a259b810ad
* Ansible.Basic - make choices validate case insensitive * fix win_certificate_store tests
801 lines
27 KiB
YAML
801 lines
27 KiB
YAML
---
|
|
- name: fail with invalid store location
|
|
win_certificate_store:
|
|
state: present
|
|
path: '{{win_cert_dir}}\subj-cert.pem'
|
|
store_location: FakeLocation
|
|
register: fail_fake_location
|
|
failed_when: "fail_fake_location.msg != 'value of store_location must be one of: CurrentUser, LocalMachine. Got no match for: FakeLocation'"
|
|
|
|
- name: fail with invalid store name
|
|
win_certificate_store:
|
|
state: present
|
|
path: '{{win_cert_dir}}\subj-cert.pem'
|
|
store_name: FakeName
|
|
register: fail_fake_name
|
|
failed_when: "fail_fake_name.msg != 'value of store_name must be one of: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My, Root, TrustedPeople, TrustedPublisher. Got no match for: FakeName'"
|
|
|
|
- name: fail when state=present and no path is set
|
|
win_certificate_store:
|
|
state: present
|
|
register: fail_present_no_path
|
|
failed_when: "fail_present_no_path.msg != 'state is present but all of the following are missing: path'"
|
|
|
|
- name: fail when state=exported and no path is set
|
|
win_certificate_store:
|
|
state: exported
|
|
thumbprint: ABC
|
|
register: fail_export_no_path
|
|
failed_when: "fail_export_no_path.msg != 'state is exported but all of the following are missing: path'"
|
|
|
|
- name: fail when state=exported and no thumbprint is set
|
|
win_certificate_store:
|
|
state: exported
|
|
path: '{{win_cert_dir}}'
|
|
register: fail_export_no_thumbprint
|
|
failed_when: "fail_export_no_thumbprint.msg != 'state is exported but all of the following are missing: thumbprint'"
|
|
|
|
- name: fail to export thumbprint when path is a dir
|
|
win_certificate_store:
|
|
state: exported
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
path: '{{win_cert_dir}}'
|
|
register: fail_export_path_is_dir
|
|
failed_when: fail_export_path_is_dir.msg != "Cannot export cert to path '" + win_cert_dir + "' as it is a directory"
|
|
|
|
- name: fail when state=absent and not path or thumbprint is set
|
|
win_certificate_store:
|
|
state: absent
|
|
register: fail_absent_no_path_or_thumbprint
|
|
failed_when: "fail_absent_no_path_or_thumbprint.msg != 'state is absent but any of the following are missing: path, thumbprint'"
|
|
|
|
- name: import pem certificate (check)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert.pem'
|
|
state: present
|
|
register: import_pem_check
|
|
check_mode: yes
|
|
|
|
- name: get result of import pem certificate (check)
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: import_pem_result_check
|
|
|
|
- name: assert results of import pem certificate (check)
|
|
assert:
|
|
that:
|
|
- import_pem_check is changed
|
|
- import_pem_check.thumbprints == [subj_thumbprint]
|
|
- import_pem_result_check.stdout_lines[0] == "False"
|
|
|
|
- name: import pem certificate
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert.pem'
|
|
state: present
|
|
register: import_pem
|
|
|
|
- name: get result of import pem certificate
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: import_pem_result
|
|
|
|
- name: assert results of import pem certificate
|
|
assert:
|
|
that:
|
|
- import_pem is changed
|
|
- import_pem.thumbprints == [subj_thumbprint]
|
|
- import_pem_result.stdout_lines[0] == "True"
|
|
|
|
- name: import pem certificate (idempotent)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert.pem'
|
|
state: present
|
|
register: import_pem_again
|
|
|
|
- name: assert results of import pem certificate (idempotent)
|
|
assert:
|
|
that:
|
|
- not import_pem_again is changed
|
|
|
|
- name: remove certificate based on thumbprint (check)
|
|
win_certificate_store:
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: absent
|
|
register: remove_thumbprint_check
|
|
check_mode: yes
|
|
|
|
- name: get result of remove certificate based on thumbprint (check)
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: remove_thumbprint_result_check
|
|
|
|
- name: assert results of remove certificate based on thumbprint (check)
|
|
assert:
|
|
that:
|
|
- remove_thumbprint_check is changed
|
|
- remove_thumbprint_check.thumbprints == [subj_thumbprint]
|
|
- remove_thumbprint_result_check.stdout_lines[0] == "True"
|
|
|
|
- name: remove certificate based on thumbprint
|
|
win_certificate_store:
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: absent
|
|
register: remove_thumbprint
|
|
|
|
- name: get result of remove certificate based on thumbprint
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: remove_thumbprint_result
|
|
|
|
- name: assert results of remove certificate based on thumbprint
|
|
assert:
|
|
that:
|
|
- remove_thumbprint is changed
|
|
- remove_thumbprint.thumbprints == [subj_thumbprint]
|
|
- remove_thumbprint_result.stdout_lines[0] == "False"
|
|
|
|
- name: remove certificate based on thumbprint (idempotent)
|
|
win_certificate_store:
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: absent
|
|
register: remove_thumbprint_again
|
|
|
|
- name: assert results of remove certificate based on thumbprint (idempotent)
|
|
assert:
|
|
that:
|
|
- not remove_thumbprint_again is changed
|
|
|
|
- name: import der certificate (check)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert.cer'
|
|
state: present
|
|
register: import_der_check
|
|
check_mode: yes
|
|
|
|
- name: get result of import der certificate (check)
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: import_der_result_check
|
|
|
|
- name: assert results of import der certificate (check)
|
|
assert:
|
|
that:
|
|
- import_der_check is changed
|
|
- import_der_check.thumbprints == [subj_thumbprint]
|
|
- import_der_result_check.stdout_lines[0] == "False"
|
|
|
|
- name: import der certificate
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert.cer'
|
|
state: present
|
|
register: import_der
|
|
|
|
- name: get result of import der certificate
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: import_der_result
|
|
|
|
- name: assert results of import der certificate
|
|
assert:
|
|
that:
|
|
- import_der is changed
|
|
- import_der.thumbprints == [subj_thumbprint]
|
|
- import_der_result.stdout_lines[0] == "True"
|
|
|
|
- name: import der certificate (idempotent)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert.cer'
|
|
state: present
|
|
register: import_der_again
|
|
|
|
- name: assert results of import der certificate (idempotent)
|
|
assert:
|
|
that:
|
|
- not import_der_again is changed
|
|
|
|
- name: remove certificate based on path (check)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert.cer'
|
|
state: absent
|
|
register: remove_path_check
|
|
check_mode: yes
|
|
|
|
- name: get result of remove certificate based on path (check)
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: remove_path_result_check
|
|
|
|
- name: assert results of remove certificate based on path (check)
|
|
assert:
|
|
that:
|
|
- remove_path_check is changed
|
|
- remove_path_check.thumbprints == [subj_thumbprint]
|
|
- remove_path_result_check.stdout_lines[0] == "True"
|
|
|
|
- name: remove certificate based on path
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert.cer'
|
|
state: absent
|
|
register: remove_path
|
|
|
|
- name: get result of remove certificate based on path
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: remove_path_result
|
|
|
|
- name: assert results of remove certificate based on path
|
|
assert:
|
|
that:
|
|
- remove_path is changed
|
|
- remove_path.thumbprints == [subj_thumbprint]
|
|
- remove_path_result.stdout_lines[0] == "False"
|
|
|
|
- name: remove certificate based on path (idempotent)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert.cer'
|
|
state: absent
|
|
register: remove_path_again
|
|
|
|
- name: assert results of remove certificate based on path (idempotent)
|
|
assert:
|
|
that:
|
|
- not remove_path_again is changed
|
|
|
|
- name: import PEM encoded p7b chain (check)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\chain.pem'
|
|
state: present
|
|
register: import_pem_p7b_check
|
|
check_mode: yes
|
|
|
|
- name: get result of subj in p7b chain (check)
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: import_pem_p7b_subj_result_check
|
|
|
|
- name: get result of root in p7b chain (check)
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{root_thumbprint}}" }) { $true } else { $false }
|
|
register: import_pem_p7b_root_result_check
|
|
|
|
- name: assert results of import PEM encoded p7b chain (check)
|
|
assert:
|
|
that:
|
|
- import_pem_p7b_check is changed
|
|
- import_pem_p7b_check.thumbprints|count == 2
|
|
- subj_thumbprint in import_pem_p7b_check.thumbprints
|
|
- root_thumbprint in import_pem_p7b_check.thumbprints
|
|
- import_pem_p7b_subj_result_check.stdout_lines[0] == "False"
|
|
- import_pem_p7b_root_result_check.stdout_lines[0] == "False"
|
|
|
|
- name: import PEM encoded p7b chain
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\chain.pem'
|
|
state: present
|
|
register: import_pem_p7b
|
|
|
|
- name: get result of subj in p7b chain
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: import_pem_p7b_subj_result
|
|
|
|
- name: get result of root in p7b chain
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{root_thumbprint}}" }) { $true } else { $false }
|
|
register: import_pem_p7b_root_result
|
|
|
|
- name: assert results of import PEM encoded p7b chain
|
|
assert:
|
|
that:
|
|
- import_pem_p7b is changed
|
|
- import_pem_p7b.thumbprints|count == 2
|
|
- subj_thumbprint in import_pem_p7b.thumbprints
|
|
- root_thumbprint in import_pem_p7b.thumbprints
|
|
- import_pem_p7b_subj_result.stdout_lines[0] == "True"
|
|
- import_pem_p7b_root_result.stdout_lines[0] == "True"
|
|
|
|
- name: import PEM encoded p7b chain (idempotent)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\chain.pem'
|
|
state: present
|
|
register: import_pem_p7b_again
|
|
|
|
- name: assert results of import PEM encoded p7b chain (idempotent)
|
|
assert:
|
|
that:
|
|
- not import_pem_p7b_again is changed
|
|
|
|
- name: remove p7b chain certs
|
|
win_certificate_store:
|
|
thumbprint: '{{item}}'
|
|
state: absent
|
|
with_items:
|
|
- '{{subj_thumbprint}}'
|
|
- '{{root_thumbprint}}'
|
|
|
|
- name: import DER encoded p7b chain into custom store (check)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\chain.p7b'
|
|
state: present
|
|
store_name: TrustedPeople
|
|
store_location: CurrentUser
|
|
register: import_der_p7b_check
|
|
check_mode: yes
|
|
|
|
- name: get result of subj in p7b chain in custom store (check)
|
|
win_shell: if (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: import_der_p7b_subj_result_check
|
|
|
|
- name: get result of root in p7b chain in custom store (check)
|
|
win_shell: if (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{root_thumbprint}}" }) { $true } else { $false }
|
|
register: import_der_p7b_root_result_check
|
|
|
|
- name: assert results of import DER encoded p7b chain into custom store (check)
|
|
assert:
|
|
that:
|
|
- import_der_p7b_check is changed
|
|
- import_der_p7b_check.thumbprints|count == 2
|
|
- subj_thumbprint in import_der_p7b_check.thumbprints
|
|
- root_thumbprint in import_der_p7b_check.thumbprints
|
|
- import_der_p7b_subj_result_check.stdout_lines[0] == "False"
|
|
- import_der_p7b_root_result_check.stdout_lines[0] == "False"
|
|
|
|
- name: import DER encoded p7b chain into custom store
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\chain.p7b'
|
|
state: present
|
|
store_name: TrustedPeople
|
|
store_location: CurrentUser
|
|
register: import_der_p7b
|
|
|
|
- name: get result of subj in p7b chain in custom store
|
|
win_shell: if (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: import_der_p7b_subj_result
|
|
|
|
- name: get result of root in p7b chain in custom store
|
|
win_shell: if (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{root_thumbprint}}" }) { $true } else { $false }
|
|
register: import_der_p7b_root_result
|
|
|
|
- name: assert results of import DER encoded p7b chain into custom store
|
|
assert:
|
|
that:
|
|
- import_der_p7b is changed
|
|
- import_der_p7b.thumbprints|count == 2
|
|
- subj_thumbprint in import_der_p7b.thumbprints
|
|
- root_thumbprint in import_der_p7b.thumbprints
|
|
- import_der_p7b_root_result.stdout_lines[0] == "True"
|
|
- import_der_p7b_root_result.stdout_lines[0] == "True"
|
|
|
|
- name: import DER encoded p7b chain into custom store (idempotent)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\chain.p7b'
|
|
state: present
|
|
store_name: TrustedPeople
|
|
store_location: CurrentUser
|
|
register: import_der_p7b_again
|
|
|
|
- name: assert results of import DER encoded p7b chain into custom store (idempotent)
|
|
assert:
|
|
that:
|
|
- not import_der_p7b_again is changed
|
|
|
|
- name: remove p7b chain certs from custom store
|
|
win_certificate_store:
|
|
thumbprint: '{{item}}'
|
|
state: absent
|
|
store_name: TrustedPeople
|
|
store_location: CurrentUser
|
|
with_items:
|
|
- '{{subj_thumbprint}}'
|
|
- '{{root_thumbprint}}'
|
|
|
|
- name: import pfx without password and non exportable (check)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert-without-pass.pfx'
|
|
state: present
|
|
key_exportable: no
|
|
vars: &become_vars
|
|
ansible_become: yes
|
|
ansible_become_method: runas
|
|
ansible_become_user: '{{ansible_user}}'
|
|
ansible_become_pass: '{{ansible_password}}'
|
|
register: import_pfx_without_pass_check
|
|
check_mode: yes
|
|
|
|
- name: get results of import pfx without password and non exportable (check)
|
|
win_shell: if (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: import_pfx_without_pass_result_check
|
|
|
|
- name: assert results of import pfx without password and non exportable (check)
|
|
assert:
|
|
that:
|
|
- import_pfx_without_pass_check is changed
|
|
- import_pfx_without_pass_check.thumbprints == [subj_thumbprint]
|
|
- import_pfx_without_pass_result_check.stdout_lines[0] == "False"
|
|
|
|
- name: import pfx without password and non exportable
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert-without-pass.pfx'
|
|
state: present
|
|
key_exportable: no
|
|
vars: *become_vars
|
|
register: import_pfx_without_pass
|
|
|
|
- name: get results of import pfx without password and non exportable
|
|
win_shell: (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }).PrivateKey.CspKeyContainerInfo.Exportable
|
|
vars: *become_vars
|
|
register: import_pfx_without_pass_result
|
|
|
|
- name: assert results of import pfx without password and non exportable
|
|
assert:
|
|
that:
|
|
- import_pfx_without_pass is changed
|
|
- import_pfx_without_pass.thumbprints == [subj_thumbprint]
|
|
- import_pfx_without_pass_result.stdout_lines[0] == "False"
|
|
|
|
- name: import pfx without password and non exportable (idempotent)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert-without-pass.pfx'
|
|
state: present
|
|
key_exportable: no
|
|
vars: *become_vars
|
|
register: import_pfx_without_pass_again
|
|
|
|
- name: assert results of import pfx without password and non exportable (idempotent)
|
|
assert:
|
|
that:
|
|
- not import_pfx_without_pass_again is changed
|
|
|
|
- name: fail import pfx with password and none set
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert-with-pass.pfx'
|
|
state: present
|
|
store_location: CurrentUser
|
|
store_name: TrustedPeople
|
|
register: fail_import_pfx_with_password
|
|
failed_when: "'Failed to load cert from file' not in fail_import_pfx_with_password.msg and 'The specified network password is not correct' not in fail_import_pfx_with_password.msg"
|
|
|
|
- name: import pfx with password (check)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert-with-pass.pfx'
|
|
state: present
|
|
password: '{{key_password}}'
|
|
store_location: CurrentUser
|
|
store_name: TrustedPeople
|
|
register: import_pfx_with_pass_check
|
|
vars: *become_vars
|
|
check_mode: yes
|
|
|
|
- name: get results of import pfx with password (check)
|
|
win_shell: if (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }) { $true } else { $false }
|
|
register: import_pfx_with_pass_result_check
|
|
|
|
- name: assert results of import pfx with password (check)
|
|
assert:
|
|
that:
|
|
- import_pfx_with_pass_check is changed
|
|
- import_pfx_with_pass_check.thumbprints == [subj_thumbprint]
|
|
- import_pfx_with_pass_result_check.stdout_lines[0] == "False"
|
|
|
|
- name: import pfx with password
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert-with-pass.pfx'
|
|
state: present
|
|
password: '{{key_password}}'
|
|
store_location: CurrentUser
|
|
store_name: TrustedPeople
|
|
vars: *become_vars
|
|
register: import_pfx_with_pass
|
|
|
|
- name: get results of import pfx with password
|
|
win_shell: (Get-ChildItem -Path Cert:\CurrentUser\TrustedPeople | Where-Object { $_.Thumbprint -eq "{{subj_thumbprint}}" }).PrivateKey.CspKeyContainerInfo.Exportable
|
|
vars: *become_vars
|
|
register: import_pfx_with_pass_result
|
|
|
|
- name: assert results of import pfx with password
|
|
assert:
|
|
that:
|
|
- import_pfx_with_pass is changed
|
|
- import_pfx_with_pass.thumbprints == [subj_thumbprint]
|
|
- import_pfx_with_pass_result.stdout_lines[0] == "True"
|
|
|
|
- name: import pfx with password (idempotent)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\subj-cert-with-pass.pfx'
|
|
state: present
|
|
password: '{{key_password}}'
|
|
store_location: CurrentUser
|
|
store_name: TrustedPeople
|
|
vars: *become_vars
|
|
register: import_pfx_with_pass_again
|
|
|
|
- name: assert results of import pfx with password (idempotent)
|
|
assert:
|
|
that:
|
|
- not import_pfx_with_pass_again is changed
|
|
|
|
- name: import root cert for export tests
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\root-cert.pem'
|
|
state: present
|
|
|
|
- name: export cert as pem (check)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert.pem'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: pem
|
|
register: export_pem_check
|
|
check_mode: yes
|
|
|
|
- name: get result of export cert as pem (check)
|
|
win_stat:
|
|
path: '{{win_cert_dir}}\exported\cert.pem'
|
|
register: export_pem_result_check
|
|
|
|
- name: assert results of export cert as pem (check)
|
|
assert:
|
|
that:
|
|
- export_pem_check is changed
|
|
- export_pem_check.thumbprints == [subj_thumbprint]
|
|
- export_pem_result_check.stat.exists == False
|
|
|
|
- name: export cert as pem
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert.pem'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: pem
|
|
register: export_pem
|
|
|
|
- name: get result of export cert as pem
|
|
win_stat:
|
|
path: '{{win_cert_dir}}\exported\cert.pem'
|
|
register: export_pem_result
|
|
|
|
- name: assert results of export cert as pem
|
|
assert:
|
|
that:
|
|
- export_pem is changed
|
|
- export_pem.thumbprints == [subj_thumbprint]
|
|
- export_pem_result.stat.checksum == '1ebf5467d18230e9f611940a74d12f1d0bc819b7'
|
|
|
|
- name: export cert as pem (idempotent)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert.pem'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: pem
|
|
register: export_pem_again
|
|
|
|
- name: assert results of export cert as pem
|
|
assert:
|
|
that:
|
|
- not export_pem_again is changed
|
|
|
|
- name: export cert as der (check)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert.cer'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: der
|
|
register: export_der_check
|
|
check_mode: yes
|
|
|
|
- name: get result of export cert as der (check)
|
|
win_stat:
|
|
path: '{{win_cert_dir}}\exported\cert.cer'
|
|
register: export_der_result_check
|
|
|
|
- name: assert results of export cert as der (check)
|
|
assert:
|
|
that:
|
|
- export_der_check is changed
|
|
- export_der_check.thumbprints == [subj_thumbprint]
|
|
- export_der_result_check.stat.exists == False
|
|
|
|
- name: export cert as der
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert.cer'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: der
|
|
register: export_der
|
|
|
|
- name: get result of export cert as der
|
|
win_stat:
|
|
path: '{{win_cert_dir}}\exported\cert.cer'
|
|
register: export_der_result
|
|
|
|
- name: assert results of export cert as der
|
|
assert:
|
|
that:
|
|
- export_der is changed
|
|
- export_der.thumbprints == [subj_thumbprint]
|
|
- export_der_result.stat.checksum == 'bd7af104cf1872bdb518d95c9534ea941665fd27'
|
|
|
|
- name: export cert as der (idempotent)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert.cer'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: der
|
|
register: export_der_again
|
|
|
|
- name: assert results of export cert as der
|
|
assert:
|
|
that:
|
|
- not export_der_again is changed
|
|
|
|
- name: export cert as der replacing pem
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert.pem'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: der
|
|
register: export_der_over_pem
|
|
|
|
- name: get result of export cert as der replacing pem
|
|
win_stat:
|
|
path: '{{win_cert_dir}}\exported\cert.pem'
|
|
register: export_der_over_pem_result
|
|
|
|
- name: assert results of export cert as der replacing pem
|
|
assert:
|
|
that:
|
|
- export_der_over_pem is changed
|
|
- export_der_over_pem.thumbprints == [subj_thumbprint]
|
|
- export_der_over_pem_result.stat.checksum == 'bd7af104cf1872bdb518d95c9534ea941665fd27'
|
|
|
|
- name: export cert as pem replacing der
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert.cer'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: pem
|
|
register: export_pem_over_der
|
|
|
|
- name: get result of export cert as pem replacing der
|
|
win_stat:
|
|
path: '{{win_cert_dir}}\exported\cert.cer'
|
|
register: export_pem_over_der_result
|
|
|
|
- name: assert results of export cert as pem replacing der
|
|
assert:
|
|
that:
|
|
- export_pem_over_der is changed
|
|
- export_pem_over_der.thumbprints == [subj_thumbprint]
|
|
- export_pem_over_der_result.stat.checksum == '1ebf5467d18230e9f611940a74d12f1d0bc819b7'
|
|
|
|
- name: export cert with key and password as pfx (check)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert-pass.pfx'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: pkcs12
|
|
store_location: CurrentUser
|
|
store_name: TrustedPeople
|
|
password: '{{key_password}}'
|
|
register: export_pfx_with_pass_check
|
|
vars: *become_vars
|
|
check_mode: yes
|
|
|
|
- name: get result of export cert with key and password as pfx (check)
|
|
win_stat:
|
|
path: '{{win_cert_dir}}\exported\cert-pass.pfx'
|
|
register: export_pfx_with_pass_result_check
|
|
|
|
- name: assert results of export cert with key and password as pfx (check)
|
|
assert:
|
|
that:
|
|
- export_pfx_with_pass_check is changed
|
|
- export_pfx_with_pass_check.thumbprints == [subj_thumbprint]
|
|
- export_pfx_with_pass_result_check.stat.exists == False
|
|
|
|
- name: export cert with key and password as pfx
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert-pass.pfx'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: pkcs12
|
|
store_location: CurrentUser
|
|
store_name: TrustedPeople
|
|
password: '{{key_password}}'
|
|
vars: *become_vars
|
|
register: export_pfx_with_pass
|
|
|
|
- name: get result of export cert with key and password as pfx
|
|
win_shell: |
|
|
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
|
|
$cert.Import("{{win_cert_dir}}\exported\cert-pass.pfx", "{{key_password}}", 0)
|
|
$cert.HasPrivateKey
|
|
vars: *become_vars
|
|
register: export_pfx_with_pass_result
|
|
|
|
- name: assert results of export cert with key and password as pfx
|
|
assert:
|
|
that:
|
|
- export_pfx_with_pass is changed
|
|
- export_pfx_with_pass.thumbprints == [subj_thumbprint]
|
|
- export_pfx_with_pass_result.stdout_lines[0] == "True"
|
|
|
|
- name: export cert with key and password as pfx (idempotent)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert-pass.pfx'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: pkcs12
|
|
store_location: CurrentUser
|
|
store_name: TrustedPeople
|
|
password: '{{key_password}}'
|
|
vars: *become_vars
|
|
register: export_pfx_with_pass_again
|
|
|
|
- name: assert results of export cert with key and password as pfx (idempotent)
|
|
assert:
|
|
that:
|
|
- not export_pfx_with_pass_again is changed
|
|
|
|
- name: export cert with key without password as pfx (check)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert-without-pass.pfx'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: pkcs12
|
|
store_location: CurrentUser
|
|
store_name: TrustedPeople
|
|
vars: *become_vars
|
|
register: export_pfx_without_pass_check
|
|
check_mode: yes
|
|
|
|
- name: get result of export cert with key without password as pfx (check)
|
|
win_stat:
|
|
path: '{{win_cert_dir}}\exported\cert-without-pass.pfx'
|
|
register: export_pfx_without_pass_result_check
|
|
|
|
- name: assert results of export cert with key without password as pfx (check)
|
|
assert:
|
|
that:
|
|
- export_pfx_without_pass_check is changed
|
|
- export_pfx_without_pass_check.thumbprints == [subj_thumbprint]
|
|
- export_pfx_without_pass_result_check.stat.exists == False
|
|
|
|
- name: export cert with key without password as pfx
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert-without-pass.pfx'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: pkcs12
|
|
store_location: CurrentUser
|
|
store_name: TrustedPeople
|
|
vars: *become_vars
|
|
register: export_pfx_without_pass
|
|
|
|
- name: get result of export cert with key without password as pfx
|
|
win_shell: |
|
|
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
|
|
$cert.Import("{{win_cert_dir}}\exported\cert-without-pass.pfx", $null, 0)
|
|
$cert.HasPrivateKey
|
|
vars: *become_vars
|
|
register: export_pfx_without_pass_result
|
|
|
|
- name: assert results of export cert with key without password as pfx
|
|
assert:
|
|
that:
|
|
- export_pfx_without_pass is changed
|
|
- export_pfx_without_pass.thumbprints == [subj_thumbprint]
|
|
- export_pfx_without_pass_result.stdout_lines[0] == "True"
|
|
|
|
- name: export cert with key without password as pfx (idempotent)
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert-without-pass.pfx'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: pkcs12
|
|
store_location: CurrentUser
|
|
store_name: TrustedPeople
|
|
vars: *become_vars
|
|
register: export_pfx_without_pass_again
|
|
|
|
- name: assert results of export cert with key without password as pfx (idempotent)
|
|
assert:
|
|
that:
|
|
- not export_pfx_without_pass_again is changed
|
|
|
|
- name: fail to export cert with key as pfx when not marked as exportable
|
|
win_certificate_store:
|
|
path: '{{win_cert_dir}}\exported\cert-fail.pfx'
|
|
thumbprint: '{{subj_thumbprint}}'
|
|
state: exported
|
|
file_type: pkcs12
|
|
vars: *become_vars
|
|
register: fail_export_non_exportable
|
|
failed_when: fail_export_non_exportable.msg != 'Cannot export cert with key as PKCS12 when the key is not marked as exportable or not accesible by the current user'
|