### Install community.crypto collection via CLI Source: https://github.com/ansible-collections/community.crypto/blob/main/README.md Uses the ansible-galaxy command-line tool to download and install the community.crypto collection from the Ansible Galaxy repository. ```bash ansible-galaxy collection install community.crypto ``` -------------------------------- ### Define community.crypto in requirements.yml Source: https://github.com/ansible-collections/community.crypto/blob/main/README.md Configures the community.crypto collection as a dependency within an Ansible requirements.yml file for automated installation. ```yaml collections: - name: community.crypto ``` -------------------------------- ### Create LUKS Container using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This Ansible task creates a LUKS (Linux Unified Key Setup) encrypted container on a specified device. It sets the device path, desired state to 'present', provides a passphrase, and specifies the LUKS version as 'luks2'. ```yaml --- # Create a LUKS container on a device - name: Create LUKS container on /dev/sdb1 community.crypto.luks_device: device: /dev/sdb1 state: present passphrase: "{{ luks_passphrase }}" type: luks2 ``` -------------------------------- ### Get certificate expiration date using x509_certificate_info filter Source: https://context7.com/ansible-collections/community.crypto/llms.txt Retrieves detailed information about an X.509 certificate, including its expiration date. This filter parses the certificate content and makes various fields, such as `not_after`, accessible. It requires the certificate content as input. ```yaml --- # Get certificate info using filter - name: Get certificate expiration using filter vars: cert_content: "{{ lookup('ansible.builtin.file', '/etc/ssl/crt/ansible.com.crt') }}" cert_info: "{{ cert_content | community.crypto.x509_certificate_info }}" ansible.builtin.debug: msg: "Certificate expires: {{ cert_info.not_after }}" ``` -------------------------------- ### Split PEM bundle into individual certificates using split_pem filter Source: https://context7.com/ansible-collections/community.crypto/llms.txt Splits a PEM-encoded certificate bundle into individual certificates. This filter is useful for processing CA bundles or multi-certificate PEM files. The output can then be iterated over, for example, to extract information from each certificate using the `x509_certificate_info` filter. ```yaml --- # Split a PEM bundle into individual certificates - name: Process CA bundle certificates ansible.builtin.debug: msg: "Certificate {{ idx }}: {{ item | community.crypto.x509_certificate_info | json_query('subject.commonName') }}" loop: "{{ lookup('ansible.builtin.file', '/etc/ssl/ca-bundle.pem') | community.crypto.split_pem }}" loop_control: index_var: idx ``` -------------------------------- ### Generate Self-Signed Certificates Source: https://github.com/ansible-collections/community.crypto/blob/main/docs/docsite/rst/guide_selfsigned.rst Shows how to create a basic self-signed certificate using an existing private key and the community.crypto.x509_certificate module. ```yaml - name: Create simple self-signed certificate community.crypto.x509_certificate: path: /path/to/certificate.pem privatekey_path: /path/to/certificate.key provider: selfsigned ``` -------------------------------- ### Generate Private Keys with Ansible Source: https://github.com/ansible-collections/community.crypto/blob/main/docs/docsite/rst/guide_selfsigned.rst Demonstrates how to create RSA and X25519 private keys using the community.crypto.openssl_privatekey module. Supports optional password protection and custom key sizes. ```yaml - name: Create private key (RSA, 4096 bits) community.crypto.openssl_privatekey: path: /path/to/certificate.key - name: Create private key (X25519) with password protection community.crypto.openssl_privatekey: path: /path/to/certificate.key type: X25519 passphrase: changeme ``` -------------------------------- ### Generate Encrypted Data with OpenSSL Source: https://github.com/ansible-collections/community.crypto/blob/main/tests/integration/targets/luks_device/files/keyfile3.txt This snippet demonstrates how to generate 4096 bytes of zero-filled data and encrypt it using OpenSSL with AES-256-CTR and a password. It's a common pattern for creating encrypted test data or initial cipher states. ```shell dd if=/dev/zero of=/dev/stdout bs=1 count=4096 | openssl enc -aes-256-ctr -pass pass:1234 -nosalt ``` -------------------------------- ### Generate Advanced Certificates via CSR Source: https://github.com/ansible-collections/community.crypto/blob/main/docs/docsite/rst/guide_selfsigned.rst Demonstrates creating a certificate with specific metadata like subject and SANs by first generating a CSR using openssl_csr_pipe and then signing it with x509_certificate. ```yaml - name: Create certificate signing request (CSR) for self-signed certificate community.crypto.openssl_csr_pipe: privatekey_path: /path/to/certificate.key common_name: ansible.com organization_name: Ansible, Inc. subject_alt_name: - "DNS:ansible.com" - "DNS:www.ansible.com" - "DNS:docs.ansible.com" register: csr - name: Create self-signed certificate from CSR community.crypto.x509_certificate: path: /path/to/certificate.pem csr_content: "{{ csr.csr }}" privatekey_path: /path/to/certificate.key provider: selfsigned ``` -------------------------------- ### Write Certificate File with Copy Module (Ansible) Source: https://github.com/ansible-collections/community.crypto/blob/main/docs/docsite/rst/guide_ownca.rst This Ansible task uses the 'copy' module to write the signed certificate content to a file on a target server. It's conditional on the certificate being changed. Dependencies include the Ansible core. Inputs are the destination path and the certificate content. Output is the certificate file. ```ansible - name: Write certificate file on server_1 copy: dest: /path/to/certificate.pem content: "{{ certificate.certificate }}" delegate_to: server_1 run_once: true when: certificate is changed ``` -------------------------------- ### Read Certificate Content with Slurp Module (Ansible) Source: https://github.com/ansible-collections/community.crypto/blob/main/docs/docsite/rst/guide_ownca.rst This Ansible task uses the 'slurp' module to read the content of a certificate file. It's typically used after checking for the file's existence. Dependencies include the Ansible core. Input is the file path. Output is the file content. ```ansible - name: Read existing certificate if exists slurp: src: /path/to/certificate.pem when: certificate_exists.stat.exists delegate_to: server_1 run_once: true register: certificate ``` -------------------------------- ### Sign Certificate with Community.crypto x509_certificate_pipe (Ansible) Source: https://github.com/ansible-collections/community.crypto/blob/main/docs/docsite/rst/guide_ownca.rst This Ansible task signs a certificate using the community.crypto.x509_certificate_pipe module. It handles reading an existing certificate or generating a new one based on a CSR, and signs it with a specified CA. Dependencies include the community.crypto collection. Inputs are certificate content, CSR content, CA details, and validity periods. Outputs are the signed certificate. ```ansible - name: Sign certificate with our CA community.crypto.x509_certificate_pipe: content: "{{ (certificate.content | b64decode) if certificate_exists.stat.exists else omit }}" csr_content: "{{ csr.csr }}" provider: ownca ownca_path: /path/to/ca-certificate.pem ownca_privatekey_path: /path/to/ca-certificate.key ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}" ownca_not_after: "+365d" ownca_not_before: "-1d" delegate_to: server_2 run_once: true register: certificate ``` -------------------------------- ### Check Certificate Existence with Stat Module (Ansible) Source: https://github.com/ansible-collections/community.crypto/blob/main/docs/docsite/rst/guide_ownca.rst This Ansible task uses the 'stat' module to check if a certificate file exists at a specified path. It's useful for conditional operations. Dependencies include the Ansible core. Input is the file path. Output is a variable indicating whether the file exists. ```ansible - name: Check whether certificate exists stat: path: /path/to/certificate.pem delegate_to: server_1 run_once: true register: certificate_exists ``` -------------------------------- ### Idempotent Certificate Signing with Own CA (YAML) Source: https://github.com/ansible-collections/community.crypto/blob/main/docs/docsite/rst/guide_ownca.rst Provides an idempotent way to sign a certificate using an existing CA. It checks for an existing certificate and only re-signs if necessary, ensuring the task runs without unintended changes. ```yaml - name: Create private key for new certificate on server_1 community.crypto.openssl_privatekey: path: /path/to/certificate.key delegate_to: server_1 run_once: true - name: Create certificate signing request (CSR) for new certificate community.crypto.openssl_csr_pipe: privatekey_path: /path/to/certificate.key subject_alt_name: - "DNS:ansible.com" - "DNS:www.ansible.com" - "DNS:docs.ansible.com" delegate_to: server_1 run_once: true ``` -------------------------------- ### Display Certificate Details using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This snippet demonstrates how to display detailed information about an X.509 certificate using Ansible's debug module and the community.crypto.x509_certificate_info lookup plugin. It requires the certificate information to be registered in a variable. ```yaml - name: Dump certificate information ansible.builtin.debug: msg: | Subject: {{ cert_info.subject }} Issuer: {{ cert_info.issuer }} Not Before: {{ cert_info.not_before }} Not After: {{ cert_info.not_after }} Serial Number: {{ cert_info.serial_number }} Expired: {{ cert_info.expired }} ``` -------------------------------- ### Generate PKCS#12 file with certificate and private key using openssl_pkcs12 Source: https://context7.com/ansible-collections/community.crypto/llms.txt Generates a PKCS#12 file containing a certificate and private key. It requires the paths to the certificate, private key, and the desired output path for the PKCS#12 file. The passphrase is used to protect the generated file. ```yaml - name: Generate PKCS#12 file community.crypto.openssl_pkcs12: action: export path: /etc/ssl/ansible.com.p12 friendly_name: ansible_cert privatekey_path: /etc/ssl/private/ansible.com.pem certificate_path: /etc/ssl/crt/ansible.com.crt passphrase: "{{ p12_passphrase }}" state: present ``` -------------------------------- ### Generate PKCS#12 with full certificate chain using openssl_pkcs12 Source: https://context7.com/ansible-collections/community.crypto/llms.txt Creates a PKCS#12 file that includes a full certificate chain, meaning it contains the end-entity certificate, intermediate CA certificates, and the root CA certificate. This is useful for ensuring proper trust verification. It requires the paths to the primary certificate, private key, and a list of other certificates in the chain. ```yaml - name: Generate PKCS#12 with certificate chain community.crypto.openssl_pkcs12: action: export path: /etc/ssl/ansible.com.p12 friendly_name: ansible_cert privatekey_path: /etc/ssl/private/ansible.com.pem certificate_path: /etc/ssl/crt/ansible.com.crt other_certificates: - /etc/ssl/crt/intermediate_ca.crt - /etc/ssl/crt/root_ca.crt passphrase: "{{ p12_passphrase }}" state: present ``` -------------------------------- ### Open LUKS Container using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This task opens (unlocks) an existing LUKS encrypted container. It requires the device path, the state set to 'opened', a name for the opened volume, and the correct passphrase. ```yaml # Open (unlock) a LUKS container - name: Open LUKS container community.crypto.luks_device: device: /dev/sdb1 state: opened name: secure_volume passphrase: "{{ luks_passphrase }}" ``` -------------------------------- ### Create CA Private Key and Certificate (YAML) Source: https://github.com/ansible-collections/community.crypto/blob/main/docs/docsite/rst/guide_ownca.rst Generates a password-protected private key for a CA and then creates a self-signed CA certificate from a CSR. This sets up the foundation for your own Certificate Authority. ```yaml - name: Create private key with password protection community.crypto.openssl_privatekey: path: /path/to/ca-certificate.key passphrase: "{{ secret_ca_passphrase }}" - name: Create certificate signing request (CSR) for CA certificate community.crypto.openssl_csr_pipe: privatekey_path: /path/to/ca-certificate.key privatekey_passphrase: "{{ secret_ca_passphrase }}" common_name: Ansible CA use_common_name_for_san: false basic_constraints: - 'CA:TRUE' basic_constraints_critical: true key_usage: - keyCertSign key_usage_critical: true register: ca_csr - name: Create self-signed CA certificate from CSR community.crypto.x509_certificate: path: /path/to/ca-certificate.pem csr_content: "{{ ca_csr.csr }}" privatekey_path: /path/to/ca-certificate.key privatekey_passphrase: "{{ secret_ca_passphrase }}" provider: selfsigned ``` -------------------------------- ### Verify CSR Matches Private Key using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This task verifies that a CSR's public key matches the corresponding private key. It first retrieves information for both the CSR and the private key using their respective modules and then uses an assertion to compare their public keys. ```yaml # Verify CSR matches private key - name: Get private key information community.crypto.openssl_privatekey_info: path: /etc/ssl/private/ansible.com.pem register: key_info - name: Assert CSR uses correct private key ansible.builtin.assert: that: - csr_info.public_key == key_info.public_key fail_msg: "CSR public key does not match private key!" ``` -------------------------------- ### Sign Certificate with Own CA (YAML) Source: https://github.com/ansible-collections/community.crypto/blob/main/docs/docsite/rst/guide_ownca.rst Signs a new certificate using an existing CA. This process involves creating a private key and CSR for the new certificate, then using the CA's details to sign it. The resulting certificate is then copied to the target server. ```yaml - name: Create private key for new certificate on server_1 community.crypto.openssl_privatekey: path: /path/to/certificate.key delegate_to: server_1 run_once: true - name: Create certificate signing request (CSR) for new certificate community.crypto.openssl_csr_pipe: privatekey_path: /path/to/certificate.key subject_alt_name: - "DNS:ansible.com" - "DNS:www.ansible.com" - "DNS:docs.ansible.com" delegate_to: server_1 run_once: true register: csr - name: Sign certificate with our CA community.crypto.x509_certificate_pipe: csr_content: "{{ csr.csr }}" provider: ownca ownca_path: /path/to/ca-certificate.pem ownca_privatekey_path: /path/to/ca-certificate.key ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}" ownca_not_after: "+365d" ownca_not_before: "-1d" delegate_to: server_2 run_once: true register: certificate - name: Write certificate file on server_1 copy: dest: /path/to/certificate.pem content: "{{ certificate.certificate }}" delegate_to: server_1 run_once: true ``` -------------------------------- ### ACME Certificate Management with HTTP-01 Challenge (Ansible) Source: https://context7.com/ansible-collections/community.crypto/llms.txt Obtains SSL/TLS certificates from ACME-compliant Certificate Authorities (CAs) like Let's Encrypt using the HTTP-01 challenge. This process requires two steps: first, creating the challenge data and then fulfilling it. It manages account keys, CSRs, and certificate destinations, and can be used for both standard and wildcard certificates. ```yaml --- # Step 1: Create a challenge for the domain - name: Create a challenge for sample.com using an account key file community.crypto.acme_certificate: account_key_src: /etc/pki/cert/private/account.key csr: /etc/pki/cert/csr/sample.com.csr dest: /etc/httpd/ssl/sample.com.crt fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt acme_directory: https://acme-v02.api.letsencrypt.org/directory challenge: http-01 remaining_days: 30 modify_account: false register: sample_com_challenge # Fulfill the HTTP-01 challenge - name: Copy http-01 challenge for sample.com ansible.builtin.copy: dest: "/var/www/html/{{ sample_com_challenge.challenge_data['sample.com']['http-01']['resource'] }}" content: "{{ sample_com_challenge.challenge_data['sample.com']['http-01']['resource_value'] }}" when: sample_com_challenge is changed and 'sample.com' in sample_com_challenge.challenge_data # Step 2: Complete validation and retrieve certificate - name: Let the challenge be validated and retrieve the cert community.crypto.acme_certificate: account_key_src: /etc/pki/cert/private/account.key csr: /etc/pki/cert/csr/sample.com.csr dest: /etc/httpd/ssl/sample.com.crt fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt chain_dest: /etc/httpd/ssl/sample.com-intermediate.crt acme_directory: https://acme-v02.api.letsencrypt.org/directory challenge: http-01 remaining_days: 30 data: "{{ sample_com_challenge }}" modify_account: false when: sample_com_challenge is changed # DNS-01 Challenge example for wildcard certificates - name: Create DNS-01 challenge for wildcard certificate community.crypto.acme_certificate: account_key_src: /etc/pki/cert/private/account.key csr: /etc/pki/cert/csr/wildcard.sample.com.csr dest: /etc/httpd/ssl/wildcard.sample.com.crt acme_directory: https://acme-v02.api.letsencrypt.org/directory challenge: dns-01 modify_account: false register: wildcard_challenge ``` -------------------------------- ### Generate Self-Signed Certificate with Custom Validity (Ansible) Source: https://context7.com/ansible-collections/community.crypto/llms.txt Generates a self-signed X.509 certificate and its corresponding private key. It allows specifying the validity period, paths for the certificate, private key, and Certificate Signing Request (CSR), and supports backup of existing files. The output registers the result, including the filename of the created certificate. ```yaml --- # Generate a self-signed certificate with custom validity - name: Generate self-signed certificate valid for 1 year community.crypto.x509_certificate: path: /etc/ssl/crt/ansible.com.crt privatekey_path: /etc/ssl/private/ansible.com.pem csr_path: /etc/ssl/csr/ansible.com.csr provider: selfsigned selfsigned_not_after: "+365d" backup: true register: cert_result # Verify certificate was created - name: Show certificate path ansible.builtin.debug: msg: "Certificate created at: {{ cert_result.filename }}" ``` -------------------------------- ### Add New Key to LUKS Container using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This task adds a new passphrase (key) to an existing LUKS encrypted container. It requires the device path, the current passphrase to authenticate, and the new passphrase to be added. ```yaml # Add a new key to LUKS container - name: Add backup passphrase to LUKS container community.crypto.luks_device: device: /dev/sdb1 passphrase: "{{ luks_passphrase }}" new_passphrase: "{{ luks_backup_passphrase }}" ``` -------------------------------- ### Retrieve X.509 Certificate Information (Ansible) Source: https://context7.com/ansible-collections/community.crypto/llms.txt Queries and retrieves detailed information from X.509 certificate files. This includes subject and issuer details, validity periods, extensions, and public key data. The module can be used to inspect certificates generated by other means, and its output can be registered for further processing or debugging. ```yaml --- # Get information on a certificate file - name: Get information on generated certificate community.crypto.x509_certificate_info: path: /etc/ssl/crt/ansible.com.crt register: cert_info ``` -------------------------------- ### Check Certificate Validity at Specific Times using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This Ansible task uses the community.crypto.x509_certificate_info module to check the validity of a certificate at various future points in time. The results are registered in a variable for further use, such as assertions. ```yaml - name: Test whether certificate is valid at specific times community.crypto.x509_certificate_info: path: /etc/ssl/crt/ansible.com.crt valid_at: tomorrow: "+1d" next_week: "+7d" next_month: "+30d" register: validity_check ``` -------------------------------- ### Generate PKCS#12 Archives using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This section outlines the usage of the community.crypto.openssl_pkcs12 module in Ansible to create PKCS#12 archives. These archives bundle certificates and private keys, suitable for import into various keystores and applications. ```yaml --- ``` -------------------------------- ### Generate RSA SSH Keypair with Specific Size using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This task generates an RSA SSH keypair with a specified key size of 4096 bits. It sets the output path, key type, and includes a comment using the Ansible hostname fact. The generated keys are saved to the specified file path. ```yaml # Generate RSA key with specific size - name: Generate RSA SSH keypair community.crypto.openssh_keypair: path: /home/user/.ssh/id_rsa type: rsa size: 4096 comment: "{{ ansible_hostname }}" ``` -------------------------------- ### Generate X.509 Certificates with Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt Generates X.509 certificates using the `community.crypto.x509_certificate` module. Supports self-signed certificates, certificates signed by a private CA, and ACME protocol integration (e.g., Let's Encrypt). Includes options for automatic renewal and validation. ```yaml --- # Generate a self-signed certificate - name: Generate a Self Signed OpenSSL certificate community.crypto.x509_certificate: path: /etc/ssl/crt/ansible.com.crt privatekey_path: /etc/ssl/private/ansible.com.pem csr_path: /etc/ssl/csr/ansible.com.csr provider: selfsigned # Generate a certificate signed with your own CA - name: Generate certificate signed with own CA community.crypto.x509_certificate: path: /etc/ssl/crt/ansible.com.crt csr_path: /etc/ssl/csr/ansible.com.csr ownca_path: /etc/ssl/crt/ansible_CA.crt ownca_privatekey_path: /etc/ssl/private/ansible_CA.pem ownca_privatekey_passphrase: "{{ ca_passphrase }}" provider: ownca ``` -------------------------------- ### ACME Account Management (Ansible) Source: https://context7.com/ansible-collections/community.crypto/llms.txt Manages ACME accounts for automated certificate acquisition. This module allows for the creation, modification, and deletion of accounts, including setting contact information and agreeing to terms of service. It also supports changing the account key for security purposes and can be configured to prevent new account creation if an account already exists. ```yaml --- # Create an ACME account with contact information - name: Make sure account exists and has given contacts community.crypto.acme_account: account_key_src: /etc/pki/cert/private/account.key state: present terms_agreed: true acme_directory: https://acme-v02.api.letsencrypt.org/directory contact: - mailto:admin@example.com - mailto:security@example.com # Create account without allowing new account creation (for existing accounts) - name: Update existing account email address community.crypto.acme_account: account_key_src: /etc/pki/cert/private/account.key state: present allow_creation: false acme_directory: https://acme-v02.api.letsencrypt.org/directory contact: - mailto:new-admin@example.com # Change account key for security rotation - name: Change account key to a new key community.crypto.acme_account: account_key_src: /etc/pki/cert/private/account.key new_account_key_src: /etc/pki/cert/private/account-new.key state: changed_key acme_directory: https://acme-v02.api.letsencrypt.org/directory # Delete an ACME account - name: Delete ACME account community.crypto.acme_account: account_key_src: /etc/pki/cert/private/account.key state: absent acme_directory: https://acme-v02.api.letsencrypt.org/directory ``` -------------------------------- ### Parse existing PKCS#12 file using openssl_pkcs12 Source: https://context7.com/ansible-collections/community.crypto/llms.txt Parses an existing PKCS#12 file to extract its contents. This action requires the source path of the PKCS#12 file and a destination path where the parsed components will be stored. The passphrase is necessary to decrypt the PKCS#12 file. ```yaml - name: Parse PKCS#12 file community.crypto.openssl_pkcs12: action: parse src: /etc/ssl/ansible.com.p12 path: /etc/ssl/parsed/ passphrase: "{{ p12_passphrase }}" ``` -------------------------------- ### Retrieve CSR Information using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This Ansible task uses the community.crypto.openssl_csr_info module to extract information from a Certificate Signing Request (CSR) file. The retrieved details, such as subject and public key, are registered in a variable. ```yaml --- # Get information on a CSR - name: Get information on the CSR community.crypto.openssl_csr_info: path: /etc/ssl/csr/www.ansible.com.csr register: csr_info ``` -------------------------------- ### Smoke Test Library Script Source: https://github.com/ansible-collections/community.crypto/blob/main/tests/sanity/ignore-2.20.txt A Python script used within the execution environment smoke tests to verify library availability. It includes a shebang line for direct execution. ```python #!/usr/bin/python import sys def main(): print("Smoke test passed") if __name__ == '__main__': main() ``` -------------------------------- ### Generate OpenSSL Private Keys with Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt Generates OpenSSL private keys using the `community.crypto.openssl_privatekey` module. Supports RSA, DSA, ECC, and Ed25519 algorithms, passphrase encryption, and custom key sizes. It can also create backups of generated keys. ```yaml --- # Generate a default 4096-bit RSA private key - name: Generate an OpenSSL private key with the default values (4096 bits, RSA) community.crypto.openssl_privatekey: path: /etc/ssl/private/ansible.com.pem # Generate an RSA key with passphrase protection - name: Generate an OpenSSL private key with a passphrase community.crypto.openssl_privatekey: path: /etc/ssl/private/ansible.com.pem passphrase: "{{ vault_key_passphrase }}" cipher: auto # Generate an ECC key with specific curve - name: Generate an OpenSSL private key with elliptic curve cryptography (ECC) community.crypto.openssl_privatekey: path: /etc/ssl/private/ansible.com.pem type: ECC curve: secp256r1 # Generate a 2048-bit RSA key with backup - name: Generate RSA key with custom size and backup community.crypto.openssl_privatekey: path: /etc/ssl/private/ansible.com.pem size: 2048 backup: true register: privatekey_result # Access return values - name: Display key fingerprint ansible.builtin.debug: msg: "SHA256 fingerprint: {{ privatekey_result.fingerprint.sha256 }}" ``` -------------------------------- ### Show Subject Alt Names using Ansible Filter Source: https://context7.com/ansible-collections/community.crypto/llms.txt This snippet demonstrates using the community.crypto.x509_certificate_info filter within Ansible's debug module to extract Subject Alternative Names from a certificate file. It utilizes the 'lookup' and 'json_query' modules for file reading and data extraction. ```yaml - name: Show Subject Alt Names using filter ansible.builtin.debug: msg: >- {{ lookup('ansible.builtin.file', '/path/to/cert.pem') | community.crypto.x509_certificate_info | json_query('subject_alt_name') }} ``` -------------------------------- ### Generate Certificate Revocation List (CRL) using x509_crl Source: https://context7.com/ansible-collections/community.crypto/llms.txt Generates a Certificate Revocation List (CRL) to manage revoked certificates. This module requires the path for the CRL, the private key of the issuer, issuer details, and validity periods. It supports specifying revoked certificates by serial number or by providing a path to a revoked certificate file, along with the reason for revocation. ```yaml --- # Generate a CRL with revoked certificates - name: Generate a CRL community.crypto.x509_crl: path: /etc/ssl/crl/ca.crl privatekey_path: /etc/ssl/private/ca.pem issuer: CN: My Certificate Authority O: My Organization last_update: "+0s" next_update: "+7d" revoked_certificates: - serial_number: 1234 revocation_date: "20230101000000Z" reason: key_compromise - path: /etc/ssl/crt/revoked_cert.crt reason: cessation_of_operation format: pem ``` -------------------------------- ### Generate OpenSSL CSRs with Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt Creates OpenSSL Certificate Signing Requests (CSRs) using the `community.crypto.openssl_csr` module. Allows configuration of subject information, subject alternative names (SANs), key usage, and extended key usage extensions. ```yaml --- # Generate a basic CSR - name: Generate an OpenSSL Certificate Signing Request community.crypto.openssl_csr: path: /etc/ssl/csr/www.ansible.com.csr privatekey_path: /etc/ssl/private/ansible.com.pem common_name: www.ansible.com # Generate CSR with full subject information - name: Generate CSR with Subject information community.crypto.openssl_csr: path: /etc/ssl/csr/www.ansible.com.csr privatekey_path: /etc/ssl/private/ansible.com.pem country_name: US organization_name: Ansible Inc organizational_unit_name: IT Security email_address: admin@ansible.com common_name: www.ansible.com # Generate CSR with Subject Alternative Names (SANs) - name: Generate CSR with subjectAltName extension community.crypto.openssl_csr: path: /etc/ssl/csr/www.ansible.com.csr privatekey_path: /etc/ssl/private/ansible.com.pem common_name: www.ansible.com subject_alt_name: - "DNS:www.ansible.com" - "DNS:ansible.com" - "DNS:m.ansible.com" - "IP:192.168.1.100" # Generate CSR with key usage and extended key usage - name: Generate CSR with special key usages community.crypto.openssl_csr: path: /etc/ssl/csr/www.ansible.com.csr privatekey_path: /etc/ssl/private/ansible.com.pem common_name: www.ansible.com key_usage: - digitalSignature - keyEncipherment key_usage_critical: true extended_key_usage: - serverAuth - clientAuth ocsp_must_staple: true ``` -------------------------------- ### Verify CSR extensions using openssl_csr_info filter Source: https://context7.com/ansible-collections/community.crypto/llms.txt Parses and extracts information from a Certificate Signing Request (CSR), including its subject alternative names (SANs). This filter is valuable for validating CSRs before issuing certificates, ensuring that requested domain names or IP addresses are correctly included. ```yaml --- # Get CSR info using filter - name: Verify CSR extensions using filter vars: csr_info: "{{ lookup('ansible.builtin.file', '/etc/ssl/csr/ansible.com.csr') | community.crypto.openssl_csr_info }}" ansible.builtin.assert: that: - "'DNS:www.ansible.com' in csr_info.subject_alt_name" ``` -------------------------------- ### Generate ECDSA SSH Keypair with Passphrase using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This task generates an ECDSA SSH keypair using the cryptography backend, with a key size of 521 bits and a passphrase. The public key is then displayed using the debug module. The generated keys are stored at the specified path. ```yaml # Generate ECDSA key with passphrase - name: Generate ECDSA SSH keypair with passphrase community.crypto.openssh_keypair: path: /home/user/.ssh/id_ecdsa type: ecdsa size: 521 passphrase: "{{ ssh_key_passphrase }}" backend: cryptography register: ssh_key # Display the public key - name: Show public key for authorized_keys ansible.builtin.debug: msg: "{{ ssh_key.public_key }}" ``` -------------------------------- ### Convert certificate serial number to hex string using to_serial filter Source: https://context7.com/ansible-collections/community.crypto/llms.txt Converts a certificate's serial number, typically represented as a decimal string, into its hexadecimal string format. This filter is useful for tasks that require serial numbers in a specific format, such as comparing them or logging them in a standard hex representation. ```yaml --- # Parse serial number to hex format - name: Convert serial number to hex string vars: cert_info: "{{ lookup('ansible.builtin.file', '/etc/ssl/crt/ansible.com.crt') | community.crypto.x509_certificate_info }}" ansible.builtin.debug: msg: "Serial: {{ cert_info.serial_number | community.crypto.to_serial }}" ``` -------------------------------- ### Validate Certificate Expiration using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This Ansible task asserts that a certificate is not expired and will remain valid for at least 30 days. It uses the 'assert' module and checks conditions based on previously registered variables 'cert_info' and 'validity_check'. ```yaml - name: Assert certificate is valid for at least 30 days ansible.builtin.assert: that: - not cert_info.expired - validity_check.valid_at.next_month fail_msg: "Certificate expires within 30 days!" ``` -------------------------------- ### Display CSR Details using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This snippet displays various details extracted from a CSR, including subject, subject alternative names, key usage, and public key type. It uses Ansible's debug module and accesses data from a registered variable 'csr_info'. ```yaml # Display CSR details - name: Dump CSR information ansible.builtin.debug: msg: | Subject: {{ csr_info.subject }} Subject Alt Names: {{ csr_info.subject_alt_name | default([]) | join(', ') }} Key Usage: {{ csr_info.key_usage | default('None') }} Public Key Type: {{ csr_info.public_key_type }} ``` -------------------------------- ### Update existing CRL with new revoked certificate using x509_crl Source: https://context7.com/ansible-collections/community.crypto/llms.txt Updates an existing Certificate Revocation List (CRL) by adding a new revoked certificate. This operation requires the path to the existing CRL, the issuer's private key, and issuer details. It allows specifying the new revoked certificate by its serial number and the reason for revocation, and updates the next update time for the CRL. ```yaml --- # Update existing CRL with new revoked certificate - name: Add certificate to existing CRL community.crypto.x509_crl: path: /etc/ssl/crl/ca.crl privatekey_path: /etc/ssl/private/ca.pem issuer: CN: My Certificate Authority next_update: "+7d" crl_mode: update revoked_certificates: - serial_number: 5678 reason: superseded ``` -------------------------------- ### Generate Ed25519 SSH Keypair using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This Ansible task generates an Ed25519 SSH keypair, which is recommended for security. It specifies the output path, key type, and a comment for the key. The generated keys are stored at the specified path. ```yaml --- # Generate an Ed25519 SSH key (recommended for security) - name: Generate Ed25519 SSH keypair community.crypto.openssh_keypair: path: /home/user/.ssh/id_ed25519 type: ed25519 comment: "user@ansible-managed" ``` -------------------------------- ### Close LUKS Container using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This task closes (locks) a LUKS encrypted container. It requires the name assigned to the opened volume and the state set to 'closed'. ```yaml # Close (lock) a LUKS container - name: Close LUKS container community.crypto.luks_device: name: secure_volume state: closed ``` -------------------------------- ### Remove Key from LUKS Container using Ansible Source: https://context7.com/ansible-collections/community.crypto/llms.txt This task removes a specific passphrase (key) from a LUKS encrypted container. It requires the device path, the current passphrase for authentication, and the passphrase to be removed. ```yaml # Remove a key from LUKS container - name: Remove old passphrase from LUKS container community.crypto.luks_device: device: /dev/sdb1 passphrase: "{{ luks_passphrase }}" remove_passphrase: "{{ old_passphrase }}" ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.