ansible.windows.win_certificate_store module – Manages the certificate store
Note
This module is part of the ansible.windows collection (version 2.5.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run `ansible-galaxy collection list`.
To install it, use: `ansible-galaxy collection install ansible.windows`.
To use it in a playbook, specify: `ansible.windows.win_certificate_store`.
Synopsis
- Used to import/export and remove certificates and keys from the local certificate store.
- This module is not used to create certificates and will only manage existing certs as a file or in the store.
- It can be used to import PEM, DER, P7B, PKCS12 (PFX) certificates and export PEM, DER and PKCS12 certificates.
Parameters
Parameter | Comments |
---|---|
file_type string | The file type to export the certificate as when When Choices: |
key_exportable boolean | Whether to allow the private key to be exported. If Used when Choices: |
key_storage string | Specifies where Windows will store the private key when it is imported. When set to When set to When set to Used when See https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags.aspx for more details. Choices: |
password string | The password of the pkcs12 certificate key. This is used when reading a pkcs12 certificate file or the password to set when If the pkcs12 file has no password set or no password should be set on the exported file, do not set this option. |
path path | The path to a certificate file. This is required when state is When state is |
state string | If If If When exporting a certificate, if path is a directory then the module will fail, otherwise the file will be replaced if needed. Choices: |
store_location string | The store location to use when importing a certificate or searching for a certificate. Can be set to Defaults to Must be set to any service name when Default: |
store_name string | The store name to use when importing a certificate or searching for a certificate. Default: |
store_type string added in ansible.windows 1.5.0 | The store type to manage. Use Use Choices: |
thumbprint string | The thumbprint as a hex string to either export or remove. See the examples for how to specify the thumbprint. |
Notes
Note
- Some actions on PKCS12 certificates and keys may fail with the error `the specified network password is not correct`; either use CredSSP or Kerberos with credential delegation, or use `become` to bypass these restrictions.
- The certificates must be located on the Windows host to be set with path.
- When importing a certificate for usage in IIS, it is generally required to use the `machine` key_storage option, as both `default` and `user` will make the private key unreadable to IIS APPPOOL identities and prevent binding the certificate to the https endpoint.
Examples
```yaml
- name: Import a certificate
  ansible.windows.win_certificate_store:
    path: C:\Temp\cert.pem
    state: present

- name: Import pfx certificate that is password protected
  ansible.windows.win_certificate_store:
    path: C:\Temp\cert.pfx
    state: present
    password: VeryStrongPasswordHere!
  become: true
  become_method: runas

- name: Import pfx certificate without password and set private key as un-exportable
  ansible.windows.win_certificate_store:
    path: C:\Temp\cert.pfx
    state: present
    key_exportable: false
  # usually you don't set this here but it is for illustrative purposes
  vars:
    ansible_winrm_transport: credssp

- name: Remove a certificate based on file thumbprint
  ansible.windows.win_certificate_store:
    path: C:\Temp\cert.pem
    state: absent

- name: Remove a certificate based on thumbprint
  ansible.windows.win_certificate_store:
    thumbprint: BD7AF104CF1872BDB518D95C9534EA941665FD27
    state: absent

- name: Remove certificate based on thumbprint in CurrentUser/TrustedPublishers store
  ansible.windows.win_certificate_store:
    thumbprint: BD7AF104CF1872BDB518D95C9534EA941665FD27
    state: absent
    store_location: CurrentUser
    store_name: TrustedPublisher

- name: Export certificate as der encoded file
  ansible.windows.win_certificate_store:
    path: C:\Temp\cert.cer
    state: exported
    file_type: der

- name: Export certificate and key as pfx encoded file
  ansible.windows.win_certificate_store:
    path: C:\Temp\cert.pfx
    state: exported
    file_type: pkcs12
    password: AnotherStrongPass!
  become: true
  become_method: runas
  become_user: SYSTEM

- name: Import certificate to be used by IIS
  ansible.windows.win_certificate_store:
    path: C:\Temp\cert.pfx
    file_type: pkcs12
    password: StrongPassword!
    store_location: LocalMachine
    key_storage: machine
    state: present
  become: true
  become_method: runas
  become_user: SYSTEM

- name: Import certificate to be used for LDAPS
  ansible.windows.win_certificate_store:
    path: C:\Temp\cert.pfx
    password: StrongPassword!
    store_type: service
    store_location: NTDS
    key_exportable: false
    key_storage: machine
    state: present
```
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Description |
---|---|
thumbprints list / elements=string | A list of certificate thumbprints that were touched by the module. Returned: success Sample: |
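An added example (not part of the collection's own documentation) that combines the notes above with the `thumbprints` return value: it stages a PFX on the host, imports it with a non-exportable machine key, checks the returned thumbprint and removes the staged file. The file names, the `pfx_password` and `expected_thumbprint` variables and the `My` store are assumptions.

```yaml
# Added example: paths, variable names and the expected thumbprint are assumptions.
- name: Import a PFX with a non-exportable machine key and clean up the staged file
  block:
    - name: Stage the PFX on the Windows host (path must be local to the host)
      ansible.windows.win_copy:
        src: files/web01.pfx              # hypothetical file on the controller
        dest: C:\Temp\web01.pfx

    - name: Import into LocalMachine\My with a non-exportable private key
      ansible.windows.win_certificate_store:
        path: C:\Temp\web01.pfx
        file_type: pkcs12
        password: "{{ pfx_password }}"    # assumed to be supplied from Ansible Vault
        store_location: LocalMachine
        store_name: My
        key_storage: machine              # readable by IIS APPPOOL identities
        key_exportable: false
        state: present
      become: true
      become_method: runas
      become_user: SYSTEM
      no_log: true                        # keep the password out of task output
      register: import_result

    - name: Confirm the expected certificate is among the touched thumbprints
      ansible.builtin.assert:
        that:
          # compare case-insensitively; thumbprints is the module's return value
          - (expected_thumbprint | upper) in (import_result.thumbprints | map('upper') | list)
        fail_msg: Imported certificate does not match the expected thumbprint

  always:
    - name: Remove the staged PFX so the key material does not stay on disk
      ansible.windows.win_file:
        path: C:\Temp\web01.pfx
        state: absent
```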
© 2012–2018 Michael DeHaan
© 2018–2024 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/ansible/windows/win_certificate_store_module.html