openssl_csr: allow to specify CRL distribution endpoints (#167)

* Improve error messages for name decoding (not all names appear in SANs). * Refactor DN parsing, add relative DN parsing code. * Allow to specify CRL distribution points. * Add changelog fragment. * Fix typo. * Make sure value argument to x509.NameAttribute is a text. * Update changelogs/fragments/167-openssl_csr-crl-distribution-points.yml Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru> * Add example. Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
2026-05-06 13:22:58 +00:00 · 2021-01-26 09:57:40 +01:00
parent a7c06b2ec4
commit d8ccebce60
8 changed files with 306 additions and 43 deletions
--- a/plugins/modules/openssl_csr.py
+++ b/plugins/modules/openssl_csr.py
@@ -142,6 +142,21 @@ EXAMPLES = r'''
    extended_key_usage:
    - clientAuth
    subject_alt_name: otherName:1.3.6.1.4.1.311.20.2.3;UTF8:username@localhost
+
+- name: Generate an OpenSSL Certificate Signing Request with a CRL distribution point
+  community.crypto.openssl_csr:
+    path: /etc/ssl/csr/www.ansible.com.csr
+    privatekey_path: /etc/ssl/private/ansible.com.pem
+    common_name: www.ansible.com
+    crl_distribution_points:
+      - full_name:
+          - "URI:https://ca.example.com/revocations.crl"
+        crl_issuer:
+          - "URI:https://ca.example.com/"
+        reasons:
+          - key_compromise
+          - ca_compromise
+          - cessation_of_operation
 '''

 RETURN = r'''
--- a/plugins/modules/x509_crl.py
+++ b/plugins/modules/x509_crl.py
@@ -502,7 +502,7 @@ class CRL(OpenSSLObject):
                result['serial_number'] = rc['serial_number']
            # All other options
            if rc['issuer']:
-                result['issuer'] = [cryptography_get_name(issuer) for issuer in rc['issuer']]
+                result['issuer'] = [cryptography_get_name(issuer, 'issuer') for issuer in rc['issuer']]
                result['issuer_critical'] = rc['issuer_critical']
            result['revocation_date'] = get_relative_time_option(
                rc['revocation_date'],
@@ -648,7 +648,7 @@ class CRL(OpenSSLObject):
            if entry['issuer'] is not None:
                revoked_cert = revoked_cert.add_extension(
                    x509.CertificateIssuer([
-                        cryptography_get_name(name) for name in entry['issuer']
+                        cryptography_get_name(name, 'issuer') for name in entry['issuer']
                    ]),
                    entry['issuer_critical']
                )