community.crypto.openssl_certificate_info – Provide information of OpenSSL X.509 certificates
community.crypto.openssl_certificate_info – Provide information of OpenSSL X.509 certificates
Note
This plugin is part of the community.crypto collection (version 1.3.0).
To install it use: ansible-galaxy collection install community.crypto
.
To use it in a playbook, specify: community.crypto.openssl_certificate_info
.
Synopsis
- This module allows one to query information on OpenSSL certificates.
- It uses the pyOpenSSL or cryptography python library to interact with OpenSSL. If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements) cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with
select_crypto_backend
). Please note that the PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0. - Note that this module was called
openssl_certificate_info
when included directly in Ansible up to version 2.9. When moved to the collectioncommunity.crypto
, it was renamed to community.crypto.x509_certificate_info. From Ansible 2.10 on, it can still be used by the old short name (or byansible.builtin.openssl_certificate_info
), which redirects tocommunity.crypto.x509_certificate_info
. When using FQCNs or when using the collections keyword, the new name community.crypto.x509_certificate_info should be used to avoid a deprecation warning.
Requirements
The below requirements are needed on the host that executes this module.
- PyOpenSSL >= 0.15 or cryptography >= 1.6
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
content string added in 1.0.0 of community.crypto |
Content of the X.509 certificate in PEM format. Either path or content must be specified, but not both. | |
path path |
Remote absolute path where the certificate file is loaded from. Either path or content must be specified, but not both. | |
select_crypto_backend string |
|
Determines which crypto backend to use. The default choice is If set to If set to Please note that the |
valid_at dictionary |
A dict of names mapping to time specifications. Every time specified here will be checked whether the certificate is valid at this point. See the Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid format is |
Notes
Note
- All timestamp values are provided in ASN.1 TIME format, i.e. following the
YYYYMMDDHHMMSSZ
pattern. They are all in UTC.
See Also
See also
- community.crypto.x509_certificate
- The official documentation on the community.crypto.x509_certificate module.
- community.crypto.x509_certificate_pipe
- The official documentation on the community.crypto.x509_certificate_pipe module.
Examples
- name: Generate a Self Signed OpenSSL certificate
community.crypto.x509_certificate:
path: /etc/ssl/crt/ansible.com.crt
privatekey_path: /etc/ssl/private/ansible.com.pem
csr_path: /etc/ssl/csr/ansible.com.csr
provider: selfsigned
# Get information on the certificate
- name: Get information on generated certificate
community.crypto.x509_certificate_info:
path: /etc/ssl/crt/ansible.com.crt
register: result
- name: Dump information
debug:
var: result
# Check whether the certificate is valid or not valid at certain times, fail
# if this is not the case. The first task (x509_certificate_info) collects
# the information, and the second task (assert) validates the result and
# makes the playbook fail in case something is not as expected.
- name: Test whether that certificate is valid tomorrow and/or in three weeks
community.crypto.x509_certificate_info:
path: /etc/ssl/crt/ansible.com.crt
valid_at:
point_1: "+1d"
point_2: "+3w"
register: result
- name: Validate that certificate is valid tomorrow, but not in three weeks
assert:
that:
- result.valid_at.point_1 # valid in one day
- not result.valid_at.point_2 # not valid in three weeks
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description | |
---|---|---|---|
authority_cert_issuer list / elements=string |
success and if the pyOpenSSL backend is not used |
The certificate's authority cert issuer as a list of general names. Is
Sample: [DNS:www.ansible.com, IP:1.2.3.4] | |
authority_cert_serial_number integer |
success and if the pyOpenSSL backend is not used |
The certificate's authority cert serial number. Is
Sample: 12345 | |
authority_key_identifier string |
success and if the pyOpenSSL backend is not used |
The certificate's authority key identifier. The identifier is returned in hexadecimal, with Is
Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33 | |
basic_constraints list / elements=string |
success |
Entries in the
Sample: [CA:TRUE, pathlen:1] | |
basic_constraints_critical boolean |
success |
Whether the
| |
expired boolean |
success |
Whether the certificate is expired (i.e.
| |
extended_key_usage list / elements=string |
success |
Entries in the
Sample: [Biometric Info, DVCS, Time Stamping] | |
extended_key_usage_critical boolean |
success |
Whether the
| |
extensions_by_oid dictionary |
success |
Returns a dictionary for every extension OID
Sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}} | |
critical boolean |
success |
Whether the extension is critical.
| |
value string |
success |
The Base64 encoded value (in DER format) of the extension
Sample: MAMCAQU= | |
fingerprints dictionary added in 1.2.0 of community.crypto |
success |
Fingerprints of the DER-encoded form of the whole certificate. For every hash algorithm available, the fingerprint is computed.
Sample: {'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1... | |
issuer dictionary |
success |
The certificate's issuer. Note that for repeated values, only the last one will be returned.
Sample: {"organizationName": "Ansible", "commonName": "ca.example.com"} | |
issuer_ordered list / elements=list |
success |
The certificate's issuer as an ordered list of tuples.
Sample: [["organizationName", "Ansible"], ["commonName": "ca.example.com"]] | |
key_usage string |
success |
Entries in the
Sample: [Key Agreement, Data Encipherment] | |
key_usage_critical boolean |
success |
Whether the
| |
not_after string |
success |
Sample: 20190413202428Z | |
not_before string |
success |
Sample: 20190331202428Z | |
ocsp_must_staple boolean |
success |
| |
ocsp_must_staple_critical boolean |
success |
Whether the
| |
ocsp_uri string |
success |
The OCSP responder URI, if included in the certificate. Will be
| |
public_key string |
success |
Certificate's public key in PEM format
Sample: BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A... | |
public_key_fingerprints dictionary |
success |
Fingerprints of certificate's public key. For every hash algorithm available, the fingerprint is computed.
Sample: {'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1... | |
serial_number integer |
success |
The certificate's serial number.
Sample: 1234 | |
signature_algorithm string |
success |
The signature algorithm used to sign the certificate.
Sample: sha256WithRSAEncryption | |
subject dictionary |
success |
The certificate's subject as a dictionary. Note that for repeated values, only the last one will be returned.
Sample: {"commonName": "www.example.com", "emailAddress": "[email protected]"} | |
subject_alt_name list / elements=string |
success |
Entries in the
Sample: [DNS:www.ansible.com, IP:1.2.3.4] | |
subject_alt_name_critical boolean |
success |
Whether the
| |
subject_key_identifier string |
success and if the pyOpenSSL backend is not used |
The certificate's subject key identifier. The identifier is returned in hexadecimal, with Is
Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33 | |
subject_ordered list / elements=list |
success |
The certificate's subject as an ordered list of tuples.
Sample: [["commonName", "www.example.com"], ["emailAddress": "[email protected]"]] | |
valid_at dictionary |
success |
For every time stamp provided in the valid_at option, a boolean whether the certificate is valid at that point in time or not.
| |
version integer |
success |
The certificate version.
Sample: 3 |
Authors
- Felix Fontein (@felixfontein)
- Yanis Guenane (@Spredzy)
- Markus Teufelberger (@MarkusTeufelberger)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/community/crypto/openssl_certificate_info_module.html