community.general.java_cert module – Uses keytool to import/remove certificate to/from java keystore (cacerts)
Note
This module is part of the community.general collection (version 8.6.7).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.general
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.general.java_cert
.
Synopsis
This is a wrapper module around keytool, which can be used to import certificates and optionally private keys to a given java keystore, or remove them from it.
Aliases: system.java_cert
Requirements
The below requirements are needed on the host that executes this module.
openssl
keytool
Parameters
Parameter |
Comments |
---|---|
The attributes the resulting filesystem object should have. To get supported flags look at the man page for chattr on the target system. This string should contain the attributes in the same order as the one displayed by lsattr. The |
|
Imported certificate alias. The alias is used when checking for the presence of a certificate in the keystore. |
|
Content of the certificate used to create the keystore. Exactly one of |
|
Local path to load certificate from. Exactly one of |
|
Port to connect to URL. This will be used to create server URL:PORT. Default: |
|
Basic URL to fetch SSL certificate from. Exactly one of |
|
Path to keytool binary if not used we search in PATH for it. Default: |
|
Name of the group that should own the filesystem object, as would be fed to chown. When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. |
|
Create keystore if it does not exist. Choices:
|
|
Keystore password. |
|
Path to keystore. |
|
Keystore type (JCEKS, JKS). |
|
The permissions the resulting filesystem object should have. For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results. As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
|
Name of the user that should own the filesystem object, as would be fed to chown. When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. |
|
Alias in the PKCS12 keystore. |
|
Password for importing from PKCS12 keystore. |
|
Local path to load PKCS12 keystore from. Unlike Exactly one of |
|
The level part of the SELinux filesystem object context. This is the MLS/MCS attribute, sometimes known as the When set to |
|
The role part of the SELinux filesystem object context. When set to |
|
The type part of the SELinux filesystem object context. When set to |
|
The user part of the SELinux filesystem object context. By default it uses the When set to |
|
Defines action which can be either certificate import or removal. When state is present, the certificate will always idempotently be inserted into the keystore, even if there already exists a cert alias that is different. Choices:
|
|
Trust imported cert as CAcert. Choices:
|
|
Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. Choices:
|
Attributes
Attribute |
Support |
Description |
---|---|---|
Support: full |
Can run in |
|
Support: full |
Will return details on what has changed (or possibly needs changing in |
Examples
- name: Import SSL certificate from google.com to a given cacerts keystore
community.general.java_cert:
cert_url: google.com
cert_port: 443
keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
keystore_pass: changeit
state: present
- name: Remove certificate with given alias from a keystore
community.general.java_cert:
cert_url: google.com
keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
keystore_pass: changeit
executable: /usr/lib/jvm/jre7/bin/keytool
state: absent
- name: Import trusted CA from SSL certificate
community.general.java_cert:
cert_path: /opt/certs/rootca.crt
keystore_path: /tmp/cacerts
keystore_pass: changeit
keystore_create: true
state: present
cert_alias: LE_RootCA
trust_cacert: true
- name: Import trusted CA from the SSL certificate stored in the cert_content variable
community.general.java_cert:
cert_content: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
keystore_path: /tmp/cacerts
keystore_pass: changeit
keystore_create: true
state: present
cert_alias: LE_RootCA
trust_cacert: true
- name: Import SSL certificate from google.com to a keystore, create it if it doesn't exist
community.general.java_cert:
cert_url: google.com
keystore_path: /tmp/cacerts
keystore_pass: changeit
keystore_create: true
state: present
- name: Import a pkcs12 keystore with a specified alias, create it if it doesn't exist
community.general.java_cert:
pkcs12_path: "/tmp/importkeystore.p12"
cert_alias: default
keystore_path: /opt/wildfly/standalone/configuration/defaultkeystore.jks
keystore_pass: changeit
keystore_create: true
state: present
- name: Import SSL certificate to JCEKS keystore
community.general.java_cert:
pkcs12_path: "/tmp/importkeystore.p12"
pkcs12_alias: default
pkcs12_password: somepass
cert_alias: default
keystore_path: /opt/someapp/security/keystore.jceks
keystore_type: "JCEKS"
keystore_pass: changeit
keystore_create: true
state: present
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Executed command to get action done. Returned: success Sample: |
|
Output from stdout of keytool command after execution of given command. Returned: success Sample: |
|
Keytool command execution return value. Returned: success Sample: |