Note
This plugin is part of the community.crypto collection (version 1.9.6).
You might already have this collection installed if you are using the ansible
package. It is not included in ansible-core
. To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.crypto
.
To use it in a playbook, specify: community.crypto.openssl_csr_info
.
select_crypto_backend
). Please note that the PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0.The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments |
---|---|---|
content string added in 1.0.0 of community.crypto | Content of the CSR file. Either path or content must be specified, but not both. | |
path path | Remote absolute path where the CSR file is loaded from. Either path or content must be specified, but not both. | |
select_crypto_backend string |
| Determines which crypto backend to use. The default choice is auto , which tries to use cryptography if available, and falls back to pyopenssl .If set to pyopenssl , will try to use the pyOpenSSL library.If set to cryptography , will try to use the cryptography library.Please note that the pyopenssl backend has been deprecated in Ansible 2.9, and will be removed in community.crypto 2.0.0. From that point on, only the cryptography backend will be available. |
See also
The official documentation on the community.crypto.openssl_csr module.
The official documentation on the community.crypto.openssl_csr_pipe module.
- name: Generate an OpenSSL Certificate Signing Request community.crypto.openssl_csr: path: /etc/ssl/csr/www.ansible.com.csr privatekey_path: /etc/ssl/private/ansible.com.pem common_name: www.ansible.com - name: Get information on the CSR community.crypto.openssl_csr_info: path: /etc/ssl/csr/www.ansible.com.csr register: result - name: Dump information debug: var: result
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description | |
---|---|---|---|
authority_cert_issuer list / elements=string | success and if the pyOpenSSL backend is not used | The CSR's authority cert issuer as a list of general names. Is none if the AuthorityKeyIdentifier extension is not present.Sample: [DNS:www.ansible.com, IP:1.2.3.4] | |
authority_cert_serial_number integer | success and if the pyOpenSSL backend is not used | The CSR's authority cert serial number. Is none if the AuthorityKeyIdentifier extension is not present.Sample: 12345 | |
authority_key_identifier string | success and if the pyOpenSSL backend is not used | The CSR's authority key identifier. The identifier is returned in hexadecimal, with : used to separate bytes.Is none if the AuthorityKeyIdentifier extension is not present.Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33 | |
basic_constraints list / elements=string | success | Entries in the basic_constraints extension, or none if extension is not present.Sample: [CA:TRUE, pathlen:1] | |
basic_constraints_critical boolean | success | Whether the basic_constraints extension is critical. | |
extended_key_usage list / elements=string | success | Entries in the extended_key_usage extension, or none if extension is not present.Sample: [Biometric Info, DVCS, Time Stamping] | |
extended_key_usage_critical boolean | success | Whether the extended_key_usage extension is critical. | |
extensions_by_oid dictionary | success | Returns a dictionary for every extension OID Sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}} | |
critical boolean | success | Whether the extension is critical. | |
value string | success | The Base64 encoded value (in DER format) of the extension Sample: MAMCAQU= | |
key_usage string | success | Entries in the key_usage extension, or none if extension is not present.Sample: [Key Agreement, Data Encipherment] | |
key_usage_critical boolean | success | Whether the key_usage extension is critical. | |
name_constraints_critical boolean added in 1.1.0 of community.crypto | success | Whether the name_constraints extension is critical.Is none if extension is not present. | |
name_constraints_excluded list / elements=string added in 1.1.0 of community.crypto | success | List of excluded subtrees the CA cannot sign certificates for. Is none if extension is not present.Sample: ['email:.com'] | |
name_constraints_permitted list / elements=string added in 1.1.0 of community.crypto | success | List of permitted subtrees to sign certificates for. Sample: ['email:.somedomain.com'] | |
ocsp_must_staple boolean | success | yes if the OCSP Must Staple extension is present, none otherwise. | |
ocsp_must_staple_critical boolean | success | Whether the ocsp_must_staple extension is critical. | |
public_key string | success | CSR's public key in PEM format Sample: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A... | |
public_key_data dictionary added in 1.7.0 of community.crypto | success | Public key data. Depends on the public key's type. | |
curve string | When public_key_type=ECC
| The curve's name for ECC. | |
exponent integer | When public_key_type=RSA
| The RSA key's public exponent. | |
exponent_size integer | When public_key_type=ECC
| The maximum number of bits of a private key. This is basically the bit size of the subgroup used. | |
g integer | When public_key_type=DSA
| The g value for DSA.This is the element spanning the subgroup of the multiplicative group of the prime field used. | |
modulus integer | When public_key_type=RSA
| The RSA key's modulus. | |
p integer | When public_key_type=DSA
| The p value for DSA.This is the prime modulus upon which arithmetic takes place. | |
q integer | When public_key_type=DSA
| The q value for DSA.This is a prime that divides p - 1 , and at the same time the order of the subgroup of the multiplicative group of the prime field used. | |
size integer | When public_key_type=RSA or public_key_type=DSA
| Bit size of modulus (RSA) or prime number (DSA). | |
x integer | When public_key_type=ECC
| The x coordinate for the public point on the elliptic curve. | |
y integer | When public_key_type=DSA or public_key_type=ECC
| For public_key_type=ECC , this is the y coordinate for the public point on the elliptic curve.For public_key_type=DSA , this is the publicly known group element whose discrete logarithm w.r.t. g is the private key. | |
public_key_fingerprints dictionary | success | Fingerprints of CSR's public key. For every hash algorithm available, the fingerprint is computed. Sample: {'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1... | |
public_key_type string added in 1.7.0 of community.crypto | success | The CSR's public key's type. One of RSA , DSA , ECC , Ed25519 , X25519 , Ed448 , or X448 .Will start with unknown if the key type cannot be determined.Sample: RSA | |
signature_valid boolean | success | Whether the CSR's signature is valid. In case the check returns no , the module will fail. | |
subject dictionary | success | The CSR's subject as a dictionary. Note that for repeated values, only the last one will be returned. Sample: {"commonName": "www.example.com", "emailAddress": "[email protected]"} | |
subject_alt_name list / elements=string | success | Entries in the subject_alt_name extension, or none if extension is not present.Sample: [DNS:www.ansible.com, IP:1.2.3.4] | |
subject_alt_name_critical boolean | success | Whether the subject_alt_name extension is critical. | |
subject_key_identifier string | success and if the pyOpenSSL backend is not used | The CSR's subject key identifier. The identifier is returned in hexadecimal, with : used to separate bytes.Is none if the SubjectKeyIdentifier extension is not present.Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33 | |
subject_ordered list / elements=list | success | The CSR's subject as an ordered list of tuples. Sample: [["commonName", "www.example.com"], ["emailAddress": "[email protected]"]] |
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_info_module.html