<linkrel="next"title="community.crypto.openssh_keypair module – Generate OpenSSH private and public keys"href="openssh_keypair_module.html"/>
<linkrel="prev"title="community.crypto.luks_device module – Manage encrypted (LUKS) devices"href="luks_device_module.html"/><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
</head>
<bodyclass="wy-body-for-nav"><!-- extra body elements for Ansible beyond RTD Sphinx Theme -->
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_selfsigned.html">How to create self-signed certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_ownca.html">How to create a small CA</a></li>
</ul>
<ulclass="current">
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_module.html">community.crypto.acme_account module – Create, modify or delete ACME accounts</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_info_module.html">community.crypto.acme_account_info module – Retrieves information on ACME accounts</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_ari_info_module.html">community.crypto.acme_ari_info module – Retrieves ACME Renewal Information (ARI) for a certificate</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_module.html">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_deactivate_authz_module.html">community.crypto.acme_certificate_deactivate_authz module – Deactivate all authz for an ACME v2 order</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_renewal_info_module.html">community.crypto.acme_certificate_renewal_info module – Determine whether a certificate should be renewed or not</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code></a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="certificate_complete_chain_module.html">community.crypto.certificate_complete_chain module – Complete certificate chain given a set of untrusted and root certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="gpg_keypair_module.html">community.crypto.gpg_keypair module – Generate or delete GPG private and public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_csr_info_module.html">community.crypto.openssl_csr_info module – Provide information of OpenSSL Certificate Signing Requests (CSR)</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_info_module.html">community.crypto.openssl_privatekey_info module – Provide information for OpenSSL private keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_pipe_module.html">community.crypto.openssl_privatekey_pipe module – Generate OpenSSL private keys without disk access</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_module.html">community.crypto.openssl_publickey module – Generate an OpenSSL public key from its private key.</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_info_module.html">community.crypto.openssl_publickey_info module – Provide information for OpenSSL public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_module.html">community.crypto.openssl_signature module – Sign data with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_info_module.html">community.crypto.openssl_signature_info module – Verify signatures with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_certificate_info_module.html">community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_crl_info_module.html">community.crypto.x509_crl_info module – Retrieve information on Certificate Revocation Lists (CRLs)</a></li>
</ul>
<ul>
<liclass="toctree-l1"><aclass="reference internal"href="gpg_fingerprint_filter.html">community.crypto.gpg_fingerprint filter – Retrieve a GPG fingerprint from a GPG public or private key</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_csr_info_filter.html">community.crypto.openssl_csr_info filter – Retrieve information from OpenSSL Certificate Signing Requests (CSR)</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_info_filter.html">community.crypto.openssl_privatekey_info filter – Retrieve information from OpenSSL private keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_info_filter.html">community.crypto.openssl_publickey_info filter – Retrieve information from OpenSSL public keys in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="parse_serial_filter.html">community.crypto.parse_serial filter – Convert a serial number as a colon-separated list of hex numbers to an integer</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="to_serial_filter.html">community.crypto.to_serial filter – Convert an integer to a colon-separated list of hex numbers</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_certificate_info_filter.html">community.crypto.x509_certificate_info filter – Retrieve information from X.509 certificates in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_crl_info_filter.html">community.crypto.x509_crl_info filter – Retrieve information from X.509 CRLs in PEM format</a></li>
</ul>
<ul>
<liclass="toctree-l1"><aclass="reference internal"href="gpg_fingerprint_lookup.html">community.crypto.gpg_fingerprint lookup – Retrieve a GPG fingerprint from a GPG public or private key file</a></li>
</ul>
<!-- extra nav elements for Ansible beyond RTD Sphinx Theme -->
<liclass="breadcrumb-item active">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</li>
<liclass="wy-breadcrumbs-aside">
<!-- User defined GitHub URL -->
<ahref="https://github.com/ansible-collections/community.crypto/edit/main/plugins/modules/openssh_cert.py?description=%23%23%23%23%23%20SUMMARY%0A%3C!—%20Your%20description%20here%20–%3E%0A%0A%0A%23%23%23%23%23%20ISSUE%20TYPE%0A-%20Docs%20Pull%20Request%0A%0A%2Blabel:%20docsite_pr"class="fa fa-github"> Edit on GitHub</a>
<h1>community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.<aclass="headerlink"href="#community-crypto-openssh-cert-module-generate-openssh-host-or-user-certificates"title="Link to this heading"></a></h1>
<p>This module is part of the <aclass="reference external"href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.21.0).</p>
<p>It is not included in <codeclass="docutils literal notranslate"><spanclass="pre">ansible-core</span></code>.
To check whether it is installed, run <codeclass="code docutils literal notranslate"><spanclass="pre">ansible-galaxy</span><spanclass="pre">collection</span><spanclass="pre">list</span></code>.</p>
You need further requirements to be able to use this module,
see <aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-requirements"><spanclass="std std-ref">Requirements</span></a> for details.</p>
<p>To use it in a playbook, specify: <codeclass="code docutils literal notranslate"><spanclass="pre">community.crypto.openssh_cert</span></code>.</p>
<h2><aclass="toc-backref"href="#id1"role="doc-backlink">Synopsis</a><aclass="headerlink"href="#synopsis"title="Link to this heading"></a></h2>
<ulclass="simple">
<li><p>Generate and regenerate OpenSSH host or user certificates.</p></li>
</ul>
</section>
<sectionid="requirements">
<spanid="ansible-collections-community-crypto-openssh-cert-module-requirements"></span><h2><aclass="toc-backref"href="#id2"role="doc-backlink">Requirements</a><aclass="headerlink"href="#requirements"title="Link to this heading"></a></h2>
<p>The below requirements are needed on the host that executes this module.</p>
<ulclass="simple">
<li><p>ssh-keygen</p></li>
</ul>
</section>
<sectionid="parameters">
<h2><aclass="toc-backref"href="#id3"role="doc-backlink">Parameters</a><aclass="headerlink"href="#parameters"title="Link to this heading"></a></h2>
<aclass="ansibleOptionLink"href="#parameter-attributes"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: attr</span></p>
<td><divclass="ansible-option-cell"><p>The attributes the resulting filesystem object should have.</p>
<p>To get supported flags look at the man page for <em>chattr</em> on the target system.</p>
<p>This string should contain the attributes in the same order as the one displayed by <em>lsattr</em>.</p>
<p>The <codeclass="docutils literal notranslate"><spanclass="pre">=</span></code> operator is assumed as default, otherwise <codeclass="docutils literal notranslate"><spanclass="pre">+</span></code> or <codeclass="docutils literal notranslate"><spanclass="pre">-</span></code> operators need to be included in the string.</p>
<aclass="ansibleOptionLink"href="#parameter-force"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Should the certificate be regenerated even if it already exists and is valid.</p>
<p>Equivalent to <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-regenerate"><spanclass="std std-ref"><spanclass="pre">regenerate=always</span></span></a></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-group"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Name of the group that should own the filesystem object, as would be fed to <em>chown</em>.</p>
<p>When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership.</p>
<aclass="ansibleOptionLink"href="#parameter-identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Specify the key identity when signing a public key. The identifier that is logged by the server when the certificate is used for authentication.</p>
<aclass="ansibleOptionLink"href="#parameter-ignore_timestamps"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
<p><emclass="ansible-option-versionadded">added in community.crypto 2.2.0</em></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-valid-from"><spanclass="std std-ref"><spanclass="pre">valid_from</span></span></a></strong></code> and <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-valid-to"><spanclass="std std-ref"><spanclass="pre">valid_to</span></span></a></strong></code> timestamps should be ignored for idempotency checks.</p>
<p>However, the values will still be applied to a new certificate if it meets any other necessary conditions for generation/regeneration.</p>
<aclass="ansibleOptionLink"href="#parameter-mode"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">any</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The permissions the resulting filesystem object should have.</p>
<p>For those used to <em>/usr/bin/chmod</em> remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, <codeclass="docutils literal notranslate"><spanclass="pre">'644'</span></code> or <codeclass="docutils literal notranslate"><spanclass="pre">'1777'</span></code>) so Ansible receives a string and can do its own conversion from string into number. Adding a leading zero (for example, <codeclass="docutils literal notranslate"><spanclass="pre">0755</span></code>) works sometimes, but can fail in loops and some other circumstances.</p>
<p>Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results.</p>
<p>As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, <codeclass="docutils literal notranslate"><spanclass="pre">u+rwx</span></code> or <codeclass="docutils literal notranslate"><spanclass="pre">u=rw,g=r,o=r</span></code>).</p>
<p>If <codeclass="docutils literal notranslate"><spanclass="pre">mode</span></code> is not specified and the destination filesystem object <strong>does not</strong> exist, the default <codeclass="docutils literal notranslate"><spanclass="pre">umask</span></code> on the system will be used when setting the mode for the newly created filesystem object.</p>
<p>If <codeclass="docutils literal notranslate"><spanclass="pre">mode</span></code> is not specified and the destination filesystem object <strong>does</strong> exist, the mode of the existing filesystem object will be used.</p>
<p>Specifying <codeclass="docutils literal notranslate"><spanclass="pre">mode</span></code> is the best way to ensure filesystem objects are created with the correct permissions. See CVE-2020-1736 for further details.</p>
<aclass="ansibleOptionLink"href="#parameter-options"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">list</span> / <spanclass="ansible-option-elements">elements=string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Specify certificate options when signing a key. The option that are valid for user certificates are:</p>
<p><codeclass="ansible-value docutils literal notranslate"><spanclass="pre">clear</span></code>: Clear all enabled permissions. This is useful for clearing the default set of permissions so permissions may be added individually.</p>
<p><codeclass="ansible-value docutils literal notranslate"><spanclass="pre">force-command=command</span></code>: Forces the execution of command instead of any shell or command specified by the user when the certificate is used for authentication.</p>
<p><codeclass="ansible-value docutils literal notranslate"><spanclass="pre">no-agent-forwarding</span></code>: Disable ssh-agent forwarding (permitted by default).</p>
<p><codeclass="ansible-value docutils literal notranslate"><spanclass="pre">no-port-forwarding</span></code>: Disable port forwarding (permitted by default).</p>
<p><codeclass="ansible-value docutils literal notranslate"><spanclass="pre">no-pty</span></code>: Disable PTY allocation (permitted by default).</p>
<p><codeclass="ansible-value docutils literal notranslate"><spanclass="pre">no-user-rc</span></code>: Disable execution of <codeclass="docutils literal notranslate"><spanclass="pre">~/.ssh/rc</span></code> by sshd (permitted by default).</p>
<p><codeclass="ansible-value docutils literal notranslate"><spanclass="pre">no-x11-forwarding</span></code>: Disable X11 forwarding (permitted by default)</p>
<p><codeclass="ansible-value docutils literal notranslate"><spanclass="pre">source-address=address_list</span></code>: Restrict the source addresses from which the certificate is considered valid. The <codeclass="docutils literal notranslate"><spanclass="pre">address_list</span></code> is a comma-separated list of one or more address/netmask pairs in CIDR format.</p>
<p>At present, no options are valid for host keys.</p>
<aclass="ansibleOptionLink"href="#parameter-owner"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Name of the user that should own the filesystem object, as would be fed to <em>chown</em>.</p>
<p>When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership.</p>
<p>Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion.</p>
<aclass="ansibleOptionLink"href="#parameter-path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span> / <spanclass="ansible-option-required">required</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path of the file containing the certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-pkcs11_provider"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<p><emclass="ansible-option-versionadded">added in community.crypto 1.1.0</em></p>
</div></td>
<td><divclass="ansible-option-cell"><p>To use a signing key that resides on a PKCS#11 token, set this to the name (or full path) of the shared library to use with the token. Usually <codeclass="docutils literal notranslate"><spanclass="pre">libpkcs11.so</span></code>.</p>
<p>If this is set, <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-signing-key"><spanclass="std std-ref"><spanclass="pre">signing_key</span></span></a></strong></code> needs to point to a file containing the public key of the CA.</p>
<aclass="ansibleOptionLink"href="#parameter-principals"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">list</span> / <spanclass="ansible-option-elements">elements=string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Certificates may be limited to be valid for a set of principal (user/host) names. By default, generated certificates are valid for all users or hosts.</p>
<aclass="ansibleOptionLink"href="#parameter-public_key"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the public key that will be signed with the signing key in order to generate the certificate.</p>
<p>Required if <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-state"><spanclass="std std-ref"><spanclass="pre">state</span></span></a></strong></code> is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">present</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-regenerate"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<p><emclass="ansible-option-versionadded">added in community.crypto 1.8.0</em></p>
</div></td>
<td><divclass="ansible-option-cell"><p>When <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">never</span></code> the task will fail if a certificate already exists at <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-path"><spanclass="std std-ref"><spanclass="pre">path</span></span></a></strong></code> and is unreadable otherwise a new certificate will only be generated if there is no existing certificate.</p>
<p>When <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">fail</span></code> the task will fail if a certificate already exists at <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-path"><spanclass="std std-ref"><spanclass="pre">path</span></span></a></strong></code> and does not match the module’s options.</p>
<p>When <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">partial_idempotence</span></code> an existing certificate will be regenerated based on <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-serial-number"><spanclass="std std-ref"><spanclass="pre">serial_number</span></span></a></strong></code>, <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-signature-algorithm"><spanclass="std std-ref"><spanclass="pre">signature_algorithm</span></span></a></strong></code>, <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-type"><spanclass="std std-ref"><spanclass="pre">type</span></span></a></strong></code>, <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-valid-from"><spanclass="std std-ref"><spanclass="pre">valid_from</span></span></a></strong></code>, <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-valid-to"><spanclass="std std-ref"><spanclass="pre">valid_to</span></span></a></strong></code>, <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-valid-at"><spanclass="std std-ref"><spanclass="pre">valid_at</span></span></a></strong></code>, and <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-principals"><spanclass="std std-ref"><spanclass="pre">principals</span></span></a></strong></code>. <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-valid-from"><spanclass="std std-ref"><spanclass="pre">valid_from</span></span></a></strong></code> and <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-valid-to"><spanclass="std std-ref"><spanclass="pre">valid_to</span></span></a></strong></code> can be excluded by <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=true</span></span></a></code>.</p>
<p>When <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">full_idempotence</span></code><codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-identifier"><spanclass="std std-ref"><spanclass="pre">identifier</span></span></a></strong></code>, <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-options"><spanclass="std std-ref"><spanclass="pre">options</span></span></a></strong></code>, <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-public-key"><spanclass="std std-ref"><spanclass="pre">public_key</span></span></a></strong></code>, and <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-signing-key"><spanclass="std std-ref"><spanclass="pre">signing_key</span></span></a></strong></code> are also considered when compared against an existing certificate.</p>
<p><codeclass="ansible-value docutils literal notranslate"><spanclass="pre">always</span></code> is equivalent to <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-force"><spanclass="std std-ref"><spanclass="pre">force=true</span></span></a></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-selevel"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The level part of the SELinux filesystem object context.</p>
<p>This is the MLS/MCS attribute, sometimes known as the <codeclass="docutils literal notranslate"><spanclass="pre">range</span></code>.</p>
<p>When set to <codeclass="docutils literal notranslate"><spanclass="pre">_default</span></code>, it will use the <codeclass="docutils literal notranslate"><spanclass="pre">level</span></code> portion of the policy if available.</p>
<aclass="ansibleOptionLink"href="#parameter-serial_number"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Specify the certificate serial number. The serial number is logged by the server when the certificate is used for authentication. The certificate serial number may be used in a KeyRevocationList. The serial number may be omitted for checks, but must be specified again for a new certificate. Note: The default value set by ssh-keygen is 0.</p>
<p>This option accepts an <strong>integer</strong>. If you want to provide serial numbers as colon-separated hex strings, such as <codeclass="docutils literal notranslate"><spanclass="pre">11:22:33</span></code>, you need to convert them to an integer with <aclass="reference internal"href="parse_serial_filter.html#ansible-collections-community-crypto-parse-serial-filter"><spanclass="std std-ref">community.crypto.parse_serial</span></a>.</p>
<aclass="ansibleOptionLink"href="#parameter-serole"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The role part of the SELinux filesystem object context.</p>
<p>When set to <codeclass="docutils literal notranslate"><spanclass="pre">_default</span></code>, it will use the <codeclass="docutils literal notranslate"><spanclass="pre">role</span></code> portion of the policy if available.</p>
<aclass="ansibleOptionLink"href="#parameter-setype"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The type part of the SELinux filesystem object context.</p>
<p>When set to <codeclass="docutils literal notranslate"><spanclass="pre">_default</span></code>, it will use the <codeclass="docutils literal notranslate"><spanclass="pre">type</span></code> portion of the policy if available.</p>
<aclass="ansibleOptionLink"href="#parameter-seuser"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The user part of the SELinux filesystem object context.</p>
<p>By default it uses the <codeclass="docutils literal notranslate"><spanclass="pre">system</span></code> policy, where applicable.</p>
<p>When set to <codeclass="docutils literal notranslate"><spanclass="pre">_default</span></code>, it will use the <codeclass="docutils literal notranslate"><spanclass="pre">user</span></code> portion of the policy if available.</p>
<aclass="ansibleOptionLink"href="#parameter-signature_algorithm"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<p><emclass="ansible-option-versionadded">added in community.crypto 1.10.0</em></p>
</div></td>
<td><divclass="ansible-option-cell"><p>As of OpenSSH 8.2 the SHA-1 signature algorithm for RSA keys has been disabled and <codeclass="docutils literal notranslate"><spanclass="pre">ssh</span></code> will refuse host certificates signed with the SHA-1 algorithm. OpenSSH 8.1 made <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">rsa-sha2-512</span></code> the default algorithm when acting as a CA and signing certificates with a RSA key. However, for OpenSSH versions less than 8.1 the SHA-2 signature algorithms, <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">rsa-sha2-256</span></code> or <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">rsa-sha2-512</span></code>, must be specified using this option if compatibility with newer <codeclass="docutils literal notranslate"><spanclass="pre">ssh</span></code> clients is required. Conversely if hosts using OpenSSH version 8.2 or greater must remain compatible with <codeclass="docutils literal notranslate"><spanclass="pre">ssh</span></code> clients using OpenSSH less than 7.2, then <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ssh-rsa</span></code> can be used when generating host certificates (a corresponding change to the sshd_config to add <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ssh-rsa</span></code> to the <codeclass="docutils literal notranslate"><spanclass="pre">CASignatureAlgorithms</span></code> keyword is also required).</p>
<p>Using any value for this option with a non-RSA <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-signing-key"><spanclass="std std-ref"><spanclass="pre">signing_key</span></span></a></strong></code> will cause this module to fail.</p>
<p>Note: OpenSSH versions prior to 7.2 do not support SHA-2 signature algorithms for RSA keys and OpenSSH versions prior to 7.3 do not support SHA-2 signature algorithms for certificates.</p>
<p>See <aclass="reference external"href="https://www.openssh.com/txt/release-8.2">https://www.openssh.com/txt/release-8.2</a> for more information.</p>
<aclass="ansibleOptionLink"href="#parameter-signing_key"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the private openssh key that is used for signing the public key in order to generate the certificate.</p>
<p>If the private key is on a PKCS#11 token (<codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-pkcs11-provider"><spanclass="std std-ref"><spanclass="pre">pkcs11_provider</span></span></a></strong></code>), set this to the path to the public key instead.</p>
<p>Required if <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-state"><spanclass="std std-ref"><spanclass="pre">state</span></span></a></strong></code> is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">present</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-state"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether the host or user certificate should exist or not, taking action if the state is different from what is stated.</p>
<aclass="ansibleOptionLink"href="#parameter-type"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether the module should generate a host or a user certificate.</p>
<p>Required if <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-state"><spanclass="std std-ref"><spanclass="pre">state</span></span></a></strong></code> is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">present</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-unsafe_writes"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object.</p>
<p>By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner.</p>
<p>This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes).</p>
<p>IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption.</p>
<aclass="ansibleOptionLink"href="#parameter-use_agent"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
<p><emclass="ansible-option-versionadded">added in community.crypto 1.3.0</em></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Should the ssh-keygen use a CA key residing in a ssh-agent.</p>
<aclass="ansibleOptionLink"href="#parameter-valid_at"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Check if the certificate is valid at a certain point in time. If it is not the certificate will be regenerated. Time will always be interpreted as UTC. Mainly to be used with relative timespec for <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-valid-from"><spanclass="std std-ref"><spanclass="pre">valid_from</span></span></a></strong></code> and / or <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-valid-to"><spanclass="std std-ref"><spanclass="pre">valid_to</span></span></a></strong></code>. Note that if using relative time this module is NOT idempotent.</p>
<aclass="ansibleOptionLink"href="#parameter-valid_from"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid formats are: <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">YYYY-MM-DD</span><spanclass="pre">|</span><spanclass="pre">YYYY-MM-DDTHH:MM:SS</span><spanclass="pre">|</span><spanclass="pre">YYYY-MM-DD</span><spanclass="pre">HH:MM:SS</span><spanclass="pre">|</span><spanclass="pre">always</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>). Note that if using relative time this module is NOT idempotent.</p>
<p>The value <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">always</span></code> is only supported for OpenSSH 7.7 and greater, however, the value <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">1970-01-01T00:00:01</span></code> can be used with earlier versions as an equivalent expression.</p>
<p>To ignore this value during comparison with an existing certificate set <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=true</span></span></a></code>.</p>
<p>Required if <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-state"><spanclass="std std-ref"><spanclass="pre">state</span></span></a></strong></code> is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">present</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-valid_to"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time the certificate is valid to. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid formats are: <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">YYYY-MM-DD</span><spanclass="pre">|</span><spanclass="pre">YYYY-MM-DDTHH:MM:SS</span><spanclass="pre">|</span><spanclass="pre">YYYY-MM-DD</span><spanclass="pre">HH:MM:SS</span><spanclass="pre">|</span><spanclass="pre">forever</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>). Note that if using relative time this module is NOT idempotent.</p>
<p>To ignore this value during comparison with an existing certificate set <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=true</span></span></a></code>.</p>
<p>Required if <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-openssh-cert-module-parameter-state"><spanclass="std std-ref"><spanclass="pre">state</span></span></a></strong></code> is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">present</span></code>.</p>
</div></td>
</tr>
</tbody>
</table>
</section>
<sectionid="attributes">
<h2><aclass="toc-backref"href="#id4"role="doc-backlink">Attributes</a><aclass="headerlink"href="#attributes"title="Link to this heading"></a></h2>
<td><divclass="ansible-option-cell"><p>Can run in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code> and return changed status prediction without modifying target.</p>
<td><divclass="ansible-option-cell"><p>Will return details on what has changed (or possibly needs changing in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code>), when in diff mode.</p>
<td><divclass="ansible-option-cell"><p>Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption.</p>
</div></td>
</tr>
</tbody>
</table>
</section>
<sectionid="see-also">
<h2><aclass="toc-backref"href="#id5"role="doc-backlink">See Also</a><aclass="headerlink"href="#see-also"title="Link to this heading"></a></h2>
<divclass="admonition seealso">
<pclass="admonition-title">See also</p>
<dlclass="simple">
<dt><aclass="reference internal"href="parse_serial_filter.html#ansible-collections-community-crypto-parse-serial-filter"><spanclass="std std-ref">community.crypto.parse_serial</span></a> filter plugin</dt><dd><p>Convert a serial number as a colon-separated list of hex numbers to an integer.</p>
</dd>
</dl>
</div>
</section>
<sectionid="examples">
<h2><aclass="toc-backref"href="#id6"role="doc-backlink">Examples</a><aclass="headerlink"href="#examples"title="Link to this heading"></a></h2>
<divclass="highlight-yaml+jinja notranslate"><divclass="highlight"><pre><span></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate an OpenSSH user certificate that is valid forever and for all users</span>
<spanclass="c1"># Generate an OpenSSH host certificate that is valid for 32 weeks from now and will be regenerated</span>
<spanclass="c1"># if it is valid for less than 2 weeks from the time the module is being run</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate an OpenSSH host certificate with valid_from, valid_to and valid_at parameters</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate an OpenSSH host certificate that is valid forever and only for example.com and examplehost</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate an OpenSSH host Certificate that is valid from 21.1.2001 to 21.1.2019</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate an OpenSSH user Certificate with clear and force-command option</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate an OpenSSH user certificate using a PKCS#11 token</span>
<h2><aclass="toc-backref"href="#id7"role="doc-backlink">Return Values</a><aclass="headerlink"href="#return-values"title="Link to this heading"></a></h2>
<p>Common return values are documented <aclass="reference external"href="https://docs.ansible.com/ansible/devel/reference_appendices/common_return_values.html#common-return-values"title="(in Ansible vdevel)"><spanclass="xref std std-ref">here</span></a>, the following are the fields unique to this module:</p>
<aclass="ansibleOptionLink"href="#return-filename"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>path to the certificate</p>
<pclass="ansible-option-line"><strongclass="ansible-option-returned-bold">Returned:</strong> changed or success</p>
<aclass="ansibleOptionLink"href="#return-info"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">list</span> / <spanclass="ansible-option-elements">elements=string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Information about the certificate. Output of <codeclass="docutils literal notranslate"><spanclass="pre">ssh-keygen</span><spanclass="pre">-L</span><spanclass="pre">-f</span></code>.</p>
<pclass="ansible-option-line"><strongclass="ansible-option-returned-bold">Returned:</strong> change or success</p>
<aclass="ansibleOptionLink"href="#return-type"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>type of the certificate (host or user)</p>
<pclass="ansible-option-line"><strongclass="ansible-option-returned-bold">Returned:</strong> changed or success</p>
