summaryrefslogtreecommitdiffstats
path: root/ansible_collections/community/crypto/plugins/doc_fragments
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-18 05:52:22 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-18 05:52:22 +0000
commit38b7c80217c4e72b1d8988eb1e60bb6e77334114 (patch)
tree356e9fd3762877d07cde52d21e77070aeff7e789 /ansible_collections/community/crypto/plugins/doc_fragments
parentAdding upstream version 7.7.0+dfsg. (diff)
downloadansible-38b7c80217c4e72b1d8988eb1e60bb6e77334114.tar.xz
ansible-38b7c80217c4e72b1d8988eb1e60bb6e77334114.zip
Adding upstream version 9.4.0+dfsg.upstream/9.4.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/community/crypto/plugins/doc_fragments')
-rw-r--r--ansible_collections/community/crypto/plugins/doc_fragments/acme.py26
-rw-r--r--ansible_collections/community/crypto/plugins/doc_fragments/module_certificate.py168
-rw-r--r--ansible_collections/community/crypto/plugins/doc_fragments/module_csr.py74
-rw-r--r--ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey.py49
-rw-r--r--ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey_convert.py4
-rw-r--r--ansible_collections/community/crypto/plugins/doc_fragments/name_encoding.py10
6 files changed, 165 insertions, 166 deletions
diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/acme.py b/ansible_collections/community/crypto/plugins/doc_fragments/acme.py
index a50cedd69..2b5bfc231 100644
--- a/ansible_collections/community/crypto/plugins/doc_fragments/acme.py
+++ b/ansible_collections/community/crypto/plugins/doc_fragments/acme.py
@@ -16,10 +16,10 @@ notes:
- "If a new enough version of the C(cryptography) library
is available (see Requirements for details), it will be used
instead of the C(openssl) binary. This can be explicitly disabled
- or enabled with the C(select_crypto_backend) option. Note that using
+ or enabled with the O(select_crypto_backend) option. Note that using
the C(openssl) binary will be slower and less secure, as private key
contents always have to be stored on disk (see
- C(account_key_content))."
+ O(account_key_content))."
- "Although the defaults are chosen so that the module can be used with
the L(Let's Encrypt,https://letsencrypt.org/) CA, the module can in
principle be used with any CA providing an ACME endpoint, such as
@@ -47,15 +47,15 @@ options:
RSA keys can be created with C(openssl genrsa ...). Elliptic curve keys
can be created with C(openssl ecparam -genkey ...). Any other tool creating
private keys in PEM format can be used as well."
- - "Mutually exclusive with C(account_key_content)."
- - "Required if C(account_key_content) is not used."
+ - "Mutually exclusive with O(account_key_content)."
+ - "Required if O(account_key_content) is not used."
type: path
aliases: [ account_key ]
account_key_content:
description:
- "Content of the ACME account RSA or Elliptic Curve key."
- - "Mutually exclusive with C(account_key_src)."
- - "Required if C(account_key_src) is not used."
+ - "Mutually exclusive with O(account_key_src)."
+ - "Required if O(account_key_src) is not used."
- "B(Warning:) the content will be written into a temporary file, which will
be deleted by Ansible when the module completes. Since this is an
important private key — it can be used to change the account key,
@@ -81,9 +81,9 @@ options:
acme_version:
description:
- "The ACME version of the endpoint."
- - "Must be C(1) for the classic Let's Encrypt and Buypass ACME endpoints,
- or C(2) for standardized ACME v2 endpoints."
- - "The value C(1) is deprecated since community.crypto 2.0.0 and will be
+ - "Must be V(1) for the classic Let's Encrypt and Buypass ACME endpoints,
+ or V(2) for standardized ACME v2 endpoints."
+ - "The value V(1) is deprecated since community.crypto 2.0.0 and will be
removed from community.crypto 3.0.0."
required: true
type: int
@@ -114,17 +114,17 @@ options:
validate_certs:
description:
- Whether calls to the ACME directory will validate TLS certificates.
- - "B(Warning:) Should B(only ever) be set to C(false) for testing purposes,
+ - "B(Warning:) Should B(only ever) be set to V(false) for testing purposes,
for example when testing against a local Pebble server."
type: bool
default: true
select_crypto_backend:
description:
- Determines which crypto backend to use.
- - The default choice is C(auto), which tries to use C(cryptography) if available, and falls back to
+ - The default choice is V(auto), which tries to use C(cryptography) if available, and falls back to
C(openssl).
- - If set to C(openssl), will try to use the C(openssl) binary.
- - If set to C(cryptography), will try to use the
+ - If set to V(openssl), will try to use the C(openssl) binary.
+ - If set to V(cryptography), will try to use the
L(cryptography,https://cryptography.io/) library.
type: str
default: auto
diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/module_certificate.py b/ansible_collections/community/crypto/plugins/doc_fragments/module_certificate.py
index 648d4ce91..5691e7bbf 100644
--- a/ansible_collections/community/crypto/plugins/doc_fragments/module_certificate.py
+++ b/ansible_collections/community/crypto/plugins/doc_fragments/module_certificate.py
@@ -17,7 +17,7 @@ description:
- This module allows one to (re)generate OpenSSL certificates.
- It uses the cryptography python library to interact with OpenSSL.
requirements:
- - cryptography >= 1.6 (if using C(selfsigned) or C(ownca) provider)
+ - cryptography >= 1.6 (if using V(selfsigned) or V(ownca) provider)
options:
force:
description:
@@ -28,35 +28,35 @@ options:
csr_path:
description:
- Path to the Certificate Signing Request (CSR) used to generate this certificate.
- - This is mutually exclusive with I(csr_content).
+ - This is mutually exclusive with O(csr_content).
type: path
csr_content:
description:
- Content of the Certificate Signing Request (CSR) used to generate this certificate.
- - This is mutually exclusive with I(csr_path).
+ - This is mutually exclusive with O(csr_path).
type: str
privatekey_path:
description:
- Path to the private key to use when signing the certificate.
- - This is mutually exclusive with I(privatekey_content).
+ - This is mutually exclusive with O(privatekey_content).
type: path
privatekey_content:
description:
- Content of the private key to use when signing the certificate.
- - This is mutually exclusive with I(privatekey_path).
+ - This is mutually exclusive with O(privatekey_path).
type: str
privatekey_passphrase:
description:
- - The passphrase for the I(privatekey_path) resp. I(privatekey_content).
+ - The passphrase for the O(privatekey_path) resp. O(privatekey_content).
- This is required if the private key is password protected.
type: str
ignore_timestamps:
description:
- Whether the "not before" and "not after" timestamps should be ignored for idempotency checks.
- - It is better to keep the default value C(true) when using relative timestamps (like C(+0s) for now).
+ - It is better to keep the default value V(true) when using relative timestamps (like V(+0s) for now).
type: bool
default: true
version_added: 2.0.0
@@ -64,8 +64,8 @@ options:
select_crypto_backend:
description:
- Determines which crypto backend to use.
- - The default choice is C(auto), which tries to use C(cryptography) if available.
- - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
+ - The default choice is V(auto), which tries to use C(cryptography) if available.
+ - If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
type: str
default: auto
choices: [ auto, cryptography ]
@@ -73,7 +73,7 @@ options:
notes:
- All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
- Date specified should be UTC. Minutes and seconds are mandatory.
- - For security reason, when you use C(ownca) provider, you should NOT run
+ - For security reason, when you use V(ownca) provider, you should NOT run
M(community.crypto.x509_certificate) on a target machine, but on a dedicated CA machine. It
is recommended not to store the CA private key on the target machine. Once signed, the
certificate can be moved to the target machine.
@@ -91,26 +91,26 @@ seealso:
description:
- This module allows one to (re)generate OpenSSL certificates.
requirements:
- - acme-tiny >= 4.0.0 (if using the C(acme) provider)
+ - acme-tiny >= 4.0.0 (if using the V(acme) provider)
options:
acme_accountkey_path:
description:
- - The path to the accountkey for the C(acme) provider.
- - This is only used by the C(acme) provider.
+ - The path to the accountkey for the V(acme) provider.
+ - This is only used by the V(acme) provider.
type: path
acme_challenge_path:
description:
- The path to the ACME challenge directory that is served on U(http://<HOST>:80/.well-known/acme-challenge/)
- - This is only used by the C(acme) provider.
+ - This is only used by the V(acme) provider.
type: path
acme_chain:
description:
- Include the intermediate certificate to the generated certificate
- - This is only used by the C(acme) provider.
+ - This is only used by the V(acme) provider.
- Note that this is only available for older versions of C(acme-tiny).
- New versions include the chain automatically, and setting I(acme_chain) to C(true) results in an error.
+ New versions include the chain automatically, and setting O(acme_chain) to V(true) results in an error.
type: bool
default: false
@@ -127,7 +127,7 @@ options:
entrust_cert_type:
description:
- Specify the type of certificate requested.
- - This is only used by the C(entrust) provider.
+ - This is only used by the V(entrust) provider.
type: str
default: STANDARD_SSL
choices: [ 'STANDARD_SSL', 'ADVANTAGE_SSL', 'UC_SSL', 'EV_SSL', 'WILDCARD_SSL', 'PRIVATE_SSL', 'PD_SSL', 'CDS_ENT_LITE', 'CDS_ENT_PRO', 'SMIME_ENT' ]
@@ -135,66 +135,66 @@ options:
entrust_requester_email:
description:
- The email of the requester of the certificate (for tracking purposes).
- - This is only used by the C(entrust) provider.
- - This is required if the provider is C(entrust).
+ - This is only used by the V(entrust) provider.
+ - This is required if the provider is V(entrust).
type: str
entrust_requester_name:
description:
- The name of the requester of the certificate (for tracking purposes).
- - This is only used by the C(entrust) provider.
- - This is required if the provider is C(entrust).
+ - This is only used by the V(entrust) provider.
+ - This is required if the provider is V(entrust).
type: str
entrust_requester_phone:
description:
- The phone number of the requester of the certificate (for tracking purposes).
- - This is only used by the C(entrust) provider.
- - This is required if the provider is C(entrust).
+ - This is only used by the V(entrust) provider.
+ - This is required if the provider is V(entrust).
type: str
entrust_api_user:
description:
- The username for authentication to the Entrust Certificate Services (ECS) API.
- - This is only used by the C(entrust) provider.
- - This is required if the provider is C(entrust).
+ - This is only used by the V(entrust) provider.
+ - This is required if the provider is V(entrust).
type: str
entrust_api_key:
description:
- The key (password) for authentication to the Entrust Certificate Services (ECS) API.
- - This is only used by the C(entrust) provider.
- - This is required if the provider is C(entrust).
+ - This is only used by the V(entrust) provider.
+ - This is required if the provider is V(entrust).
type: str
entrust_api_client_cert_path:
description:
- The path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.
- - This is only used by the C(entrust) provider.
- - This is required if the provider is C(entrust).
+ - This is only used by the V(entrust) provider.
+ - This is required if the provider is V(entrust).
type: path
entrust_api_client_cert_key_path:
description:
- The path to the private key of the client certificate used to authenticate to the Entrust Certificate Services (ECS) API.
- - This is only used by the C(entrust) provider.
- - This is required if the provider is C(entrust).
+ - This is only used by the V(entrust) provider.
+ - This is required if the provider is V(entrust).
type: path
entrust_not_after:
description:
- The point in time at which the certificate stops being valid.
- Time can be specified either as relative time or as an absolute timestamp.
- - A valid absolute time format is C(ASN.1 TIME) such as C(2019-06-18).
- - A valid relative time format is C([+-]timespec) where timespec can be an integer + C([w | d | h | m | s]), such as C(+365d) or C(+32w1d2h)).
+ - A valid absolute time format is C(ASN.1 TIME) such as V(2019-06-18).
+ - A valid relative time format is V([+-]timespec) where timespec can be an integer + C([w | d | h | m | s]), such as V(+365d) or V(+32w1d2h)).
- Time will always be interpreted as UTC.
- Note that only the date (day, month, year) is supported for specifying the expiry date of the issued certificate.
- The full date-time is adjusted to EST (GMT -5:00) before issuance, which may result in a certificate with an expiration date one day
earlier than expected if a relative time is used.
- The minimum certificate lifetime is 90 days, and maximum is three years.
- If this value is not specified, the certificate will stop being valid 365 days the date of issue.
- - This is only used by the C(entrust) provider.
- - Please note that this value is B(not) covered by the I(ignore_timestamps) option.
+ - This is only used by the V(entrust) provider.
+ - Please note that this value is B(not) covered by the O(ignore_timestamps) option.
type: str
default: +365d
@@ -202,60 +202,60 @@ options:
description:
- The path to the specification file defining the Entrust Certificate Services (ECS) API configuration.
- You can use this to keep a local copy of the specification to avoid downloading it every time the module is used.
- - This is only used by the C(entrust) provider.
+ - This is only used by the V(entrust) provider.
type: path
default: https://cloud.entrust.net/EntrustCloud/documentation/cms-api-2.1.0.yaml
'''
BACKEND_OWNCA_DOCUMENTATION = r'''
description:
- - The C(ownca) provider is intended for generating an OpenSSL certificate signed with your own
+ - The V(ownca) provider is intended for generating an OpenSSL certificate signed with your own
CA (Certificate Authority) certificate (self-signed certificate).
options:
ownca_path:
description:
- Remote absolute path of the CA (Certificate Authority) certificate.
- - This is only used by the C(ownca) provider.
- - This is mutually exclusive with I(ownca_content).
+ - This is only used by the V(ownca) provider.
+ - This is mutually exclusive with O(ownca_content).
type: path
ownca_content:
description:
- Content of the CA (Certificate Authority) certificate.
- - This is only used by the C(ownca) provider.
- - This is mutually exclusive with I(ownca_path).
+ - This is only used by the V(ownca) provider.
+ - This is mutually exclusive with O(ownca_path).
type: str
ownca_privatekey_path:
description:
- Path to the CA (Certificate Authority) private key to use when signing the certificate.
- - This is only used by the C(ownca) provider.
- - This is mutually exclusive with I(ownca_privatekey_content).
+ - This is only used by the V(ownca) provider.
+ - This is mutually exclusive with O(ownca_privatekey_content).
type: path
ownca_privatekey_content:
description:
- Content of the CA (Certificate Authority) private key to use when signing the certificate.
- - This is only used by the C(ownca) provider.
- - This is mutually exclusive with I(ownca_privatekey_path).
+ - This is only used by the V(ownca) provider.
+ - This is mutually exclusive with O(ownca_privatekey_path).
type: str
ownca_privatekey_passphrase:
description:
- - The passphrase for the I(ownca_privatekey_path) resp. I(ownca_privatekey_content).
- - This is only used by the C(ownca) provider.
+ - The passphrase for the O(ownca_privatekey_path) resp. O(ownca_privatekey_content).
+ - This is only used by the V(ownca) provider.
type: str
ownca_digest:
description:
- - The digest algorithm to be used for the C(ownca) certificate.
- - This is only used by the C(ownca) provider.
+ - The digest algorithm to be used for the V(ownca) certificate.
+ - This is only used by the V(ownca) provider.
type: str
default: sha256
ownca_version:
description:
- - The version of the C(ownca) certificate.
- - Nowadays it should almost always be C(3).
- - This is only used by the C(ownca) provider.
+ - The version of the V(ownca) certificate.
+ - Nowadays it should almost always be V(3).
+ - This is only used by the V(ownca) provider.
type: int
default: 3
@@ -265,12 +265,12 @@ options:
- Time can be specified either as relative time or as absolute timestamp.
- Time will always be interpreted as UTC.
- Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
- + C([w | d | h | m | s]) (for example C(+32w1d2h)).
+ + C([w | d | h | m | s]) (for example V(+32w1d2h)).
- If this value is not specified, the certificate will start being valid from now.
- Note that this value is B(not used to determine whether an existing certificate should be regenerated).
- This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should
- avoid relative timestamps when setting I(ignore_timestamps=false).
- - This is only used by the C(ownca) provider.
+ This can be changed by setting the O(ignore_timestamps) option to V(false). Please note that you should
+ avoid relative timestamps when setting O(ignore_timestamps=false).
+ - This is only used by the V(ownca) provider.
type: str
default: +0s
@@ -280,12 +280,12 @@ options:
- Time can be specified either as relative time or as absolute timestamp.
- Time will always be interpreted as UTC.
- Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
- + C([w | d | h | m | s]) (for example C(+32w1d2h)).
+ + C([w | d | h | m | s]) (for example V(+32w1d2h)).
- If this value is not specified, the certificate will stop being valid 10 years from now.
- Note that this value is B(not used to determine whether an existing certificate should be regenerated).
- This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should
- avoid relative timestamps when setting I(ignore_timestamps=false).
- - This is only used by the C(ownca) provider.
+ This can be changed by setting the O(ignore_timestamps) option to V(false). Please note that you should
+ avoid relative timestamps when setting O(ignore_timestamps=false).
+ - This is only used by the V(ownca) provider.
- On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer.
Please see U(https://support.apple.com/en-us/HT210176) for more details.
type: str
@@ -294,12 +294,12 @@ options:
ownca_create_subject_key_identifier:
description:
- Whether to create the Subject Key Identifier (SKI) from the public key.
- - A value of C(create_if_not_provided) (default) only creates a SKI when the CSR does not
+ - A value of V(create_if_not_provided) (default) only creates a SKI when the CSR does not
provide one.
- - A value of C(always_create) always creates a SKI. If the CSR provides one, that one is
+ - A value of V(always_create) always creates a SKI. If the CSR provides one, that one is
ignored.
- - A value of C(never_create) never creates a SKI. If the CSR provides one, that one is used.
- - This is only used by the C(ownca) provider.
+ - A value of V(never_create) never creates a SKI. If the CSR provides one, that one is used.
+ - This is only used by the V(ownca) provider.
- Note that this is only supported if the C(cryptography) backend is used!
type: str
choices: [create_if_not_provided, always_create, never_create]
@@ -311,7 +311,7 @@ options:
a authority key identifier, it is ignored.
- The Authority Key Identifier is generated from the CA certificate's Subject Key Identifier,
if available. If it is not available, the CA certificate's public key will be used.
- - This is only used by the C(ownca) provider.
+ - This is only used by the V(ownca) provider.
- Note that this is only supported if the C(cryptography) backend is used!
type: bool
default: true
@@ -319,7 +319,7 @@ options:
BACKEND_SELFSIGNED_DOCUMENTATION = r'''
notes:
- - For the C(selfsigned) provider, I(csr_path) and I(csr_content) are optional. If not provided, a
+ - For the V(selfsigned) provider, O(csr_path) and O(csr_content) are optional. If not provided, a
certificate without any information (Subject, Subject Alternative Names, Key Usage, etc.) is created.
options:
@@ -329,28 +329,28 @@ options:
# csr_path:
# description:
- # - This is optional for the C(selfsigned) provider. If not provided, a certificate
+ # - This is optional for the V(selfsigned) provider. If not provided, a certificate
# without any information (Subject, Subject Alternative Names, Key Usage, etc.) is
# created.
# csr_content:
# description:
- # - This is optional for the C(selfsigned) provider. If not provided, a certificate
+ # - This is optional for the V(selfsigned) provider. If not provided, a certificate
# without any information (Subject, Subject Alternative Names, Key Usage, etc.) is
# created.
selfsigned_version:
description:
- - Version of the C(selfsigned) certificate.
- - Nowadays it should almost always be C(3).
- - This is only used by the C(selfsigned) provider.
+ - Version of the V(selfsigned) certificate.
+ - Nowadays it should almost always be V(3).
+ - This is only used by the V(selfsigned) provider.
type: int
default: 3
selfsigned_digest:
description:
- Digest algorithm to be used when self-signing the certificate.
- - This is only used by the C(selfsigned) provider.
+ - This is only used by the V(selfsigned) provider.
type: str
default: sha256
@@ -360,12 +360,12 @@ options:
- Time can be specified either as relative time or as absolute timestamp.
- Time will always be interpreted as UTC.
- Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
- + C([w | d | h | m | s]) (for example C(+32w1d2h)).
+ + C([w | d | h | m | s]) (for example V(+32w1d2h)).
- If this value is not specified, the certificate will start being valid from now.
- Note that this value is B(not used to determine whether an existing certificate should be regenerated).
- This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should
- avoid relative timestamps when setting I(ignore_timestamps=false).
- - This is only used by the C(selfsigned) provider.
+ This can be changed by setting the O(ignore_timestamps) option to V(false). Please note that you should
+ avoid relative timestamps when setting O(ignore_timestamps=false).
+ - This is only used by the V(selfsigned) provider.
type: str
default: +0s
aliases: [ selfsigned_notBefore ]
@@ -376,12 +376,12 @@ options:
- Time can be specified either as relative time or as absolute timestamp.
- Time will always be interpreted as UTC.
- Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
- + C([w | d | h | m | s]) (for example C(+32w1d2h)).
+ + C([w | d | h | m | s]) (for example V(+32w1d2h)).
- If this value is not specified, the certificate will stop being valid 10 years from now.
- Note that this value is B(not used to determine whether an existing certificate should be regenerated).
- This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should
- avoid relative timestamps when setting I(ignore_timestamps=false).
- - This is only used by the C(selfsigned) provider.
+ This can be changed by setting the O(ignore_timestamps) option to V(false). Please note that you should
+ avoid relative timestamps when setting O(ignore_timestamps=false).
+ - This is only used by the V(selfsigned) provider.
- On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer.
Please see U(https://support.apple.com/en-us/HT210176) for more details.
type: str
@@ -391,12 +391,12 @@ options:
selfsigned_create_subject_key_identifier:
description:
- Whether to create the Subject Key Identifier (SKI) from the public key.
- - A value of C(create_if_not_provided) (default) only creates a SKI when the CSR does not
+ - A value of V(create_if_not_provided) (default) only creates a SKI when the CSR does not
provide one.
- - A value of C(always_create) always creates a SKI. If the CSR provides one, that one is
+ - A value of V(always_create) always creates a SKI. If the CSR provides one, that one is
ignored.
- - A value of C(never_create) never creates a SKI. If the CSR provides one, that one is used.
- - This is only used by the C(selfsigned) provider.
+ - A value of V(never_create) never creates a SKI. If the CSR provides one, that one is used.
+ - This is only used by the V(selfsigned) provider.
- Note that this is only supported if the C(cryptography) backend is used!
type: str
choices: [create_if_not_provided, always_create, never_create]
diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/module_csr.py b/ansible_collections/community/crypto/plugins/doc_fragments/module_csr.py
index 81c4318a4..e2a0bdd94 100644
--- a/ansible_collections/community/crypto/plugins/doc_fragments/module_csr.py
+++ b/ansible_collections/community/crypto/plugins/doc_fragments/module_csr.py
@@ -27,12 +27,12 @@ options:
privatekey_path:
description:
- The path to the private key to use when signing the certificate signing request.
- - Either I(privatekey_path) or I(privatekey_content) must be specified if I(state) is C(present), but not both.
+ - Either O(privatekey_path) or O(privatekey_content) must be specified if O(state) is V(present), but not both.
type: path
privatekey_content:
description:
- The content of the private key to use when signing the certificate signing request.
- - Either I(privatekey_path) or I(privatekey_content) must be specified if I(state) is C(present), but not both.
+ - Either O(privatekey_path) or O(privatekey_content) must be specified if O(state) is V(present), but not both.
type: str
privatekey_passphrase:
description:
@@ -53,17 +53,17 @@ options:
description:
- Key/value pairs that will be present in the subject name field of the certificate signing request.
- If you need to specify more than one value with the same key, use a list as value.
- - If the order of the components is important, use I(subject_ordered).
- - Mutually exclusive with I(subject_ordered).
+ - If the order of the components is important, use O(subject_ordered).
+ - Mutually exclusive with O(subject_ordered).
type: dict
subject_ordered:
description:
- A list of dictionaries, where every dictionary must contain one key/value pair. This key/value pair
will be present in the subject name field of the certificate signing request.
- If you want to specify more than one value with the same key in a row, you can use a list as value.
- - Mutually exclusive with I(subject), and any other subject field option, such as I(country_name),
- I(state_or_province_name), I(locality_name), I(organization_name), I(organizational_unit_name),
- I(common_name), or I(email_address).
+ - Mutually exclusive with O(subject), and any other subject field option, such as O(country_name),
+ O(state_or_province_name), O(locality_name), O(organization_name), O(organizational_unit_name),
+ O(common_name), or O(email_address).
type: list
elements: dict
version_added: 2.0.0
@@ -108,8 +108,8 @@ options:
- Values must be prefixed by their options. (These are C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
C(otherName), and the ones specific to your CA).
- Note that if no SAN is specified, but a common name, the common
- name will be added as a SAN except if C(useCommonNameForSAN) is
- set to I(false).
+ name will be added as a SAN except if O(use_common_name_for_san) is
+ set to V(false).
- More at U(https://tools.ietf.org/html/rfc5280#section-4.2.1.6).
type: list
elements: str
@@ -122,8 +122,8 @@ options:
aliases: [ subjectAltName_critical ]
use_common_name_for_san:
description:
- - If set to C(true), the module will fill the common name in for
- C(subject_alt_name) with C(DNS:) prefix if no SAN is specified.
+ - If set to V(true), the module will fill the common name in for
+ O(subject_alt_name) with C(DNS:) prefix if no SAN is specified.
type: bool
default: true
aliases: [ useCommonNameForSAN ]
@@ -186,16 +186,16 @@ options:
description:
- For CA certificates, this specifies a list of identifiers which describe
subtrees of names that this CA is allowed to issue certificates for.
- - Values must be prefixed by their options. (i.e., C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
- C(otherName) and the ones specific to your CA).
+ - Values must be prefixed by their options. (That is, C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
+ C(otherName), and the ones specific to your CA).
type: list
elements: str
name_constraints_excluded:
description:
- For CA certificates, this specifies a list of identifiers which describe
subtrees of names that this CA is B(not) allowed to issue certificates for.
- - Values must be prefixed by their options. (i.e., C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
- C(otherName) and the ones specific to your CA).
+ - Values must be prefixed by their options. (That is, C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
+ C(otherName), and the ones specific to your CA).
type: list
elements: str
name_constraints_critical:
@@ -206,8 +206,8 @@ options:
select_crypto_backend:
description:
- Determines which crypto backend to use.
- - The default choice is C(auto), which tries to use C(cryptography) if available.
- - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
+ - The default choice is V(auto), which tries to use C(cryptography) if available.
+ - If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
type: str
default: auto
choices: [ auto, cryptography ]
@@ -223,49 +223,51 @@ options:
subject_key_identifier:
description:
- The subject key identifier as a hex string, where two bytes are separated by colons.
- - "Example: C(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)"
+ - "Example: V(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)"
- "Please note that commercial CAs ignore this value, respectively use a value of their
own choice. Specifying this option is mostly useful for self-signed certificates
or for own CAs."
- - Note that this option can only be used if I(create_subject_key_identifier) is C(false).
+ - Note that this option can only be used if O(create_subject_key_identifier) is V(false).
- Note that this is only supported if the C(cryptography) backend is used!
type: str
authority_key_identifier:
description:
- The authority key identifier as a hex string, where two bytes are separated by colons.
- - "Example: C(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)"
+ - "Example: V(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)"
- "Please note that commercial CAs ignore this value, respectively use a value of their
own choice. Specifying this option is mostly useful for self-signed certificates
or for own CAs."
- Note that this is only supported if the C(cryptography) backend is used!
- - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier),
- I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
+ - The C(AuthorityKeyIdentifier) extension will only be added if at least one of O(authority_key_identifier),
+ O(authority_cert_issuer) and O(authority_cert_serial_number) is specified.
type: str
authority_cert_issuer:
description:
- Names that will be present in the authority cert issuer field of the certificate signing request.
- - Values must be prefixed by their options. (i.e., C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
- C(otherName) and the ones specific to your CA)
- - "Example: C(DNS:ca.example.org)"
- - If specified, I(authority_cert_serial_number) must also be specified.
+ - Values must be prefixed by their options. (That is, C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
+ C(otherName), and the ones specific to your CA)
+ - "Example: V(DNS:ca.example.org)"
+ - If specified, O(authority_cert_serial_number) must also be specified.
- "Please note that commercial CAs ignore this value, respectively use a value of their
own choice. Specifying this option is mostly useful for self-signed certificates
or for own CAs."
- Note that this is only supported if the C(cryptography) backend is used!
- - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier),
- I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
+ - The C(AuthorityKeyIdentifier) extension will only be added if at least one of O(authority_key_identifier),
+ O(authority_cert_issuer) and O(authority_cert_serial_number) is specified.
type: list
elements: str
authority_cert_serial_number:
description:
- The authority cert serial number.
- - If specified, I(authority_cert_issuer) must also be specified.
+ - If specified, O(authority_cert_issuer) must also be specified.
- Note that this is only supported if the C(cryptography) backend is used!
- "Please note that commercial CAs ignore this value, respectively use a value of their
own choice. Specifying this option is mostly useful for self-signed certificates
or for own CAs."
- - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier),
- I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
+ - The C(AuthorityKeyIdentifier) extension will only be added if at least one of O(authority_key_identifier),
+ O(authority_cert_issuer) and O(authority_cert_serial_number) is specified.
+ - This option accepts an B(integer). If you want to provide serial numbers as colon-separated hex strings,
+ such as C(11:22:33), you need to convert them to an integer with P(community.crypto.parse_serial#filter).
type: int
crl_distribution_points:
description:
@@ -277,15 +279,15 @@ options:
full_name:
description:
- Describes how the CRL can be retrieved.
- - Mutually exclusive with I(relative_name).
- - "Example: C(URI:https://ca.example.com/revocations.crl)."
+ - Mutually exclusive with O(crl_distribution_points[].relative_name).
+ - "Example: V(URI:https://ca.example.com/revocations.crl)."
type: list
elements: str
relative_name:
description:
- Describes how the CRL can be retrieved relative to the CRL issuer.
- - Mutually exclusive with I(full_name).
- - "Example: C(/CN=example.com)."
+ - Mutually exclusive with O(crl_distribution_points[].full_name).
+ - "Example: V(/CN=example.com)."
- Can only be used when cryptography >= 1.6 is installed.
type: list
elements: str
@@ -322,4 +324,6 @@ seealso:
- module: community.crypto.openssl_privatekey_pipe
- module: community.crypto.openssl_publickey
- module: community.crypto.openssl_csr_info
+- plugin: community.crypto.parse_serial
+ plugin_type: filter
'''
diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey.py b/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey.py
index a27b26c7d..d039cf1c0 100644
--- a/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey.py
+++ b/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey.py
@@ -18,11 +18,6 @@ description:
L(ECC,https://en.wikipedia.org/wiki/Elliptic-curve_cryptography) or
L(EdDSA,https://en.wikipedia.org/wiki/EdDSA) private keys.
- Keys are generated in PEM format.
- - "Please note that the module regenerates private keys if they do not match
- the module's options. In particular, if you provide another passphrase
- (or specify none), change the keysize, etc., the private key will be
- regenerated. If you are concerned that this could B(overwrite your private key),
- consider using the I(backup) option."
requirements:
- cryptography >= 1.2.3 (older versions might work as well)
options:
@@ -34,20 +29,20 @@ options:
type:
description:
- The algorithm used to generate the TLS/SSL private key.
- - Note that C(ECC), C(X25519), C(X448), C(Ed25519) and C(Ed448) require the C(cryptography) backend.
- C(X25519) needs cryptography 2.5 or newer, while C(X448), C(Ed25519) and C(Ed448) require
- cryptography 2.6 or newer. For C(ECC), the minimal cryptography version required depends on the
- I(curve) option.
+ - Note that V(ECC), V(X25519), V(X448), V(Ed25519), and V(Ed448) require the C(cryptography) backend.
+ V(X25519) needs cryptography 2.5 or newer, while V(X448), V(Ed25519), and V(Ed448) require
+ cryptography 2.6 or newer. For V(ECC), the minimal cryptography version required depends on the
+ O(curve) option.
type: str
default: RSA
choices: [ DSA, ECC, Ed25519, Ed448, RSA, X25519, X448 ]
curve:
description:
- Note that not all curves are supported by all versions of C(cryptography).
- - For maximal interoperability, C(secp384r1) or C(secp256r1) should be used.
+ - For maximal interoperability, V(secp384r1) or V(secp256r1) should be used.
- We use the curve names as defined in the
L(IANA registry for TLS,https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8).
- - Please note that all curves except C(secp224r1), C(secp256k1), C(secp256r1), C(secp384r1) and C(secp521r1)
+ - Please note that all curves except V(secp224r1), V(secp256k1), V(secp256r1), V(secp384r1), and V(secp521r1)
are discouraged for new private keys.
type: str
choices:
@@ -76,13 +71,13 @@ options:
type: str
cipher:
description:
- - The cipher to encrypt the private key. Must be C(auto).
+ - The cipher to encrypt the private key. Must be V(auto).
type: str
select_crypto_backend:
description:
- Determines which crypto backend to use.
- - The default choice is C(auto), which tries to use C(cryptography) if available.
- - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
+ - The default choice is V(auto), which tries to use C(cryptography) if available.
+ - If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
type: str
default: auto
choices: [ auto, cryptography ]
@@ -90,11 +85,11 @@ options:
description:
- Determines which format the private key is written in. By default, PKCS1 (traditional OpenSSL format)
is used for all keys which support it. Please note that not every key can be exported in any format.
- - The value C(auto) selects a format based on the key format. The value C(auto_ignore) does the same,
+ - The value V(auto) selects a format based on the key format. The value V(auto_ignore) does the same,
but for existing private key files, it will not force a regenerate when its format is not the automatically
selected one for generation.
- Note that if the format for an existing private key mismatches, the key is B(regenerated) by default.
- To change this behavior, use the I(format_mismatch) option.
+ To change this behavior, use the O(format_mismatch) option.
type: str
default: auto_ignore
choices: [ pkcs1, pkcs8, raw, auto, auto_ignore ]
@@ -102,8 +97,8 @@ options:
description:
- Determines behavior of the module if the format of a private key does not match the expected format, but all
other parameters are as expected.
- - If set to C(regenerate) (default), generates a new private key.
- - If set to C(convert), the key will be converted to the new format instead.
+ - If set to V(regenerate) (default), generates a new private key.
+ - If set to V(convert), the key will be converted to the new format instead.
- Only supported by the C(cryptography) backend.
type: str
default: regenerate
@@ -114,24 +109,24 @@ options:
The module will always generate a new key if the destination file does not exist.
- By default, the key will be regenerated when it does not match the module's options,
except when the key cannot be read or the passphrase does not match. Please note that
- this B(changed) for Ansible 2.10. For Ansible 2.9, the behavior was as if C(full_idempotence)
+ this B(changed) for Ansible 2.10. For Ansible 2.9, the behavior was as if V(full_idempotence)
is specified.
- - If set to C(never), the module will fail if the key cannot be read or the passphrase
+ - If set to V(never), the module will fail if the key cannot be read or the passphrase
is not matching, and will never regenerate an existing key.
- - If set to C(fail), the module will fail if the key does not correspond to the module's
+ - If set to V(fail), the module will fail if the key does not correspond to the module's
options.
- - If set to C(partial_idempotence), the key will be regenerated if it does not conform to
+ - If set to V(partial_idempotence), the key will be regenerated if it does not conform to
the module's options. The key is B(not) regenerated if it cannot be read (broken file),
the key is protected by an unknown passphrase, or when they key is not protected by a
passphrase, but a passphrase is specified.
- - If set to C(full_idempotence), the key will be regenerated if it does not conform to the
+ - If set to V(full_idempotence), the key will be regenerated if it does not conform to the
module's options. This is also the case if the key cannot be read (broken file), the key
is protected by an unknown passphrase, or when they key is not protected by a passphrase,
but a passphrase is specified. Make sure you have a B(backup) when using this option!
- - If set to C(always), the module will always regenerate the key. This is equivalent to
- setting I(force) to C(true).
- - Note that if I(format_mismatch) is set to C(convert) and everything matches except the
- format, the key will always be converted, except if I(regenerate) is set to C(always).
+ - If set to V(always), the module will always regenerate the key. This is equivalent to
+ setting O(force) to V(true).
+ - Note that if O(format_mismatch) is set to V(convert) and everything matches except the
+ format, the key will always be converted, except if O(regenerate) is set to V(always).
type: str
choices:
- never
diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey_convert.py b/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey_convert.py
index f1c6f70ec..973d1fe00 100644
--- a/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey_convert.py
+++ b/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey_convert.py
@@ -18,12 +18,12 @@ options:
src_path:
description:
- Name of the file containing the OpenSSL private key to convert.
- - Exactly one of I(src_path) or I(src_content) must be specified.
+ - Exactly one of O(src_path) or O(src_content) must be specified.
type: path
src_content:
description:
- The content of the file containing the OpenSSL private key to convert.
- - Exactly one of I(src_path) or I(src_content) must be specified.
+ - Exactly one of O(src_path) or O(src_content) must be specified.
type: str
src_passphrase:
description:
diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/name_encoding.py b/ansible_collections/community/crypto/plugins/doc_fragments/name_encoding.py
index fec94380d..b51408530 100644
--- a/ansible_collections/community/crypto/plugins/doc_fragments/name_encoding.py
+++ b/ansible_collections/community/crypto/plugins/doc_fragments/name_encoding.py
@@ -14,12 +14,12 @@ options:
name_encoding:
description:
- How to encode names (DNS names, URIs, email addresses) in return values.
- - C(ignore) will use the encoding returned by the backend.
- - C(idna) will convert all labels of domain names to IDNA encoding.
+ - V(ignore) will use the encoding returned by the backend.
+ - V(idna) will convert all labels of domain names to IDNA encoding.
IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 encoding fails.
- - C(unicode) will convert all labels of domain names to Unicode.
+ - V(unicode) will convert all labels of domain names to Unicode.
IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 decoding fails.
- - B(Note) that C(idna) and C(unicode) require the L(idna Python library,https://pypi.org/project/idna/) to be installed.
+ - B(Note) that V(idna) and V(unicode) require the L(idna Python library,https://pypi.org/project/idna/) to be installed.
type: str
default: ignore
choices:
@@ -27,5 +27,5 @@ options:
- idna
- unicode
requirements:
- - If I(name_encoding) is set to another value than C(ignore), the L(idna Python library,https://pypi.org/project/idna/) needs to be installed.
+ - If O(name_encoding) is set to another value than V(ignore), the L(idna Python library,https://pypi.org/project/idna/) needs to be installed.
'''
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-02 11:10:04 +0000