fortinet.fortios.fortios_vpn_certificate_setting – VPN certificate setting in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 1.1.8).
To install it use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_certificate_setting.
New in version 2.9: of fortinet.fortios
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_certificate feature and setting category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
| Parameter | Choices/Defaults | Comments | |
|---|---|---|---|
| access_token string | Token-based authentication. Generated from GUI of Fortigate. | ||
| vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. | |
| vpn_certificate_setting dictionary | VPN certificate setting. | ||
| certname_dsa1024 string | 1024 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
| certname_dsa2048 string | 2048 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
| certname_ecdsa256 string | 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
| certname_ecdsa384 string | 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
| certname_rsa1024 string | 1024 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
| certname_rsa2048 string | 2048 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
| check_ca_cert string |
| Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted . | |
| check_ca_chain string |
| Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted . | |
| cmp_save_extra_certs string |
| Enable/disable saving extra certificates in CMP mode. | |
| cn_match string |
| When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name. | |
| ocsp_default_server string | Default OCSP server. Source vpn.certificate.ocsp-server.name. | ||
| ocsp_status string |
| Enable/disable receiving certificates using the OCSP. | |
| ssl_ocsp_option string |
| Specify whether the OCSP URL is from the certificate or the default OCSP server. | |
| ssl_ocsp_status string |
| Enable/disable SSL OCSP. | |
| strict_crl_check string |
| Enable/disable strict mode CRL checking. | |
| strict_ocsp_check string |
| Enable/disable strict mode OCSP checking. | |
| subject_match string |
| When searching for a matching certificate, control how to find matches in the certificate subject name. | |
Notes
Note
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: VPN certificate setting.
fortios_vpn_certificate_setting:
vdom: "{{ vdom }}"
vpn_certificate_setting:
certname_dsa1024: "<your_own_value> (source vpn.certificate.local.name)"
certname_dsa2048: "<your_own_value> (source vpn.certificate.local.name)"
certname_ecdsa256: "<your_own_value> (source vpn.certificate.local.name)"
certname_ecdsa384: "<your_own_value> (source vpn.certificate.local.name)"
certname_rsa1024: "<your_own_value> (source vpn.certificate.local.name)"
certname_rsa2048: "<your_own_value> (source vpn.certificate.local.name)"
check_ca_cert: "enable"
check_ca_chain: "enable"
cmp_save_extra_certs: "enable"
cn_match: "substring"
ocsp_default_server: "<your_own_value> (source vpn.certificate.ocsp-server.name)"
ocsp_status: "enable"
ssl_ocsp_option: "certificate"
ssl_ocsp_status: "enable"
strict_crl_check: "enable"
strict_ocsp_check: "enable"
subject_match: "substring"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build string | always | Build number of the fortigate image Sample: 1547 |
| http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
| http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
| mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
| name string | always | Name of the table used to fulfill the request Sample: urlfilter |
| path string | always | Path of the table used to fulfill the request Sample: webfilter |
| revision string | always | Internal revision number Sample: 17.0.2.10658 |
| serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
| status string | always | Indication of the operation's result Sample: success |
| vdom string | always | Virtual domain used Sample: root |
| version string | always | Version of the FortiGate Sample: v5.6.3 |
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/fortinet/fortios/fortios_vpn_certificate_setting_module.html