<linkrel="prev"title="community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates"href="x509_certificate_info_module.html"/><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
</head>
<bodyclass="wy-body-for-nav"><!-- extra body elements for Ansible beyond RTD Sphinx Theme -->
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_selfsigned.html">How to create self-signed certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_ownca.html">How to create a small CA</a></li>
</ul>
<ulclass="current">
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_module.html">community.crypto.acme_account module – Create, modify or delete ACME accounts</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_info_module.html">community.crypto.acme_account_info module – Retrieves information on ACME accounts</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_module.html">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code></a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="certificate_complete_chain_module.html">community.crypto.certificate_complete_chain module – Complete certificate chain given a set of untrusted and root certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_csr_info_module.html">community.crypto.openssl_csr_info module – Provide information of OpenSSL Certificate Signing Requests (CSR)</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_info_module.html">community.crypto.openssl_privatekey_info module – Provide information for OpenSSL private keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_pipe_module.html">community.crypto.openssl_privatekey_pipe module – Generate OpenSSL private keys without disk access</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_module.html">community.crypto.openssl_publickey module – Generate an OpenSSL public key from its private key.</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_info_module.html">community.crypto.openssl_publickey_info module – Provide information for OpenSSL public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_module.html">community.crypto.openssl_signature module – Sign data with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_info_module.html">community.crypto.openssl_signature_info module – Verify signatures with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_certificate_info_module.html">community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="gpg_fingerprint_filter.html">community.crypto.gpg_fingerprint filter – Retrieve a GPG fingerprint from a GPG public or private key</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_info_filter.html">community.crypto.openssl_privatekey_info filter – Retrieve information from OpenSSL private keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_info_filter.html">community.crypto.openssl_publickey_info filter – Retrieve information from OpenSSL public keys in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_certificate_info_filter.html">community.crypto.x509_certificate_info filter – Retrieve information from X.509 certificates in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_crl_info_filter.html">community.crypto.x509_crl_info filter – Retrieve information from X.509 CRLs in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="gpg_fingerprint_lookup.html">community.crypto.gpg_fingerprint lookup – Retrieve a GPG fingerprint from a GPG public or private key file</a></li>
<ahref="https://github.com/ansible-collections/community.crypto/edit/main/plugins/modules/x509_certificate_pipe.py?description=%23%23%23%23%23%20SUMMARY%0A%3C!—%20Your%20description%20here%20–%3E%0A%0A%0A%23%23%23%23%23%20ISSUE%20TYPE%0A-%20Docs%20Pull%20Request%0A%0A%2Blabel:%20docsite_pr"class="fa fa-github"> Edit on GitHub</a>
<p>This module is part of the <aclass="reference external"href="https://galaxy.ansible.com/community/crypto">community.crypto collection</a> (version 2.16.0).</p>
You need further requirements to be able to use this module,
see <aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-requirements"><spanclass="std std-ref">Requirements</span></a> for details.</p>
<p>To use it in a playbook, specify: <codeclass="code docutils literal notranslate"><spanclass="pre">community.crypto.x509_certificate_pipe</span></code>.</p>
</div>
<pclass="ansible-version-added">New in community.crypto 1.3.0</p>
<li><p>It implements a notion of provider (one of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code>, <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code>, <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code>) for your certificate.</p></li>
<li><p>The <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider is intended for generating an OpenSSL certificate signed with your own CA (Certificate Authority) certificate (self-signed certificate).</p></li>
<spanid="ansible-collections-community-crypto-x509-certificate-pipe-module-requirements"></span><h2><aclass="toc-backref"href="#id2"role="doc-backlink">Requirements</a><aclass="headerlink"href="#requirements"title="Link to this heading"></a></h2>
<aclass="ansibleOptionLink"href="#parameter-content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-csr_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the Certificate Signing Request (CSR) used to generate this certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-csr_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the Certificate Signing Request (CSR) used to generate this certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_client_cert_key_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the private key of the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_client_cert_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_key"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The key (password) for authentication to the Entrust Certificate Services (ECS) API.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_specification_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The path to the specification file defining the Entrust Certificate Services (ECS) API configuration.</p>
<p>You can use this to keep a local copy of the specification to avoid downloading it every time the module is used.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_api_user"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The username for authentication to the Entrust Certificate Services (ECS) API.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_cert_type"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Specify the type of certificate requested.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time at which the certificate stops being valid.</p>
<p>Time can be specified either as relative time or as an absolute timestamp.</p>
<p>A valid absolute time format is <codeclass="docutils literal notranslate"><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> such as <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">2019-06-18</span></code>.</p>
<p>A valid relative time format is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">[+-]timespec</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code>, such as <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+365d</span></code> or <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>Note that only the date (day, month, year) is supported for specifying the expiry date of the issued certificate.</p>
<p>The full date-time is adjusted to EST (GMT -5:00) before issuance, which may result in a certificate with an expiration date one day earlier than expected if a relative time is used.</p>
<p>The minimum certificate lifetime is 90 days, and maximum is three years.</p>
<p>If this value is not specified, the certificate will stop being valid 365 days the date of issue.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">entrust</span></code> provider.</p>
<p>Please note that this value is <strong>not</strong> covered by the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option.</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_email"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The email of the requester of the certificate (for tracking purposes).</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_name"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The name of the requester of the certificate (for tracking purposes).</p>
<aclass="ansibleOptionLink"href="#parameter-entrust_requester_phone"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The phone number of the requester of the certificate (for tracking purposes).</p>
<aclass="ansibleOptionLink"href="#parameter-force"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Generate the certificate, even if it already exists.</p>
<aclass="ansibleOptionLink"href="#parameter-ignore_timestamps"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
<p><spanclass="ansible-option-versionadded">added in community.crypto 2.0.0</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether the “not before” and “not after” timestamps should be ignored for idempotency checks.</p>
<p>It is better to keep the default value <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">true</span></code> when using relative timestamps (like <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+0s</span></code> for now).</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the CA (Certificate Authority) certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_create_authority_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Create a Authority Key Identifier from the CA’s certificate. If the CSR provided a authority key identifier, it is ignored.</p>
<p>The Authority Key Identifier is generated from the CA certificate’s Subject Key Identifier, if available. If it is not available, the CA certificate’s public key will be used.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_create_subject_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether to create the Subject Key Identifier (SKI) from the public key.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">create_if_not_provided</span></code> (default) only creates a SKI when the CSR does not provide one.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">always_create</span></code> always creates a SKI. If the CSR provides one, that one is ignored.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">never_create</span></code> never creates a SKI. If the CSR provides one, that one is used.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_digest"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<td><divclass="ansible-option-cell"><p>The digest algorithm to be used for the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> certificate.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time at which the certificate stops being valid.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<p>On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see <aclass="reference external"href="https://support.apple.com/en-us/HT210176">https://support.apple.com/en-us/HT210176</a> for more details.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_not_before"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The point in time the certificate is valid from.</p>
<p>Time can be specified either as relative time or as absolute timestamp.</p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Remote absolute path of the CA (Certificate Authority) certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the CA (Certificate Authority) private key to use when signing the certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_passphrase"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-ownca_privatekey_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the CA (Certificate Authority) private key to use when signing the certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-ownca_version"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
<td><divclass="ansible-option-cell"><p>The version of the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> certificate.</p>
<p>Nowadays it should almost always be <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">3</span></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_passphrase"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#parameter-privatekey_path"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Path to the private key to use when signing the certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-provider"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span> / <spanclass="ansible-option-required">required</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Name of the provider to use to generate/retrieve the OpenSSL certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-select_crypto_backend"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Determines which crypto backend to use.</p>
<p>The default choice is <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">auto</span></code>, which tries to use <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> if available.</p>
<p>If set to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">cryptography</span></code>, will try to use the <aclass="reference external"href="https://cryptography.io/">cryptography</a> library.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_create_subject_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether to create the Subject Key Identifier (SKI) from the public key.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">create_if_not_provided</span></code> (default) only creates a SKI when the CSR does not provide one.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">always_create</span></code> always creates a SKI. If the CSR provides one, that one is ignored.</p>
<p>A value of <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">never_create</span></code> never creates a SKI. If the CSR provides one, that one is used.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_digest"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Digest algorithm to be used when self-signing the certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_not_after"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: selfsigned_notAfter</span></p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<p>On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see <aclass="reference external"href="https://support.apple.com/en-us/HT210176">https://support.apple.com/en-us/HT210176</a> for more details.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_not_before"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: selfsigned_notBefore</span></p>
<p>Valid format is <codeclass="docutils literal notranslate"><spanclass="pre">[+-]timespec</span><spanclass="pre">|</span><spanclass="pre">ASN.1</span><spanclass="pre">TIME</span></code> where timespec can be an integer + <codeclass="docutils literal notranslate"><spanclass="pre">[w</span><spanclass="pre">|</span><spanclass="pre">d</span><spanclass="pre">|</span><spanclass="pre">h</span><spanclass="pre">|</span><spanclass="pre">m</span><spanclass="pre">|</span><spanclass="pre">s]</span></code> (for example <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">+32w1d2h</span></code>).</p>
<p>Note that this value is <strong>not used to determine whether an existing certificate should be regenerated</strong>. This can be changed by setting the <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps</span></span></a></strong></code> option to <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">false</span></code>. Please note that you should avoid relative timestamps when setting <codeclass="ansible-option-value docutils literal notranslate"><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-ignore-timestamps"><spanclass="std std-ref"><spanclass="pre">ignore_timestamps=false</span></span></a></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<aclass="ansibleOptionLink"href="#parameter-selfsigned_version"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
<td><divclass="ansible-option-cell"><p>Version of the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> certificate.</p>
<p>Nowadays it should almost always be <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">3</span></code>.</p>
<p>This is only used by the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider.</p>
<td><divclass="ansible-option-cell"><p>Can run in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code> and return changed status prediction without modifying target.</p>
<td><divclass="ansible-option-cell"><p>Will return details on what has changed (or possibly needs changing in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code>), when in diff mode.</p>
<li><p>For security reason, when you use <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">ownca</span></code> provider, you should NOT run <aclass="reference internal"href="x509_certificate_module.html#ansible-collections-community-crypto-x509-certificate-module"><spanclass="std std-ref">community.crypto.x509_certificate</span></a> on a target machine, but on a dedicated CA machine. It is recommended not to store the CA private key on the target machine. Once signed, the certificate can be moved to the target machine.</p></li>
<li><p>For the <codeclass="ansible-value docutils literal notranslate"><spanclass="pre">selfsigned</span></code> provider, <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-csr-path"><spanclass="std std-ref"><spanclass="pre">csr_path</span></span></a></strong></code> and <codeclass="ansible-option docutils literal notranslate"><strong><aclass="reference internal"href="#ansible-collections-community-crypto-x509-certificate-pipe-module-parameter-csr-content"><spanclass="std std-ref"><spanclass="pre">csr_content</span></span></a></strong></code> are optional. If not provided, a certificate without any information (Subject, Subject Alternative Names, Key Usage, etc.) is created.</p></li>
<dt><aclass="reference internal"href="openssl_privatekey_pipe_module.html#ansible-collections-community-crypto-openssl-privatekey-pipe-module"><spanclass="std std-ref">community.crypto.openssl_privatekey_pipe</span></a></dt><dd><p>Generate OpenSSL private keys without disk access.</p>
<dt><aclass="reference internal"href="openssl_publickey_module.html#ansible-collections-community-crypto-openssl-publickey-module"><spanclass="std std-ref">community.crypto.openssl_publickey</span></a></dt><dd><p>Generate an OpenSSL public key from its private key.</p>
<divclass="highlight-yaml+jinja notranslate"><divclass="highlight"><pre><span></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Generate a Self Signed OpenSSL certificate</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">(1/2) Generate an OpenSSL Certificate with the CSR provided inline</span>
<spanclass="w"></span><spanclass="nt">when</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">result is changed</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">(2/3) Generate an OpenSSL Certificate with the CSR provided inline</span>
<spanclass="w"></span><spanclass="nt">when</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">result is changed</span>
<h2><aclass="toc-backref"href="#id8"role="doc-backlink">Return Values</a><aclass="headerlink"href="#return-values"title="Link to this heading"></a></h2>
<p>Common return values are documented <aclass="reference external"href="https://docs.ansible.com/ansible/devel/reference_appendices/common_return_values.html#common-return-values"title="(in Ansible vdevel)"><spanclass="xref std std-ref">here</span></a>, the following are the fields unique to this module:</p>
<aclass="ansibleOptionLink"href="#return-certificate"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The (current or generated) certificate’s content.</p>
<pclass="ansible-option-line"><spanclass="ansible-option-returned-bold">Returned:</span> changed or success</p>
<ahref="https://github.com/ansible-collections/community.crypto/issues/new?assignees=&labels=&template=bug_report.md"aria-role="button"target="_blank"rel="noopener external">Submit a bug report</a>
<ahref="https://github.com/ansible-collections/community.crypto/issues/new?assignees=&labels=&template=feature_request.md"aria-role="button"target="_blank"rel="noopener external">Request a feature</a>
<ahref="x509_certificate_info_module.html"class="btn btn-neutral float-left"title="community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates"accesskey="p"rel="prev"><spanclass="fa fa-arrow-circle-left"aria-hidden="true"></span> Previous</a>
