openssl_certificate_info – Provide information of OpenSSL X.509 certificates¶
New in version 2.8.
Synopsis¶
This module allows one to query information on OpenSSL certificates.
It uses the pyOpenSSL or cryptography python library to interact with OpenSSL. If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements) cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with
select_crypto_backend
). Please note that the PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in Ansible 2.13.
Requirements¶
The below requirements are needed on the host that executes this module.
PyOpenSSL >= 0.15 or cryptography >= 1.6
Parameters¶
Parameter | Choices/Defaults | Comments |
---|---|---|
path
path
/ required
|
Remote absolute path where the certificate file is loaded from.
|
|
select_crypto_backend
string
|
|
Determines which crypto backend to use.
The default choice is
auto , which tries to use cryptography if available, and falls back to pyopenssl .If set to
pyopenssl , will try to use the pyOpenSSL library.If set to
cryptography , will try to use the cryptography library.Please note that the
pyopenssl backend has been deprecated in Ansible 2.9, and will be removed in Ansible 2.13. From that point on, only the cryptography backend will be available. |
valid_at
dictionary
|
A dict of names mapping to time specifications. Every time specified here will be checked whether the certificate is valid at this point. See the
valid_at return value for informations on the result.Time can be specified either as relative time or as absolute timestamp.
Time will always be interpreted as UTC.
Valid format is
[+-]timespec | ASN.1 TIME where timespec can be an integer + [w | d | h | m | s] (e.g. +32w1d2h , and ASN.1 TIME (i.e. pattern YYYYMMDDHHMMSSZ ). Note that all timestamps will be treated as being in UTC. |
Notes¶
Note
All timestamp values are provided in ASN.1 TIME format, i.e. following the
YYYYMMDDHHMMSSZ
pattern. They are all in UTC.
See Also¶
See also
- openssl_certificate – Generate and/or check OpenSSL certificates
The official documentation on the openssl_certificate module.
Examples¶
- name: Generate a Self Signed OpenSSL certificate
openssl_certificate:
path: /etc/ssl/crt/ansible.com.crt
privatekey_path: /etc/ssl/private/ansible.com.pem
csr_path: /etc/ssl/csr/ansible.com.csr
provider: selfsigned
# Get information on the certificate
- name: Get information on generated certificate
openssl_certificate_info:
path: /etc/ssl/crt/ansible.com.crt
register: result
- name: Dump information
debug:
var: result
# Check whether the certificate is valid or not valid at certain times, fail
# if this is not the case. The first task (openssl_certificate_info) collects
# the information, and the second task (assert) validates the result and
# makes the playbook fail in case something is not as expected.
- name: Test whether that certificate is valid tomorrow and/or in three weeks
openssl_certificate_info:
path: /etc/ssl/crt/ansible.com.crt
valid_at:
point_1: "+1d"
point_2: "+3w"
register: result
- name: Validate that certificate is valid tomorrow, but not in three weeks
assert:
that:
- result.valid_at.point_1 # valid in one day
- not result.valid_at.point_2 # not valid in three weeks
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description | |
---|---|---|---|
authority_cert_issuer
list
/ elements=string
added in 2.9 |
success and if the pyOpenSSL backend is not used |
The certificate's authority cert issuer as a list of general names.
Is
none if the AuthorityKeyIdentifier extension is not present.Sample:
[DNS:www.ansible.com, IP:1.2.3.4]
|
|
authority_cert_serial_number
integer
added in 2.9 |
success and if the pyOpenSSL backend is not used |
The certificate's authority cert serial number.
Is
none if the AuthorityKeyIdentifier extension is not present.Sample:
12345
|
|
authority_key_identifier
string
added in 2.9 |
success and if the pyOpenSSL backend is not used |
The certificate's authority key identifier.
The identifier is returned in hexadecimal, with
: used to separate bytes.Is
none if the AuthorityKeyIdentifier extension is not present.Sample:
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
|
|
basic_constraints
list
/ elements=string
|
success |
Entries in the
basic_constraints extension, or none if extension is not present.Sample:
[CA:TRUE, pathlen:1]
|
|
basic_constraints_critical
boolean
|
success |
Whether the
basic_constraints extension is critical. |
|
expired
boolean
|
success |
Whether the certificate is expired (i.e.
notAfter is in the past) |
|
extended_key_usage
list
/ elements=string
|
success |
Entries in the
extended_key_usage extension, or none if extension is not present.Sample:
[Biometric Info, DVCS, Time Stamping]
|
|
extended_key_usage_critical
boolean
|
success |
Whether the
extended_key_usage extension is critical. |
|
extensions_by_oid
dictionary
|
success |
Returns a dictionary for every extension OID
Sample:
{"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}
|
|
critical
boolean
|
success |
Whether the extension is critical.
|
|
value
string
|
success |
The Base64 encoded value (in DER format) of the extension
Sample:
MAMCAQU=
|
|
issuer
dictionary
|
success |
The certificate's issuer.
Note that for repeated values, only the last one will be returned.
Sample:
{"organizationName": "Ansible", "commonName": "ca.example.com"}
|
|
issuer_ordered
list
/ elements=list
added in 2.9 |
success |
The certificate's issuer as an ordered list of tuples.
Sample:
[["organizationName", "Ansible"], ["commonName": "ca.example.com"]]
|
|
key_usage
string
|
success |
Entries in the
key_usage extension, or none if extension is not present.Sample:
[Key Agreement, Data Encipherment]
|
|
key_usage_critical
boolean
|
success |
Whether the
key_usage extension is critical. |
|
not_after
string
|
success |
notAfter date as ASN.1 TIMESample:
20190413202428Z
|
|
not_before
string
|
success |
notBefore date as ASN.1 TIMESample:
20190331202428Z
|
|
ocsp_must_staple
boolean
|
success |
yes if the OCSP Must Staple extension is present, none otherwise. |
|
ocsp_must_staple_critical
boolean
|
success |
Whether the
ocsp_must_staple extension is critical. |
|
ocsp_uri
string
added in 2.9 |
success |
The OCSP responder URI, if included in the certificate. Will be
none if no OCSP responder URI is included. |
|
public_key
string
|
success |
Certificate's public key in PEM format
Sample:
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A...
|
|
public_key_fingerprints
dictionary
|
success |
Fingerprints of certificate's public key.
For every hash algorithm available, the fingerprint is computed.
Sample:
{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1...
|
|
serial_number
integer
|
success |
The certificate's serial number.
Sample:
1234
|
|
signature_algorithm
string
|
success |
The signature algorithm used to sign the certificate.
Sample:
sha256WithRSAEncryption
|
|
subject
dictionary
|
success |
The certificate's subject as a dictionary.
Note that for repeated values, only the last one will be returned.
Sample:
{"commonName": "www.example.com", "emailAddress": "[email protected]"}
|
|
subject_alt_name
list
/ elements=string
|
success |
Entries in the
subject_alt_name extension, or none if extension is not present.Sample:
[DNS:www.ansible.com, IP:1.2.3.4]
|
|
subject_alt_name_critical
boolean
|
success |
Whether the
subject_alt_name extension is critical. |
|
subject_key_identifier
string
added in 2.9 |
success and if the pyOpenSSL backend is not used |
The certificate's subject key identifier.
The identifier is returned in hexadecimal, with
: used to separate bytes.Is
none if the SubjectKeyIdentifier extension is not present.Sample:
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
|
|
subject_ordered
list
/ elements=list
added in 2.9 |
success |
The certificate's subject as an ordered list of tuples.
Sample:
[["commonName", "www.example.com"], ["emailAddress": "[email protected]"]]
|
|
valid_at
dictionary
|
success |
For every time stamp provided in the valid_at option, a boolean whether the certificate is valid at that point in time or not.
|
|
version
integer
|
success |
The certificate version.
Sample:
3
|
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]
Authors¶
Felix Fontein (@felixfontein)
Yanis Guenane (@Spredzy)
Markus Teufelberger (@MarkusTeufelberger)
Hint
If you notice any issues in this documentation, you can edit this document to improve it.