* Warn of standard behavior of 'default' key store
The default key store typically results in the key being stored as user. In instances where we're trying to install a cert to enable SSL binding in IIS, this will result in an unbind-able cert, as the IIS APPPOOL identity will not be able to read the private key, and presents a very cryptic error of 'A specified logon session does not exist'.
* specify what's required for successful IIS import
- store_location's default value is currently 'LocalMachine' but if this changes it could result in the documentation being inaccurate
- key_exportable is not required for a successful IIS import
Co-Authored-By: tdietrich513 <tom.dietrich@gmail.com>
(cherry picked from commit 2b48c0187c)
parent: 85764a00c4
commit: 1bd3adf4f4
1 changed file with 14 additions and 1 deletion
@ -91,7 +91,7 @@ options:
key_storage:
description:
- Specifies where Windows will store the private key when it is imported.
- When set to C(default), the default option as set by Windows is used.
- When set to C(default), the default option as set by Windows is used, typically C(user).
- When set to C(machine), the key is stored in a path accessible by various
users.
- When set to C(user), the key is stored in a path only accessible by the
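Review bot: the added 'When set to C(default) ... typically C(user)' line states which storage the default maps to but not why that matters, which is the whole reason for this change: per the commit message, a key stored under the importing user is unreadable to other accounts such as the IIS APPPOOL identity. Suggest finishing the sentence with the consequence, e.g. "..., typically C(user), meaning only the importing account can read the private key."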
@ -118,6 +118,10 @@ notes:
Kerberos with credential delegation, or use C(become) to bypass these
restrictions.
- The certificates must be located on the Windows host to be set with I(path).
- When importing a certificate for usage in IIS, it is generally required
to use the C(machine) key_storage option, as both C(default) and C(user)
will make the private key unreadable to IIS APPPOOL identities and prevent
binding the certificate to the https endpoint.
author:
- Jordan Borean (@jborean93)
'''
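Review bot: the new note says "both C(default) and C(user) will make the private key unreadable", which is stronger than the option description's "typically C(user)" for the default; suggest "C(default) (typically C(user))" so the two stay consistent. The note also only covers key_storage, while the commit message itself points out that the IIS example depends on store_location being LocalMachine and that this default could change; state that requirement here as well, e.g. "import into the C(LocalMachine) store with C(machine) key storage". Quoting the error text from the commit message, "A specified logon session does not exist", would let users who hit that error find this note by searching.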
@ -177,6 +181,15 @@ EXAMPLES = r'''
become: yes
become_method: runas
become_user: SYSTEM
- name: import certificate be used by IIS
win_certificate_store:
path: C:\Temp\cert.pfx
file_type: pkcs12
password: StrongPassword!
store_location: LocalMachine
key_storage: machine
state: present
'''
RETURN = r'''
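Review bot: the task name "import certificate be used by IIS" is missing a word; "import certificate to be used by IIS". The example also puts the PFX password inline as a literal ("password: StrongPassword!"); since playbooks end up in source control, suggest sourcing it from a vaulted variable (e.g. `password: "{{ pfx_password }}"`) so the documented example does not model a plaintext secret. Setting store_location: LocalMachine explicitly is the right call given the commit message's point that the default could change.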