Documentation

bigip_ssl_certificate - Import/Delete certificates from BIG-IP

New in version 2.2.

Synopsis

  • This module will import/delete SSL certificates on BIG-IP LTM. Certificates can be imported from certificate and key files on the local disk, in PEM format.

Requirements (on host that executes module)

  • f5-sdk >= 1.5.0
  • BigIP >= v12

Options

| parameter | required | default | choices | comments |
|---|---|---|---|---|
| cert_content | no | | | When used instead of 'cert_src', sets the contents of a certificate directly to the specified value. This is used with lookup plugins or for anything with formatting or templating. Either one of key_src, key_content, cert_src or cert_content must be provided when state is present. |
| cert_src | no | | | This is the local filename of the certificate. Either one of key_src, key_content, cert_src or cert_content must be provided when state is present. |
| key_content | no | | | When used instead of 'key_src', sets the contents of a certificate key directly to the specified value. This is used with lookup plugins or for anything with formatting or templating. Either one of key_src, key_content, cert_src or cert_content must be provided when state is present. |
| key_src | no | | | This is the local filename of the private key. Either one of key_src, key_content, cert_src or cert_content must be provided when state is present. |
| name | yes | | | SSL Certificate Name. This is the cert/key pair name used when importing a certificate/key into the F5. It also determines the filenames of the objects on the LTM (:Partition:name.cer_11111_1 and :Partition_name.key_11111_1). |
| partition | no | Common | | BIG-IP partition to use when adding/deleting certificate. |
| passphrase | no | | | Passphrase on certificate private key |
| password | yes | | | The password for the user account used to connect to the BIG-IP. This option can be omitted if the environment variable F5_PASSWORD is set. |
| server | yes | | | The BIG-IP host. This option can be omitted if the environment variable F5_SERVER is set. |
| server_port (added in 2.2) | no | 443 | | The BIG-IP server port. This option can be omitted if the environment variable F5_SERVER_PORT is set. |
| state | yes | present | present, absent | Certificate and key state. This determines if the provided certificate and key is to be made present on the device or absent. |
| user | yes | | | The username to connect to the BIG-IP with. This user must have administrative privileges on the device. This option can be omitted if the environment variable F5_USER is set. |
| validate_certs (added in 2.0) | no | True | True, False | If no, SSL certificates will not be validated. This should only be used on personally controlled sites using self-signed certificates. This option can be omitted if the environment variable F5_VALIDATE_CERTS is set. |

Examples

- name: Import PEM Certificate from local disk
  bigip_ssl_certificate:
      name: "certificate-name"
      server: "lb.mydomain.com"
      user: "admin"
      password: "secret"
      state: "present"
      cert_src: "/path/to/cert.crt"
      key_src: "/path/to/key.key"
  delegate_to: localhost

- name: Use a file lookup to import PEM Certificate
  bigip_ssl_certificate:
      name: "certificate-name"
      server: "lb.mydomain.com"
      user: "admin"
      password: "secret"
      state: "present"
      cert_content: "{{ lookup('file', '/path/to/cert.crt') }}"
      key_content: "{{ lookup('file', '/path/to/key.key') }}"
  delegate_to: localhost

- name: "Delete Certificate"
  bigip_ssl_certificate:
      name: "certificate-name"
      server: "lb.mydomain.com"
      user: "admin"
      password: "secret"
      state: "absent"
  delegate_to: localhost
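
A variant of the import example that keeps credentials out of the playbook, added here as an illustration and not part of the module's own documentation. It relies on the F5_SERVER, F5_USER and F5_PASSWORD fallbacks described under Options; the file vault.yml and the vault_* variable names are assumptions standing in for an ansible-vault encrypted vars file.

```yaml
# Added example, not from the module documentation.
# vault.yml and every vault_* variable name are assumptions.
- hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - vault.yml
  tasks:
    - name: Import PEM certificate and key
      bigip_ssl_certificate:
        name: "certificate-name"
        state: "present"
        cert_src: "/path/to/cert.crt"
        key_src: "/path/to/key.key"
        # Only passed when the key is encrypted and the variable is defined.
        passphrase: "{{ vault_key_passphrase | default(omit) }}"
        # server, user and password are omitted on purpose: the module reads
        # F5_SERVER, F5_USER and F5_PASSWORD from the task environment.
        # validate_certs is not set, so the default (True) applies.
      environment:
        F5_SERVER: "lb.mydomain.com"
        F5_USER: "{{ vault_f5_user }}"
        F5_PASSWORD: "{{ vault_f5_password }}"
      # Keeps the passphrase and module arguments out of task output and logs.
      no_log: true
      register: import_result

    - name: Report the imported certificate
      debug:
        msg: >-
          Imported {{ import_result.cert_name }} into partition
          {{ import_result.partition }}
          (cert SHA1 {{ import_result.cert_checksum }})
      # cert_checksum is only returned when the cert was created or changed.
      when: import_result.changed
```

With no_log enabled, a failure of the import task is also censored; disable it temporarily on a test device when debugging.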

Return Values

Common return values are documented in Return Values; the following fields are unique to this module:

| name | description | returned | type | sample |
|---|---|---|---|---|
| cert_checksum | SHA1 checksum of the cert that was provided | created or changed | string | f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0 |
| partition | Partition in which the cert/key was created | created, changed or deleted | string | Common |
| cert_name | The name of the SSL certificate. The cert_name and key_name will be equal to each other. | created, changed or deleted | string | cert1 |
| key_checksum | SHA1 checksum of the key that was provided | created or changed | string | cf23df2207d99a74fbe169e3eba035e633b65d94 |
| key_name | The name of the SSL certificate key. The key_name and cert_name will be equal to each other. | created, changed or deleted | string | key1 |


Notes

  • Requires the f5-sdk Python package on the host. This is as easy as pip install f5-sdk.
  • Requires the netaddr Python package on the host.
  • If you use this module, you will not be able to remove the managed certificates and keys via the web UI. You can only remove them via tmsh or these modules.

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Support

This module is community maintained without core committer oversight.

For more information on what this means, please read Module Support.

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.