</ul>
<h1><aclass="toc-backref"href="#id173"role="doc-backlink">Community.Crypto Release Notes</a><aclass="headerlink"href="#community-crypto-release-notes"title="Link to this heading"></a></h1>
<h3><aclass="toc-backref"href="#id175"role="doc-backlink">Release Summary</a><aclass="headerlink"href="#release-summary"title="Link to this heading"></a></h3>
<p>New feature and bugfix release with multiple new modules. It also deprecates support for older ansible-core and Python versions.</p>
<h3><aclass="toc-backref"href="#id176"role="doc-backlink">Minor Changes</a><aclass="headerlink"href="#minor-changes"title="Link to this heading"></a></h3>
<ulclass="simple">
<li><p>acme_certificate - add options <codeclass="docutils literal notranslate"><spanclass="pre">order_creation_error_strategy</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">order_creation_max_retries</span></code> which allow configuring the error handling behavior if creating a new ACME order fails. This is particularly important when using the <codeclass="docutils literal notranslate"><spanclass="pre">include_renewal_cert_id</span></code> option, and the default value <codeclass="docutils literal notranslate"><spanclass="pre">auto</span></code> for <codeclass="docutils literal notranslate"><spanclass="pre">order_creation_error_strategy</span></code> tries to gracefully handle related errors (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/842">https://github.com/ansible-collections/community.crypto/pull/842</a>).</p></li>
<li><p>acme_certificate - allow choosing a profile for certificate generation, in case the CA supports this using Internet-Draft <aclass="reference external"href="https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/">draft-aaron-acme-profiles</a> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/835">https://github.com/ansible-collections/community.crypto/pull/835</a>).</p></li>
<li><p>acme_certificate_renewal_info - add <codeclass="docutils literal notranslate"><spanclass="pre">exists</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">parsable</span></code> return values and <codeclass="docutils literal notranslate"><spanclass="pre">treat_parsing_error_as_non_existing</span></code> option (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/838">https://github.com/ansible-collections/community.crypto/pull/838</a>).</p></li>
</ul>
</section>
<sectionid="deprecated-features">
<h3><aclass="toc-backref"href="#id177"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#deprecated-features"title="Link to this heading"></a></h3>
<ulclass="simple">
<li><p>Support for ansible-core 2.11, 2.12, 2.13, 2.14, 2.15, and 2.16 is deprecated, and will be removed in the next major release (community.crypto 3.0.0). Some modules might still work with some of these versions afterwards, but we will no longer keep compatibility code that was needed to support them. Note that this means that support for all Python versions before 3.7 will be dropped, also on the target side (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/559">https://github.com/ansible-collections/community.crypto/issues/559</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/839">https://github.com/ansible-collections/community.crypto/pull/839</a>).</p></li>
<li><p>Support for cryptography < 3.4 is deprecated, and will be removed in the next major release (community.crypto 3.0.0). Some modules might still work with older versions of cryptography, but we will no longer keep compatibility code that was needed to support them (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/559">https://github.com/ansible-collections/community.crypto/issues/559</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/839">https://github.com/ansible-collections/community.crypto/pull/839</a>).</p></li>
</ul>
</section>
<sectionid="bugfixes">
<h3><aclass="toc-backref"href="#id178"role="doc-backlink">Bugfixes</a><aclass="headerlink"href="#bugfixes"title="Link to this heading"></a></h3>
<ulclass="simple">
<li><p>crypto_info - when running the module on Fedora 41 with <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> installed from the package repository, the module crashed, apparently because some elliptic curves had been removed from the libssl that cryptography runs against, which cryptography did not expect (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/834">https://github.com/ansible-collections/community.crypto/pull/834</a>).</p></li>
</ul>
</section>
<sectionid="new-modules">
<h3><aclass="toc-backref"href="#id179"role="doc-backlink">New Modules</a><aclass="headerlink"href="#new-modules"title="Link to this heading"></a></h3>
<ulclass="simple">
<li><p>community.crypto.acme_certificate_order_create - Create an ACME v2 order.</p></li>
<li><p>community.crypto.acme_certificate_order_finalize - Finalize an ACME v2 order.</p></li>
<li><p>community.crypto.acme_certificate_order_info - Obtain information for an ACME v2 order.</p></li>
<li><p>community.crypto.acme_certificate_order_validate - Validate authorizations of an ACME v2 order.</p></li>
</ul>
</section>
</section>
<sectionid="v2-23-0">
<h2><aclass="toc-backref"href="#id180"role="doc-backlink">v2.23.0</a><aclass="headerlink"href="#v2-23-0"title="Link to this heading"></a></h2>
<sectionid="id1">
<h3><aclass="toc-backref"href="#id181"role="doc-backlink">Release Summary</a><aclass="headerlink"href="#id1"title="Link to this heading"></a></h3>
<p>Feature release.</p>
</section>
<sectionid="id2">
<h3><aclass="toc-backref"href="#id182"role="doc-backlink">Minor Changes</a><aclass="headerlink"href="#id2"title="Link to this heading"></a></h3>
<li><p>acme_certificate - add compatibility for ACME CAs that are not fully RFC8555 compliant and do not provide <codeclass="docutils literal notranslate"><spanclass="pre">challenges</span></code> in authz objects (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/824">https://github.com/ansible-collections/community.crypto/issues/824</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/832">https://github.com/ansible-collections/community.crypto/pull/832</a>).</p></li>
<li><p>luks_device - allow providing base64-encoded passphrases (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/827">https://github.com/ansible-collections/community.crypto/issues/827</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/829">https://github.com/ansible-collections/community.crypto/pull/829</a>).</p></li>
<li><p>x509_certificate_convert - add new option <codeclass="docutils literal notranslate"><spanclass="pre">verify_cert_parsable</span></code> which allows checking whether the certificate can actually be parsed (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/809">https://github.com/ansible-collections/community.crypto/issues/809</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/830">https://github.com/ansible-collections/community.crypto/pull/830</a>).</p></li>
<h3><aclass="toc-backref"href="#id183"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#id3"title="Link to this heading"></a></h3>
<li><p>openssl_pkcs12 - the PyOpenSSL based backend is deprecated and will be removed from community.crypto 3.0.0. From that point on you need cryptography 3.0 or newer to use this module (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/667">https://github.com/ansible-collections/community.crypto/issues/667</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/831">https://github.com/ansible-collections/community.crypto/pull/831</a>).</p></li>
<li><p>acme_* modules - when using the OpenSSL backend, explicitly use the UTC timezone in Python code (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/811">https://github.com/ansible-collections/community.crypto/pull/811</a>).</p></li>
<li><p>time module utils - fix conversion of naive <codeclass="docutils literal notranslate"><spanclass="pre">datetime</span></code> objects to UNIX timestamps for Python 3 (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/808">https://github.com/ansible-collections/community.crypto/issues/808</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/810">https://github.com/ansible-collections/community.crypto/pull/810</a>).</p></li>
<li><p>acme_certificate - fix authorization failure when CSR contains SANs with mixed case (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/803">https://github.com/ansible-collections/community.crypto/pull/803</a>).</p></li>
<li><p>acme_* modules - when querying renewal information, make sure to insert a slash between the base URL and the certificate identifier (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/801">https://github.com/ansible-collections/community.crypto/issues/801</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/802">https://github.com/ansible-collections/community.crypto/pull/802</a>).</p></li>
<li><p>openssl_privatekey, openssl_privatekey_pipe - add default value <codeclass="docutils literal notranslate"><spanclass="pre">auto</span></code> for <codeclass="docutils literal notranslate"><spanclass="pre">cipher</span></code> option, which happens to be the only supported value for this option anyway. Therefore it is no longer necessary to specify <codeclass="docutils literal notranslate"><spanclass="pre">cipher=auto</span></code> when providing <codeclass="docutils literal notranslate"><spanclass="pre">passphrase</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/793">https://github.com/ansible-collections/community.crypto/issues/793</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/794">https://github.com/ansible-collections/community.crypto/pull/794</a>).</p></li>
<li><p>get_certificate - allow obtaining the certificate chain sent by the server, and the one used for validation, with the new <codeclass="docutils literal notranslate"><spanclass="pre">get_certificate_chain</span></code> option. Note that this option only works if the module is run with Python 3.10 or newer (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/568">https://github.com/ansible-collections/community.crypto/issues/568</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/784">https://github.com/ansible-collections/community.crypto/pull/784</a>).</p></li>
<li><p>acme_certificate - add <codeclass="docutils literal notranslate"><spanclass="pre">include_renewal_cert_id</span></code> option to allow requesting renewal of a specific certificate according to the current ACME Renewal Information specification draft (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/739">https://github.com/ansible-collections/community.crypto/pull/739</a>).</p></li>
<h3><aclass="toc-backref"href="#id205"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#id18"title="Link to this heading"></a></h3>
<li><p>acme documentation fragment - the default <codeclass="docutils literal notranslate"><spanclass="pre">community.crypto.acme[.documentation]</span></code> docs fragment is deprecated and will be removed from community.crypto 3.0.0. Replace it with both the new <codeclass="docutils literal notranslate"><spanclass="pre">community.crypto.acme.basic</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">community.crypto.acme.account</span></code> fragments (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/735">https://github.com/ansible-collections/community.crypto/pull/735</a>).</p></li>
<li><p>acme.backends module utils - the <codeclass="docutils literal notranslate"><spanclass="pre">get_cert_information()</span></code> method for an ACME crypto backend must be implemented from community.crypto 3.0.0 on (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/736">https://github.com/ansible-collections/community.crypto/pull/736</a>).</p></li>
<li><p>crypto.module_backends.common module utils - the <codeclass="docutils literal notranslate"><spanclass="pre">crypto.module_backends.common</span></code> module utils is deprecated and will be removed from community.crypto 3.0.0. Use the improved <codeclass="docutils literal notranslate"><spanclass="pre">argspec</span></code> module util instead (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/749">https://github.com/ansible-collections/community.crypto/pull/749</a>).</p></li>
<li><p>x509_crl, x509_certificate, x509_certificate_info - when parsing absolute timestamps which omitted the second count, the first digit of the minutes was used as a one-digit minutes count, and the second digit of the minutes as a one-digit second count (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/745">https://github.com/ansible-collections/community.crypto/pull/745</a>).</p></li>
<li><p>crypto.math module utils - change return values for <codeclass="docutils literal notranslate"><spanclass="pre">quick_is_not_prime()</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">convert_int_to_bytes(0,</span><spanclass="pre">0)</span></code> for special cases that do not appear when using the collection (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/733">https://github.com/ansible-collections/community.crypto/pull/733</a>).</p></li>
<li><p>ecs_certificate - fixed <codeclass="docutils literal notranslate"><spanclass="pre">csr</span></code> option to be empty and allow renewal of a specific certificate according to the Renewal Information specification (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/740">https://github.com/ansible-collections/community.crypto/pull/740</a>).</p></li>
<li><p>x509_certificate - since community.crypto 2.19.0 the module was no longer idempotent with respect to <codeclass="docutils literal notranslate"><spanclass="pre">not_before</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">not_after</span></code> times. This is now fixed (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/753">https://github.com/ansible-collections/community.crypto/issues/753</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/754">https://github.com/ansible-collections/community.crypto/pull/754</a>).</p></li>
<li><p>When using cryptography >= 42.0.0, use offset-aware <codeclass="docutils literal notranslate"><spanclass="pre">datetime.datetime</span></code> objects (with timezone UTC) instead of offset-naive UTC timestamps (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/726">https://github.com/ansible-collections/community.crypto/issues/726</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/727">https://github.com/ansible-collections/community.crypto/pull/727</a>).</p></li>
<li><p>openssh_cert - avoid UTC functions deprecated in Python 3.12 when using Python 3 (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/727">https://github.com/ansible-collections/community.crypto/pull/727</a>).</p></li>
<h3><aclass="toc-backref"href="#id214"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#id25"title="Link to this heading"></a></h3>
<li><p>acme.backends module utils - from community.crypto on, all implementations of <codeclass="docutils literal notranslate"><spanclass="pre">CryptoBackend</span></code> must override <codeclass="docutils literal notranslate"><spanclass="pre">get_ordered_csr_identifiers()</span></code>. The current default implementation, which simply sorts the result of <codeclass="docutils literal notranslate"><spanclass="pre">get_csr_identifiers()</span></code>, will then be removed (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/725">https://github.com/ansible-collections/community.crypto/pull/725</a>).</p></li>
<li><p>acme_certificate - respect the order of the CNAME and SAN identifiers that are passed on when creating an ACME order (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/723">https://github.com/ansible-collections/community.crypto/issues/723</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/725">https://github.com/ansible-collections/community.crypto/pull/725</a>).</p></li>
<li><p>x509_crl - the new option <codeclass="docutils literal notranslate"><spanclass="pre">serial_numbers</span></code> allows configuring in which format serial numbers can be provided to <codeclass="docutils literal notranslate"><spanclass="pre">revoked_certificates[].serial_number</span></code>. The default is as integers (<codeclass="docutils literal notranslate"><spanclass="pre">serial_numbers=integer</span></code>) for backwards compatibility; setting <codeclass="docutils literal notranslate"><spanclass="pre">serial_numbers=hex-octets</span></code> allows specifying colon-separated hex octet strings like <codeclass="docutils literal notranslate"><spanclass="pre">00:11:22:FF</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/687">https://github.com/ansible-collections/community.crypto/issues/687</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/715">https://github.com/ansible-collections/community.crypto/pull/715</a>).</p></li>
<h3><aclass="toc-backref"href="#id220"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#id30"title="Link to this heading"></a></h3>
<li><p>openssl_csr_pipe, openssl_privatekey_pipe, x509_certificate_pipe - the current behavior of check mode is deprecated and will change in community.crypto 3.0.0. The current behavior is similar to the modules without <codeclass="docutils literal notranslate"><spanclass="pre">_pipe</span></code>: if the object needs to be (re-)generated, only the <codeclass="docutils literal notranslate"><spanclass="pre">changed</span></code> status is set, but the object is not updated. From community.crypto 3.0.0 on, the modules will ignore check mode and always act as if check mode is not active. This behavior can already be achieved now by adding <codeclass="docutils literal notranslate"><spanclass="pre">check_mode:</span><spanclass="pre">false</span></code> to the task. If you think this breaks your use-case of this module, please <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/new/choose">create an issue in the community.crypto repository</a> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/712">https://github.com/ansible-collections/community.crypto/issues/712</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/714">https://github.com/ansible-collections/community.crypto/pull/714</a>).</p></li>
<li><p>luks_device - fixed a module bug that prevented using <codeclass="docutils literal notranslate"><spanclass="pre">remove_keyslot</span></code> with the value <codeclass="docutils literal notranslate"><spanclass="pre">0</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/710">https://github.com/ansible-collections/community.crypto/pull/710</a>).</p></li>
<li><p>luks_device - fixed module falsely outputting <codeclass="docutils literal notranslate"><spanclass="pre">changed=false</span></code> when trying to add a new slot with a key that is already present in another slot. The module now rejects adding keys that are already present in another slot (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/710">https://github.com/ansible-collections/community.crypto/pull/710</a>).</p></li>
<li><p>luks_device - fixed testing of LUKS passphrases when specifying a keyslot for cryptsetup version 2.0.3. The output of this cryptsetup version slightly differs from later versions (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/710">https://github.com/ansible-collections/community.crypto/pull/710</a>).</p></li>
<h3><aclass="toc-backref"href="#id222"role="doc-backlink">New Plugins</a><aclass="headerlink"href="#new-plugins"title="Link to this heading"></a></h3>
<li><p>openssl_dhparam - was using an internal function instead of the public API to load DH param files when using the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend. The internal function was removed in cryptography 42.0.0. The module now uses the public API, which has been available since support for DH params was added to cryptography (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/698">https://github.com/ansible-collections/community.crypto/pull/698</a>).</p></li>
<li><p>openssl_privatekey_info - <codeclass="docutils literal notranslate"><spanclass="pre">check_consistency=true</span></code> no longer works for RSA keys with cryptography 42.0.0+ (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/701">https://github.com/ansible-collections/community.crypto/pull/701</a>).</p></li>
<li><p>openssl_privatekey_info - <codeclass="docutils literal notranslate"><spanclass="pre">check_consistency=true</span></code> now reports a warning if it cannot determine consistency (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/705">https://github.com/ansible-collections/community.crypto/pull/705</a>).</p></li>
<li><p>acme_* modules - directly react on bad return data for account creation/retrieval/updating requests (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/682">https://github.com/ansible-collections/community.crypto/pull/682</a>).</p></li>
<li><p>acme_* modules - fix improved error reporting in case of socket errors, bad status lines, and unknown connection errors (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/684">https://github.com/ansible-collections/community.crypto/pull/684</a>).</p></li>
<li><p>acme_* modules - increase number of retries from 5 to 10 to increase stability with unstable ACME endpoints (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/685">https://github.com/ansible-collections/community.crypto/pull/685</a>).</p></li>
<li><p>acme_* modules - make account registration handling more flexible to accept 404 instead of 400 sent by DigiCert’s ACME endpoint when an account does not exist (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/681">https://github.com/ansible-collections/community.crypto/pull/681</a>).</p></li>
<li><p>acme_* modules - also retry requests in case of socket errors, bad status lines, and unknown connection errors; improve error messages in these cases (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/680">https://github.com/ansible-collections/community.crypto/issues/680</a>).</p></li>
<li><p>openssl_pkcs12 - modify autodetect to not detect pyOpenSSL >= 23.3.0, which removed PKCS#12 support (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/666">https://github.com/ansible-collections/community.crypto/pull/666</a>).</p></li>
<li><p>openssh_keypair - fail when comment cannot be updated (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/646">https://github.com/ansible-collections/community.crypto/pull/646</a>).</p></li>
<h3><aclass="toc-backref"href="#id246"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#id47"title="Link to this heading"></a></h3>
<li><p>get_certificate - the default <codeclass="docutils literal notranslate"><spanclass="pre">false</span></code> of the <codeclass="docutils literal notranslate"><spanclass="pre">asn1_base64</span></code> option is deprecated and will change to <codeclass="docutils literal notranslate"><spanclass="pre">true</span></code> in community.crypto 3.0.0 (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/600">https://github.com/ansible-collections/community.crypto/pull/600</a>).</p></li>
<li><p>openssh_cert, openssh_keypair - the modules ignored return codes of <codeclass="docutils literal notranslate"><spanclass="pre">ssh</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">ssh-keygen</span></code> in some cases (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/645">https://github.com/ansible-collections/community.crypto/issues/645</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/646">https://github.com/ansible-collections/community.crypto/pull/646</a>).</p></li>
<li><p>openssh_keypair - fix comment updating for OpenSSH before 6.5 (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/646">https://github.com/ansible-collections/community.crypto/pull/646</a>).</p></li>
<p>Bugfix and maintenance release with updated documentation.</p>
<p>From this version on, community.crypto is using the new <aclass="reference external"href="https://docs.ansible.com/ansible/devel/dev_guide/developing_modules_documenting.html#semantic-markup-within-module-documentation">Ansible semantic markup</a>
in its documentation. If you look at documentation with the ansible-doc CLI tool
from ansible-core before 2.15, please note that it does not render the markup
correctly. You should still be able to read it in most cases, but you need
ansible-core 2.15 or later to see it as it is intended. Alternatively you can
look at <aclass="reference external"href="https://docs.ansible.com/ansible/devel/collections/community/crypto/">the devel docsite</a>
for the rendered HTML version of the documentation of the latest release.</p>
<li><p>Fix PEM detection/identification to also accept random other lines before the line starting with <codeclass="docutils literal notranslate"><spanclass="pre">-----BEGIN</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/627">https://github.com/ansible-collections/community.crypto/issues/627</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/628">https://github.com/ansible-collections/community.crypto/pull/628</a>).</p></li>
<h3><aclass="toc-backref"href="#id254"role="doc-backlink">Known Issues</a><aclass="headerlink"href="#known-issues"title="Link to this heading"></a></h3>
<li><p>Ansible markup will show up in raw form on ansible-doc text output for ansible-core before 2.15. If you have trouble deciphering the documentation markup, please upgrade to ansible-core 2.15 (or newer), or read the HTML documentation on <aclass="reference external"href="https://docs.ansible.com/ansible/devel/collections/community/crypto/">https://docs.ansible.com/ansible/devel/collections/community/crypto/</a>.</p></li>
<li><p>acme_certificate - allow using no challenge by providing <codeclass="docutils literal notranslate"><spanclass="pre">no</span><spanclass="pre">challenge</span></code> for the <codeclass="docutils literal notranslate"><spanclass="pre">challenge</span></code> option. This is needed for ACME servers where validation is done without challenges (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/613">https://github.com/ansible-collections/community.crypto/issues/613</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/615">https://github.com/ansible-collections/community.crypto/pull/615</a>).</p></li>
<li><p>acme_certificate - validate and wait for challenges in parallel instead of handling them one after another (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/617">https://github.com/ansible-collections/community.crypto/pull/617</a>).</p></li>
<li><p>x509_certificate_info - added support for certificates in DER format when using <codeclass="docutils literal notranslate"><spanclass="pre">path</span></code> parameter (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/603">https://github.com/ansible-collections/community.crypto/issues/603</a>).</p></li>
<li><p>x509_crl - the <codeclass="docutils literal notranslate"><spanclass="pre">crl_mode</span></code> option has been added to replace the existing <codeclass="docutils literal notranslate"><spanclass="pre">mode</span></code> option (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/596">https://github.com/ansible-collections/community.crypto/issues/596</a>).</p></li>
<h3><aclass="toc-backref"href="#id264"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#id59"title="Link to this heading"></a></h3>
<li><p>x509_crl - the <codeclass="docutils literal notranslate"><spanclass="pre">mode</span></code> option is deprecated; use <codeclass="docutils literal notranslate"><spanclass="pre">crl_mode</span></code> instead. The <codeclass="docutils literal notranslate"><spanclass="pre">mode</span></code> option will change its meaning in community.crypto 3.0.0, and will refer to the CRL file’s mode instead (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/596">https://github.com/ansible-collections/community.crypto/issues/596</a>).</p></li>
<li><p>openssh_keypair - always generate a new key pair if the private key does not exist. Previously, the module would fail when <codeclass="docutils literal notranslate"><spanclass="pre">regenerate=fail</span></code> without an existing key, contradicting the documentation (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/598">https://github.com/ansible-collections/community.crypto/pull/598</a>).</p></li>
<li><p>x509_crl - remove a problem with ansible-core 2.16 caused by <codeclass="docutils literal notranslate"><spanclass="pre">AnsibleModule</span></code> now validating the <codeclass="docutils literal notranslate"><spanclass="pre">mode</span></code> parameter’s values (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/596">https://github.com/ansible-collections/community.crypto/issues/596</a>).</p></li>
<li><p>get_certificate - add <codeclass="docutils literal notranslate"><spanclass="pre">asn1_base64</span></code> option to control whether the ASN.1 included in the <codeclass="docutils literal notranslate"><spanclass="pre">extensions</span></code> return value is binary data or Base64 encoded (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/592">https://github.com/ansible-collections/community.crypto/pull/592</a>).</p></li>
<li><p>openssl_csr, openssl_csr_pipe - prevent invalid values for <codeclass="docutils literal notranslate"><spanclass="pre">crl_distribution_points</span></code> that do not have one of <codeclass="docutils literal notranslate"><spanclass="pre">full_name</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">relative_name</span></code>, and <codeclass="docutils literal notranslate"><spanclass="pre">crl_issuer</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/560">https://github.com/ansible-collections/community.crypto/pull/560</a>).</p></li>
<li><p>openssl_publickey_info - do not crash with internal error when public key cannot be parsed (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/551">https://github.com/ansible-collections/community.crypto/pull/551</a>).</p></li>
<li><p>x509_certificate_info - adds <codeclass="docutils literal notranslate"><spanclass="pre">issuer_uri</span></code> field in return value based on Authority Information Access data (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/530">https://github.com/ansible-collections/community.crypto/pull/530</a>).</p></li>
<li><p>acme_* modules - handle more gracefully if CA’s new nonce call does not return a nonce (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/525">https://github.com/ansible-collections/community.crypto/pull/525</a>).</p></li>
<li><p>acme_* modules - include symbolic HTTP status codes in error and log messages when available (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/524">https://github.com/ansible-collections/community.crypto/pull/524</a>).</p></li>
<li><p>openssl_pkcs12 - add option <codeclass="docutils literal notranslate"><spanclass="pre">encryption_level</span></code> which allows choosing <codeclass="docutils literal notranslate"><spanclass="pre">compatibility2022</span></code> when cryptography >= 38.0.0 is used to enable a more backwards compatible encryption algorithm. If cryptography uses OpenSSL 3.0.0 or newer, the default algorithm is not compatible with older software (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/523">https://github.com/ansible-collections/community.crypto/pull/523</a>).</p></li>
<li><p>acme_* modules - improve feedback when importing <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> does not work (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/518">https://github.com/ansible-collections/community.crypto/issues/518</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/519">https://github.com/ansible-collections/community.crypto/pull/519</a>).</p></li>
<li><p>acme* modules - also support the HTTP 503 Service Unavailable and 408 Request Timeout response status for automatic retries (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/513">https://github.com/ansible-collections/community.crypto/pull/513</a>).</p></li>
<li><p>acme* modules - support the HTTP 429 Too Many Requests response status (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/508">https://github.com/ansible-collections/community.crypto/pull/508</a>).</p></li>
<li><p>openssh_keypair - added <codeclass="docutils literal notranslate"><spanclass="pre">pkcs1</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">pkcs8</span></code>, and <codeclass="docutils literal notranslate"><spanclass="pre">ssh</span></code> to the available choices for the <codeclass="docutils literal notranslate"><spanclass="pre">private_key_format</span></code> option (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/511">https://github.com/ansible-collections/community.crypto/pull/511</a>).</p></li>
<li><p>All software licenses are now in the <codeclass="docutils literal notranslate"><spanclass="pre">LICENSES/</span></code> directory of the collection root. Moreover, <codeclass="docutils literal notranslate"><spanclass="pre">SPDX-License-Identifier:</span></code> is used to declare the applicable license for every file that is not automatically generated (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/491">https://github.com/ansible-collections/community.crypto/pull/491</a>).</p></li>
<h3><aclass="toc-backref"href="#id303"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#id86"title="Link to this heading"></a></h3>
<li><p>Support for Ansible 2.9 and ansible-base 2.10 is deprecated, and will be removed in the next major release (community.crypto 3.0.0). Some modules might still work with these versions afterwards, but we will no longer keep compatibility code that was needed to support them (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/460">https://github.com/ansible-collections/community.crypto/pull/460</a>).</p></li>
<li><p>openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying to read non-existing other certificates (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/486">https://github.com/ansible-collections/community.crypto/issues/486</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/487">https://github.com/ansible-collections/community.crypto/pull/487</a>).</p></li>
<li><p>Include <codeclass="docutils literal notranslate"><spanclass="pre">Apache-2.0.txt</span></code> file for <codeclass="docutils literal notranslate"><spanclass="pre">plugins/module_utils/crypto/_obj2txt.py</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">plugins/module_utils/crypto/_objects_data.py</span></code>.</p></li>
<li><p>openssl_csr - the module no longer crashes with ‘permitted_subtrees/excluded_subtrees must be a non-empty list or None’ if only one of <codeclass="docutils literal notranslate"><spanclass="pre">name_constraints_permitted</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">name_constraints_excluded</span></code> is provided (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/481">https://github.com/ansible-collections/community.crypto/issues/481</a>).</p></li>
<li><p>x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/473">https://github.com/ansible-collections/community.crypto/issues/473</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/474">https://github.com/ansible-collections/community.crypto/pull/474</a>).</p></li>
<li><p>Include <codeclass="docutils literal notranslate"><spanclass="pre">simplified_bsd.txt</span></code> license file for the ECS module utils.</p></li>
<li><p>certificate_complete_chain - do not stop execution if an unsupported signature algorithm is encountered; warn instead (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/457">https://github.com/ansible-collections/community.crypto/pull/457</a>).</p></li>
<li><p>Prepare collection for inclusion in an Execution Environment by declaring its dependencies. Please note that system packages are used for cryptography and PyOpenSSL, which can be rather limited. If you need features from newer cryptography versions, you will have to manually force a newer version to be installed by pip by specifying something like <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span><spanclass="pre">>=</span><spanclass="pre">37.0.0</span></code> in your Execution Environment’s Python dependencies file (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/440">https://github.com/ansible-collections/community.crypto/pull/440</a>).</p></li>
<li><p>Support automatic conversion for Internationalized Domain Names (IDNs). When passing general names, for example Subject Alternative Names to <codeclass="docutils literal notranslate"><spanclass="pre">community.crypto.openssl_csr</span></code>, these will automatically be converted to IDNA. Conversion will be done per label to IDNA2008 if possible, and IDNA2003 if IDNA2008 conversion fails for that label. Note that IDNA conversion requires <aclass="reference external"href="https://pypi.org/project/idna/">the Python idna library</a> to be installed. Please note that depending on which versions of the cryptography library are used, it could try to process the converted IDNA another time with the Python <codeclass="docutils literal notranslate"><spanclass="pre">idna</span></code> library and reject IDNA2003 encoded values. Using a new enough <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> version avoids this (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/426">https://github.com/ansible-collections/community.crypto/issues/426</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/436">https://github.com/ansible-collections/community.crypto/pull/436</a>).</p></li>
<li><p>openssl_csr_info - add <codeclass="docutils literal notranslate"><spanclass="pre">name_encoding</span></code> option to control the encoding (IDNA, Unicode) used to return domain names in general names (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/436">https://github.com/ansible-collections/community.crypto/pull/436</a>).</p></li>
<li><p>openssl_pkcs12 - allow providing the private key as text instead of having to read it from a file. This allows storing the private key in an encrypted form, for example in Ansible Vault (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/452">https://github.com/ansible-collections/community.crypto/pull/452</a>).</p></li>
<li><p>x509_certificate_info - add <codeclass="docutils literal notranslate"><spanclass="pre">name_encoding</span></code> option to control the encoding (IDNA, Unicode) used to return domain names in general names (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/436">https://github.com/ansible-collections/community.crypto/pull/436</a>).</p></li>
<li><p>x509_crl - add <codeclass="docutils literal notranslate"><spanclass="pre">name_encoding</span></code> option to control the encoding (IDNA, Unicode) used to return domain names in general names (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/436">https://github.com/ansible-collections/community.crypto/pull/436</a>).</p></li>
<li><p>x509_crl_info - add <codeclass="docutils literal notranslate"><spanclass="pre">name_encoding</span></code> option to control the encoding (IDNA, Unicode) used to return domain names in general names (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/436">https://github.com/ansible-collections/community.crypto/pull/436</a>).</p></li>
<li><p>Make collection more robust when PyOpenSSL is used with an incompatible cryptography version (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/445">https://github.com/ansible-collections/community.crypto/pull/445</a>).</p></li>
<li><p>x509_crl - fix crash when <codeclass="docutils literal notranslate"><spanclass="pre">issuer</span></code> for a revoked certificate is specified (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/441">https://github.com/ansible-collections/community.crypto/pull/441</a>).</p></li>
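<p>Added example (not part of the collection's code or of the original changelog): a Python sketch of the per-label conversion described in the IDN entry above, trying IDNA2008 first and IDNA2003 only when IDNA2008 fails for that label. The function names, the constructed sample names, the pass-through of wildcard and empty labels, and the IDNA2003-only behaviour when the idna library is missing are assumptions of this sketch.</p>

```python
try:
    import idna  # third-party IDNA2008 implementation named in the changelog entry
except ImportError:
    idna = None  # assumption of this sketch: only IDNA2003 is tried without it


def convert_label(label):
    """Convert one DNS label to ASCII; return (ascii_label, standard_used).

    Raises UnicodeError if the label is valid under neither standard.
    """
    if label in ("", "*"):
        # Assumption: trailing-dot (empty) and wildcard labels pass through.
        return label, "unchanged"
    if idna is not None:
        try:
            return idna.alabel(label).decode("ascii"), "IDNA2008"
        except idna.IDNAError:
            pass  # rejected by IDNA2008; fall back for this label only
    # Python's built-in "idna" codec implements IDNA2003 (RFC 3490).
    return label.encode("idna").decode("ascii"), "IDNA2003"


def convert_general_name(general_name):
    """Convert the domain of 'DNS:' and 'email:' general names.

    Returns (converted_name, report) where report lists
    (original_label, ascii_label, standard_used) for every label.
    Other general name types are returned unchanged with an empty report.
    """
    kind, sep, value = general_name.partition(":")
    if not sep or kind not in ("DNS", "email"):
        return general_name, []
    if kind == "email":
        local, at, domain = value.rpartition("@")
    else:
        local, at, domain = "", "", value
    report = []
    for label in domain.split("."):
        ascii_label, standard = convert_label(label)
        report.append((label, ascii_label, standard))
    ascii_domain = ".".join(entry[1] for entry in report)
    return "{0}:{1}{2}{3}".format(kind, local, at, ascii_domain), report


def idna2003_fallbacks(general_names):
    """List (general_name, label) pairs that were converted with IDNA2003.

    With the idna library installed these are exactly the labels IDNA2008
    rejected (symbols, emoji and similar), which deserve a second look
    before they end up in a CSR.
    """
    found = []
    for name in general_names:
        for label, _ascii_label, standard in convert_general_name(name)[1]:
            if standard == "IDNA2003":
                found.append((name, label))
    return found


# Constructed sample Subject Alternative Names (not taken from the page).
SAMPLE_SANS = [
    "DNS:www.bücher.example",      # valid under both standards
    "DNS:*.☃.example",             # symbol: rejected by IDNA2008, accepted by IDNA2003
    "email:admin@bücher.example",  # only the domain part is converted
    "IP:192.0.2.10",               # not a domain name, left alone
]

if __name__ == "__main__":
    for san in SAMPLE_SANS:
        print(san, "->", convert_general_name(san)[0])
    # The two standards can disagree on the result: "faß" becomes
    # "xn--fa-hia" under IDNA2008 but "fass" under IDNA2003, so the
    # order in which they are tried decides which name is requested.
    print(convert_general_name("DNS:faß.example")[0])
    print(idna2003_fallbacks(SAMPLE_SANS))
```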
<p>In this release, we extended the test matrix to include Alpine 3, ArchLinux, Debian Bullseye, and CentOS Stream 8. CentOS 8 was removed from the test matrix.</p>
<li><p>certificate_complete_chain - allow multiple potential intermediate certificates to have the same subject (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/399">https://github.com/ansible-collections/community.crypto/issues/399</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/403">https://github.com/ansible-collections/community.crypto/pull/403</a>).</p></li>
<li><p>x509_certificate - for the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider, check whether the CA private key actually belongs to the CA certificate (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/407">https://github.com/ansible-collections/community.crypto/pull/407</a>).</p></li>
<li><p>x509_certificate - regenerate certificate when the CA’s public key changes for <codeclass="docutils literal notranslate"><spanclass="pre">provider=ownca</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/407">https://github.com/ansible-collections/community.crypto/pull/407</a>).</p></li>
<li><p>x509_certificate - regenerate certificate when the CA’s subject changes for <codeclass="docutils literal notranslate"><spanclass="pre">provider=ownca</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/400">https://github.com/ansible-collections/community.crypto/issues/400</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/402">https://github.com/ansible-collections/community.crypto/pull/402</a>).</p></li>
<li><p>x509_certificate - regenerate certificate when the private key changes for <codeclass="docutils literal notranslate"><spanclass="pre">provider=selfsigned</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/407">https://github.com/ansible-collections/community.crypto/pull/407</a>).</p></li>
<li><p>openssh_cert - added <codeclass="docutils literal notranslate"><spanclass="pre">ignore_timestamps</span></code> parameter so that it can be used semi-idempotently with relative timestamps in <codeclass="docutils literal notranslate"><spanclass="pre">valid_to</span></code>/<codeclass="docutils literal notranslate"><spanclass="pre">valid_from</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/379">https://github.com/ansible-collections/community.crypto/issues/379</a>).</p></li>
<li><p>luks_devices - set <codeclass="docutils literal notranslate"><spanclass="pre">LANG</span></code> and similar environment variables to avoid translated output, which can break some of the module’s functionality like key management (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/388">https://github.com/ansible-collections/community.crypto/pull/388</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/385">https://github.com/ansible-collections/community.crypto/issues/385</a>).</p></li>
<li><p>Adjust error messages that indicate <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> is not installed from <codeclass="docutils literal notranslate"><spanclass="pre">Can't</span></code> to <codeclass="docutils literal notranslate"><spanclass="pre">Cannot</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/374">https://github.com/ansible-collections/community.crypto/pull/374</a>).</p></li>
<li><p>Various modules and plugins - use vendored version of <codeclass="docutils literal notranslate"><spanclass="pre">distutils.version</span></code> instead of the deprecated Python standard library <codeclass="docutils literal notranslate"><spanclass="pre">distutils</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/353">https://github.com/ansible-collections/community.crypto/pull/353</a>).</p></li>
<li><p>certificate_complete_chain - do not append root twice if the chain already ends with a root certificate (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/360">https://github.com/ansible-collections/community.crypto/pull/360</a>).</p></li>
<li><p>certificate_complete_chain - do not hang when infinite loop is found (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/355">https://github.com/ansible-collections/community.crypto/issues/355</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/360">https://github.com/ansible-collections/community.crypto/pull/360</a>).</p></li>
<li><p>acme_certificate - avoid passing multiple certificates to <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code>’s X.509 certificate loader when <codeclass="docutils literal notranslate"><spanclass="pre">fullchain_dest</span></code> is used (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/324">https://github.com/ansible-collections/community.crypto/pull/324</a>).</p></li>
<li><p>get_certificate, openssl_csr_info, x509_certificate_info - add fallback code for extension parsing that works with cryptography 36.0.0 and newer. This code re-serializes de-serialized extensions and thus can return slightly different values if the extension in the original CSR or certificate was not canonicalized correctly. This code is currently used as a fallback if the existing code stops working, but we will switch it to be the main code in a future release (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/331">https://github.com/ansible-collections/community.crypto/pull/331</a>).</p></li>
<li><p>luks_device - now also runs a built-in LUKS signature cleaner on <codeclass="docutils literal notranslate"><spanclass="pre">state=absent</span></code> to make sure that the secondary LUKS2 header is also wiped when older versions of wipefs are used (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/326">https://github.com/ansible-collections/community.crypto/issues/326</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/327">https://github.com/ansible-collections/community.crypto/pull/327</a>).</p></li>
<li><p>openssl_pkcs12 - use new PKCS#12 deserialization infrastructure from cryptography 36.0.0 if available (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/302">https://github.com/ansible-collections/community.crypto/pull/302</a>).</p></li>
<p>A new major release of the <codeclass="docutils literal notranslate"><spanclass="pre">community.crypto</span></code> collection. The main changes are removal of the PyOpenSSL backends for almost all modules (<codeclass="docutils literal notranslate"><spanclass="pre">openssl_pkcs12</span></code> being the only exception), and removal of the <codeclass="docutils literal notranslate"><spanclass="pre">assertonly</span></code> provider in the <codeclass="docutils literal notranslate"><spanclass="pre">x509_certificate</span></code> module. There are also some other breaking changes which should improve the user interface/experience of this collection long-term.</p>
<li><p>acme_certificate - the <codeclass="docutils literal notranslate"><spanclass="pre">subject</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">issuer</span></code> fields in the <codeclass="docutils literal notranslate"><spanclass="pre">select_chain</span></code> entries are now more strictly validated (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/316">https://github.com/ansible-collections/community.crypto/pull/316</a>).</p></li>
<li><p>openssl_csr, openssl_csr_pipe - provide a new <codeclass="docutils literal notranslate"><spanclass="pre">subject_ordered</span></code> option if the order of the components in the subject is of importance (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/291">https://github.com/ansible-collections/community.crypto/issues/291</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/316">https://github.com/ansible-collections/community.crypto/pull/316</a>).</p></li>
<li><p>openssl_csr, openssl_csr_pipe - there is now stricter validation of the values of the <codeclass="docutils literal notranslate"><spanclass="pre">subject</span></code> option (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/316">https://github.com/ansible-collections/community.crypto/pull/316</a>).</p></li>
<li><p>openssl_privatekey_info - add <codeclass="docutils literal notranslate"><spanclass="pre">check_consistency</span></code> option to request private key consistency checks to be done (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/309">https://github.com/ansible-collections/community.crypto/pull/309</a>).</p></li>
<li><p>x509_certificate, x509_certificate_pipe - add <codeclass="docutils literal notranslate"><spanclass="pre">ignore_timestamps</span></code> option which allows enabling idempotency for ‘not before’ and ‘not after’ options (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/295">https://github.com/ansible-collections/community.crypto/issues/295</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/317">https://github.com/ansible-collections/community.crypto/pull/317</a>).</p></li>
<li><p>x509_crl - provide a new <codeclass="docutils literal notranslate"><spanclass="pre">issuer_ordered</span></code> option if the order of the components in the issuer is of importance (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/291">https://github.com/ansible-collections/community.crypto/issues/291</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/316">https://github.com/ansible-collections/community.crypto/pull/316</a>).</p></li>
<li><p>x509_crl - there is now stricter validation of the values of the <codeclass="docutils literal notranslate"><spanclass="pre">issuer</span></code> option (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/316">https://github.com/ansible-collections/community.crypto/pull/316</a>).</p></li>
<h3><aclass="toc-backref"href="#id350"role="doc-backlink">Breaking Changes / Porting Guide</a><aclass="headerlink"href="#breaking-changes-porting-guide"title="Link to this heading"></a></h3>
<li><p>Adjust <codeclass="docutils literal notranslate"><spanclass="pre">dirName</span></code> text parsing and to-text conversion code to conform to <aclass="reference external"href="https://datatracker.ietf.org/doc/html/rfc4514.html">Sections 2 and 3 of RFC 4514</a>. This is similar to how <aclass="reference external"href="https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Name.rfc4514_string">cryptography handles this</a> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/274">https://github.com/ansible-collections/community.crypto/pull/274</a>).</p></li>
<li><p>acme_* modules - removed vendored copy of the Python library <codeclass="docutils literal notranslate"><spanclass="pre">ipaddress</span></code>. If you are using Python 2.x, please make sure to install the library (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/287">https://github.com/ansible-collections/community.crypto/pull/287</a>).</p></li>
<li><p>compatibility module_utils - removed vendored copy of the Python library <codeclass="docutils literal notranslate"><spanclass="pre">ipaddress</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/287">https://github.com/ansible-collections/community.crypto/pull/287</a>).</p></li>
<li><p>get_certificate, openssl_csr_info, x509_certificate_info - depending on the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> version used, the modules might not return the ASN.1 value for an extension as contained in the certificate or CSR, but a re-encoded version of it. This should usually be identical to the value contained in the source file, unless the value was malformed. For extensions not handled by <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> the value contained in the source file is always returned unaltered (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/318">https://github.com/ansible-collections/community.crypto/pull/318</a>).</p></li>
<li><p>module_utils - removed various PyOpenSSL support functions and default backend values that are not needed for the openssl_pkcs12 module (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>openssl_csr, openssl_csr_pipe, x509_crl - the <codeclass="docutils literal notranslate"><spanclass="pre">subject</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">issuer</span></code> fields, respectively, no longer ignore empty values, but instead fail when encountering them (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/316">https://github.com/ansible-collections/community.crypto/pull/316</a>).</p></li>
<li><p>openssl_privatekey_info - by default consistency checks are not run; they need to be explicitly requested by passing <codeclass="docutils literal notranslate"><spanclass="pre">check_consistency=true</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/309">https://github.com/ansible-collections/community.crypto/pull/309</a>).</p></li>
<li><p>x509_crl - for idempotency checks, the <codeclass="docutils literal notranslate"><spanclass="pre">issuer</span></code> order is ignored. If order is important, use the new <codeclass="docutils literal notranslate"><spanclass="pre">issuer_ordered</span></code> option (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/316">https://github.com/ansible-collections/community.crypto/pull/316</a>).</p></li>
<h3><aclass="toc-backref"href="#id351"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#id119"title="Link to this heading"></a></h3>
<li><p>acme_* modules - ACME version 1 is now deprecated and support for it will be removed in community.crypto 2.0.0 (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/288">https://github.com/ansible-collections/community.crypto/pull/288</a>).</p></li>
<h3><aclass="toc-backref"href="#id352"role="doc-backlink">Removed Features (previously deprecated)</a><aclass="headerlink"href="#removed-features-previously-deprecated"title="Link to this heading"></a></h3>
<li><p>acme_* modules - the <codeclass="docutils literal notranslate"><spanclass="pre">acme_directory</span></code> option is now required (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/290">https://github.com/ansible-collections/community.crypto/pull/290</a>).</p></li>
<li><p>acme_* modules - the <codeclass="docutils literal notranslate"><spanclass="pre">acme_version</span></code> option is now required (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/290">https://github.com/ansible-collections/community.crypto/pull/290</a>).</p></li>
<li><p>acme_account_facts - the deprecated redirect has been removed. Use community.crypto.acme_account_info instead (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/290">https://github.com/ansible-collections/community.crypto/pull/290</a>).</p></li>
<li><p>acme_account_info - <codeclass="docutils literal notranslate"><spanclass="pre">retrieve_orders=url_list</span></code> no longer returns the return value <codeclass="docutils literal notranslate"><spanclass="pre">orders</span></code>. Use the <codeclass="docutils literal notranslate"><spanclass="pre">order_uris</span></code> return value instead (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/290">https://github.com/ansible-collections/community.crypto/pull/290</a>).</p></li>
<li><p>crypto.info module utils - the deprecated redirect has been removed. Use <codeclass="docutils literal notranslate"><spanclass="pre">crypto.pem</span></code> instead (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/290">https://github.com/ansible-collections/community.crypto/pull/290</a>).</p></li>
<li><p>get_certificate - removed the <codeclass="docutils literal notranslate"><spanclass="pre">pyopenssl</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>openssl_certificate - the deprecated redirect has been removed. Use community.crypto.x509_certificate instead (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/290">https://github.com/ansible-collections/community.crypto/pull/290</a>).</p></li>
<li><p>openssl_certificate_info - the deprecated redirect has been removed. Use community.crypto.x509_certificate_info instead (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/290">https://github.com/ansible-collections/community.crypto/pull/290</a>).</p></li>
<li><p>openssl_csr - removed the <codeclass="docutils literal notranslate"><spanclass="pre">pyopenssl</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>openssl_csr and openssl_csr_pipe - <codeclass="docutils literal notranslate"><spanclass="pre">version</span></code> now only accepts the (default) value 1 (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/290">https://github.com/ansible-collections/community.crypto/pull/290</a>).</p></li>
<li><p>openssl_csr_info - removed the <codeclass="docutils literal notranslate"><spanclass="pre">pyopenssl</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>openssl_csr_pipe - removed the <codeclass="docutils literal notranslate"><spanclass="pre">pyopenssl</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>openssl_privatekey - removed the <codeclass="docutils literal notranslate"><spanclass="pre">pyopenssl</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>openssl_privatekey_info - removed the <codeclass="docutils literal notranslate"><spanclass="pre">pyopenssl</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>openssl_privatekey_pipe - removed the <codeclass="docutils literal notranslate"><spanclass="pre">pyopenssl</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>openssl_publickey - removed the <codeclass="docutils literal notranslate"><spanclass="pre">pyopenssl</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>openssl_publickey_info - removed the <codeclass="docutils literal notranslate"><spanclass="pre">pyopenssl</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>openssl_signature - removed the <codeclass="docutils literal notranslate"><spanclass="pre">pyopenssl</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>openssl_signature_info - removed the <codeclass="docutils literal notranslate"><spanclass="pre">pyopenssl</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/273">https://github.com/ansible-collections/community.crypto/pull/273</a>).</p></li>
<li><p>acme_* modules - fix commands composed for OpenSSL backend to retrieve information on CSRs and certificates from stdin to use <codeclass="docutils literal notranslate"><spanclass="pre">/dev/stdin</span></code> instead of <codeclass="docutils literal notranslate"><spanclass="pre">-</span></code>. This is needed for OpenSSL 1.0.1 and 1.0.2, apparently (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/279">https://github.com/ansible-collections/community.crypto/pull/279</a>).</p></li>
<li><p>acme_challenge_cert_helper - only return an exception when cryptography is not installed, not when a version of it that is too old is installed. This prevents Ansible’s callback from crashing (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/281">https://github.com/ansible-collections/community.crypto/pull/281</a>).</p></li>
<li><p>openssl_csr and openssl_csr_pipe - make sure that Unicode strings are used to compare strings with the cryptography backend. This fixes idempotency problems with non-ASCII letters on Python 2 (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/270">https://github.com/ansible-collections/community.crypto/issues/270</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/271">https://github.com/ansible-collections/community.crypto/pull/271</a>).</p></li>
<li><p>get_certificate - added <codeclass="docutils literal notranslate"><spanclass="pre">starttls</span></code> option to retrieve certificates from servers which require clients to request an encrypted connection (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/264">https://github.com/ansible-collections/community.crypto/pull/264</a>).</p></li>
<li><p>openssh_keypair - added <codeclass="docutils literal notranslate"><spanclass="pre">diff</span></code> support (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/260">https://github.com/ansible-collections/community.crypto/pull/260</a>).</p></li>
<li><p>openssh_keypair - fixed <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend to preserve original file permissions when regenerating a keypair requires existing files to be overwritten (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/260">https://github.com/ansible-collections/community.crypto/pull/260</a>).</p></li>
<li><p>openssh_keypair - fixed error handling to restore original keypair if regeneration fails (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/260">https://github.com/ansible-collections/community.crypto/pull/260</a>).</p></li>
<li><p>x509_crl - restore inherited function signature to pass sanity tests (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/263">https://github.com/ansible-collections/community.crypto/pull/263</a>).</p></li>
<li><p>Avoid internal ansible-core module_utils in favor of equivalent public API available since at least Ansible 2.9 (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/253">https://github.com/ansible-collections/community.crypto/pull/253</a>).</p></li>
<li><p>openssh certificate module utils - new module_utils for parsing OpenSSH certificates (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/246">https://github.com/ansible-collections/community.crypto/pull/246</a>).</p></li>
<li><p>openssh_cert - added <codeclass="docutils literal notranslate"><spanclass="pre">regenerate</span></code> option to validate additional certificate parameters which trigger regeneration of an existing certificate (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/256">https://github.com/ansible-collections/community.crypto/pull/256</a>).</p></li>
<li><p>openssh_cert - adding <codeclass="docutils literal notranslate"><spanclass="pre">diff</span></code> support (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/255">https://github.com/ansible-collections/community.crypto/pull/255</a>).</p></li>
<li><p>openssh_cert - fixed certificate generation to restore original certificate if an error is encountered (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/255">https://github.com/ansible-collections/community.crypto/pull/255</a>).</p></li>
<li><p>openssh_keypair - fixed a bug that prevented custom file attributes being applied to public keys (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/257">https://github.com/ansible-collections/community.crypto/pull/257</a>).</p></li>
<li><p>cryptography_openssh module utils - new module_utils for managing asymmetric keypairs and OpenSSH formatted/encoded asymmetric keypairs (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/213">https://github.com/ansible-collections/community.crypto/pull/213</a>).</p></li>
<li><p>openssh_keypair - added <codeclass="docutils literal notranslate"><spanclass="pre">backend</span></code> parameter for selecting between the cryptography library or the OpenSSH binary for the execution of actions performed by <codeclass="docutils literal notranslate"><spanclass="pre">openssh_keypair</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/236">https://github.com/ansible-collections/community.crypto/pull/236</a>).</p></li>
<li><p>openssl_pkcs12 - added option <codeclass="docutils literal notranslate"><spanclass="pre">select_crypto_backend</span></code> and a <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend. This requires cryptography 3.0 or newer, and does not support the <codeclass="docutils literal notranslate"><spanclass="pre">iter_size</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">maciter_size</span></code> options (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/234">https://github.com/ansible-collections/community.crypto/pull/234</a>).</p></li>
<li><p>openssh_keypair - fix <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code> to populate return values for existing keypairs (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/113">https://github.com/ansible-collections/community.crypto/issues/113</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/230">https://github.com/ansible-collections/community.crypto/pull/230</a>).</p></li>
<li><p>various modules - prevent crashes when modules try to set attributes on not yet existing files in check mode. This will be fixed in ansible-core 2.12, but it is not backported to every Ansible version we support (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issue/242">https://github.com/ansible-collections/community.crypto/issue/242</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/243">https://github.com/ansible-collections/community.crypto/pull/243</a>).</p></li>
<li><p>x509_certificate - fix crash when <codeclass="docutils literal notranslate"><spanclass="pre">assertonly</span></code> provider is used and some error conditions should be reported (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/240">https://github.com/ansible-collections/community.crypto/issues/240</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/241">https://github.com/ansible-collections/community.crypto/pull/241</a>).</p></li>
<li><p>acme_* modules - avoid crashing for ACME servers where the <codeclass="docutils literal notranslate"><spanclass="pre">meta</span></code> directory key is not present (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/220">https://github.com/ansible-collections/community.crypto/issues/220</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/221">https://github.com/ansible-collections/community.crypto/pull/221</a>).</p></li>
<p>Fixes compatibility issues with the latest ansible-core 2.11 beta, and contains a lot of internal refactoring for the ACME modules and support for private key passphrases for them.</p>
<li><p>acme module_utils - the <codeclass="docutils literal notranslate"><spanclass="pre">acme</span></code> module_utils has been split up into several Python modules (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/184">https://github.com/ansible-collections/community.crypto/pull/184</a>).</p></li>
<li><p>acme_* modules - codebase refactor which should not be visible to end-users (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/184">https://github.com/ansible-collections/community.crypto/pull/184</a>).</p></li>
<li><p>acme_* modules - support account key passphrases for <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/197">https://github.com/ansible-collections/community.crypto/issues/197</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/207">https://github.com/ansible-collections/community.crypto/pull/207</a>).</p></li>
<li><p>acme_certificate_revoke - support revoking by private keys that are passphrase protected for <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/207">https://github.com/ansible-collections/community.crypto/pull/207</a>).</p></li>
<h3><aclass="toc-backref"href="#id389"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#id145"title="Link to this heading"></a></h3>
<li><p>acme module_utils - the <codeclass="docutils literal notranslate"><spanclass="pre">acme</span></code> module_utils (<codeclass="docutils literal notranslate"><spanclass="pre">ansible_collections.community.crypto.plugins.module_utils.acme</span></code>) is deprecated and will be removed in community.crypto 2.0.0. Use the new Python modules in the <codeclass="docutils literal notranslate"><spanclass="pre">acme</span></code> package instead (<codeclass="docutils literal notranslate"><spanclass="pre">ansible_collections.community.crypto.plugins.module_utils.acme.xxx</span></code>) (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/184">https://github.com/ansible-collections/community.crypto/pull/184</a>).</p></li>
<li><p>action_module plugin helper - make compatible with latest changes in ansible-core 2.11.0b3 (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/202">https://github.com/ansible-collections/community.crypto/pull/202</a>).</p></li>
<li><p>openssl_privatekey_pipe - make compatible with latest changes in ansible-core 2.11.0b3 (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/202">https://github.com/ansible-collections/community.crypto/pull/202</a>).</p></li>
<li><p>acme_account_info - when <codeclass="docutils literal notranslate"><spanclass="pre">retrieve_orders</span></code> is not <codeclass="docutils literal notranslate"><spanclass="pre">ignore</span></code> and the ACME server allows querying orders, the new return value <codeclass="docutils literal notranslate"><spanclass="pre">order_uris</span></code> is always populated with a list of URIs (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/178">https://github.com/ansible-collections/community.crypto/pull/178</a>).</p></li>
<li><p>luks_device - allow specifying the sector size for LUKS2 containers with the new <codeclass="docutils literal notranslate"><spanclass="pre">sector_size</span></code> parameter (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/193">https://github.com/ansible-collections/community.crypto/pull/193</a>).</p></li>
<h3><aclass="toc-backref"href="#id394"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#id149"title="Link to this heading"></a></h3>
<li><p>acme_account_info - when <codeclass="docutils literal notranslate"><spanclass="pre">retrieve_orders=url_list</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">orders</span></code> will no longer be returned in community.crypto 2.0.0. Use <codeclass="docutils literal notranslate"><spanclass="pre">order_uris</span></code> instead (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/178">https://github.com/ansible-collections/community.crypto/pull/178</a>).</p></li>
<li><p>openssl_csr - no longer fails when comparing CSR without basic constraint when <codeclass="docutils literal notranslate"><spanclass="pre">basic_constraints</span></code> is specified (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/179">https://github.com/ansible-collections/community.crypto/issues/179</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/180">https://github.com/ansible-collections/community.crypto/pull/180</a>).</p></li>
<li><p>The ACME module_utils has been relicensed back from the Simplified BSD License (<aclass="reference external"href="https://opensource.org/licenses/BSD-2-Clause">https://opensource.org/licenses/BSD-2-Clause</a>) to the GPLv3+ (same license used by most other code in this collection). This undoes a licensing change when the original GPLv3+ licensed code was moved to module_utils in <aclass="reference external"href="https://github.com/ansible/ansible/pull/40697">https://github.com/ansible/ansible/pull/40697</a> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/165">https://github.com/ansible-collections/community.crypto/pull/165</a>).</p></li>
<li><p>The <codeclass="docutils literal notranslate"><spanclass="pre">crypto/identify.py</span></code> module_utils has been renamed to <codeclass="docutils literal notranslate"><spanclass="pre">crypto/pem.py</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/166">https://github.com/ansible-collections/community.crypto/pull/166</a>).</p></li>
<li><p>luks_device - <codeclass="docutils literal notranslate"><spanclass="pre">new_keyfile</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">new_passphrase</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">remove_keyfile</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">remove_passphrase</span></code> are now idempotent (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/19">https://github.com/ansible-collections/community.crypto/issues/19</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/168">https://github.com/ansible-collections/community.crypto/pull/168</a>).</p></li>
<li><p>luks_device - allow configuring PBKDF (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/163">https://github.com/ansible-collections/community.crypto/pull/163</a>).</p></li>
<li><p>openssl_csr, openssl_csr_pipe - allow specifying CRL distribution endpoints with <codeclass="docutils literal notranslate"><spanclass="pre">crl_distribution_points</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/147">https://github.com/ansible-collections/community.crypto/issues/147</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/167">https://github.com/ansible-collections/community.crypto/pull/167</a>).</p></li>
<li><p>openssl_pkcs12 - allow specifying certificate bundles in <codeclass="docutils literal notranslate"><spanclass="pre">other_certificates</span></code> by using the new option <codeclass="docutils literal notranslate"><spanclass="pre">other_certificates_parse_all</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/149">https://github.com/ansible-collections/community.crypto/issues/149</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/166">https://github.com/ansible-collections/community.crypto/pull/166</a>).</p></li>
<li><p>acme_certificate - error when requested challenge type is not found for non-valid challenges, instead of hanging on step 2 (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/171">https://github.com/ansible-collections/community.crypto/issues/171</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/173">https://github.com/ansible-collections/community.crypto/pull/173</a>).</p></li>
<p>Contains new modules <codeclass="docutils literal notranslate"><spanclass="pre">openssl_privatekey_pipe</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">openssl_csr_pipe</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">x509_certificate_pipe</span></code> which allow creating or updating private keys, CSRs and X.509 certificates without having to write them to disk.</p>
<li><p>openssh_cert - add module parameter <codeclass="docutils literal notranslate"><spanclass="pre">use_agent</span></code> to enable using signing keys stored in ssh-agent (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/116">https://github.com/ansible-collections/community.crypto/issues/116</a>).</p></li>
<li><p>openssl_csr - refactor module to allow code reuse by openssl_csr_pipe (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/123">https://github.com/ansible-collections/community.crypto/pull/123</a>).</p></li>
<li><p>openssl_privatekey - refactor module to allow code reuse by openssl_privatekey_pipe (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/119">https://github.com/ansible-collections/community.crypto/pull/119</a>).</p></li>
<li><p>openssl_privatekey - the elliptic curve <codeclass="docutils literal notranslate"><spanclass="pre">secp192r1</span></code> now triggers a security warning. Elliptic curves of at least 224 bits should be used for new keys; see <aclass="reference external"href="https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec.html#elliptic-curves">here</a> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/132">https://github.com/ansible-collections/community.crypto/pull/132</a>).</p></li>
<li><p>x509_certificate - for the <codeclass="docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider, a CSR is not required anymore. If no CSR is provided, the module behaves as if a minimal CSR which only contains the public key has been provided (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/32">https://github.com/ansible-collections/community.crypto/issues/32</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/129">https://github.com/ansible-collections/community.crypto/pull/129</a>).</p></li>
<li><p>x509_certificate - refactor module to allow code reuse by x509_certificate_pipe (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/135">https://github.com/ansible-collections/community.crypto/pull/135</a>).</p></li>
<li><p>openssl_pkcs12 - report the correct state when <codeclass="docutils literal notranslate"><spanclass="pre">action</span></code> is <codeclass="docutils literal notranslate"><spanclass="pre">parse</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/143">https://github.com/ansible-collections/community.crypto/issues/143</a>).</p></li>
<li><p>support code - improve handling of certificate and certificate signing request (CSR) loading with the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend when errors occur (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/138">https://github.com/ansible-collections/community.crypto/issues/138</a>, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/139">https://github.com/ansible-collections/community.crypto/pull/139</a>).</p></li>
<li><p>x509_certificate - fix <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider, which was broken since community.crypto 0.1.0 due to a feature added before the collection move (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/135">https://github.com/ansible-collections/community.crypto/pull/135</a>).</p></li>
<li><p>acme_certificate - allow passing the CSR file as content with the new option <codeclass="docutils literal notranslate"><spanclass="pre">csr_content</span></code> (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/115">https://github.com/ansible-collections/community.crypto/pull/115</a>).</p></li>
<li><p>x509_certificate_info - add <codeclass="docutils literal notranslate"><spanclass="pre">fingerprints</span></code> return value which returns certificate fingerprints (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/121">https://github.com/ansible-collections/community.crypto/pull/121</a>).</p></li>
<h3><aclass="toc-backref"href="#id408"role="doc-backlink">Security Fixes</a><aclass="headerlink"href="#security-fixes"title="Link to this heading"></a></h3>
<li><p>openssl_csr - the option <codeclass="docutils literal notranslate"><spanclass="pre">privatekey_content</span></code> was not marked as <codeclass="docutils literal notranslate"><spanclass="pre">no_log</span></code>, resulting in it being dumped into the system log by default, and returned in the registered results in the <codeclass="docutils literal notranslate"><spanclass="pre">invocation</span></code> field (CVE-2020-25646, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/125">https://github.com/ansible-collections/community.crypto/pull/125</a>).</p></li>
<li><p>openssl_privatekey_info - the option <codeclass="docutils literal notranslate"><spanclass="pre">content</span></code> was not marked as <codeclass="docutils literal notranslate"><spanclass="pre">no_log</span></code>, resulting in it being dumped into the system log by default, and returned in the registered results in the <codeclass="docutils literal notranslate"><spanclass="pre">invocation</span></code> field (CVE-2020-25646, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/125">https://github.com/ansible-collections/community.crypto/pull/125</a>).</p></li>
<li><p>openssl_publickey - the option <codeclass="docutils literal notranslate"><spanclass="pre">privatekey_content</span></code> was not marked as <codeclass="docutils literal notranslate"><spanclass="pre">no_log</span></code>, resulting in it being dumped into the system log by default, and returned in the registered results in the <codeclass="docutils literal notranslate"><spanclass="pre">invocation</span></code> field (CVE-2020-25646, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/125">https://github.com/ansible-collections/community.crypto/pull/125</a>).</p></li>
<li><p>openssl_signature - the option <codeclass="docutils literal notranslate"><spanclass="pre">privatekey_content</span></code> was not marked as <codeclass="docutils literal notranslate"><spanclass="pre">no_log</span></code>, resulting in it being dumped into the system log by default, and returned in the registered results in the <codeclass="docutils literal notranslate"><spanclass="pre">invocation</span></code> field (CVE-2020-25646, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/125">https://github.com/ansible-collections/community.crypto/pull/125</a>).</p></li>
<li><p>x509_certificate - the options <codeclass="docutils literal notranslate"><spanclass="pre">privatekey_content</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">ownca_privatekey_content</span></code> were not marked as <codeclass="docutils literal notranslate"><spanclass="pre">no_log</span></code>, resulting in them being dumped into the system log by default, and returned in the registered results in the <codeclass="docutils literal notranslate"><spanclass="pre">invocation</span></code> field (CVE-2020-25646, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/125">https://github.com/ansible-collections/community.crypto/pull/125</a>).</p></li>
<li><p>x509_crl - the option <codeclass="docutils literal notranslate"><spanclass="pre">privatekey_content</span></code> was not marked as <codeclass="docutils literal notranslate"><spanclass="pre">no_log</span></code>, resulting in it being dumped into the system log by default, and returned in the registered results in the <codeclass="docutils literal notranslate"><spanclass="pre">invocation</span></code> field (CVE-2020-25646, <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/125">https://github.com/ansible-collections/community.crypto/pull/125</a>).</p></li>
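<p>Added example (not part of the community.crypto code base): a Python check for the exposure described in the security fixes above. It looks for unmasked private key PEM headers in a registered result's invocation field and in module invocation log lines. The sample key, results and log lines are constructed, and the log line layout is an assumption.</p>

```python
import re

# Modules and options this changelog lists as missing no_log (CVE-2020-25646).
AFFECTED_OPTIONS = {
    "openssl_csr": ["privatekey_content"],
    "openssl_privatekey_info": ["content"],
    "openssl_publickey": ["privatekey_content"],
    "openssl_signature": ["privatekey_content"],
    "x509_certificate": ["privatekey_content", "ownca_privatekey_content"],
    "x509_crl": ["privatekey_content"],
}
# Placeholder Ansible returns in place of a value whose option is marked no_log.
NO_LOG_MASK = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
# PKCS#8, encrypted PKCS#8, RSA, EC and OpenSSH private key PEM headers.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Assumed layout of an invocation record: "ansible-<module>[pid]: Invoked with ...".
INVOKED = re.compile(r"ansible-(?P<module>[\w.]+)(?:\[\d+\])?:? Invoked with ")


def leaked_options(module, result):
    """Affected options whose key material sits unmasked in result['invocation']."""
    args = result.get("invocation", {}).get("module_args", {})
    return [
        option
        for option in AFFECTED_OPTIONS.get(module, [])
        if isinstance(args.get(option), str) and PEM_PRIVATE_KEY.search(args[option])
    ]


def leaking_log_lines(lines):
    """(line number, module) for invocation records that carry a private key header."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = INVOKED.search(line)
        if match and PEM_PRIVATE_KEY.search(line, match.end()):
            hits.append((number, match.group("module").rsplit(".", 1)[-1]))
    return hits


# Constructed sample data: the "key" is a placeholder, not real key material.
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n-----END PRIVATE KEY-----\n"
RESULT_BEFORE_FIX = {"changed": True, "invocation": {"module_args": {
    "path": "/tmp/example.pem",
    "privatekey_content": SAMPLE_KEY,
    "ownca_privatekey_content": SAMPLE_KEY,
}}}
RESULT_AFTER_FIX = {"changed": True, "invocation": {"module_args": {
    "path": "/tmp/example.pem",
    "privatekey_content": NO_LOG_MASK,
    "ownca_privatekey_content": NO_LOG_MASK,
}}}
SAMPLE_LOG = [
    "Oct 20 10:00:01 host1 ansible-openssl_csr[4242]: Invoked with path=/tmp/example.csr "
    "privatekey_content=-----BEGIN PRIVATE KEY-----\\nCONSTRUCTED-SAMPLE\\n...",
    "Oct 20 10:05:09 host1 ansible-openssl_csr[4310]: Invoked with path=/tmp/example.csr "
    "privatekey_content=NOT_LOGGING_PARAMETER",
    "Oct 20 10:06:30 host1 sshd[991]: Accepted publickey for deploy",
]

if __name__ == "__main__":
    print(leaked_options("x509_certificate", RESULT_BEFORE_FIX))
    print(leaked_options("x509_certificate", RESULT_AFTER_FIX))
    print(leaking_log_lines(SAMPLE_LOG))
```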
<li><p>openssl_pkcs12 - do not crash when reading PKCS#12 file which has no private key and/or no main certificate (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/103">https://github.com/ansible-collections/community.crypto/issues/103</a>).</p></li>
<li><p>meta/runtime.yml - convert Ansible version numbers for old names of modules to collection version numbers (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/108">https://github.com/ansible-collections/community.crypto/pull/108</a>).</p></li>
<li><p>openssl_csr - improve handling of IDNA errors (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/105">https://github.com/ansible-collections/community.crypto/issues/105</a>).</p></li>
<li><p>acme_account - add <codeclass="docutils literal notranslate"><spanclass="pre">external_account_binding</span></code> option to allow creation of ACME accounts with External Account Binding (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/89">https://github.com/ansible-collections/community.crypto/issues/89</a>).</p></li>
<li><p>acme_certificate - allow new selector <codeclass="docutils literal notranslate"><spanclass="pre">test_certificates:</span><spanclass="pre">first</span></code> for <codeclass="docutils literal notranslate"><spanclass="pre">select_chain</span></code> parameter (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/102">https://github.com/ansible-collections/community.crypto/pull/102</a>).</p></li>
<li><p>cryptography backends - support arbitrary dotted OIDs (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/39">https://github.com/ansible-collections/community.crypto/issues/39</a>).</p></li>
<li><p>get_certificate - add support for SNI (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/69">https://github.com/ansible-collections/community.crypto/issues/69</a>).</p></li>
<li><p>luks_device - add support for encryption options on container creation (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/97">https://github.com/ansible-collections/community.crypto/pull/97</a>).</p></li>
<li><p>openssh_cert - add support for PKCS#11 tokens (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/95">https://github.com/ansible-collections/community.crypto/pull/95</a>).</p></li>
<li><p>openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness for serial numbers, instead of a random number between 1000 and 99999. Please note that this is not a high quality random number (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/76">https://github.com/ansible-collections/community.crypto/issues/76</a>).</p></li>
<li><p>openssl_csr - add support for name constraints extension (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/46">https://github.com/ansible-collections/community.crypto/issues/46</a>).</p></li>
<li><p>openssl_csr_info - add support for name constraints extension (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/46">https://github.com/ansible-collections/community.crypto/issues/46</a>).</p></li>
<li><p>acme_inspect - fix problem with Python 3.5 that JSON was not decoded (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/86">https://github.com/ansible-collections/community.crypto/issues/86</a>).</p></li>
<li><p>get_certificate - fix <codeclass="docutils literal notranslate"><spanclass="pre">ca_cert</span></code> option handling when <codeclass="docutils literal notranslate"><spanclass="pre">proxy_host</span></code> is used (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/84">https://github.com/ansible-collections/community.crypto/pull/84</a>).</p></li>
<li><p>openssl_*, x509_* modules - fix handling of general names which refer to IP networks and not IP addresses (<aclass="reference external"href="https://github.com/ansible-collections/community.crypto/pull/92">https://github.com/ansible-collections/community.crypto/pull/92</a>).</p></li>
<p>This is the first proper release of the <codeclass="docutils literal notranslate"><spanclass="pre">community.crypto</span></code> collection. This changelog contains all changes to the modules in this collection that were added after the release of Ansible 2.9.0.</p>
<li><p>luks_device - add <codeclass="docutils literal notranslate"><spanclass="pre">keysize</span></code> parameter to set key size at LUKS container creation</p></li>
<li><p>luks_device - added support to use UUIDs, and labels with LUKS2 containers</p></li>
<li><p>luks_device - added the <codeclass="docutils literal notranslate"><spanclass="pre">type</span></code> option that allows the user to explicitly define the LUKS container format version</p></li>
<li><p>openssh_keypair - instead of regenerating some broken or password protected keys, fail the module. Keys can still be regenerated by calling the module with <codeclass="docutils literal notranslate"><spanclass="pre">force=yes</span></code>.</p></li>
<li><p>openssh_keypair - the <codeclass="docutils literal notranslate"><spanclass="pre">regenerate</span></code> option allows to configure the module’s behavior when it should or needs to regenerate private keys.</p></li>
<li><p>openssl_* modules - the cryptography backend now properly supports <codeclass="docutils literal notranslate"><spanclass="pre">dirName</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">otherName</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">RID</span></code> (Registered ID) names.</p></li>
<li><p>openssl_certificate - Add option for changing which ACME directory to use with acme-tiny. Set the default ACME directory to Let’s Encrypt instead of using acme-tiny’s default. (acme-tiny also uses Let’s Encrypt at the time being, so no action should be necessary.)</p></li>
<li><p>openssl_certificate - Change the required version of acme-tiny to >= 4.0.0</p></li>
<li><p>openssl_certificate - allow to provide content of some input files via the <codeclass="docutils literal notranslate"><spanclass="pre">csr_content</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">privatekey_content</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">ownca_privatekey_content</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">ownca_content</span></code> options.</p></li>
<li><p>openssl_certificate - allow to return the existing/generated certificate directly as <codeclass="docutils literal notranslate"><spanclass="pre">certificate</span></code> by setting <codeclass="docutils literal notranslate"><spanclass="pre">return_content</span></code> to <codeclass="docutils literal notranslate"><spanclass="pre">yes</span></code>.</p></li>
<li><p>openssl_certificate_info - allow to provide certificate content via <codeclass="docutils literal notranslate"><spanclass="pre">content</span></code> option (<aclass="reference external"href="https://github.com/ansible/ansible/issues/64776">https://github.com/ansible/ansible/issues/64776</a>).</p></li>
<li><p>openssl_csr - Add support for specifying the SAN <codeclass="docutils literal notranslate"><spanclass="pre">otherName</span></code> value in the OpenSSL ASN.1 UTF8 string format, <codeclass="docutils literal notranslate"><spanclass="pre">otherName:<OID>;UTF8:string</span><spanclass="pre">value</span></code>.</p></li>
<li><p>openssl_csr - allow to provide private key content via <codeclass="docutils literal notranslate"><spanclass="pre">private_key_content</span></code> option.</p></li>
<li><p>openssl_csr - allow to return the existing/generated CSR directly as <codeclass="docutils literal notranslate"><spanclass="pre">csr</span></code> by setting <codeclass="docutils literal notranslate"><spanclass="pre">return_content</span></code> to <codeclass="docutils literal notranslate"><spanclass="pre">yes</span></code>.</p></li>
<li><p>openssl_csr_info - allow to provide CSR content via <codeclass="docutils literal notranslate"><spanclass="pre">content</span></code> option.</p></li>
<li><p>openssl_dhparam - allow to return the existing/generated DH params directly as <codeclass="docutils literal notranslate"><spanclass="pre">dhparams</span></code> by setting <codeclass="docutils literal notranslate"><spanclass="pre">return_content</span></code> to <codeclass="docutils literal notranslate"><spanclass="pre">yes</span></code>.</p></li>
<li><p>openssl_dhparam - now supports a <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code>-based backend. Auto-detection can be overwritten with the <codeclass="docutils literal notranslate"><spanclass="pre">select_crypto_backend</span></code> option.</p></li>
<li><p>openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as <codeclass="docutils literal notranslate"><spanclass="pre">pkcs12</span></code> by setting <codeclass="docutils literal notranslate"><spanclass="pre">return_content</span></code> to <codeclass="docutils literal notranslate"><spanclass="pre">yes</span></code>.</p></li>
<li><p>openssl_privatekey - allow to return the existing/generated private key directly as <codeclass="docutils literal notranslate"><spanclass="pre">privatekey</span></code> by setting <codeclass="docutils literal notranslate"><spanclass="pre">return_content</span></code> to <codeclass="docutils literal notranslate"><spanclass="pre">yes</span></code>.</p></li>
<li><p>openssl_privatekey - the <codeclass="docutils literal notranslate"><spanclass="pre">regenerate</span></code> option allows to configure the module’s behavior when it should or needs to regenerate private keys.</p></li>
<li><p>openssl_privatekey_info - allow to provide private key content via <codeclass="docutils literal notranslate"><spanclass="pre">content</span></code> option.</p></li>
<li><p>openssl_publickey - allow to provide private key content via <codeclass="docutils literal notranslate"><spanclass="pre">private_key_content</span></code> option.</p></li>
<li><p>openssl_publickey - allow to return the existing/generated public key directly as <codeclass="docutils literal notranslate"><spanclass="pre">publickey</span></code> by setting <codeclass="docutils literal notranslate"><spanclass="pre">return_content</span></code> to <codeclass="docutils literal notranslate"><spanclass="pre">yes</span></code>.</p></li>
<h3><aclass="toc-backref"href="#id421"role="doc-backlink">Deprecated Features</a><aclass="headerlink"href="#id169"title="Link to this heading"></a></h3>
<li><p>openssl_csr - all values for the <codeclass="docutils literal notranslate"><spanclass="pre">version</span></code> option except <codeclass="docutils literal notranslate"><spanclass="pre">1</span></code> are deprecated. The value 1 denotes the only CSR version currently standardized.</p></li>
<h3><aclass="toc-backref"href="#id422"role="doc-backlink">Removed Features (previously deprecated)</a><aclass="headerlink"href="#id170"title="Link to this heading"></a></h3>
<li><p>The <codeclass="docutils literal notranslate"><spanclass="pre">letsencrypt</span></code> module has been removed. Use <codeclass="docutils literal notranslate"><spanclass="pre">acme_certificate</span></code> instead.</p></li>
<li><p>ACME modules: fix bug in ACME v1 account update code</p></li>
<li><p>ACME modules: make sure some connection errors are handled properly</p></li>
<li><p>ACME modules: support Buypass’ ACME v1 endpoint</p></li>
<li><p>acme_certificate - fix crash when module is used with Python 2.x.</p></li>
<li><p>acme_certificate - fix misbehavior when ACME v1 is used with <codeclass="docutils literal notranslate"><spanclass="pre">modify_account</span></code> set to <codeclass="docutils literal notranslate"><spanclass="pre">false</span></code>.</p></li>
<li><p>ecs_certificate - Always specify header <codeclass="docutils literal notranslate"><spanclass="pre">connection:</span><spanclass="pre">keep-alive</span></code> for ECS API connections.</p></li>
<li><p>ecs_certificate - Fix formatting of contents of <codeclass="docutils literal notranslate"><spanclass="pre">full_chain_path</span></code>.</p></li>
<li><p>get_certificate - Fix cryptography backend when pyopenssl is unavailable (<aclass="reference external"href="https://github.com/ansible/ansible/issues/67900">https://github.com/ansible/ansible/issues/67900</a>)</p></li>
<li><p>openssh_keypair - add logic to avoid breaking password protected keys.</p></li>
<li><p>openssh_keypair - fixes idempotence issue with public key (<aclass="reference external"href="https://github.com/ansible/ansible/issues/64969">https://github.com/ansible/ansible/issues/64969</a>).</p></li>
<li><p>openssh_keypair - public key’s file attributes (permissions, owner, group, etc.) are now set to the same values as the private key.</p></li>
<li><p>openssl_* modules - prevent crash on fingerprint determination in FIPS mode (<aclass="reference external"href="https://github.com/ansible/ansible/issues/67213">https://github.com/ansible/ansible/issues/67213</a>).</p></li>
<li><p>openssl_certificate - When provider is <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code>, use a <codeclass="docutils literal notranslate"><spanclass="pre">connection:</span><spanclass="pre">keep-alive</span></code> header for ECS API connections.</p></li>
<li><p>openssl_certificate - <codeclass="docutils literal notranslate"><spanclass="pre">provider</span></code> option was documented as required, but it was not checked whether it was provided. It is now only required when <codeclass="docutils literal notranslate"><spanclass="pre">state</span></code> is <codeclass="docutils literal notranslate"><spanclass="pre">present</span></code>.</p></li>
<li><p>openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support for <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend. This probably needs at least cryptography 2.8, since older versions have problems with signing certificates or CSRs with such keys. (<aclass="reference external"href="https://github.com/ansible/ansible/issues/59039">https://github.com/ansible/ansible/issues/59039</a>, PR <aclass="reference external"href="https://github.com/ansible/ansible/pull/63984">https://github.com/ansible/ansible/pull/63984</a>)</p></li>
<li><p>openssl_csr - a warning is issued if an unsupported value for <codeclass="docutils literal notranslate"><spanclass="pre">version</span></code> is used for the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend.</p></li>
<li><p>openssl_csr - the module will now enforce that <codeclass="docutils literal notranslate"><spanclass="pre">privatekey_path</span></code> is specified when <codeclass="docutils literal notranslate"><spanclass="pre">state=present</span></code>.</p></li>
<li><p>openssl_publickey - fix a module crash caused when pyOpenSSL is not installed (<aclass="reference external"href="https://github.com/ansible/ansible/issues/67035">https://github.com/ansible/ansible/issues/67035</a>).</p></li>