openssl_certificate_info – Provide information of OpenSSL X.509 certificates

From Get docs
Ansible/docs/2.8/modules/openssl certificate info module


openssl_certificate_info – Provide information of OpenSSL X.509 certificates

New in version 2.8.


Synopsis

  • This module allows one to query information on OpenSSL certificates.
  • It uses the pyOpenSSL or cryptography python library to interact with OpenSSL. If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements) cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with select_crypto_backend)

Requirements

The below requirements are needed on the host that executes this module.

  • PyOpenSSL >= 0.15 or cryptography >= 1.6

Parameters

Parameter Choices/Defaults Comments

path

path / required

Remote absolute path where the certificate file is loaded from.

select_crypto_backend

string

  • auto

  • cryptography
  • pyopenssl

Determines which crypto backend to use.

The default choice is auto, which tries to use cryptography if available, and falls back to pyopenssl.

If set to pyopenssl, will try to use the pyOpenSSL library.

If set to cryptography, will try to use the cryptography library.

valid_at

dictionary

A dict of names mapping to time specifications. Every time specified here will be checked whether the certificate is valid at this point. See the valid_at return value for informations on the result.

Time can be specified either as relative time or as absolute timestamp.

Time will always be interpreted as UTC.

Valid format is [+-]timespec | ASN.1 TIME where timespec can be an integer + [w | d | h | m | s] (e.g. +32w1d2h, and ASN.1 TIME (i.e. pattern YYYYMMDDHHMMSSZ). Note that all timestamps will be treated as being in UTC.



Notes

Note

  • All timestamp values are provided in ASN.1 TIME format, i.e. following the YYYYMMDDHHMMSSZ pattern. They are all in UTC.


See Also

See also

openssl_certificate – Generate and/or check OpenSSL certificates
The official documentation on the openssl_certificate module.


Examples

- name: Generate a Self Signed OpenSSL certificate
  openssl_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    privatekey_path: /etc/ssl/private/ansible.com.pem
    csr_path: /etc/ssl/csr/ansible.com.csr
    provider: selfsigned


# Get information on the certificate

- name: Get information on generated certificate
  openssl_certificate_info:
    path: /etc/ssl/crt/ansible.com.crt
  register: result

- name: Dump information
  debug:
    var: result


# Check whether the certificate is valid or not valid at certain times, fail
# if this is not the case. The first task (openssl_certificate_info) collects
# the information, and the second task (assert) validates the result and
# makes the playbook fail in case something is not as expected.

- name: Test whether that certificate is valid tomorrow and/or in three weeks
  openssl_certificate_info:
    path: /etc/ssl/crt/ansible.com.crt
    valid_at:
      point_1: "+1d"
      point_2: "+3w"
  register: result

- name: Validate that certificate is valid tomorrow, but not in three weeks
  assert:
    that:
      - result.valid_at.point_1      # valid in one day
      - not result.valid_at.point_2  # not valid in three weeks

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description

basic_constraints

list

success

Entries in the basic_constraints extension, or none if extension is not present.


Sample:

[CA:TRUE, pathlen:1]

basic_constraints_critical

boolean

success

Whether the basic_constraints extension is critical.


expired

boolean

success

Whether the certificate is expired (i.e. notAfter is in the past)


extended_key_usage

list

success

Entries in the extended_key_usage extension, or none if extension is not present.


Sample:

[Biometric Info, DVCS, Time Stamping]

extended_key_usage_critical

boolean

success

Whether the extended_key_usage extension is critical.


extensions_by_oid

complex

success

Returns a dictionary for every extension OID


Sample:

{"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}

critical

boolean

success

Whether the extension is critical.


value

string

success

The Base64 encoded value (in DER format) of the extension


Sample:

MAMCAQU=

issuer

dictionary

success

The certificate's issuer.


Sample:

{"organizationName": "Ansible"}

key_usage

string

success

Entries in the key_usage extension, or none if extension is not present.


Sample:

[Key Agreement, Data Encipherment]

key_usage_critical

boolean

success

Whether the key_usage extension is critical.


not_after

string

success

notAfter date as ASN.1 TIME


Sample:

20190413202428Z

not_before

string

success

notBefore date as ASN.1 TIME


Sample:

20190331202428Z

ocsp_must_staple

boolean

success

yes if the OCSP Must Staple extension is present, none otherwise.


ocsp_must_staple_critical

boolean

success

Whether the ocsp_must_staple extension is critical.


public_key

string

success

Certificate's public key in PEM format


Sample:


BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A...

public_key_fingerprints

dictionary

success

Fingerprints of certificate's public key.

For every hash algorithm available, the fingerprint is computed.


Sample:

{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1...

serial_number

integer

success

The certificate's serial number.


Sample:

1234

signature_algorithm

string

success

The signature algorithm used to sign the certificate.


Sample:

sha256WithRSAEncryption

subject

dictionary

success

The certificate's subject.


Sample:

{"commonName": "www.example.com", "emailAddress": "[email protected]"}

subject_alt_name

list

success

Entries in the subject_alt_name extension, or none if extension is not present.


Sample:

[DNS:www.ansible.com, IP:1.2.3.4]

subject_alt_name_critical

boolean

success

Whether the subject_alt_name extension is critical.


valid_at

dictionary

success

For every time stamp provided in the valid_at option, a boolean whether the certificate is valid at that point in time or not.


version

integer

success

The certificate version.


Sample:

3




Status

Authors

  • Felix Fontein (@felixfontein)
  • Yanis Guenane (@Spredzy)
  • Markus Teufelberger (@MarkusTeufelberger)

Hint

If you notice any issues in this documentation you can edit this document to improve it.


© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/openssl_certificate_info_module.html