Skip to main content

Ansible OpenSSL

This Integration is part of the Ansible Linux Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This integration enables the management of certificates on Linux hosts directly from XSOAR using Ansible. The Ansible engine is self-contained and pre-configured as part of this pack onto your XSOAR server, all you need to do is provide credentials you are ready to use the feature rich commands. This integration functions without any agents or additional software installed on the hosts by utilising SSH combined with Python.

To use this integration, configure an instance of this integration. This will associate a credential to be used to access hosts when commands are run. The commands from this integration will take the Linux host address(es) as an input, and use the saved credential associated to the instance to execute. Create separate instances if multiple credentials are required.

Requirements#

The Linux host(s) being managed requires Python >= 2.6. Different commands will use different underlying Ansible modules, and may have their own unique package requirements. Refer to the individual command documentation for further information.

Network Requirements#

By default, TCP port 22 will be used to initiate a SSH connection to the Linux host.

The connection will be initiated from the XSOAR engine/server specified in the instance settings.

Credentials#

This integration supports a number of methods of authenticating with the Linux Host:

  1. Username & Password entered into the integration
  2. Username & Password credential from the XSOAR credential manager
  3. Username and SSH Key from the XSOAR credential manager

Permissions#

Whilst un-privileged Linux user privileges can be used, a SuperUser account is recommended as most commands will require elevated permissions to execute.

Privilege Escalation#

Ansible can use existing privilege escalation systems to allow a user to execute tasks as another. Different from the user that logged into the machine (remote user). This is done using existing privilege escalation tools, which you probably already use or have configured, like sudo, su, or doas. Unless you are remoting into the system as root (uid 0) you will need to escalate your privileges to a super user. Use the Integration parameters Escalate Privileges, Privilege Escalation Method, Privilege Escalation User, Privileges Escalation Password to configure this.

Concurrency#

This integration supports execution of commands against multiple hosts concurrently. The host parameter accepts a list of addresses, and will run the command in parallel as per the Concurrency Factor value.

Further information#

This integration is powered by Ansible 2.9. Further information can be found on that the following locations:

Configure Ansible OpenSSL on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Ansible OpenSSL .

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    UsernameThe credentials to associate with the instance. SSH keys can be configured using the credential manager.True
    PasswordTrue
    Default SSH PortThe default port to use if one is not specified in the commands `host` argument.True
    Concurrency FactorIf multiple hosts are specified in a command, how many hosts should be interacted with concurrently.True
    Escalate PrivilegesAnsible allows you to ‘become’ another user, different from the user that
    logged into the machine (remote user).
    True
    Privilege Escalation MethodWhich privilege escalation method should be used.True
    Privilege Escalation UserSet the user you become through privilege escalationFalse
    Privilege Escalation PasswordSet the privilege escalation password.False

Testing#

This integration does not support testing from the integration management screen. Instead it is recommended to use the !openssl-certificate-info command providing an example host and path to a certificate as the command argument. This command will connect to the specified host with the configured credentials in the integration, and if successful output information about the certificate at the path.

Complex Command Inputs#

Some commands may require structured input arguments such as lists or dictionary, these can be provided in standard JSON notation wrapped in double curly braces. For example a argument called dns_servers that accepts a list of server IPs 8.8.8.8 and 8.8.4.4 would be entered as dns_servers="{{ ['8.8.8.8', '8.8.4.4'] }}".

Other more advanced data manipulation tools such as Ansible/Jinja2 filters can also be used in-line. For example to get a random number between 0 and 60 you can use {{ 60 | random }}.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

openssl-certificate#


Generate and/or check OpenSSL certificates Further documentation available at https://docs.ansible.com/ansible/2.9/modules/openssl_certificate_module.html

Base Command#

openssl-certificate

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
stateWhether the certificate should exist or not, taking action if the state is different from what is stated. Possible values are: absent, present. Default is present.Optional
pathRemote absolute path where the generated certificate file should be created or is already located.Required
providerName of the provider to use to generate/retrieve the OpenSSL certificate.
The assertonly provider will not generate files and fail if the certificate file is missing.
The assertonly provider has been deprecated in Ansible 2.9 and will be removed in Ansible 2.13. Please see the examples on how to emulate it with openssl_certificate_info, openssl_csr_info, openssl_privatekey_info and assert.
The entrust provider was added for Ansible 2.9 and requires credentials for the https://www.entrustdatacard.com/products/categories/ssl-certificates,Entrust Certificate Services (ECS) API.
Required if state is present. Possible values are: acme, assertonly, entrust, ownca, selfsigned.
Optional
forceGenerate the certificate, even if it already exists. Possible values are: Yes, No. Default is No.Optional
csr_pathPath to the Certificate Signing Request (CSR) used to generate this certificate.
This is not required in assertonly mode.
Optional
privatekey_pathPath to the private key to use when signing the certificate.Optional
privatekey_passphraseThe passphrase for the privatekey_path.
This is required if the private key is password protected.
Optional
selfsigned_versionVersion of the selfsigned certificate.
Nowadays it should almost always be 3.
This is only used by the selfsigned provider. Default is 3.
Optional
selfsigned_digestDigest algorithm to be used when self-signing the certificate.
This is only used by the selfsigned provider. Default is sha256.
Optional
selfsigned_not_beforeThe point in time the certificate is valid from.
Time can be specified either as relative time or as absolute timestamp.
Time will always be interpreted as UTC.
Valid format is [+-]timespec \| ASN.1 TIME where timespec can be an integer + [w \| d \| h \| m \| s] (e.g. +32w1d2h.
Note that if using relative time this module is NOT idempotent.
If this value is not specified, the certificate will start being valid from now.
This is only used by the selfsigned provider. Default is +0s.
Optional
selfsigned_not_afterThe point in time at which the certificate stops being valid.
Time can be specified either as relative time or as absolute timestamp.
Time will always be interpreted as UTC.
Valid format is [+-]timespec \| ASN.1 TIME where timespec can be an integer + [w \| d \| h \| m \| s] (e.g. +32w1d2h.
Note that if using relative time this module is NOT idempotent.
If this value is not specified, the certificate will stop being valid 10 years from now.
This is only used by the selfsigned provider. Default is +3650d.
Optional
selfsigned_create_subject_key_identifierWhether to create the Subject Key Identifier (SKI) from the public key.
A value of create_if_not_provided (default) only creates a SKI when the CSR does not provide one.
A value of always_create always creates a SKI. If the CSR provides one, that one is ignored.
A value of never_create never creates a SKI. If the CSR provides one, that one is used.
This is only used by the selfsigned provider.
Note that this is only supported if the cryptography backend is used!. Possible values are: create_if_not_provided, always_create, never_create. Default is create_if_not_provided.
Optional
ownca_pathRemote absolute path of the CA (Certificate Authority) certificate.
This is only used by the ownca provider.
Optional
ownca_privatekey_pathPath to the CA (Certificate Authority) private key to use when signing the certificate.
This is only used by the ownca provider.
Optional
ownca_privatekey_passphraseThe passphrase for the ownca_privatekey_path.
This is only used by the ownca provider.
Optional
ownca_digestThe digest algorithm to be used for the ownca certificate.
This is only used by the ownca provider. Default is sha256.
Optional
ownca_versionThe version of the ownca certificate.
Nowadays it should almost always be 3.
This is only used by the ownca provider. Default is 3.
Optional
ownca_not_beforeThe point in time the certificate is valid from.
Time can be specified either as relative time or as absolute timestamp.
Time will always be interpreted as UTC.
Valid format is [+-]timespec \| ASN.1 TIME where timespec can be an integer + [w \| d \| h \| m \| s] (e.g. +32w1d2h.
Note that if using relative time this module is NOT idempotent.
If this value is not specified, the certificate will start being valid from now.
This is only used by the ownca provider. Default is +0s.
Optional
ownca_not_afterThe point in time at which the certificate stops being valid.
Time can be specified either as relative time or as absolute timestamp.
Time will always be interpreted as UTC.
Valid format is [+-]timespec \| ASN.1 TIME where timespec can be an integer + [w \| d \| h \| m \| s] (e.g. +32w1d2h.
Note that if using relative time this module is NOT idempotent.
If this value is not specified, the certificate will stop being valid 10 years from now.
This is only used by the ownca provider. Default is +3650d.
Optional
ownca_create_subject_key_identifierWhether to create the Subject Key Identifier (SKI) from the public key.
A value of create_if_not_provided (default) only creates a SKI when the CSR does not provide one.
A value of always_create always creates a SKI. If the CSR provides one, that one is ignored.
A value of never_create never creates a SKI. If the CSR provides one, that one is used.
This is only used by the ownca provider.
Note that this is only supported if the cryptography backend is used!. Possible values are: create_if_not_provided, always_create, never_create. Default is create_if_not_provided.
Optional
ownca_create_authority_key_identifierCreate a Authority Key Identifier from the CA's certificate. If the CSR provided a authority key identifier, it is ignored.
The Authority Key Identifier is generated from the CA certificate's Subject Key Identifier, if available. If it is not available, the CA certificate's public key will be used.
This is only used by the ownca provider.
Note that this is only supported if the cryptography backend is used!. Possible values are: Yes, No. Default is Yes.
Optional
acme_accountkey_pathThe path to the accountkey for the acme provider.
This is only used by the acme provider.
Optional
acme_challenge_pathThe path to the ACME challenge directory that is served on http://<HOST>:80/.well-known/acme-challenge/
This is only used by the acme provider.
Optional
acme_chainInclude the intermediate certificate to the generated certificate
This is only used by the acme provider.
Note that this is only available for older versions of acme-tiny. New versions include the chain automatically, and setting acme_chain to yes results in an error. Possible values are: Yes, No. Default is No.
Optional
signature_algorithmsA list of algorithms that you would accept the certificate to be signed with (e.g. ['sha256WithRSAEncryption', 'sha512WithRSAEncryption']).
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
issuerThe key/value pairs that must be present in the issuer name field of the certificate.
If you need to specify more than one value with the same key, use a list as value.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
issuer_strictIf set to yes, the issuer field must contain only these values.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly. Possible values are: Yes, No. Default is No.
Optional
subjectThe key/value pairs that must be present in the subject name field of the certificate.
If you need to specify more than one value with the same key, use a list as value.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
subject_strictIf set to yes, the subject field must contain only these values.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly. Possible values are: Yes, No. Default is No.
Optional
has_expiredChecks if the certificate is expired/not expired at the time the module is executed.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly. Possible values are: Yes, No. Default is No.
Optional
versionThe version of the certificate.
Nowadays it should almost always be 3.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
valid_atThe certificate must be valid at this point in time.
The timestamp is formatted as an ASN.1 TIME.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
invalid_atThe certificate must be invalid at this point in time.
The timestamp is formatted as an ASN.1 TIME.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
not_beforeThe certificate must start to become valid at this point in time.
The timestamp is formatted as an ASN.1 TIME.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
not_afterThe certificate must expire at this point in time.
The timestamp is formatted as an ASN.1 TIME.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
valid_inThe certificate must still be valid at this relative time offset from now.
Valid format is [+-]timespec \| number_of_seconds where timespec can be an integer + [w \| d \| h \| m \| s] (e.g. +32w1d2h.
Note that if using this parameter, this module is NOT idempotent.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
key_usageThe key_usage extension field must contain all these values.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
key_usage_strictIf set to yes, the key_usage extension field must contain only these values.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly. Possible values are: Yes, No. Default is No.
Optional
extended_key_usageThe extended_key_usage extension field must contain all these values.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
extended_key_usage_strictIf set to yes, the extended_key_usage extension field must contain only these values.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly. Possible values are: Yes, No. Default is No.
Optional
subject_alt_nameThe subject_alt_name extension field must contain these values.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly.
Optional
subject_alt_name_strictIf set to yes, the subject_alt_name extension field must contain only these values.
This is only used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly. Possible values are: Yes, No. Default is No.
Optional
select_crypto_backendDetermines which crypto backend to use.
The default choice is auto, which tries to use cryptography if available, and falls back to pyopenssl.
If set to pyopenssl, will try to use the pyOpenSSL,https://pypi.org/project/pyOpenSSL/ library.
If set to cryptography, will try to use the cryptography,https://cryptography.io/ library.
Please note that the pyopenssl backend has been deprecated in Ansible 2.9, and will be removed in Ansible 2.13. From that point on, only the cryptography backend will be available. Possible values are: auto, cryptography, pyopenssl. Default is auto.
Optional
backupCreate a backup file including a timestamp so you can get the original certificate back if you overwrote it with a new one by accident.
This is not used by the assertonly provider.
This option is deprecated since Ansible 2.9 and will be removed with the assertonly provider in Ansible 2.13. For alternatives, see the example on replacing assertonly. Possible values are: Yes, No. Default is No.
Optional
entrust_cert_typeSpecify the type of certificate requested.
This is only used by the entrust provider. Possible values are: STANDARD_SSL, ADVANTAGE_SSL, UC_SSL, EV_SSL, WILDCARD_SSL, PRIVATE_SSL, PD_SSL, CDS_ENT_LITE, CDS_ENT_PRO, SMIME_ENT. Default is STANDARD_SSL.
Optional
entrust_requester_emailThe email of the requester of the certificate (for tracking purposes).
This is only used by the entrust provider.
This is required if the provider is entrust.
Optional
entrust_requester_nameThe name of the requester of the certificate (for tracking purposes).
This is only used by the entrust provider.
This is required if the provider is entrust.
Optional
entrust_requester_phoneThe phone number of the requester of the certificate (for tracking purposes).
This is only used by the entrust provider.
This is required if the provider is entrust.
Optional
entrust_api_userThe username for authentication to the Entrust Certificate Services (ECS) API.
This is only used by the entrust provider.
This is required if the provider is entrust.
Optional
entrust_api_keyThe key (password) for authentication to the Entrust Certificate Services (ECS) API.
This is only used by the entrust provider.
This is required if the provider is entrust.
Optional
entrust_api_client_cert_pathThe path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.
This is only used by the entrust provider.
This is required if the provider is entrust.
Optional
entrust_api_client_cert_key_pathThe path to the private key of the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.
This is only used by the entrust provider.
This is required if the provider is entrust.
Optional
entrust_not_afterThe point in time at which the certificate stops being valid.
Time can be specified either as relative time or as an absolute timestamp.
A valid absolute time format is ASN.1 TIME such as 2019-06-18.
A valid relative time format is [+-]timespec where timespec can be an integer + [w \| d \| h \| m \| s], such as +365d or +32w1d2h).
Time will always be interpreted as UTC.
Note that only the date (day, month, year) is supported for specifying the expiry date of the issued certificate.
The full date-time is adjusted to EST (GMT -5:00) before issuance, which may result in a certificate with an expiration date one day earlier than expected if a relative time is used.
The minimum certificate lifetime is 90 days, and maximum is three years.
If this value is not specified, the certificate will stop being valid 365 days the date of issue.
This is only used by the entrust provider. Default is +365d.
Optional
entrust_api_specification_pathThe path to the specification file defining the Entrust Certificate Services (ECS) API configuration.
You can use this to keep a local copy of the specification to avoid downloading it every time the module is used.
This is only used by the entrust provider. Default is https://cloud.entrust.net/EntrustCloud/documentation/cms-api-2.1.0.yaml.
Optional
modeThe permissions the resulting file or directory should have.
For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number.
Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results.
As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, u+rwx or u=rw,g=r,o=r).
Optional
ownerName of the user that should own the file/directory, as would be fed to chown.Optional
groupName of the group that should own the file/directory, as would be fed to chown.Optional
seuserThe user part of the SELinux file context.
By default it uses the system policy, where applicable.
When set to _default, it will use the user portion of the policy if available.
Optional
seroleThe role part of the SELinux file context.
When set to _default, it will use the role portion of the policy if available.
Optional
setypeThe type part of the SELinux file context.
When set to _default, it will use the type portion of the policy if available.
Optional
selevelThe level part of the SELinux file context.
This is the MLS/MCS attribute, sometimes known as the range.
When set to _default, it will use the level portion of the policy if available. Default is s0.
Optional
unsafe_writesInfluence when to use atomic operation to prevent data corruption or inconsistent reads from the target file.
By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target files, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted files, which cannot be updated atomically from inside the container and can only be written in an unsafe manner.
This option allows Ansible to fall back to unsafe methods of updating files when atomic operations fail (however, it doesn't force Ansible to perform unsafe writes).
IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. Possible values are: Yes, No. Default is No.
Optional
attributesThe attributes the resulting file or directory should have.
To get supported flags look at the man page for chattr on the target system.
This string should contain the attributes in the same order as the one displayed by lsattr.
The = operator is assumed as default, otherwise + or - operators need to be included in the string.
Optional

Context Output#

PathTypeDescription
OpenSSL.OpensslCertificate.filenamestringPath to the generated Certificate
OpenSSL.OpensslCertificate.backup_filestringName of backup file created.

Command Example#

!openssl-certificate host="123.123.123.123" path="/etc/ssl/crt/ansible.com.crt" privatekey_path="/etc/ssl/private/ansible.com.pem" csr_path="/etc/ssl/csr/www.ansible.com.csr" provider="selfsigned"

Context Example#

{
"OpenSSL": {
"OpensslCertificate": {
"changed": false,
"csr": "/etc/ssl/csr/www.ansible.com.csr",
"filename": "/etc/ssl/crt/ansible.com.crt",
"host": "123.123.123.123",
"notAfter": "20310706075859Z",
"notBefore": "20210708075859Z",
"privatekey": "/etc/ssl/private/ansible.com.pem",
"serial_number": 7.301123280537633e+46,
"status": "SUCCESS"
}
}
}

Human Readable Output#

123.123.123.123 - SUCCESS#

  • changed: False
  • csr: /etc/ssl/csr/www.ansible.com.csr
  • filename: /etc/ssl/crt/ansible.com.crt
  • notAfter: 20310706075859Z
  • notBefore: 20210708075859Z
  • privatekey: /etc/ssl/private/ansible.com.pem
  • serial_number: 73011232805376328985612064552790767398333247880

openssl-certificate-info#


Provide information of OpenSSL X.509 certificates Further documentation available at https://docs.ansible.com/ansible/2.9/modules/openssl_certificate_info_module.html

Base Command#

openssl-certificate-info

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
pathRemote absolute path where the certificate file is loaded from.Required
valid_atA dict of names mapping to time specifications. Every time specified here will be checked whether the certificate is valid at this point. See the valid_at return value for informations on the result.
Time can be specified either as relative time or as absolute timestamp.
Time will always be interpreted as UTC.
Valid format is [+-]timespec \| ASN.1 TIME where timespec can be an integer + [w \| d \| h \| m \| s] (e.g. +32w1d2h, and ASN.1 TIME (i.e. pattern YYYYMMDDHHMMSSZ). Note that all timestamps will be treated as being in UTC.
Optional
select_crypto_backendDetermines which crypto backend to use.
The default choice is auto, which tries to use cryptography if available, and falls back to pyopenssl.
If set to pyopenssl, will try to use the pyOpenSSL,https://pypi.org/project/pyOpenSSL/ library.
If set to cryptography, will try to use the cryptography,https://cryptography.io/ library.
Please note that the pyopenssl backend has been deprecated in Ansible 2.9, and will be removed in Ansible 2.13. From that point on, only the cryptography backend will be available. Possible values are: auto, cryptography, pyopenssl. Default is auto.
Optional

Context Output#

PathTypeDescription
OpenSSL.OpensslCertificateInfo.expiredbooleanWhether the certificate is expired (i.e. `notAfter` is in the past)
OpenSSL.OpensslCertificateInfo.basic_constraintsunknownEntries in the `basic_constraints` extension, or `none` if extension is not present.
OpenSSL.OpensslCertificateInfo.basic_constraints_criticalbooleanWhether the `basic_constraints` extension is critical.
OpenSSL.OpensslCertificateInfo.extended_key_usageunknownEntries in the `extended_key_usage` extension, or `none` if extension is not present.
OpenSSL.OpensslCertificateInfo.extended_key_usage_criticalbooleanWhether the `extended_key_usage` extension is critical.
OpenSSL.OpensslCertificateInfo.extensions_by_oidunknownReturns a dictionary for every extension OID
OpenSSL.OpensslCertificateInfo.key_usagestringEntries in the `key_usage` extension, or `none` if extension is not present.
OpenSSL.OpensslCertificateInfo.key_usage_criticalbooleanWhether the `key_usage` extension is critical.
OpenSSL.OpensslCertificateInfo.subject_alt_nameunknownEntries in the `subject_alt_name` extension, or `none` if extension is not present.
OpenSSL.OpensslCertificateInfo.subject_alt_name_criticalbooleanWhether the `subject_alt_name` extension is critical.
OpenSSL.OpensslCertificateInfo.ocsp_must_stapleboolean`yes` if the OCSP Must Staple extension is present, `none` otherwise.
OpenSSL.OpensslCertificateInfo.ocsp_must_staple_criticalbooleanWhether the `ocsp_must_staple` extension is critical.
OpenSSL.OpensslCertificateInfo.issuerunknownThe certificate's issuer.
Note that for repeated values, only the last one will be returned.
OpenSSL.OpensslCertificateInfo.issuer_orderedunknownThe certificate's issuer as an ordered list of tuples.
OpenSSL.OpensslCertificateInfo.subjectunknownThe certificate's subject as a dictionary.
Note that for repeated values, only the last one will be returned.
OpenSSL.OpensslCertificateInfo.subject_orderedunknownThe certificate's subject as an ordered list of tuples.
OpenSSL.OpensslCertificateInfo.not_afterstring`notAfter` date as ASN.1 TIME
OpenSSL.OpensslCertificateInfo.not_beforestring`notBefore` date as ASN.1 TIME
OpenSSL.OpensslCertificateInfo.public_keystringCertificate's public key in PEM format
OpenSSL.OpensslCertificateInfo.public_key_fingerprintsunknownFingerprints of certificate's public key.
For every hash algorithm available, the fingerprint is computed.
OpenSSL.OpensslCertificateInfo.signature_algorithmstringThe signature algorithm used to sign the certificate.
OpenSSL.OpensslCertificateInfo.serial_numbernumberThe certificate's serial number.
OpenSSL.OpensslCertificateInfo.versionnumberThe certificate version.
OpenSSL.OpensslCertificateInfo.valid_atunknownFor every time stamp provided in the `valid_at` option, a boolean whether the certificate is valid at that point in time or not.
OpenSSL.OpensslCertificateInfo.subject_key_identifierstringThe certificate's subject key identifier.

The identifier is returned in hexadecimal, with `:` used to separate bytes. Is `none` if the `SubjectKeyIdentifier` extension is not present. | | OpenSSL.OpensslCertificateInfo.authority_key_identifier | string | The certificate's authority key identifier. The identifier is returned in hexadecimal, with `:` used to separate bytes. Is `none` if the `AuthorityKeyIdentifier` extension is not present. | | OpenSSL.OpensslCertificateInfo.authority_cert_issuer | unknown | The certificate's authority cert issuer as a list of general names. Is `none` if the `AuthorityKeyIdentifier` extension is not present. | | OpenSSL.OpensslCertificateInfo.authority_cert_serial_number | number | The certificate's authority cert serial number. Is `none` if the `AuthorityKeyIdentifier` extension is not present. | | OpenSSL.OpensslCertificateInfo.ocsp_uri | string | The OCSP responder URI, if included in the certificate. Will be `none` if no OCSP responder URI is included. |

Command Example#

!openssl-certificate-info host="123.123.123.123" path="/etc/ssl/crt/ansible.com.crt"

Context Example#

{
"OpenSSL": {
"OpensslCertificateInfo": {
"authority_cert_issuer": null,
"authority_cert_serial_number": null,
"authority_key_identifier": null,
"basic_constraints": null,
"basic_constraints_critical": false,
"changed": false,
"expired": false,
"extended_key_usage": null,
"extended_key_usage_critical": false,
"extensions_by_oid": {
"1.1.1.1": {
"critical": false,
"value": "BBRtlXuXV61dCrNybX135iGY0y8Yxg=="
},
"1.1.1.2": {
"critical": false,
"value": "MBGCD3d3dy5hbnNpYmxlLmNvbQ=="
}
},
"fingerprints": {
"blake2b": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14:11:11:11:11:11:11:11:15:11:11:11:11:11:11:11:16:11:11:11:11:11:11:11:17:11:11:11:11:11:11:11:18",
"blake2s": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"md5": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha1": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha224": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha384": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_224": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_384": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_512": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha512": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"shake_128": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"shake_256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14"
},
"host": "123.123.123.123",
"issuer": {
"commonName": "www.ansible.com"
},
"issuer_ordered": [
[
"commonName",
"www.ansible.com"
]
],
"key_usage": null,
"key_usage_critical": false,
"not_after": "20310706075859Z",
"not_before": "20210708075859Z",
"ocsp_must_staple": null,
"ocsp_must_staple_critical": false,
"ocsp_uri": null,
"public_key": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2JSDcBy4bxZU7jC5I0p6\n550ylJDYog5bb60it9bK0QZ9N9pGbCSAaWf1untaYr3zrZysFcmeaQKS75utx7Mc\nUgzbiGwTgLJk2fya5cdiMTzQEAwjbnDnmOPviPabXxuR7ZImitD9HF3UkLbpoBAl\nPBPz8h0/kzfvkx+tTiZ+jbFzGqxaV1/5+4VAiaTJ30pNU3Sqk2VeuZJOfllPBYT7\njcJF113bvl/NdhkFaOwMwLwhh4R6Q44UR5aW9zZWREXm+ku46QMbfM3KWNcH0Zfn\n+mgRcFI38jxGe3oWQFgS1lW6ftcCMkobDgA618CGz1OM1QRX7h2qN+9gLCqmcPwg\nQXghLUharRdKXN7Oj9wFBXpiDPNlRyVT5WDBBmxGbZT3GTL2GyI3wButKQuD0rpm\n59+665QuQWWRxdi/bUzQjO70zcw0sMvvnoQBEVSdJPn6NabSiuooiN9barcAdBOP\nN0T27qrZkhgWPO3Cyb+wZV9NxG8PMBFp1jfDlG5mD9lUsUsitJFoS8wfWiouyaIk\n6DG301+bpxSWHxYkEMZg7D5grrq5Ziut7gC+va/Vm49KXrmheLSOI42n/LOWHYoy\nPgTOPJTDB0/S2vR2SUmtDOCs8ENpSQfg8Jl0xepK68bMEDpBlWypz+7y155iJBSp\n0c404Rh6Mlq65yD+C8l30y8CAwEAAQ==\n-----END PUBLIC KEY-----\n",
"public_key_fingerprints": {
"blake2b": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"blake2s": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"md5": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha1": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha224": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha384": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_224": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_384": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_512": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha512": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"shake_128": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"shake_256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14"
},
"serial_number": 7.301123280537633e+46,
"signature_algorithm": "sha256WithRSAEncryption",
"status": "SUCCESS",
"subject": {
"commonName": "www.ansible.com"
},
"subject_alt_name": [
"DNS:www.ansible.com"
],
"subject_alt_name_critical": false,
"subject_key_identifier": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"subject_ordered": [
[
"commonName",
"www.ansible.com"
]
],
"valid_at": {},
"version": 3
}
}
}

Human Readable Output#

123.123.123.123 - SUCCESS#

  • authority_cert_issuer: None

  • authority_cert_serial_number: None

  • authority_key_identifier: None

  • basic_constraints: None

  • basic_constraints_critical: False

  • changed: False

  • expired: False

  • extended_key_usage: None

  • extended_key_usage_critical: False

  • key_usage: None

  • key_usage_critical: False

  • not_after: 20310706075859Z

  • not_before: 20210708075859Z

  • ocsp_must_staple: None

  • ocsp_must_staple_critical: False

  • ocsp_uri: None

  • public_key: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2JSDcBy4bxZU7jC5I0p6 550ylJDYog5bb60it9bK0QZ9N9pGbCSAaWf1untaYr3zrZysFcmeaQKS75utx7Mc UgzbiGwTgLJk2fya5cdiMTzQEAwjbnDnmOPviPabXxuR7ZImitD9HF3UkLbpoBAl PBPz8h0/kzfvkx+tTiZ+jbFzGqxaV1/5+4VAiaTJ30pNU3Sqk2VeuZJOfllPBYT7 jcJF113bvl/NdhkFaOwMwLwhh4R6Q44UR5aW9zZWREXm+ku46QMbfM3KWNcH0Zfn +mgRcFI38jxGe3oWQFgS1lW6ftcCMkobDgA618CGz1OM1QRX7h2qN+9gLCqmcPwg QXghLUharRdKXN7Oj9wFBXpiDPNlRyVT5WDBBmxGbZT3GTL2GyI3wButKQuD0rpm 59+665QuQWWRxdi/bUzQjO70zcw0sMvvnoQBEVSdJPn6NabSiuooiN9barcAdBOP N0T27qrZkhgWPO3Cyb+wZV9NxG8PMBFp1jfDlG5mD9lUsUsitJFoS8wfWiouyaIk 6DG301+bpxSWHxYkEMZg7D5grrq5Ziut7gC+va/Vm49KXrmheLSOI42n/LOWHYoy PgTOPJTDB0/S2vR2SUmtDOCs8ENpSQfg8Jl0xepK68bMEDpBlWypz+7y155iJBSp 0c404Rh6Mlq65yD+C8l30y8CAwEAAQ== -----END PUBLIC KEY-----

  • serial_number: 73011232805376328985612064552790767398333247880

  • signature_algorithm: sha256WithRSAEncryption

  • subject_alt_name_critical: False

  • subject_key_identifier: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14

  • version: 3

  • Extensions_By_Oid#

    • 1.1.1.1#

      • critical: False
      • value: BBRtlXuXV61dCrNybX135iGY0y8Yxg==
    • 1.1.1.2#

      • critical: False
      • value: MBGCD3d3dy5hbnNpYmxlLmNvbQ==
  • Fingerprints#

    • blake2b: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14:11:11:11:11:11:11:11:15:11:11:11:11:11:11:11:16:11:11:11:11:11:11:11:17:11:11:11:11:11:11:11:18
    • blake2s: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • md5: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha1: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha224: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha384: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_224: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_384: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_512: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha512: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • shake_128: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • shake_256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
  • Issuer#

  • Issuer_Ordered#

  • List#

  • Public_Key_Fingerprints#

    • blake2b: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • blake2s: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • md5: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha1: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha224: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha384: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_224: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_384: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_512: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha512: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • shake_128: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • shake_256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
  • Subject#

  • Subject_Alt_Name#

  • Subject_Ordered#

  • List#

  • Valid_At#

openssl-csr#


Generate OpenSSL Certificate Signing Request (CSR) Further documentation available at https://docs.ansible.com/ansible/2.9/modules/openssl_csr_module.html

Base Command#

openssl-csr

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
stateWhether the certificate signing request should exist or not, taking action if the state is different from what is stated. Possible values are: absent, present. Default is present.Optional
digestThe digest used when signing the certificate signing request with the private key. Default is sha256.Optional
privatekey_pathThe path to the private key to use when signing the certificate signing request.
Required if state is present.
Optional
privatekey_passphraseThe passphrase for the private key.
This is required if the private key is password protected.
Optional
versionThe version of the certificate signing request.
The only allowed value according to RFC 2986,https://tools.ietf.org/html/rfc2986#section-4.1 is 1. Default is 1.
Optional
forceShould the certificate signing request be forced regenerated by this ansible module. Possible values are: Yes, No. Default is No.Optional
pathThe name of the file into which the generated OpenSSL certificate signing request will be written.Required
subjectKey/value pairs that will be present in the subject name field of the certificate signing request.
If you need to specify more than one value with the same key, use a list as value.
Optional
country_nameThe countryName field of the certificate signing request subject.Optional
state_or_province_nameThe stateOrProvinceName field of the certificate signing request subject.Optional
locality_nameThe localityName field of the certificate signing request subject.Optional
organization_nameThe organizationName field of the certificate signing request subject.Optional
organizational_unit_nameThe organizationalUnitName field of the certificate signing request subject.Optional
common_nameThe commonName field of the certificate signing request subject.Optional
email_addressThe emailAddress field of the certificate signing request subject.Optional
subject_alt_nameSAN extension to attach to the certificate signing request.
This can either be a 'comma separated string' or a YAML list.
Values must be prefixed by their options. (i.e., email, URI, DNS, RID, IP, dirName, otherName and the ones specific to your CA)
Note that if no SAN is specified, but a common name, the common name will be added as a SAN except if useCommonNameForSAN is set to false.
More at https://tools.ietf.org/html/rfc5280#section-4.2.1.6.
Optional
subject_alt_name_criticalShould the subjectAltName extension be considered as critical.Optional
use_common_name_for_sanIf set to yes, the module will fill the common name in for subject_alt_name with DNS: prefix if no SAN is specified. Possible values are: Yes, No. Default is Yes.Optional
key_usageThis defines the purpose (e.g. encipherment, signature, certificate signing) of the key contained in the certificate.Optional
key_usage_criticalShould the keyUsage extension be considered as critical.Optional
extended_key_usageAdditional restrictions (e.g. client authentication, server authentication) on the allowed purposes for which the public key may be used.Optional
extended_key_usage_criticalShould the extkeyUsage extension be considered as critical.Optional
basic_constraintsIndicates basic constraints, such as if the certificate is a CA.Optional
basic_constraints_criticalShould the basicConstraints extension be considered as critical.Optional
ocsp_must_stapleIndicates that the certificate should contain the OCSP Must Staple extension (https://tools.ietf.org/html/rfc7633).Optional
ocsp_must_staple_criticalShould the OCSP Must Staple extension be considered as critical
Note that according to the RFC, this extension should not be marked as critical, as old clients not knowing about OCSP Must Staple are required to reject such certificates (see https://tools.ietf.org/html/rfc7633#section-4).
Optional
select_crypto_backendDetermines which crypto backend to use.
The default choice is auto, which tries to use cryptography if available, and falls back to pyopenssl.
If set to pyopenssl, will try to use the pyOpenSSL,https://pypi.org/project/pyOpenSSL/ library.
If set to cryptography, will try to use the cryptography,https://cryptography.io/ library.
Please note that the pyopenssl backend has been deprecated in Ansible 2.9, and will be removed in Ansible 2.13. From that point on, only the cryptography backend will be available. Possible values are: auto, cryptography, pyopenssl. Default is auto.
Optional
backupCreate a backup file including a timestamp so you can get the original CSR back if you overwrote it with a new one by accident. Possible values are: Yes, No. Default is No.Optional
create_subject_key_identifierCreate the Subject Key Identifier from the public key.
Please note that commercial CAs can ignore the value, respectively use a value of their own choice instead. Specifying this option is mostly useful for self-signed certificates or for own CAs.
Note that this is only supported if the cryptography backend is used!. Possible values are: Yes, No. Default is No.
Optional
subject_key_identifierThe subject key identifier as a hex string, where two bytes are separated by colons.
Example: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs.
Note that this option can only be used if create_subject_key_identifier is no.
Note that this is only supported if the cryptography backend is used!.
Optional
authority_key_identifierThe authority key identifier as a hex string, where two bytes are separated by colons.
Example: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
If specified, authority_cert_issuer must also be specified.
Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs.
Note that this is only supported if the cryptography backend is used!
The AuthorityKeyIdentifier will only be added if at least one of authority_key_identifier, authority_cert_issuer and authority_cert_serial_number is specified.
Optional
authority_cert_issuerNames that will be present in the authority cert issuer field of the certificate signing request.
Values must be prefixed by their options. (i.e., email, URI, DNS, RID, IP, dirName, otherName and the ones specific to your CA)
Example: DNS:ca.example.org
If specified, authority_key_identifier must also be specified.
Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs.
Note that this is only supported if the cryptography backend is used!
The AuthorityKeyIdentifier will only be added if at least one of authority_key_identifier, authority_cert_issuer and authority_cert_serial_number is specified.
Optional
authority_cert_serial_numberThe authority cert serial number.
Note that this is only supported if the cryptography backend is used!
Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs.
The AuthorityKeyIdentifier will only be added if at least one of authority_key_identifier, authority_cert_issuer and authority_cert_serial_number is specified.
Optional
modeThe permissions the resulting file or directory should have.
For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number.
Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results.
As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, u+rwx or u=rw,g=r,o=r).
Optional
ownerName of the user that should own the file/directory, as would be fed to chown.Optional
groupName of the group that should own the file/directory, as would be fed to chown.Optional
seuserThe user part of the SELinux file context.
By default it uses the system policy, where applicable.
When set to _default, it will use the user portion of the policy if available.
Optional
seroleThe role part of the SELinux file context.
When set to _default, it will use the role portion of the policy if available.
Optional
setypeThe type part of the SELinux file context.
When set to _default, it will use the type portion of the policy if available.
Optional
selevelThe level part of the SELinux file context.
This is the MLS/MCS attribute, sometimes known as the range.
When set to _default, it will use the level portion of the policy if available. Default is s0.
Optional
unsafe_writesInfluence when to use atomic operation to prevent data corruption or inconsistent reads from the target file.
By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target files, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted files, which cannot be updated atomically from inside the container and can only be written in an unsafe manner.
This option allows Ansible to fall back to unsafe methods of updating files when atomic operations fail (however, it doesn't force Ansible to perform unsafe writes).
IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. Possible values are: Yes, No. Default is No.
Optional
attributesThe attributes the resulting file or directory should have.
To get supported flags look at the man page for chattr on the target system.
This string should contain the attributes in the same order as the one displayed by lsattr.
The = operator is assumed as default, otherwise + or - operators need to be included in the string.
Optional

Context Output#

PathTypeDescription
OpenSSL.OpensslCsr.privatekeystringPath to the TLS/SSL private key the CSR was generated for
OpenSSL.OpensslCsr.filenamestringPath to the generated Certificate Signing Request
OpenSSL.OpensslCsr.subjectunknownA list of the subject tuples attached to the CSR
OpenSSL.OpensslCsr.subjectAltNameunknownThe alternative names this CSR is valid for
OpenSSL.OpensslCsr.keyUsageunknownPurpose for which the public key may be used
OpenSSL.OpensslCsr.extendedKeyUsageunknownAdditional restriction on the public key purposes
OpenSSL.OpensslCsr.basicConstraintsunknownIndicates if the certificate belongs to a CA
OpenSSL.OpensslCsr.ocsp_must_staplebooleanIndicates whether the certificate has the OCSP Must Staple feature enabled
OpenSSL.OpensslCsr.backup_filestringName of backup file created.

Command Example#

!openssl-csr host="123.123.123.123" path="/etc/ssl/csr/www.ansible.com.csr" privatekey_path="/etc/ssl/private/ansible.com.pem" common_name="www.ansible.com"

Context Example#

{
"OpenSSL": {
"OpensslCsr": {
"basicConstraints": null,
"changed": false,
"extendedKeyUsage": null,
"filename": "/etc/ssl/csr/www.ansible.com.csr",
"host": "123.123.123.123",
"keyUsage": null,
"name_constraints_excluded": [],
"name_constraints_permitted": [],
"ocspMustStaple": false,
"privatekey": "/etc/ssl/private/ansible.com.pem",
"status": "SUCCESS",
"subject": [
[
"CN",
"www.ansible.com"
]
],
"subjectAltName": [
"DNS:www.ansible.com"
]
}
}
}

Human Readable Output#

123.123.123.123 - SUCCESS#

  • basicConstraints: None
  • changed: False
  • extendedKeyUsage: None
  • filename: /etc/ssl/csr/www.ansible.com.csr
  • keyUsage: None
  • ocspMustStaple: False
  • privatekey: /etc/ssl/private/ansible.com.pem
  • Name_Constraints_Excluded#

  • Name_Constraints_Permitted#

  • Subject#

  • List#

  • Subjectaltname#

openssl-csr-info#


Provide information of OpenSSL Certificate Signing Requests (CSR) Further documentation available at https://docs.ansible.com/ansible/2.9/modules/openssl_csr_info_module.html

Base Command#

openssl-csr-info

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
pathRemote absolute path where the CSR file is loaded from.Required
select_crypto_backendDetermines which crypto backend to use.
The default choice is auto, which tries to use cryptography if available, and falls back to pyopenssl.
If set to pyopenssl, will try to use the pyOpenSSL,https://pypi.org/project/pyOpenSSL/ library.
If set to cryptography, will try to use the cryptography,https://cryptography.io/ library.
Please note that the pyopenssl backend has been deprecated in Ansible 2.9, and will be removed in Ansible 2.13. From that point on, only the cryptography backend will be available. Possible values are: auto, cryptography, pyopenssl. Default is auto.
Optional

Context Output#

PathTypeDescription
OpenSSL.OpensslCsrInfo.signature_validbooleanWhether the CSR's signature is valid.
In case the check returns `no`, the module will fail.
OpenSSL.OpensslCsrInfo.basic_constraintsunknownEntries in the `basic_constraints` extension, or `none` if extension is not present.
OpenSSL.OpensslCsrInfo.basic_constraints_criticalbooleanWhether the `basic_constraints` extension is critical.
OpenSSL.OpensslCsrInfo.extended_key_usageunknownEntries in the `extended_key_usage` extension, or `none` if extension is not present.
OpenSSL.OpensslCsrInfo.extended_key_usage_criticalbooleanWhether the `extended_key_usage` extension is critical.
OpenSSL.OpensslCsrInfo.extensions_by_oidunknownReturns a dictionary for every extension OID
OpenSSL.OpensslCsrInfo.key_usagestringEntries in the `key_usage` extension, or `none` if extension is not present.
OpenSSL.OpensslCsrInfo.key_usage_criticalbooleanWhether the `key_usage` extension is critical.
OpenSSL.OpensslCsrInfo.subject_alt_nameunknownEntries in the `subject_alt_name` extension, or `none` if extension is not present.
OpenSSL.OpensslCsrInfo.subject_alt_name_criticalbooleanWhether the `subject_alt_name` extension is critical.
OpenSSL.OpensslCsrInfo.ocsp_must_stapleboolean`yes` if the OCSP Must Staple extension is present, `none` otherwise.
OpenSSL.OpensslCsrInfo.ocsp_must_staple_criticalbooleanWhether the `ocsp_must_staple` extension is critical.
OpenSSL.OpensslCsrInfo.subjectunknownThe CSR's subject as a dictionary.
Note that for repeated values, only the last one will be returned.
OpenSSL.OpensslCsrInfo.subject_orderedunknownThe CSR's subject as an ordered list of tuples.
OpenSSL.OpensslCsrInfo.public_keystringCSR's public key in PEM format
OpenSSL.OpensslCsrInfo.public_key_fingerprintsunknownFingerprints of CSR's public key.
For every hash algorithm available, the fingerprint is computed.
OpenSSL.OpensslCsrInfo.subject_key_identifierstringThe CSR's subject key identifier.

The identifier is returned in hexadecimal, with `:` used to separate bytes. Is `none` if the `SubjectKeyIdentifier` extension is not present. | | OpenSSL.OpensslCsrInfo.authority_key_identifier | string | The CSR's authority key identifier. The identifier is returned in hexadecimal, with `:` used to separate bytes. Is `none` if the `AuthorityKeyIdentifier` extension is not present. | | OpenSSL.OpensslCsrInfo.authority_cert_issuer | unknown | The CSR's authority cert issuer as a list of general names. Is `none` if the `AuthorityKeyIdentifier` extension is not present. | | OpenSSL.OpensslCsrInfo.authority_cert_serial_number | number | The CSR's authority cert serial number. Is `none` if the `AuthorityKeyIdentifier` extension is not present. |

Command Example#

!openssl-csr-info host="123.123.123.123" path="/etc/ssl/csr/www.ansible.com.csr"

Context Example#

{
"OpenSSL": {
"OpensslCsrInfo": {
"authority_cert_issuer": null,
"authority_cert_serial_number": null,
"authority_key_identifier": null,
"basic_constraints": null,
"basic_constraints_critical": false,
"changed": false,
"extended_key_usage": null,
"extended_key_usage_critical": false,
"extensions_by_oid": {
"1.1.1.2": {
"critical": false,
"value": "MBGCD3d3dy5hbnNpYmxlLmNvbQ=="
}
},
"host": "123.123.123.123",
"key_usage": null,
"key_usage_critical": false,
"name_constraints_critical": false,
"name_constraints_excluded": null,
"name_constraints_permitted": null,
"ocsp_must_staple": null,
"ocsp_must_staple_critical": false,
"public_key": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2JSDcBy4bxZU7jC5I0p6\n550ylJDYog5bb60it9bK0QZ9N9pGbCSAaWf1untaYr3zrZysFcmeaQKS75utx7Mc\nUgzbiGwTgLJk2fya5cdiMTzQEAwjbnDnmOPviPabXxuR7ZImitD9HF3UkLbpoBAl\nPBPz8h0/kzfvkx+tTiZ+jbFzGqxaV1/5+4VAiaTJ30pNU3Sqk2VeuZJOfllPBYT7\njcJF113bvl/NdhkFaOwMwLwhh4R6Q44UR5aW9zZWREXm+ku46QMbfM3KWNcH0Zfn\n+mgRcFI38jxGe3oWQFgS1lW6ftcCMkobDgA618CGz1OM1QRX7h2qN+9gLCqmcPwg\nQXghLUharRdKXN7Oj9wFBXpiDPNlRyVT5WDBBmxGbZT3GTL2GyI3wButKQuD0rpm\n59+665QuQWWRxdi/bUzQjO70zcw0sMvvnoQBEVSdJPn6NabSiuooiN9barcAdBOP\nN0T27qrZkhgWPO3Cyb+wZV9NxG8PMBFp1jfDlG5mD9lUsUsitJFoS8wfWiouyaIk\n6DG301+bpxSWHxYkEMZg7D5grrq5Ziut7gC+va/Vm49KXrmheLSOI42n/LOWHYoy\nPgTOPJTDB0/S2vR2SUmtDOCs8ENpSQfg8Jl0xepK68bMEDpBlWypz+7y155iJBSp\n0c404Rh6Mlq65yD+C8l30y8CAwEAAQ==\n-----END PUBLIC KEY-----\n",
"public_key_fingerprints": {
"blake2b": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"blake2s": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"md5": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha1": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha224": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha384": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_224": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_384": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_512": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha512": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"shake_128": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"shake_256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14"
},
"signature_valid": true,
"status": "SUCCESS",
"subject": {
"commonName": "www.ansible.com"
},
"subject_alt_name": [
"DNS:www.ansible.com"
],
"subject_alt_name_critical": false,
"subject_key_identifier": null,
"subject_ordered": [
[
"commonName",
"www.ansible.com"
]
]
}
}
}

Human Readable Output#

123.123.123.123 - SUCCESS#

  • authority_cert_issuer: None

  • authority_cert_serial_number: None

  • authority_key_identifier: None

  • basic_constraints: None

  • basic_constraints_critical: False

  • changed: False

  • extended_key_usage: None

  • extended_key_usage_critical: False

  • key_usage: None

  • key_usage_critical: False

  • name_constraints_critical: False

  • name_constraints_excluded: None

  • name_constraints_permitted: None

  • ocsp_must_staple: None

  • ocsp_must_staple_critical: False

  • public_key: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2JSDcBy4bxZU7jC5I0p6 550ylJDYog5bb60it9bK0QZ9N9pGbCSAaWf1untaYr3zrZysFcmeaQKS75utx7Mc UgzbiGwTgLJk2fya5cdiMTzQEAwjbnDnmOPviPabXxuR7ZImitD9HF3UkLbpoBAl PBPz8h0/kzfvkx+tTiZ+jbFzGqxaV1/5+4VAiaTJ30pNU3Sqk2VeuZJOfllPBYT7 jcJF113bvl/NdhkFaOwMwLwhh4R6Q44UR5aW9zZWREXm+ku46QMbfM3KWNcH0Zfn +mgRcFI38jxGe3oWQFgS1lW6ftcCMkobDgA618CGz1OM1QRX7h2qN+9gLCqmcPwg QXghLUharRdKXN7Oj9wFBXpiDPNlRyVT5WDBBmxGbZT3GTL2GyI3wButKQuD0rpm 59+665QuQWWRxdi/bUzQjO70zcw0sMvvnoQBEVSdJPn6NabSiuooiN9barcAdBOP N0T27qrZkhgWPO3Cyb+wZV9NxG8PMBFp1jfDlG5mD9lUsUsitJFoS8wfWiouyaIk 6DG301+bpxSWHxYkEMZg7D5grrq5Ziut7gC+va/Vm49KXrmheLSOI42n/LOWHYoy PgTOPJTDB0/S2vR2SUmtDOCs8ENpSQfg8Jl0xepK68bMEDpBlWypz+7y155iJBSp 0c404Rh6Mlq65yD+C8l30y8CAwEAAQ== -----END PUBLIC KEY-----

  • signature_valid: True

  • subject_alt_name_critical: False

  • subject_key_identifier: None

  • Extensions_By_Oid#

    • 1.1.1.2#

      • critical: False
      • value: MBGCD3d3dy5hbnNpYmxlLmNvbQ==
  • Public_Key_Fingerprints#

    • blake2b: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • blake2s: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • md5: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha1: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha224: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha384: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_224: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_384: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_512: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha512: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • shake_128: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • shake_256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
  • Subject#

  • Subject_Alt_Name#

  • Subject_Ordered#

  • List#

openssl-dhparam#


Generate OpenSSL Diffie-Hellman Parameters Further documentation available at https://docs.ansible.com/ansible/2.9/modules/openssl_dhparam_module.html

Base Command#

openssl-dhparam

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
stateWhether the parameters should exist or not, taking action if the state is different from what is stated. Possible values are: absent, present. Default is present.Optional
sizeSize (in bits) of the generated DH-params. Default is 4096.Optional
forceShould the parameters be regenerated even it it already exists. Possible values are: Yes, No. Default is No.Optional
pathName of the file in which the generated parameters will be saved.Required
backupCreate a backup file including a timestamp so you can get the original DH params back if you overwrote them with new ones by accident. Possible values are: Yes, No. Default is No.Optional
modeThe permissions the resulting file or directory should have.
For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number.
Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results.
As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, u+rwx or u=rw,g=r,o=r).
Optional
ownerName of the user that should own the file/directory, as would be fed to chown.Optional
groupName of the group that should own the file/directory, as would be fed to chown.Optional
seuserThe user part of the SELinux file context.
By default it uses the system policy, where applicable.
When set to _default, it will use the user portion of the policy if available.
Optional
seroleThe role part of the SELinux file context.
When set to _default, it will use the role portion of the policy if available.
Optional
setypeThe type part of the SELinux file context.
When set to _default, it will use the type portion of the policy if available.
Optional
selevelThe level part of the SELinux file context.
This is the MLS/MCS attribute, sometimes known as the range.
When set to _default, it will use the level portion of the policy if available. Default is s0.
Optional
unsafe_writesInfluence when to use atomic operation to prevent data corruption or inconsistent reads from the target file.
By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target files, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted files, which cannot be updated atomically from inside the container and can only be written in an unsafe manner.
This option allows Ansible to fall back to unsafe methods of updating files when atomic operations fail (however, it doesn't force Ansible to perform unsafe writes).
IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. Possible values are: Yes, No. Default is No.
Optional
attributesThe attributes the resulting file or directory should have.
To get supported flags look at the man page for chattr on the target system.
This string should contain the attributes in the same order as the one displayed by lsattr.
The = operator is assumed as default, otherwise + or - operators need to be included in the string.
Optional

Context Output#

PathTypeDescription
OpenSSL.OpensslDhparam.sizenumberSize (in bits) of the Diffie-Hellman parameters.
OpenSSL.OpensslDhparam.filenamestringPath to the generated Diffie-Hellman parameters.
OpenSSL.OpensslDhparam.backup_filestringName of backup file created.

openssl-pkcs12#


Generate OpenSSL PKCS#12 archive Further documentation available at https://docs.ansible.com/ansible/2.9/modules/openssl_pkcs12_module.html

Base Command#

openssl-pkcs12

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
actionexport or parse a PKCS#12. Possible values are: export, parse. Default is export.Optional
other_certificatesList of other certificates to include. Pre 2.8 this parameter was called ca_certificates.Optional
certificate_pathThe path to read certificates and private keys from.
Must be in PEM format.
Optional
forceShould the file be regenerated even if it already exists. Possible values are: Yes, No. Default is No.Optional
friendly_nameSpecifies the friendly name for the certificate and private key.Optional
iter_sizeNumber of times to repeat the encryption step. Default is 2048.Optional
maciter_sizeNumber of times to repeat the MAC step. Default is 1.Optional
passphraseThe PKCS#12 password.Optional
pathFilename to write the PKCS#12 file to.Required
privatekey_passphrasePassphrase source to decrypt any input private keys with.Optional
privatekey_pathFile to read private key from.Optional
stateWhether the file should exist or not. All parameters except path are ignored when state is absent. Possible values are: absent, present. Default is present.Optional
srcPKCS#12 file path to parse.Optional
backupCreate a backup file including a timestamp so you can get the original output file back if you overwrote it with a new one by accident. Possible values are: Yes, No. Default is No.Optional
modeThe permissions the resulting file or directory should have.
For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number.
Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results.
As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, u+rwx or u=rw,g=r,o=r).
Optional
ownerName of the user that should own the file/directory, as would be fed to chown.Optional
groupName of the group that should own the file/directory, as would be fed to chown.Optional
seuserThe user part of the SELinux file context.
By default it uses the system policy, where applicable.
When set to _default, it will use the user portion of the policy if available.
Optional
seroleThe role part of the SELinux file context.
When set to _default, it will use the role portion of the policy if available.
Optional
setypeThe type part of the SELinux file context.
When set to _default, it will use the type portion of the policy if available.
Optional
selevelThe level part of the SELinux file context.
This is the MLS/MCS attribute, sometimes known as the range.
When set to _default, it will use the level portion of the policy if available. Default is s0.
Optional
unsafe_writesInfluence when to use atomic operation to prevent data corruption or inconsistent reads from the target file.
By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target files, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted files, which cannot be updated atomically from inside the container and can only be written in an unsafe manner.
This option allows Ansible to fall back to unsafe methods of updating files when atomic operations fail (however, it doesn't force Ansible to perform unsafe writes).
IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. Possible values are: Yes, No. Default is No.
Optional
attributesThe attributes the resulting file or directory should have.
To get supported flags look at the man page for chattr on the target system.
This string should contain the attributes in the same order as the one displayed by lsattr.
The = operator is assumed as default, otherwise + or - operators need to be included in the string.
Optional

Context Output#

PathTypeDescription
OpenSSL.OpensslPkcs12.filenamestringPath to the generate PKCS#12 file.
OpenSSL.OpensslPkcs12.privatekeystringPath to the TLS/SSL private key the public key was generated from.
OpenSSL.OpensslPkcs12.backup_filestringName of backup file created.

Command Example#

!openssl-pkcs12 host="123.123.123.123" action="export" path="/opt/certs/ansible.p12" friendly_name="raclette" privatekey_path="/etc/ssl/private/ansible.com.pem" certificate_path="/etc/ssl/crt/ansible.com.crt" other_certificates="/etc/ssl/crt/ca.crt" state="present"

Context Example#

{
"OpenSSL": {
"OpensslPkcs12": {
"changed": false,
"filename": "/opt/certs/ansible.p12",
"host": "123.123.123.123",
"mode": "0400",
"privatekey_path": "/etc/ssl/private/ansible.com.pem",
"status": "SUCCESS"
}
}
}

Human Readable Output#

123.123.123.123 - SUCCESS#

  • changed: False
  • filename: /opt/certs/ansible.p12
  • mode: 0400
  • privatekey_path: /etc/ssl/private/ansible.com.pem

openssl-privatekey#


Generate OpenSSL private keys Further documentation available at https://docs.ansible.com/ansible/2.9/modules/openssl_privatekey_module.html

Base Command#

openssl-privatekey

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
stateWhether the private key should exist or not, taking action if the state is different from what is stated. Possible values are: absent, present. Default is present.Optional
sizeSize (in bits) of the TLS/SSL key to generate. Default is 4096.Optional
typeThe algorithm used to generate the TLS/SSL private key.
Note that ECC, X25519, X448, Ed25519 and Ed448 require the cryptography backend. X25519 needs cryptography 2.5 or newer, while X448, Ed25519 and Ed448 require cryptography 2.6 or newer. For ECC, the minimal cryptography version required depends on the curve option. Possible values are: DSA, ECC, Ed25519, Ed448, RSA, X25519, X448. Default is RSA.
Optional
curveNote that not all curves are supported by all versions of cryptography.
For maximal interoperability, secp384r1 or secp256r1 should be used.
We use the curve names as defined in the IANA registry for TLS,https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8. Possible values are: secp384r1, secp521r1, secp224r1, secp192r1, secp256r1, secp256k1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, sect571k1, sect409k1, sect283k1, sect233k1, sect163k1, sect571r1, sect409r1, sect283r1, sect233r1, sect163r2.
Optional
forceShould the key be regenerated even if it already exists. Possible values are: Yes, No. Default is No.Optional
pathName of the file in which the generated TLS/SSL private key will be written. It will have 0600 mode.Required
passphraseThe passphrase for the private key.Optional
cipherThe cipher to encrypt the private key. (Valid values can be found by running openssl list -cipher-algorithms or openssl list-cipher-algorithms, depending on your OpenSSL version.)
When using the cryptography backend, use auto.
Optional
select_crypto_backendDetermines which crypto backend to use.
The default choice is auto, which tries to use cryptography if available, and falls back to pyopenssl.
If set to pyopenssl, will try to use the pyOpenSSL,https://pypi.org/project/pyOpenSSL/ library.
If set to cryptography, will try to use the cryptography,https://cryptography.io/ library.
Please note that the pyopenssl backend has been deprecated in Ansible 2.9, and will be removed in Ansible 2.13. From that point on, only the cryptography backend will be available. Possible values are: auto, cryptography, pyopenssl. Default is auto.
Optional
backupCreate a backup file including a timestamp so you can get the original private key back if you overwrote it with a new one by accident. Possible values are: Yes, No. Default is No.Optional
modeThe permissions the resulting file or directory should have.
For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number.
Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results.
As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, u+rwx or u=rw,g=r,o=r).
Optional
ownerName of the user that should own the file/directory, as would be fed to chown.Optional
groupName of the group that should own the file/directory, as would be fed to chown.Optional
seuserThe user part of the SELinux file context.
By default it uses the system policy, where applicable.
When set to _default, it will use the user portion of the policy if available.
Optional
seroleThe role part of the SELinux file context.
When set to _default, it will use the role portion of the policy if available.
Optional
setypeThe type part of the SELinux file context.
When set to _default, it will use the type portion of the policy if available.
Optional
selevelThe level part of the SELinux file context.
This is the MLS/MCS attribute, sometimes known as the range.
When set to _default, it will use the level portion of the policy if available. Default is s0.
Optional
unsafe_writesInfluence when to use atomic operation to prevent data corruption or inconsistent reads from the target file.
By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target files, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted files, which cannot be updated atomically from inside the container and can only be written in an unsafe manner.
This option allows Ansible to fall back to unsafe methods of updating files when atomic operations fail (however, it doesn't force Ansible to perform unsafe writes).
IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. Possible values are: Yes, No. Default is No.
Optional
attributesThe attributes the resulting file or directory should have.
To get supported flags look at the man page for chattr on the target system.
This string should contain the attributes in the same order as the one displayed by lsattr.
The = operator is assumed as default, otherwise + or - operators need to be included in the string.
Optional

Context Output#

PathTypeDescription
OpenSSL.OpensslPrivatekey.sizenumberSize (in bits) of the TLS/SSL private key.
OpenSSL.OpensslPrivatekey.typestringAlgorithm used to generate the TLS/SSL private key.
OpenSSL.OpensslPrivatekey.curvestringElliptic curve used to generate the TLS/SSL private key.
OpenSSL.OpensslPrivatekey.filenamestringPath to the generated TLS/SSL private key file.
OpenSSL.OpensslPrivatekey.fingerprintunknownThe fingerprint of the public key. Fingerprint will be generated for each `hashlib.algorithms` available.
The PyOpenSSL backend requires PyOpenSSL >= 16.0 for meaningful output.
OpenSSL.OpensslPrivatekey.backup_filestringName of backup file created.

Command Example#

!openssl-privatekey host="123.123.123.123" path="/etc/ssl/private/ansible.com.pem"

Context Example#

{
"OpenSSL": {
"OpensslPrivatekey": {
"changed": false,
"filename": "/etc/ssl/private/ansible.com.pem",
"fingerprint": {
"blake2b": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"blake2s": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"md5": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha1": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha224": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha384": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_224": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_384": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_512": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha512": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"shake_128": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"shake_256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14"
},
"host": "123.123.123.123",
"size": 4096,
"status": "SUCCESS",
"type": "RSA"
}
}
}

Human Readable Output#

123.123.123.123 - SUCCESS#

  • changed: False
  • filename: /etc/ssl/private/ansible.com.pem
  • size: 4096
  • type: RSA
  • Fingerprint#

    • blake2b: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • blake2s: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • md5: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha1: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha224: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha384: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_224: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_384: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_512: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha512: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • shake_128: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • shake_256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14

openssl-privatekey-info#


Provide information for OpenSSL private keys Further documentation available at https://docs.ansible.com/ansible/2.9/modules/openssl_privatekey_info_module.html

Base Command#

openssl-privatekey-info

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
pathRemote absolute path where the private key file is loaded from.Required
passphraseThe passphrase for the private key.Optional
return_private_key_dataWhether to return private key data.
Only set this to yes when you want private information about this key to leave the remote machine.
WARNING: you have to make sure that private key data isn't accidentally logged!. Possible values are: Yes, No. Default is No.
Optional
select_crypto_backendDetermines which crypto backend to use.
The default choice is auto, which tries to use cryptography if available, and falls back to pyopenssl.
If set to pyopenssl, will try to use the pyOpenSSL,https://pypi.org/project/pyOpenSSL/ library.
If set to cryptography, will try to use the cryptography,https://cryptography.io/ library.
Please note that the pyopenssl backend has been deprecated in Ansible 2.9, and will be removed in Ansible 2.13. From that point on, only the cryptography backend will be available. Possible values are: auto, cryptography, pyopenssl. Default is auto.
Optional

Context Output#

PathTypeDescription
OpenSSL.OpensslPrivatekeyInfo.can_load_keybooleanWhether the module was able to load the private key from disk
OpenSSL.OpensslPrivatekeyInfo.can_parse_keybooleanWhether the module was able to parse the private key
OpenSSL.OpensslPrivatekeyInfo.key_is_consistentbooleanWhether the key is consistent. Can also return `none` next to `yes` and `no`, to indicate that consistency couldn't be checked.
In case the check returns `no`, the module will fail.
OpenSSL.OpensslPrivatekeyInfo.public_keystringPrivate key's public key in PEM format
OpenSSL.OpensslPrivatekeyInfo.public_key_fingerprintsunknownFingerprints of private key's public key.
For every hash algorithm available, the fingerprint is computed.
OpenSSL.OpensslPrivatekeyInfo.typestringThe key's type.

One of `RSA`, `DSA`, `ECC`, `Ed25519`, `X25519`, `Ed448`, or `X448`. Will start with `unknown` if the key type cannot be determined. | | OpenSSL.OpensslPrivatekeyInfo.public_data | unknown | Public key data. Depends on key type. | | OpenSSL.OpensslPrivatekeyInfo.private_data | unknown | Private key data. Depends on key type. |

openssl-publickey#


Generate an OpenSSL public key from its private key. Further documentation available at https://docs.ansible.com/ansible/2.9/modules/openssl_publickey_module.html

Base Command#

openssl-publickey

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
stateWhether the public key should exist or not, taking action if the state is different from what is stated. Possible values are: absent, present. Default is present.Optional
forceShould the key be regenerated even it it already exists. Possible values are: Yes, No. Default is No.Optional
formatThe format of the public key. Possible values are: OpenSSH, PEM. Default is PEM.Optional
pathName of the file in which the generated TLS/SSL public key will be written.Required
privatekey_pathPath to the TLS/SSL private key from which to generate the public key.
Required if state is present.
Optional
privatekey_passphraseThe passphrase for the private key.Optional
backupCreate a backup file including a timestamp so you can get the original public key back if you overwrote it with a different one by accident. Possible values are: Yes, No. Default is No.Optional
select_crypto_backendDetermines which crypto backend to use.
The default choice is auto, which tries to use cryptography if available, and falls back to pyopenssl.
If set to pyopenssl, will try to use the pyOpenSSL,https://pypi.org/project/pyOpenSSL/ library.
If set to cryptography, will try to use the cryptography,https://cryptography.io/ library. Possible values are: auto, cryptography, pyopenssl. Default is auto.
Optional
modeThe permissions the resulting file or directory should have.
For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number.
Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results.
As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, u+rwx or u=rw,g=r,o=r).
Optional
ownerName of the user that should own the file/directory, as would be fed to chown.Optional
groupName of the group that should own the file/directory, as would be fed to chown.Optional
seuserThe user part of the SELinux file context.
By default it uses the system policy, where applicable.
When set to _default, it will use the user portion of the policy if available.
Optional
seroleThe role part of the SELinux file context.
When set to _default, it will use the role portion of the policy if available.
Optional
setypeThe type part of the SELinux file context.
When set to _default, it will use the type portion of the policy if available.
Optional
selevelThe level part of the SELinux file context.
This is the MLS/MCS attribute, sometimes known as the range.
When set to _default, it will use the level portion of the policy if available. Default is s0.
Optional
unsafe_writesInfluence when to use atomic operation to prevent data corruption or inconsistent reads from the target file.
By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target files, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted files, which cannot be updated atomically from inside the container and can only be written in an unsafe manner.
This option allows Ansible to fall back to unsafe methods of updating files when atomic operations fail (however, it doesn't force Ansible to perform unsafe writes).
IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. Possible values are: Yes, No. Default is No.
Optional
attributesThe attributes the resulting file or directory should have.
To get supported flags look at the man page for chattr on the target system.
This string should contain the attributes in the same order as the one displayed by lsattr.
The = operator is assumed as default, otherwise + or - operators need to be included in the string.
Optional

Context Output#

PathTypeDescription
OpenSSL.OpensslPublickey.privatekeystringPath to the TLS/SSL private key the public key was generated from.
OpenSSL.OpensslPublickey.formatstringThe format of the public key (PEM, OpenSSH, ...).
OpenSSL.OpensslPublickey.filenamestringPath to the generated TLS/SSL public key file.
OpenSSL.OpensslPublickey.fingerprintunknownThe fingerprint of the public key. Fingerprint will be generated for each hashlib.algorithms available.
Requires PyOpenSSL >= 16.0 for meaningful output.
OpenSSL.OpensslPublickey.backup_filestringName of backup file created.

Command Example#

!openssl-publickey host="123.123.123.123" path="/etc/ssl/public/ansible.com.pem" privatekey_path="/etc/ssl/private/ansible.com.pem"

Context Example#

{
"OpenSSL": {
"OpensslPublickey": {
"changed": false,
"filename": "/etc/ssl/public/ansible.com.pem",
"fingerprint": {
"blake2b": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"blake2s": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"md5": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha1": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha224": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha384": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_224": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_384": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha3_512": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"sha512": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"shake_128": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14",
"shake_256": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14"
},
"format": "PEM",
"host": "123.123.123.123",
"privatekey": "/etc/ssl/private/ansible.com.pem",
"status": "SUCCESS"
}
}
}

Human Readable Output#

123.123.123.123 - SUCCESS#

  • changed: False
  • filename: /etc/ssl/public/ansible.com.pem
  • format: PEM
  • privatekey: /etc/ssl/private/ansible.com.pem
  • Fingerprint#

    • blake2b: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • blake2s: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • md5: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha1: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha224: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha384: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_224: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_384: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha3_512: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • sha512: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • shake_128: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14
    • shake_256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:12:11:11:11:11:11:11:11:13:11:11:11:11:11:11:11:14

openssl-certificate-complete-chain#


Complete certificate chain given a set of untrusted and root certificates Further documentation available at https://docs.ansible.com/ansible/2.9/modules/certificate_complete_chain_module.html

Base Command#

openssl-certificate-complete-chain

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
input_chainA concatenated set of certificates in PEM format forming a chain.
The module will try to complete this chain.
Required
root_certificatesA list of filenames or directories.
A filename is assumed to point to a file containing one or more certificates in PEM format. All certificates in this file will be added to the set of root certificates.
If a directory name is given, all files in the directory and its subdirectories will be scanned and tried to be parsed as concatenated certificates in PEM format.
Symbolic links will be followed.
Required
intermediate_certificatesA list of filenames or directories.
A filename is assumed to point to a file containing one or more certificates in PEM format. All certificates in this file will be added to the set of root certificates.
If a directory name is given, all files in the directory and its subdirectories will be scanned and tried to be parsed as concatenated certificates in PEM format.
Symbolic links will be followed.
Optional

Context Output#

PathTypeDescription
OpenSSL.CertificateCompleteChain.rootstringThe root certificate in PEM format.
OpenSSL.CertificateCompleteChain.chainunknownThe chain added to the given input chain. Includes the root certificate.
Returned as a list of PEM certificates.
OpenSSL.CertificateCompleteChain.complete_chainunknownThe completed chain, including leaf, all intermediates, and root.
Returned as a list of PEM certificates.

openssl-get-certificate#


Get a certificate from a host:port Further documentation available at https://docs.ansible.com/ansible/2.9/modules/get_certificate_module.html

Base Command#

openssl-get-certificate

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
ansible-module-hostThe host to get the cert for (IP is fine).Required
ca_certA PEM file containing one or more root certificates; if present, the cert will be validated against these root certs.
Note that this only validates the certificate is signed by the chain; not that the cert is valid for the host presenting it.
Optional
portThe port to connect to.Required
proxy_hostProxy host used when get a certificate.Optional
proxy_portProxy port used when get a certificate. Default is 8080.Optional
timeoutThe timeout in seconds. Default is 10.Optional
select_crypto_backendDetermines which crypto backend to use.
The default choice is auto, which tries to use cryptography if available, and falls back to pyopenssl.
If set to pyopenssl, will try to use the pyOpenSSL,https://pypi.org/project/pyOpenSSL/ library.
If set to cryptography, will try to use the cryptography,https://cryptography.io/ library. Possible values are: auto, cryptography, pyopenssl. Default is auto.
Optional

Context Output#

PathTypeDescription
OpenSSL.GetCertificate.certstringThe certificate retrieved from the port
OpenSSL.GetCertificate.expiredbooleanBoolean indicating if the cert is expired
OpenSSL.GetCertificate.extensionsunknownExtensions applied to the cert
OpenSSL.GetCertificate.issuerunknownInformation about the issuer of the cert
OpenSSL.GetCertificate.not_afterstringExpiration date of the cert
OpenSSL.GetCertificate.not_beforestringIssue date of the cert
OpenSSL.GetCertificate.serial_numberstringThe serial number of the cert
OpenSSL.GetCertificate.signature_algorithmstringThe algorithm used to sign the cert
OpenSSL.GetCertificate.subjectunknownInformation about the subject of the cert (OU, CN, etc)
OpenSSL.GetCertificate.versionstringThe version number of the certificate

Troubleshooting#

The Ansible-Runner container is not suitable for running as a non-root user. Therefore, the Ansible integrations will fail if you follow the instructions in the Cortex XSOAR Docker Hardening Guide.

The docker.run.internal.asuser server configuration causes the software that is run inside of the Docker containers utilized by Cortex XSOAR to run as a non-root user account inside the container.

The Ansible-Runner software is required to run as root as it applies its own isolation via bwrap to the Ansible execution environment.

This is a limitation of the Ansible-Runner software itself https://github.com/ansible/ansible-runner/issues/611.

A workaround is to use the docker.run.internal.asuser.ignore server setting and to configure Cortex XSOAR to ignore the Ansible container image by setting the value of demisto/ansible-runner and afterwards running /reset_containers to reload any containers that might be running to ensure they receive the configuration.

See step 2 of this guide for complete instructions.