community.crypto.x509_certificate module – Generate and/or check OpenSSL certificates
Note
This module is part of the community.crypto collection (version 2.22.3).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.crypto
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.crypto.x509_certificate
.
Synopsis
It implements a notion of provider (one of
selfsigned
,ownca
,acme
, andentrust
) for your certificate.It uses the cryptography python library to interact with OpenSSL.
Note that this module was called
openssl_certificate
when included directly in Ansible up to version 2.9. When moved to the collectioncommunity.crypto
, it was renamed to community.crypto.x509_certificate. From Ansible 2.10 on, it can still be used by the old short name (or byansible.builtin.openssl_certificate
), which redirects to community.crypto.x509_certificate. When using FQCNs or when using the collections keyword, the new name community.crypto.x509_certificate should be used to avoid a deprecation warning.Please note that the module regenerates existing certificate if it does not match the module’s options, or if it seems to be corrupt. If you are concerned that this could overwrite your existing certificate, consider using the
backup
option.The
ownca
provider is intended for generating an OpenSSL certificate signed with your own CA (Certificate Authority) certificate (self-signed certificate).This module allows one to (re)generate OpenSSL certificates.
Requirements
The below requirements are needed on the host that executes this module.
acme-tiny >= 4.0.0 (if using the
acme
provider)cryptography >= 1.6 (if using
selfsigned
orownca
provider)
Parameters
Parameter |
Comments |
---|---|
The path to the accountkey for the This is only used by the |
|
Include the intermediate certificate to the generated certificate This is only used by the Note that this is only available for older versions of Choices:
|
|
The path to the ACME challenge directory that is served on http://<HOST>:80/.well-known/acme-challenge/ This is only used by the |
|
The ACME directory to use. You can use any directory that supports the ACME protocol, such as Buypass or Let’s Encrypt. Let’s Encrypt recommends using their staging server while developing jobs. https://letsencrypt.org/docs/staging-environment/. Default: |
|
The attributes the resulting filesystem object should have. To get supported flags look at the man page for This string should contain the attributes in the same order as the one displayed by The |
|
Create a backup file including a timestamp so you can get the original certificate back if you overwrote it with a new one by accident. Choices:
|
|
Content of the Certificate Signing Request (CSR) used to generate this certificate. This is mutually exclusive with |
|
Path to the Certificate Signing Request (CSR) used to generate this certificate. This is mutually exclusive with |
|
The path to the private key of the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. This is only used by the This is required if the provider is |
|
The path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. This is only used by the This is required if the provider is |
|
The key (password) for authentication to the Entrust Certificate Services (ECS) API. This is only used by the This is required if the provider is |
|
The path to the specification file defining the Entrust Certificate Services (ECS) API configuration. You can use this to keep a local copy of the specification to avoid downloading it every time the module is used. This is only used by the Default: |
|
The username for authentication to the Entrust Certificate Services (ECS) API. This is only used by the This is required if the provider is |
|
Specify the type of certificate requested. This is only used by the Choices:
|
|
The point in time at which the certificate stops being valid. Time can be specified either as relative time or as an absolute timestamp. A valid absolute time format is A valid relative time format is Time will always be interpreted as UTC. Note that only the date (day, month, year) is supported for specifying the expiry date of the issued certificate. The full date-time is adjusted to EST (GMT -5:00) before issuance, which may result in a certificate with an expiration date one day earlier than expected if a relative time is used. The minimum certificate lifetime is 90 days, and maximum is three years. If this value is not specified, the certificate will stop being valid 365 days the date of issue. This is only used by the Please note that this value is not covered by the Default: |
|
The email of the requester of the certificate (for tracking purposes). This is only used by the This is required if the provider is |
|
The name of the requester of the certificate (for tracking purposes). This is only used by the This is required if the provider is |
|
The phone number of the requester of the certificate (for tracking purposes). This is only used by the This is required if the provider is |
|
Generate the certificate, even if it already exists. Choices:
|
|
Name of the group that should own the filesystem object, as would be fed to When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. |
|
Whether the “not before” and “not after” timestamps should be ignored for idempotency checks. It is better to keep the default value Choices:
|
|
The permissions the resulting filesystem object should have. For those used to Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results. As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
|
Content of the CA (Certificate Authority) certificate. This is only used by the This is mutually exclusive with |
|
Create a Authority Key Identifier from the CA’s certificate. If the CSR provided a authority key identifier, it is ignored. The Authority Key Identifier is generated from the CA certificate’s Subject Key Identifier, if available. If it is not available, the CA certificate’s public key will be used. This is only used by the Note that this is only supported if the Choices:
|
|
Whether to create the Subject Key Identifier (SKI) from the public key. A value of A value of A value of This is only used by the Note that this is only supported if the Choices:
|
|
The digest algorithm to be used for the This is only used by the Default: |
|
The point in time at which the certificate stops being valid. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid format is If this value is not specified, the certificate will stop being valid 10 years from now. Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see https://support.apple.com/en-us/HT210176 for more details. Default: |
|
The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid format is If this value is not specified, the certificate will start being valid from now. Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the Default: |
|
Remote absolute path of the CA (Certificate Authority) certificate. This is only used by the This is mutually exclusive with |
|
Content of the CA (Certificate Authority) private key to use when signing the certificate. This is only used by the This is mutually exclusive with |
|
The passphrase for the This is only used by the |
|
Path to the CA (Certificate Authority) private key to use when signing the certificate. This is only used by the This is mutually exclusive with |
|
The version of the Nowadays it should almost always be This is only used by the Default: |
|
Name of the user that should own the filesystem object, as would be fed to When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. |
|
Remote absolute path where the generated certificate file should be created or is already located. |
|
Content of the private key to use when signing the certificate. This is mutually exclusive with |
|
The passphrase for the This is required if the private key is password protected. |
|
Path to the private key to use when signing the certificate. This is mutually exclusive with |
|
Name of the provider to use to generate/retrieve the OpenSSL certificate. Please see the examples on how to emulate it with community.crypto.x509_certificate_info, community.crypto.openssl_csr_info, community.crypto.openssl_privatekey_info and ansible.builtin.assert. The Required if Choices:
|
|
If set to Choices:
|
|
Determines which crypto backend to use. The default choice is If set to Choices:
|
|
The level part of the SELinux filesystem object context. This is the MLS/MCS attribute, sometimes known as the When set to |
|
Whether to create the Subject Key Identifier (SKI) from the public key. A value of A value of A value of This is only used by the Note that this is only supported if the Choices:
|
|
Digest algorithm to be used when self-signing the certificate. This is only used by the Default: |
|
The point in time at which the certificate stops being valid. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid format is If this value is not specified, the certificate will stop being valid 10 years from now. Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see https://support.apple.com/en-us/HT210176 for more details. Default: |
|
The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid format is If this value is not specified, the certificate will start being valid from now. Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the Default: |
|
Version of the Nowadays it should almost always be This is only used by the Default: |
|
The role part of the SELinux filesystem object context. When set to |
|
The type part of the SELinux filesystem object context. When set to |
|
The user part of the SELinux filesystem object context. By default it uses the When set to |
|
Whether the certificate should exist or not, taking action if the state is different from what is stated. Choices:
|
|
Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. Choices:
|
Attributes
Attribute |
Support |
Description |
---|---|---|
Support: full |
Can run in |
|
Support: full |
Will return details on what has changed (or possibly needs changing in |
|
Support: full |
Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. |
Notes
Note
All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
Date specified should be UTC. Minutes and seconds are mandatory.
For security reason, when you use
ownca
provider, you should NOT run community.crypto.x509_certificate on a target machine, but on a dedicated CA machine. It is recommended not to store the CA private key on the target machine. Once signed, the certificate can be moved to the target machine.For the
selfsigned
provider,csr_path
andcsr_content
are optional. If not provided, a certificate without any information (Subject, Subject Alternative Names, Key Usage, etc.) is created.
See Also
See also
- community.crypto.x509_certificate_pipe
Generate and/or check OpenSSL certificates.
- community.crypto.openssl_csr
Generate OpenSSL Certificate Signing Request (CSR).
- community.crypto.openssl_csr_pipe
Generate OpenSSL Certificate Signing Request (CSR).
- community.crypto.openssl_dhparam
Generate OpenSSL Diffie-Hellman Parameters.
- community.crypto.openssl_pkcs12
Generate OpenSSL PKCS#12 archive.
- community.crypto.openssl_privatekey
Generate OpenSSL private keys.
- community.crypto.openssl_privatekey_pipe
Generate OpenSSL private keys without disk access.
- community.crypto.openssl_publickey
Generate an OpenSSL public key from its private key.
Examples
- name: Generate a Self Signed OpenSSL certificate
community.crypto.x509_certificate:
path: /etc/ssl/crt/ansible.com.crt
privatekey_path: /etc/ssl/private/ansible.com.pem
csr_path: /etc/ssl/csr/ansible.com.csr
provider: selfsigned
- name: Generate an OpenSSL certificate signed with your own CA certificate
community.crypto.x509_certificate:
path: /etc/ssl/crt/ansible.com.crt
csr_path: /etc/ssl/csr/ansible.com.csr
ownca_path: /etc/ssl/crt/ansible_CA.crt
ownca_privatekey_path: /etc/ssl/private/ansible_CA.pem
provider: ownca
- name: Generate a Let's Encrypt Certificate
community.crypto.x509_certificate:
path: /etc/ssl/crt/ansible.com.crt
csr_path: /etc/ssl/csr/ansible.com.csr
provider: acme
acme_accountkey_path: /etc/ssl/private/ansible.com.pem
acme_challenge_path: /etc/ssl/challenges/ansible.com/
- name: Force (re-)generate a new Let's Encrypt Certificate
community.crypto.x509_certificate:
path: /etc/ssl/crt/ansible.com.crt
csr_path: /etc/ssl/csr/ansible.com.csr
provider: acme
acme_accountkey_path: /etc/ssl/private/ansible.com.pem
acme_challenge_path: /etc/ssl/challenges/ansible.com/
force: true
- name: Generate an Entrust certificate via the Entrust Certificate Services (ECS) API
community.crypto.x509_certificate:
path: /etc/ssl/crt/ansible.com.crt
csr_path: /etc/ssl/csr/ansible.com.csr
provider: entrust
entrust_requester_name: Jo Doe
entrust_requester_email: jdoe@ansible.com
entrust_requester_phone: 555-555-5555
entrust_cert_type: STANDARD_SSL
entrust_api_user: apiusername
entrust_api_key: a^lv*32!cd9LnT
entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-key.crt
entrust_api_specification_path: /etc/ssl/entrust/api-docs/cms-api-2.1.0.yaml
# The following example shows how to emulate the behavior of the removed
# "assertonly" provider with the x509_certificate_info, openssl_csr_info,
# openssl_privatekey_info and assert modules:
- name: Get certificate information
community.crypto.x509_certificate_info:
path: /etc/ssl/crt/ansible.com.crt
# for valid_at, invalid_at and valid_in
valid_at:
one_day_ten_hours: "+1d10h"
fixed_timestamp: 20200331202428Z
ten_seconds: "+10"
register: result
- name: Get CSR information
community.crypto.openssl_csr_info:
# Verifies that the CSR signature is valid; module will fail if not
path: /etc/ssl/csr/ansible.com.csr
register: result_csr
- name: Get private key information
community.crypto.openssl_privatekey_info:
path: /etc/ssl/csr/ansible.com.key
register: result_privatekey
- name: Check conditions on certificate, CSR, and private key
ansible.builtin.assert:
that:
# When private key was specified for assertonly, this was checked:
- result.public_key == result_privatekey.public_key
# When CSR was specified for assertonly, this was checked:
- result.public_key == result_csr.public_key
- result.subject_ordered == result_csr.subject_ordered
- result.extensions_by_oid == result_csr.extensions_by_oid
# signature_algorithms check
- "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha512WithRSAEncryption'"
# subject and subject_strict
- "result.subject.commonName == 'ansible.com'"
- "result.subject | length == 1" # the number must be the number of entries you check for
# issuer and issuer_strict
- "result.issuer.commonName == 'ansible.com'"
- "result.issuer | length == 1" # the number must be the number of entries you check for
# has_expired
- not result.expired
# version
- result.version == 3
# key_usage and key_usage_strict
- "'Data Encipherment' in result.key_usage"
- "result.key_usage | length == 1" # the number must be the number of entries you check for
# extended_key_usage and extended_key_usage_strict
- "'DVCS' in result.extended_key_usage"
- "result.extended_key_usage | length == 1" # the number must be the number of entries you check for
# subject_alt_name and subject_alt_name_strict
- "'dns:ansible.com' in result.subject_alt_name"
- "result.subject_alt_name | length == 1" # the number must be the number of entries you check for
# not_before and not_after
- "result.not_before == '20190331202428Z'"
- "result.not_after == '20190413202428Z'"
# valid_at, invalid_at and valid_in
- "result.valid_at.one_day_ten_hours" # for valid_at
- "not result.valid_at.fixed_timestamp" # for invalid_at
- "result.valid_at.ten_seconds" # for valid_in
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Name of backup file created. Returned: changed and if Sample: |
|
The (current or generated) certificate’s content. Returned: if |
|
Path to the generated certificate. Returned: changed or success Sample: |