get_certificate – Get a certificate from a host:port

New in version 2.8.

Synopsis

  • Makes a secure connection and returns information about the presented certificate

Requirements

The below requirements are needed on the host that executes this module.

  • pyOpenSSL >= 0.15

Parameters

  • ca_cert (path): A PEM file containing one or more root certificates; if present, the cert will be validated against these root certs. Note that this only validates that the certificate is signed by the chain, not that the cert is valid for the host presenting it.
  • host (string, required): The host to get the cert for (an IP address is fine).
  • port (integer, required): The port to connect to.
  • timeout (integer, default: 10): The connection timeout in seconds.

Notes

  • When using ca_cert on OS X it has been reported that, under some conditions, the validation will always succeed.

Examples

- name: Get the cert from an RDP port
  get_certificate:
    host: "1.2.3.4"
    port: 3389
  delegate_to: localhost
  run_once: true
  register: cert

- name: Get a cert from an https port
  get_certificate:
    host: "www.google.com"
    port: 443
  delegate_to: localhost
  run_once: true
  register: cert

- name: How many days until cert expires
  debug:
    msg: "cert expires in: {{ expire_days }} days."
  vars:
    expire_days: "{{ (( cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ')) ).days }}"
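An added playbook (not part of the module documentation) that ties the parameters and return values together into one check: it validates the presented chain against a CA bundle, computes the days left from not_after, and fails the play if the cert is expired, expires within 30 days, or was issued to a different name. The host name internal.example.com and the bundle path /etc/ssl/certs/ca-certificates.crt are assumptions; because ca_cert validation does not check that the cert belongs to the host, the name comparison assumes the subject dictionary exposes a CN key.

```yaml
- name: Check that a server certificate is trusted and not close to expiry
  hosts: localhost
  gather_facts: true          # ansible_date_time is needed for the expiry calculation
  vars:
    target_host: "internal.example.com"   # assumed host name
    target_port: 443
    warn_days: 30

  tasks:
    - name: Fetch the certificate, validating the chain against a CA bundle
      get_certificate:
        host: "{{ target_host }}"
        port: "{{ target_port }}"
        ca_cert: "/etc/ssl/certs/ca-certificates.crt"   # assumed path to a PEM CA bundle
        timeout: 5
      register: cert

    - name: Compute days until expiry from the not_after return value
      set_fact:
        expire_days: "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ'))).days }}"

    - name: Fail if the cert is expired, expiring soon, or issued to another name
      assert:
        that:
          - not cert.expired
          - (expire_days | int) > warn_days
          # chain validation alone does not check the name; assumes a CN key in cert.subject
          - cert.subject.CN == target_host
        fail_msg: "Certificate for {{ target_host }}:{{ target_port }} expires in {{ expire_days }} days (subject CN: {{ cert.subject.CN | default('n/a') }})"
        success_msg: "Certificate for {{ target_host }}:{{ target_port }} is valid for another {{ expire_days }} days"
```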

Return Values

Common return values are documented separately; the following fields are unique to this module:

  • cert (string, returned on success): The certificate retrieved from the port.
  • expired (boolean, returned on success): Boolean indicating whether the cert is expired.
  • extensions (list, returned on success): Extensions applied to the cert.
  • issuer (dictionary, returned on success): Information about the issuer of the cert.
  • not_after (string, returned on success): Expiration date of the cert.
  • not_before (string, returned on success): Issue date of the cert.
  • serial_number (string, returned on success): The serial number of the cert.
  • signature_algorithm (string, returned on success): The algorithm used to sign the cert.
  • subject (dictionary, returned on success): Information about the subject of the cert (OU, CN, etc.).
  • version (string, returned on success): The version number of the certificate.

Status

Authors

  • John Westcott IV (@john-westcott-iv)
