sophos.sophos_firewall.sfos_certificate module – Manage Certificates (System > Certificates)

Note

This module is part of the sophos.sophos_firewall collection (version 2.5.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install sophos.sophos_firewall. Further requirements are needed before this module can be used; see Requirements for details.

To use it in a playbook, specify: sophos.sophos_firewall.sfos_certificate.

New in sophos.sophos_firewall 2.4.0

Synopsis

  • Creates certificates on Sophos Firewall, including uploaded certificates, self-signed certificates, certificate signing requests, and Let’s Encrypt certificates

Requirements

The requirements below are needed on the host that executes this module.

  • sophosfirewall-python

  • Beginning in version 2.0.0, this module requires use of an httpapi connection plugin. See the HTTPAPI example for details.

Parameters

Parameter

Comments

action

string

Select an option for certificate management

Choices:

  • "UploadCertificate"

  • "GenerateSelfSignedCertificate"

  • "GenerateCertificateSigningRequest"

  • "UploadRemoteCertificate"

  • "RequestLetsEncryptCertificate"

  • "LetsEncryptCertificate"

certificate_file

string

Certificate file to be uploaded (PEM, DER, CER, P7B, PFX, P12 formats)

certificate_format

string

Format of Certificate file

Choices:

  • "pem" ← (default)

  • "der"

  • "cer"

  • "pkcs7"

  • "pkcs12"

  • "p7b"

certificate_id

string

Value corresponding to the Certificate ID selected

certificate_id_type

string

Certificate ID type

certname

string

Certificate name

common_name

string

Common name, consisting of the host and domain name

country_name

string

Country code (2-letter ISO code)

curve_name

string

Curve name for elliptic curve keys

Choices:

  • "secp256r1" ← (default)

  • "secp384r1"

  • "secp521r1"

dns_name

list / elements=string

List of DNS Subject Alternative Names (SANs)

email_address

string

Email Address for communication

hosted_address

string

Interface for Let’s Encrypt challenge

ip_address

list / elements=string

List of IP address Subject Alternative Names (SANs)

key_encryption

string

Enable Key encryption

Choices:

  • "y"

  • "Y"

  • "n" ← (default)

  • "N"

key_length

integer

Key length - number of bits used to construct the key

Choices:

  • 1024

  • 1536

  • 2048 ← (default)

  • 4096

key_type

string

Key type - RSA or elliptic curve

Choices:

  • "RSA" ← (default)

  • "Elliptic Curve"

locality_name

string

Name of the locality

name

string / required

Name of the Certificate

organization_name

string

Organization name

organization_unit_name

string

Department name

password

string

Password for the Certificate used for authentication

private_key_file

string

Private key file to be uploaded (KEY format)

secure_hash

string

Secure hash algorithm

Choices:

  • "SHA - 256" ← (default)

  • "SHA - 384"

  • "SHA - 512"

state

string / required

Use present to create the certificate.

Use absent to remove it.

Choices:

  • "present"

  • "absent"

state_province_name

string

State within the country

valid_from

string

Date from which the Certificate is valid. Required when action is GenerateSelfSignedCertificate.

valid_upto

string

Date up to which the Certificate is valid. Required when action is GenerateSelfSignedCertificate.

Examples

- name: Upload Certificate
  sophos.sophos_firewall.sfos_certificate:
    name: UPLOADED_CERT
    action: UploadCertificate
    certificate_file: /path/to/certificate.pem
    private_key_file: /path/to/private_key.key
    password: certpassword
    common_name: example.com
    state: present

- name: Generate Self-Signed Certificate
  sophos.sophos_firewall.sfos_certificate:
    name: SELFSIGNED_CERT
    action: GenerateSelfSignedCertificate
    common_name: internal.example.com
    organization_name: Example Organization
    country_name: US
    state_province_name: California
    locality_name: San Francisco
    email_address: admin@example.com
    key_type: RSA
    key_length: 2048
    secure_hash: "SHA - 256"
    valid_from: "2024-01-01"
    valid_upto: "2025-01-01"
    dns_name:
      - internal.example.com
      - www.internal.example.com
    state: present

- name: Generate Certificate Signing Request
  sophos.sophos_firewall.sfos_certificate:
    name: CSR_CERT
    action: GenerateCertificateSigningRequest
    common_name: csr.example.com
    organization_name: Example Organization
    country_name: US
    key_type: RSA
    key_length: 2048
    state: present

- name: Request Let's Encrypt Certificate
  sophos.sophos_firewall.sfos_certificate:
    name: LETSENCRYPT_CERT
    action: RequestLetsEncryptCertificate
    common_name: public.example.com
    email_address: admin@example.com
    hosted_address: 192.168.1.1
    dns_name:
      - public.example.com
      - www.public.example.com
    state: present

- name: Remove Certificate
  sophos.sophos_firewall.sfos_certificate:
    name: CERTIFICATE_TO_REMOVE
    state: absent
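
Two further tasks, added here and not part of the collection's own documentation, exercise options the examples above leave out: a CSR with an elliptic-curve key and both DNS and IP SANs, and an upload whose password comes from an ansible-vault variable (vault_cert_password, an assumed name) under no_log so it does not appear in task output. Hostnames, addresses and file paths are constructed.

```yaml
# Added example, not from the sophos.sophos_firewall collection docs.
# Assumes vault_cert_password is defined in an ansible-vault encrypted
# vars file and that the referenced files exist on the control host.
- name: Generate an elliptic-curve certificate signing request with SANs
  sophos.sophos_firewall.sfos_certificate:
    name: VPN_EC_CSR
    action: GenerateCertificateSigningRequest
    common_name: vpn.example.com
    organization_name: Example Organization
    organization_unit_name: Network Security
    country_name: US
    state_province_name: California
    locality_name: San Francisco
    email_address: pki@example.com
    key_type: Elliptic Curve       # curve_name applies only to EC keys
    curve_name: secp384r1
    secure_hash: "SHA - 384"       # choice strings keep the module's spacing
    dns_name:
      - vpn.example.com
      - vpn-backup.example.com
    ip_address:
      - 203.0.113.10               # constructed documentation address
    state: present

- name: Upload a certificate and key without logging the key password
  sophos.sophos_firewall.sfos_certificate:
    name: VPN_CERT
    action: UploadCertificate
    certificate_format: pem
    certificate_file: /srv/pki/vpn.example.com.pem
    private_key_file: /srv/pki/vpn.example.com.key
    password: "{{ vault_cert_password }}"   # vault variable, never a literal
    common_name: vpn.example.com
    state: present
  no_log: true   # keeps module arguments, including password, out of output
```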

Return Values

Common return values are documented separately; the following are the fields unique to this module:

Key

Description

api_response

dictionary

Serialized object containing the API response.

Returned: always

Authors

  • Matt Mullen (@mamullen13316)