community.general.java_cert – Uses keytool to import/remove key from java keystore (cacerts)

Note

This plugin is part of the community.general collection.

To install it use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.java_cert.

Synopsis

  • This is a wrapper module around keytool, which can be used to import/remove certificates from a given java keystore.

Parameters

Parameter Choices/Defaults Comments
cert_alias
string
Imported certificate alias.
The alias is used when checking for the presence of a certificate in the keystore.
cert_path
path
Local path to load certificate from.
One of cert_url or cert_path is required to load certificate.
cert_port
integer
Default:
443
Port to connect to URL.
This will be used to create server URL:PORT.
cert_url
string
Basic URL to fetch SSL certificate from.
One of cert_url or cert_path is required to load certificate.
executable
string
Default:
"keytool"
Path to keytool binary if not used we search in PATH for it.
keystore_create
boolean
    Choices:
  • no
  • yes
Create keystore if it does not exist.
keystore_pass
string / required
Keystore password.
keystore_path
path
Path to keystore.
keystore_type
string
Keystore type (JCEKS, JKS).
pkcs12_alias
string
Alias in the PKCS12 keystore.
pkcs12_password
string
Default:
""
Password for importing from PKCS12 keystore.
pkcs12_path
path
Local path to load PKCS12 keystore from.
state
string
    Choices:
  • absent
  • present ←
Defines action which can be either certificate import or removal.
trust_cacert
boolean
added in 0.2.0 of community.general
    Choices:
  • no ←
  • yes
Trust imported cert as CAcert.

Examples

- name: Import SSL certificate from google.com to a given cacerts keystore
  community.general.java_cert:
    cert_url: google.com
    cert_port: 443
    keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
    keystore_pass: changeit
    state: present

- name: Remove certificate with given alias from a keystore
  community.general.java_cert:
    cert_url: google.com
    keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
    keystore_pass: changeit
    executable: /usr/lib/jvm/jre7/bin/keytool
    state: absent

- name: Import trusted CA from SSL certificate
  community.general.java_cert:
    cert_path: /opt/certs/rootca.crt
    keystore_path: /tmp/cacerts
    keystore_pass: changeit
    keystore_create: yes
    state: present
    cert_alias: LE_RootCA
    trust_cacert: True

- name: Import SSL certificate from google.com to a keystore, create it if it doesn't exist
  community.general.java_cert:
    cert_url: google.com
    keystore_path: /tmp/cacerts
    keystore_pass: changeit
    keystore_create: yes
    state: present

- name: Import a pkcs12 keystore with a specified alias, create it if it doesn't exist
  community.general.java_cert:
    pkcs12_path: "/tmp/importkeystore.p12"
    cert_alias: default
    keystore_path: /opt/wildfly/standalone/configuration/defaultkeystore.jks
    keystore_pass: changeit
    keystore_create: yes
    state: present

- name: Import SSL certificate to JCEKS keystore
  community.general.java_cert:
    pkcs12_path: "/tmp/importkeystore.p12"
    pkcs12_alias: default
    pkcs12_password: somepass
    cert_alias: default
    keystore_path: /opt/someapp/security/keystore.jceks
    keystore_type: "JCEKS"
    keystore_pass: changeit
    keystore_create: yes
    state: present

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
cmd
string
success
Executed command to get action done.

Sample:
keytool -importcert -noprompt -keystore
msg
string
success
Output from stdout of keytool command after execution of given command.

Sample:
Module require existing keystore at keystore_path '/tmp/test/cacerts'
rc
integer
success
Keytool command execution return value.

Sample:
0


Authors

  • Adam Hamsik (@haad)