community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates
Note
This module is part of the community.crypto collection (version 2.22.1).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.crypto
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.crypto.x509_certificate_info
.
Synopsis
This module allows one to query information on OpenSSL certificates.
It uses the cryptography python library to interact with OpenSSL.
Note that this module was called
openssl_certificate_info
when included directly in Ansible up to version 2.9. When moved to the collectioncommunity.crypto
, it was renamed to community.crypto.x509_certificate_info. From Ansible 2.10 on, it can still be used by the old short name (or byansible.builtin.openssl_certificate_info
), which redirects to community.crypto.x509_certificate_info. When using FQCNs or when using the collections keyword, the new name community.crypto.x509_certificate_info should be used to avoid a deprecation warning.
Requirements
The below requirements are needed on the host that executes this module.
If
name_encoding
is set to another value thanignore
, the idna Python library needs to be installed.cryptography >= 1.6
Parameters
Parameter |
Comments |
---|---|
How to encode names (DNS names, URIs, email addresses) in return values.
Note that Choices:
|
|
Determines which crypto backend to use. The default choice is If set to Choices:
|
|
A dict of names mapping to time specifications. Every time specified here will be checked whether the certificate is valid at this point. See the Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid format is |
Attributes
Attribute |
Support |
Description |
---|---|---|
Support: full This action does not modify state. |
Can run in |
|
Support: N/A This action does not modify state. |
Will return details on what has changed (or possibly needs changing in |
Notes
Note
All timestamp values are provided in ASN.1 TIME format, in other words, following the
YYYYMMDDHHMMSSZ
pattern. They are all in UTC.
See Also
See also
- community.crypto.x509_certificate
Generate and/or check OpenSSL certificates.
- community.crypto.x509_certificate_pipe
Generate and/or check OpenSSL certificates.
- community.crypto.x509_certificate_info filter plugin
A filter variant of this module.
- community.crypto.to_serial filter plugin
Convert an integer to a colon-separated list of hex numbers.
Examples
- name: Generate a Self Signed OpenSSL certificate
community.crypto.x509_certificate:
path: /etc/ssl/crt/ansible.com.crt
privatekey_path: /etc/ssl/private/ansible.com.pem
csr_path: /etc/ssl/csr/ansible.com.csr
provider: selfsigned
# Get information on the certificate
- name: Get information on generated certificate
community.crypto.x509_certificate_info:
path: /etc/ssl/crt/ansible.com.crt
register: result
- name: Dump information
ansible.builtin.debug:
var: result
# Check whether the certificate is valid or not valid at certain times, fail
# if this is not the case. The first task (x509_certificate_info) collects
# the information, and the second task (assert) validates the result and
# makes the playbook fail in case something is not as expected.
- name: Test whether that certificate is valid tomorrow and/or in three weeks
community.crypto.x509_certificate_info:
path: /etc/ssl/crt/ansible.com.crt
valid_at:
point_1: "+1d"
point_2: "+3w"
register: result
- name: Validate that certificate is valid tomorrow, but not in three weeks
ansible.builtin.assert:
that:
- result.valid_at.point_1 # valid in one day
- not result.valid_at.point_2 # not valid in three weeks
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The certificate’s authority cert issuer as a list of general names. Is See Returned: success Sample: |
|
The certificate’s authority cert serial number. Is This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success Sample: |
|
The certificate’s authority key identifier. The identifier is returned in hexadecimal, with Is Returned: success Sample: |
|
Entries in the Returned: success Sample: |
|
Whether the Returned: success |
|
Whether the certificate is expired (in other words, Returned: success |
|
Entries in the Returned: success Sample: |
|
Whether the Returned: success |
|
Returns a dictionary for every extension OID. Returned: success Sample: |
|
Whether the extension is critical. Returned: success |
|
The Base64 encoded value (in DER format) of the extension. Note that depending on the Returned: success Sample: |
|
Fingerprints of the DER-encoded form of the whole certificate. For every hash algorithm available, the fingerprint is computed. Returned: success Sample: |
|
The certificate’s issuer. Note that for repeated values, only the last one will be returned. Returned: success Sample: |
|
The certificate’s issuer as an ordered list of tuples. Returned: success Sample: |
|
The Issuer URI, if included in the certificate. Will be Returned: success |
|
Entries in the Returned: success Sample: |
|
Whether the Returned: success |
|
Returned: success Sample: |
|
Returned: success Sample: |
|
Returned: success |
|
Whether the Returned: success |
|
The OCSP responder URI, if included in the certificate. Will be Returned: success |
|
Certificate’s public key in PEM format. Returned: success Sample: |
|
Public key data. Depends on the public key’s type. Returned: success |
|
The curve’s name for ECC. Returned: When |
|
The RSA key’s public exponent. Returned: When |
|
The maximum number of bits of a private key. This is basically the bit size of the subgroup used. Returned: When |
|
The This is the element spanning the subgroup of the multiplicative group of the prime field used. Returned: When |
|
The RSA key’s modulus. Returned: When |
|
The This is the prime modulus upon which arithmetic takes place. Returned: When |
|
The This is a prime that divides Returned: When |
|
Bit size of modulus (RSA) or prime number (DSA). Returned: When |
|
The Returned: When |
|
For For Returned: When |
|
Fingerprints of certificate’s public key. For every hash algorithm available, the fingerprint is computed. Returned: success Sample: |
|
The certificate’s public key’s type. One of Will start with Returned: success Sample: |
|
The certificate’s serial number. This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success Sample: |
|
The signature algorithm used to sign the certificate. Returned: success Sample: |
|
The certificate’s subject as a dictionary. Note that for repeated values, only the last one will be returned. Returned: success Sample: |
|
Entries in the See Returned: success Sample: |
|
Whether the Returned: success |
|
The certificate’s subject key identifier. The identifier is returned in hexadecimal, with Is Returned: success Sample: |
|
The certificate’s subject as an ordered list of tuples. Returned: success Sample: |
|
For every time stamp provided in the Returned: success |
|
The certificate version. Returned: success Sample: |