W3cubDocs

/Ansible

community.crypto.x509_certificate_info filter – Retrieve information from X.509 certificates in PEM format

Note

This filter plugin is part of the community.crypto collection (version 2.26.5).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.crypto. You need further requirements to be able to use this filter plugin, see Requirements for details.

To use it in a playbook, specify: community.crypto.x509_certificate_info.

New in community.crypto 2.10.0

Synopsis
Requirements
Input
Keyword parameters
See Also
Examples
Return Value

Synopsis

Provided a X.509 certificate in PEM format, retrieve information.
This is a filter version of the community.crypto.x509_certificate_info module.

Requirements

The below requirements are needed on the local controller node that executes this filter.

If name_encoding is set to another value than ignore, the idna Python library needs to be installed.

Input

This describes the input of the filter, the value before | community.crypto.x509_certificate_info.

Parameter	Comments
Input string / required	The content of the X.509 certificate in PEM format.

Keyword parameters

This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following example: input | community.crypto.x509_certificate_info(key1=value1, key2=value2, ...)

Parameter	Comments
name_encoding string	How to encode names (DNS names, URIs, email addresses) in return values. `ignore` will use the encoding returned by the backend. `idna` will convert all labels of domain names to IDNA encoding. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 encoding fails. `unicode` will convert all labels of domain names to Unicode. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 decoding fails. Note that `idna` and `unicode` require the idna Python library to be installed. Choices: `"ignore"` ← (default) `"idna"` `"unicode"`

Parameter

Comments

name_encoding

string

How to encode names (DNS names, URIs, email addresses) in return values.

ignore will use the encoding returned by the backend.

idna will convert all labels of domain names to IDNA encoding. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 encoding fails.

unicode will convert all labels of domain names to Unicode. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 decoding fails.

Note that idna and unicode require the idna Python library to be installed.

Choices:

"ignore" ← (default)
"idna"
"unicode"

Examples

---
- name: Show the Subject Alt Names of the certificate
  ansible.builtin.debug:
    msg: >-
      {{
        (
          lookup('ansible.builtin.file', '/path/to/cert.pem')
          | community.crypto.x509_certificate_info
        ).subject_alt_name | join(', ')
      }}

Return Value

Key	Description
Return value dictionary	Information on the certificate. Returned: success
authority_cert_issuer list / elements=string	The certificate’s authority cert issuer as a list of general names. Is `none` if the `AuthorityKeyIdentifier` extension is not present. See `name_encoding` for how IDNs are handled. Returned: success Sample: `["DNS:www.ansible.com", "IP:1.2.3.4"]`
authority_cert_serial_number integer	The certificate’s authority cert serial number. Is `none` if the `AuthorityKeyIdentifier` extension is not present. This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as `11:22:33`, you need to convert it to that form with community.crypto.to_serial. Returned: success Sample: `12345`
authority_key_identifier string	The certificate’s authority key identifier. The identifier is returned in hexadecimal, with `:` used to separate bytes. Is `none` if the `AuthorityKeyIdentifier` extension is not present. Returned: success Sample: `"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33"`
basic_constraints list / elements=string	Entries in the `basic_constraints` extension, or `none` if extension is not present. Returned: success Sample: `["CA:TRUE", "pathlen:1"]`
basic_constraints_critical boolean	Whether the `basic_constraints` extension is critical. Returned: success
expired boolean	Whether the certificate is expired (in other words, `notAfter` is in the past). Returned: success
extended_key_usage list / elements=string	Entries in the `extended_key_usage` extension, or `none` if extension is not present. Returned: success Sample: `["Biometric Info", "DVCS", "Time Stamping"]`
extended_key_usage_critical boolean	Whether the `extended_key_usage` extension is critical. Returned: success
extensions_by_oid dictionary	Returns a dictionary for every extension OID. Returned: success Sample: `{"1.3.6.1.5.5.7.1.24": {"critical": false, "value": "MAMCAQU="}}`
critical boolean	Whether the extension is critical. Returned: success
value string	The Base64 encoded value (in DER format) of the extension. Note that depending on the `cryptography` version used, it is not possible to extract the ASN.1 content of the extension, but only to provide the re-encoded content of the extension in case it was parsed by `cryptography`. This should usually result in exactly the same value, except if the original extension value was malformed. Returned: success Sample: `"MAMCAQU="`
fingerprints dictionary	Fingerprints of the DER-encoded form of the whole certificate. For every hash algorithm available, the fingerprint is computed. Returned: success Sample: `"{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."`
issuer dictionary	The certificate’s issuer. Note that for repeated values, only the last one will be returned. Returned: success Sample: `{"commonName": "ca.example.com", "organizationName": "Ansible"}`
issuer_ordered list / elements=list	The certificate’s issuer as an ordered list of tuples. Returned: success Sample: `[["organizationName", "Ansible"], [{"commonName": "ca.example.com"}]]`
issuer_uri string	The Issuer URI, if included in the certificate. Will be `none` if no issuer URI is included. Returned: success
key_usage string	Entries in the `key_usage` extension, or `none` if extension is not present. Returned: success Sample: `"['Key Agreement', 'Data Encipherment']"`
key_usage_critical boolean	Whether the `key_usage` extension is critical. Returned: success
not_after string	`notAfter` date as ASN.1 TIME. Returned: success Sample: `"20190413202428Z"`
not_before string	`notBefore` date as ASN.1 TIME. Returned: success Sample: `"20190331202428Z"`
ocsp_must_staple boolean	`true` if the OCSP Must Staple extension is present, `none` otherwise. Returned: success
ocsp_must_staple_critical boolean	Whether the `ocsp_must_staple` extension is critical. Returned: success
ocsp_uri string	The OCSP responder URI, if included in the certificate. Will be `none` if no OCSP responder URI is included. Returned: success
public_key string	Certificate’s public key in PEM format. Returned: success Sample: `"-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A..."`
public_key_data dictionary	Public key data. Depends on the public key’s type. Returned: success
curve string	The curve’s name for ECC. Returned: When `_value.public_key_type=ECC`
exponent integer	The RSA key’s public exponent. Returned: When `_value.public_key_type=RSA`
exponent_size integer	The maximum number of bits of a private key. This is basically the bit size of the subgroup used. Returned: When `_value.public_key_type=ECC`
g integer	The `g` value for DSA. This is the element spanning the subgroup of the multiplicative group of the prime field used. Returned: When `_value.public_key_type=DSA`
modulus integer	The RSA key’s modulus. Returned: When `_value.public_key_type=RSA`
p integer	The `p` value for DSA. This is the prime modulus upon which arithmetic takes place. Returned: When `_value.public_key_type=DSA`
q integer	The `q` value for DSA. This is a prime that divides `p - 1`, and at the same time the order of the subgroup of the multiplicative group of the prime field used. Returned: When `_value.public_key_type=DSA`
size integer	Bit size of modulus (RSA) or prime number (DSA). Returned: When `_value.public_key_type=RSA` or `_value.public_key_type=DSA`
x integer	The `x` coordinate for the public point on the elliptic curve. Returned: When `_value.public_key_type=ECC`
y integer	For `_value.public_key_type=ECC`, this is the `y` coordinate for the public point on the elliptic curve. For `_value.public_key_type=DSA`, this is the publicly known group element whose discrete logarithm with respect to `g` is the private key. Returned: When `_value.public_key_type=DSA` or `_value.public_key_type=ECC`
public_key_fingerprints dictionary	Fingerprints of certificate’s public key. For every hash algorithm available, the fingerprint is computed. Returned: success Sample: `"{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."`
public_key_type string	The certificate’s public key’s type. One of `RSA`, `DSA`, `ECC`, `Ed25519`, `X25519`, `Ed448`, or `X448`. Will start with `unknown` if the key type cannot be determined. Returned: success Sample: `"RSA"`
serial_number integer	The certificate’s serial number. This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as `11:22:33`, you need to convert it to that form with community.crypto.to_serial. Returned: success Sample: `1234`
signature_algorithm string	The signature algorithm used to sign the certificate. Returned: success Sample: `"sha256WithRSAEncryption"`
subject dictionary	The certificate’s subject as a dictionary. Note that for repeated values, only the last one will be returned. Returned: success Sample: `{"commonName": "www.example.com", "emailAddress": "[email protected]"}`
subject_alt_name list / elements=string	Entries in the `subject_alt_name` extension, or `none` if extension is not present. See `name_encoding` for how IDNs are handled. Returned: success Sample: `["DNS:www.ansible.com", "IP:1.2.3.4"]`
subject_alt_name_critical boolean	Whether the `subject_alt_name` extension is critical. Returned: success
subject_key_identifier string	The certificate’s subject key identifier. The identifier is returned in hexadecimal, with `:` used to separate bytes. Is `none` if the `SubjectKeyIdentifier` extension is not present. Returned: success Sample: `"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33"`
subject_ordered list / elements=list	The certificate’s subject as an ordered list of tuples. Returned: success Sample: `[["commonName", "www.example.com"], [{"emailAddress": "[email protected]"}]]`
version integer	The certificate version. Returned: success Sample: `3`

Authors

Felix Fontein (@felixfontein)

Collection links

© 2012–2018 Michael DeHaan
© 2018–2025 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_info_filter.html