pfsense_cert
Orion Poplawski edited this page Jan 13, 2023 · 1 revision
Manage pfSense certificates
ADDED IN: version 0.5.0 of pfsensible.core
OPTIONS (= is mandatory):
- altnames
The Alternative Names. A list of additional identifiers for
the certificate, given as comma-separated values in the form:
DNS:hostname,IP:X.X.X.X,email:user@mail,URI:url
default: null
type: str
- ca
The Certificate Authority
default: null
type: str
- certificate
The certificate to import. This can be in PEM form or Base64
encoded PEM as a single string (which is how pfSense stores
it).
default: null
type: str
- certtype
Type of the certificate ('user' is a certificate for the user)
choices: [user, server]
default: user
type: str
- digestalg
The digest method used when the certificate is signed
choices: [sha1, sha224, sha256, sha384, sha512]
default: sha256
type: str
- dn_city
The City
default: null
type: str
- dn_country
The Country Code
default: null
type: str
- dn_organization
The Organization
default: null
type: str
- dn_organizationalunit
The Organizational Unit
default: null
type: str
- dn_state
The State or Province
default: null
type: str
- ecname
The Elliptic Curve Name to use when generating a new ECDSA key
choices: [secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1,
secp224k1, secp224r1, secp256k1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3,
prime239v1, prime239v2, prime239v3, prime256v1, sect113r1, sect113r2, sect131r1,
sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1,
sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2pnb163v1,
c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1,
c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359v1, c2pnb368w1,
c2tnb431r1, wap-wsg-idm-ecid-wtls1, wap-wsg-idm-ecid-wtls3, wap-wsg-idm-ecid-wtls4,
wap-wsg-idm-ecid-wtls5, wap-wsg-idm-ecid-wtls6, wap-wsg-idm-ecid-wtls7, wap-wsg-idm-ecid-wtls8,
wap-wsg-idm-ecid-wtls9, wap-wsg-idm-ecid-wtls10, wap-wsg-idm-ecid-wtls11, wap-wsg-idm-ecid-wtls12,
Oakley-EC2N-3, Oakley-EC2N-4, brainpoolP160r1, brainpoolP160t1, brainpoolP192r1,
brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1,
brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1,
brainpoolP512t1, SM2]
default: prime256v1
type: str
- key
The key to import. This can be in PEM form or Base64 encoded
PEM as a single string (which is how pfSense stores it).
default: null
type: str
- keylen
The length to use when generating a new RSA key, in bits
default: '2048'
type: str
- keytype
The type of key to generate
choices: [RSA, ECDSA]
default: RSA
type: str
- lifetime
The length of time the signed certificate will be valid, in
days
default: '3650'
type: str
- method
How the certificate is created (generated internally or imported)
choices: [internal, import]
default: internal
type: str
= name
The name of the certificate
type: str
- state
State in which to leave the certificate
choices: [present, absent]
default: present
type: str
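The altnames string and the two storage forms of certificate/key (PEM, or the single-line Base64-encoded PEM that pfSense keeps in its configuration) are easy to get subtly wrong in a playbook. The following helper is an added example written for this page; it is not part of pfsensible.core and does not call the module. It assumes only what the option table above documents: the TYPE:value altnames syntax, the two accepted certificate/key encodings, and the documented choices for method, state, certtype and keytype. The PEM strings it carries are constructed placeholders, not real key material, and the function names are hypothetical.

```python
"""Prepare and sanity-check argument dicts for pfsense_cert tasks.

Added example, not pfsensible.core code. Assumes the documented option
semantics: altnames is 'DNS:host,IP:x.x.x.x,email:a@b,URI:url', and
certificate/key may be PEM or Base64-encoded single-line PEM.
"""
import base64
import ipaddress
import json
import re

SAN_TYPES = ("DNS", "IP", "email", "URI")

# Constructed placeholders so the example runs offline; not real credentials.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----"


def parse_altnames(altnames):
    """Split the documented comma-separated TYPE:value string into
    (type, value) tuples, rejecting entries of an unknown type, with an
    empty value, or (for IP/DNS/email) with an obviously malformed value.
    Commas inside a URI are not supported by the documented syntax."""
    entries = []
    for item in altnames.split(","):
        item = item.strip()
        if not item:
            continue
        kind, sep, value = item.partition(":")
        if not sep or kind not in SAN_TYPES or not value:
            raise ValueError("bad altname entry: %r" % item)
        if kind == "IP":
            ipaddress.ip_address(value)  # raises ValueError if malformed
        elif kind == "DNS" and not re.fullmatch(r"[A-Za-z0-9*.-]+", value):
            raise ValueError("bad DNS altname: %r" % value)
        elif kind == "email" and "@" not in value:
            raise ValueError("bad email altname: %r" % value)
        entries.append((kind, value))
    return entries


def altnames_valid(altnames):
    """True when parse_altnames() accepts the string."""
    try:
        parse_altnames(altnames)
        return True
    except ValueError:
        return False


def to_pfsense_b64(data):
    """Return the single-line Base64 form pfSense stores. Accepts PEM or
    already-encoded input; the latter is verified to decode to PEM so a
    typo or truncated paste is caught before it reaches the firewall."""
    text = data.strip()
    if text.startswith("-----BEGIN"):
        return base64.b64encode(text.encode() + b"\n").decode()
    compact = "".join(text.split())  # tolerate wrapped Base64
    decoded = base64.b64decode(compact, validate=True)  # ValueError if not Base64
    if not decoded.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("input is neither PEM nor Base64-encoded PEM")
    return compact


def cert_task(name, method="internal", state="present", **opts):
    """Build the argument dict for one pfsense_cert task. Returns a plain
    dict; json.dumps() of it is valid YAML for pasting into a playbook."""
    if method not in ("internal", "import"):
        raise ValueError("method must be internal or import")
    if state not in ("present", "absent"):
        raise ValueError("state must be present or absent")
    if state == "absent":
        return {"name": name, "state": state}  # removal needs only the name
    task = {"name": name, "method": method, "state": state}
    if method == "import":
        for field in ("certificate", "key"):
            if field not in opts:
                raise ValueError("import requires %s" % field)
            task[field] = to_pfsense_b64(opts.pop(field))
    elif "ca" not in opts:
        raise ValueError("internal requires ca")
    if "altnames" in opts:
        parse_altnames(opts["altnames"])  # raises on a malformed entry
    for field, allowed in (("certtype", ("user", "server")),
                           ("keytype", ("RSA", "ECDSA"))):
        if field in opts and opts[field] not in allowed:
            raise ValueError("%s must be one of %s" % (field, allowed))
    task.update(opts)
    return task


if __name__ == "__main__":
    # Internal ECDSA server certificate with SANs; prints the task arguments.
    print(json.dumps(cert_task("vpn-server", ca="internal-ca", keytype="ECDSA",
                               ecname="prime256v1", certtype="server",
                               altnames="DNS:vpn.example.org,IP:192.0.2.10"),
                     indent=2))
    print(json.dumps(cert_task("imported", method="import",
                               certificate=FAKE_CERT, key=FAKE_KEY), indent=2))
```

The import path normalises both fields to the stored Base64 form, so a task reads the same whether the operator pasted PEM or a value copied out of pfSense; the idempotence of `to_pfsense_b64` means re-running the helper over its own output changes nothing. Private keys should still come from a vault or lookup rather than being written into the playbook in the clear, as the page's own import example does for illustration.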
AUTHOR: Carlos Rodrigues (@cmarodrigues)
METADATA:
metadata_version: '1.1'
status:
- preview
supported_by: community
EXAMPLES:
- name: Generate new internal certificate
  pfsense_cert:
    method: "internal"
    name: "test"
    ca: "internal-ca"
    keytype: "RSA"
    keylen: 2048
    lifetime: 3650
    dn_country: "PT"
    dn_organization: "Dummy"
    certtype: "user"
    state: present

- name: Import certificate
  pfsense_cert:
    method: "import"
    name: "test"
    certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUUxVENDQXIyZ0F3...
    key: |
      -----BEGIN PRIVATE KEY-----
      MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4yY0SI8lWNN2B
      ...
      i0LiJ+QOek6Qy+51kMK3rXNsQQ==
      -----END PRIVATE KEY-----
    certtype: "user"
    state: present

- name: Remove certificate
  pfsense_cert:
    name: "test"
    state: absent