entrust.crypto.cagw_certificate module – Request SSL/TLS certificates with the Certificate Authority Gateway (CAGW) API
Note
This module is part of the entrust.crypto collection (version 1.0.0).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install entrust.crypto.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: entrust.crypto.cagw_certificate.
Synopsis
Create, get, and take actions (Hold, Unhold, Revoke certificates) with the Certificate Authority Gateway (CAGW) API.
Requires credentials for calling the CAGW API.
Requirements
The below requirements are needed on the host that executes this module.
cryptography >= 1.6
Ansible Core >= 2.14.0
Minimum Python Version = 3.6
Parameters
Parameter | Comments
|---|---|
action_reason | Reason to record for the action taken on the certificate.
action_type | Action to take on the certificate. Choices: HoldAction, RevokeAction, UnholdAction
 | A list of additional email addresses to receive the delivery notice and expiry notification for the certificate.
cagw_api_client_cert_key_path | Path to the private key of the client certificate (issued by the same CA) used to authenticate to the CAGW API.
cagw_api_client_cert_path | Path to the client certificate (issued by the same CA) used to authenticate to the CAGW API.
cagw_api_specification_path | Path to the CAGW API specification document.
certificate_authority_id | Unique ID of the Certificate Authority.
certificate_profile_id | Profile ID for the Certificate Authority.
connector_name | Type of CA connected at the backend. Supported CAs: Entrust Certificate Solution (ECS), Entrust Security Manager (SM), Entrust PKIHUB CA (PKIaaS), Microsoft CA (MSCA). If connector_name is not provided when … Choices: ECS, SM, PKIaaS, MSCA
csr | Base64-encoded Certificate Signing Request (CSR). The Base64 string is accepted without the PEM header and footer around it. If no csr is provided when …
custom_fields | Mapping of custom fields to associate with the certificate request and certificate. Only supported if custom fields are enabled for your account. Each custom field specified must be a custom field you have defined for your account.
custom_fields: date1, date2, date3, date4, date5 | Custom date field.
custom_fields: dropdown1, dropdown2, dropdown3, dropdown4, dropdown5 | Custom dropdown field.
custom_fields: email1, email2, email3, email4, email5 | Custom email field.
custom_fields: number1, number2, number3, number4, number5 | Custom number field.
custom_fields: text1, text2, text3, text4, text5, text6, text7, text8, text9, text10, text11, text12, text13, text14, text15 | Custom text field (maximum 500 characters).
dn | Distinguished name for the enrollment.
 | The certificate validity period: an ISO 8601 date-time interval or duration giving the not-before and/or not-after dates of the certificate. Four forms are accepted. Start and expiry date: 2018-07-06T13:00Z/2019-07-06T09:00:00Z. Start date and duration, for example start on 6 July 2018 13:00Z with a lifetime of 1 year and 3 months: 2018-07-06T13:00Z/P1Y3M0DT0H0M. Duration and expiry date, for example expire on 31 December 2018 with a lifetime of 3 months (the start date is calculated automatically): P0Y3M0DT0H0M/2018-12-31T00:00Z. Duration only, for example a lifetime of 1 year, 3 months, 10 days, 0 hours and 0 minutes (the start date is always the current date): P1Y3M10DT0H0M.
enrollment_format | Enrollment format. Choices: PKCS12, X509
force | If … Choices:
 | Host or IP address of the Entrust CAGW.
p12_protection_password | Password protecting the PKCS12 file when the private key and CSR are generated server-side.
path | Destination path for the generated certificate, PEM encoded. If there is already a certificate at this location and …
 | Port for the Entrust CAGW. Default: …
 | The number of days the certificate must have left being valid. If a certificate is already present at the path and force is not specified, the module obtains the validity of the existing certificate from Entrust CAGW. If … Default: …
request_type | Request type: new (enrollment), get (retrieve an already issued certificate), or action (take an action on the certificate). Choices: action, get, new
requester_email | The requester email to associate with certificate tracking information and to receive delivery and expiry notices for the certificate. If requester_email is not provided when …
requester_name | The requester name to associate with certificate tracking information. If requester_name is not provided when …
 | The requester phone number to associate with certificate tracking information.
serial_no | Serial number of the already issued certificate (hexadecimal, as in the examples).
subject_alt_name | The subject alternative name identifiers (a mapping with the sub-options below).
subject_alt_name: directoryName | directoryName of the target server.
subject_alt_name: dNSName | DNS name of the target server.
subject_alt_name: iPAddress | IP address of the target server.
subject_alt_name: rfc822Name | rfc822Name (email address) of the target server.
subject_alt_name: uniformResourceIdentifier | URI of the target server.
 | Free-form tracking information to attach to the record for the certificate.
validate_certs | If set to false, TLS certificate validation of the CAGW server is skipped. Set this to false only for testing: without validation the connection that carries your client certificate and the issued certificate can be intercepted. Choices: false, true
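The four validity_period forms and the renewal threshold described in the table above, worked through as an added example. This is not code from the entrust.crypto collection: resolve_validity() computes the not-before and not-after dates for each documented form, and needs_enrollment() applies the documented rule (enrol when no certificate exists, when force is set, or when fewer than the required number of days remain). The argument name remaining_days is an assumption; the page describes that parameter but its name is not preserved in the table.

```python
"""Validity periods and the renewal threshold, as an added example.

Not code from the entrust.crypto collection. resolve_validity() handles the
four validity_period forms documented on the page; needs_enrollment() applies
the documented renewal rule. The name remaining_days is an ASSUMPTION (the
page describes the parameter, its name is not preserved).
"""
import re
from calendar import monthrange
from datetime import datetime, timedelta, timezone

# ISO 8601 duration as used in the docs, e.g. P1Y3M10DT0H0M (seconds allowed too).
_DURATION_RE = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_timestamp(text):
    """Parse the UTC timestamps shown in the docs: 2018-07-06T13:00Z or 2019-07-06T09:00:00Z."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def _add_months(dt, months):
    """Calendar month arithmetic; the day is clamped to the length of the target month."""
    total = dt.year * 12 + (dt.month - 1) + months
    year, month0 = divmod(total, 12)
    day = min(dt.day, monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)


def apply_duration(dt, duration, sign=1):
    """Add (sign=1) or subtract (sign=-1) an ISO 8601 duration to/from dt."""
    m = _DURATION_RE.match(duration)
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"unrecognised duration: {duration!r}")
    p = {k: int(v or 0) for k, v in m.groupdict().items()}
    dt = _add_months(dt, sign * (p["y"] * 12 + p["mo"]))
    return dt + sign * timedelta(days=p["d"], hours=p["h"], minutes=p["mi"], seconds=p["s"])


def resolve_validity(validity_period, now=None):
    """Return (not_before, not_after) for a validity_period in any of the four documented forms."""
    now = now or datetime.now(timezone.utc)
    if "/" not in validity_period:
        # Duration only: the start date is always the current date.
        return now, apply_duration(now, validity_period)
    left, right = validity_period.split("/", 1)
    if left.startswith("P") and right.startswith("P"):
        raise ValueError("an interval cannot consist of two durations")
    if left.startswith("P"):
        # Duration/end: the start date is derived by subtracting the lifetime from the expiry.
        not_after = parse_timestamp(right)
        return apply_duration(not_after, left, sign=-1), not_after
    not_before = parse_timestamp(left)
    not_after = apply_duration(not_before, right) if right.startswith("P") else parse_timestamp(right)
    if not_after <= not_before:
        raise ValueError("not-after must be later than not-before")
    return not_before, not_after


def days_remaining(not_after, now=None):
    """Whole days of validity left; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def needs_enrollment(existing_not_after, remaining_days, force=False, now=None):
    """The documented renewal rule. existing_not_after is None when nothing is at path."""
    if force or existing_not_after is None:
        return True
    return days_remaining(existing_not_after, now) < remaining_days
```

Note the duration/end form: subtracting three months from 31 December lands on a day that does not exist in September, so the start date is clamped to 30 September; check the computed not-before against what CAGW actually issues if exact start dates matter to you.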
Notes
Note
path must be specified as the output location of the certificate.
See Also
- community.crypto.openssl_privatekey
Can be used to create private keys (both for certificates and accounts).
- community.crypto.openssl_csr
Can be used to create a Certificate Signing Request (CSR).
Examples
```yaml
- name: Request a new certificate from SM via CAGW with bare minimum parameters
  entrust.crypto.cagw_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    csr: /etc/ssl/csr/ansible.com.csr
    cagw_api_client_cert_path: /etc/ssl/entrust/cagw-client.crt
    cagw_api_client_cert_key_path: /etc/ssl/entrust/cagw-client.key
    certificate_authority_id: ca_id
    certificate_profile_id: profile_id
    request_type: new
    enrollment_format: X509
    connector_name: SM
    cagw_api_specification_path: /etc/ssl/entrust/cagw-api.yaml

- name: Request a new certificate from CAGW with subjectAltName parameters and server certificate validation disabled
  entrust.crypto.cagw_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    csr: /etc/ssl/csr/ansible.com.csr
    cagw_api_client_cert_path: /etc/ssl/entrust/cagw-client.crt
    cagw_api_client_cert_key_path: /etc/ssl/entrust/cagw-client.key
    certificate_authority_id: ca_id
    certificate_profile_id: profile_id
    request_type: new
    enrollment_format: X509
    connector_name: SM
    cagw_api_specification_path: /etc/ssl/entrust/cagw-api.yaml
    validity_period: 2018-07-06T13:00Z/2019-07-06T09:00:00Z
    subject_alt_name:
      dNSName: server.example.com
      iPAddress: 192.168.1.1
      directoryName: cn=john doe,o=example inc,c=us
      uniformResourceIdentifier: http://example.com/
      rfc822Name: server.example.com   # an rfc822Name is an email address (RFC 5280)
    validate_certs: false   # testing only: disables TLS validation of the CAGW server

- name: Get an already issued certificate from CAGW by its serial number in hexadecimal format
  entrust.crypto.cagw_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    cagw_api_client_cert_path: /etc/ssl/entrust/cagw-client.crt
    cagw_api_client_cert_key_path: /etc/ssl/entrust/cagw-client.key
    certificate_authority_id: ca_id
    request_type: get
    serial_no: 5b9ba13d
    cagw_api_specification_path: /etc/ssl/entrust/cagw-api.yaml

- name: Request a certificate from CAGW with enrollment format PKCS12
  entrust.crypto.cagw_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    cagw_api_client_cert_path: /etc/ssl/entrust/cagw-client.crt
    cagw_api_client_cert_key_path: /etc/ssl/entrust/cagw-client.key
    certificate_authority_id: ca_id
    certificate_profile_id: profile_id
    request_type: new
    enrollment_format: PKCS12
    connector_name: SM
    p12_protection_password: 'Password@2023'   # keep this in Ansible Vault rather than in the playbook
    dn: /C=CA/O=iotrust/CN=CA/CN=ans-test-101
    cagw_api_specification_path: /etc/ssl/entrust/cagw-api.yaml

- name: Request a new SSL certificate from ECS via CAGW with bare minimum parameters
  entrust.crypto.cagw_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    csr: /etc/ssl/csr/ansible.com.csr
    cagw_api_client_cert_path: /etc/ssl/entrust/cagw-client.crt
    cagw_api_client_cert_key_path: /etc/ssl/entrust/cagw-client.key
    certificate_authority_id: ca_id
    certificate_profile_id: profile_id
    request_type: new
    enrollment_format: X509
    cagw_api_specification_path: /etc/ssl/entrust/cagw-api.yaml
    connector_name: ECS
    requester_name: John-Clark
    requester_email: john.clark@example.com

- name: Request a new SSL certificate from ECS via CAGW with optional custom_fields parameters
  entrust.crypto.cagw_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    csr: /etc/ssl/csr/ansible.com.csr
    cagw_api_client_cert_path: /etc/ssl/entrust/cagw-client.crt
    cagw_api_client_cert_key_path: /etc/ssl/entrust/cagw-client.key
    certificate_authority_id: ca_id
    certificate_profile_id: profile_id
    request_type: new
    enrollment_format: X509
    cagw_api_specification_path: /etc/ssl/entrust/cagw-api.yaml
    connector_name: ECS
    requester_name: John-Clark
    requester_email: john.clark@example.com
    custom_fields:
      text1: Admin
      text2: Invoice 25
      number1: 342
      date1: '2018-01-01'
      email1: sales@ansible.testcertificates.com
      dropdown1: red

- name: Take an action (HoldAction) on a certificate already received from CAGW
  entrust.crypto.cagw_certificate:
    cagw_api_client_cert_path: /etc/ssl/entrust/cagw-client.crt
    cagw_api_client_cert_key_path: /etc/ssl/entrust/cagw-client.key
    certificate_authority_id: ca_id
    request_type: action
    action_type: HoldAction
    action_reason: unspecified
    serial_no: 5b9ba13d
    cagw_api_specification_path: /etc/ssl/entrust/cagw-api.yaml

- name: Take an action (UnholdAction) on a certificate already received from CAGW
  entrust.crypto.cagw_certificate:
    cagw_api_client_cert_path: /etc/ssl/entrust/cagw-client.crt
    cagw_api_client_cert_key_path: /etc/ssl/entrust/cagw-client.key
    certificate_authority_id: ca_id
    request_type: action
    action_type: UnholdAction
    action_reason: unspecified
    serial_no: 5b9ba13d
    cagw_api_specification_path: /etc/ssl/entrust/cagw-api.yaml

- name: Take an action (RevokeAction) on a certificate already received from CAGW
  entrust.crypto.cagw_certificate:
    cagw_api_client_cert_path: /etc/ssl/entrust/cagw-client.crt
    cagw_api_client_cert_key_path: /etc/ssl/entrust/cagw-client.key
    certificate_authority_id: ca_id
    request_type: action
    action_type: RevokeAction
    action_reason: unspecified
    serial_no: 5b9ba13d
    cagw_api_specification_path: /etc/ssl/entrust/cagw-api.yaml
```
Return Values
Common return values are documented separately; the return value names for this module were not preserved on this page, so only their descriptions follow:
- The number of days the certificate remains valid from now. Returned: success
- The full response JSON from the New/Get Certificate call of the CAGW API. While the response contents are guaranteed to be forwards compatible with new CAGW API releases, Entrust recommends that you do not make any playbooks take actions based on the content of this field. It may however be useful for debugging, logging, or auditing purposes. Returned: success
- The certificate status in CAGW. Possible values are: ACCEPTED, normal, Revoked, Held. Returned: success
- The destination path for the generated certificate or PKCS12. Returned: changed or success
- The message returned by CAGW. Returned: success
- The serial number of the issued certificate. Returned: success
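A guard for request_type: action tasks, relating the action_type choices from the Parameters table to the certificate status values listed above. This is an added example, not code from the entrust.crypto collection. The statuses (ACCEPTED, normal, Revoked, Held) and the actions (HoldAction, UnholdAction, RevokeAction) are the ones this page documents; which action is valid from which status is an assumption based on X.509 CRL semantics (RFC 5280: certificateHold is the one reversible reason, any other revocation is final), not on documented CAGW behaviour, and the function names are the author's own.

```python
"""Status/action guard for request_type: action, as an added example.

Not code from the entrust.crypto collection. The transition table below is an
ASSUMPTION drawn from X.509 CRL semantics (a hold can be lifted, a revocation
cannot), not from CAGW's documented behaviour.
"""
from collections import deque

# Assumed transitions: current status -> {action_type: resulting status}.
TRANSITIONS = {
    "normal": {"HoldAction": "Held", "RevokeAction": "Revoked"},
    "Held": {"UnholdAction": "normal", "RevokeAction": "Revoked"},
    "Revoked": {},   # revocation is permanent: no further action is valid
    "ACCEPTED": {},  # assumed: request accepted, certificate not yet issued, nothing to act on
}


class ActionNotAllowed(Exception):
    """Raised when an action_type is not valid from the certificate's current status."""


def is_action_allowed(status, action_type):
    return action_type in TRANSITIONS.get(status, {})


def apply_action(status, action_type):
    """Return the status after action_type, or raise ActionNotAllowed."""
    if not is_action_allowed(status, action_type):
        allowed = ", ".join(sorted(TRANSITIONS.get(status, {}))) or "none"
        raise ActionNotAllowed(
            f"{action_type} is not valid for a certificate in status {status!r} (allowed: {allowed})"
        )
    return TRANSITIONS[status][action_type]


def plan_actions(status, target):
    """Shortest sequence of action_type values taking a certificate from status to
    target (breadth-first search over TRANSITIONS); raises if target is unreachable."""
    queue = deque([(status, [])])
    seen = {status}
    while queue:
        current, path = queue.popleft()
        if current == target:
            return path
        for action, nxt in TRANSITIONS.get(current, {}).items():
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [action]))
    raise ActionNotAllowed(f"no sequence of actions reaches {target!r} from {status!r}")


def can_reach(status, target):
    try:
        plan_actions(status, target)
        return True
    except ActionNotAllowed:
        return False


def action_tasks(serial_no, status, target, ca_id, reason="unspecified"):
    """Build one cagw_certificate task per step, in the shape of the page's action
    examples (the client certificate, key and API specification paths are omitted)."""
    return [
        {
            "name": f"{action} on certificate {serial_no}",
            "entrust.crypto.cagw_certificate": {
                "certificate_authority_id": ca_id,
                "request_type": "action",
                "action_type": action,
                "action_reason": reason,
                "serial_no": serial_no,
            },
        }
        for action in plan_actions(status, target)
    ]
```

Run a get request first and feed the returned status into apply_action() or plan_actions() before issuing the action task; that turns an UnholdAction against an already revoked certificate into a failure in your playbook rather than a confusing error from the CA.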
Authors
Sapna Jain (@sapnajainEntrust)