fortinet.fortios.fortios_vpn_certificate_setting – VPN certificate setting in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_vpn_certificate_setting.

New in version 2.10: of fortinet.fortios

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_certificate feature and setting category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

Parameter

Comments

access_token

string

Token-based authentication. Generated from GUI of Fortigate.

enable_log

boolean

Enable/Disable logging for task.

Choices:

  • no ← (default)

  • yes

member_path

string

Member attribute path to operate on.

Delimited by a slash character if there are more than one attribute.

Parameter marked with member_path is legitimate for doing member operation.

member_state

string

Add or delete a member under specified attribute path.

When member_state is specified, the state option is ignored.

Choices:

  • present

  • absent

vdom

string

Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Default: “root”

vpn_certificate_setting

dictionary

VPN certificate setting.

certname_dsa1024

string

1024 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.

certname_dsa2048

string

2048 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.

certname_ecdsa256

string

256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.

certname_ecdsa384

string

384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.

certname_ecdsa521

string

521 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.

certname_ed25519

string

253 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.

certname_ed448

string

456 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.

certname_rsa1024

string

1024 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.

certname_rsa2048

string

2048 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.

certname_rsa4096

string

4096 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.

check_ca_cert

string

Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted .

Choices:

  • enable

  • disable

check_ca_chain

string

Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted .

Choices:

  • enable

  • disable

cmp_key_usage_checking

string

Enable/disable server certificate key usage checking in CMP mode .

Choices:

  • enable

  • disable

cmp_save_extra_certs

string

Enable/disable saving extra certificates in CMP mode.

Choices:

  • enable

  • disable

cn_allow_multi

string

When searching for a matching certificate, allow mutliple CN fields in certificate subject name .

Choices:

  • disable

  • enable

cn_match

string

When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name.

Choices:

  • substring

  • value

crl_verification

dictionary

CRL verification options.

chain_crl_absence

string

CRL verification option when CRL of any certificate in chain is absent .

Choices:

  • ignore

  • revoke

expiry

string

CRL verification option when CRL is expired .

Choices:

  • ignore

  • revoke

leaf_crl_absence

string

CRL verification option when leaf CRL is absent .

Choices:

  • ignore

  • revoke

interface

string

Specify outgoing interface to reach server. Source system.interface.name.

interface_select_method

string

Specify how to select outgoing interface to reach server.

Choices:

  • auto

  • sdwan

  • specify

ocsp_default_server

string

Default OCSP server. Source vpn.certificate.ocsp-server.name.

ocsp_option

string

Specify whether the OCSP URL is from certificate or configured OCSP server.

Choices:

  • certificate

  • server

ocsp_status

string

Enable/disable receiving certificates using the OCSP.

Choices:

  • enable

  • disable

ssl_min_proto_version

string

Minimum supported protocol version for SSL/TLS connections .

Choices:

  • default

  • SSLv3

  • TLSv1

  • TLSv1-1

  • TLSv1-2

ssl_ocsp_option

string

Specify whether the OCSP URL is from the certificate or the default OCSP server.

Choices:

  • certificate

  • server

ssl_ocsp_source_ip

string

Source IP address to use to communicate with the OCSP server.

ssl_ocsp_status

string

Enable/disable SSL OCSP.

Choices:

  • enable

  • disable

strict_crl_check

string

Enable/disable strict mode CRL checking.

Choices:

  • enable

  • disable

strict_ocsp_check

string

Enable/disable strict mode OCSP checking.

Choices:

  • enable

  • disable

subject_match

string

When searching for a matching certificate, control how to find matches in the certificate subject name.

Choices:

  • substring

  • value

subject_set

string

When searching for a matching certificate, control how to do RDN set matching with certificate subject name .

Choices:

  • subset

  • superset

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- collections:
  - fortinet.fortios
  connection: httpapi
  hosts: fortigate01
  vars:
    ansible_httpapi_port: 443
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    vdom: root
  tasks:
  - name: fortios_vpn_certificate_setting
    fortios_vpn_certificate_setting:
      vdom: root
      vpn_certificate_setting:
        certname_dsa1024: Fortinet_SSL_DSA1024
        certname_dsa2048: Fortinet_SSL_DSA2048
        certname_ecdsa256: Fortinet_SSL_ECDSA256
        certname_ecdsa384: Fortinet_SSL_ECDSA384
        certname_ecdsa521: Fortinet_SSL_ECDSA521
        certname_ed25519: Fortinet_SSL_ED25519
        certname_ed448: Fortinet_SSL_ED448
        certname_rsa1024: Fortinet_SSL_RSA1024
        certname_rsa2048: Fortinet_SSL_RSA2048
        certname_rsa4096: Fortinet_SSL_RSA4096
        check_ca_cert: enable
        check_ca_chain: disable
        cmp_key_usage_checking: enable
        cmp_save_extra_certs: disable
        cn_match: substring
        interface_select_method: auto
        ocsp_option: server
        ocsp_status: disable
        ssl_min_proto_version: default
        ssl_ocsp_source_ip: 0.0.0.0
        strict_crl_check: disable
        strict_ocsp_check: disable
        subject_match: substring

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

build

string

Build number of the fortigate image

Returned: always

Sample: “1547”

http_method

string

Last method used to provision the content into FortiGate

Returned: always

Sample: “PUT”

http_status

string

Last result given by FortiGate on last operation applied

Returned: always

Sample: “200”

mkey

string

Master key (id) used in the last call to FortiGate

Returned: success

Sample: “id”

name

string

Name of the table used to fulfill the request

Returned: always

Sample: “urlfilter”

path

string

Path of the table used to fulfill the request

Returned: always

Sample: “webfilter”

revision

string

Internal revision number

Returned: always

Sample: “17.0.2.10658”

serial

string

Serial number of the unit

Returned: always

Sample: “FGVMEVYYQT3AB5352”

status

string

Indication of the operation’s result

Returned: always

Sample: “success”

vdom

string

Virtual domain used

Returned: always

Sample: “root”

version

string

Version of the FortiGate

Returned: always

Sample: “v5.6.3”

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)