community.crypto.x509_crl_info – Retrieve information on Certificate Revocation Lists (CRLs)

Note

This plugin is part of the community.crypto collection (version 1.9.2).

To install it use: ansible-galaxy collection install community.crypto.

To use it in a playbook, specify: community.crypto.x509_crl_info.

New in version 1.0.0 of community.crypto

Synopsis

  • This module allows one to retrieve information on Certificate Revocation Lists (CRLs).

Requirements

The below requirements are needed on the host that executes this module.

  • cryptography >= 1.2

Parameters

content (string)
    Content of the X.509 CRL in PEM format, or Base64-encoded X.509 CRL.
    Either path or content must be specified, but not both.

list_revoked_certificates (boolean, added in 1.7.0 of community.crypto)
    Choices: no, yes (default)
    If set to false, the list of revoked certificates is not included in the result.
    This is useful when retrieving information on large CRL files. Enumerating all revoked certificates can take some time, including serializing the result as JSON, sending it to the Ansible controller, and decoding it again.

path (path)
    Remote absolute path where the CRL file is located.
    Either path or content must be specified, but not both.

Notes

  • All timestamp values are provided in ASN.1 TIME format, in other words, following the YYYYMMDDHHMMSSZ pattern. They are all in UTC.

  • Supports check_mode.

See Also

community.crypto.x509_crl

The official documentation on the community.crypto.x509_crl module.

Examples

- name: Get information on CRL
  community.crypto.x509_crl_info:
    path: /etc/ssl/my-ca.crl
  register: result

- name: Print the information
  ansible.builtin.debug:
    msg: "{{ result }}"

- name: Get information on CRL without list of revoked certificates
  community.crypto.x509_crl_info:
    path: /etc/ssl/very-large.crl
    list_revoked_certificates: false
  register: result
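A longer playbook, added here as an illustration and not taken from the community.crypto collection's own documentation, that uses the return values documented under Return Values below to check that a CRL comes from the expected issuer, is still inside its validity window, and whether a given serial number appears on it. The host group, CRL path, issuer CN and serial number are assumed values:

```yaml
# Added example (not from the community.crypto collection): uses the module's
# return values to check CRL issuer, freshness and revocation status.
- name: Validate a CA's CRL and look up a certificate serial
  hosts: ca_hosts                       # assumed inventory group
  vars:
    crl_path: /etc/ssl/my-ca.crl        # assumed path of the CRL on the remote host
    expected_issuer_cn: ca.example.com  # assumed issuer CN (matches the page's sample)
    serial_to_check: 1234               # assumed serial number; the module returns integers
  tasks:
    - name: Read the CRL, including the revoked-certificate list
      community.crypto.x509_crl_info:
        path: "{{ crl_path }}"
      register: crl

    - name: Refuse to act on a CRL from an unexpected issuer
      ansible.builtin.assert:
        that:
          - crl.issuer.commonName == expected_issuer_cn
        fail_msg: "CRL issuer is {{ crl.issuer_ordered }}, expected CN {{ expected_issuer_cn }}"

    # last_update / next_update are ASN.1 TIME strings (YYYYMMDDHHMMSSZ, UTC),
    # so parse them with that pattern and compare against UTC now.
    - name: Fail if the CRL is not yet valid or already stale
      ansible.builtin.assert:
        that:
          - (crl.last_update | to_datetime('%Y%m%d%H%M%SZ')) <= now(utc=true)
          - (crl.next_update | to_datetime('%Y%m%d%H%M%SZ')) > now(utc=true)
        fail_msg: >-
          CRL {{ crl_path }} is outside its validity window
          ({{ crl.last_update }} .. {{ crl.next_update }}); clients relying on it
          may keep accepting certificates that have since been revoked

    # Pick the entry for the serial, or an empty dict if it is not listed.
    - name: Look up the serial number in the revoked-certificate list
      ansible.builtin.set_fact:
        revoked_entry: "{{ crl.revoked_certificates | selectattr('serial_number', 'equalto', serial_to_check) | list | first | default({}) }}"

    - name: Report a revoked serial (reason is absent when the extension is missing)
      ansible.builtin.debug:
        msg: "Serial {{ serial_to_check }} was revoked on {{ revoked_entry.revocation_date }} (reason: {{ revoked_entry.reason | default('unspecified') }})"
      when: revoked_entry

    - name: Report a serial that is not on the CRL
      ansible.builtin.debug:
        msg: "Serial {{ serial_to_check }} is not listed on this CRL"
      when: not revoked_entry
```

The issuer and validity-window checks run before any revocation decision is made, because a CRL from the wrong issuer or one past its next_update should not be used as evidence that a certificate is still good. The lookup keeps list_revoked_certificates at its default of true; for very large CRLs where only the freshness check is needed, set it to false as in the example above.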

Return Values

Common return values are documented here; the following are the fields unique to this module:

digest (string, returned: success)
    The signature algorithm used to sign the CRL.
    Sample: sha256WithRSAEncryption

format (string, returned: success)
    Whether the CRL is in PEM format (pem) or in DER format (der).
    Sample: pem

issuer (dictionary, returned: success)
    The CRL's issuer.
    Note that for repeated values, only the last one will be returned.
    Sample: {"organizationName": "Ansible", "commonName": "ca.example.com"}

issuer_ordered (list / elements=list, returned: success)
    The CRL's issuer as an ordered list of tuples.
    Sample: [["organizationName", "Ansible"], ["commonName", "ca.example.com"]]

last_update (string, returned: success)
    The point in time from which this CRL can be trusted, as ASN.1 TIME.
    Sample: 20190413202428Z

next_update (string, returned: success)
    The point in time from which a new CRL will be issued and the client has to check for it, as ASN.1 TIME.
    Sample: 20190413202428Z

revoked_certificates (list / elements=dictionary, returned: success if list_revoked_certificates=true)
    List of revoked certificates. Each entry has the following fields:

    invalidity_date (string, returned: success)
        The point in time it was known or suspected that the private key was compromised or that the certificate otherwise became invalid, as ASN.1 TIME.
        Sample: 20190413202428Z

    invalidity_date_critical (boolean, returned: success)
        Whether the invalidity date extension is critical.

    issuer (list / elements=string, returned: success)
        The certificate's issuer.
        Sample: ["DNS:ca.example.org"]

    issuer_critical (boolean, returned: success)
        Whether the certificate issuer extension is critical.

    reason (string, returned: success)
        The value for the revocation reason extension.
        One of unspecified, key_compromise, ca_compromise, affiliation_changed, superseded, cessation_of_operation, certificate_hold, privilege_withdrawn, aa_compromise, and remove_from_crl.
        Sample: key_compromise

    reason_critical (boolean, returned: success)
        Whether the revocation reason extension is critical.

    revocation_date (string, returned: success)
        The point in time the certificate was revoked, as ASN.1 TIME.
        Sample: 20190413202428Z

    serial_number (integer, returned: success)
        Serial number of the certificate.
        Sample: 1234


Authors

  • Felix Fontein (@felixfontein)