_certs: choices: - enable - disable description: - Enable/disable saving extra certificates in CMP mode . type: str cn_allow_multi: choices: - disable - enable description: - When searching for a matching certificate, allow multiple CN fields in certificate subject name . type: str cn_match: choices: - substring - value description: - When searching for a matching certificate, control how to do CN value matching with certificate subject name . type: str crl_verification: description: - CRL verification options. suboptions: chain_crl_absence: choices: - ignore - revoke description: - CRL verification option when CRL of any certificate in chain is absent . type: str expiry: choices: - ignore - revoke description: - CRL verification option when CRL is expired . type: str leaf_crl_absence: choices: - ignore - revoke description: - CRL verification option when leaf CRL is absent . type: str type: dict interface: description: - Specify outgoing interface to reach server. Source system.interface.name. type: str interface_select_method: choices: - auto - sdwan - specify description: - Specify how to select outgoing interface to reach server. type: str ocsp_default_server: description: - Default OCSP server. Source vpn.certificate.ocsp-server.name. type: str ocsp_option: choices: - certificate - server description: - Specify whether the OCSP URL is from certificate or configured OCSP server. type: str ocsp_status: choices: - enable - mandatory - disable description: - Enable/disable receiving certificates using the OCSP. type: str proxy: description: - Proxy server FQDN or IP for OCSP/CA queries during certificate verification. type: str proxy_password: description: - Proxy server password. type: str proxy_port: description: - Proxy server port (1 - 65535). type: int proxy_username: description: - Proxy server user name. type: str source_ip: description: - Source IP address for dynamic AIA and OCSP queries. type: str ssl_min_proto_version: choices: - default - SSLv3 - TLSv1 - TLSv1-1 - TLSv1-2 - TLSv1-3 description: - Minimum supported protocol version for SSL/TLS connections . type: str ssl_ocsp_option: choices: - certificate - server description: - Specify whether the OCSP URL is from the certificate or the default OCSP server. type: str ssl_ocsp_source_ip: description: - Source IP address to use to communicate with the OCSP server. type: str ssl_ocsp_status: choices: - enable - disable description: - Enable/disable SSL OCSP. type: str strict_crl_check: choices: - enable - disable description: - Enable/disable strict mode CRL checking. type: str strict_ocsp_check: choices: - enable - disable description: - Enable/disable strict mode OCSP checking. type: str subject_match: choices: - substring - value description: - When searching for a matching certificate, control how to do RDN value matching with certificate subject name . type: str subject_set: choices: - subset - superset description: - When searching for a matching certificate, control how to do RDN set matching with certificate subject name . type: str type: dict
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str