community.crypto.x509_crl_info – Retrieve information on Certificate Revocation Lists (CRLs)
Note
This plugin is part of the community.crypto collection (version 1.9.8).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
To use it in a playbook, specify: community.crypto.x509_crl_info.
New in version 1.0.0: of community.crypto
Requirements
The below requirements are needed on the host that executes this module.
cryptography >= 1.2
Parameters
Parameter |
Comments |
|---|---|
Content of the X.509 CRL in PEM format, or Base64-encoded X.509 CRL. Either path or content must be specified, but not both. |
|
If set to This is useful when retrieving information on large CRL files. Enumerating all revoked certificates can take some time, including serializing the result as JSON, sending it to the Ansible controller, and decoding it again. Choices:
|
|
Remote absolute path where the generated CRL file should be created or is already located. Either path or content must be specified, but not both. |
Notes
Note
All timestamp values are provided in ASN.1 TIME format, in other words, following the
YYYYMMDDHHMMSSZpattern. They are all in UTC.Supports
check_mode.
See Also
See also
- community.crypto.x509_crl
The official documentation on the community.crypto.x509_crl module.
Examples
- name: Get information on CRL
community.crypto.x509_crl_info:
path: /etc/ssl/my-ca.crl
register: result
- name: Print the information
ansible.builtin.debug:
msg: "{{ result }}"
- name: Get information on CRL without list of revoked certificates
community.crypto.x509_crl_info:
path: /etc/ssl/very-large.crl
list_revoked_certificates: false
register: result
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The signature algorithm used to sign the CRL. Returned: success Sample: “sha256WithRSAEncryption” |
|
Whether the CRL is in PEM format ( Returned: success Sample: “pem” |
|
The CRL’s issuer. Note that for repeated values, only the last one will be returned. Returned: success Sample: “{\”organizationName\”: \”Ansible\”, \”commonName\”: \”ca.example.com\”}” |
|
The CRL’s issuer as an ordered list of tuples. Returned: success Sample: “[[\”organizationName\”, \”Ansible\”], [\”commonName\”: \”ca.example.com\”]]” |
|
The point in time from which this CRL can be trusted as ASN.1 TIME. Returned: success Sample: “20190413202428Z” |
|
The point in time from which a new CRL will be issued and the client has to check for it as ASN.1 TIME. Returned: success Sample: “20190413202428Z” |
|
List of certificates to be revoked. Returned: success if list_revoked_certificates=true |
|
The point in time it was known/suspected that the private key was compromised or that the certificate otherwise became invalid as ASN.1 TIME. Returned: success Sample: “20190413202428Z” |
|
Whether the invalidity date extension is critical. Returned: success Sample: false |
|
Whether the certificate issuer extension is critical. Returned: success Sample: false |
|
The value for the revocation reason extension. One of Returned: success Sample: “key_compromise” |
|
Whether the revocation reason extension is critical. Returned: success Sample: false |
|
The point in time the certificate was revoked as ASN.1 TIME. Returned: success Sample: “20190413202428Z” |
|
Serial number of the certificate. Returned: success Sample: 1234 |
Authors
Felix Fontein (@felixfontein)