win_certificate_store - Manages the certificate store
New in version 2.5.
Synopsis
- Used to import/export and remove certificates and keys from the local certificate store.
- This module is not used to create certificates and will only manage existing certs as a file or in the store.
- It can be used to import PEM, DER, P7B, PKCS12 (PFX) certificates and export PEM, DER and PKCS12 certificates.
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
file_type |
| The file type to export the certificate as when state=exported .der is a binary ASN.1 encoded file.pem is a base64 encoded file of a der file in the OpenSSL form.pkcs12 (also known as pfx) is a binary container that contains both the certificate and private key unlike the other options.When pkcs12 is set and the private key is not exportable or accessible by the current user, it will throw an exception. |
key_exportable |
| Whether to allow the private key to be exported. If no , then this module and other process will only be able to export the certificate and the private key cannot be exported.Used when state=present only. |
key_storage |
| Specifies where Windows will store the private key when it is imported. When set to default , the default option as set by Windows is used.When set to machine , the key is stored in a path accessible by various users.When set to user , the key is stored in a path only accessible by the current user.Used when state=present only and cannot be changed once imported. |
password | The password of the pkcs12 certificate key. This is used when reading a pkcs12 certificate file or the password to set when state=exported and file_type=pkcs12 .If the pkcs12 file has no password set or no password should be set on the exported file, do not set this option. | |
path | The path to a certificate file. This is required when state is present or exported .When state is absent and thumbprint is not specified, the thumbprint is derived from the certificate at this path. | |
state |
| If present , will ensure that the certificate at path is imported into the certificate store specified.If absent , will ensure that the certificate specified by thumbprint or the thumbprint of the cert at path is removed from the store specified.If exported , will ensure the file at path is a certificate specified by thumbprint.When exporting a certificate, if path is a directory then the module will fail, otherwise the file will be replaced if needed. |
store_location |
| The store location to use when importing a certificate or searching for a certificate. |
store_name |
| The store name to use when importing a certificate or searching for a certificate. AddressBook : The X.509 certificate store for other usersAuthRoot : The X.509 certificate store for third-party certificate authorities (CAs)CertificateAuthority : The X.509 certificate store for intermediate certificate authorities (CAs)Disallowed : The X.509 certificate store for revoked certificatesMy : The X.509 certificate store for personal certificatesRoot : The X.509 certificate store for trusted root certificate authorities (CAs)TrustedPeople : The X.509 certificate store for directly trusted people and resourcesTrustedPublisher : The X.509 certificate store for directly trusted publishers |
thumbprint | The thumbprint as a hex string to either export or remove. See the examples for how to specify the thumbprint. |
Notes
Note
- Some actions on PKCS12 certificates and keys may fail with the error
the specified network password is not correct
, either use CredSSP or Kerberos with credential delegation, or usebecome
to bypass these restrictions. - The certificates must be located on the Windows host to be set with path.
Examples
- name: import a certificate win_certificate_store: path: C:\temp\cert.pem state: present - name: import pfx certificate that is password protected win_certificate_store: path: C:\temp\cert.pfx state: present password: VeryStrongPasswordHere! become: yes become_method: runas - name: import pfx certificate without password and set private key as un-exportable win_certificate_store: path: C:\temp\cert.pfx state: present key_exportable: no # usually you don't set this here but it is for illustrative purposes vars: ansible_winrm_transport: credssp - name: remove a certificate based on file thumbprint win_certificate_store: path: C:\temp\cert.pem state: absent - name: remove a certificate based on thumbprint win_certificate_store: thumbprint: BD7AF104CF1872BDB518D95C9534EA941665FD27 state: absent - name: remove certificate based on thumbprint is CurrentUser/TrustedPublishers store win_certificate_store: thumbprint: BD7AF104CF1872BDB518D95C9534EA941665FD27 state: absent store_location: CurrentUser store_name: TrustedPublisher - name: export certificate as der encoded file win_certificate_store: path: C:\temp\cert.cer state: exported file_type: der - name: export certificate and key as pfx encoded file win_certificate_store: path: C:\temp\cert.pfx state: exported file_type: pkcs12 password: AnotherStrongPass! become: yes become_method: runas become_user: SYSTEM
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
thumbprints list | success | A list of certificate thumbprints that were touched by the module. Sample: ['BC05633694E675449136679A658281F17A191087'] |
Status
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
Author
- Jordan Borean (@jborean93)
Hint
If you notice any issues in this documentation you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.5/modules/win_certificate_store_module.html