</head>
<body class="wy-body-for-nav"><!-- extra body elements for Ansible beyond RTD Sphinx Theme -->
<h1>community.crypto.openssl_privatekey_pipe module – Generate OpenSSL private keys without disk access<a class="headerlink" href="#community-crypto-openssl-privatekey-pipe-module-generate-openssl-private-keys-without-disk-access" title="Link to this heading"></a></h1>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.20.0).</p>
<p>It is not included in <code class="docutils literal notranslate"><span class="pre">ansible-core</span></code>.
To check whether it is installed, run <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">list</span></code>.</p>
<p>You need further requirements to be able to use this module,
see <a class="reference internal" href="#ansible-collections-community-crypto-openssl-privatekey-pipe-module-requirements"><span class="std std-ref">Requirements</span></a> for details.</p>
<p>To use it in a playbook, specify: <code class="code docutils literal notranslate"><span class="pre">community.crypto.openssl_privatekey_pipe</span></code>.</p>
</div>
<p class="ansible-version-added">New in community.crypto 1.3.0</p>
<h2><a class="toc-backref" href="#id1" role="doc-backlink">Synopsis</a><a class="headerlink" href="#synopsis" title="Link to this heading"></a></h2>
<ul class="simple">
<li><p>Keys are generated in PEM format.</p></li>
<li><p>Make sure not to write the result of this module into logs or to the console, as it contains private key data! Use the <code class="docutils literal notranslate"><span class="pre">no_log</span></code> task option to be sure.</p></li>
<li><p>Note that this module is implemented as an <a class="reference external" href="https://docs.ansible.com/ansible/latest/plugins/action.html">action plugin</a> and will always be executed on the controller.</p></li>
<li><p>One can generate <a class="reference external" href="https://en.wikipedia.org/wiki/RSA_%2528cryptosystem%2529">RSA</a>, <a class="reference external" href="https://en.wikipedia.org/wiki/Digital_Signature_Algorithm">DSA</a>, <a class="reference external" href="https://en.wikipedia.org/wiki/Elliptic-curve_cryptography">ECC</a> or <a class="reference external" href="https://en.wikipedia.org/wiki/EdDSA">EdDSA</a> private keys.</p></li>
<li><p>This allows reading and writing keys to vaults without having to write intermediate versions to disk.</p></li>
<li><p>This module allows one to (re)generate OpenSSL private keys without disk access.</p></li>
</ul>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>This module has a corresponding <a class="reference external" href="https://docs.ansible.com/ansible/devel/plugins/action.html#action-plugins" title="(in Ansible vdevel)"><span class="xref std std-ref">action plugin</span></a>.</p>
</div>
</section>
<section id="requirements">
<span id="ansible-collections-community-crypto-openssl-privatekey-pipe-module-requirements"></span><h2><a class="toc-backref" href="#id2" role="doc-backlink">Requirements</a><a class="headerlink" href="#requirements" title="Link to this heading"></a></h2>
<p>The below requirements are needed on the host that executes this module.</p>
<ul class="simple">
<li><p>cryptography >= 1.2.3 (older versions might work as well)</p></li>
</ul>
</section>
<section id="parameters">
<h2><a class="toc-backref" href="#id3" role="doc-backlink">Parameters</a><a class="headerlink" href="#parameters" title="Link to this heading"></a></h2>
<a class="ansibleOptionLink" href="#parameter-cipher" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The cipher to encrypt the private key. Must be <code class="ansible-value docutils literal notranslate"><span class="pre">auto</span></code>.</p>
<a class="ansibleOptionLink" href="#parameter-content" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The current private key data.</p>
<p>Needed for idempotency. If not provided, the module will always return a change, and all idempotence-related options are ignored.</p>
<a class="ansibleOptionLink" href="#parameter-content_base64" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Set to <code class="ansible-value docutils literal notranslate"><span class="pre">true</span></code> if the content is base64 encoded.</p>
<a class="ansibleOptionLink" href="#parameter-curve" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Note that not all curves are supported by all versions of <code class="docutils literal notranslate"><span class="pre">cryptography</span></code>.</p>
<p>For maximal interoperability, <code class="ansible-value docutils literal notranslate"><span class="pre">secp384r1</span></code> or <code class="ansible-value docutils literal notranslate"><span class="pre">secp256r1</span></code> should be used.</p>
<p>We use the curve names as defined in the <a class="reference external" href="https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8">IANA registry for TLS</a>.</p>
<p>Please note that all curves except <code class="ansible-value docutils literal notranslate"><span class="pre">secp224r1</span></code>, <code class="ansible-value docutils literal notranslate"><span class="pre">secp256k1</span></code>, <code class="ansible-value docutils literal notranslate"><span class="pre">secp256r1</span></code>, <code class="ansible-value docutils literal notranslate"><span class="pre">secp384r1</span></code>, and <code class="ansible-value docutils literal notranslate"><span class="pre">secp521r1</span></code> are discouraged for new private keys.</p>
<a class="ansibleOptionLink" href="#parameter-format" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Determines which format the private key is written in. By default, PKCS1 (traditional OpenSSL format) is used for all keys which support it. Please note that not every key can be exported in any format.</p>
<p>The value <code class="ansible-value docutils literal notranslate"><span class="pre">auto</span></code> selects a format based on the key format. The value <code class="ansible-value docutils literal notranslate"><span class="pre">auto_ignore</span></code> does the same, but for existing private key files, it will not force a regenerate when its format is not the automatically selected one for generation.</p>
<p>Note that if the format for an existing private key mismatches, the key is <strong>regenerated</strong> by default. To change this behavior, use the <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-openssl-privatekey-pipe-module-parameter-format-mismatch"><span class="std std-ref"><span class="pre">format_mismatch</span></span></a></strong></code> option.</p>
<a class="ansibleOptionLink" href="#parameter-format_mismatch" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Determines behavior of the module if the format of a private key does not match the expected format, but all other parameters are as expected.</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">regenerate</span></code> (default), generates a new private key.</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">convert</span></code>, the key will be converted to the new format instead.</p>
<p>Only supported by the <code class="docutils literal notranslate"><span class="pre">cryptography</span></code> backend.</p>
<a class="ansibleOptionLink" href="#parameter-passphrase" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The passphrase for the private key.</p>
<a class="ansibleOptionLink" href="#parameter-regenerate" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Configures the situations in which the module is allowed to regenerate private keys. The module will always generate a new key if the destination file does not exist.</p>
<p>By default, the key will be regenerated when it does not match the module’s options, except when the key cannot be read or the passphrase does not match. Please note that this <strong>changed</strong> for Ansible 2.10. For Ansible 2.9, the behavior was as if <code class="ansible-value docutils literal notranslate"><span class="pre">full_idempotence</span></code> is specified.</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">never</span></code>, the module will fail if the key cannot be read or the passphrase does not match, and will never regenerate an existing key.</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">fail</span></code>, the module will fail if the key does not correspond to the module’s options.</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">partial_idempotence</span></code>, the key will be regenerated if it does not conform to the module’s options. The key is <strong>not</strong> regenerated if it cannot be read (broken file), the key is protected by an unknown passphrase, or when the key is not protected by a passphrase, but a passphrase is specified.</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">full_idempotence</span></code>, the key will be regenerated if it does not conform to the module’s options. This is also the case if the key cannot be read (broken file), the key is protected by an unknown passphrase, or when the key is not protected by a passphrase, but a passphrase is specified. Make sure you have a <strong>backup</strong> when using this option!</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">always</span></code>, the module will always regenerate the key.</p>
<p>Note that if <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-openssl-privatekey-pipe-module-parameter-format-mismatch"><span class="std std-ref"><span class="pre">format_mismatch</span></span></a></strong></code> is set to <code class="ansible-value docutils literal notranslate"><span class="pre">convert</span></code> and everything matches except the format, the key will always be converted, except if <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-openssl-privatekey-pipe-module-parameter-regenerate"><span class="std std-ref"><span class="pre">regenerate</span></span></a></strong></code> is set to <code class="ansible-value docutils literal notranslate"><span class="pre">always</span></code>.</p>
<a class="ansibleOptionLink" href="#parameter-return_current_key" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Set to <code class="ansible-value docutils literal notranslate"><span class="pre">true</span></code> to return the current private key when the module did not generate a new one.</p>
<p>Note that in case of check mode, when this option is not set to <code class="ansible-value docutils literal notranslate"><span class="pre">true</span></code>, the module always returns the current key (if it was provided) and Ansible will replace it by <code class="docutils literal notranslate"><span class="pre">VALUE_SPECIFIED_IN_NO_LOG_PARAMETER</span></code>.</p>
<a class="ansibleOptionLink" href="#parameter-select_crypto_backend" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Determines which crypto backend to use.</p>
<p>The default choice is <code class="ansible-value docutils literal notranslate"><span class="pre">auto</span></code>, which tries to use <code class="docutils literal notranslate"><span class="pre">cryptography</span></code> if available.</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">cryptography</span></code>, will try to use the <a class="reference external" href="https://cryptography.io/">cryptography</a> library.</p>
<a class="ansibleOptionLink" href="#parameter-size" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Size (in bits) of the TLS/SSL key to generate.</p>
<a class="ansibleOptionLink" href="#parameter-type" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The algorithm used to generate the TLS/SSL private key.</p>
<p>Note that <code class="ansible-value docutils literal notranslate"><span class="pre">ECC</span></code>, <code class="ansible-value docutils literal notranslate"><span class="pre">X25519</span></code>, <code class="ansible-value docutils literal notranslate"><span class="pre">X448</span></code>, <code class="ansible-value docutils literal notranslate"><span class="pre">Ed25519</span></code>, and <code class="ansible-value docutils literal notranslate"><span class="pre">Ed448</span></code> require the <code class="docutils literal notranslate"><span class="pre">cryptography</span></code> backend. <code class="ansible-value docutils literal notranslate"><span class="pre">X25519</span></code> needs cryptography 2.5 or newer, while <code class="ansible-value docutils literal notranslate"><span class="pre">X448</span></code>, <code class="ansible-value docutils literal notranslate"><span class="pre">Ed25519</span></code>, and <code class="ansible-value docutils literal notranslate"><span class="pre">Ed448</span></code> require cryptography 2.6 or newer. For <code class="ansible-value docutils literal notranslate"><span class="pre">ECC</span></code>, the minimal cryptography version required depends on the <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-openssl-privatekey-pipe-module-parameter-curve"><span class="std std-ref"><span class="pre">curve</span></span></a></strong></code> option.</p>
<td><div class="ansible-option-cell"><p>Indicates this has a corresponding action plugin so some parts of the options can be executed on the controller.</p>
<p>This action runs completely on the controller.</p>
</div></td>
<td><div class="ansible-option-cell"><p>Supports being used with the <code class="docutils literal notranslate"><span class="pre">async</span></code> keyword.</p>
<p>Currently in check mode, private keys will not be (re-)generated, only the changed status is set. This will change in community.crypto 3.0.0.</p>
<p>From community.crypto 3.0.0 on, the module will ignore check mode and always behave as if check mode is not active. If you think this breaks your use-case of this module, please create an issue in the community.crypto repository.</p>
</div></td>
<td><div class="ansible-option-cell"><p>Can run in <code class="docutils literal notranslate"><span class="pre">check_mode</span></code> and return changed status prediction without modifying target.</p>
<td><div class="ansible-option-cell"><p>Will return details on what has changed (or possibly needs changing in <code class="docutils literal notranslate"><span class="pre">check_mode</span></code>), when in diff mode.</p>
</div></td>
</tr>
</tbody>
</table>
</section>
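<p>Added example (not part of the collection's documentation): a playbook that combines the <code>content</code>, <code>format_mismatch</code> and <code>regenerate</code> options described above to keep a key in a sops-encrypted file while passing it between tasks only in memory. The file path and variable names are constructed for illustration, and the playbook assumes the community.sops collection is installed.</p>

```yaml
# Added example: constructed playbook, not taken from the collection's documentation.
- name: Keep a private key in a sops-encrypted file without a plaintext copy on disk
  hosts: localhost
  gather_facts: false
  vars:
    # Hypothetical location of the encrypted key file (constructed for this example).
    encrypted_key_path: "{{ playbook_dir }}/example-key.pem.sops"
  tasks:
    - name: Generate, convert or keep the key, then store it again only on change
      block:
        - name: Check whether an encrypted key already exists
          ansible.builtin.stat:
            path: "{{ encrypted_key_path }}"
          register: key_file

        - name: Decrypt the current key into memory
          ansible.builtin.set_fact:
            current_key: "{{ lookup('community.sops.sops', encrypted_key_path) }}"
          when: key_file.stat.exists
          no_log: true

        - name: Ensure a P-384 ECC key in PKCS#8 format
          community.crypto.openssl_privatekey_pipe:
            # Omitted on the first run; without content the module always reports a change.
            content: "{{ current_key | default(omit) }}"
            type: ECC
            curve: secp384r1
            format: pkcs8
            # Re-encode a matching key instead of replacing it when only the format differs.
            format_mismatch: convert
            # Regenerate on an option mismatch, but not when the key cannot be read
            # or is protected by an unknown passphrase.
            regenerate: partial_idempotence
          register: key_result
          no_log: true

        - name: Verify the non-secret return values
          ansible.builtin.assert:
            that:
              - key_result.type == 'ECC'
              - key_result.curve == 'secp384r1'
            quiet: true

        - name: Write the new key back, encrypted
          community.sops.sops_encrypt:
            path: "{{ encrypted_key_path }}"
            content_text: "{{ key_result.privatekey }}"
          when: key_result is changed
          no_log: true

        - name: Log the public key fingerprint only
          ansible.builtin.debug:
            msg: "Public key SHA-256 fingerprint: {{ key_result.fingerprint.sha256 }}"
      always:
        - name: Overwrite the variables that held private key data
          ansible.builtin.set_fact:
            current_key: ''
            key_result: ''
          no_log: true
```

<p>Because <code>return_current_key</code> is left unset, <code>privatekey</code> is only returned when the module reports a change, which is the only case in which the write-back task runs.</p>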
<section id="see-also">
<h2><a class="toc-backref" href="#id5" role="doc-backlink">See Also</a><a class="headerlink" href="#see-also" title="Link to this heading"></a></h2>
<dt><a class="reference internal" href="openssl_privatekey_info_module.html#ansible-collections-community-crypto-openssl-privatekey-info-module"><span class="std std-ref">community.crypto.openssl_privatekey_info</span></a></dt><dd><p>Provide information for OpenSSL private keys.</p>
</dd>
<dt><a class="reference internal" href="openssl_publickey_module.html#ansible-collections-community-crypto-openssl-publickey-module"><span class="std std-ref">community.crypto.openssl_publickey</span></a></dt><dd><p>Generate an OpenSSL public key from its private key.</p>
</dd>
</dl>
</div>
</section>
<section id="examples">
<h2><a class="toc-backref" href="#id6" role="doc-backlink">Examples</a><a class="headerlink" href="#examples" title="Link to this heading"></a></h2>
<div class="highlight-yaml+jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Generate an OpenSSL private key with the default values (4096 bits, RSA)</span>
<span class="w">  </span><span class="nt">no_log</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w">  </span><span class="c1"># make sure that private key data is not accidentally revealed in logs!</span>
<span class="w">  </span><span class="c1"># DO NOT OUTPUT KEY MATERIAL TO CONSOLE OR LOGS IN PRODUCTION!</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Generate or update a Mozilla sops encrypted key</span>
<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Update sops-encrypted key with the community.sops collection</span>
<span class="w">      </span><span class="nt">no_log</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w">  </span><span class="c1"># make sure that private key data is not accidentally revealed in logs!</span>
<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Update encrypted key when openssl_privatekey_pipe reported a change</span>
<span class="w">      </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">output is changed</span>
<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Make sure that output (which contains the private key) is overwritten</span>
</pre></div>
</div>
<h2><a class="toc-backref" href="#id7" role="doc-backlink">Return Values</a><a class="headerlink" href="#return-values" title="Link to this heading"></a></h2>
<p>Common return values are documented <a class="reference external" href="https://docs.ansible.com/ansible/devel/reference_appendices/common_return_values.html#common-return-values" title="(in Ansible vdevel)"><span class="xref std std-ref">here</span></a>, the following are the fields unique to this module:</p>
<a class="ansibleOptionLink" href="#return-curve" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Elliptic curve used to generate the TLS/SSL private key.</p>
<p class="ansible-option-line"><strong class="ansible-option-returned-bold">Returned:</strong> changed or success, and <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-openssl-privatekey-pipe-module-parameter-type"><span class="std std-ref"><span class="pre">type</span></span></a></strong></code> is <code class="ansible-value docutils literal notranslate"><span class="pre">ECC</span></code></p>
<a class="ansibleOptionLink" href="#return-fingerprint" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">dictionary</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The fingerprint of the public key. Fingerprint will be generated for each <code class="docutils literal notranslate"><span class="pre">hashlib.algorithms</span></code> available.</p>
<p class="ansible-option-line"><strong class="ansible-option-returned-bold">Returned:</strong> changed or success</p>
<a class="ansibleOptionLink" href="#return-privatekey" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
<p>Please note that if the result is not changed, the current private key will only be returned if the <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-openssl-privatekey-pipe-module-parameter-return-current-key"><span class="std std-ref"><span class="pre">return_current_key</span></span></a></strong></code> option is set to <code class="ansible-value docutils literal notranslate"><span class="pre">true</span></code>.</p>
<p>Will be Base64-encoded if the key is in raw format.</p>
<p class="ansible-option-line"><strong class="ansible-option-returned-bold">Returned:</strong> changed, or <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-openssl-privatekey-pipe-module-parameter-return-current-key"><span class="std std-ref"><span class="pre">return_current_key</span></span></a></strong></code> is <code class="ansible-value docutils literal notranslate"><span class="pre">true</span></code></p>
<a class="ansibleOptionLink" href="#return-size" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Size (in bits) of the TLS/SSL private key.</p>
<p class="ansible-option-line"><strong class="ansible-option-returned-bold">Returned:</strong> changed or success</p>
<a class="ansibleOptionLink" href="#return-type" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Algorithm used to generate the TLS/SSL private key.</p>
<p class="ansible-option-line"><strong class="ansible-option-returned-bold">Returned:</strong> changed or success</p>