fortinet.fortios.fortios_vpn_certificate_setting – VPN certificate setting in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_certificate_setting.
New in version 2.10: of fortinet.fortios
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_certificate feature and setting category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
| Parameter | Choices/Defaults | Comments | |
|---|---|---|---|
| access_token
string
|
Token-based authentication. Generated from GUI of Fortigate.
|
||
| enable_log
boolean
|
|
Enable/Disable logging for task.
|
|
| vdom
string
|
Default:
"root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
|
| vpn_certificate_setting
dictionary
|
VPN certificate setting.
|
||
| certname_dsa1024
string
|
1024 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.
|
||
| certname_dsa2048
string
|
2048 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.
|
||
| certname_ecdsa256
string
|
256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.
|
||
| certname_ecdsa384
string
|
384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.
|
||
| certname_ecdsa521
string
|
521 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.
|
||
| certname_ed25519
string
|
253 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.
|
||
| certname_ed448
string
|
456 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.
|
||
| certname_rsa1024
string
|
1024 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.
|
||
| certname_rsa2048
string
|
2048 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.
|
||
| certname_rsa4096
string
|
4096 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name.
|
||
| check_ca_cert
string
|
|
Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted .
|
|
| check_ca_chain
string
|
|
Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted .
|
|
| cmp_key_usage_checking
string
|
|
Enable/disable server certificate key usage checking in CMP mode .
|
|
| cmp_save_extra_certs
string
|
|
Enable/disable saving extra certificates in CMP mode.
|
|
| cn_match
string
|
|
When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name.
|
|
| interface
string
|
Specify outgoing interface to reach server. Source system.interface.name.
|
||
| interface_select_method
string
|
|
Specify how to select outgoing interface to reach server.
|
|
| ocsp_default_server
string
|
Default OCSP server. Source vpn.certificate.ocsp-server.name.
|
||
| ocsp_option
string
|
|
Specify whether the OCSP URL is from certificate or configured OCSP server.
|
|
| ocsp_status
string
|
|
Enable/disable receiving certificates using the OCSP.
|
|
| ssl_min_proto_version
string
|
|
Minimum supported protocol version for SSL/TLS connections .
|
|
| ssl_ocsp_option
string
|
|
Specify whether the OCSP URL is from the certificate or the default OCSP server.
|
|
| ssl_ocsp_source_ip
string
|
Source IP address to use to communicate with the OCSP server.
|
||
| ssl_ocsp_status
string
|
|
Enable/disable SSL OCSP.
|
|
| strict_crl_check
string
|
|
Enable/disable strict mode CRL checking.
|
|
| strict_ocsp_check
string
|
|
Enable/disable strict mode OCSP checking.
|
|
| subject_match
string
|
|
When searching for a matching certificate, control how to find matches in the certificate subject name.
|
|
Notes
Note
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: VPN certificate setting.
fortios_vpn_certificate_setting:
vdom: "{{ vdom }}"
vpn_certificate_setting:
certname_dsa1024: "<your_own_value> (source vpn.certificate.local.name)"
certname_dsa2048: "<your_own_value> (source vpn.certificate.local.name)"
certname_ecdsa256: "<your_own_value> (source vpn.certificate.local.name)"
certname_ecdsa384: "<your_own_value> (source vpn.certificate.local.name)"
certname_ecdsa521: "<your_own_value> (source vpn.certificate.local.name)"
certname_ed25519: "<your_own_value> (source vpn.certificate.local.name)"
certname_ed448: "<your_own_value> (source vpn.certificate.local.name)"
certname_rsa1024: "<your_own_value> (source vpn.certificate.local.name)"
certname_rsa2048: "<your_own_value> (source vpn.certificate.local.name)"
certname_rsa4096: "<your_own_value> (source vpn.certificate.local.name)"
check_ca_cert: "enable"
check_ca_chain: "enable"
cmp_key_usage_checking: "enable"
cmp_save_extra_certs: "enable"
cn_match: "substring"
interface: "<your_own_value> (source system.interface.name)"
interface_select_method: "auto"
ocsp_default_server: "<your_own_value> (source vpn.certificate.ocsp-server.name)"
ocsp_option: "certificate"
ocsp_status: "enable"
ssl_min_proto_version: "default"
ssl_ocsp_option: "certificate"
ssl_ocsp_source_ip: "<your_own_value>"
ssl_ocsp_status: "enable"
strict_crl_check: "enable"
strict_ocsp_check: "enable"
subject_match: "substring"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
| http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
| http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
| mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
| name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
| path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
| revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
| serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
| status
string
|
always |
Indication of the operation's result
Sample:
success
|
| vdom
string
|
always |
Virtual domain used
Sample:
root
|
| version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_vpn_certificate_setting_module.html