ansible/test/integration/targets/win_certificate_store/tasks/test.yml


---
# Negative argument-validation tests. Each task is expected to fail inside
# the module; failed_when inverts that so the play only aborts when the
# returned message differs from the exact validation text pinned here.
- name: fail with invalid store location
  win_certificate_store:
    state: present
    path: '{{win_cert_dir}}\subj-cert.pem'
    store_location: FakeLocation
  register: fail_fake_location
  failed_when: "fail_fake_location.msg != 'value of store_location must be one of: CurrentUser, LocalMachine. Got no match for: FakeLocation'"

- name: fail with invalid store name
  win_certificate_store:
    state: present
    path: '{{win_cert_dir}}\subj-cert.pem'
    store_name: FakeName
  register: fail_fake_name
  failed_when: "fail_fake_name.msg != 'value of store_name must be one of: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My, Root, TrustedPeople, TrustedPublisher. Got no match for: FakeName'"

# required_if checks: path is mandatory for present/exported, thumbprint for
# exported, and absent needs at least one of the two.
- name: fail when state=present and no path is set
  win_certificate_store:
    state: present
  register: fail_present_no_path
  failed_when: "fail_present_no_path.msg != 'state is present but all of the following are missing: path'"

- name: fail when state=exported and no path is set
  win_certificate_store:
    state: exported
    thumbprint: ABC
  register: fail_export_no_path
  failed_when: "fail_export_no_path.msg != 'state is exported but all of the following are missing: path'"

- name: fail when state=exported and no thumbprint is set
  win_certificate_store:
    state: exported
    path: '{{win_cert_dir}}'
  register: fail_export_no_thumbprint
  failed_when: "fail_export_no_thumbprint.msg != 'state is exported but all of the following are missing: thumbprint'"

# The export target must be a file path; refusing a directory avoids writing
# a certificate to an unintended location.
- name: fail to export thumbprint when path is a dir
  win_certificate_store:
    state: exported
    thumbprint: '{{subj_thumbprint}}'
    path: '{{win_cert_dir}}'
  register: fail_export_path_is_dir
  failed_when: fail_export_path_is_dir.msg != "Cannot export cert to path '" + win_cert_dir + "' as it is a directory"

- name: fail when state=absent and not path or thumbprint is set
  win_certificate_store:
    state: absent
  register: fail_absent_no_path_or_thumbprint
  failed_when: "fail_absent_no_path_or_thumbprint.msg != 'state is absent but any of the following are missing: path, thumbprint'"
# Import of a PEM-encoded certificate into the default store
# (LocalMachine\My): check mode, real run, then an idempotency re-run.
# Presence is verified out-of-band with a PowerShell query so the assertion
# does not rely on the module's own return values alone.
- name: import pem certificate (check)
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert.pem'
    state: present
  check_mode: true
  register: import_pem_check

- name: get result of import pem certificate (check)
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: import_pem_result_check

- name: assert results of import pem certificate (check)
  assert:
    that:
      - import_pem_check is changed
      - import_pem_check.thumbprints == [subj_thumbprint]
      # check mode must not touch the store
      - import_pem_result_check.stdout_lines[0] == "False"

- name: import pem certificate
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert.pem'
    state: present
  register: import_pem

- name: get result of import pem certificate
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: import_pem_result

- name: assert results of import pem certificate
  assert:
    that:
      - import_pem is changed
      - import_pem.thumbprints == [subj_thumbprint]
      - import_pem_result.stdout_lines[0] == "True"

- name: import pem certificate (idempotent)
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert.pem'
    state: present
  register: import_pem_again

- name: assert results of import pem certificate (idempotent)
  assert:
    that:
      - not import_pem_again is changed
# Removal keyed on thumbprint (no file needed on the host). Same
# check / run / idempotent pattern as the import tests.
- name: remove certificate based on thumbprint (check)
  win_certificate_store:
    thumbprint: '{{subj_thumbprint}}'
    state: absent
  check_mode: true
  register: remove_thumbprint_check

- name: get result of remove certificate based on thumbprint (check)
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: remove_thumbprint_result_check

- name: assert results of remove certificate based on thumbprint (check)
  assert:
    that:
      - remove_thumbprint_check is changed
      - remove_thumbprint_check.thumbprints == [subj_thumbprint]
      # still present: check mode must not delete
      - remove_thumbprint_result_check.stdout_lines[0] == "True"

- name: remove certificate based on thumbprint
  win_certificate_store:
    thumbprint: '{{subj_thumbprint}}'
    state: absent
  register: remove_thumbprint

- name: get result of remove certificate based on thumbprint
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: remove_thumbprint_result

- name: assert results of remove certificate based on thumbprint
  assert:
    that:
      - remove_thumbprint is changed
      - remove_thumbprint.thumbprints == [subj_thumbprint]
      - remove_thumbprint_result.stdout_lines[0] == "False"

- name: remove certificate based on thumbprint (idempotent)
  win_certificate_store:
    thumbprint: '{{subj_thumbprint}}'
    state: absent
  register: remove_thumbprint_again

- name: assert results of remove certificate based on thumbprint (idempotent)
  assert:
    that:
      - not remove_thumbprint_again is changed
# Import of a DER-encoded (.cer) certificate; mirrors the PEM import tests.
- name: import der certificate (check)
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert.cer'
    state: present
  check_mode: true
  register: import_der_check

- name: get result of import der certificate (check)
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: import_der_result_check

- name: assert results of import der certificate (check)
  assert:
    that:
      - import_der_check is changed
      - import_der_check.thumbprints == [subj_thumbprint]
      - import_der_result_check.stdout_lines[0] == "False"

- name: import der certificate
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert.cer'
    state: present
  register: import_der

- name: get result of import der certificate
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: import_der_result

- name: assert results of import der certificate
  assert:
    that:
      - import_der is changed
      - import_der.thumbprints == [subj_thumbprint]
      - import_der_result.stdout_lines[0] == "True"

- name: import der certificate (idempotent)
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert.cer'
    state: present
  register: import_der_again

- name: assert results of import der certificate (idempotent)
  assert:
    that:
      - not import_der_again is changed
# Removal keyed on a certificate file: the module reads the thumbprint from
# the file and removes the matching store entry.
- name: remove certificate based on path (check)
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert.cer'
    state: absent
  check_mode: true
  register: remove_path_check

- name: get result of remove certificate based on path (check)
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: remove_path_result_check

- name: assert results of remove certificate based on path (check)
  assert:
    that:
      - remove_path_check is changed
      - remove_path_check.thumbprints == [subj_thumbprint]
      - remove_path_result_check.stdout_lines[0] == "True"

- name: remove certificate based on path
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert.cer'
    state: absent
  register: remove_path

- name: get result of remove certificate based on path
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: remove_path_result

- name: assert results of remove certificate based on path
  assert:
    that:
      - remove_path is changed
      - remove_path.thumbprints == [subj_thumbprint]
      - remove_path_result.stdout_lines[0] == "False"

- name: remove certificate based on path (idempotent)
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert.cer'
    state: absent
  register: remove_path_again

- name: assert results of remove certificate based on path (idempotent)
  assert:
    that:
      - not remove_path_again is changed
# PKCS#7 chain in PEM form: both the subject and the root certificate must
# be reported and imported, so the thumbprint list is checked by count and
# membership rather than by exact order.
- name: import PEM encoded p7b chain (check)
  win_certificate_store:
    path: '{{win_cert_dir}}\chain.pem'
    state: present
  check_mode: true
  register: import_pem_p7b_check

- name: get result of subj in p7b chain (check)
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: import_pem_p7b_subj_result_check

- name: get result of root in p7b chain (check)
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{root_thumbprint}}" }) { $true } else { $false }
  register: import_pem_p7b_root_result_check

- name: assert results of import PEM encoded p7b chain (check)
  assert:
    that:
      - import_pem_p7b_check is changed
      - import_pem_p7b_check.thumbprints|count == 2
      - subj_thumbprint in import_pem_p7b_check.thumbprints
      - root_thumbprint in import_pem_p7b_check.thumbprints
      - import_pem_p7b_subj_result_check.stdout_lines[0] == "False"
      - import_pem_p7b_root_result_check.stdout_lines[0] == "False"

- name: import PEM encoded p7b chain
  win_certificate_store:
    path: '{{win_cert_dir}}\chain.pem'
    state: present
  register: import_pem_p7b

- name: get result of subj in p7b chain
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: import_pem_p7b_subj_result

- name: get result of root in p7b chain
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{root_thumbprint}}" }) { $true } else { $false }
  register: import_pem_p7b_root_result

- name: assert results of import PEM encoded p7b chain
  assert:
    that:
      - import_pem_p7b is changed
      - import_pem_p7b.thumbprints|count == 2
      - subj_thumbprint in import_pem_p7b.thumbprints
      - root_thumbprint in import_pem_p7b.thumbprints
      - import_pem_p7b_subj_result.stdout_lines[0] == "True"
      - import_pem_p7b_root_result.stdout_lines[0] == "True"

- name: import PEM encoded p7b chain (idempotent)
  win_certificate_store:
    path: '{{win_cert_dir}}\chain.pem'
    state: present
  register: import_pem_p7b_again

- name: assert results of import PEM encoded p7b chain (idempotent)
  assert:
    that:
      - not import_pem_p7b_again is changed

# Clean up both chain members so later tests start from an empty My store.
- name: remove p7b chain certs
  win_certificate_store:
    thumbprint: '{{item}}'
    state: absent
  with_items:
    - '{{subj_thumbprint}}'
    - '{{root_thumbprint}}'
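# PKCS#7 chain in DER form, imported into a non-default store
# (CurrentUser\TrustedPeople). The verification queries must point at the
# same store, otherwise a successful import would be reported as missing.
- name: import DER encoded p7b chain into custom store (check)
  win_certificate_store:
    path: '{{win_cert_dir}}\chain.p7b'
    state: present
    store_name: TrustedPeople
    store_location: CurrentUser
  check_mode: true
  register: import_der_p7b_check

- name: get result of subj in p7b chain in custom store (check)
  win_shell: if (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: import_der_p7b_subj_result_check

- name: get result of root in p7b chain in custom store (check)
  win_shell: if (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{root_thumbprint}}" }) { $true } else { $false }
  register: import_der_p7b_root_result_check

- name: assert results of import DER encoded p7b chain into custom store (check)
  assert:
    that:
      - import_der_p7b_check is changed
      - import_der_p7b_check.thumbprints|count == 2
      - subj_thumbprint in import_der_p7b_check.thumbprints
      - root_thumbprint in import_der_p7b_check.thumbprints
      - import_der_p7b_subj_result_check.stdout_lines[0] == "False"
      - import_der_p7b_root_result_check.stdout_lines[0] == "False"

- name: import DER encoded p7b chain into custom store
  win_certificate_store:
    path: '{{win_cert_dir}}\chain.p7b'
    state: present
    store_name: TrustedPeople
    store_location: CurrentUser
  register: import_der_p7b

- name: get result of subj in p7b chain in custom store
  win_shell: if (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: import_der_p7b_subj_result

- name: get result of root in p7b chain in custom store
  win_shell: if (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{root_thumbprint}}" }) { $true } else { $false }
  register: import_der_p7b_root_result

- name: assert results of import DER encoded p7b chain into custom store
  assert:
    that:
      - import_der_p7b is changed
      - import_der_p7b.thumbprints|count == 2
      - subj_thumbprint in import_der_p7b.thumbprints
      - root_thumbprint in import_der_p7b.thumbprints
      # Previously the root query was asserted twice and the subject query
      # never; both members of the chain must actually be present in the store.
      - import_der_p7b_subj_result.stdout_lines[0] == "True"
      - import_der_p7b_root_result.stdout_lines[0] == "True"

- name: import DER encoded p7b chain into custom store (idempotent)
  win_certificate_store:
    path: '{{win_cert_dir}}\chain.p7b'
    state: present
    store_name: TrustedPeople
    store_location: CurrentUser
  register: import_der_p7b_again

- name: assert results of import DER encoded p7b chain into custom store (idempotent)
  assert:
    that:
      - not import_der_p7b_again is changed

# Clean up in the same custom store the chain was imported into.
- name: remove p7b chain certs from custom store
  win_certificate_store:
    thumbprint: '{{item}}'
    state: absent
    store_name: TrustedPeople
    store_location: CurrentUser
  with_items:
    - '{{subj_thumbprint}}'
    - '{{root_thumbprint}}'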
# PFX (PKCS#12) import carrying a private key. These tasks run under runas
# become; the anchor is reused by every later PFX task. The vars include the
# connection password, so they are kept task-scoped instead of play-level.
# key_exportable is false so the key cannot be pulled back out of the
# store; the final export test in this file depends on that.
- name: import pfx without password and non exportable (check)
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert-without-pass.pfx'
    state: present
    key_exportable: false
  vars: &become_vars
    ansible_become: true
    ansible_become_method: runas
    ansible_become_user: '{{ansible_user}}'
    ansible_become_pass: '{{ansible_password}}'
  check_mode: true
  register: import_pfx_without_pass_check

- name: get results of import pfx without password and non exportable (check)
  win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: import_pfx_without_pass_result_check

- name: assert results of import pfx without password and non exportable (check)
  assert:
    that:
      - import_pfx_without_pass_check is changed
      - import_pfx_without_pass_check.thumbprints == [subj_thumbprint]
      - import_pfx_without_pass_result_check.stdout_lines[0] == "False"

- name: import pfx without password and non exportable
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert-without-pass.pfx'
    state: present
    key_exportable: false
  vars: *become_vars
  register: import_pfx_without_pass

# Read the key container's Exportable flag rather than only checking presence.
- name: get results of import pfx without password and non exportable
  win_shell: (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }).PrivateKey.CspKeyContainerInfo.Exportable
  vars: *become_vars
  register: import_pfx_without_pass_result

- name: assert results of import pfx without password and non exportable
  assert:
    that:
      - import_pfx_without_pass is changed
      - import_pfx_without_pass.thumbprints == [subj_thumbprint]
      - import_pfx_without_pass_result.stdout_lines[0] == "False"

- name: import pfx without password and non exportable (idempotent)
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert-without-pass.pfx'
    state: present
    key_exportable: false
  vars: *become_vars
  register: import_pfx_without_pass_again

- name: assert results of import pfx without password and non exportable (idempotent)
  assert:
    that:
      - not import_pfx_without_pass_again is changed
# A password-protected PFX must be rejected outright when no password is
# supplied; either of the two messages is accepted because the wording
# differs between Windows versions.
- name: fail import pfx with password and none set
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert-with-pass.pfx'
    state: present
    store_location: CurrentUser
    store_name: TrustedPeople
  register: fail_import_pfx_with_password
  failed_when: "'Failed to load cert from file' not in fail_import_pfx_with_password.msg and 'The specified network password is not correct' not in fail_import_pfx_with_password.msg"

# Same PFX with the password, into CurrentUser\TrustedPeople; the key is
# left exportable (module default) so the later PFX export tests can read it.
- name: import pfx with password (check)
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert-with-pass.pfx'
    state: present
    password: '{{key_password}}'
    store_location: CurrentUser
    store_name: TrustedPeople
  vars: *become_vars
  check_mode: true
  register: import_pfx_with_pass_check

- name: get results of import pfx with password (check)
  win_shell: if (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
  register: import_pfx_with_pass_result_check

- name: assert results of import pfx with password (check)
  assert:
    that:
      - import_pfx_with_pass_check is changed
      - import_pfx_with_pass_check.thumbprints == [subj_thumbprint]
      - import_pfx_with_pass_result_check.stdout_lines[0] == "False"

- name: import pfx with password
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert-with-pass.pfx'
    state: present
    password: '{{key_password}}'
    store_location: CurrentUser
    store_name: TrustedPeople
  vars: *become_vars
  register: import_pfx_with_pass

- name: get results of import pfx with password
  win_shell: (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }).PrivateKey.CspKeyContainerInfo.Exportable
  vars: *become_vars
  register: import_pfx_with_pass_result

- name: assert results of import pfx with password
  assert:
    that:
      - import_pfx_with_pass is changed
      - import_pfx_with_pass.thumbprints == [subj_thumbprint]
      - import_pfx_with_pass_result.stdout_lines[0] == "True"

- name: import pfx with password (idempotent)
  win_certificate_store:
    path: '{{win_cert_dir}}\subj-cert-with-pass.pfx'
    state: present
    password: '{{key_password}}'
    store_location: CurrentUser
    store_name: TrustedPeople
  vars: *become_vars
  register: import_pfx_with_pass_again

- name: assert results of import pfx with password (idempotent)
  assert:
    that:
      - not import_pfx_with_pass_again is changed
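# Export tests. The root cert is imported first so the store holds a chain;
# the subject cert is exported by thumbprint from the default store.
- name: import root cert for export tests
  win_certificate_store:
    path: '{{win_cert_dir}}\root-cert.pem'
    state: present

- name: export cert as pem (check)
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert.pem'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: pem
  check_mode: true
  register: export_pem_check

- name: get result of export cert as pem (check)
  win_stat:
    path: '{{win_cert_dir}}\exported\cert.pem'
  register: export_pem_result_check

- name: assert results of export cert as pem (check)
  assert:
    that:
      - export_pem_check is changed
      - export_pem_check.thumbprints == [subj_thumbprint]
      # check mode must not write the file
      - export_pem_result_check.stat.exists == False

- name: export cert as pem
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert.pem'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: pem
  register: export_pem

- name: get result of export cert as pem
  win_stat:
    path: '{{win_cert_dir}}\exported\cert.pem'
  register: export_pem_result

- name: assert results of export cert as pem
  assert:
    that:
      - export_pem is changed
      - export_pem.thumbprints == [subj_thumbprint]
      # pins the exact bytes written for the test cert (win_stat's default
      # checksum algorithm); changes to the PEM encoder will surface here
      - export_pem_result.stat.checksum == '1ebf5467d18230e9f611940a74d12f1d0bc819b7'

- name: export cert as pem (idempotent)
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert.pem'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: pem
  register: export_pem_again

# Task name now carries the "(idempotent)" suffix like every other
# idempotency assertion in this file, so log output is unambiguous.
- name: assert results of export cert as pem (idempotent)
  assert:
    that:
      - not export_pem_again is changed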
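# DER export of the same subject certificate.
- name: export cert as der (check)
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert.cer'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: der
  check_mode: true
  register: export_der_check

- name: get result of export cert as der (check)
  win_stat:
    path: '{{win_cert_dir}}\exported\cert.cer'
  register: export_der_result_check

- name: assert results of export cert as der (check)
  assert:
    that:
      - export_der_check is changed
      - export_der_check.thumbprints == [subj_thumbprint]
      - export_der_result_check.stat.exists == False

- name: export cert as der
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert.cer'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: der
  register: export_der

- name: get result of export cert as der
  win_stat:
    path: '{{win_cert_dir}}\exported\cert.cer'
  register: export_der_result

- name: assert results of export cert as der
  assert:
    that:
      - export_der is changed
      - export_der.thumbprints == [subj_thumbprint]
      # pins the exact DER bytes written for the test cert
      - export_der_result.stat.checksum == 'bd7af104cf1872bdb518d95c9534ea941665fd27'

- name: export cert as der (idempotent)
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert.cer'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: der
  register: export_der_again

# Task name now carries the "(idempotent)" suffix, consistent with the
# other idempotency assertions in this file.
- name: assert results of export cert as der (idempotent)
  assert:
    that:
      - not export_der_again is changed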
# Re-exporting to an existing path with a different file_type must rewrite
# the file (changed) instead of treating the existing file as up to date;
# the checksums are the ones pinned by the earlier pem/der export tests.
- name: export cert as der replacing pem
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert.pem'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: der
  register: export_der_over_pem

- name: get result of export cert as der replacing pem
  win_stat:
    path: '{{win_cert_dir}}\exported\cert.pem'
  register: export_der_over_pem_result

- name: assert results of export cert as der replacing pem
  assert:
    that:
      - export_der_over_pem is changed
      - export_der_over_pem.thumbprints == [subj_thumbprint]
      - export_der_over_pem_result.stat.checksum == 'bd7af104cf1872bdb518d95c9534ea941665fd27'

- name: export cert as pem replacing der
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert.cer'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: pem
  register: export_pem_over_der

- name: get result of export cert as pem replacing der
  win_stat:
    path: '{{win_cert_dir}}\exported\cert.cer'
  register: export_pem_over_der_result

- name: assert results of export cert as pem replacing der
  assert:
    that:
      - export_pem_over_der is changed
      - export_pem_over_der.thumbprints == [subj_thumbprint]
      - export_pem_over_der_result.stat.checksum == '1ebf5467d18230e9f611940a74d12f1d0bc819b7'
# PKCS#12 export with the private key, protected by key_password, from the
# CurrentUser\TrustedPeople store populated by the "import pfx with
# password" tests.
- name: export cert with key and password as pfx (check)
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert-pass.pfx'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: pkcs12
    store_location: CurrentUser
    store_name: TrustedPeople
    password: '{{key_password}}'
  vars: *become_vars
  check_mode: true
  register: export_pfx_with_pass_check

- name: get result of export cert with key and password as pfx (check)
  win_stat:
    path: '{{win_cert_dir}}\exported\cert-pass.pfx'
  register: export_pfx_with_pass_result_check

- name: assert results of export cert with key and password as pfx (check)
  assert:
    that:
      - export_pfx_with_pass_check is changed
      - export_pfx_with_pass_check.thumbprints == [subj_thumbprint]
      - export_pfx_with_pass_result_check.stat.exists == False

- name: export cert with key and password as pfx
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert-pass.pfx'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: pkcs12
    store_location: CurrentUser
    store_name: TrustedPeople
    password: '{{key_password}}'
  vars: *become_vars
  register: export_pfx_with_pass

# Re-open the exported file with the password and confirm the private key
# travelled with it. The password is rendered into the script text here,
# which is acceptable for a throwaway test credential only.
- name: get result of export cert with key and password as pfx
  win_shell: |
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import("{{win_cert_dir}}\exported\cert-pass.pfx", "{{key_password}}", 0)
    $cert.HasPrivateKey
  vars: *become_vars
  register: export_pfx_with_pass_result

- name: assert results of export cert with key and password as pfx
  assert:
    that:
      - export_pfx_with_pass is changed
      - export_pfx_with_pass.thumbprints == [subj_thumbprint]
      - export_pfx_with_pass_result.stdout_lines[0] == "True"

- name: export cert with key and password as pfx (idempotent)
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert-pass.pfx'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: pkcs12
    store_location: CurrentUser
    store_name: TrustedPeople
    password: '{{key_password}}'
  vars: *become_vars
  register: export_pfx_with_pass_again

- name: assert results of export cert with key and password as pfx (idempotent)
  assert:
    that:
      - not export_pfx_with_pass_again is changed
# PKCS#12 export with the private key and no password. Such a file holds
# the key in the clear, so the test only confirms the module honours the
# request; the import side uses $null as the password to read it back.
- name: export cert with key without password as pfx (check)
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert-without-pass.pfx'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: pkcs12
    store_location: CurrentUser
    store_name: TrustedPeople
  vars: *become_vars
  check_mode: true
  register: export_pfx_without_pass_check

- name: get result of export cert with key without password as pfx (check)
  win_stat:
    path: '{{win_cert_dir}}\exported\cert-without-pass.pfx'
  register: export_pfx_without_pass_result_check

- name: assert results of export cert with key without password as pfx (check)
  assert:
    that:
      - export_pfx_without_pass_check is changed
      - export_pfx_without_pass_check.thumbprints == [subj_thumbprint]
      - export_pfx_without_pass_result_check.stat.exists == False

- name: export cert with key without password as pfx
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert-without-pass.pfx'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: pkcs12
    store_location: CurrentUser
    store_name: TrustedPeople
  vars: *become_vars
  register: export_pfx_without_pass

- name: get result of export cert with key without password as pfx
  win_shell: |
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import("{{win_cert_dir}}\exported\cert-without-pass.pfx", $null, 0)
    $cert.HasPrivateKey
  vars: *become_vars
  register: export_pfx_without_pass_result

- name: assert results of export cert with key without password as pfx
  assert:
    that:
      - export_pfx_without_pass is changed
      - export_pfx_without_pass.thumbprints == [subj_thumbprint]
      - export_pfx_without_pass_result.stdout_lines[0] == "True"

- name: export cert with key without password as pfx (idempotent)
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert-without-pass.pfx'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: pkcs12
    store_location: CurrentUser
    store_name: TrustedPeople
  vars: *become_vars
  register: export_pfx_without_pass_again

- name: assert results of export cert with key without password as pfx (idempotent)
  assert:
    that:
      - not export_pfx_without_pass_again is changed
# The key imported earlier into LocalMachine\My with key_exportable false
# must not be extractable through a PKCS#12 export. The expected message is
# compared verbatim, including its spelling of "accesible", so it must stay
# in sync with the module's text.
- name: fail to export cert with key as pfx when not marked as exportable
  win_certificate_store:
    path: '{{win_cert_dir}}\exported\cert-fail.pfx'
    thumbprint: '{{subj_thumbprint}}'
    state: exported
    file_type: pkcs12
  vars: *become_vars
  register: fail_export_non_exportable
  failed_when: fail_export_non_exportable.msg != 'Cannot export cert with key as PKCS12 when the key is not marked as exportable or not accesible by the current user'