<linkrel="prev"title="community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates"href="x509_certificate_info_module.html"/><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
</head>
<bodyclass="wy-body-for-nav"><!-- extra body elements for Ansible beyond RTD Sphinx Theme -->
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_selfsigned.html">How to create self-signed certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_ownca.html">How to create a small CA</a></li>
</ul>
<ulclass="current">
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_module.html">community.crypto.acme_account module – Create, modify or delete ACME accounts</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_info_module.html">community.crypto.acme_account_info module – Retrieves information on ACME accounts</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_module.html">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code></a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="certificate_complete_chain_module.html">community.crypto.certificate_complete_chain module – Complete certificate chain given a set of untrusted and root certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_csr_info_module.html">community.crypto.openssl_csr_info module – Provide information of OpenSSL Certificate Signing Requests (CSR)</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_info_module.html">community.crypto.openssl_privatekey_info module – Provide information for OpenSSL private keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_pipe_module.html">community.crypto.openssl_privatekey_pipe module – Generate OpenSSL private keys without disk access</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_module.html">community.crypto.openssl_publickey module – Generate an OpenSSL public key from its private key.</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_info_module.html">community.crypto.openssl_publickey_info module – Provide information for OpenSSL public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_module.html">community.crypto.openssl_signature module – Sign data with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_info_module.html">community.crypto.openssl_signature_info module – Verify signatures with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_certificate_info_module.html">community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_info_filter.html">community.crypto.openssl_privatekey_info filter – Retrieve information from OpenSSL private keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_info_filter.html">community.crypto.openssl_publickey_info filter – Retrieve information from OpenSSL public keys in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_certificate_info_filter.html">community.crypto.x509_certificate_info filter – Retrieve information from X.509 certificates in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_crl_info_filter.html">community.crypto.x509_crl_info filter – Retrieve information from X.509 CRLs in PEM format</a></li>
<ahref="https://github.com/ansible-collections/community.crypto/edit/main/plugins/modules/x509_certificate_pipe.py?description=%23%23%23%23%23%20SUMMARY%0A%3C!—%20Your%20description%20here%20–%3E%0A%0A%0A%23%23%23%23%23%20ISSUE%20TYPE%0A-%20Docs%20Pull%20Request%0A%0A%2Blabel:%20docsite_pr"class="fa fa-github"> Edit on GitHub</a>
<p>This module is part of the <aclass="reference external"href="https://galaxy.ansible.com/community/crypto">community.crypto collection</a> (version 2.15.0).</p>
You need further requirements to be able to use this module,
see <aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-requirements"><spanclass="std std-ref">Requirements</span></a> for details.</p>
<p>To use it in a playbook, specify: <codeclass="code docutils literal notranslate"><spanclass="pre">community.crypto.x509_certificate_pipe</span></code>.</p>
</div>
<pclass="ansible-version-added">New in community.crypto 1.3.0</p>
<li><p>It implements a notion of provider (ie. <codeclass="docutils literal notranslate"><spanclass="pre">selfsigned</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code>) for your certificate.</p></li>
<li><p>It uses the cryptography python library to interact with OpenSSL.</p></li>
<li><p>Please note that the module regenerates an existing certificate if it does not match the module’s options, or if it seems to be corrupt. If you are concerned that this could overwrite your existing certificate, consider using the <em>backup</em> option.</p></li>
<li><p>The <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider is intended for generating an OpenSSL certificate signed with your own CA (Certificate Authority) certificate (self-signed certificate).</p></li>
<li><p>This module allows one to (re)generate OpenSSL certificates.</p></li>
<spanid="ansible-collections-community-crypto-x509-certificate-pipe-module-requirements"></span><h2><aclass="toc-backref"href="#id2"role="doc-backlink">Requirements</a><aclass="headerlink"href="#requirements"title="Permalink to this heading"></a></h2>
<h2><aclass="toc-backref"href="#id3"role="doc-backlink">Parameters</a><aclass="headerlink"href="#parameters"title="Permalink to this heading"></a></h2>
<aclass="ansibleOptionLink"href="#parameter-content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-csr_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the Certificate Signing Request (CSR) used to generate this certificate.</p>
<p>This is mutually exclusive with <em>csr_path</em>.</p>
<aclass="ansibleOptionLink"href="#parameter-csr_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the Certificate Signing Request (CSR) used to generate this certificate.</p>
<p>This is mutually exclusive with <em>csr_content</em>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_client_cert_key_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the private key of the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_client_cert_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_key"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The key (password) for authentication to the Entrust Certificate Services (ECS) API.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_specification_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the specification file defining the Entrust Certificate Services (ECS) API configuration.</p>
<p>You can use this to keep a local copy of the specification to avoid downloading it every time the module is used.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_user"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The username for authentication to the Entrust Certificate Services (ECS) API.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_cert_type"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Specify the type of certificate requested.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time at which the certificate stops being valid.</p>
<p>Time can be specified either as relative time or as an absolute timestamp.</p>
<p>A valid absolute time format is <codeclass="docutils literal notranslate"><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> such as <codeclass="docutils literal notranslate"><spanclass="pre">2019-06-18</span></code>.</p>
<p>A valid relative time format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code>, such as <codeclass="docutils literal notranslate"><spanclass="pre">+365d</span></code> or <codeclass="docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>Time will always be interpreted as UTC.</p>
<p>Note that only the date (day, month, year) is supported for specifying the expiry date of the issued certificate.</p>
<p>The full date-time is adjusted to EST (GMT -5:00) before issuance, which may result in a certificate with an expiration date one day earlier than expected if a relative time is used.</p>
<p>The minimum certificate lifetime is 90 days, and maximum is three years.</p>
<p>If this value is not specified, the certificate will stop being valid 365 days the date of issue.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>Please note that this value is <strong>not</strong> covered by the <em>ignore_timestamps</em> option.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_email"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The email of the requester of the certificate (for tracking purposes).</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_name"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The name of the requester of the certificate (for tracking purposes).</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_phone"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The phone number of the requester of the certificate (for tracking purposes).</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>This is required if the provider is <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-force"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Generate the certificate, even if it already exists.</p>
<aclass="ansibleOptionLink"href="#parameter-ignore_timestamps"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
<p><spanclass="ansible-option-versionadded">added in community.crypto 2.0.0</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether the “not before” and “not after” timestamps should be ignored for idempotency checks.</p>
<p>It is better to keep the default value <codeclass="docutils literal notranslate"><spanclass="pre">true</span></code> when using relative timestamps (like <codeclass="docutils literal notranslate"><spanclass="pre">+0s</span></code> for now).</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the CA (Certificate Authority) certificate.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>This is mutually exclusive with <em>ownca_path</em>.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_create_authority_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Create a Authority Key Identifier from the CA’s certificate. If the CSR provided a authority key identifier, it is ignored.</p>
<p>The Authority Key Identifier is generated from the CA certificate’s Subject Key Identifier, if available. If it is not available, the CA certificate’s public key will be used.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>Note that this is only supported if the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend is used!</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_create_subject_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether to create the Subject Key Identifier (SKI) from the public key.</p>
<p>A value of <codeclass="docutils literal notranslate"><spanclass="pre">create_if_not_provided</span></code> (default) only creates a SKI when the CSR does not provide one.</p>
<p>A value of <codeclass="docutils literal notranslate"><spanclass="pre">always_create</span></code> always creates a SKI. If the CSR provides one, that one is ignored.</p>
<p>A value of <codeclass="docutils literal notranslate"><spanclass="pre">never_create</span></code> never creates a SKI. If the CSR provides one, that one is used.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>Note that this is only supported if the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend is used!</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_digest"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The digest algorithm to be used for the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> certificate.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time at which the certificate stops being valid.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Time will always be interpreted as UTC.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>If this value is not specified, the certificate will stop being valid 10 years from now.</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <em>ignore_timestamps</em> option to <codeclass="docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <em>ignore_timestamps=false</em>.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see <aclass="reference external"href="https://support.apple.com/en-us/HT210176">https://support.apple.com/en-us/HT210176</a> for more details.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_not_before"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time the certificate is valid from.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Time will always be interpreted as UTC.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>If this value is not specified, the certificate will start being valid from now.</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <em>ignore_timestamps</em> option to <codeclass="docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <em>ignore_timestamps=false</em>.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Remote absolute path of the CA (Certificate Authority) certificate.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>This is mutually exclusive with <em>ownca_content</em>.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the CA (Certificate Authority) private key to use when signing the certificate.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>This is mutually exclusive with <em>ownca_privatekey_path</em>.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_passphrase"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The passphrase for the <em>ownca_privatekey_path</em> resp. <em>ownca_privatekey_content</em>.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the CA (Certificate Authority) private key to use when signing the certificate.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>This is mutually exclusive with <em>ownca_privatekey_content</em>.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_version"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The version of the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> certificate.</p>
<p>Nowadays it should almost always be <codeclass="docutils literal notranslate"><spanclass="pre">3</span></code>.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_passphrase"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The passphrase for the <em>privatekey_path</em> resp. <em>privatekey_content</em>.</p>
<p>This is required if the private key is password protected.</p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the private key to use when signing the certificate.</p>
<p>This is mutually exclusive with <em>privatekey_content</em>.</p>
<aclass="ansibleOptionLink"href="#parameter-provider"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span> / <spanclass="ansible-option-required">required</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Name of the provider to use to generate/retrieve the OpenSSL certificate.</p>
<p>The <codeclass="docutils literal notranslate"><spanclass="pre">entrust</span></code> provider requires credentials for the <aclass="reference external"href="https://www.entrustdatacard.com/products/categories/ssl-certificates">Entrust Certificate Services</a> (ECS) API.</p>
<aclass="ansibleOptionLink"href="#parameter-select_crypto_backend"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Determines which crypto backend to use.</p>
<p>The default choice is <codeclass="docutils literal notranslate"><spanclass="pre">auto</span></code>, which tries to use <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> if available.</p>
<p>If set to <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code>, will try to use the <aclass="reference external"href="https://cryptography.io/">cryptography</a> library.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_create_subject_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether to create the Subject Key Identifier (SKI) from the public key.</p>
<p>A value of <codeclass="docutils literal notranslate"><spanclass="pre">create_if_not_provided</span></code> (default) only creates a SKI when the CSR does not provide one.</p>
<p>A value of <codeclass="docutils literal notranslate"><spanclass="pre">always_create</span></code> always creates a SKI. If the CSR provides one, that one is ignored.</p>
<p>A value of <codeclass="docutils literal notranslate"><spanclass="pre">never_create</span></code> never creates a SKI. If the CSR provides one, that one is used.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<p>Note that this is only supported if the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend is used!</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_digest"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Digest algorithm to be used when self-signing the certificate.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: selfsigned_notAfter</span></p>
<td><divclass="ansible-option-cell"><p>The point in time at which the certificate stops being valid.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Time will always be interpreted as UTC.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>If this value is not specified, the certificate will stop being valid 10 years from now.</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <em>ignore_timestamps</em> option to <codeclass="docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <em>ignore_timestamps=false</em>.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<p>On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see <aclass="reference external"href="https://support.apple.com/en-us/HT210176">https://support.apple.com/en-us/HT210176</a> for more details.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_not_before"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: selfsigned_notBefore</span></p>
<td><divclass="ansible-option-cell"><p>The point in time the certificate is valid from.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Time will always be interpreted as UTC.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>If this value is not specified, the certificate will start being valid from now.</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <em>ignore_timestamps</em> option to <codeclass="docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <em>ignore_timestamps=false</em>.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_version"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Version of the <codeclass="docutils literal notranslate"><spanclass="pre">selfsigned</span></code> certificate.</p>
<p>Nowadays it should almost always be <codeclass="docutils literal notranslate"><spanclass="pre">3</span></code>.</p>
<p>This is only used by the <codeclass="docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<h2><aclass="toc-backref"href="#id4"role="doc-backlink">Attributes</a><aclass="headerlink"href="#attributes"title="Permalink to this heading"></a></h2>
<td><divclass="ansible-option-cell"><p>Can run in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code> and return changed status prediction without modifying target.</p>
<td><divclass="ansible-option-cell"><p>Will return details on what has changed (or possibly needs changing in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code>), when in diff mode.</p>
<li><p>All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.</p></li>
<li><p>Date specified should be UTC. Minutes and seconds are mandatory.</p></li>
<li><p>For security reason, when you use <codeclass="docutils literal notranslate"><spanclass="pre">ownca</span></code> provider, you should NOT run <aclass="reference internal"href="x509_certificate_module.html#ansible-collections-community-crypto-x509-certificate-module"><spanclass="std std-ref">community.crypto.x509_certificate</span></a> on a target machine, but on a dedicated CA machine. It is recommended not to store the CA private key on the target machine. Once signed, the certificate can be moved to the target machine.</p></li>
<li><p>For the <codeclass="docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider, <em>csr_path</em> and <em>csr_content</em> are optional. If not provided, a certificate without any information (Subject, Subject Alternative Names, Key Usage, etc.) is created.</p></li>
<dt><aclass="reference internal"href="openssl_privatekey_pipe_module.html#ansible-collections-community-crypto-openssl-privatekey-pipe-module"><spanclass="std std-ref">community.crypto.openssl_privatekey_pipe</span></a></dt><dd><p>Generate OpenSSL private keys without disk access.</p>
<dt><aclass="reference internal"href="openssl_publickey_module.html#ansible-collections-community-crypto-openssl-publickey-module"><spanclass="std std-ref">community.crypto.openssl_publickey</span></a></dt><dd><p>Generate an OpenSSL public key from its private key.</p>
<divclass="highlight-yaml+jinja notranslate"><divclass="highlight"><pre><span></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate a Self Signed OpenSSL certificate</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">(1/2) Generate an OpenSSL Certificate with the CSR provided inline</span>
<spanclass="w"></span><spanclass="nt">when</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">result is changed</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">(2/3) Generate an OpenSSL Certificate with the CSR provided inline</span>
<spanclass="w"></span><spanclass="nt">when</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">result is changed</span>
<h2><aclass="toc-backref"href="#id8"role="doc-backlink">Return Values</a><aclass="headerlink"href="#return-values"title="Permalink to this heading"></a></h2>
<p>Common return values are documented <aclass="reference external"href="https://docs.ansible.com/ansible/devel/reference_appendices/common_return_values.html#common-return-values"title="(in Ansible vdevel)"><spanclass="xref std std-ref">here</span></a>, the following are the fields unique to this module:</p>
<aclass="ansibleOptionLink"href="#return-certificate"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The (current or generated) certificate’s content.</p>
<pclass="ansible-option-line"><spanclass="ansible-option-returned-bold">Returned:</span> changed or success</p>
</div></td>
</tr>
</tbody>
</table>
<sectionid="authors">
<h3>Authors<aclass="headerlink"href="#authors"title="Permalink to this heading"></a></h3>
<ahref="https://github.com/ansible-collections/community.crypto/issues/new?assignees=&labels=&template=bug_report.md"aria-role="button"target="_blank"rel="noopener external">Submit a bug report</a>
<ahref="https://github.com/ansible-collections/community.crypto/issues/new?assignees=&labels=&template=feature_request.md"aria-role="button"target="_blank"rel="noopener external">Request a feature</a>
<ahref="x509_certificate_info_module.html"class="btn btn-neutral float-left"title="community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates"accesskey="p"rel="prev"><spanclass="fa fa-arrow-circle-left"aria-hidden="true"></span> Previous</a>
