openssl_certificate_info – Provide information of OpenSSL X.509 certificates¶

New in version 2.8.

Synopsis
Requirements
Parameters
Notes
See Also
Examples
Return Values
Status

Synopsis ¶

This module allows one to query information on OpenSSL certificates.
It uses the pyOpenSSL or cryptography python library to interact with OpenSSL. If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements) cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with select_crypto_backend). Please note that the PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in Ansible 2.13.

Requirements ¶

The below requirements are needed on the host that executes this module.

PyOpenSSL >= 0.15 or cryptography >= 1.6

Parameters ¶

Parameter	Choices/Defaults	Comments
path path / required		Remote absolute path where the certificate file is loaded from.
select_crypto_backend string	Choices: auto ← cryptography pyopenssl	Determines which crypto backend to use. The default choice is `auto`, which tries to use `cryptography` if available, and falls back to `pyopenssl`. If set to `pyopenssl`, will try to use the pyOpenSSL library. If set to `cryptography`, will try to use the cryptography library. Please note that the `pyopenssl` backend has been deprecated in Ansible 2.9, and will be removed in Ansible 2.13. From that point on, only the `cryptography` backend will be available.
valid_at dictionary		A dict of names mapping to time specifications. Every time specified here will be checked whether the certificate is valid at this point. See the `valid_at` return value for informations on the result. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid format is `[+-]timespec \| ASN.1 TIME` where timespec can be an integer + `[w \| d \| h \| m \| s]` (e.g. `+32w1d2h`, and ASN.1 TIME (i.e. pattern `YYYYMMDDHHMMSSZ`). Note that all timestamps will be treated as being in UTC.

Notes ¶

Note

All timestamp values are provided in ASN.1 TIME format, i.e. following the YYYYMMDDHHMMSSZ pattern. They are all in UTC.

Examples ¶

- name: Generate a Self Signed OpenSSL certificate
  openssl_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    privatekey_path: /etc/ssl/private/ansible.com.pem
    csr_path: /etc/ssl/csr/ansible.com.csr
    provider: selfsigned


# Get information on the certificate

- name: Get information on generated certificate
  openssl_certificate_info:
    path: /etc/ssl/crt/ansible.com.crt
  register: result

- name: Dump information
  debug:
    var: result


# Check whether the certificate is valid or not valid at certain times, fail
# if this is not the case. The first task (openssl_certificate_info) collects
# the information, and the second task (assert) validates the result and
# makes the playbook fail in case something is not as expected.

- name: Test whether that certificate is valid tomorrow and/or in three weeks
  openssl_certificate_info:
    path: /etc/ssl/crt/ansible.com.crt
    valid_at:
      point_1: "+1d"
      point_2: "+3w"
  register: result

- name: Validate that certificate is valid tomorrow, but not in three weeks
  assert:
    that:
      - result.valid_at.point_1      # valid in one day
      - not result.valid_at.point_2  # not valid in three weeks

Return Values ¶

Common return values are documented here, the following are the fields unique to this module:

Key		Returned	Description
authority_cert_issuer list / elements=string added in 2.9		success and if the pyOpenSSL backend is not used	The certificate's authority cert issuer as a list of general names. Is `none` if the `AuthorityKeyIdentifier` extension is not present. Sample: [DNS:www.ansible.com, IP:1.2.3.4]
authority_cert_serial_number integer added in 2.9		success and if the pyOpenSSL backend is not used	The certificate's authority cert serial number. Is `none` if the `AuthorityKeyIdentifier` extension is not present. Sample: 12345
authority_key_identifier string added in 2.9		success and if the pyOpenSSL backend is not used	The certificate's authority key identifier. The identifier is returned in hexadecimal, with `:` used to separate bytes. Is `none` if the `AuthorityKeyIdentifier` extension is not present. Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
basic_constraints list / elements=string		success	Entries in the `basic_constraints` extension, or `none` if extension is not present. Sample: [CA:TRUE, pathlen:1]
basic_constraints_critical boolean		success	Whether the `basic_constraints` extension is critical.
expired boolean		success	Whether the certificate is expired (i.e. `notAfter` is in the past)
extended_key_usage list / elements=string		success	Entries in the `extended_key_usage` extension, or `none` if extension is not present. Sample: [Biometric Info, DVCS, Time Stamping]
extended_key_usage_critical boolean		success	Whether the `extended_key_usage` extension is critical.
extensions_by_oid dictionary		success	Returns a dictionary for every extension OID Sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}
	critical boolean	success	Whether the extension is critical.
	value string	success	The Base64 encoded value (in DER format) of the extension Sample: MAMCAQU=
issuer dictionary		success	The certificate's issuer. Note that for repeated values, only the last one will be returned. Sample: {"organizationName": "Ansible", "commonName": "ca.example.com"}
issuer_ordered list / elements=list added in 2.9		success	The certificate's issuer as an ordered list of tuples. Sample: [["organizationName", "Ansible"], ["commonName": "ca.example.com"]]
key_usage string		success	Entries in the `key_usage` extension, or `none` if extension is not present. Sample: [Key Agreement, Data Encipherment]
key_usage_critical boolean		success	Whether the `key_usage` extension is critical.
not_after string		success	`notAfter` date as ASN.1 TIME Sample: 20190413202428Z
not_before string		success	`notBefore` date as ASN.1 TIME Sample: 20190331202428Z
ocsp_must_staple boolean		success	`yes` if the OCSP Must Staple extension is present, `none` otherwise.
ocsp_must_staple_critical boolean		success	Whether the `ocsp_must_staple` extension is critical.
ocsp_uri string added in 2.9		success	The OCSP responder URI, if included in the certificate. Will be `none` if no OCSP responder URI is included.
public_key string		success	Certificate's public key in PEM format Sample: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A...
public_key_fingerprints dictionary		success	Fingerprints of certificate's public key. For every hash algorithm available, the fingerprint is computed. Sample: {'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1...
serial_number integer		success	The certificate's serial number. Sample: 1234
signature_algorithm string		success	The signature algorithm used to sign the certificate. Sample: sha256WithRSAEncryption
subject dictionary		success	The certificate's subject as a dictionary. Note that for repeated values, only the last one will be returned. Sample: {"commonName": "www.example.com", "emailAddress": "[email protected]"}
subject_alt_name list / elements=string		success	Entries in the `subject_alt_name` extension, or `none` if extension is not present. Sample: [DNS:www.ansible.com, IP:1.2.3.4]
subject_alt_name_critical boolean		success	Whether the `subject_alt_name` extension is critical.
subject_key_identifier string added in 2.9		success and if the pyOpenSSL backend is not used	The certificate's subject key identifier. The identifier is returned in hexadecimal, with `:` used to separate bytes. Is `none` if the `SubjectKeyIdentifier` extension is not present. Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
subject_ordered list / elements=list added in 2.9		success	The certificate's subject as an ordered list of tuples. Sample: [["commonName", "www.example.com"], ["emailAddress": "[email protected]"]]
valid_at dictionary		success	For every time stamp provided in the valid_at option, a boolean whether the certificate is valid at that point in time or not.
version integer		success	The certificate version. Sample: 3

Status ¶

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]

Authors¶

Felix Fontein (@felixfontein)
Yanis Guenane (@Spredzy)
Markus Teufelberger (@MarkusTeufelberger)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.