community.crypto.x509_certificate_info filter – Retrieve information from X.509 certificates in PEM format

Note

This filter plugin is part of the community.crypto collection (version 2.18.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.crypto. You need further requirements to be able to use this filter plugin, see Requirements for details.

To use it in a playbook, specify: community.crypto.x509_certificate_info.

New in community.crypto 2.10.0

Synopsis

Requirements

The below requirements are needed on the local controller node that executes this filter.

Input

This describes the input of the filter, the value before | community.crypto.x509_certificate_info.

Parameter

Comments

Input

string / required

The content of the X.509 certificate in PEM format.

Keyword parameters

This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following example: input | community.crypto.x509_certificate_info(key1=value1, key2=value2, ...)

Parameter

Comments

name_encoding

string

How to encode names (DNS names, URIs, email addresses) in return values.

ignore will use the encoding returned by the backend.

idna will convert all labels of domain names to IDNA encoding. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 encoding fails.

unicode will convert all labels of domain names to Unicode. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 decoding fails.

Note that idna and unicode require the idna Python library to be installed.

Choices:

  • "ignore" ← (default)

  • "idna"

  • "unicode"

See Also

See also

community.crypto.x509_certificate_info

Provide information of OpenSSL X.509 certificates.

community.crypto.to_serial filter plugin

Convert an integer to a colon-separated list of hex numbers.

Examples

- name: Show the Subject Alt Names of the certificate
  ansible.builtin.debug:
    msg: >-
      {{
        (
          lookup('ansible.builtin.file', '/path/to/cert.pem')
          | community.crypto.x509_certificate_info
        ).subject_alt_name | join(', ')
      }}

Return Value

Key

Description

Return value

dictionary

Information on the certificate.

Returned: success

authority_cert_issuer

list / elements=string

The certificate’s authority cert issuer as a list of general names.

Is none if the AuthorityKeyIdentifier extension is not present.

See name_encoding for how IDNs are handled.

Returned: success

Sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]

authority_cert_serial_number

integer

The certificate’s authority cert serial number.

Is none if the AuthorityKeyIdentifier extension is not present.

This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as 11:22:33, you need to convert it to that form with community.crypto.to_serial.

Returned: success

Sample: 12345

authority_key_identifier

string

The certificate’s authority key identifier.

The identifier is returned in hexadecimal, with : used to separate bytes.

Is none if the AuthorityKeyIdentifier extension is not present.

Returned: success

Sample: "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33"

basic_constraints

list / elements=string

Entries in the basic_constraints extension, or none if extension is not present.

Returned: success

Sample: ["CA:TRUE", "pathlen:1"]

basic_constraints_critical

boolean

Whether the basic_constraints extension is critical.

Returned: success

expired

boolean

Whether the certificate is expired (in other words, notAfter is in the past).

Returned: success

extended_key_usage

list / elements=string

Entries in the extended_key_usage extension, or none if extension is not present.

Returned: success

Sample: ["Biometric Info", "DVCS", "Time Stamping"]

extended_key_usage_critical

boolean

Whether the extended_key_usage extension is critical.

Returned: success

extensions_by_oid

dictionary

Returns a dictionary for every extension OID.

Returned: success

Sample: {"1.3.6.1.5.5.7.1.24": {"critical": false, "value": "MAMCAQU="}}

critical

boolean

Whether the extension is critical.

Returned: success

value

string

The Base64 encoded value (in DER format) of the extension.

Note that depending on the cryptography version used, it is not possible to extract the ASN.1 content of the extension, but only to provide the re-encoded content of the extension in case it was parsed by cryptography. This should usually result in exactly the same value, except if the original extension value was malformed.

Returned: success

Sample: "MAMCAQU="

fingerprints

dictionary

Fingerprints of the DER-encoded form of the whole certificate.

For every hash algorithm available, the fingerprint is computed.

Returned: success

Sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."

issuer

dictionary

The certificate’s issuer.

Note that for repeated values, only the last one will be returned.

Returned: success

Sample: {"commonName": "ca.example.com", "organizationName": "Ansible"}

issuer_ordered

list / elements=list

The certificate’s issuer as an ordered list of tuples.

Returned: success

Sample: [["organizationName", "Ansible"], [{"commonName": "ca.example.com"}]]

issuer_uri

string

The Issuer URI, if included in the certificate. Will be none if no issuer URI is included.

Returned: success

key_usage

string

Entries in the key_usage extension, or none if extension is not present.

Returned: success

Sample: "['Key Agreement', 'Data Encipherment']"

key_usage_critical

boolean

Whether the key_usage extension is critical.

Returned: success

not_after

string

notAfter date as ASN.1 TIME.

Returned: success

Sample: "20190413202428Z"

not_before

string

notBefore date as ASN.1 TIME.

Returned: success

Sample: "20190331202428Z"

ocsp_must_staple

boolean

true if the OCSP Must Staple extension is present, none otherwise.

Returned: success

ocsp_must_staple_critical

boolean

Whether the ocsp_must_staple extension is critical.

Returned: success

ocsp_uri

string

The OCSP responder URI, if included in the certificate. Will be none if no OCSP responder URI is included.

Returned: success

public_key

string

Certificate’s public key in PEM format.

Returned: success

Sample: "-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A..."

public_key_data

dictionary

Public key data. Depends on the public key’s type.

Returned: success

curve

string

The curve’s name for ECC.

Returned: When _value.public_key_type=ECC

exponent

integer

The RSA key’s public exponent.

Returned: When _value.public_key_type=RSA

exponent_size

integer

The maximum number of bits of a private key. This is basically the bit size of the subgroup used.

Returned: When _value.public_key_type=ECC

g

integer

The g value for DSA.

This is the element spanning the subgroup of the multiplicative group of the prime field used.

Returned: When _value.public_key_type=DSA

modulus

integer

The RSA key’s modulus.

Returned: When _value.public_key_type=RSA

p

integer

The p value for DSA.

This is the prime modulus upon which arithmetic takes place.

Returned: When _value.public_key_type=DSA

q

integer

The q value for DSA.

This is a prime that divides p - 1, and at the same time the order of the subgroup of the multiplicative group of the prime field used.

Returned: When _value.public_key_type=DSA

size

integer

Bit size of modulus (RSA) or prime number (DSA).

Returned: When _value.public_key_type=RSA or _value.public_key_type=DSA

x

integer

The x coordinate for the public point on the elliptic curve.

Returned: When _value.public_key_type=ECC

y

integer

For _value.public_key_type=ECC, this is the y coordinate for the public point on the elliptic curve.

For _value.public_key_type=DSA, this is the publicly known group element whose discrete logarithm with respect to g is the private key.

Returned: When _value.public_key_type=DSA or _value.public_key_type=ECC

public_key_fingerprints

dictionary

Fingerprints of certificate’s public key.

For every hash algorithm available, the fingerprint is computed.

Returned: success

Sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."

public_key_type

string

The certificate’s public key’s type.

One of RSA, DSA, ECC, Ed25519, X25519, Ed448, or X448.

Will start with unknown if the key type cannot be determined.

Returned: success

Sample: "RSA"

serial_number

integer

The certificate’s serial number.

This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as 11:22:33, you need to convert it to that form with community.crypto.to_serial.

Returned: success

Sample: 1234

signature_algorithm

string

The signature algorithm used to sign the certificate.

Returned: success

Sample: "sha256WithRSAEncryption"

subject

dictionary

The certificate’s subject as a dictionary.

Note that for repeated values, only the last one will be returned.

Returned: success

Sample: {"commonName": "www.example.com", "emailAddress": "test@example.com"}

subject_alt_name

list / elements=string

Entries in the subject_alt_name extension, or none if extension is not present.

See name_encoding for how IDNs are handled.

Returned: success

Sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]

subject_alt_name_critical

boolean

Whether the subject_alt_name extension is critical.

Returned: success

subject_key_identifier

string

The certificate’s subject key identifier.

The identifier is returned in hexadecimal, with : used to separate bytes.

Is none if the SubjectKeyIdentifier extension is not present.

Returned: success

Sample: "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33"

subject_ordered

list / elements=list

The certificate’s subject as an ordered list of tuples.

Returned: success

Sample: [["commonName", "www.example.com"], [{"emailAddress": "test@example.com"}]]

version

integer

The certificate version.

Returned: success

Sample: 3

Authors

  • Felix Fontein (@felixfontein)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.