<linkrel="prev"title="community.crypto.openssl_signature_info module – Verify signatures with openssl"href="openssl_signature_info_module.html"/><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
</head>
<bodyclass="wy-body-for-nav"><!-- extra body elements for Ansible beyond RTD Sphinx Theme -->
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_selfsigned.html">How to create self-signed certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_ownca.html">How to create a small CA</a></li>
</ul>
<ulclass="current">
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_module.html">community.crypto.acme_account module – Create, modify or delete ACME accounts</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_info_module.html">community.crypto.acme_account_info module – Retrieves information on ACME accounts</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_ari_info_module.html">community.crypto.acme_ari_info module – Retrieves ACME Renewal Information (ARI) for a certificate</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_deactivate_authz_module.html">community.crypto.acme_certificate_deactivate_authz module – Deactivate all authz for an ACME v2 order</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_order_create_module.html">community.crypto.acme_certificate_order_create module – Create an ACME v2 order</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_order_finalize_module.html">community.crypto.acme_certificate_order_finalize module – Finalize an ACME v2 order</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_order_info_module.html">community.crypto.acme_certificate_order_info module – Obtain information for an ACME v2 order</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_order_validate_module.html">community.crypto.acme_certificate_order_validate module – Validate authorizations of an ACME v2 order</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_renewal_info_module.html">community.crypto.acme_certificate_renewal_info module – Determine whether a certificate should be renewed or not</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code></a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="certificate_complete_chain_module.html">community.crypto.certificate_complete_chain module – Complete certificate chain given a set of untrusted and root certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_csr_info_module.html">community.crypto.openssl_csr_info module – Provide information of OpenSSL Certificate Signing Requests (CSR)</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_info_module.html">community.crypto.openssl_privatekey_info module – Provide information for OpenSSL private keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_pipe_module.html">community.crypto.openssl_privatekey_pipe module – Generate OpenSSL private keys without disk access</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_module.html">community.crypto.openssl_publickey module – Generate an OpenSSL public key from its private key</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_info_module.html">community.crypto.openssl_publickey_info module – Provide information for OpenSSL public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_module.html">community.crypto.openssl_signature module – Sign data with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_info_module.html">community.crypto.openssl_signature_info module – Verify signatures with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_certificate_info_module.html">community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="gpg_fingerprint_filter.html">community.crypto.gpg_fingerprint filter – Retrieve a GPG fingerprint from a GPG public or private key</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_info_filter.html">community.crypto.openssl_privatekey_info filter – Retrieve information from OpenSSL private keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_info_filter.html">community.crypto.openssl_publickey_info filter – Retrieve information from OpenSSL public keys in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="parse_serial_filter.html">community.crypto.parse_serial filter – Convert a serial number as a colon-separated list of hex numbers to an integer</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="to_serial_filter.html">community.crypto.to_serial filter – Convert an integer to a colon-separated list of hex numbers</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_certificate_info_filter.html">community.crypto.x509_certificate_info filter – Retrieve information from X.509 certificates in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_crl_info_filter.html">community.crypto.x509_crl_info filter – Retrieve information from X.509 CRLs in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="gpg_fingerprint_lookup.html">community.crypto.gpg_fingerprint lookup – Retrieve a GPG fingerprint from a GPG public or private key file</a></li>
<ahref="https://github.com/ansible-collections/community.crypto/edit/main/plugins/modules/x509_certificate.py?description=%23%23%23%23%23%20SUMMARY%0A%3C!—%20Your%20description%20here%20–%3E%0A%0A%0A%23%23%23%23%23%20ISSUE%20TYPE%0A-%20Docs%20Pull%20Request%0A%0A%2Blabel:%20docsite_pr"class="fa fa-github"> Edit on GitHub</a>
<p>This module is part of the <aclass="reference external"href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.24.0).</p>
<p>It is not included in <codeclass="docutils literal notranslate"><spanclass="pre">ansible-core</span></code>.
To check whether it is installed, run <codeclass="code docutils literal notranslate"><spanclass="pre">ansible-galaxy</span><spanclass="pre">collection</span><spanclass="pre">list</span></code>.</p>
You need further requirements to be able to use this module,
see <aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-requirements"><spanclass="std std-ref">Requirements</span></a> for details.</p>
<p>To use it in a playbook, specify: <codeclass="code docutils literal notranslate"><spanclass="pre">community.crypto.x509_certificate</span></code>.</p>
<li><p>It implements a notion of provider (one of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code>, <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code>, <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">acme</span></code>, and <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code>) for your certificate.</p></li>
<li><p>Note that this module was called <codeclass="docutils literal notranslate"><spanclass="pre">openssl_certificate</span></code> when included directly in Ansible up to version 2.9. When moved to the collection <codeclass="docutils literal notranslate"><spanclass="pre">community.crypto</span></code>, it was renamed to <aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module"><spanclass="std std-ref">community.crypto.x509_certificate</span></a>. From Ansible 2.10 on, it can still be used by the old short name (or by <codeclass="docutils literal notranslate"><spanclass="pre">ansible.builtin.openssl_certificate</span></code>), which redirects to <aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module"><spanclass="std std-ref">community.crypto.x509_certificate</span></a>. When using FQCNs or when using the <aclass="reference external"href="https://docs.ansible.com/ansible/latest/user_guide/collections_using.html#using-collections-in-a-playbook">collections</a> keyword, the new name <aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module"><spanclass="std std-ref">community.crypto.x509_certificate</span></a> should be used to avoid a deprecation warning.</p></li>
<li><p>Please note that the module regenerates existing certificate if it does not match the module’s options, or if it seems to be corrupt. If you are concerned that this could overwrite your existing certificate, consider using the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-backup"><spanclass="std std-ref"><spanclass="pre">backup</span></span></a></strong></code> option.</p></li>
<li><p>The <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider is intended for generating an OpenSSL certificate signed with your own CA (Certificate Authority) certificate (self-signed certificate).</p></li>
<spanid="ansible-collections-community-crypto-x509-certificate-module-requirements"></span><h2><aclass="toc-backref"href="#id2"role="doc-backlink">Requirements</a><aclass="headerlink"href="#requirements"title="Link to this heading"></a></h2>
<aclass="ansibleOptionLink"href="#parameter-acme_accountkey_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
<td><divclass="ansible-option-cell"><p>The path to the accountkey for the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">acme</span></code> provider.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">acme</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-acme_chain"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Include the intermediate certificate to the generated certificate</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">acme</span></code> provider.</p>
<p>Note that this is only available for older versions of <codeclass="docutils literal notranslate"><spanclass="pre">acme-tiny</span></code>. New versions include the chain automatically, and setting <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-acme-chain"><spanclass="std std-ref"><spanclass="pre">acme_chain</span></span></a></strong></code> to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">true</span></code> results in an error.</p>
<aclass="ansibleOptionLink"href="#parameter-acme_challenge_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
<td><divclass="ansible-option-cell"><p>The path to the ACME challenge directory that is served on <aclass="reference external"href="http://%3CHOST%3E:80/.well-known/acme-challenge/">http://<HOST>:80/.well-known/acme-challenge/</a></p>
<aclass="ansibleOptionLink"href="#parameter-acme_directory"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<td><divclass="ansible-option-cell"><p>The ACME directory to use. You can use any directory that supports the ACME protocol, such as Buypass or Let’s Encrypt.</p>
<p>Let’s Encrypt recommends using their staging server while developing jobs. <aclass="reference external"href="https://letsencrypt.org/docs/staging-environment/">https://letsencrypt.org/docs/staging-environment/</a>.</p>
<aclass="ansibleOptionLink"href="#parameter-attributes"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: attr</span></p>
<p>To get supported flags look at the man page for <codeclass="docutils literal notranslate"><spanclass="pre">chattr</span></code> on the target system.</p>
<p>This string should contain the attributes in the same order as the one displayed by <codeclass="docutils literal notranslate"><spanclass="pre">lsattr</span></code>.</p>
<p>The <codeclass="docutils literal notranslate"><spanclass="pre">=</span></code> operator is assumed as default, otherwise <codeclass="docutils literal notranslate"><spanclass="pre">+</span></code> or <codeclass="docutils literal notranslate"><spanclass="pre">-</span></code> operators need to be included in the string.</p>
<aclass="ansibleOptionLink"href="#parameter-backup"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Create a backup file including a timestamp so you can get the original certificate back if you overwrote it with a new one by accident.</p>
<aclass="ansibleOptionLink"href="#parameter-csr_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-csr_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the Certificate Signing Request (CSR) used to generate this certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_client_cert_key_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the private key of the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_client_cert_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_key"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The key (password) for authentication to the Entrust Certificate Services (ECS) API.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_specification_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the specification file defining the Entrust Certificate Services (ECS) API configuration.</p>
<p>You can use this to keep a local copy of the specification to avoid downloading it every time the module is used.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_user"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The username for authentication to the Entrust Certificate Services (ECS) API.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_cert_type"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Specify the type of certificate requested.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time at which the certificate stops being valid.</p>
<p>Time can be specified either as relative time or as an absolute timestamp.</p>
<p>A valid absolute time format is <codeclass="docutils literal notranslate"><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> such as <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">2019-06-18</span></code>.</p>
<p>A valid relative time format is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">[+-]timespec</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code>, such as <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+365d</span></code> or <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>Note that only the date (day, month, year) is supported for specifying the expiry date of the issued certificate.</p>
<p>The full date-time is adjusted to EST (GMT -5:00) before issuance, which may result in a certificate with an expiration date one day earlier than expected if a relative time is used.</p>
<p>The minimum certificate lifetime is 90 days, and maximum is three years.</p>
<p>If this value is not specified, the certificate will stop being valid 365 days the date of issue.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>Please note that this value is <strong>not</strong> covered by the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_email"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The email of the requester of the certificate (for tracking purposes).</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_name"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The name of the requester of the certificate (for tracking purposes).</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_phone"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The phone number of the requester of the certificate (for tracking purposes).</p>
<aclass="ansibleOptionLink"href="#parameter-force"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Generate the certificate, even if it already exists.</p>
<aclass="ansibleOptionLink"href="#parameter-group"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<td><divclass="ansible-option-cell"><p>Name of the group that should own the filesystem object, as would be fed to <codeclass="docutils literal notranslate"><spanclass="pre">chown</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-ignore_timestamps"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
<p>It is better to keep the default value <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">true</span></code> when using relative timestamps (like <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+0s</span></code> for now).</p>
<aclass="ansibleOptionLink"href="#parameter-mode"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">any</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The permissions the resulting filesystem object should have.</p>
<p>For those used to <codeclass="docutils literal notranslate"><spanclass="pre">/usr/bin/chmod</span></code> remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">'644'</span></code> or <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">'1777'</span></code>) so Ansible receives a string and can do its own conversion from string into number. Adding a leading zero (for example, <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">0755</span></code>) works sometimes, but can fail in loops and some other circumstances.</p>
<p>As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">u+rwx</span></code> or <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">u=rw,g=r,o=r</span></code>).</p>
<p>If <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-mode"><spanclass="std std-ref"><spanclass="pre">mode</span></span></a></strong></code> is not specified and the destination filesystem object <strong>does not</strong> exist, the default <codeclass="docutils literal notranslate"><spanclass="pre">umask</span></code> on the system will be used when setting the mode for the newly created filesystem object.</p>
<p>If <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-mode"><spanclass="std std-ref"><spanclass="pre">mode</span></span></a></strong></code> is not specified and the destination filesystem object <strong>does</strong> exist, the mode of the existing filesystem object will be used.</p>
<p>Specifying <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-mode"><spanclass="std std-ref"><spanclass="pre">mode</span></span></a></strong></code> is the best way to ensure filesystem objects are created with the correct permissions. See CVE-2020-1736 for further details.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-ownca_create_authority_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Create a Authority Key Identifier from the CA’s certificate. If the CSR provided a authority key identifier, it is ignored.</p>
<p>The Authority Key Identifier is generated from the CA certificate’s Subject Key Identifier, if available. If it is not available, the CA certificate’s public key will be used.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_create_subject_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether to create the Subject Key Identifier (SKI) from the public key.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">create_if_not_provided</span></code> (default) only creates a SKI when the CSR does not provide one.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">always_create</span></code> always creates a SKI. If the CSR provides one, that one is ignored.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">never_create</span></code> never creates a SKI. If the CSR provides one, that one is used.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_digest"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<td><divclass="ansible-option-cell"><p>The digest algorithm to be used for the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> certificate.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time at which the certificate stops being valid.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see <aclass="reference external"href="https://support.apple.com/en-us/HT210176">https://support.apple.com/en-us/HT210176</a> for more details.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_not_before"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time the certificate is valid from.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Remote absolute path of the CA (Certificate Authority) certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_passphrase"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the CA (Certificate Authority) private key to use when signing the certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_version"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
<td><divclass="ansible-option-cell"><p>The version of the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> certificate.</p>
<p>Nowadays it should almost always be <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">3</span></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-owner"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<td><divclass="ansible-option-cell"><p>Name of the user that should own the filesystem object, as would be fed to <codeclass="docutils literal notranslate"><spanclass="pre">chown</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span> / <spanclass="ansible-option-required">required</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Remote absolute path where the generated certificate file should be created or is already located.</p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_passphrase"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the private key to use when signing the certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-provider"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Name of the provider to use to generate/retrieve the OpenSSL certificate. Please see the examples on how to emulate it with <aclass="reference internal"href="x509_certificate_info_module.html#ansible-collections-community-crypto-x509-certificate-info-module"><spanclass="std std-ref">community.crypto.x509_certificate_info</span></a>, <aclass="reference internal"href="openssl_csr_info_module.html#ansible-collections-community-crypto-openssl-csr-info-module"><spanclass="std std-ref">community.crypto.openssl_csr_info</span></a>, <aclass="reference internal"href="openssl_privatekey_info_module.html#ansible-collections-community-crypto-openssl-privatekey-info-module"><spanclass="std std-ref">community.crypto.openssl_privatekey_info</span></a> and <aclass="reference external"href="https://docs.ansible.com/ansible/devel/collections/ansible/builtin/assert_module.html#ansible-collections-ansible-builtin-assert-module"title="(in Ansible vdevel)"><spanclass="xref std std-ref">ansible.builtin.assert</span></a>.</p>
<p>The <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider was added for Ansible 2.9 and requires credentials for the <aclass="reference external"href="https://www.entrustdatacard.com/products/categories/ssl-certificates">Entrust Certificate Services</a> (ECS) API.</p>
<p>Required if <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-state"><spanclass="std std-ref"><spanclass="pre">state</span></span></a></strong></code> is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">present</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-return_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
<td><divclass="ansible-option-cell"><p>If set to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">true</span></code>, will return the (current or generated) certificate’s content as <codeclass="ansible-return-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-return-certificate"><spanclass="std std-ref"><spanclass="pre">certificate</span></span></a></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-select_crypto_backend"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Determines which crypto backend to use.</p>
<p>The default choice is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">auto</span></code>, which tries to use <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> if available.</p>
<p>If set to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">cryptography</span></code>, will try to use the <aclass="reference external"href="https://cryptography.io/">cryptography</a> library.</p>
<aclass="ansibleOptionLink"href="#parameter-selevel"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The level part of the SELinux filesystem object context.</p>
<p>This is the MLS/MCS attribute, sometimes known as the <codeclass="docutils literal notranslate"><spanclass="pre">range</span></code>.</p>
<p>When set to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">_default</span></code>, it will use the <codeclass="docutils literal notranslate"><spanclass="pre">level</span></code> portion of the policy if available.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_create_subject_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether to create the Subject Key Identifier (SKI) from the public key.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">create_if_not_provided</span></code> (default) only creates a SKI when the CSR does not provide one.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">always_create</span></code> always creates a SKI. If the CSR provides one, that one is ignored.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">never_create</span></code> never creates a SKI. If the CSR provides one, that one is used.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_digest"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Digest algorithm to be used when self-signing the certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: selfsigned_notAfter</span></p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<p>On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see <aclass="reference external"href="https://support.apple.com/en-us/HT210176">https://support.apple.com/en-us/HT210176</a> for more details.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_not_before"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: selfsigned_notBefore</span></p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_version"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
<td><divclass="ansible-option-cell"><p>Version of the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> certificate.</p>
<p>Nowadays it should almost always be <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">3</span></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-serole"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The role part of the SELinux filesystem object context.</p>
<p>When set to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">_default</span></code>, it will use the <codeclass="docutils literal notranslate"><spanclass="pre">role</span></code> portion of the policy if available.</p>
<aclass="ansibleOptionLink"href="#parameter-setype"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The type part of the SELinux filesystem object context.</p>
<p>When set to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">_default</span></code>, it will use the <codeclass="docutils literal notranslate"><spanclass="pre">type</span></code> portion of the policy if available.</p>
<aclass="ansibleOptionLink"href="#parameter-seuser"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The user part of the SELinux filesystem object context.</p>
<p>By default it uses the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">system</span></code> policy, where applicable.</p>
<p>When set to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">_default</span></code>, it will use the <codeclass="docutils literal notranslate"><spanclass="pre">user</span></code> portion of the policy if available.</p>
<aclass="ansibleOptionLink"href="#parameter-state"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether the certificate should exist or not, taking action if the state is different from what is stated.</p>
<aclass="ansibleOptionLink"href="#parameter-unsafe_writes"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object.</p>
<p>By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner.</p>
<p>This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes).</p>
<p>IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption.</p>
<td><divclass="ansible-option-cell"><p>Can run in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code> and return changed status prediction without modifying target.</p>
<td><divclass="ansible-option-cell"><p>Will return details on what has changed (or possibly needs changing in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code>), when in diff mode.</p>
<p>If relative timestamps are used and <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>, the module is not idempotent.</p>
<td><divclass="ansible-option-cell"><p>When run twice in a row outside check mode, with the same arguments, the second invocation indicates no change.</p>
<p>This assumes that the system controlled/queried by the module has not changed in a relevant way.</p>
<li><p>For security reason, when you use <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider, you should NOT run <aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module"><spanclass="std std-ref">community.crypto.x509_certificate</span></a> on a target machine, but on a dedicated CA machine. It is recommended not to store the CA private key on the target machine. Once signed, the certificate can be moved to the target machine.</p></li>
<li><p>For the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider, <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-csr-path"><spanclass="std std-ref"><spanclass="pre">csr_path</span></span></a></strong></code> and <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-csr-content"><spanclass="std std-ref"><spanclass="pre">csr_content</span></span></a></strong></code> are optional. If not provided, a certificate without any information (Subject, Subject Alternative Names, Key Usage, etc.) is created.</p></li>
<dt><aclass="reference internal"href="openssl_privatekey_pipe_module.html#ansible-collections-community-crypto-openssl-privatekey-pipe-module"><spanclass="std std-ref">community.crypto.openssl_privatekey_pipe</span></a></dt><dd><p>Generate OpenSSL private keys without disk access.</p>
<dt><aclass="reference internal"href="openssl_publickey_module.html#ansible-collections-community-crypto-openssl-publickey-module"><spanclass="std std-ref">community.crypto.openssl_publickey</span></a></dt><dd><p>Generate an OpenSSL public key from its private key.</p>
<divclass="highlight-yaml+jinja notranslate"><divclass="highlight"><pre><span></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate a Self Signed OpenSSL certificate</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate an OpenSSL certificate signed with your own CA certificate</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Force (re-)generate a new Let's Encrypt Certificate</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate an Entrust certificate via the Entrust Certificate Services (ECS) API</span>
<spanclass="w"></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="s">"result.subject</span><spanclass="nv"></span><spanclass="s">|</span><spanclass="nv"></span><spanclass="s">length</span><spanclass="nv"></span><spanclass="s">==</span><spanclass="nv"></span><spanclass="s">1"</span><spanclass="w"></span><spanclass="c1"># the number must be the number of entries you check for</span>
<spanclass="w"></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="s">"result.issuer</span><spanclass="nv"></span><spanclass="s">|</span><spanclass="nv"></span><spanclass="s">length</span><spanclass="nv"></span><spanclass="s">==</span><spanclass="nv"></span><spanclass="s">1"</span><spanclass="w"></span><spanclass="c1"># the number must be the number of entries you check for</span>
<spanclass="w"></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="s">"result.key_usage</span><spanclass="nv"></span><spanclass="s">|</span><spanclass="nv"></span><spanclass="s">length</span><spanclass="nv"></span><spanclass="s">==</span><spanclass="nv"></span><spanclass="s">1"</span><spanclass="w"></span><spanclass="c1"># the number must be the number of entries you check for</span>
<spanclass="w"></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="s">"result.extended_key_usage</span><spanclass="nv"></span><spanclass="s">|</span><spanclass="nv"></span><spanclass="s">length</span><spanclass="nv"></span><spanclass="s">==</span><spanclass="nv"></span><spanclass="s">1"</span><spanclass="w"></span><spanclass="c1"># the number must be the number of entries you check for</span>
<spanclass="w"></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="s">"result.subject_alt_name</span><spanclass="nv"></span><spanclass="s">|</span><spanclass="nv"></span><spanclass="s">length</span><spanclass="nv"></span><spanclass="s">==</span><spanclass="nv"></span><spanclass="s">1"</span><spanclass="w"></span><spanclass="c1"># the number must be the number of entries you check for</span>
<spanclass="w"></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="s">"result.valid_at.one_day_ten_hours"</span><spanclass="w"></span><spanclass="c1"># for valid_at</span>
<spanclass="w"></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="s">"not</span><spanclass="nv"></span><spanclass="s">result.valid_at.fixed_timestamp"</span><spanclass="w"></span><spanclass="c1"># for invalid_at</span>
<spanclass="w"></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="s">"result.valid_at.ten_seconds"</span><spanclass="w"></span><spanclass="c1"># for valid_in</span>
<h2><aclass="toc-backref"href="#id8"role="doc-backlink">Return Values</a><aclass="headerlink"href="#return-values"title="Link to this heading"></a></h2>
<p>Common return values are documented <aclass="reference external"href="https://docs.ansible.com/ansible/devel/reference_appendices/common_return_values.html#common-return-values"title="(in Ansible vdevel)"><spanclass="xref std std-ref">here</span></a>, the following are the fields unique to this module:</p>
<aclass="ansibleOptionLink"href="#return-backup_file"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Name of backup file created.</p>
<pclass="ansible-option-line"><strongclass="ansible-option-returned-bold">Returned:</strong> changed and if <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-module-parameter-backup"><spanclass="std std-ref"><spanclass="pre">backup</span></span></a></strong></code> is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">true</span></code></p>
<aclass="ansibleOptionLink"href="#return-certificate"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#return-filename"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the generated certificate.</p>
<li><span><aaria-role="button"class="ansible-link reference external"href="https://forum.ansible.com/tags/c/help/6/none/crypto"rel="noopener external"target="_blank">Ask for help (crypto)</a></span></li>
<li><span><aaria-role="button"class="ansible-link reference external"href="https://forum.ansible.com/tags/c/help/6/none/acme"rel="noopener external"target="_blank">Ask for help (ACME)</a></span></li>
