community.crypto.openssl_csr_info – Provide information of OpenSSL Certificate Signing Requests (CSR)

Note

This plugin is part of the community.crypto collection (version 1.4.0).

To install it use: ansible-galaxy collection install community.crypto.

To use it in a playbook, specify: community.crypto.openssl_csr_info.

Synopsis

• This module allows one to query information on OpenSSL Certificate Signing Requests (CSR).

• In case the CSR signature cannot be validated, the module will fail. In this case, all return variables are still returned.

• It uses the pyOpenSSL or cryptography python library to interact with OpenSSL. If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements) cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with select_crypto_backend). Please note that the PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0.

Requirements

The below requirements are needed on the host that executes this module.

• PyOpenSSL >= 0.15 or cryptography >= 1.3

Parameters

Parameter	Choices/Defaults	Comments
content string added in 1.0.0 of community.crypto		Content of the CSR file. Either path or content must be specified, but not both.
path path		Remote absolute path where the CSR file is loaded from. Either path or content must be specified, but not both.
select_crypto_backend string	Choices: auto ← cryptography pyopenssl	Determines which crypto backend to use. The default choice is auto, which tries to use cryptography if available, and falls back to pyopenssl. If set to pyopenssl, will try to use the pyOpenSSL library. If set to cryptography, will try to use the cryptography library. Please note that the pyopenssl backend has been deprecated in Ansible 2.9, and will be removed in community.crypto 2.0.0. From that point on, only the cryptography backend will be available.

See Also

See also

community.crypto.openssl_csr

The official documentation on the community.crypto.openssl_csr module.

community.crypto.openssl_csr_pipe

The official documentation on the community.crypto.openssl_csr_pipe module.

Examples

- name: Generate an OpenSSL Certificate Signing Request
  community.crypto.openssl_csr:
    path: /etc/ssl/csr/www.ansible.com.csr
    privatekey_path: /etc/ssl/private/ansible.com.pem
    common_name: www.ansible.com

- name: Get information on the CSR
  community.crypto.openssl_csr_info:
    path: /etc/ssl/csr/www.ansible.com.csr
  register: result

- name: Dump information
  debug:
    var: result

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key		Returned	Description
authority_cert_issuer list / elements=string		success and if the pyOpenSSL backend is not used	The CSR's authority cert issuer as a list of general names. Is none if the AuthorityKeyIdentifier extension is not present. Sample: [DNS:www.ansible.com, IP:1.2.3.4]
authority_cert_serial_number integer		success and if the pyOpenSSL backend is not used	The CSR's authority cert serial number. Is none if the AuthorityKeyIdentifier extension is not present. Sample: 12345
authority_key_identifier string		success and if the pyOpenSSL backend is not used	The CSR's authority key identifier. The identifier is returned in hexadecimal, with : used to separate bytes. Is none if the AuthorityKeyIdentifier extension is not present. Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
basic_constraints list / elements=string		success	Entries in the basic_constraints extension, or none if extension is not present. Sample: [CA:TRUE, pathlen:1]
basic_constraints_critical boolean		success	Whether the basic_constraints extension is critical.
extended_key_usage list / elements=string		success	Entries in the extended_key_usage extension, or none if extension is not present. Sample: [Biometric Info, DVCS, Time Stamping]
extended_key_usage_critical boolean		success	Whether the extended_key_usage extension is critical.
extensions_by_oid dictionary		success	Returns a dictionary for every extension OID Sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}
	critical boolean	success	Whether the extension is critical.
	value string	success	The Base64 encoded value (in DER format) of the extension Sample: MAMCAQU=
key_usage string		success	Entries in the key_usage extension, or none if extension is not present. Sample: [Key Agreement, Data Encipherment]
key_usage_critical boolean		success	Whether the key_usage extension is critical.
name_constraints_critical boolean added in 1.1.0 of community.crypto		success	Whether the name_constraints extension is critical. Is none if extension is not present.
name_constraints_excluded list / elements=string added in 1.1.0 of community.crypto		success	List of excluded subtrees the CA cannot sign certificates for. Is none if extension is not present. Sample: ['email:.com']
name_constraints_permitted list / elements=string added in 1.1.0 of community.crypto		success	List of permitted subtrees to sign certificates for. Sample: ['email:.somedomain.com']
ocsp_must_staple boolean		success	yes if the OCSP Must Staple extension is present, none otherwise.
ocsp_must_staple_critical boolean		success	Whether the ocsp_must_staple extension is critical.
public_key string		success	CSR's public key in PEM format Sample: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A...
public_key_fingerprints dictionary		success	Fingerprints of CSR's public key. For every hash algorithm available, the fingerprint is computed. Sample: {'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1...
signature_valid boolean		success	Whether the CSR's signature is valid. In case the check returns no, the module will fail.
subject dictionary		success	The CSR's subject as a dictionary. Note that for repeated values, only the last one will be returned. Sample: {"commonName": "www.example.com", "emailAddress": "test@example.com"}
subject_alt_name list / elements=string		success	Entries in the subject_alt_name extension, or none if extension is not present. Sample: [DNS:www.ansible.com, IP:1.2.3.4]
subject_alt_name_critical boolean		success	Whether the subject_alt_name extension is critical.
subject_key_identifier string		success and if the pyOpenSSL backend is not used	The CSR's subject key identifier. The identifier is returned in hexadecimal, with : used to separate bytes. Is none if the SubjectKeyIdentifier extension is not present. Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
subject_ordered list / elements=list		success	The CSR's subject as an ordered list of tuples. Sample: [["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]

Authors

• Felix Fontein (@felixfontein)

• Yanis Guenane (@Spredzy)