community.crypto.openssl_csr_info – Provide information of OpenSSL Certificate Signing Requests (CSR)
community.crypto.openssl_csr_info – Provide information of OpenSSL Certificate Signing Requests (CSR)
Note
This plugin is part of the community.crypto collection (version 1.3.0).
To install it use: ansible-galaxy collection install community.crypto
.
To use it in a playbook, specify: community.crypto.openssl_csr_info
.
Synopsis
- This module allows one to query information on OpenSSL Certificate Signing Requests (CSR).
- In case the CSR signature cannot be validated, the module will fail. In this case, all return variables are still returned.
- It uses the pyOpenSSL or cryptography python library to interact with OpenSSL. If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements) cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with
select_crypto_backend
). Please note that the PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0.
Requirements
The below requirements are needed on the host that executes this module.
- PyOpenSSL >= 0.15 or cryptography >= 1.3
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
content string added in 1.0.0 of community.crypto |
Content of the CSR file. Either path or content must be specified, but not both. | |
path path |
Remote absolute path where the CSR file is loaded from. Either path or content must be specified, but not both. | |
select_crypto_backend string |
|
Determines which crypto backend to use. The default choice is If set to If set to Please note that the |
See Also
See also
- community.crypto.openssl_csr
- The official documentation on the community.crypto.openssl_csr module.
- community.crypto.openssl_csr_pipe
- The official documentation on the community.crypto.openssl_csr_pipe module.
Examples
- name: Generate an OpenSSL Certificate Signing Request
community.crypto.openssl_csr:
path: /etc/ssl/csr/www.ansible.com.csr
privatekey_path: /etc/ssl/private/ansible.com.pem
common_name: www.ansible.com
- name: Get information on the CSR
community.crypto.openssl_csr_info:
path: /etc/ssl/csr/www.ansible.com.csr
register: result
- name: Dump information
debug:
var: result
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description | |
---|---|---|---|
authority_cert_issuer list / elements=string |
success and if the pyOpenSSL backend is not used |
The CSR's authority cert issuer as a list of general names. Is
Sample: [DNS:www.ansible.com, IP:1.2.3.4] | |
authority_cert_serial_number integer |
success and if the pyOpenSSL backend is not used |
The CSR's authority cert serial number. Is
Sample: 12345 | |
authority_key_identifier string |
success and if the pyOpenSSL backend is not used |
The CSR's authority key identifier. The identifier is returned in hexadecimal, with Is
Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33 | |
basic_constraints list / elements=string |
success |
Entries in the
Sample: [CA:TRUE, pathlen:1] | |
basic_constraints_critical boolean |
success |
Whether the
| |
extended_key_usage list / elements=string |
success |
Entries in the
Sample: [Biometric Info, DVCS, Time Stamping] | |
extended_key_usage_critical boolean |
success |
Whether the
| |
extensions_by_oid dictionary |
success |
Returns a dictionary for every extension OID
Sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}} | |
critical boolean |
success |
Whether the extension is critical.
| |
value string |
success |
The Base64 encoded value (in DER format) of the extension
Sample: MAMCAQU= | |
key_usage string |
success |
Entries in the
Sample: [Key Agreement, Data Encipherment] | |
key_usage_critical boolean |
success |
Whether the
| |
name_constraints_critical boolean added in 1.1.0 of community.crypto |
success |
Whether the Is
| |
name_constraints_excluded list / elements=string added in 1.1.0 of community.crypto |
success |
List of excluded subtrees the CA cannot sign certificates for. Is
Sample: ['email:.com'] | |
name_constraints_permitted list / elements=string added in 1.1.0 of community.crypto |
success |
List of permitted subtrees to sign certificates for.
Sample: ['email:.somedomain.com'] | |
ocsp_must_staple boolean |
success |
| |
ocsp_must_staple_critical boolean |
success |
Whether the
| |
public_key string |
success |
CSR's public key in PEM format
Sample: BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A... | |
public_key_fingerprints dictionary |
success |
Fingerprints of CSR's public key. For every hash algorithm available, the fingerprint is computed.
Sample: {'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1... | |
signature_valid boolean |
success |
Whether the CSR's signature is valid. In case the check returns
| |
subject dictionary |
success |
The CSR's subject as a dictionary. Note that for repeated values, only the last one will be returned.
Sample: {"commonName": "www.example.com", "emailAddress": "[email protected]"} | |
subject_alt_name list / elements=string |
success |
Entries in the
Sample: [DNS:www.ansible.com, IP:1.2.3.4] | |
subject_alt_name_critical boolean |
success |
Whether the
| |
subject_key_identifier string |
success and if the pyOpenSSL backend is not used |
The CSR's subject key identifier. The identifier is returned in hexadecimal, with Is
Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33 | |
subject_ordered list / elements=list |
success |
The CSR's subject as an ordered list of tuples.
Sample: [["commonName", "www.example.com"], ["emailAddress": "[email protected]"]] |
Authors
- Felix Fontein (@felixfontein)
- Yanis Guenane (@Spredzy)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/community/crypto/openssl_csr_info_module.html