community.crypto.x509_crl_info filter – Retrieve information from X.509 CRLs in PEM format

Note

This filter plugin is part of the community.crypto collection (version 2.22.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.crypto. You need further requirements to be able to use this filter plugin, see Requirements for details.

To use it in a playbook, specify: community.crypto.x509_crl_info.

New in community.crypto 2.10.0

Synopsis

Requirements

The below requirements are needed on the local controller node that executes this filter.

Input

This describes the input of the filter, the value before | community.crypto.x509_crl_info.

Parameter

Comments

Input

string / required

The content of the X.509 CRL in PEM format.

Keyword parameters

This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following example: input | community.crypto.x509_crl_info(key1=value1, key2=value2, ...)

Parameter

Comments

list_revoked_certificates

boolean

added in community.crypto 1.7.0

If set to false, the list of revoked certificates is not included in the result.

This is useful when retrieving information on large CRL files. Enumerating all revoked certificates can take some time, including serializing the result as JSON, sending it to the Ansible controller, and decoding it again.

Choices:

  • false

  • true ← (default)

name_encoding

string

How to encode names (DNS names, URIs, email addresses) in return values.

ignore will use the encoding returned by the backend.

idna will convert all labels of domain names to IDNA encoding. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 encoding fails.

unicode will convert all labels of domain names to Unicode. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 decoding fails.

Note that idna and unicode require the idna Python library to be installed.

Choices:

  • "ignore" ← (default)

  • "idna"

  • "unicode"

See Also

See also

community.crypto.x509_crl_info

Retrieve information on Certificate Revocation Lists (CRLs).

community.crypto.to_serial filter plugin

Convert an integer to a colon-separated list of hex numbers.

Examples

- name: Show the Organization Name of the CRL's subject
  ansible.builtin.debug:
    msg: >-
      {{
        (
          lookup('ansible.builtin.file', '/path/to/cert.pem')
          | community.crypto.x509_crl_info
        ).issuer.organizationName
      }}

Return Value

Key

Description

Return value

dictionary

Information on the CRL.

Returned: success

digest

string

The signature algorithm used to sign the CRL.

Returned: success

Sample: "sha256WithRSAEncryption"

format

string

Whether the CRL is in PEM format (pem) or in DER format (der).

Returned: success

Can only return:

  • "pem"

  • "der"

Sample: "pem"

issuer

dictionary

The CRL’s issuer.

Note that for repeated values, only the last one will be returned.

See name_encoding for how IDNs are handled.

Returned: success

Sample: {"commonName": "ca.example.com", "organizationName": "Ansible"}

issuer_ordered

list / elements=list

The CRL’s issuer as an ordered list of tuples.

Returned: success

Sample: [["organizationName", "Ansible"], [{"commonName": "ca.example.com"}]]

last_update

string

The point in time from which this CRL can be trusted as ASN.1 TIME.

Returned: success

Sample: "20190413202428Z"

next_update

string

The point in time from which a new CRL will be issued and the client has to check for it as ASN.1 TIME.

Returned: success

Sample: "20190413202428Z"

revoked_certificates

list / elements=dictionary

List of certificates to be revoked.

Returned: success if list_revoked_certificates=true

invalidity_date

string

The point in time it was known/suspected that the private key was compromised or that the certificate otherwise became invalid as ASN.1 TIME.

Returned: success

Sample: "20190413202428Z"

invalidity_date_critical

boolean

Whether the invalidity date extension is critical.

Returned: success

Sample: false

issuer

list / elements=string

The certificate’s issuer.

See name_encoding for how IDNs are handled.

Returned: success

Sample: ["DNS:ca.example.org"]

issuer_critical

boolean

Whether the certificate issuer extension is critical.

Returned: success

Sample: false

reason

string

The value for the revocation reason extension.

Returned: success

Can only return:

  • "unspecified"

  • "key_compromise"

  • "ca_compromise"

  • "affiliation_changed"

  • "superseded"

  • "cessation_of_operation"

  • "certificate_hold"

  • "privilege_withdrawn"

  • "aa_compromise"

  • "remove_from_crl"

Sample: "key_compromise"

reason_critical

boolean

Whether the revocation reason extension is critical.

Returned: success

Sample: false

revocation_date

string

The point in time the certificate was revoked as ASN.1 TIME.

Returned: success

Sample: "20190413202428Z"

serial_number

integer

Serial number of the certificate.

This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as 11:22:33, you need to convert it to that form with community.crypto.to_serial.

Returned: success

Sample: 1234

Authors

  • Felix Fontein (@felixfontein)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.