community.crypto.x509_crl – Generate Certificate Revocation Lists (CRLs)
Note
This plugin is part of the community.crypto collection (version 1.3.0).
To install it, use: ansible-galaxy collection install community.crypto
To use it in a playbook, specify: community.crypto.x509_crl
New in version 1.0.0 of community.crypto
Synopsis
This module allows one to (re)generate or update Certificate Revocation Lists (CRLs).
Certificates on the revocation list can be either specified via serial number and (optionally) their issuer, or as a path to a certificate file in PEM format.
Requirements
The requirements below are needed on the host that executes this module.
cryptography >= 1.2
Parameters
Notes
Note
All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
Dates must be given in UTC; minutes and seconds are mandatory.
Examples
```yaml
- name: Generate a CRL
  community.crypto.x509_crl:
    path: /etc/ssl/my-ca.crl
    privatekey_path: /etc/ssl/private/my-ca.pem
    issuer:
      CN: My CA
    last_update: "+0s"
    next_update: "+7d"
    revoked_certificates:
      - serial_number: 1234
        revocation_date: 20190331202428Z
        issuer:
          CN: My CA
      - serial_number: 2345
        revocation_date: 20191013152910Z
        reason: affiliation_changed
        invalidity_date: 20191001000000Z
      - path: /etc/ssl/crt/revoked-cert.pem
        revocation_date: 20191010010203Z
```
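The module delegates the signing to the cryptography library. The following is an added example, not the module's own code nor anything from the community.crypto project: it builds the same CRL as the playbook above with that library using a throwaway CA key, serialises it as PEM (the module's pem format), and then checks it the way a relying party should, verifying the signature against the CA key, the last_update/next_update window and the per-entry reason codes. The function names asn1_time, build_crl, check_crl and demo, the CA key and the "now" timestamps are assumptions constructed for the demo.

```python
# Added example, not the module's own code; the CA key and revocation data are constructed.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def asn1_time(value):
    """Parse a module-style ASN.1 TIME string (YYYYMMDDHHMMSSZ, UTC, seconds mandatory)."""
    return dt.datetime.strptime(value, "%Y%m%d%H%M%SZ")

def build_crl(ca_key, issuer_cn, last_update, validity_days, revoked):
    """revoked: iterable of (serial, revocation_date, ReasonFlags or None, invalidity_date or None)."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
               .last_update(last_update)
               .next_update(last_update + dt.timedelta(days=validity_days)))  # e.g. "+7d"
    for serial, rev_date, reason, inv_date in revoked:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(rev_date)
        if reason is not None:    # optional reason code extension
            entry = entry.add_extension(x509.CRLReason(reason), critical=False)
        if inv_date is not None:  # optional invalidity date extension
            entry = entry.add_extension(x509.InvalidityDate(inv_date), critical=False)
        builder = builder.add_revoked_certificate(entry.build())
    return builder.sign(ca_key, hashes.SHA256())  # digest: sha256WithRSAEncryption

def check_crl(pem, ca_public_key, now):
    """Reject a CRL not signed by our CA or outside its validity window; else return issuer and {serial: reason}."""
    crl = x509.load_pem_x509_crl(pem)
    if not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL signature does not verify against the CA key")
    if not crl.last_update <= now < crl.next_update:
        raise ValueError("CRL is stale or not yet valid: fetch a fresh one")
    revoked = {}
    for entry in crl:
        try:
            reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason.name
        except x509.ExtensionNotFound:
            reason = "unspecified"  # RFC 5280: an absent reason code means unspecified
        revoked[entry.serial_number] = reason
    return {"issuer": crl.issuer.rfc4514_string(), "revoked": revoked}

def demo(now="20190414000000Z"):
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # throwaway CA key
    crl = build_crl(ca_key, "My CA", asn1_time("20190413202428Z"), 7, [
        (1234, asn1_time("20190331202428Z"), None, None),
        (2345, asn1_time("20191013152910Z"), x509.ReasonFlags.affiliation_changed,
         asn1_time("20191001000000Z")),
    ])
    return check_crl(crl.public_bytes(serialization.Encoding.PEM), ca_key.public_key(), asn1_time(now))
```

Calling demo() with a "now" past next_update raises, which is the check a client must make before trusting a cached CRL.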
Return Values
Common return values are documented separately; the following are the fields unique to this module:

Key | Returned | Description
---|---|---
backup_file (string) | changed and if backup is yes | Name of backup file created. Sample: /path/to/my-ca.crl.2019-03-09@11:22~
crl (string) | if state is present and return_content is yes | The (current or generated) CRL's content. Will be the CRL itself if format is pem, and Base64 of the CRL if format is der.
digest (string) | success | The signature algorithm used to sign the CRL. Sample: sha256WithRSAEncryption
filename (string) | changed or success | Path to the generated CRL. Sample: /path/to/my-ca.crl
format (string) | success | Whether the CRL is in PEM format (pem) or in DER format (der). Sample: pem
issuer (dictionary) | success | The CRL's issuer. Note that for repeated values, only the last one will be returned. Sample: {"organizationName": "Ansible", "commonName": "ca.example.com"}
issuer_ordered (list / elements=list) | success | The CRL's issuer as an ordered list of tuples. Sample: [["organizationName", "Ansible"], ["commonName", "ca.example.com"]]
last_update (string) | success | The point in time from which this CRL can be trusted, as ASN.1 TIME. Sample: 20190413202428Z
next_update (string) | success | The point in time at which a new CRL will be issued and the client has to check for it, as ASN.1 TIME. Sample: 20190413202428Z
privatekey (string) | changed or success | Path to the private CA key. Sample: /path/to/my-ca.pem
revoked_certificates (list / elements=dictionary) | success | List of certificates to be revoked. Each entry has the fields listed below.
revoked_certificates / invalidity_date (string) | success | The point in time it was known/suspected that the private key was compromised or that the certificate otherwise became invalid, as ASN.1 TIME. Sample: 20190413202428Z
revoked_certificates / invalidity_date_critical (boolean) | success | Whether the invalidity date extension is critical.
revoked_certificates / issuer (list / elements=string) | success | The certificate's issuer. Sample: ["DNS:ca.example.org"]
revoked_certificates / issuer_critical (boolean) | success | Whether the certificate issuer extension is critical.
revoked_certificates / reason (string) | success | The value for the revocation reason extension. One of unspecified, key_compromise, ca_compromise, affiliation_changed, superseded, cessation_of_operation, certificate_hold, privilege_withdrawn, aa_compromise, and remove_from_crl. Sample: key_compromise
revoked_certificates / reason_critical (boolean) | success | Whether the revocation reason extension is critical.
revoked_certificates / revocation_date (string) | success | The point in time the certificate was revoked, as ASN.1 TIME. Sample: 20190413202428Z
revoked_certificates / serial_number (integer) | success | Serial number of the certificate. Sample: 1234
Authors
Felix Fontein (@felixfontein)