
community.general.java_cert – Uses keytool to import/remove certificate to/from java keystore (cacerts)

Note

This plugin is part of the community.general collection (version 3.8.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.java_cert.

Synopsis

  • This is a wrapper module around keytool, which can be used to import certificates and optionally private keys to a given java keystore, or remove them from it.

Requirements

The below requirements are needed on the host that executes this module.

  • openssl
  • keytool

Parameters

cert_alias (string)
    Imported certificate alias.
    The alias is used when checking for the presence of a certificate in the keystore.

cert_path (path)
    Local path to load the certificate from.
    Exactly one of cert_url, cert_path or pkcs12_path is required to load a certificate.

cert_port (integer, default: 443)
    Port to connect to on the host given by cert_url.
    This is used to build the server address as URL:PORT.

cert_url (string)
    Host (basic URL) to fetch the SSL certificate from.
    Exactly one of cert_url, cert_path or pkcs12_path is required to load a certificate.

executable (string, default: "keytool")
    Path to the keytool binary. If not set, keytool is searched for in PATH.

keystore_create (boolean; choices: no, yes)
    Create the keystore if it does not exist.

keystore_pass (string, required)
    Keystore password.

keystore_path (path)
    Path to the keystore.

keystore_type (string)
    Keystore type (JCEKS, JKS).

pkcs12_alias (string)
    Alias in the PKCS12 keystore.

pkcs12_password (string, default: "")
    Password for importing from the PKCS12 keystore.

pkcs12_path (path)
    Local path to load the PKCS12 keystore from.
    Unlike cert_url and cert_path, the PKCS12 keystore embeds the private key matching the certificate, and is used to import both the certificate and its private key into the java keystore.
    Exactly one of cert_url, cert_path or pkcs12_path is required to load a certificate.

state (string; choices: absent, present)
    Defines the action, which is either certificate import or removal.
    When state is present, the certificate is inserted idempotently, even if the alias already exists in the keystore with a different certificate.

trust_cacert (boolean; choices: no, yes; added in 0.2.0 of community.general)
    Trust the imported certificate as a CA certificate.

Examples

- name: Import SSL certificate from google.com to a given cacerts keystore
  community.general.java_cert:
    cert_url: google.com
    cert_port: 443
    keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
    keystore_pass: changeit
    state: present

- name: Remove certificate with given alias from a keystore
  community.general.java_cert:
    cert_url: google.com
    keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
    keystore_pass: changeit
    executable: /usr/lib/jvm/jre7/bin/keytool
    state: absent

- name: Import trusted CA from SSL certificate
  community.general.java_cert:
    cert_path: /opt/certs/rootca.crt
    keystore_path: /tmp/cacerts
    keystore_pass: changeit
    keystore_create: yes
    state: present
    cert_alias: LE_RootCA
    trust_cacert: True

- name: Import SSL certificate from google.com to a keystore, create it if it doesn't exist
  community.general.java_cert:
    cert_url: google.com
    keystore_path: /tmp/cacerts
    keystore_pass: changeit
    keystore_create: yes
    state: present

- name: Import a pkcs12 keystore with a specified alias, create it if it doesn't exist
  community.general.java_cert:
    pkcs12_path: "/tmp/importkeystore.p12"
    cert_alias: default
    keystore_path: /opt/wildfly/standalone/configuration/defaultkeystore.jks
    keystore_pass: changeit
    keystore_create: yes
    state: present

- name: Import SSL certificate to JCEKS keystore
  community.general.java_cert:
    pkcs12_path: "/tmp/importkeystore.p12"
    pkcs12_alias: default
    pkcs12_password: somepass
    cert_alias: default
    keystore_path: /opt/someapp/security/keystore.jceks
    keystore_type: "JCEKS"
    keystore_pass: changeit
    keystore_create: yes
    state: present
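The examples above trust whatever certificate the remote host presents at connection time (cert_url) or whatever file sits at cert_path, and pass keystore_pass in clear text. The playbook below is an added example, not from the module documentation or the community.general project: it pins the CA's SHA-256 fingerprint from an out-of-band source, refuses to import on mismatch, keeps the keystore password out of task output with no_log and out of the keytool command line with keytool's -storepass:env form, and verifies the resulting keystore entry. The host group java_hosts, the paths, the alias corp-root-ca, the vault variable vault_cacerts_pass and the fingerprint value are assumptions made for illustration.

```yaml
# Added example: pinned CA import into a JVM trust store with
# pre-import fingerprint check and post-import verification.
- name: Install a pinned root CA into the JVM trust store
  hosts: java_hosts            # assumed inventory group
  become: true
  vars:
    ca_file: /opt/certs/rootca.crt                       # assumed path, already copied to the host
    ca_alias: corp-root-ca                               # assumed alias
    cacerts_path: /usr/lib/jvm/jre7/lib/security/cacerts # path used by the page's examples
    # Hypothetical pinned fingerprint; obtain the real one out of band,
    # e.g. from the CA operator, never from the file being imported.
    expected_fp: "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
    # Keep the keystore password in Ansible Vault; the default only mirrors the page's examples.
    cacerts_pass: "{{ vault_cacerts_pass | default('changeit') }}"
  tasks:
    - name: Compute the SHA-256 fingerprint of the CA file on the host
      ansible.builtin.command:
        argv: [openssl, x509, -noout, -fingerprint, -sha256, -in, "{{ ca_file }}"]
      register: ca_fp
      changed_when: false

    - name: Refuse to trust a CA whose fingerprint does not match the pin
      ansible.builtin.assert:
        that:
          # openssl prints "sha256 Fingerprint=AA:BB:..."; compare case-insensitively
          - (ca_fp.stdout.split('=')[1] | trim | upper) == (expected_fp | upper)
        fail_msg: "Fingerprint of {{ ca_file }} does not match the pinned value; not importing"

    - name: Import the CA as a trusted certificate under a fixed alias
      community.general.java_cert:
        cert_path: "{{ ca_file }}"
        cert_alias: "{{ ca_alias }}"
        trust_cacert: true
        keystore_path: "{{ cacerts_path }}"
        keystore_pass: "{{ cacerts_pass }}"
        state: present
      no_log: true   # keystore_pass would otherwise appear in callback output and logs

    - name: Read the keystore entry back without putting the password on the command line
      ansible.builtin.command:
        argv:
          - keytool
          - -list
          - -alias
          - "{{ ca_alias }}"
          - -keystore
          - "{{ cacerts_path }}"
          - "-storepass:env"   # keytool reads the password from the named environment variable
          - KEYSTORE_PASS
      environment:
        KEYSTORE_PASS: "{{ cacerts_pass }}"
      register: ks_entry
      changed_when: false
      no_log: true

    - name: Check that the keystore entry carries the pinned fingerprint
      ansible.builtin.assert:
        that:
          - (expected_fp | upper) in (ks_entry.stdout | upper)
        fail_msg: "Alias {{ ca_alias }} is present but does not carry the pinned fingerprint"
```

The pre-import assert is the step that turns a file on disk into a verified trust anchor; without it, anyone who can write to cert_path (or, with cert_url, anyone on the network path at fetch time) chooses what the JVM trusts. The final assert catches the case the state parameter description warns about: an alias that already existed with a different certificate.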

Return Values

Common return values are documented here, the following are the fields unique to this module:

cmd (string, returned on success)
    Executed command used to perform the action.
    Sample: keytool -importcert -noprompt -keystore

msg (string, returned on success)
    Output from stdout of the keytool command after execution of the given command.
    Sample: Module require existing keystore at keystore_path '/tmp/test/cacerts'

rc (integer, returned on success)
    Return code of the keytool command.
    Sample: 0


Authors

  • Adam Hamsik (@haad)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/general/java_cert_module.html