
How to extract .crt and .key from .pem file on Ansible

I am using the module openssl_pkcs12 and I can extract the *.crt (CERTIFICATE) from the *.pem file, but I cannot figure out how to extract the *.key (KEY).

Sample of code (creating and extracting from the file the CERTIFICATE):

- name: Generate PKCS#12 file
  local_action:
    module: openssl_pkcs12
    action: export
    path: /tmp/pkcs/ansible.p12
    friendly_name: raclette
    privatekey_path: /tmp/pkcs/key.pem
    certificate_path: /tmp/pkcs/cert.pem
    state: present

- name: Dump/Parse PKCS#12 file
  local_action:
    module: openssl_pkcs12
    action: parse
    src: /tmp/pkcs/ansible.p12
    path: /tmp/pkcs/ansible.pem
    state: present

Then if I simply do sdiff on those two files, I can see that the CERTIFICATE matches perfectly. The key.pem file:

$ cat key.pem
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----

The cert.pem file:

$ cat cert.pem
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Then, in order to make the full.pem file, simply do: cat cert.pem key.pem > complete.pem. More information can be found here (How to get .pem file from .key and .crt files?).

Currently I am using the shell module sample below:

- name: Export Cert from Certificate
  shell: "openssl pkcs12 -in {{ fullFile }} -nokeys -out {{ certFile }} -passin pass:{{ password }}"
  delegate_to: localhost

- name: Export Key from Certificate
  shell: "openssl pkcs12 -in {{ fullFile }} -nocerts -nodes -out {{ keyFile }} -passin pass:{{ password }}"
  delegate_to: localhost

I searched online for alternative modules, e.g. (openssl_certificate, openssl_csr and openssl_privatekey). Is there any other module that could extract the key.pem written in Ansible?

Very basic solution but here we go...

From your last task, you get a file /tmp/ansible.pem containing both the private key and the certificate. Basically:

-----BEGIN PRIVATE KEY-----
[Key content here]
[...]
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[Cert content here]
[...]
-----END CERTIFICATE-----

The following tasks will read the file and extract each element.

Notes:

  • I made my tests all locally so I used the file lookup to get the content. If the file is on the remote machine, you will have to adapt the following and either slurp the content or fetch the file locally.
  • The cert regex will be greedy by default and return all certs in the pem file if there are several. You will have to adapt that as well and extract several times if you want each individual cert.

- name: Get the key part
  debug:
    msg: >-
      {{
        lookup('file', '/tmp/ansible.pem') |
        regex_replace("[\s\S.]*(-----BEGIN PRIVATE KEY-----[\s\S.]*-----END PRIVATE KEY-----)[\s\S.]*", "\1")
      }}

- name: Get the cert part
  debug:
    msg: >-
      {{
        lookup('file', '/tmp/ansible.pem') |
        regex_replace("[\s\S.]*(-----BEGIN CERTIFICATE-----[\s\S.]*-----END CERTIFICATE-----)[\s\S.]*", "\1")
      }}
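
A variant of the tasks above, as an added example that is not part of the original answer: it reads the bundle with slurp, matches each PEM block with `[^-]+` between the markers so several certificates come back as separate list items instead of one greedy match, and writes the key with mode 0600 while keeping it out of the task output with no_log. The output file names and the variable names (bundle, pem_key, pem_certs, key_re, cert_re, idx) are assumptions.

```yaml
# Added example: paths, variable names and output file names are assumptions.
- name: Read the combined PEM written by the parse task
  slurp:
    src: /tmp/pkcs/ansible.pem
  register: bundle
  no_log: true  # the registered result contains the private key
  delegate_to: localhost

- name: Split the bundle into the key and a list of certificates
  set_fact:
    pem_key: "{{ bundle.content | b64decode | regex_search(key_re) }}"
    pem_certs: "{{ bundle.content | b64decode | regex_findall(cert_re) }}"
  vars:
    # Base64 bodies never contain '-', so [^-]+ stops at the next marker line.
    # The optional word also accepts RSA / EC / ENCRYPTED PRIVATE KEY labels.
    key_re: "-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----[^-]+-----END (?:[A-Z]+ )?PRIVATE KEY-----"
    cert_re: "-----BEGIN CERTIFICATE-----[^-]+-----END CERTIFICATE-----"
  no_log: true

- name: Stop if either part is missing from the bundle
  assert:
    that:
      - pem_key is string and pem_key | length > 0
      - pem_certs | length > 0

- name: Write the private key, readable by the owner only
  copy:
    content: "{{ pem_key }}\n"
    dest: /tmp/pkcs/extracted.key
    mode: "0600"
  no_log: true
  delegate_to: localhost

- name: Write each certificate to its own file
  copy:
    content: "{{ item }}\n"
    dest: "/tmp/pkcs/extracted-{{ idx }}.crt"
    mode: "0644"
  loop: "{{ pem_certs }}"
  loop_control:
    index_var: idx
    label: "certificate {{ idx }}"  # keep the loop output short
  delegate_to: localhost
```

Legacy encrypted keys that carry `Proc-Type` / `DEK-Info` header lines contain `-` inside the block and will not match key_re; the unencrypted output of the parse task is the assumed input.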
