
Documentation: netways.elasticstack modules

Overview

cert_info module

The netways.elasticstack.cert_info module gathers information about pkcs12 certificates generated by the Elasticstack cert util.

Dependencies

  • python-cryptography >= 2.5.0 on the remote node

Tested python-cryptography versions >= 2.5

  • 2.5
  • 3.0
  • 3.1
  • 3.2
  • 3.3
  • 3.4
  • 35.0.0
  • 36.0.0
  • 38.0.0
  • 40.0.1

Tested python versions

  • 2.7
  • 3.5
  • 3.6
  • 3.7
  • 3.8
  • 3.10

Tested ansible-core versions

  • 2.11
  • 2.12
  • 2.13
  • 2.14

Security measures

  • Only supported extensions with their available values will be returned. The available keys and values are defined in the code in the SUPPORTED_EXTENSIONS dictionary. The module loops through it and saves an extension to the results variable only if it is found there.
  • The parameters path and passphrase are set to no_log in the Ansible Module object.
  • The objects __private_key, __cert, and __additional_certs are private and cannot be accessed globally.
  • The object variables __path and __passphrase are private and cannot be accessed globally.

Supported extensions and values

Currently, the information of the following extensions and values will be returned (other extensions/values will be skipped):

BasicConstraints:

  • _ca
  • _path_length

AuthorityKeyIdentifier:

  • _key_identifier
  • _authority_cert_issuer
  • _authority_cert_serial_number

SubjectKeyIdentifier:

  • _digest

Parameters

path: Absolute path to certificate. (Default: undefined, required)

passphrase: The passphrase of the pkcs12 certificate. (Default: No default, optional)

passphrase_check: If enabled, the module only checks the passphrase and returns a bool in the results; it won't return any certificate information, only the passphrase_check result. (Default: False, optional)

Returns

All keys and values that will be returned with the results variable of the module:

issuer: The issuer of the CA certificate as str.

subject: The subject of the CA certificate as str.

version: The certificate version as str which represents an enumeration.

not_valid_after: A datetime.datetime object represented as a UTC formatted str. This is the end of the validity period.

not_valid_before: A datetime.datetime object represented as a UTC formatted str. This is the beginning of the validity period.

serial_number: The serial number of the certificate as str which represents an integer.

extensions:

  • oid: The object identifier of the extension as str which represents a dotted string.
  • critical: The value of critical as str which represents a bool.
  • values: The keys and their values of the extension as str. (See: Supported extensions)

passphrase_check: A bool that will be True if the passphrase check was positive and False if not. It's also possible that it returns False if the certificate is corrupted, since Python can't differentiate the two cases and raises a "ValueError" for both.

Example

- name: Test
  cert_info:
    path: /opt/es-ca/elasticsearch-ca.pkcs12
    passphrase: PleaseChangeMe
  register: test

- name: Debug
  debug:
    msg: "{{ test }}"

Output:

TASK [Debug] *******************************************************************
ok: [localhost] => {
    "msg": {
        "changed": false, 
        "extensions": {
            "authorityKeyIdentifier": {
                "_critical": "False", 
                "_dotted_string": "2.5.29.35", 
                "_values": {
                    "_authority_cert_issuer": "None", 
                    "_authority_cert_serial_number": "None", 
                    "_key_identifier": "82:53:20:11:C7:73:A7:5E:2A:77:C1:DF:22:E4:23:B4:C4:50:BA:CF"
                }
            }, 
            "basicConstraints": {
                "_critical": "True", 
                "_dotted_string": "2.5.29.19", 
                "_values": {
                    "_ca": "True", 
                    "_path_length": "None"
                }
            }, 
            "subjectKeyIdentifier": {
                "_critical": "False", 
                "_dotted_string": "2.5.29.14", 
                "_values": {
                    "_digest": "82:53:20:11:C7:73:A7:5E:2A:77:C1:DF:22:E4:23:B4:C4:50:BA:CF"
                }
            }
        }, 
        "failed": false, 
        "issuer": "Elastic Certificate Tool Autogenerated CA", 
        "not_valid_after": "2026-03-28 01:58:02", 
        "not_valid_before": "2023-03-29 01:58:02", 
        "serial_number": "719770426243590812378787092632593850366518596520", 
        "subject": "Elastic Certificate Tool Autogenerated CA", 
        "version": "Version.v3"
    }
}

Example of passphrase_check

- name: Test correct passphrase wit passphrase_check parameter
  cert_info:
    path: /opt/es-ca/elasticsearch-ca.pkcs12
    passphrase: PleaseChangeMe
    passphrase_check: True
  register: test

- name: Debug
  debug:
    msg: "{{ test }}"

Output:

TASK [Test correct passphrase wit passphrase_check parameter] ******************
ok: [localhost]

TASK [Debug] *******************************************************************
ok: [localhost] => {
    "msg": {
        "changed": false,
        "extensions": {},
        "failed": false,
        "issuer": "",
        "not_valid_after": "",
        "not_valid_before": "",
        "passphrase_check": true,
        "serial_number": "",
        "subject": "",
        "version": ""
    }
}
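As an added example, not taken from the module's documentation: a playbook that uses passphrase_check as a gate before reading the CA certificate, then asserts on the returned fields (the string-typed values and key names follow the Output sections above). The host group, the vaulted variable vault_es_ca_passphrase and the 30-day warning window are assumptions.

```yaml
# Added example, not part of the netways.elasticstack documentation.
# Assumed: hosts group "elasticsearch", a vaulted variable vault_es_ca_passphrase,
# and a 30-day expiry warning window.
- name: Validate the Elasticsearch CA keystore
  hosts: elasticsearch
  vars:
    es_ca_path: /opt/es-ca/elasticsearch-ca.pkcs12
    es_ca_passphrase: "{{ vault_es_ca_passphrase }}"   # assumed vaulted variable
    expiry_warning_days: 30
  tasks:
    - name: Check only the passphrase (no certificate data is returned in this mode)
      netways.elasticstack.cert_info:
        path: "{{ es_ca_path }}"
        passphrase: "{{ es_ca_passphrase }}"
        passphrase_check: true
      register: ca_check

    - name: Stop early if the passphrase is wrong or the keystore is unreadable
      ansible.builtin.fail:
        msg: "passphrase_check is false for {{ es_ca_path }}: wrong passphrase or corrupted file (both surface as ValueError)"
      when: not ca_check.passphrase_check

    - name: Gather the certificate information
      netways.elasticstack.cert_info:
        path: "{{ es_ca_path }}"
        passphrase: "{{ es_ca_passphrase }}"
      register: ca_info

    # Values are returned as str, so compare against "True", not a bool.
    - name: Assert it is a CA certificate with a critical basicConstraints extension
      ansible.builtin.assert:
        that:
          - ca_info.extensions.basicConstraints is defined
          - ca_info.extensions.basicConstraints._values._ca == "True"
          - ca_info.extensions.basicConstraints._critical == "True"
        fail_msg: "{{ es_ca_path }} does not carry a critical CA basicConstraints extension"

    # not_valid_after is a UTC "%Y-%m-%d %H:%M:%S" string (the to_datetime default).
    - name: Compute the days until the CA certificate expires
      ansible.builtin.set_fact:
        ca_days_left: "{{ ((ca_info.not_valid_after | to_datetime) - now(utc=True)).days }}"

    - name: Fail if the CA certificate expires within the warning window
      ansible.builtin.assert:
        that: ca_days_left | int > expiry_warning_days
        fail_msg: "CA {{ ca_info.subject }} expires in {{ ca_days_left }} days ({{ ca_info.not_valid_after }} UTC)"
```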