|
|
@ -76,145 +76,178 @@ options:
|
|
|
|
selfsigned_version:
|
|
|
|
selfsigned_version:
|
|
|
|
default: 3
|
|
|
|
default: 3
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Version of the C(selfsigned) certificate. Nowadays it should almost always be C(3).
|
|
|
|
- Version of the C(selfsigned) certificate.
|
|
|
|
|
|
|
|
- Nowadays it should almost always be C(3).
|
|
|
|
|
|
|
|
- This is only used by the C(selfsigned) provider.
|
|
|
|
version_added: "2.5"
|
|
|
|
version_added: "2.5"
|
|
|
|
|
|
|
|
|
|
|
|
selfsigned_digest:
|
|
|
|
selfsigned_digest:
|
|
|
|
default: "sha256"
|
|
|
|
default: "sha256"
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Digest algorithm to be used when self-signing the certificate
|
|
|
|
- Digest algorithm to be used when self-signing the certificate
|
|
|
|
|
|
|
|
- This is only used by the C(selfsigned) provider.
|
|
|
|
|
|
|
|
|
|
|
|
selfsigned_not_before:
|
|
|
|
selfsigned_not_before:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
- The timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
If this value is not specified, certificate will start being valid from now.
|
|
|
|
If this value is not specified, certificate will start being valid from now.
|
|
|
|
|
|
|
|
- This is only used by the C(selfsigned) provider.
|
|
|
|
aliases: [ selfsigned_notBefore ]
|
|
|
|
aliases: [ selfsigned_notBefore ]
|
|
|
|
|
|
|
|
|
|
|
|
selfsigned_not_after:
|
|
|
|
selfsigned_not_after:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
- The timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
If this value is not specified, certificate will stop being valid 10 years from now.
|
|
|
|
If this value is not specified, certificate will stop being valid 10 years from now.
|
|
|
|
|
|
|
|
- This is only used by the C(selfsigned) provider.
|
|
|
|
aliases: [ selfsigned_notAfter ]
|
|
|
|
aliases: [ selfsigned_notAfter ]
|
|
|
|
|
|
|
|
|
|
|
|
ownca_path:
|
|
|
|
ownca_path:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Remote absolute path of the CA (Certificate Authority) certificate.
|
|
|
|
- Remote absolute path of the CA (Certificate Authority) certificate.
|
|
|
|
|
|
|
|
- This is only used by the C(ownca) provider.
|
|
|
|
version_added: "2.7"
|
|
|
|
version_added: "2.7"
|
|
|
|
|
|
|
|
|
|
|
|
ownca_privatekey_path:
|
|
|
|
ownca_privatekey_path:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Path to the CA (Certificate Authority) private key to use when signing the certificate.
|
|
|
|
- Path to the CA (Certificate Authority) private key to use when signing the certificate.
|
|
|
|
|
|
|
|
- This is only used by the C(ownca) provider.
|
|
|
|
version_added: "2.7"
|
|
|
|
version_added: "2.7"
|
|
|
|
|
|
|
|
|
|
|
|
ownca_privatekey_passphrase:
|
|
|
|
ownca_privatekey_passphrase:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The passphrase for the I(ownca_privatekey_path).
|
|
|
|
- The passphrase for the I(ownca_privatekey_path).
|
|
|
|
|
|
|
|
- This is only used by the C(ownca) provider.
|
|
|
|
version_added: "2.7"
|
|
|
|
version_added: "2.7"
|
|
|
|
|
|
|
|
|
|
|
|
ownca_digest:
|
|
|
|
ownca_digest:
|
|
|
|
default: "sha256"
|
|
|
|
default: "sha256"
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Digest algorithm to be used for the C(ownca) certificate.
|
|
|
|
- Digest algorithm to be used for the C(ownca) certificate.
|
|
|
|
|
|
|
|
- This is only used by the C(ownca) provider.
|
|
|
|
version_added: "2.7"
|
|
|
|
version_added: "2.7"
|
|
|
|
|
|
|
|
|
|
|
|
ownca_version:
|
|
|
|
ownca_version:
|
|
|
|
default: 3
|
|
|
|
default: 3
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Version of the C(ownca) certificate. Nowadays it should almost always be C(3).
|
|
|
|
- Version of the C(ownca) certificate.
|
|
|
|
|
|
|
|
- Nowadays it should almost always be C(3).
|
|
|
|
|
|
|
|
- This is only used by the C(ownca) provider.
|
|
|
|
version_added: "2.7"
|
|
|
|
version_added: "2.7"
|
|
|
|
|
|
|
|
|
|
|
|
ownca_not_before:
|
|
|
|
ownca_not_before:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
- The timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
If this value is not specified, certificate will start being valid from now.
|
|
|
|
If this value is not specified, certificate will start being valid from now.
|
|
|
|
|
|
|
|
- This is only used by the C(ownca) provider.
|
|
|
|
version_added: "2.7"
|
|
|
|
version_added: "2.7"
|
|
|
|
|
|
|
|
|
|
|
|
ownca_not_after:
|
|
|
|
ownca_not_after:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
- The timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
If this value is not specified, certificate will stop being valid 10 years from now.
|
|
|
|
If this value is not specified, certificate will stop being valid 10 years from now.
|
|
|
|
|
|
|
|
- This is only used by the C(ownca) provider.
|
|
|
|
version_added: "2.7"
|
|
|
|
version_added: "2.7"
|
|
|
|
|
|
|
|
|
|
|
|
acme_accountkey_path:
|
|
|
|
acme_accountkey_path:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Path to the accountkey for the C(acme) provider
|
|
|
|
- Path to the accountkey for the C(acme) provider
|
|
|
|
|
|
|
|
- This is only used by the C(acme) provider.
|
|
|
|
|
|
|
|
|
|
|
|
acme_challenge_path:
|
|
|
|
acme_challenge_path:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Path to the ACME challenge directory that is served on U(http://<HOST>:80/.well-known/acme-challenge/)
|
|
|
|
- Path to the ACME challenge directory that is served on U(http://<HOST>:80/.well-known/acme-challenge/)
|
|
|
|
|
|
|
|
- This is only used by the C(acme) provider.
|
|
|
|
|
|
|
|
|
|
|
|
acme_chain:
|
|
|
|
acme_chain:
|
|
|
|
default: True
|
|
|
|
default: True
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Include the intermediate certificate to the generated certificate
|
|
|
|
- Include the intermediate certificate to the generated certificate
|
|
|
|
|
|
|
|
- This is only used by the C(acme) provider.
|
|
|
|
version_added: "2.5"
|
|
|
|
version_added: "2.5"
|
|
|
|
|
|
|
|
|
|
|
|
signature_algorithms:
|
|
|
|
signature_algorithms:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- list of algorithms that you would accept the certificate to be signed with
|
|
|
|
- list of algorithms that you would accept the certificate to be signed with
|
|
|
|
(e.g. ['sha256WithRSAEncryption', 'sha512WithRSAEncryption']).
|
|
|
|
(e.g. ['sha256WithRSAEncryption', 'sha512WithRSAEncryption']).
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
|
|
|
|
|
|
|
|
issuer:
|
|
|
|
issuer:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Key/value pairs that must be present in the issuer name field of the certificate.
|
|
|
|
- Key/value pairs that must be present in the issuer name field of the certificate.
|
|
|
|
If you need to specify more than one value with the same key, use a list as value.
|
|
|
|
- If you need to specify more than one value with the same key, use a list as value.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
|
|
|
|
|
|
|
|
issuer_strict:
|
|
|
|
issuer_strict:
|
|
|
|
default: False
|
|
|
|
default: False
|
|
|
|
type: bool
|
|
|
|
type: bool
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- If set to True, the I(issuer) field must contain only these values.
|
|
|
|
- If set to True, the I(issuer) field must contain only these values.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
version_added: "2.5"
|
|
|
|
version_added: "2.5"
|
|
|
|
|
|
|
|
|
|
|
|
subject:
|
|
|
|
subject:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Key/value pairs that must be present in the subject name field of the certificate.
|
|
|
|
- Key/value pairs that must be present in the subject name field of the certificate.
|
|
|
|
If you need to specify more than one value with the same key, use a list as value.
|
|
|
|
If you need to specify more than one value with the same key, use a list as value.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
|
|
|
|
|
|
|
|
subject_strict:
|
|
|
|
subject_strict:
|
|
|
|
default: False
|
|
|
|
default: False
|
|
|
|
type: bool
|
|
|
|
type: bool
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- If set to True, the I(subject) field must contain only these values.
|
|
|
|
- If set to True, the I(subject) field must contain only these values.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
version_added: "2.5"
|
|
|
|
version_added: "2.5"
|
|
|
|
|
|
|
|
|
|
|
|
has_expired:
|
|
|
|
has_expired:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Checks if the certificate is expired/not expired at the time the module is executed. This only applies to
|
|
|
|
- Checks if the certificate is expired/not expired at the time the module is executed.
|
|
|
|
the C(assertonly) provider.
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
type: bool
|
|
|
|
type: bool
|
|
|
|
default: no
|
|
|
|
default: no
|
|
|
|
|
|
|
|
|
|
|
|
version:
|
|
|
|
version:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Version of the certificate. Nowadays it should almost always be 3.
|
|
|
|
- The version of the certificate.
|
|
|
|
|
|
|
|
- Nowadays it should almost always be 3.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
|
|
|
|
|
|
|
|
valid_at:
|
|
|
|
valid_at:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The certificate must be valid at this point in time. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
- The certificate must be valid at this point in time.
|
|
|
|
|
|
|
|
- The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
|
|
|
|
|
|
|
|
invalid_at:
|
|
|
|
invalid_at:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The certificate must be invalid at this point in time. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
- The certificate must be invalid at this point in time.
|
|
|
|
|
|
|
|
- The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
|
|
|
|
|
|
|
|
not_before:
|
|
|
|
not_before:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The certificate must start to become valid at this point in time. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
- The certificate must start to become valid at this point in time.
|
|
|
|
|
|
|
|
- The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
aliases: [ notBefore ]
|
|
|
|
aliases: [ notBefore ]
|
|
|
|
|
|
|
|
|
|
|
|
not_after:
|
|
|
|
not_after:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The certificate must expire at this point in time. The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
- The certificate must expire at this point in time.
|
|
|
|
|
|
|
|
- The timestamp is formatted as an ASN.1 TIME.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
aliases: [ notAfter ]
|
|
|
|
aliases: [ notAfter ]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
valid_in:
|
|
|
|
valid_in:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The certificate must still be valid in I(valid_in) seconds from now.
|
|
|
|
- The certificate must still be valid in I(valid_in) seconds from now.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
|
|
|
|
|
|
|
|
key_usage:
|
|
|
|
key_usage:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The I(key_usage) extension field must contain all these values.
|
|
|
|
- The I(key_usage) extension field must contain all these values.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
aliases: [ keyUsage ]
|
|
|
|
aliases: [ keyUsage ]
|
|
|
|
|
|
|
|
|
|
|
|
key_usage_strict:
|
|
|
|
key_usage_strict:
|
|
|
@ -222,11 +255,13 @@ options:
|
|
|
|
type: bool
|
|
|
|
type: bool
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- If set to True, the I(key_usage) extension field must contain only these values.
|
|
|
|
- If set to True, the I(key_usage) extension field must contain only these values.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
aliases: [ keyUsage_strict ]
|
|
|
|
aliases: [ keyUsage_strict ]
|
|
|
|
|
|
|
|
|
|
|
|
extended_key_usage:
|
|
|
|
extended_key_usage:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The I(extended_key_usage) extension field must contain all these values.
|
|
|
|
- The I(extended_key_usage) extension field must contain all these values.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
aliases: [ extendedKeyUsage ]
|
|
|
|
aliases: [ extendedKeyUsage ]
|
|
|
|
|
|
|
|
|
|
|
|
extended_key_usage_strict:
|
|
|
|
extended_key_usage_strict:
|
|
|
@ -234,11 +269,13 @@ options:
|
|
|
|
type: bool
|
|
|
|
type: bool
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- If set to True, the I(extended_key_usage) extension field must contain only these values.
|
|
|
|
- If set to True, the I(extended_key_usage) extension field must contain only these values.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
aliases: [ extendedKeyUsage_strict ]
|
|
|
|
aliases: [ extendedKeyUsage_strict ]
|
|
|
|
|
|
|
|
|
|
|
|
subject_alt_name:
|
|
|
|
subject_alt_name:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The I(subject_alt_name) extension field must contain these values.
|
|
|
|
- The I(subject_alt_name) extension field must contain these values.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
aliases: [ subjectAltName ]
|
|
|
|
aliases: [ subjectAltName ]
|
|
|
|
|
|
|
|
|
|
|
|
subject_alt_name_strict:
|
|
|
|
subject_alt_name_strict:
|
|
|
@ -246,6 +283,7 @@ options:
|
|
|
|
type: bool
|
|
|
|
type: bool
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- If set to True, the I(subject_alt_name) extension field must contain only these values.
|
|
|
|
- If set to True, the I(subject_alt_name) extension field must contain only these values.
|
|
|
|
|
|
|
|
- This is only used by the C(assertonly) provider.
|
|
|
|
aliases: [ subjectAltName_strict ]
|
|
|
|
aliases: [ subjectAltName_strict ]
|
|
|
|
extends_documentation_fragment: files
|
|
|
|
extends_documentation_fragment: files
|
|
|
|
notes:
|
|
|
|
notes:
|
|
|
@ -995,6 +1033,8 @@ def main():
|
|
|
|
# General properties of a certificate
|
|
|
|
# General properties of a certificate
|
|
|
|
privatekey_path=dict(type='path'),
|
|
|
|
privatekey_path=dict(type='path'),
|
|
|
|
privatekey_passphrase=dict(type='str', no_log=True),
|
|
|
|
privatekey_passphrase=dict(type='str', no_log=True),
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# provider: assertonly
|
|
|
|
signature_algorithms=dict(type='list'),
|
|
|
|
signature_algorithms=dict(type='list'),
|
|
|
|
subject=dict(type='dict'),
|
|
|
|
subject=dict(type='dict'),
|
|
|
|
subject_strict=dict(type='bool', default=False),
|
|
|
|
subject_strict=dict(type='bool', default=False),
|
|
|
|