microsoft.ad.cs_authority module – Manage CA CRL Distribution Points and Authority Information Access

Note

This module is part of the microsoft.ad collection (version 1.11.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install microsoft.ad.

To use it in a playbook, specify: microsoft.ad.cs_authority.

New in microsoft.ad 1.11.0

Synopsis

  • Manage CRL Distribution Point (CDP) and Authority Information Access (AIA) extension entries on a Windows Certificate Authority.

  • Uses the ADCSAdministration PowerShell module cmdlets Get-CACrlDistributionPoint, Add-CACrlDistributionPoint, Remove-CACrlDistributionPoint, Get-CAAuthorityInformationAccess, Add-CAAuthorityInformationAccess, and Remove-CAAuthorityInformationAccess.

  • When cdp or aia is specified, the module enforces the exact desired list. Entries not in the desired list are removed, missing entries are added, and entries with matching URI but different flags are replaced.

  • When cdp or aia is omitted, that extension type is not managed.

  • The CertSvc service is restarted after changes when restart_service is true.
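The reconciliation rules above (exact desired list, match on URI, replace on flag difference, `[]` removes everything, omitted means unmanaged) can be previewed before a CA is touched. The following is an added illustration, not the collection's own code (the real module is PowerShell driving the ADCSAdministration cmdlets); the current-state snapshot, URIs and the `plan`/`normalize` helpers are constructed for this example and produce the same prediction a check_mode run would report.

```python
"""Model of the reconciliation that microsoft.ad.cs_authority performs.

Added illustration, not the collection's own code: the real module is
PowerShell driving the ADCSAdministration cmdlets. This model applies the
documented rules so a desired cdp/aia list can be previewed offline.
"""
from typing import Optional

# Flag names accepted by the module for each extension type.
CDP_FLAGS = (
    "add_to_certificate_cdp", "add_to_crl_cdp", "add_to_crl_idp",
    "add_to_freshest_crl", "publish_delta_to_server", "publish_to_server",
)
AIA_FLAGS = ("add_to_certificate_aia", "add_to_certificate_ocsp")


def normalize(entry: dict, flags: tuple) -> dict:
    """Return an entry with every flag present (module default is false)."""
    if "uri" not in entry:
        raise ValueError("entry is missing the required 'uri' key")
    unknown = set(entry) - set(flags) - {"uri"}
    if unknown:
        raise ValueError(f"unknown option(s) for this extension: {sorted(unknown)}")
    return {"uri": entry["uri"], **{f: bool(entry.get(f, False)) for f in flags}}


def plan(current: list, desired: Optional[list], flags: tuple) -> dict:
    """Operations that turn `current` into `desired`.

    desired is None -> extension type not managed, no operations
    desired is []   -> every existing entry is removed
    same URI, different flags -> old entry removed, new one added
    """
    if desired is None:
        return {"remove": [], "add": [], "changed": False}
    cur = {e["uri"]: normalize(e, flags) for e in current}
    want = {}
    for e in desired:
        n = normalize(e, flags)
        if n["uri"] in want:
            raise ValueError(f"duplicate uri in desired list: {n['uri']}")
        want[n["uri"]] = n
    # An entry survives only if the desired list has the same URI with the same flags.
    remove = [cur[u] for u in cur if want.get(u) != cur[u]]
    add = [want[u] for u in want if cur.get(u) != want[u]]
    return {"remove": remove, "add": add, "changed": bool(remove or add)}


# Constructed snapshot of what Get-CACrlDistributionPoint might report on a
# freshly installed CA (illustrative values, not captured from a real host).
FILE_URI = r"C:\Windows\System32\CertSrv\CertEnroll\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl"
LDAP_URI = ("ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,"
            "CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>")
HTTP_DEFAULT_URI = "http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl"
HTTP_DESIRED_URI = "http://pki.corp.com/crl/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl"

CURRENT_CDP = [
    {"uri": FILE_URI, "publish_to_server": True, "publish_delta_to_server": True},
    {"uri": LDAP_URI, "add_to_certificate_cdp": True, "add_to_crl_cdp": True, "add_to_crl_idp": True},
    {"uri": HTTP_DEFAULT_URI, "add_to_certificate_cdp": True, "add_to_freshest_crl": True},
]

# The page's first playbook example, taken as the desired state.
DESIRED_CDP = [
    {"uri": FILE_URI, "publish_to_server": True, "publish_delta_to_server": True},
    {"uri": HTTP_DESIRED_URI, "add_to_certificate_cdp": True, "add_to_freshest_crl": True},
]

if __name__ == "__main__":
    p = plan(CURRENT_CDP, DESIRED_CDP, CDP_FLAGS)
    for e in p["remove"]:
        print("remove:", e["uri"])
    for e in p["add"]:
        print("add:   ", e["uri"])
    print("changed:", p["changed"])
```

Run against the constructed snapshot, the plan keeps the file entry untouched, removes the LDAP and default HTTP entries that are absent from the desired list, and adds the pki.corp.com entry; the same function with the AIA flag tuple models the aia option, and changing a single flag on an existing URI yields a remove followed by an add for that URI.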

Parameters

Parameter

Comments

aia

list / elements=dictionary

Desired list of Authority Information Access entries.

Each entry specifies a URI and whether it is an AIA or OCSP endpoint.

When specified, the module enforces exactly this list of AIA entries. Existing entries not in the list are removed.

An empty list [] removes all AIA entries.

When omitted, AIA configuration is not managed.

add_to_certificate_aia

boolean

Include this URI in the AIA extension of issued certificates.

Choices:

  • false ← (default)

  • true

add_to_certificate_ocsp

boolean

Include this URI in the OCSP extension of issued certificates.

Choices:

  • false ← (default)

  • true

uri

string / required

The AIA or OCSP URI.

cdp

list / elements=dictionary

Desired list of CRL Distribution Point entries.

Each entry specifies a URI and the boolean flags that control how the CDP is used.

When specified, the module enforces exactly this list of CDPs. Existing entries not in the list are removed.

An empty list [] removes all CDP entries.

When omitted, CDP configuration is not managed.

URI strings may contain ADCS variable tokens in angle-bracket format: <ServerDNSName>, <ServerShortName>, <CAName>, <CertificateName>, <CATruncatedName>, <CRLNameSuffix>, <DeltaCRLAllowed>, <ConfigurationContainer>, <CDPObjectClass>, <CAObjectClass>.

add_to_certificate_cdp

boolean

Include this URI in the CDP extension of issued certificates.

Choices:

  • false ← (default)

  • true

add_to_crl_cdp

boolean

Include this URI in the CDP extension of issued CRLs.

Choices:

  • false ← (default)

  • true

add_to_crl_idp

boolean

Include this URI in the IDP (Issuing Distribution Point) extension of issued CRLs.

Choices:

  • false ← (default)

  • true

add_to_freshest_crl

boolean

Include this URI in the freshest CRL extension for locating delta CRLs.

Choices:

  • false ← (default)

  • true

publish_delta_to_server

boolean

Publish delta CRLs to this location.

Choices:

  • false ← (default)

  • true

publish_to_server

boolean

Publish CRLs to this location.

Choices:

  • false ← (default)

  • true

uri

string / required

The CDP URI.

Supports HTTP, LDAP, UNC, and file path URIs.

restart_service

boolean

Whether to restart the CertSvc service after making changes.

CDP and AIA changes typically require a service restart to take effect on newly issued certificates.

Choices:

  • false

  • true ← (default)

Attributes

Attribute

Support

Description

check_mode

Support: full

Can run in check_mode and return a changed status prediction without modifying the target; if not supported, the action will be skipped.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode) when in diff mode.

platform

Platform: windows

Target OS/families that can be operated against

Notes

Note

  • This module must be run on the CA server itself.

  • The ADCSAdministration PowerShell module must be available on the target host (installed with the AD CS role).

  • Changes only affect newly issued certificates and CRLs. Previously issued certificates retain their original CDP and AIA references.

  • Administrator permissions on the CA are required.

See Also


microsoft.ad.cs_template

Manage AD Certificate Services certificate templates.

Examples

- name: Configure CDP with HTTP and local file publishing
  microsoft.ad.cs_authority:
    cdp:
      - uri: 'C:\Windows\System32\CertSrv\CertEnroll\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'
        publish_to_server: true
        publish_delta_to_server: true
      - uri: 'http://pki.corp.com/crl/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'
        add_to_certificate_cdp: true
        add_to_freshest_crl: true

- name: Configure AIA with HTTP and OCSP
  microsoft.ad.cs_authority:
    aia:
      - uri: 'http://pki.corp.com/crl/<ServerDNSName>_<CAName><CertificateName>.crt'
        add_to_certificate_aia: true
      - uri: 'http://ocsp.corp.com/ocsp'
        add_to_certificate_ocsp: true

- name: Configure both CDP and AIA together
  microsoft.ad.cs_authority:
    cdp:
      - uri: 'C:\Windows\System32\CertSrv\CertEnroll\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'
        publish_to_server: true
        publish_delta_to_server: true
      - uri: 'http://pki.corp.com/crl/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'
        add_to_certificate_cdp: true
        add_to_freshest_crl: true
    aia:
      - uri: 'http://pki.corp.com/crl/<ServerDNSName>_<CAName><CertificateName>.crt'
        add_to_certificate_aia: true
      - uri: 'http://ocsp.corp.com/ocsp'
        add_to_certificate_ocsp: true
    restart_service: true

- name: Remove all CDP entries
  microsoft.ad.cs_authority:
    cdp: []

- name: Configure CDP without restarting the service
  microsoft.ad.cs_authority:
    cdp:
      - uri: 'http://pki.corp.com/crl/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'
        add_to_certificate_cdp: true
    restart_service: false

Authors

  • Ron Gershburg (@rgershbu)