community.general.java_cert – Uses keytool to import/remove certificate to/from java keystore (cacerts)
Note
This plugin is part of the community.general collection (version 3.8.3). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install community.general
To use it in a playbook, specify: community.general.java_cert
Synopsis
This is a wrapper module around keytool, which can be used to import certificates and optionally private keys to a given java keystore, or remove them from it.
Requirements
The below requirements are needed on the host that executes this module.
openssl
keytool
Parameters
Parameter | Comments
---|---
cert_alias | Imported certificate alias. The alias is used when checking for the presence of a certificate in the keystore.
cert_path | Local path to load certificate from. Exactly one of
cert_port | Port to connect to URL. This will be used to create server URL:PORT. Default: 443
cert_url | Basic URL to fetch SSL certificate from. Exactly one of
executable | Path to keytool binary; if not set, PATH is searched for it. Default: "keytool"
keystore_create | Create keystore if it does not exist. Choices: no, yes
keystore_pass | Keystore password.
keystore_path | Path to keystore.
keystore_type | Keystore type (JCEKS, JKS).
pkcs12_alias | Alias in the PKCS12 keystore.
pkcs12_password | Password for importing from PKCS12 keystore. Default: ""
pkcs12_path | Local path to load PKCS12 keystore from. Unlike Exactly one of
state | Defines the action, which can be either certificate import or removal. When state is present, the certificate will always idempotently be inserted into the keystore, even if a different certificate already exists under that alias. Choices: absent, present
trust_cacert | Trust imported cert as CAcert. Choices: no, yes
Examples
- name: Import SSL certificate from google.com to a given cacerts keystore
  community.general.java_cert:
    cert_url: google.com
    cert_port: 443
    keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
    keystore_pass: changeit
    state: present

- name: Remove certificate with given alias from a keystore
  community.general.java_cert:
    cert_url: google.com
    keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
    keystore_pass: changeit
    executable: /usr/lib/jvm/jre7/bin/keytool
    state: absent

- name: Import trusted CA from SSL certificate
  community.general.java_cert:
    cert_path: /opt/certs/rootca.crt
    keystore_path: /tmp/cacerts
    keystore_pass: changeit
    keystore_create: yes
    state: present
    cert_alias: LE_RootCA
    trust_cacert: True

- name: Import SSL certificate from google.com to a keystore, create it if it doesn't exist
  community.general.java_cert:
    cert_url: google.com
    keystore_path: /tmp/cacerts
    keystore_pass: changeit
    keystore_create: yes
    state: present

- name: Import a pkcs12 keystore with a specified alias, create it if it doesn't exist
  community.general.java_cert:
    pkcs12_path: "/tmp/importkeystore.p12"
    cert_alias: default
    keystore_path: /opt/wildfly/standalone/configuration/defaultkeystore.jks
    keystore_pass: changeit
    keystore_create: yes
    state: present

- name: Import SSL certificate to JCEKS keystore
  community.general.java_cert:
    pkcs12_path: "/tmp/importkeystore.p12"
    pkcs12_alias: default
    pkcs12_password: somepass
    cert_alias: default
    keystore_path: /opt/someapp/security/keystore.jceks
    keystore_type: "JCEKS"
    keystore_pass: changeit
    keystore_create: yes
    state: present
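The idempotency rule in the state parameter (an entry under the alias is replaced when it holds a different certificate) comes down to a fingerprint comparison of what keytool already stores against the candidate. The following is an added example, not the module's own code: it parses a constructed keytool -list -rfc listing and decides, per alias, whether an import, a replacement, a removal or nothing is needed. The listing, the DER bytes and the function names are constructed for illustration; the lower-cased alias reflects how keytool stores them.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded certificates: NOT real certificates,
# just arbitrary bytes so the fingerprint comparison can be exercised offline.
ROOTCA_DER = b"constructed-rootca-der-bytes"
OLD_LEAF_DER = b"constructed-old-google-leaf-der-bytes"

def _pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

SEPARATOR = "*" * 43  # asterisk line printed between entries (constructed sample)

# Constructed `keytool -list -rfc` listing with two trusted entries. keytool keeps
# aliases lower-cased, so LE_RootCA from the playbook above appears as le_rootca.
KEYTOOL_LIST_RFC = (
    "Keystore type: JKS\nKeystore provider: SUN\n\nYour keystore contains 2 entries\n\n"
    + "Alias name: le_rootca\nEntry type: trustedCertEntry\n\n" + _pem(ROOTCA_DER)
    + "\n" + SEPARATOR + "\n\n"
    + "Alias name: google.com\nEntry type: trustedCertEntry\n\n" + _pem(OLD_LEAF_DER)
    + "\n" + SEPARATOR + "\n"
)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in keytool's colon-separated upper-case hex form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_keytool_rfc(listing: str) -> dict:
    """Map each alias in a -list -rfc listing to the SHA-256 fingerprint of its cert."""
    entries = {}
    for block in listing.split(SEPARATOR):
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        pem = PEM_RE.search(block)
        if alias and pem:
            der = base64.b64decode("".join(pem.group(1).split()))
            entries[alias.group(1).strip().lower()] = fingerprint(der)
    return entries

def plan_action(listing: str, cert_alias: str, candidate_der: bytes, state: str) -> str:
    """Reconciliation needed for one alias: with state=present the candidate always
    ends up in the keystore, replacing a different cert stored under the same alias."""
    current = parse_keytool_rfc(listing).get(cert_alias.lower())
    if state == "absent":
        return "remove" if current else "noop"
    if current is None:
        return "import"
    return "noop" if current == fingerprint(candidate_der) else "replace"
```

Running plan_action in check mode before the real task is a cheap way to spot trust-store drift: a "replace" for an alias you did not expect to change deserves a look before the keystore is rewritten.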
Return Values
Common return values are documented here; the following are the fields unique to this module:
Description | Returned | Sample
---|---|---
Executed command to get action done. | success | keytool -importcert -noprompt -keystore
Output from stdout of keytool command after execution of given command. | success | Module require existing keystore at keystore_path '/tmp/test/cacerts'
Keytool command execution return value. | success | 0
Authors
Adam Hamsik (@haad)