W3cubDocs

/Ansible

community.general.java_cert – Uses keytool to import/remove certificate to/from java keystore (cacerts)

Note

This plugin is part of the community.general collection (version 3.8.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.java_cert.

Synopsis
Requirements
Parameters
Examples
Return Values

Synopsis

This is a wrapper module around keytool, which can be used to import certificates and optionally private keys to a given java keystore, or remove them from it.

Requirements

The below requirements are needed on the host that executes this module.

openssl
keytool

Parameters

Parameter	Choices/Defaults	Comments
cert_alias string		Imported certificate alias. The alias is used when checking for the presence of a certificate in the keystore.
cert_path path		Local path to load certificate from. Exactly one of `cert_url`, `cert_path` or `pkcs12_path` is required to load certificate.
cert_port integer	Default: 443	Port to connect to URL. This will be used to create server URL:PORT.
cert_url string		Basic URL to fetch SSL certificate from. Exactly one of `cert_url`, `cert_path` or `pkcs12_path` is required to load certificate.
executable string	Default: "keytool"	Path to keytool binary if not used we search in PATH for it.
keystore_create boolean	Choices: no ← yes	Create keystore if it does not exist.
keystore_pass string / required		Keystore password.
keystore_path path		Path to keystore.
keystore_type string		Keystore type (JCEKS, JKS).
pkcs12_alias string		Alias in the PKCS12 keystore.
pkcs12_password string	Default: ""	Password for importing from PKCS12 keystore.
pkcs12_path path		Local path to load PKCS12 keystore from. Unlike `cert_url` and `cert_path`, the PKCS12 keystore embeds the private key matching the certificate, and is used to import both the certificate and its private key into the java keystore. Exactly one of `cert_url`, `cert_path` or `pkcs12_path` is required to load certificate.
state string	Choices: absent present ←	Defines action which can be either certificate import or removal. When state is present, the certificate will always idempotently be inserted into the keystore, even if there already exists a cert alias that is different.
trust_cacert boolean added in 0.2.0 of community.general	Choices: no ← yes	Trust imported cert as CAcert.

Examples

- name: Import SSL certificate from google.com to a given cacerts keystore
  community.general.java_cert:
    cert_url: google.com
    cert_port: 443
    keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
    keystore_pass: changeit
    state: present

- name: Remove certificate with given alias from a keystore
  community.general.java_cert:
    cert_url: google.com
    keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
    keystore_pass: changeit
    executable: /usr/lib/jvm/jre7/bin/keytool
    state: absent

- name: Import trusted CA from SSL certificate
  community.general.java_cert:
    cert_path: /opt/certs/rootca.crt
    keystore_path: /tmp/cacerts
    keystore_pass: changeit
    keystore_create: yes
    state: present
    cert_alias: LE_RootCA
    trust_cacert: True

- name: Import SSL certificate from google.com to a keystore, create it if it doesn't exist
  community.general.java_cert:
    cert_url: google.com
    keystore_path: /tmp/cacerts
    keystore_pass: changeit
    keystore_create: yes
    state: present

- name: Import a pkcs12 keystore with a specified alias, create it if it doesn't exist
  community.general.java_cert:
    pkcs12_path: "/tmp/importkeystore.p12"
    cert_alias: default
    keystore_path: /opt/wildfly/standalone/configuration/defaultkeystore.jks
    keystore_pass: changeit
    keystore_create: yes
    state: present

- name: Import SSL certificate to JCEKS keystore
  community.general.java_cert:
    pkcs12_path: "/tmp/importkeystore.p12"
    pkcs12_alias: default
    pkcs12_password: somepass
    cert_alias: default
    keystore_path: /opt/someapp/security/keystore.jceks
    keystore_type: "JCEKS"
    keystore_pass: changeit
    keystore_create: yes
    state: present

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
cmd string	success	Executed command to get action done. Sample: keytool -importcert -noprompt -keystore
msg string	success	Output from stdout of keytool command after execution of given command. Sample: Module require existing keystore at keystore_path '/tmp/test/cacerts'
rc integer	success	Keytool command execution return value. Sample: 0

Authors

Adam Hamsik (@haad)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/general/java_cert_module.html