cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Warn of standard behavior of 'default' key store (#49903)

Browse source 
* Warn of standard behavior of 'default' key store 

The default key store typically results in the key being stored as user. In instances where we're trying to install a cert to enable SSL binding in IIS, this will result in an unbind-able cert, as the IIS APPPOOL identity will not be able to read the private key, and presents a very cryptic error of 'A specified logon session does not exist'.


+label: docsite_pr

* fix trailing whitespace

* Use C(user) reference

* specify what's required for successful iis import

- store_location's default value is currently 'LocalMachine' but if this changes it could result in the documentation being inaccurate
- key_exportable is not required for a successful IIS import

* remove stray =

dang cat

Co-Authored-By: tdietrich513 <tom.dietrich@gmail.com>
This commit is contained in:
Tom Dietrich 2018-12-18 20:13:31 -05:00 committed by Jordan Borean
parent 947c4300ee
commit 2b48c0187c
1 changed files with 14 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
lib/ansible/modules/windows/win_certificate_store.py
View file

@ -91,7 +91,7 @@ options:
key_storage:
description:
- Specifies where Windows will store the private key when it is imported.
- When set to C(default), the default option as set by Windows is used.
- When set to C(default), the default option as set by Windows is used, typically C(user).
- When set to C(machine), the key is stored in a path accessible by various
users.
- When set to C(user), the key is stored in a path only accessible by the
@ -118,6 +118,10 @@ notes:
Kerberos with credential delegation, or use C(become) to bypass these
restrictions.
- The certificates must be located on the Windows host to be set with I(path).
- When importing a certificate for usage in IIS, it is generally required
to use the C(machine) key_storage option, as both C(default) and C(user)
will make the private key unreadable to IIS APPPOOL identities and prevent
binding the certificate to the https endpoint.
author:
- Jordan Borean (@jborean93)
'''
@ -177,6 +181,15 @@ EXAMPLES = r'''
become: yes
become_method: runas
become_user: SYSTEM
- name: import certificate be used by IIS
win_certificate_store:
path: C:\Temp\cert.pfx
file_type: pkcs12
password: StrongPassword!
store_location: LocalMachine
key_storage: machine
state: present
'''
RETURN = r'''