fortios_vpn_certificate_setting – VPN certificate setting in Fortinet’s FortiOS and FortiGate.

New in version 2.0.0.

Synopsis

• This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_certificate feature and setting category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

• ansible>=2.15

Tips

Using member operation to add an element to an existing object.

FortiOS Version Compatibility

Supported Version Ranges: v6.0.0 -> 7.4.3

Parameters

• access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: false
• enable_log - Enable/Disable logging for task. type: bool required: false default: False
• vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
• member_path - Member attribute path to operate on. type: str
• member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
• vpn_certificate_setting - VPN certificate setting. type: dict more...

  	Supported Version Ranges
  vpn_certificate_setting	v6.0.0 -> 7.4.3

• cert_expire_warning - Number of days before a certificate expires to send a warning. Set to 0 to disable sending of the warning (0 - 100). type: int more...

  	Supported Version Ranges
  cert_expire_warning	v7.2.1 -> 7.4.3

• certname_dsa1024 - 1024 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...

  	Supported Version Ranges
  certname_dsa1024	v6.0.0 -> 7.4.3

• certname_dsa2048 - 2048 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...

  	Supported Version Ranges
  certname_dsa2048	v6.0.0 -> 7.4.3

• certname_ecdsa256 - 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...

  	Supported Version Ranges
  certname_ecdsa256	v6.0.0 -> 7.4.3

• certname_ecdsa384 - 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...

  	Supported Version Ranges
  certname_ecdsa384	v6.0.0 -> 7.4.3

• certname_ecdsa521 - 521 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...

  	Supported Version Ranges
  certname_ecdsa521	v6.2.0 -> 7.4.3

• certname_ed25519 - 253 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...

  	Supported Version Ranges
  certname_ed25519	v6.2.0 -> 7.4.3

• certname_ed448 - 456 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...

  	Supported Version Ranges
  certname_ed448	v6.2.0 -> 7.4.3

• certname_rsa1024 - 1024 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...

  	Supported Version Ranges
  certname_rsa1024	v6.0.0 -> 7.4.3

• certname_rsa2048 - 2048 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...

  	Supported Version Ranges
  certname_rsa2048	v6.0.0 -> 7.4.3

• certname_rsa4096 - 4096 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...

  	Supported Version Ranges
  certname_rsa4096	v6.2.0 -> 7.4.3

• check_ca_cert - Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted . type: str choices: enable, disable more...

  	Supported Version Ranges
  check_ca_cert	v6.0.0 -> 7.4.3
  [enable]	v6.0.0 -> 7.4.3
  [disable]	v6.0.0 -> 7.4.3

• check_ca_chain - Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted . type: str choices: enable, disable more...

  	Supported Version Ranges
  check_ca_chain	v6.0.0 -> 7.4.3
  [enable]	v6.0.0 -> 7.4.3
  [disable]	v6.0.0 -> 7.4.3

• cmp_key_usage_checking - Enable/disable server certificate key usage checking in CMP mode . type: str choices: enable, disable more...

  	Supported Version Ranges
  cmp_key_usage_checking	v6.0.0 -> v6.0.0	v6.0.11 -> v6.2.0	v6.2.5 -> 7.4.3
  [enable]	v6.0.0 -> v6.0.0
  [disable]	v6.0.0 -> v6.0.0

• cmp_save_extra_certs - Enable/disable saving extra certificates in CMP mode . type: str choices: enable, disable more...

  	Supported Version Ranges
  cmp_save_extra_certs	v6.0.0 -> 7.4.3
  [enable]	v6.0.0 -> 7.4.3
  [disable]	v6.0.0 -> 7.4.3

• cn_allow_multi - When searching for a matching certificate, allow multiple CN fields in certificate subject name . type: str choices: disable, enable more...

  	Supported Version Ranges
  cn_allow_multi	v7.0.1 -> 7.4.3
  [disable]	v7.0.1 -> 7.4.3
  [enable]	v7.0.1 -> 7.4.3

• cn_match - When searching for a matching certificate, control how to do CN value matching with certificate subject name . type: str choices: substring, value more...

  	Supported Version Ranges
  cn_match	v6.0.0 -> 7.4.3
  [substring]	v6.0.0 -> 7.4.3
  [value]	v6.0.0 -> 7.4.3

• crl_verification - CRL verification options. type: dict more...

  	Supported Version Ranges
  crl_verification	v7.0.1 -> 7.4.3

• chain_crl_absence - CRL verification option when CRL of any certificate in chain is absent . type: str choices: ignore, revoke more...

  	Supported Version Ranges
  chain_crl_absence	v7.0.1 -> 7.4.3
  [ignore]	v7.0.1 -> 7.4.3
  [revoke]	v7.0.1 -> 7.4.3

• expiry - CRL verification option when CRL is expired . type: str choices: ignore, revoke more...

  	Supported Version Ranges
  expiry	v7.0.1 -> 7.4.3
  [ignore]	v7.0.1 -> 7.4.3
  [revoke]	v7.0.1 -> 7.4.3

• leaf_crl_absence - CRL verification option when leaf CRL is absent . type: str choices: ignore, revoke more...

  	Supported Version Ranges
  leaf_crl_absence	v7.0.1 -> 7.4.3
  [ignore]	v7.0.1 -> 7.4.3
  [revoke]	v7.0.1 -> 7.4.3

• interface - Specify outgoing interface to reach server. Source system.interface.name. type: str more...

  	Supported Version Ranges
  interface	v6.2.0 -> v6.2.0	v6.2.5 -> v6.4.0	v6.4.4 -> 7.4.3

• interface_select_method - Specify how to select outgoing interface to reach server. type: str choices: auto, sdwan, specify more...

  	Supported Version Ranges
  interface_select_method	v6.2.0 -> v6.2.0	v6.2.5 -> v6.4.0	v6.4.4 -> 7.4.3
  [auto]	v6.2.0 -> v6.2.0
  [sdwan]	v6.2.0 -> v6.2.0
  [specify]	v6.2.0 -> v6.2.0

• ocsp_default_server - Default OCSP server. Source vpn.certificate.ocsp-server.name. type: str more...

  	Supported Version Ranges
  ocsp_default_server	v6.0.0 -> 7.4.3

• ocsp_option - Specify whether the OCSP URL is from certificate or configured OCSP server. type: str choices: certificate, server more...

  	Supported Version Ranges
  ocsp_option	v6.2.0 -> 7.4.3
  [certificate]	v6.2.0 -> 7.4.3
  [server]	v6.2.0 -> 7.4.3

• ocsp_status - Enable/disable receiving certificates using the OCSP. type: str choices: enable, mandatory, disable more...

  	Supported Version Ranges
  ocsp_status	v6.0.0 -> 7.4.3
  [enable]	v6.0.0 -> 7.4.3
  [mandatory]	v7.4.2 -> 7.4.3
  [disable]	v6.0.0 -> 7.4.3

• proxy - Proxy server FQDN or IP for OCSP/CA queries during certificate verification. type: str more...

  	Supported Version Ranges
  proxy	v7.2.4 -> 7.4.3

• proxy_password - Proxy server password. type: str more...

  	Supported Version Ranges
  proxy_password	v7.2.4 -> 7.4.3

• proxy_port - Proxy server port (1 - 65535). type: int more...

  	Supported Version Ranges
  proxy_port	v7.2.4 -> 7.4.3

• proxy_username - Proxy server user name. type: str more...

  	Supported Version Ranges
  proxy_username	v7.2.4 -> 7.4.3

• source_ip - Source IP address for dynamic AIA and OCSP queries. type: str more...

  	Supported Version Ranges
  source_ip	v7.4.0 -> 7.4.3

• ssl_min_proto_version - Minimum supported protocol version for SSL/TLS connections . type: str choices: default, SSLv3, TLSv1, TLSv1-1, TLSv1-2, TLSv1-3 more...

  	Supported Version Ranges
  ssl_min_proto_version	v6.0.0 -> 7.4.3
  [default]	v6.0.0 -> 7.4.3
  [SSLv3]	v6.0.0 -> 7.4.3
  [TLSv1]	v6.0.0 -> 7.4.3
  [TLSv1-1]	v6.0.0 -> 7.4.3
  [TLSv1-2]	v6.0.0 -> 7.4.3
  [TLSv1-3]	v7.4.1 -> 7.4.3

• ssl_ocsp_option - Specify whether the OCSP URL is from the certificate or the default OCSP server. type: str choices: certificate, server more...

  	Supported Version Ranges
  ssl_ocsp_option	v6.0.0 -> v6.0.11
  [certificate]	v6.0.0 -> v6.0.11
  [server]	v6.0.0 -> v6.0.11

• ssl_ocsp_source_ip - Source IP address to use to communicate with the OCSP server. type: str more...

  	Supported Version Ranges
  ssl_ocsp_source_ip	v6.2.0 -> v6.2.0	v6.2.5 -> v7.2.4

• ssl_ocsp_status - Enable/disable SSL OCSP. type: str choices: enable, disable more...

  	Supported Version Ranges
  ssl_ocsp_status	v6.0.0 -> v6.0.11
  [enable]	v6.0.0 -> v6.0.11
  [disable]	v6.0.0 -> v6.0.11

• strict_crl_check - Enable/disable strict mode CRL checking. type: str choices: enable, disable more...

  	Supported Version Ranges
  strict_crl_check	v6.0.0 -> v7.0.0
  [enable]	v6.0.0 -> v7.0.0
  [disable]	v6.0.0 -> v7.0.0

• strict_ocsp_check - Enable/disable strict mode OCSP checking. type: str choices: enable, disable more...

  	Supported Version Ranges
  strict_ocsp_check	v6.0.0 -> 7.4.3
  [enable]	v6.0.0 -> 7.4.3
  [disable]	v6.0.0 -> 7.4.3

• subject_match - When searching for a matching certificate, control how to do RDN value matching with certificate subject name . type: str choices: substring, value more...

  	Supported Version Ranges
  subject_match	v6.0.0 -> 7.4.3
  [substring]	v6.0.0 -> 7.4.3
  [value]	v6.0.0 -> 7.4.3

• subject_set - When searching for a matching certificate, control how to do RDN set matching with certificate subject name . type: str choices: subset, superset more...

  	Supported Version Ranges
  subject_set	v7.0.1 -> 7.4.3
  [subset]	v7.0.1 -> 7.4.3
  [superset]	v7.0.1 -> 7.4.3

Notes

Note

• Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- name: VPN certificate setting.
  fortinet.fortios.fortios_vpn_certificate_setting:
      vdom: "{{ vdom }}"
      vpn_certificate_setting:
          cert_expire_warning: "14"
          certname_dsa1024: "<your_own_value> (source vpn.certificate.local.name)"
          certname_dsa2048: "<your_own_value> (source vpn.certificate.local.name)"
          certname_ecdsa256: "<your_own_value> (source vpn.certificate.local.name)"
          certname_ecdsa384: "<your_own_value> (source vpn.certificate.local.name)"
          certname_ecdsa521: "<your_own_value> (source vpn.certificate.local.name)"
          certname_ed25519: "<your_own_value> (source vpn.certificate.local.name)"
          certname_ed448: "<your_own_value> (source vpn.certificate.local.name)"
          certname_rsa1024: "<your_own_value> (source vpn.certificate.local.name)"
          certname_rsa2048: "<your_own_value> (source vpn.certificate.local.name)"
          certname_rsa4096: "<your_own_value> (source vpn.certificate.local.name)"
          check_ca_cert: "enable"
          check_ca_chain: "enable"
          cmp_key_usage_checking: "enable"
          cmp_save_extra_certs: "enable"
          cn_allow_multi: "disable"
          cn_match: "substring"
          crl_verification:
              chain_crl_absence: "ignore"
              expiry: "ignore"
              leaf_crl_absence: "ignore"
          interface: "<your_own_value> (source system.interface.name)"
          interface_select_method: "auto"
          ocsp_default_server: "<your_own_value> (source vpn.certificate.ocsp-server.name)"
          ocsp_option: "certificate"
          ocsp_status: "enable"
          proxy: "<your_own_value>"
          proxy_password: "<your_own_value>"
          proxy_port: "8080"
          proxy_username: "<your_own_value>"
          source_ip: "84.230.14.43"
          ssl_min_proto_version: "default"
          ssl_ocsp_option: "certificate"
          ssl_ocsp_source_ip: "<your_own_value>"
          ssl_ocsp_status: "enable"
          strict_crl_check: "enable"
          strict_ocsp_check: "enable"
          subject_match: "substring"
          subject_set: "subset"

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

• build - Build number of the fortigate image returned: always type: str sample: 1547
• http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
• http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
• mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
• name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
• path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
• revision - Internal revision number returned: always type: str sample: 17.0.2.10658
• serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
• status - Indication of the operation's result returned: always type: str sample: success
• vdom - Virtual domain used returned: always type: str sample: root
• version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

• This module is not guaranteed to have a backwards compatible interface.

Authors

• Link Zheng (@chillancezen)

• Jie Xue (@JieX19)

• Hongbin Lu (@fgtdev-hblu)

• Frank Shen (@frankshen01)

• Miguel Angel Munoz (@mamunozgonzalez)

• Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.