W3cubDocs

bigip_device_certificate – Manage self-signed device certificates

New in version 2.9.

Synopsis
Parameters
Notes
Examples
Return Values
Status

Synopsis

Module used to create and/or renew self-signed device certificates for BIG-IP.

Parameters

Parameter		Choices/Defaults	Comments
add_to_trusted boolean		Choices: no ← yes	Specified if the certificate should be added to the trusted client and server certificate files.
cert_name string		Default: "server.crt"	Specifies the full name of the certificate file. If the name is not default `server.crt`, the module will configure `httpd` to use them prior to restarting the `httpd` daemon.
days_valid integer / required			Specifies the interval for which the self-signed certificate is valid. The maximum value is 25 years: `9125` days
force boolean		Choices: no ← yes	When `yes`, will update or overwrite the existing certificate when it is not expired device. When `no`, the certificate will only be updated/overwritten if expired. Generally should be `yes` only in cases where you need to update certificate that is about to expire. This option is also needed when generating new certificate to replace non expired one.
issuer dictionary			Certificate properties, required when generating new certificates.
	common_name string		Specifies Common Name attribute for the certificate.
	country string		Specifies the Country name attribute for the certificate.
	division string		Specifies the department name attribute for the certificate.
	email string		Specifies the domain administrator's email address.
	locality string		Specifies the city or town name for the certificate.
	organization string		Specifies the Organization attribute for the certificate.
	state string		Specifies the State or Province attribute for the certificate.
key_name string		Default: "server.key"	Specifies the full name of the key file. If the name is not default `server.key`, the module will configure `httpd` to use them prior to restarting the `httpd` daemon.
key_size integer		Choices: 512 1024 2048 ← 4096	Specifies the desired key size in bits. Mandatory option when generating a new certificate.
new_cert boolean		Choices: no ← yes	Specified if the module should generate new certificate. When `yes` the device certificate and key will be replaced
provider dictionary added in 2.5			A dict object containing connection details.
	auth_provider string		Configures the auth provider for to obtain authentication tokens from the remote device. This option is really used when working with BIG-IQ devices.
	password string / required		The password for the user account used to connect to the BIG-IP. You may omit this option by setting the environment variable `F5_PASSWORD`. aliases: pass, pwd
	server string / required		The BIG-IP host. You may omit this option by setting the environment variable `F5_SERVER`.
	server_port integer	Default: 443	The BIG-IP server port. You may omit this option by setting the environment variable `F5_SERVER_PORT`.
	ssh_keyfile path		Specifies the SSH keyfile to use to authenticate the connection to the remote device. This argument is only used for cli transports. You may omit this option by setting the environment variable `ANSIBLE_NET_SSH_KEYFILE`.
	timeout integer		Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.
	transport string	Choices: cli rest ←	Configures the transport connection to use when connecting to the remote device.
	user string / required		The username to connect to the BIG-IP with. This user must have administrative privileges on the device. You may omit this option by setting the environment variable `F5_USER`.
	validate_certs boolean	Choices: no yes ←	If `no`, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates. You may omit this option by setting the environment variable `F5_VALIDATE_CERTS`.
transport - / required		Choices: cli ←	Configures the transport connection to use when connecting to the remote device. This module currently supports only connectivity to the device over cli (ssh).

Notes

Note

For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
Requires BIG-IP software version >= 12.
The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.

Examples

- name: Update expired certificate
  bigip_device_certificate:
    days_valid: 365
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
      transport: cli
      server_port: 22
  delegate_to: localhost

- name: Update expired certificate non-default names
  bigip_device_certificate:
    days_valid: 60
    cert_name: custom.crt
    key_name: custom.key
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
      transport: cli
      server_port: 22
  delegate_to: localhost

- name: Force update not expired certificate
  bigip_device_certificate:
    days_valid: 365
    force: yes
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
      transport: cli
      server_port: 22
  delegate_to: localhost

- name: Create a new certificate to replace expired certificate
  bigip_device_certificate:
    days_valid: 365
    new_cert: yes
    issuer:
      country: US
      state: WA
      common_name: foobar.foo.local
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
      transport: cli
      server_port: 22
  delegate_to: localhost

- name: Force create a new custom named certificate to replace not expired certificate
  bigip_device_certificate:
    days_valid: 365
    cert_name: custom.crt
    key_name: custom.key
    new_cert: yes
    force: yes
    issuer:
      country: US
      state: WA
      common_name: foobar.foo.local
    key_size: 2048
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
      transport: cli
      server_port: 22
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key		Returned	Description
cert_name string		changed	The full name of the certificate file. Sample: common.crt
days_valid integer		changed	The interval for which the self-signed certificate is valid. Sample: 365
issuer complex		changed	Specifies certificate properties.
	common_name string	changed	The Common Name attribute of the certificate. Sample: foo.bar.local
	country string	changed	The Country name attribute of the certificate. Sample: US
	division string	changed	The department name attribute of the certificate. Sample: IT
	email string	changed	The domain administrator's email address. Sample: [email protected]
	locality string	changed	The city or town name attribute of the certificate. Sample: Seattle
	organization string	changed	The Organization attribute of the certificate. Sample: F5
	state string	changed	The State or Province attribute of the certificate. Sample: WA
key_name string		changed	The full name of the key file. Sample: common.key
key_size integer		changed	The desired key size in bits. Sample: 2048

Status

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by an Ansible Partner. [certified]

Authors

Wojciech Wypior (@wojtek0806)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/bigip_device_certificate_module.html