
community.crypto.x509_crl_info filter – Retrieve information from X.509 CRLs in PEM format


Note

This filter plugin is part of the community.crypto collection (version 2.10.0).

To install it, use: ansible-galaxy collection install community.crypto. You need further requirements to be able to use this filter plugin, see Requirements for details.

To use it in a playbook, specify: community.crypto.x509_crl_info.

New in community.crypto 2.10.0


Synopsis


Requirements

The requirements below are needed on the local controller node that executes this filter.

  • If name_encoding is set to a value other than ignore, the idna Python library needs to be installed.

Input

This describes the input of the filter, the value before | community.crypto.x509_crl_info.

  • Input (string / required)
    The content of the X.509 CRL in PEM format.

Keyword parameters

This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following example: input | community.crypto.x509_crl_info(key1=value1, key2=value2, ...).

  • list_revoked_certificates (boolean, added in community.crypto 1.7.0)
    If set to false, the list of revoked certificates is not included in the result.
    This is useful when retrieving information on large CRL files. Enumerating all revoked certificates can take some time, including serializing the result as JSON, sending it to the Ansible controller, and decoding it again.
    Choices:
      • false
      • true ← (default)

  • name_encoding (string)
    How to encode names (DNS names, URIs, email addresses) in return values.
    ignore will use the encoding returned by the backend.
    idna will convert all labels of domain names to IDNA encoding. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 encoding fails.
    unicode will convert all labels of domain names to Unicode. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 decoding fails.
    Note that idna and unicode require the idna Python library to be installed.
    Choices:
      • "ignore" ← (default)
      • "idna"
      • "unicode"

See Also

  • community.crypto.x509_crl_info
    Retrieve information on Certificate Revocation Lists (CRLs).

Examples

- name: Show the Organization Name of the CRL's issuer
  ansible.builtin.debug:
    msg: >-
      {{
        (
          lookup('ansible.builtin.file', '/path/to/cert.pem')
          | community.crypto.x509_crl_info
        ).issuer.organizationName
      }}
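An added example, not part of the collection's own documentation: a playbook that uses the filter to reject a CRL that is not yet valid or is stale, and then looks up one serial number in it. The path /path/to/crl.pem and the serial number 1234 are assumed placeholders; the time check relies on ASN.1 TIME strings of the form shown in the samples on this page ("20190413202428Z") sorting chronologically as text.

```yaml
- name: Check CRL freshness and look up a serial number (added example)
  hosts: localhost
  gather_facts: false
  vars:
    crl_path: /path/to/crl.pem        # assumed location of a PEM CRL on the controller
    serial_to_check: 1234             # constructed sample serial number
    asn1_time_fmt: "%Y%m%d%H%M%SZ"    # layout of the last_update / next_update strings
  tasks:
    # The validity window does not need the revoked list, so skip it here;
    # on large CRLs this avoids enumerating every entry.
    - name: Read CRL metadata only
      ansible.builtin.set_fact:
        crl_meta: >-
          {{
            lookup('ansible.builtin.file', crl_path)
            | community.crypto.x509_crl_info(list_revoked_certificates=false)
          }}

    - name: Refuse a CRL outside its validity window
      ansible.builtin.assert:
        that:
          - crl_meta.last_update <= now_asn1
          - crl_meta.next_update > now_asn1
        fail_msg: >-
          CRL from {{ crl_meta.issuer.commonName | default('unknown issuer') }}
          is valid from {{ crl_meta.last_update }} to {{ crl_meta.next_update }},
          current time is {{ now_asn1 }}
      vars:
        now_asn1: "{{ now(utc=true, fmt=asn1_time_fmt) }}"

    # Second pass with the default list_revoked_certificates=true.
    - name: Collect CRL entries matching the serial number
      ansible.builtin.set_fact:
        hits: >-
          {{
            (lookup('ansible.builtin.file', crl_path)
             | community.crypto.x509_crl_info).revoked_certificates
            | selectattr('serial_number', 'equalto', serial_to_check)
            | list
          }}

    # "when" is evaluated before "msg" is templated, so hits[0] is safe here.
    - name: Stop if the certificate is revoked
      ansible.builtin.fail:
        msg: >-
          Serial {{ serial_to_check }} was revoked on
          {{ hits[0].revocation_date }} (reason: {{ hits[0].reason }})
      when: hits | length > 0
```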

Return Value

  • Return value (dictionary)
    Information on the CRL.
    Returned: success

      • digest (string)
        The signature algorithm used to sign the CRL.
        Returned: success
        Sample: "sha256WithRSAEncryption"

      • format (string)
        Whether the CRL is in PEM format (pem) or in DER format (der).
        Returned: success
        Sample: "pem"

      • issuer (dictionary)
        The CRL’s issuer.
        Note that for repeated values, only the last one will be returned.
        See name_encoding for how IDNs are handled.
        Returned: success
        Sample: {"commonName": "ca.example.com", "organizationName": "Ansible"}

      • issuer_ordered (list / elements=list)
        The CRL’s issuer as an ordered list of tuples.
        Returned: success
        Sample: [["organizationName", "Ansible"], [{"commonName": "ca.example.com"}]]

      • last_update (string)
        The point in time from which this CRL can be trusted as ASN.1 TIME.
        Returned: success
        Sample: "20190413202428Z"

      • next_update (string)
        The point in time from which a new CRL will be issued and the client has to check for it as ASN.1 TIME.
        Returned: success
        Sample: "20190413202428Z"

      • revoked_certificates (list / elements=dictionary)
        List of certificates to be revoked.
        Returned: success if list_revoked_certificates=true

          • invalidity_date (string)
            The point in time it was known/suspected that the private key was compromised or that the certificate otherwise became invalid as ASN.1 TIME.
            Returned: success
            Sample: "20190413202428Z"

          • invalidity_date_critical (boolean)
            Whether the invalidity date extension is critical.
            Returned: success
            Sample: false

          • issuer (list / elements=string)
            The certificate’s issuer.
            See name_encoding for how IDNs are handled.
            Returned: success
            Sample: ["DNS:ca.example.org"]

          • issuer_critical (boolean)
            Whether the certificate issuer extension is critical.
            Returned: success
            Sample: false

          • reason (string)
            The value for the revocation reason extension.
            One of unspecified, key_compromise, ca_compromise, affiliation_changed, superseded, cessation_of_operation, certificate_hold, privilege_withdrawn, aa_compromise, and remove_from_crl.
            Returned: success
            Sample: "key_compromise"

          • reason_critical (boolean)
            Whether the revocation reason extension is critical.
            Returned: success
            Sample: false

          • revocation_date (string)
            The point in time the certificate was revoked as ASN.1 TIME.
            Returned: success
            Sample: "20190413202428Z"

          • serial_number (integer)
            Serial number of the certificate.
            Returned: success
            Sample: 1234

Authors

  • Felix Fontein (@felixfontein)

Hint


Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.
