</head>
<bodyclass="wy-body-for-nav"><!-- extra body elements for Ansible beyond RTD Sphinx Theme -->
</ul>
<p>This module is part of the <aclass="reference external"href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.21.0).</p>
<p>It is not included in <codeclass="docutils literal notranslate"><spanclass="pre">ansible-core</span></code>.
To check whether it is installed, run <codeclass="code docutils literal notranslate"><spanclass="pre">ansible-galaxy</span> <spanclass="pre">collection</span> <spanclass="pre">list</span></code>.</p>
<p>You need further requirements to be able to use this module,
see <aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-requirements"><spanclass="std std-ref">Requirements</span></a> for details.</p>
<p>To use it in a playbook, specify: <codeclass="code docutils literal notranslate"><spanclass="pre">community.crypto.x509_certificate_pipe</span></code>.</p>
</div>
<pclass="ansible-version-added">New in community.crypto 1.3.0</p>
<h2><aclass="toc-backref"href="#id1"role="doc-backlink">Synopsis</a><aclass="headerlink"href="#synopsis"title="Link to this heading"></a></h2>
<ulclass="simple">
<li><p>It implements a notion of provider (one of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code>, <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code>, <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code>) for your certificate.</p></li>
<li><p>It uses the cryptography Python library to interact with OpenSSL.</p></li>
<li><p>The <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider is intended for generating an OpenSSL certificate signed with your own CA (Certificate Authority) certificate (self-signed certificate).</p></li>
<li><p>This module allows one to (re)generate OpenSSL certificates.</p></li>
</ul>
</section>
<sectionid="requirements">
<spanid="ansible-collections-community-crypto-x509-certificate-pipe-module-requirements"></span><h2><aclass="toc-backref"href="#id2"role="doc-backlink">Requirements</a><aclass="headerlink"href="#requirements"title="Link to this heading"></a></h2>
<p>The below requirements are needed on the host that executes this module.</p>
<ulclass="simple">
<li><p>cryptography >= 1.6 (if using <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> or <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider)</p></li>
</ul>
</section>
<sectionid="parameters">
<h2><aclass="toc-backref"href="#id3"role="doc-backlink">Parameters</a><aclass="headerlink"href="#parameters"title="Link to this heading"></a></h2>
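The time-valued parameters in this section (`ownca_not_before`, `ownca_not_after`, `entrust_not_after`) accept the relative form `[+-]timespec`, and `ignore_timestamps` decides whether they take part in idempotency checks. The following added example is not the module's own code: it is a simplified model of the documented rules, with hypothetical function names and constructed run times, showing why relative timestamps and `ignore_timestamps=false` do not mix, how the 825-day macOS limit can be checked, and how the Entrust EST adjustment can move the expiry date one day earlier.

```python
import re
from datetime import datetime, timedelta, timezone

# Relative time grammar from the parameter docs: [+-]timespec, where timespec
# is one or more "<integer><unit>" groups with unit in w, d, h, m, s.
_UNITS = {"w": "weeks", "d": "days", "h": "hours", "m": "minutes", "s": "seconds"}
_RELATIVE = re.compile(r"^([+-])((?:\d+[wdhms])+)$")
_GROUP = re.compile(r"(\d+)([wdhms])")

# Constructed sample run times (UTC): two playbook runs one day apart.
RUN_1 = datetime(2024, 1, 10, 3, 0, 0, tzinfo=timezone.utc)
RUN_2 = RUN_1 + timedelta(days=1)


def parse_relative(spec):
    """Return the timedelta for a relative spec such as '+32w1d2h', or None
    when the value is not in relative form (an absolute time instead)."""
    match = _RELATIVE.match(spec.strip())
    if match is None:
        return None
    sign = -1 if match.group(1) == "-" else 1
    delta = timedelta()
    for amount, unit in _GROUP.findall(match.group(2)):
        delta += timedelta(**{_UNITS[unit]: int(amount)})
    return sign * delta


def resolve(spec, now):
    """Resolve a relative spec against 'now' (timezone-aware, UTC).
    Absolute ASN.1 TIME values are out of scope here and raise ValueError."""
    delta = parse_relative(spec)
    if delta is None:
        raise ValueError("not a relative timespec: %r" % spec)
    return (now + delta).replace(microsecond=0)


def would_regenerate(existing_not_after, spec, now, ignore_timestamps=True):
    """Assumed model of the idempotency rule: the timestamp is compared with
    the existing certificate only when ignore_timestamps is false."""
    if ignore_timestamps:
        return False
    # A relative spec resolves to a new absolute time on every run, so this
    # comparison fails on each run and the certificate is reissued each time.
    return resolve(spec, now) != existing_not_after


def exceeds_macos_limit(not_before, not_after, limit_days=825):
    """True when the validity period is longer than the 825 days that the
    ownca_not_after note gives for TLS server certificates on macOS 10.15+."""
    return (not_after - not_before) > timedelta(days=limit_days)


def entrust_expiry_date(spec, now):
    """Assumed model of the entrust_not_after note: the UTC date-time is moved
    to EST (GMT -5:00) and only the resulting date is kept."""
    est = timezone(timedelta(hours=-5))
    return resolve(spec, now).astimezone(est).date()


if __name__ == "__main__":
    issued = resolve("+365d", RUN_1)
    print("not_after from first run:", issued.isoformat())
    print("regenerate on second run, ignore_timestamps=true: ",
          would_regenerate(issued, "+365d", RUN_2, ignore_timestamps=True))
    print("regenerate on second run, ignore_timestamps=false:",
          would_regenerate(issued, "+365d", RUN_2, ignore_timestamps=False))
    # "+3650d" is a constructed stand-in for a roughly ten-year validity.
    print("ten-year validity exceeds 825 days:",
          exceeds_macos_limit(RUN_1, resolve("+3650d", RUN_1)))
    print("UTC expiry date:    ", issued.date())
    print("Entrust expiry date:", entrust_expiry_date("+365d", RUN_1))
```

With `ignore_timestamps=false`, use absolute timestamps so that every run resolves to the same value.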
<aclass="ansibleOptionLink"href="#parameter-content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-csr_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the Certificate Signing Request (CSR) used to generate this certificate.</p>
<p>This is mutually exclusive with <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-csr-path"><spanclass="std std-ref"><spanclass="pre">csr_path</span></span></a></strong></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-csr_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the Certificate Signing Request (CSR) used to generate this certificate.</p>
<p>This is mutually exclusive with <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-csr-content"><spanclass="std std-ref"><spanclass="pre">csr_content</span></span></a></strong></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_client_cert_key_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the private key of the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_client_cert_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_key"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The key (password) for authentication to the Entrust Certificate Services (ECS) API.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_specification_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the specification file defining the Entrust Certificate Services (ECS) API configuration.</p>
<p>You can use this to keep a local copy of the specification to avoid downloading it every time the module is used.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_user"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The username for authentication to the Entrust Certificate Services (ECS) API.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_cert_type"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Specify the type of certificate requested.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time at which the certificate stops being valid.</p>
<p>Time can be specified either as relative time or as an absolute timestamp.</p>
<p>A valid absolute time format is <codeclass="docutils literal notranslate"><spanclass="pre">ASN.1</span> <spanclass="pre">TIME</span></code> such as <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">2019-06-18</span></code>.</p>
<p>A valid relative time format is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">[+-]timespec</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code>, such as <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+365d</span></code> or <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>.</p>
<p>Time will always be interpreted as UTC.</p>
<p>Note that only the date (day, month, year) is supported for specifying the expiry date of the issued certificate.</p>
<p>The full date-time is adjusted to EST (GMT -5:00) before issuance, which may result in a certificate with an expiration date one day earlier than expected if a relative time is used.</p>
<p>The minimum certificate lifetime is 90 days, and maximum is three years.</p>
<p>If this value is not specified, the certificate will stop being valid 365 days from the date of issue.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>Please note that this value is <strong>not</strong> covered by the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_email"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The email of the requester of the certificate (for tracking purposes).</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_name"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The name of the requester of the certificate (for tracking purposes).</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_phone"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The phone number of the requester of the certificate (for tracking purposes).</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-force"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Generate the certificate, even if it already exists.</p>
<aclass="ansibleOptionLink"href="#parameter-ignore_timestamps"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
<p><emclass="ansible-option-versionadded">added in community.crypto 2.0.0</em></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether the “not before” and “not after” timestamps should be ignored for idempotency checks.</p>
<p>It is better to keep the default value <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">true</span></code> when using relative timestamps (like <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+0s</span></code> for now).</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the CA (Certificate Authority) certificate.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>This is mutually exclusive with <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ownca-path"><spanclass="std std-ref"><spanclass="pre">ownca_path</span></span></a></strong></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_create_authority_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Create an Authority Key Identifier from the CA’s certificate. If the CSR provided an authority key identifier, it is ignored.</p>
<p>The Authority Key Identifier is generated from the CA certificate’s Subject Key Identifier, if available. If it is not available, the CA certificate’s public key will be used.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>Note that this is only supported if the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend is used!</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_create_subject_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether to create the Subject Key Identifier (SKI) from the public key.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">create_if_not_provided</span></code> (default) only creates a SKI when the CSR does not provide one.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">always_create</span></code> always creates a SKI. If the CSR provides one, that one is ignored.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">never_create</span></code> never creates a SKI. If the CSR provides one, that one is used.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>Note that this is only supported if the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend is used!</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_digest"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The digest algorithm to be used for the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> certificate.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time at which the certificate stops being valid.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Time will always be interpreted as UTC.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span> <spanclass="pre">|</span> <spanclass="pre">ASN.1</span> <spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>If this value is not specified, the certificate will stop being valid 10 years from now.</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see <aclass="reference external"href="https://support.apple.com/en-us/HT210176">https://support.apple.com/en-us/HT210176</a> for more details.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_not_before"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time the certificate is valid from.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Time will always be interpreted as UTC.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span> <spanclass="pre">|</span> <spanclass="pre">ASN.1</span> <spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>If this value is not specified, the certificate will start being valid from now.</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Remote absolute path of the CA (Certificate Authority) certificate.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>This is mutually exclusive with <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ownca-content"><spanclass="std std-ref"><spanclass="pre">ownca_content</span></span></a></strong></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the CA (Certificate Authority) private key to use when signing the certificate.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>This is mutually exclusive with <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ownca-privatekey-path"><spanclass="std std-ref"><spanclass="pre">ownca_privatekey_path</span></span></a></strong></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_passphrase"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The passphrase for the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ownca-privatekey-path"><spanclass="std std-ref"><spanclass="pre">ownca_privatekey_path</span></span></a></strong></code> or <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ownca-privatekey-content"><spanclass="std std-ref"><spanclass="pre">ownca_privatekey_content</span></span></a></strong></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the CA (Certificate Authority) private key to use when signing the certificate.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>This is mutually exclusive with <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ownca-privatekey-content"><spanclass="std std-ref"><spanclass="pre">ownca_privatekey_content</span></span></a></strong></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_version"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The version of the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> certificate.</p>
<p>Nowadays it should almost always be <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">3</span></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the private key to use when signing the certificate.</p>
<p>This is mutually exclusive with <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-privatekey-path"><spanclass="std std-ref"><spanclass="pre">privatekey_path</span></span></a></strong></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_passphrase"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The passphrase for the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-privatekey-path"><spanclass="std std-ref"><spanclass="pre">privatekey_path</span></span></a></strong></code> or <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-privatekey-content"><spanclass="std std-ref"><spanclass="pre">privatekey_content</span></span></a></strong></code>.</p>
<p>This is required if the private key is password protected.</p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the private key to use when signing the certificate.</p>
<p>This is mutually exclusive with <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-privatekey-content"><spanclass="std std-ref"><spanclass="pre">privatekey_content</span></span></a></strong></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-provider"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span> / <spanclass="ansible-option-required">required</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Name of the provider to use to generate/retrieve the OpenSSL certificate.</p>
<p>The <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider requires credentials for the <aclass="reference external"href="https://www.entrustdatacard.com/products/categories/ssl-certificates">Entrust Certificate Services</a> (ECS) API.</p>
<aclass="ansibleOptionLink"href="#parameter-select_crypto_backend"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Determines which crypto backend to use.</p>
<p>The default choice is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">auto</span></code>, which tries to use <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> if available.</p>
<p>If set to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">cryptography</span></code>, will try to use the <aclass="reference external"href="https://cryptography.io/">cryptography</a> library.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_create_subject_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether to create the Subject Key Identifier (SKI) from the public key.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">create_if_not_provided</span></code> (default) only creates a SKI when the CSR does not provide one.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">always_create</span></code> always creates a SKI. If the CSR provides one, that one is ignored.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">never_create</span></code> never creates a SKI. If the CSR provides one, that one is used.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<p>Note that this is only supported if the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend is used!</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_digest"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Digest algorithm to be used when self-signing the certificate.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: selfsigned_notAfter</span></p>
<td><divclass="ansible-option-cell"><p>The point in time at which the certificate stops being valid.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Time will always be interpreted as UTC.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>If this value is not specified, the certificate will stop being valid 10 years from now.</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<p>On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see <aclass="reference external"href="https://support.apple.com/en-us/HT210176">https://support.apple.com/en-us/HT210176</a> for more details.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_not_before"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: selfsigned_notBefore</span></p>
<td><divclass="ansible-option-cell"><p>The point in time the certificate is valid from.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Time will always be interpreted as UTC.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>If this value is not specified, the certificate will start being valid from now.</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_version"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Version of the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> certificate.</p>
<p>Nowadays it should almost always be <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">3</span></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<p>Currently in check mode, private keys will not be (re-)generated, only the changed status is set. This will change in community.crypto 3.0.0.</p>
<p>From community.crypto 3.0.0 on, the module will ignore check mode and always behave as if check mode is not active. If you think this breaks your use-case of this module, please create an issue in the community.crypto repository.</p>
</div></td>
<td><divclass="ansible-option-cell"><p>Can run in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code> and return changed status prediction without modifying target.</p>
<td><divclass="ansible-option-cell"><p>Will return details on what has changed (or possibly needs changing in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code>), when in diff mode.</p>
</div></td>
</tr>
</tbody>
</table>
</section>
<sectionid="notes">
<h2><aclass="toc-backref"href="#id5"role="doc-backlink">Notes</a><aclass="headerlink"href="#notes"title="Link to this heading"></a></h2>
<divclass="admonition note">
<pclass="admonition-title">Note</p>
<ulclass="simple">
<li><p>All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.</p></li>
<li><p>Date specified should be UTC. Minutes and seconds are mandatory.</p></li>
<li><p>For security reasons, when you use the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider, you should NOT run <aclass="reference internal"href="x509_certificate_module.html#ansible-collections-community-crypto-x509-certificate-module"><spanclass="std std-ref">community.crypto.x509_certificate</span></a> on a target machine, but on a dedicated CA machine. It is recommended not to store the CA private key on the target machine. Once signed, the certificate can be moved to the target machine.</p></li>
<li><p>For the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider, <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-csr-path"><spanclass="std std-ref"><spanclass="pre">csr_path</span></span></a></strong></code> and <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-csr-content"><spanclass="std std-ref"><spanclass="pre">csr_content</span></span></a></strong></code> are optional. If not provided, a certificate without any information (Subject, Subject Alternative Names, Key Usage, etc.) is created.</p></li>
</ul>
</div>
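<p>Added example (not part of the community.crypto documentation or code): a Python sketch that interprets the time format documented for <code>selfsigned_not_before</code> and <code>selfsigned_not_after</code> and flags the pitfalls this page mentions, namely the 825-day macOS limit and relative timestamps combined with <code>ignore_timestamps=false</code>. The function names and the acceptance of units in any order are assumptions; the module's own parser may differ.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Format as documented on this page: [+-]timespec | ASN.1 TIME
_UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_RELATIVE = re.compile(r"^([+-])((?:\d+[wdhms])+)$")  # unit order is an assumption
_PART = re.compile(r"(\d+)([wdhms])")
_ASN1 = re.compile(r"^\d{14}Z$")  # YYYYMMDDHHMMSSZ, minutes and seconds mandatory
MACOS_MAX_DAYS = 825  # TLS server certificate limit quoted on this page


def is_relative(spec):
    """True when the value is a [+-]timespec rather than an absolute time."""
    return bool(_RELATIVE.match(spec))


def resolve_time(spec, now):
    """Turn a documented time value into a timezone-aware UTC datetime."""
    rel = _RELATIVE.match(spec)
    if rel:
        seconds = sum(int(n) * _UNIT_SECONDS[u]
                      for n, u in _PART.findall(rel.group(2)))
        delta = timedelta(seconds=seconds)
        return now + delta if rel.group(1) == "+" else now - delta
    if _ASN1.match(spec):
        # strptime raises ValueError for impossible dates such as month 13
        parsed = datetime.strptime(spec, "%Y%m%d%H%M%SZ")
        return parsed.replace(tzinfo=timezone.utc)
    raise ValueError(f"not a [+-]timespec or YYYYMMDDHHMMSSZ value: {spec!r}")


def lint_validity(not_before, not_after, now, ignore_timestamps=True):
    """Return a list of findings for a not_before/not_after pair."""
    findings = []
    start = resolve_time(not_before, now)
    end = resolve_time(not_after, now)
    if end <= start:
        findings.append("not_after is not later than not_before")
    if end - start > timedelta(days=MACOS_MAX_DAYS):
        findings.append(f"validity exceeds {MACOS_MAX_DAYS} days (macOS 10.15+ limit)")
    if not ignore_timestamps and (is_relative(not_before) or is_relative(not_after)):
        findings.append("relative timestamp used with ignore_timestamps=false")
    return findings


if __name__ == "__main__":
    # Constructed sample input: a fixed "now" keeps the output reproducible.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print(resolve_time("+32w1d2h", now))
    print(lint_validity("+0s", "+3650d", now, ignore_timestamps=False))
```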
</section>
<sectionid="see-also">
<h2><aclass="toc-backref"href="#id6"role="doc-backlink">See Also</a><aclass="headerlink"href="#see-also"title="Link to this heading"></a></h2>
<dt><aclass="reference internal"href="openssl_privatekey_pipe_module.html#ansible-collections-community-crypto-openssl-privatekey-pipe-module"><spanclass="std std-ref">community.crypto.openssl_privatekey_pipe</span></a></dt><dd><p>Generate OpenSSL private keys without disk access.</p>
</dd>
<dt><aclass="reference internal"href="openssl_publickey_module.html#ansible-collections-community-crypto-openssl-publickey-module"><spanclass="std std-ref">community.crypto.openssl_publickey</span></a></dt><dd><p>Generate an OpenSSL public key from its private key.</p>
</dd>
</dl>
</div>
</section>
<sectionid="examples">
<h2><aclass="toc-backref"href="#id7"role="doc-backlink">Examples</a><aclass="headerlink"href="#examples"title="Link to this heading"></a></h2>
<divclass="highlight-yaml+jinja notranslate"><divclass="highlight"><pre><span></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate a Self Signed OpenSSL certificate</span>
<spanclass="c1"># In the following example, both CSR and certificate file are stored on the</span>
<spanclass="c1"># machine where ansible-playbook is executed, while the OwnCA data (certificate,</span>
<spanclass="c1"># private key) are stored on the remote machine.</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">(1/2) Generate an OpenSSL Certificate with the CSR provided inline</span>
<spanclass="w"></span><spanclass="nt">when</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">result is changed</span>
<spanclass="c1"># In the following example, the certificate from another machine is signed by</span>
<spanclass="c1"># our OwnCA whose private key and certificate are only available on this</span>
<spanclass="c1"># machine (where ansible-playbook is executed), without having to write</span>
<spanclass="c1"># the certificate file to disk on localhost. The CSR could have been</span>
<spanclass="c1"># provided by community.crypto.openssl_csr_pipe earlier, or also have been</span>
<spanclass="c1"># read from the remote machine.</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">(1/3) Read certificate's contents from remote machine</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">(2/3) Generate an OpenSSL Certificate with the CSR provided inline</span>
<spanclass="w"></span><spanclass="nt">when</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">result is changed</span>
</pre></div>
</div>
</section>
<sectionid="return-values">
<h2><aclass="toc-backref"href="#id8"role="doc-backlink">Return Values</a><aclass="headerlink"href="#return-values"title="Link to this heading"></a></h2>
<p>Common return values are documented <aclass="reference external"href="https://docs.ansible.com/ansible/devel/reference_appendices/common_return_values.html#common-return-values"title="(in Ansible vdevel)"><spanclass="xref std std-ref">here</span></a>. The following are the fields unique to this module:</p>
<aclass="ansibleOptionLink"href="#return-certificate"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The (current or generated) certificate’s content.</p>
<pclass="ansible-option-line"><strongclass="ansible-option-returned-bold">Returned:</strong> changed or success</p>
</div></td>
</tr>
</tbody>
</table>
<sectionid="authors">
<h3>Authors<aclass="headerlink"href="#authors"title="Link to this heading"></a></h3>