win_certificate_info – Get information on certificates from a Windows Certificate Store

Synopsis

  • Returns information about certificates in a Windows Certificate Store.

Parameters

Parameter Choices/Defaults Comments
store_location
string
    Choices:
  • CurrentUser
  • LocalMachine ← (default)
The location of the store to search.
store_name
string
Default:
"My"
The name of the store to search.
thumbprint
string
The thumbprint as a hex string of a certificate to find.
When specified, filters the certificates return value to a single certificate.
See the examples for how to format the thumbprint.

See Also

win_certificate_store – Manages the certificate store
The official documentation on the win_certificate_store module.

Examples

- name: Obtain information about a particular certificate in the computer's personal store
  win_certificate_info:
    thumbprint: BD7AF104CF1872BDB518D95C9534EA941665FD27
  register: mycert

# thumbprint can also be lower case
- name: Obtain information about a particular certificate in the computer's personal store
  win_certificate_info:
    thumbprint: bd7af104cf1872bdb518d95c9534ea941665fd27
  register: mycert

- name: Obtain information about all certificates in the root store
  win_certificate_info:
    store_name: Root
  register: ca

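# Import a pfx and then get information on the certificates
# (the literal password below is for illustration; in a real play, supply it from a vaulted variable)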
- name: Import pfx certificate that is password protected
  win_certificate_store:
    path: C:\Temp\cert.pfx
    state: present
    password: VeryStrongPasswordHere!
  become: yes
  become_method: runas
  register: mycert

- name: Obtain information on each certificate that was touched
  win_certificate_info:
    thumbprint: "{{ item }}"
  register: mycert_stats
  loop: "{{ mycert.thumbprints }}"

Return Values

Common return values are documented here; the following fields are unique to this module:

Key Returned Description
certificates
list / elements=dictionary
Returned: success
A list of information about certificates found in the store, sorted by thumbprint.

 
archived
boolean
Indicates that the certificate is archived.

 
cert_data
string
The base64 encoded data of the entire certificate.

 
dns_names
list / elements=string
Lists the registered DNS names for the certificate.

Sample:
['*.m.wikiquote.org', '*.wikipedia.org']
 
extensions
list / elements=dictionary
The collection of the certificate's extensions.

Sample:
[{'critical': False, 'field': 'Subject Key Identifier', 'value': '88 27 17 09 a9 b6 18 60 8b ec eb ba f6 47 59 c5 52 54 a3 b7'}, {'critical': True, 'field': 'Basic Constraints', 'value': 'Subject Type=CA, Path Length Constraint=None'}, {'critical': False, 'field': 'Authority Key Identifier', 'value': 'KeyID=2b d0 69 47 94 76 09 fe f4 6b 8d 2e 40 a6 f7 47 4d 7f 08 5e'}, {'critical': False, 'field': 'CRL Distribution Points', 'value': '[1]CRL Distribution Point: Distribution Point Name:Full Name:URL=http://crl.apple.com/root.crl'}, {'critical': True, 'field': 'Key Usage', 'value': 'Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)'}, {'critical': False, 'field': None, 'value': '05 00'}]
 
friendly_name
string
The associated alias for the certificate.

Sample:
Microsoft Root Authority
 
has_private_key
boolean
Indicates that the certificate contains a private key.

 
intended_purposes
list
Returned: enhanced key usages extension exists.
Lists the intended applications for the certificate.

Sample:
['Server Authentication']
 
is_ca
boolean
Returned: basic constraints extension exists.
Indicates that the certificate is a certificate authority (CA) certificate.

Sample:
True
 
issued_by
string
The certificate issuer's common name.

Sample:
Apple Root CA
 
issued_to
string
The certificate's common name.

Sample:
Apple Worldwide Developer Relations Certification Authority
 
issuer
string
The certificate issuer's distinguished name.

Sample:
CN=Apple Root CA, OU=Apple Certification Authority, O=Apple Inc., C=US
 
key_usages
list / elements=string
Returned: key usages extension exists.
Defines how the certificate key can be used.
If this value is not defined, the key can be used for any purpose.

Sample:
['CrlSign', 'KeyCertSign', 'DigitalSignature']
 
path_length_constraint
integer
Returned: basic constraints extension exists.
The number of levels allowed in a certificate's path.
If this value is 0, the certificate does not have a restriction.

 
public_key
string
The base64 encoded public key of the certificate.

 
serial_number
string
The serial number of the certificate represented as a hexadecimal string.

Sample:
01DEBCC4396DA010
 
signature_algorithm
string
The algorithm used to create the certificate's signature.

Sample:
sha1RSA
 
ski
string
Returned: subject key identifier extension exists.
The certificate's subject key identifier.

Sample:
88271709A9B618608BECEBBAF64759C55254A3B7
 
subject
string
The certificate's distinguished name.

Sample:
CN=Apple Worldwide Developer Relations Certification Authority, OU=Apple Worldwide Developer Relations, O=Apple Inc., C=US
 
thumbprint
string
The thumbprint as a hex string of the certificate.
The return format will always be upper case.

Sample:
FF6797793A3CD798DC5B2ABEF56F73EDC9F83A64
 
valid_from
float
The start date of the certificate represented in seconds since epoch.

Sample:
1360255727
 
valid_from_iso8601
string
The start date of the certificate represented as an ISO 8601 formatted date.

Sample:
2017-12-15T08:39:32Z
 
valid_to
float
The expiry date of the certificate represented in seconds since epoch.

Sample:
1675788527
 
valid_to_iso8601
string
The expiry date of the certificate represented as an ISO 8601 formatted date.

Sample:
2086-01-02T08:39:32Z
 
version
integer
The X.509 format version of the certificate.

Sample:
3
exists
boolean
Returned: success
Whether any certificates were found in the store.
When thumbprint is specified, returns true only if the certificate matching the thumbprint exists.

Sample:
True
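
The return fields above can drive a certificate audit. The play below is an added example, not part of the module's own documentation: it flags certificates in LocalMachine\My that expire soon or carry a SHA-1 signature. The `windows` host group, the `warn_days` threshold and the registered variable names are assumptions.

```yaml
# Added example: audit LocalMachine\My using the fields documented above.
# The "windows" group, warn_days and the variable names are assumptions.
- name: Audit the computer's personal certificate store
  hosts: windows
  gather_facts: no
  vars:
    warn_days: 30
  tasks:
    - name: Collect every certificate in LocalMachine\My
      win_certificate_info:
        store_location: LocalMachine
        store_name: My
      register: my_store

    # valid_to is seconds since epoch, so compare it with an epoch cutoff
    - name: Compute the expiry cutoff on the controller
      set_fact:
        expiry_cutoff: "{{ (now().timestamp() | int) + (warn_days | int) * 86400 }}"

    - name: Pick out certificates that need attention
      set_fact:
        # certificates this host holds a private key for that expire before the cutoff
        expiring: >-
          {{ my_store.certificates
             | selectattr('has_private_key')
             | selectattr('valid_to', 'lt', expiry_cutoff | int)
             | list }}
        # signature_algorithm reads like "sha1RSA" for SHA-1 signed certificates
        sha1_signed: >-
          {{ my_store.certificates
             | selectattr('signature_algorithm', 'match', 'sha1')
             | list }}

    - name: Fail the play when either list is non-empty
      assert:
        that:
          - expiring | length == 0
          - sha1_signed | length == 0
        fail_msg: >-
          Expiring within {{ warn_days }} days:
          {{ expiring | map(attribute='thumbprint') | list }}.
          SHA-1 signed:
          {{ sha1_signed | map(attribute='thumbprint') | list }}.
```

Thumbprints in the failure message are upper case, as the module always returns them, so they can be passed straight back to the thumbprint parameter for a follow-up lookup.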


Status

Authors

  • Micah Hunsberger (@mhunsber)
