community.windows.win_certificate_info – Get information on certificates from a Windows Certificate Store

Note

This plugin is part of the community.windows collection (version 1.9.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.windows.

To use it in a playbook, specify: community.windows.win_certificate_info.

Synopsis

  • Returns information about certificates in a Windows Certificate Store.

Parameters

Parameter / Choices/Defaults / Comments

store_location
string
Choices:
  • CurrentUser
  • LocalMachine ← (default)
The location of the store to search.

store_name
string
Default: "My"
The name of the store to search.

thumbprint
string
The thumbprint as a hex string of a certificate to find.
When specified, filters the certificates return value to a single certificate.
See the examples for how to format the thumbprint.

See Also

ansible.windows.win_certificate_store

The official documentation on the ansible.windows.win_certificate_store module.

Examples

- name: Obtain information about a particular certificate in the computer's personal store
  community.windows.win_certificate_info:
    thumbprint: BD7AF104CF1872BDB518D95C9534EA941665FD27
  register: mycert

# thumbprint can also be lower case
- name: Obtain information about a particular certificate in the computer's personal store
  community.windows.win_certificate_info:
    thumbprint: bd7af104cf1872bdb518d95c9534ea941665fd27
  register: mycert

- name: Obtain information about all certificates in the root store
  community.windows.win_certificate_info:
    store_name: Root
  register: ca

# Import a pfx and then get information on the certificates
- name: Import pfx certificate that is password protected
  ansible.windows.win_certificate_store:
    path: C:\Temp\cert.pfx
    state: present
    password: VeryStrongPasswordHere!
  become: yes
  become_method: runas
  register: mycert

- name: Obtain information on each certificate that was touched
  community.windows.win_certificate_info:
    thumbprint: "{{ item }}"
  register: mycert_stats
  loop: "{{ mycert.thumbprints }}"

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key Returned Description
certificates
list / elements=dictionary
success
A list of information about certificates found in the store, sorted by thumbprint.

 
archived
boolean
success
Indicates that the certificate is archived.

 
cert_data
string
success
The base64 encoded data of the entire certificate.

 
dns_names
list / elements=string
success
Lists the registered DNS names for the certificate.

Sample:
['*.m.wikiquote.org', '*.wikipedia.org']
 
extensions
list / elements=dictionary
success
The collection of the certificate's extensions.

Sample:
[{'critical': False, 'field': 'Subject Key Identifier', 'value': '88 27 17 09 a9 b6 18 60 8b ec eb ba f6 47 59 c5 52 54 a3 b7'}, {'critical': True, 'field': 'Basic Constraints', 'value': 'Subject Type=CA, Path Length Constraint=None'}, {'critical': False, 'field': 'Authority Key Identifier', 'value': 'KeyID=2b d0 69 47 94 76 09 fe f4 6b 8d 2e 40 a6 f7 47 4d 7f 08 5e'}, {'critical': False, 'field': 'CRL Distribution Points', 'value': '[1]CRL Distribution Point: Distribution Point Name:Full Name:URL=http://crl.apple.com/root.crl'}, {'critical': True, 'field': 'Key Usage', 'value': 'Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)'}, {'critical': False, 'field': None, 'value': '05 00'}]
 
friendly_name
string
success
The associated alias for the certificate.

Sample:
Microsoft Root Authority
 
has_private_key
boolean
success
Indicates that the certificate contains a private key.

 
intended_purposes
list / elements=string
enhanced key usages extension exists.
Lists the intended applications for the certificate.

Sample:
['Server Authentication']
 
is_ca
boolean
basic constraints extension exists.
Indicates that the certificate is a certificate authority (CA) certificate.

Sample:
True
 
issued_by
string
success
The certificate issuer's common name.

Sample:
Apple Root CA
 
issued_to
string
success
The certificate's common name.

Sample:
Apple Worldwide Developer Relations Certification Authority
 
issuer
string
success
The certificate issuer's distinguished name.

Sample:
CN=Apple Root CA, OU=Apple Certification Authority, O=Apple Inc., C=US
 
key_usages
list / elements=string
key usages extension exists.
Defines how the certificate key can be used.
If this value is not defined, the key can be used for any purpose.

Sample:
['CrlSign', 'KeyCertSign', 'DigitalSignature']
 
path_length_constraint
integer
basic constraints extension exists.
The number of levels allowed in a certificate's path.
If this value is 0, the certificate does not have a restriction.

 
public_key
string
success
The base64 encoded public key of the certificate.

 
serial_number
string
success
The serial number of the certificate represented as a hexadecimal string.

Sample:
01DEBCC4396DA010
 
signature_algorithm
string
success
The algorithm used to create the certificate's signature.

Sample:
sha1RSA
 
ski
string
subject key identifier extension exists.
The certificate's subject key identifier.

Sample:
88271709A9B618608BECEBBAF64759C55254A3B7
 
subject
string
success
The certificate's distinguished name.

Sample:
CN=Apple Worldwide Developer Relations Certification Authority, OU=Apple Worldwide Developer Relations, O=Apple Inc., C=US
 
thumbprint
string
success
The thumbprint as a hex string of the certificate.
The return format will always be upper case.

Sample:
FF6797793A3CD798DC5B2ABEF56F73EDC9F83A64
 
valid_from
float
success
The start date of the certificate represented in seconds since epoch.

Sample:
1360255727
 
valid_from_iso8601
string
success
The start date of the certificate represented as an ISO 8601 formatted date.

Sample:
2017-12-15T08:39:32Z
 
valid_to
float
success
The expiry date of the certificate represented in seconds since epoch.

Sample:
1675788527
 
valid_to_iso8601
string
success
The expiry date of the certificate represented as an ISO 8601 formatted date.

Sample:
2086-01-02T08:39:32Z
 
version
integer
success
The X.509 format version of the certificate.

Sample:
3

exists
boolean
success
Whether any certificates were found in the store.
When thumbprint is specified, returns true only if the certificate matching the thumbprint exists.

Sample:
True
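
The following tasks are an added example, not part of the module's own documentation. They use the valid_to_iso8601, signature_algorithm, thumbprint and subject return fields to audit the machine's personal store for certificates that are close to expiry or signed with SHA-1. The 30-day threshold and the variable names machine_certs, warn_days, iso and days_left are assumptions, and the date format is taken from the valid_to_iso8601 sample above.

```yaml
# Added example: certificate hygiene check built on the documented return fields.
# Assumed values: warn_days threshold, variable names, and the date format string
# (derived from the valid_to_iso8601 sample, e.g. 2086-01-02T08:39:32Z).
- name: Collect every certificate in LocalMachine\My
  community.windows.win_certificate_info:
    store_location: LocalMachine
    store_name: My
  register: machine_certs

- name: Flag certificates that expire soon or carry a SHA-1 signature
  ansible.builtin.assert:
    that:
      # Expired certificates yield a negative days_left and fail here too.
      - days_left | int > warn_days
      # Matches values such as sha1RSA, regardless of case.
      - item.signature_algorithm is not search('sha1', ignorecase=true)
    fail_msg: >-
      {{ item.thumbprint }} ({{ item.subject }}):
      {{ days_left }} days left, signed with {{ item.signature_algorithm }}
    quiet: true
  vars:
    warn_days: 30
    iso: "%Y-%m-%dT%H:%M:%SZ"
    # Whole days between now (UTC, controller clock) and the certificate's expiry.
    days_left: >-
      {{ ((item.valid_to_iso8601 | to_datetime(iso))
          - (now(utc=true, fmt=iso) | to_datetime(iso))).days }}
  loop: "{{ machine_certs.certificates }}"
  loop_control:
    # Show only the thumbprint per item so cert_data is not dumped to the log.
    label: "{{ item.thumbprint }}"
```

The loop evaluates every certificate before the task reports failure, so one run lists all offending thumbprints.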


Authors

  • Micah Hunsberger (@mhunsber)