You are reading an unmaintained version of the Ansible documentation. Unmaintained Ansible versions can contain unfixed security vulnerabilities (CVE). Please upgrade to a maintained version. See the latest Ansible documentation.

How to create self-signed certificates

The community.crypto collection offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create self-signed certificates.

For creating any kind of certificate, you always have to start with a private key. You can use the community.crypto.openssl_privatekey module to create a private key. If you only specify path, the default parameters will be used. This will result in a 4096 bit RSA private key:

- name: Create private key (RSA, 4096 bits)
  community.crypto.openssl_privatekey:
    path: /path/to/certificate.key

You can specify type to select another key type, size to select a different key size (only available for RSA and DSA keys), or passphrase if you want to store the key password-protected:

- name: Create private key (X25519) with password protection
  community.crypto.openssl_privatekey:
    path: /path/to/certificate.key
    type: X25519
    passphrase: changeme

To create a very simple self-signed certificate with no specific information, you can proceed directly with the community.crypto.x509_certificate module:

- name: Create simple self-signed certificate
  community.crypto.x509_certificate:
    path: /path/to/certificate.pem
    privatekey_path: /path/to/certificate.key
    provider: selfsigned

(If you used passphrase for the private key, you have to provide privatekey_passphrase.)

You can use selfsigned_not_after to define when the certificate expires (default: in roughly 10 years), and selfsigned_not_before to define from when the certificate is valid (default: now).

To define further properties of the certificate, like the subject, Subject Alternative Names (SANs), key usages, name constraints, etc., you need to first create a Certificate Signing Request (CSR) and provide it to the community.crypto.x509_certificate module. If you do not need the CSR file, you can use the community.crypto.openssl_csr_pipe module as in the example below. (To store it to disk, use the community.crypto.openssl_csr module instead.)

- name: Create certificate signing request (CSR) for self-signed certificate
  community.crypto.openssl_csr_pipe:
    privatekey_path: /path/to/certificate.key
    common_name: ansible.com
    organization_name: Ansible, Inc.
    subject_alt_name:
      - "DNS:ansible.com"
      - "DNS:www.ansible.com"
      - "DNS:docs.ansible.com"
  register: csr

- name: Create self-signed certificate from CSR
  community.crypto.x509_certificate:
    path: /path/to/certificate.pem
    csr_content: "{{ csr.csr }}"
    privatekey_path: /path/to/certificate.key
    provider: selfsigned