Warn of standard behavior of 'default' key store (#49903)

* Warn of standard behavior of 'default' key store 

The default key store typically results in the key being stored as user. In instances where we're trying to install a cert to enable SSL binding in IIS, this will result in an unbind-able cert, as the IIS APPPOOL identity will not be able to read the private key, and presents a very cryptic error of 'A specified logon session does not exist'.


+label: docsite_pr

* fix trailing whitespace

* Use C(user) reference

* specify what's required for successful iis import

- store_location's default value is currently 'LocalMachine' but if this changes it could result in the documentation being inaccurate
- key_exportable is not required for a successful IIS import

* remove stray =

dang cat

Co-Authored-By: tdietrich513 <tom.dietrich@gmail.com>
Tom Dietrich 2018-12-18 20:13:31 -05:00 committed by Jordan Borean
parent 947c4300ee
commit 2b48c0187c


@ -91,7 +91,7 @@ options:
key_storage: key_storage:
description: description:
- Specifies where Windows will store the private key when it is imported. - Specifies where Windows will store the private key when it is imported.
- When set to C(default), the default option as set by Windows is used. - When set to C(default), the default option as set by Windows is used, typically C(user).
- When set to C(machine), the key is stored in a path accessible by various - When set to C(machine), the key is stored in a path accessible by various
users. users.
- When set to C(user), the key is stored in a path only accessible by the - When set to C(user), the key is stored in a path only accessible by the
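Review bot: The new wording "typically C(user)" on the C(default) line tells the reader what the default resolves to but not why it matters; a reader who only consults the C(key_storage) option description will miss the IIS consequence that the notes section adds below. Suggest appending a short pointer here, e.g. "see the notes on IIS usage", or stating directly that C(default) leaves the private key readable only by the importing user.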
@ -118,6 +118,10 @@ notes:
Kerberos with credential delegation, or use C(become) to bypass these Kerberos with credential delegation, or use C(become) to bypass these
restrictions. restrictions.
- The certificates must be located on the Windows host to be set with I(path). - The certificates must be located on the Windows host to be set with I(path).
- When importing a certificate for usage in IIS, it is generally required
to use the C(machine) key_storage option, as both C(default) and C(user)
will make the private key unreadable to IIS APPPOOL identities and prevent
binding the certificate to the https endpoint.
author: author:
- Jordan Borean (@jborean93) - Jordan Borean (@jborean93)
''' '''
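Review bot: The added IIS note describes the failure ("prevent binding the certificate to the https endpoint") but not the symptom users actually see; the commit message gives it as the cryptic error "A specified logon session does not exist". Consider quoting that error text in the note so that someone searching on the message lands on this explanation and the C(machine) fix.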
@ -177,6 +181,15 @@ EXAMPLES = r'''
become: yes become: yes
become_method: runas become_method: runas
become_user: SYSTEM become_user: SYSTEM
- name: import certificate be used by IIS
win_certificate_store:
path: C:\Temp\cert.pfx
file_type: pkcs12
password: StrongPassword!
store_location: LocalMachine
key_storage: machine
state: present
''' '''
RETURN = r''' RETURN = r'''
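Review bot: The new example puts a literal password (C(StrongPassword!)) inline in the task; docs examples are copied verbatim, so it would be better to show the value coming from a vaulted variable, e.g. `password: "{{ cert_password }}"`, rather than a plaintext string. Also the task name reads "import certificate be used by IIS" and should be "import certificate to be used by IIS".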