Warn of standard behavior of 'default' key store (#49903)
* Warn of standard behavior of 'default' key store

  The default key store typically results in the key being stored as user. In instances where we're trying to install a cert to enable SSL binding in IIS, this will result in an unbind-able cert, as the IIS APPPOOL identity will not be able to read the private key, and presents a very cryptic error of 'A specified logon session does not exist'.

  +label: docsite_pr

* fix trailing whitespace
* Use C(user) reference
* specify what's required for successful iis import
  - store_location's default value is currently 'LocalMachine' but if this changes it could result in the documentation being inaccurate
  - key_exportable is not required for a successful IIS import
* remove stray = dang cat

Co-Authored-By: tdietrich513 <tom.dietrich@gmail.com>
parent 947c4300ee
commit 2b48c0187c
1 changed file with 14 additions and 1 deletion
@ -91,7 +91,7 @@ options:
key_storage:
key_storage:
description:
description:
- Specifies where Windows will store the private key when it is imported.
- Specifies where Windows will store the private key when it is imported.
- When set to C(default), the default option as set by Windows is used.
- When set to C(default), the default option as set by Windows is used, typically C(user).
- When set to C(machine), the key is stored in a path accessible by various
- When set to C(machine), the key is stored in a path accessible by various
users.
users.
- When set to C(user), the key is stored in a path only accessible by the
- When set to C(user), the key is stored in a path only accessible by the
|
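Review bot: "typically C(user)" tells the reader the usual outcome but not when it differs, and a reader who only looks at the key_storage option will not see the consequence for IIS. Since the notes in this same change state that C(default) and C(user) leave the private key unreadable to IIS APPPOOL identities, consider adding a short pointer here, e.g. "- See the notes below for the value required when the certificate will be used by IIS.", so the warning is visible where the option is chosen.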
@ -118,6 +118,10 @@ notes:
Kerberos with credential delegation, or use C(become) to bypass these
Kerberos with credential delegation, or use C(become) to bypass these
restrictions.
restrictions.
- The certificates must be located on the Windows host to be set with I(path).
- The certificates must be located on the Windows host to be set with I(path).
- When importing a certificate for usage in IIS, it is generally required
to use the C(machine) key_storage option, as both C(default) and C(user)
will make the private key unreadable to IIS APPPOOL identities and prevent
binding the certificate to the https endpoint.
author:
author:
- Jordan Borean (@jborean93)
- Jordan Borean (@jborean93)
'''
'''
|
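Review bot: the new note mixes strengths ("it is generally required" versus "will make the private key unreadable") and omits the store_location requirement that the commit message relies on and that the new example sets explicitly. Suggest stating both conditions in one place, e.g. "- When importing a certificate for use by IIS, set key_storage to C(machine) and store_location to C(LocalMachine); with C(default) or C(user) the private key is unreadable to IIS APPPOOL identities and the certificate cannot be bound to the https endpoint." Including the symptom quoted in the commit message, 'A specified logon session does not exist', would also help users who search the docs for that error.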
@ -177,6 +181,15 @@ EXAMPLES = r'''
become: yes
become: yes
become_method: runas
become_method: runas
become_user: SYSTEM
become_user: SYSTEM
- name: import certificate be used by IIS
win_certificate_store:
path: C:\Temp\cert.pfx
file_type: pkcs12
password: StrongPassword!
store_location: LocalMachine
key_storage: machine
state: present
'''
'''
RETURN = r'''
RETURN = r'''
|
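Review bot: the task name "import certificate be used by IIS" is missing a word; suggest "import certificate to be used by IIS". The example also hard-codes a PFX password in the playbook (`password: StrongPassword!`), which readers tend to copy as-is; since the point of the example is the key_storage/store_location combination, a variable such as `password: "{{ pfx_password }}"` keeps the secret out of the documented playbook without changing what the example demonstrates. Setting store_location: LocalMachine explicitly is the right call given the commit message's point that the default could change.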