community.crypto/branch/main/docsite/guide_ownca.html

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" /><meta name="generator" content="Docutils 0.18.1: http://docutils.sourceforge.net/" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>How to create a small CA &mdash; Community.Crypto Collection  documentation</title>
      <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
      <link rel="stylesheet" href="../_static/css/ansible.css" type="text/css" />
      <link rel="stylesheet" href="../_static/antsibull-minimal.css" type="text/css" />
      <link rel="stylesheet" href="../_static/css/rtd-ethical-ads.css" type="text/css" />
    <link rel="shortcut icon" href="../_static/images/Ansible-Mark-RGB_Black.png"/>
  <!--[if lt IE 9]>
    <script src="../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
        <script src="../_static/jquery.js?v=5d32c60e"></script>
        <script src="../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
        <script src="../_static/documentation_options.js?v=7f41d439"></script>
        <script src="../_static/doctools.js?v=888ff710"></script>
        <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
    <script src="../_static/js/theme.js"></script>
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="community.crypto.acme_account module – Create, modify or delete ACME accounts" href="../acme_account_module.html" />
    <link rel="prev" title="How to create self-signed certificates" href="guide_selfsigned.html" /><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->




</head>

<body class="wy-body-for-nav"><!-- extra body elements for Ansible beyond RTD Sphinx Theme -->

<div class="DocSite-globalNav ansibleNav">
  <ul>
    <li><a href="https://www.ansible.com/ansiblefest" target="_blank">AnsibleFest</a></li>
    <li><a href="https://www.ansible.com/tower" target="_blank">Products</a></li>
    <li><a href="https://www.ansible.com/community" target="_blank">Community</a></li>
    <li><a href="https://www.ansible.com/webinars-training" target="_blank">Webinars & Training</a></li>
    <li><a href="https://www.ansible.com/blog" target="_blank">Blog</a></li>
  </ul>
</div>

<a class="DocSite-nav" href="https://ansible-collections.github.io/community.crypto/branch/main/" style="padding-bottom: 30px;">

  <img class="DocSiteNav-logo"
    src="../_static/images/Ansible-Mark-RGB_White.png"
    alt="Ansible Logo">
  <div class="DocSiteNav-title">Community.Crypto Collection Docs</div>
</a>
  <div class="wy-grid-for-nav">
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search" >

          
          
          <a href="../index.html" class="icon icon-home">
            Community.Crypto Collection
          </a><!--- Based on https://github.com/rtfd/sphinx_rtd_theme/pull/438/files -->

<div class="version">
  
    
  
</div>
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
    <label class="sr-only" for="q">Search docs:</label>
    <input type="text" class="st-default-search-input" id="q" name="q" placeholder="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>
        </div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
  
              <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="guide_selfsigned.html">How to create self-signed certificates</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">How to create a small CA</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#set-up-the-ca">Set up the CA</a></li>
<li class="toctree-l2"><a class="reference internal" href="#use-the-ca-to-sign-a-certificate">Use the CA to sign a certificate</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../acme_account_module.html">community.crypto.acme_account module – Create, modify or delete ACME accounts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../acme_account_info_module.html">community.crypto.acme_account_info module – Retrieves information on ACME accounts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../acme_certificate_module.html">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</a></li>
<li class="toctree-l1"><a class="reference internal" href="../acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
<li class="toctree-l1"><a class="reference internal" href="../acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <code class="docutils literal notranslate"><span class="pre">tls-alpn-01</span></code></a></li>
<li class="toctree-l1"><a class="reference internal" href="../acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
<li class="toctree-l1"><a class="reference internal" href="../certificate_complete_chain_module.html">community.crypto.certificate_complete_chain module – Complete certificate chain given a set of untrusted and root certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="../crypto_info_module.html">community.crypto.crypto_info module – Retrieve cryptographic capabilities</a></li>
<li class="toctree-l1"><a class="reference internal" href="../ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
<li class="toctree-l1"><a class="reference internal" href="../ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
<li class="toctree-l1"><a class="reference internal" href="../get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
<li class="toctree-l1"><a class="reference internal" href="../luks_device_module.html">community.crypto.luks_device module – Manage encrypted (LUKS) devices</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_csr_module.html">community.crypto.openssl_csr module – Generate OpenSSL Certificate Signing Request (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_csr_info_module.html">community.crypto.openssl_csr_info module – Provide information of OpenSSL Certificate Signing Requests (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_csr_pipe_module.html">community.crypto.openssl_csr_pipe module – Generate OpenSSL Certificate Signing Request (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_dhparam_module.html">community.crypto.openssl_dhparam module – Generate OpenSSL Diffie-Hellman Parameters</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_pkcs12_module.html">community.crypto.openssl_pkcs12 module – Generate OpenSSL PKCS#12 archive</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_privatekey_module.html">community.crypto.openssl_privatekey module – Generate OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_privatekey_convert_module.html">community.crypto.openssl_privatekey_convert module – Convert OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_privatekey_info_module.html">community.crypto.openssl_privatekey_info module – Provide information for OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_privatekey_pipe_module.html">community.crypto.openssl_privatekey_pipe module – Generate OpenSSL private keys without disk access</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_publickey_module.html">community.crypto.openssl_publickey module – Generate an OpenSSL public key from its private key.</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_publickey_info_module.html">community.crypto.openssl_publickey_info module – Provide information for OpenSSL public keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_signature_module.html">community.crypto.openssl_signature module – Sign data with openssl</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_signature_info_module.html">community.crypto.openssl_signature_info module – Verify signatures with openssl</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_certificate_module.html">community.crypto.x509_certificate module – Generate and/or check OpenSSL certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_certificate_info_module.html">community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_certificate_pipe_module.html">community.crypto.x509_certificate_pipe module – Generate and/or check OpenSSL certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_crl_module.html">community.crypto.x509_crl module – Generate Certificate Revocation Lists (CRLs)</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_crl_info_module.html">community.crypto.x509_crl_info module – Retrieve information on Certificate Revocation Lists (CRLs)</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../gpg_fingerprint_filter.html">community.crypto.gpg_fingerprint filter – Retrieve a GPG fingerprint from a GPG public or private key</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_csr_info_filter.html">community.crypto.openssl_csr_info filter – Retrieve information from OpenSSL Certificate Signing Requests (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_privatekey_info_filter.html">community.crypto.openssl_privatekey_info filter – Retrieve information from OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="../openssl_publickey_info_filter.html">community.crypto.openssl_publickey_info filter – Retrieve information from OpenSSL public keys in PEM format</a></li>
<li class="toctree-l1"><a class="reference internal" href="../split_pem_filter.html">community.crypto.split_pem filter – Split PEM file contents into multiple objects</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_certificate_info_filter.html">community.crypto.x509_certificate_info filter – Retrieve information from X.509 certificates in PEM format</a></li>
<li class="toctree-l1"><a class="reference internal" href="../x509_crl_info_filter.html">community.crypto.x509_crl_info filter – Retrieve information from X.509 CRLs in PEM format</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../gpg_fingerprint_lookup.html">community.crypto.gpg_fingerprint lookup – Retrieve a GPG fingerprint from a GPG public or private key file</a></li>
</ul>
<!-- extra nav elements for Ansible beyond RTD Sphinx Theme -->

        </div>
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="../index.html">Community.Crypto Collection</a>
      </nav>

      <div class="wy-nav-content">
        <div class="rst-content">
          <div role="navigation" aria-label="Page navigation">
  <ul class="wy-breadcrumbs">
      <li><a href="../index.html" class="icon icon-home" aria-label="Home"></a></li>
      <li class="breadcrumb-item active">How to create a small CA</li>
      <li class="wy-breadcrumbs-aside">
      </li>
  </ul>
  <hr/>
</div>
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">

  
           <div itemprop="articleBody">
             
  <section id="how-to-create-a-small-ca">
<span id="ansible-collections-community-crypto-docsite-guide-ownca"></span><h1>How to create a small CA<a class="headerlink" href="#how-to-create-a-small-ca" title="Link to this heading"></a></h1>
<p>The <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create your own small CA and how to use it to sign certificates.</p>
<p>In all examples, we assume that the CA’s private key is password protected, where the password is provided in the <code class="docutils literal notranslate"><span class="pre">secret_ca_passphrase</span></code> variable.</p>
<section id="set-up-the-ca">
<h2>Set up the CA<a class="headerlink" href="#set-up-the-ca" title="Link to this heading"></a></h2>
<p>Any certificate can be used as a CA certificate. You can create a self-signed certificate (see <a class="reference internal" href="guide_selfsigned.html#ansible-collections-community-crypto-docsite-guide-selfsigned"><span class="std std-ref">How to create self-signed certificates</span></a>), use another CA certificate to sign a new certificate (using the instructions below for signing a certificate), ask (and pay) a commercial CA to sign your CA certificate, etc.</p>
<p>The following instructions show how to set up a simple self-signed CA certificate.</p>
<div class="highlight-yaml+jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create private key with password protection</span>
<span class="w">  </span><span class="nt">community.crypto.openssl_privatekey</span><span class="p">:</span>
<span class="w">    </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/ca-certificate.key</span>
<span class="w">    </span><span class="nt">passphrase</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">secret_ca_passphrase</span> <span class="cp">}}</span><span class="s">&quot;</span>

<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create certificate signing request (CSR) for CA certificate</span>
<span class="w">  </span><span class="nt">community.crypto.openssl_csr_pipe</span><span class="p">:</span>
<span class="w">    </span><span class="nt">privatekey_path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/ca-certificate.key</span>
<span class="w">    </span><span class="nt">privatekey_passphrase</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">secret_ca_passphrase</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w">    </span><span class="nt">common_name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Ansible CA</span>
<span class="w">    </span><span class="nt">use_common_name_for_san</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span><span class="w">  </span><span class="c1"># since we do not specify SANs, don&#39;t use CN as a SAN</span>
<span class="w">    </span><span class="nt">basic_constraints</span><span class="p">:</span>
<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&#39;CA:TRUE&#39;</span>
<span class="w">    </span><span class="nt">basic_constraints_critical</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w">    </span><span class="nt">key_usage</span><span class="p">:</span>
<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">keyCertSign</span>
<span class="w">    </span><span class="nt">key_usage_critical</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w">  </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ca_csr</span>

<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create self-signed CA certificate from CSR</span>
<span class="w">  </span><span class="nt">community.crypto.x509_certificate</span><span class="p">:</span>
<span class="w">    </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/ca-certificate.pem</span>
<span class="w">    </span><span class="nt">csr_content</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">ca_csr.csr</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w">    </span><span class="nt">privatekey_path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/ca-certificate.key</span>
<span class="w">    </span><span class="nt">privatekey_passphrase</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">secret_ca_passphrase</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w">    </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">selfsigned</span>
</pre></div>
</div>
</section>
<section id="use-the-ca-to-sign-a-certificate">
<h2>Use the CA to sign a certificate<a class="headerlink" href="#use-the-ca-to-sign-a-certificate" title="Link to this heading"></a></h2>
<p>To sign a certificate, you must pass a CSR to the <a class="reference internal" href="../x509_certificate_module.html#ansible-collections-community-crypto-x509-certificate-module"><span class="std std-ref">community.crypto.x509_certificate module</span></a> or <a class="reference internal" href="../x509_certificate_pipe_module.html#ansible-collections-community-crypto-x509-certificate-pipe-module"><span class="std std-ref">community.crypto.x509_certificate_pipe module</span></a>.</p>
<p>In the following example, we assume that the certificate to sign (including its private key) are on <code class="docutils literal notranslate"><span class="pre">server_1</span></code>, while our CA certificate is on <code class="docutils literal notranslate"><span class="pre">server_2</span></code>. We do not want any key material to leave each respective server.</p>
<div class="highlight-yaml+jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create private key for new certificate on server_1</span>
<span class="w">  </span><span class="nt">community.crypto.openssl_privatekey</span><span class="p">:</span>
<span class="w">    </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.key</span>
<span class="w">  </span><span class="nt">delegate_to</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server_1</span>
<span class="w">  </span><span class="nt">run_once</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>

<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create certificate signing request (CSR) for new certificate</span>
<span class="w">  </span><span class="nt">community.crypto.openssl_csr_pipe</span><span class="p">:</span>
<span class="w">    </span><span class="nt">privatekey_path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.key</span>
<span class="w">    </span><span class="nt">subject_alt_name</span><span class="p">:</span>
<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;DNS:ansible.com&quot;</span>
<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;DNS:www.ansible.com&quot;</span>
<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;DNS:docs.ansible.com&quot;</span>
<span class="w">  </span><span class="nt">delegate_to</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server_1</span>
<span class="w">  </span><span class="nt">run_once</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w">  </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">csr</span>

<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Sign certificate with our CA</span>
<span class="w">  </span><span class="nt">community.crypto.x509_certificate_pipe</span><span class="p">:</span>
<span class="w">    </span><span class="nt">csr_content</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">csr.csr</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w">    </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ownca</span>
<span class="w">    </span><span class="nt">ownca_path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/ca-certificate.pem</span>
<span class="w">    </span><span class="nt">ownca_privatekey_path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/ca-certificate.key</span>
<span class="w">    </span><span class="nt">ownca_privatekey_passphrase</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">secret_ca_passphrase</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w">    </span><span class="nt">ownca_not_after</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">+365d</span><span class="w">  </span><span class="c1"># valid for one year</span>
<span class="w">    </span><span class="nt">ownca_not_before</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;-1d&quot;</span><span class="w">  </span><span class="c1"># valid since yesterday</span>
<span class="w">  </span><span class="nt">delegate_to</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server_2</span>
<span class="w">  </span><span class="nt">run_once</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w">  </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">certificate</span>

<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Write certificate file on server_1</span>
<span class="w">  </span><span class="nt">copy</span><span class="p">:</span>
<span class="w">    </span><span class="nt">dest</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.pem</span>
<span class="w">    </span><span class="nt">content</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">certificate.certificate</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w">  </span><span class="nt">delegate_to</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server_1</span>
<span class="w">  </span><span class="nt">run_once</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
</pre></div>
</div>
<p>Please note that the above procedure is <strong>not idempotent</strong>. The following extended example reads the existing certificate from <code class="docutils literal notranslate"><span class="pre">server_1</span></code> (if exists) and provides it to the <a class="reference internal" href="../x509_certificate_pipe_module.html#ansible-collections-community-crypto-x509-certificate-pipe-module"><span class="std std-ref">community.crypto.x509_certificate_pipe module</span></a>, and only writes the result back if it was changed:</p>
<div class="highlight-yaml+jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create private key for new certificate on server_1</span>
<span class="w">  </span><span class="nt">community.crypto.openssl_privatekey</span><span class="p">:</span>
<span class="w">    </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.key</span>
<span class="w">  </span><span class="nt">delegate_to</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server_1</span>
<span class="w">  </span><span class="nt">run_once</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>

<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create certificate signing request (CSR) for new certificate</span>
<span class="w">  </span><span class="nt">community.crypto.openssl_csr_pipe</span><span class="p">:</span>
<span class="w">    </span><span class="nt">privatekey_path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.key</span>
<span class="w">    </span><span class="nt">subject_alt_name</span><span class="p">:</span>
<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;DNS:ansible.com&quot;</span>
<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;DNS:www.ansible.com&quot;</span>
<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;DNS:docs.ansible.com&quot;</span>
<span class="w">  </span><span class="nt">delegate_to</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server_1</span>
<span class="w">  </span><span class="nt">run_once</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w">  </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">csr</span>

<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Check whether certificate exists</span>
<span class="w">  </span><span class="nt">stat</span><span class="p">:</span>
<span class="w">    </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.pem</span>
<span class="w">  </span><span class="nt">delegate_to</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server_1</span>
<span class="w">  </span><span class="nt">run_once</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w">  </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">certificate_exists</span>

<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Read existing certificate if exists</span>
<span class="w">  </span><span class="nt">slurp</span><span class="p">:</span>
<span class="w">    </span><span class="nt">src</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.pem</span>
<span class="w">  </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">certificate_exists.stat.exists</span>
<span class="w">  </span><span class="nt">delegate_to</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server_1</span>
<span class="w">  </span><span class="nt">run_once</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w">  </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">certificate</span>

<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Sign certificate with our CA</span>
<span class="w">  </span><span class="nt">community.crypto.x509_certificate_pipe</span><span class="p">:</span>
<span class="w">    </span><span class="nt">content</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="o">(</span><span class="nv">certificate.content</span> <span class="o">|</span> <span class="nf">b64decode</span><span class="o">)</span> <span class="k">if</span> <span class="nv">certificate_exists.stat.exists</span> <span class="k">else</span> <span class="nv">omit</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w">    </span><span class="nt">csr_content</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">csr.csr</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w">    </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ownca</span>
<span class="w">    </span><span class="nt">ownca_path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/ca-certificate.pem</span>
<span class="w">    </span><span class="nt">ownca_privatekey_path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/ca-certificate.key</span>
<span class="w">    </span><span class="nt">ownca_privatekey_passphrase</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">secret_ca_passphrase</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w">    </span><span class="nt">ownca_not_after</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">+365d</span><span class="w">  </span><span class="c1"># valid for one year</span>
<span class="w">    </span><span class="nt">ownca_not_before</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;-1d&quot;</span><span class="w">  </span><span class="c1"># valid since yesterday</span>
<span class="w">  </span><span class="nt">delegate_to</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server_2</span>
<span class="w">  </span><span class="nt">run_once</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w">  </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">certificate</span>

<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Write certificate file on server_1</span>
<span class="w">  </span><span class="nt">copy</span><span class="p">:</span>
<span class="w">    </span><span class="nt">dest</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/path/to/certificate.pem</span>
<span class="w">    </span><span class="nt">content</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">certificate.certificate</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w">  </span><span class="nt">delegate_to</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server_1</span>
<span class="w">  </span><span class="nt">run_once</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w">  </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">certificate is changed</span>
</pre></div>
</div>
</section>
</section>


           </div>
          </div>
          

<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
        <a href="guide_selfsigned.html" class="btn btn-neutral float-left" title="How to create self-signed certificates" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
        <a href="../acme_account_module.html" class="btn btn-neutral float-right" title="community.crypto.acme_account module – Create, modify or delete ACME accounts" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
    </div>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright Community.Crypto Contributors.</p>
  </div>

  
   

</footer>
        </div>
      </div>
    </section>
  </div>
  <script>
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script><!-- extra footer elements for Ansible beyond RTD Sphinx Theme -->

</body>
</html>