Last updated on: 2024-04-01 03:24:20.
bigip_device_certificate – Manage self-signed device certificates¶
New in version 1.0.0.
Parameters¶
| Parameter | Choices/Defaults | Configuration | Comments | |
|---|---|---|---|---|
|
add_to_trusted
boolean
|
|
Specifies if the certificate should be added to the trusted client and server certificate files.
|
||
|
cert_name
string
|
Default: "server.crt"
|
Specifies the full name of the certificate file.
If the name is not default
server.crt, the module will configure httpd to use them prior to restarting the httpd daemon. |
||
|
days_valid
integer
/ required
|
Specifies the interval for which the self-signed certificate is valid.
The maximum value is 25 years:
9125 days |
|||
|
force
boolean
|
|
When
true, will update or overwrite the existing certificate when it is not expired on the device.When
false, the certificate will only be updated/overwritten if expired.Generally should be
true only in cases where you need to update certificate that is about to expire.This option is also needed when generating a new certificate to replace non-expired one.
|
||
|
issuer
dictionary
|
Certificate properties, required when generating new certificates.
|
|||
|
common_name
string
|
Specifies the Common Name attribute for the certificate.
|
|||
|
country
string
|
Specifies the Country name attribute for the certificate.
|
|||
|
division
string
|
Specifies the department name attribute for the certificate.
|
|||
|
email
string
|
Specifies the email address of the domain administrator.
|
|||
|
locality
string
|
Specifies the city or town name for the certificate.
|
|||
|
organization
string
|
Specifies the Organization attribute for the certificate.
|
|||
|
state
string
|
Specifies the State or Province attribute for the certificate.
|
|||
|
key_name
string
|
Default: "server.key"
|
Specifies the full name of the key file.
If the name is not default
server.key, the module will configure httpd to use them prior to restarting the httpd daemon. |
||
|
key_size
integer
|
|
Specifies the desired key size in bits.
Mandatory option when generating a new certificate.
|
||
|
new_cert
boolean
|
|
Specifies if the module should generate a new certificate.
When
true, the device certificate and key will be replaced. |
||
|
provider
dictionary
added in 1.0.0 |
A dict object containing connection details.
|
|||
|
auth_provider
string
|
Configures the auth provider for to obtain authentication tokens from the remote device.
This option is really used when working with BIG-IQ devices.
|
|||
|
no_f5_teem
boolean
|
|
If
yes, TEEM telemetry data is not sent to F5.You may omit this option by setting the environment variable
F5_TELEMETRY_OFF.Previously used variable
F5_TEEM is deprecated as its name was confusing. |
||
|
password
string
/ required
|
The password for the user account used to connect to the BIG-IP.
You may omit this option by setting the environment variable
F5_PASSWORD.aliases: pass, pwd |
|||
|
server
string
/ required
|
The BIG-IP host.
You may omit this option by setting the environment variable
F5_SERVER. |
|||
|
server_port
integer
|
Default: 22
|
The BIG-IP server port.
You may omit this option by setting the environment variable
F5_SERVER_PORT. |
||
|
ssh_keyfile
path
|
Specifies the SSH keyfile to use to authenticate the connection to the remote device. This argument is only used for cli transports.
You may omit this option by setting the environment variable
ANSIBLE_NET_SSH_KEYFILE. |
|||
|
timeout
integer
|
Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.
|
|||
|
transport
string
|
|
Configures the transport connection to use when connecting to the remote device.
|
||
|
user
string
/ required
|
The username to connect to the BIG-IP with. This user must have administrative privileges on the device.
You may omit this option by setting the environment variable
F5_USER. |
|||
|
validate_certs
boolean
|
|
If
no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.You may omit this option by setting the environment variable
F5_VALIDATE_CERTS. |
||
Notes¶
Note
- When using this module make sure SSH type is not set to libssh. To do this you could either set the environment variable like this
ANSIBLE_NETWORK_CLI_SSH_TYPE=paramikoor setadd ssh_type = paramikounder section persistent_connection in ansible.cfg. - For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
- Requires BIG-IP software version >= 12.
- The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.
Examples¶
- name: Update expired certificate
bigip_device_certificate:
days_valid: 365
provider:
password: secret
server: lb.mydomain.com
user: admin
transport: cli
server_port: 22
delegate_to: localhost
- name: Update expired certificate non-default names
bigip_device_certificate:
days_valid: 60
cert_name: custom.crt
key_name: custom.key
provider:
password: secret
server: lb.mydomain.com
user: admin
transport: cli
server_port: 22
delegate_to: localhost
- name: Force update not expired certificate
bigip_device_certificate:
days_valid: 365
force: true
provider:
password: secret
server: lb.mydomain.com
user: admin
transport: cli
server_port: 22
delegate_to: localhost
- name: Create a new certificate to replace expired certificate
bigip_device_certificate:
days_valid: 365
new_cert: true
issuer:
country: US
state: WA
common_name: foobar.foo.local
provider:
password: secret
server: lb.mydomain.com
user: admin
transport: cli
server_port: 22
delegate_to: localhost
- name: Force create a new custom named certificate to replace not expired certificate
bigip_device_certificate:
days_valid: 365
cert_name: custom.crt
key_name: custom.key
new_cert: true
force: true
issuer:
country: US
state: WA
common_name: foobar.foo.local
key_size: 2048
provider:
password: secret
server: lb.mydomain.com
user: admin
transport: cli
server_port: 22
delegate_to: localhost
Return Values¶
The following are the fields unique to this module:
| Key | Returned | Description | |
|---|---|---|---|
|
cert_name
string
|
changed |
The full name of the certificate file.
Sample:
common.crt
|
|
|
days_valid
integer
|
changed |
The interval for which the self-signed certificate is valid.
Sample:
365
|
|
|
issuer
complex
|
changed |
Specifies certificate properties.
|
|
|
common_name
string
|
changed |
The Common Name attribute of the certificate.
Sample:
foo.bar.local
|
|
|
country
string
|
changed |
The Country name attribute of the certificate.
Sample:
US
|
|
|
division
string
|
changed |
The department name attribute of the certificate.
Sample:
IT
|
|
|
email
string
|
changed |
The domain administrator's email address.
Sample:
admin@foo.bar.local
|
|
|
locality
string
|
changed |
The city or town name attribute of the certificate.
Sample:
Seattle
|
|
|
organization
string
|
changed |
The Organization attribute of the certificate.
Sample:
F5
|
|
|
state
string
|
changed |
The State or Province attribute of the certificate.
Sample:
WA
|
|
|
key_name
string
|
changed |
The full name of the key file.
Sample:
common.key
|
|
|
key_size
integer
|
changed |
The desired key size in bits.
Sample:
2048
|
|