community.crypto.x509_crl module – Generate Certificate Revocation Lists (CRLs)
Note
This module is part of the community.crypto collection (version 2.22.3).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.crypto
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.crypto.x509_crl
.
New in community.crypto 1.0.0
Synopsis
This module allows one to (re)generate or update Certificate Revocation Lists (CRLs).
Certificates on the revocation list can be either specified by serial number and (optionally) their issuer, or as a path to a certificate file in PEM format.
Requirements
The below requirements are needed on the host that executes this module.
If
name_encoding
is set to another value thanignore
, the idna Python library needs to be installed.cryptography >= 1.2
Parameters
Parameter |
Comments |
---|---|
The attributes the resulting filesystem object should have. To get supported flags look at the man page for chattr on the target system. This string should contain the attributes in the same order as the one displayed by lsattr. The |
|
Create a backup file including a timestamp so you can get the original CRL back if you overwrote it with a new one by accident. Choices:
|
|
Defines how to process entries of existing CRLs. If set to If set to The default value is This parameter was called Choices:
|
|
Digest algorithm to be used when signing the CRL. Default: |
|
Should the CRL be forced to be regenerated. Choices:
|
|
Whether the CRL file should be in PEM or DER format. If an existing CRL file does match everything but Choices:
|
|
Name of the group that should own the filesystem object, as would be fed to chown. When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. |
|
Whether the timestamps Use this in combination with relative timestamps for these values to get idempotency. Choices:
|
|
Key/value pairs that will be present in the issuer name field of the CRL. If you need to specify more than one value with the same key, use a list as value. If the order of the components is important, use One of Mutually exclusive with |
|
A list of dictionaries, where every dictionary must contain one key/value pair. This key/value pair will be present in the issuer name field of the CRL. If you want to specify more than one value with the same key in a row, you can use a list as value. One of Mutually exclusive with |
|
The point in time from which this CRL can be trusted. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid format is Note that if using relative time this module is NOT idempotent, except when Default: |
|
How to encode names (DNS names, URIs, email addresses) in return values.
Note that Choices:
|
|
The absolute latest point in time by which this Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid format is Note that if using relative time this module is NOT idempotent, except when Required if |
|
Name of the user that should own the filesystem object, as would be fed to chown. When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. |
|
Remote absolute path where the generated CRL file should be created or is already located. |
|
The content of the CA’s private key to use when signing the CRL. Either |
|
The passphrase for the This is required if the private key is password protected. |
|
Path to the CA’s private key to use when signing the CRL. Either |
|
If set to Choices:
|
|
List of certificates to be revoked. Required if |
|
Content of a certificate in PEM format. The serial number and issuer will be extracted from the certificate. Mutually exclusive with |
|
The point in time it was known/suspected that the private key was compromised or that the certificate otherwise became invalid. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid format is Note that if using relative time this module is NOT idempotent. This will NOT change when |
|
Whether the invalidity date extension should be critical. Choices:
|
|
The certificate’s issuer. Example: |
|
Whether the certificate issuer extension should be critical. Choices:
|
|
Path to a certificate in PEM format. The serial number and issuer will be extracted from the certificate. Mutually exclusive with |
|
The value for the revocation reason extension. Choices:
|
|
Whether the revocation reason extension should be critical. Choices:
|
|
The point in time the certificate was revoked. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid format is Note that if using relative time this module is NOT idempotent, except when Default: |
|
Serial number of the certificate. Mutually exclusive with This option accepts integers or hex octet strings, depending on the value of If If You can use the filters community.crypto.parse_serial and community.crypto.to_serial to convert these two representations. |
|
The level part of the SELinux filesystem object context. This is the MLS/MCS attribute, sometimes known as the When set to |
|
This option determines which values will be accepted for If set to If set to Choices:
|
|
The role part of the SELinux filesystem object context. When set to |
|
The type part of the SELinux filesystem object context. When set to |
|
The user part of the SELinux filesystem object context. By default it uses the When set to |
|
Whether the CRL file should exist or not, taking action if the state is different from what is stated. Choices:
|
|
Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. Choices:
|
Attributes
Attribute |
Support |
Description |
---|---|---|
Support: full |
Can run in |
|
Support: full |
Will return details on what has changed (or possibly needs changing in |
|
Support: full |
Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. |
Notes
Note
All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
Date specified should be UTC. Minutes and seconds are mandatory.
See Also
See also
- community.crypto.parse_serial filter plugin
Convert a serial number as a colon-separated list of hex numbers to an integer.
- community.crypto.to_serial filter plugin
Convert an integer to a colon-separated list of hex numbers.
Examples
- name: Generate a CRL
community.crypto.x509_crl:
path: /etc/ssl/my-ca.crl
privatekey_path: /etc/ssl/private/my-ca.pem
issuer:
CN: My CA
last_update: "+0s"
next_update: "+7d"
revoked_certificates:
- serial_number: 1234
revocation_date: 20190331202428Z
issuer:
CN: My CA
- serial_number: 2345
revocation_date: 20191013152910Z
reason: affiliation_changed
invalidity_date: 20191001000000Z
- path: /etc/ssl/crt/revoked-cert.pem
revocation_date: 20191010010203Z
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Name of backup file created. Returned: changed and if Sample: |
|
The (current or generated) CRL’s content. Will be the CRL itself if Returned: if |
|
The signature algorithm used to sign the CRL. Returned: success Sample: |
|
Path to the generated CRL. Returned: changed or success Sample: |
|
Whether the CRL is in PEM format ( Returned: success Can only return:
Sample: |
|
The CRL’s issuer. Note that for repeated values, only the last one will be returned. See Returned: success Sample: |
|
The CRL’s issuer as an ordered list of tuples. Returned: success Sample: |
|
The point in time from which this CRL can be trusted as ASN.1 TIME. Returned: success Sample: |
|
The point in time from which a new CRL will be issued and the client has to check for it as ASN.1 TIME. Returned: success Sample: |
|
Path to the private CA key. Returned: changed or success Sample: |
|
List of certificates to be revoked. Returned: success |
|
The point in time it was known/suspected that the private key was compromised or that the certificate otherwise became invalid as ASN.1 TIME. Returned: success Sample: |
|
Whether the invalidity date extension is critical. Returned: success Sample: |
|
The certificate’s issuer. See Returned: success Sample: |
|
Whether the certificate issuer extension is critical. Returned: success Sample: |
|
The value for the revocation reason extension. Returned: success Can only return:
Sample: |
|
Whether the revocation reason extension is critical. Returned: success Sample: |
|
The point in time the certificate was revoked as ASN.1 TIME. Returned: success Sample: |
|
Serial number of the certificate. This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success Sample: |