diff --git a/IISU.sln b/IISU.sln
index 65b071d..50f7736 100644
--- a/IISU.sln
+++ b/IISU.sln
@@ -1,45 +1,48 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 17
-VisualStudioVersion = 17.2.32616.157
-MinimumVisualStudioVersion = 10.0.40219.1
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "IISU", "IISU\IISU.csproj", "{33FBC5A1-3466-4F10-B9A6-7186F804A65A}"
-EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}"
- ProjectSection(SolutionItems) = preProject
- CHANGELOG.md = CHANGELOG.md
- integration-manifest.json = integration-manifest.json
- .github\workflows\keyfactor-extension-release.yml = .github\workflows\keyfactor-extension-release.yml
- readme_source.md = readme_source.md
- EndProjectSection
-EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{6302034E-DF8C-4B65-AC36-CED24C068999}"
- ProjectSection(SolutionItems) = preProject
- images\ReEnrollment1.png = images\ReEnrollment1.png
- images\ReEnrollment1a.png = images\ReEnrollment1a.png
- images\ReEnrollment1b.png = images\ReEnrollment1b.png
- images\Screen1.png = images\Screen1.png
- images\Screen2.png = images\Screen2.png
- EndProjectSection
-EndProject
-Global
- GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|Any CPU = Debug|Any CPU
- Release|Any CPU = Release|Any CPU
- EndGlobalSection
- GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
- {33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Debug|Any CPU.Build.0 = Debug|Any CPU
- {33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Release|Any CPU.ActiveCfg = Release|Any CPU
- {33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Release|Any CPU.Build.0 = Release|Any CPU
- EndGlobalSection
- GlobalSection(SolutionProperties) = preSolution
- HideSolutionNode = FALSE
- EndGlobalSection
- GlobalSection(NestedProjects) = preSolution
- {6302034E-DF8C-4B65-AC36-CED24C068999} = {1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}
- EndGlobalSection
- GlobalSection(ExtensibilityGlobals) = postSolution
- SolutionGuid = {E0FA12DA-6B82-4E64-928A-BB9965E636C1}
- EndGlobalSection
-EndGlobal
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.32929.386
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "IISU", "IISU\IISU.csproj", "{33FBC5A1-3466-4F10-B9A6-7186F804A65A}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}"
+ ProjectSection(SolutionItems) = preProject
+ CHANGELOG.md = CHANGELOG.md
+ integration-manifest.json = integration-manifest.json
+ .github\workflows\keyfactor-extension-release.yml = .github\workflows\keyfactor-extension-release.yml
+ readme_source.md = readme_source.md
+ EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{6302034E-DF8C-4B65-AC36-CED24C068999}"
+ ProjectSection(SolutionItems) = preProject
+ images\AddCertStore.png = images\AddCertStore.png
+ images\CertStoreType-c.png = images\CertStoreType-c.png
+ images\CertStoreType.png = images\CertStoreType.png
+ images\ReEnrollment1.png = images\ReEnrollment1.png
+ images\ReEnrollment1a.png = images\ReEnrollment1a.png
+ images\ReEnrollment1b.png = images\ReEnrollment1b.png
+ images\Screen1.png = images\Screen1.png
+ images\Screen2.png = images\Screen2.png
+ EndProjectSection
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|Any CPU = Debug|Any CPU
+ Release|Any CPU = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Release|Any CPU.Build.0 = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(NestedProjects) = preSolution
+ {6302034E-DF8C-4B65-AC36-CED24C068999} = {1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {E0FA12DA-6B82-4E64-928A-BB9965E636C1}
+ EndGlobalSection
+EndGlobal
diff --git a/IISU/IISManager.cs b/IISU/IISManager.cs
index 30aea1d..b5926e3 100644
--- a/IISU/IISManager.cs
+++ b/IISU/IISManager.cs
@@ -1,4 +1,18 @@
-using System;
+// Copyright 2022 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
 using System.Linq;
 using System.Management.Automation;
 using System.Management.Automation.Runspaces;
diff --git a/IISU/JobProperties.cs b/IISU/JobProperties.cs
index aa3ccc0..7c78948 100644
--- a/IISU/JobProperties.cs
+++ b/IISU/JobProperties.cs
@@ -1,4 +1,18 @@
-using System.ComponentModel;
+// Copyright 2022 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System.ComponentModel;
 using Newtonsoft.Json;
 
 namespace Keyfactor.Extensions.Orchestrator.IISU
diff --git a/IISU/Jobs/Inventory.cs b/IISU/Jobs/Inventory.cs
index 535b1cb..be8acb5 100644
--- a/IISU/Jobs/Inventory.cs
+++ b/IISU/Jobs/Inventory.cs
@@ -1,3 +1,17 @@
+// Copyright 2022 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/IISU/Jobs/Management.cs b/IISU/Jobs/Management.cs
index fc015cd..944e21e 100644
--- a/IISU/Jobs/Management.cs
+++ b/IISU/Jobs/Management.cs
@@ -1,4 +1,18 @@
-using System;
+// Copyright 2022 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
 using System.Linq;
 using System.Management.Automation;
 using System.Management.Automation.Runspaces;
diff --git a/IISU/Jobs/ReEnrollment.cs b/IISU/Jobs/ReEnrollment.cs
index 703e60b..e4750cc 100644
--- a/IISU/Jobs/ReEnrollment.cs
+++ b/IISU/Jobs/ReEnrollment.cs
@@ -1,4 +1,18 @@
-using System;
+// Copyright 2022 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
 using System.Collections.ObjectModel;
 using System.Linq;
 using System.Management.Automation;
@@ -108,7 +122,6 @@ private JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submi ps.AddScript($"Add-Content $infFilename '[Extensions]'"); ps.AddScript(@"Add-Content $infFilename '2.5.29.17 = ""{text}""'"); - // Todo: Parse SAN by '&' and add the below entry for each DSN foreach (string s in SAN.ToString().Split("&")) { ps.AddScript($"Add-Content $infFilename '_continue_ = \"{s + "&"}\"'"); @@ -116,7 +129,13 @@ private JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submi // Execute the -new command ps.AddScript($"certreq -new -q $infFilename $csrFilename"); + _logger.LogDebug($"Subject Text: {subjectText}"); + _logger.LogDebug($"SAN: {SAN}"); + _logger.LogDebug($"Provider Name: {providerName}"); + _logger.LogDebug($"Key Type: {keyType}"); + _logger.LogDebug($"Key Size: {keySize}"); _logger.LogTrace("Attempting to create the CSR by Invoking the script."); + Collection results = ps.Invoke(); _logger.LogTrace("Completed the attempt in creating the CSR."); ps.Commands.Clear(); @@ -126,9 +145,9 @@ private JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submi ps.AddScript($"$CSR = Get-Content $csrFilename"); _logger.LogTrace("Attempting to get the contents of the CSR file."); results = ps.Invoke(); - _logger.LogTrace("Completet getting the CSR Contents."); + _logger.LogTrace("Finished getting the CSR Contents."); } - catch (Exception e) + catch (Exception) { var psError = ps.Streams.Error.ReadAll().Aggregate(String.Empty, (current, error) => current + error.ErrorDetails.Message); throw new PowerShellCertException($"Error creating CSR File. {psError}"); 
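Review bot: `catch (Exception)` in the third hunk drops the exception variable instead of forwarding it, so the `PowerShellCertException` thrown on the next line loses the original cause and its stack trace; keep `catch (Exception e)` and pass it through as `throw new PowerShellCertException($"Error creating CSR File. {psError}", e);`, assuming the type exposes a (string, Exception) constructor (its definition is not in this diff). The same handler builds `psError` from `error.ErrorDetails.Message` for every record in `ps.Streams.Error`, and `ErrorRecord.ErrorDetails` is commonly null unless the failing command populated it, in which case the handler itself fails with a NullReferenceException and the real CSR failure reason is lost; `error.ErrorDetails?.Message ?? error.Exception?.Message` is the safer projection. In the second hunk the five new `_logger.LogDebug` calls interpolate the values into the message string; if `_logger` is a Microsoft.Extensions.Logging logger, message templates such as `_logger.LogDebug("SAN: {San}", SAN)` would keep those fields queryable in structured sinks. PerformReEnrollment begins before and ends after these hunks.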
@@ -174,7 +193,7 @@ private JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submi _logger.LogTrace("Attempting to accept or bind the certificate to the HSM."); ps.AddScript("certreq -accept $cerFilename"); ps.Invoke(); - _logger.LogTrace("Successfully bind the certificate to the HSM."); + _logger.LogTrace("Successfully bound the certificate to the HSM."); ps.Commands.Clear(); // Delete the temp files diff --git a/IISU/PSCertStoreException.cs b/IISU/PSCertStoreException.cs index 702dc8f..5afc67b 100644 --- a/IISU/PSCertStoreException.cs +++ b/IISU/PSCertStoreException.cs @@ -1,4 +1,18 @@ -using System; +// Copyright 2022 Keyfactor +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +using System; using System.Runtime.Serialization; namespace Keyfactor.Extensions.Orchestrator.IISU diff --git a/IISU/PSCertificate.cs b/IISU/PSCertificate.cs index 832bee7..5bfdf7f 100644 --- a/IISU/PSCertificate.cs +++ b/IISU/PSCertificate.cs 
@@ -1,4 +1,18 @@
-using System;
+// Copyright 2022 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
 
 namespace Keyfactor.Extensions.Orchestrator.IISU
 {
diff --git a/IISU/PowerShellCertException.cs b/IISU/PowerShellCertException.cs
index 160176d..87d915c 100644
--- a/IISU/PowerShellCertException.cs
+++ b/IISU/PowerShellCertException.cs
@@ -1,4 +1,18 @@
-using System;
+// Copyright 2022 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
 using System.Collections.Generic;
 using System.Runtime.Serialization;
 using System.Text;
diff --git a/IISU/PowerShellCertStore.cs b/IISU/PowerShellCertStore.cs
index ecf11f7..ce9505a 100644
--- a/IISU/PowerShellCertStore.cs
+++ b/IISU/PowerShellCertStore.cs
@@ -1,4 +1,18 @@
-using System;
+// Copyright 2022 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
 using System.Collections.Generic;
 using System.Management.Automation;
 using System.Management.Automation.Runspaces;
@@ -50,7 +64,7 @@ private void Initalize()
 {
 using var ps = PowerShell.Create();
 ps.Runspace = RunSpace;
- //todo: accept StoreType and Store Name enum for which to open
+
 var certStoreScript = $@"
 $certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('{StorePath}','LocalMachine')
 $certStore.Open('ReadOnly')
diff --git a/README.md b/README.md
index 28c83b5..b471a4a 100644
--- a/README.md
+++ b/README.md
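Review bot: In the second hunk of PowerShellCertStore.cs, removing the TODO leaves `{StorePath}` spliced unescaped into the single-quoted PowerShell literal handed to `X509Store(...)`, so a store path containing a `'` breaks the script or alters what it runs; checking `StorePath` against the values the README documents for this field (`My` or `WebHosting`) before `certStoreScript` is built, or at least doubling any embedded single quotes, would close that gap. The deleted line was the only reminder that the store name should be constrained to a fixed set, so if that is not implemented now a comment such as `// StorePath is interpolated into a PowerShell literal: validate or escape before use` should take its place rather than a blank line. Initalize's body continues outside the hunk.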
@@ -56,7 +56,13 @@ This agent implements four job types – Inventory, Management Add, Remove and R WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow the server running the orchestrator to manage the server running IIS. -**Note if you are upgrading from version 1.1.2 you must run the IISWBin 1.1.3 upgrade script.sql SQL Script** +**Note:** +In version 2.0 of the IIS Orchestrator, the certificate store type has been renamed and additional parameters have been added. Prior to 2.0 the certificate store type was called “IISBin” and as of 2.0 it is called “IISU”. If you have existing certificate stores of type “IISBin”, you have three options: +1. Leave them as is and continue to manage them with a pre 2.0 IIS Orchestrator Extension. Create the new IISU certificate store type and create any new IIS stores using the new type. +1. Delete existing IIS stores. Delete the IISBin store type. Create the new IISU store type. Recreate the IIS stores using the new IISU store type. +1. Convert existing IISBin certificate stores to IISU certificate stores. There is not currently a way to do this via the Keyfactor API, so direct updates to the underlying Keyfactor SQL database is required. A SQL script (IIS-Conversion.sql) is available in the repository to do this. Hosted customers, which do not have access to the underlying database, will need to work Keyfactor support to run the conversion. On-premises customers can run the script themselves, but are strongly encouraged to ensure that a SQL backup is taken prior running the script (and also be confident that they have a tested database restoration process.) + +**Note: There is an additional certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.** **1. Create the New Certificate Store Type for the IIS Orchestrator** 
@@ -66,8 +72,8 @@ In Keyfactor Command create a new Certificate Store Type similar to the one belo CONFIG ELEMENT | DESCRIPTION ------------------|------------------ Name |Descriptive name for the Store Type -Short Name |The short name that identifies the registered functionality of the orchestrator. Must be IISWBin -Custom Capability|Store type name orchestrator will register with. Must be "IISBindings". +Short Name |The short name that identifies the registered functionality of the orchestrator. Must be IISU +Custom Capability|Store type name orchestrator will register with. Must be "IISU". Needs Server |Must be checked Blueprint Allowed |Unchecked Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked. @@ -80,7 +86,7 @@ Private Keys |This determines if Keyfactor can send the private key associated w PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined). Job Types |Inventory, Add, and Remove are the supported job types. -![](images/screen1.gif) +![](images/certstoretype.png) **Advanced Settings:** - **Custom Alias** – Forbidden 
@@ -97,8 +103,12 @@ Parameter Name|Display Name|Parameter Type|Default Value|Required|Description spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on +ServerUsername|Server Username|Secret||No|The username to log into the IIS Server +ServerPassword|Server Password|Secret||No|The password that matches the username to log into the IIS Server +ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not + -![](images/screen1-b.gif) +![](images/certstoretype-c.png) **Entry Parameters:** This section must be configured with binding fields. The parameters will be populated with the appropriate data when creating a new certificate store.
@@ -115,7 +125,7 @@ This section must be configured with binding fields. The parameters will be popu - 1 - SNI Enabled - 2 - Non SNI Binding - 3 - SNI Binding -- **Prover Name** - Optional. To get a list of Crypto Providers, open PowerShell and issue the 'certutil -csplist' command. If no Provider Name is provided, the 'Microsoft Strong Cryptographic Provider' will be used. +- **Provider Name** - Optional. To get a list of Crypto Providers, open PowerShell and issue the 'certutil -csplist' command. If no Provider Name is provided, the 'Microsoft Strong Cryptographic Provider' will be used. - **SAN** - Required. The SAN must have one entry that matches the Subject Name when using ReEnrollment. Multiple SANs maybe chained together using '&'. Example: dns=www.mysite.com&dns=www.mysite2.com. Parameter Name|Parameter Type|Default Value|Required @@ -129,17 +139,16 @@ Protocol |Multiple Choice|https|Yes Provider Name |String||No SAN |String||Yes -![](images/screen1-c.gif) +![](images/screen2.png) -**2. Register the IIS Binding Orchestrator with Keyfactor** +**2. Register the IIS Universal Orchestrator with Keyfactor** See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representative. **3. Create an IIS Binding Certificate Store within Keyfactor Command** -In Keyfactor Command create a new Certificate Store similar to the one below, selecting IIS With Binding as the Category and the parameters as described in "Create the New Certificate Store Type for the New IIS-With-Bindings AnyAgent". +In Keyfactor Command create a new Certificate Store similar to the one below, selecting "IISU" as the Category and the parameters as described in "Create the New Certificate Store Type for the New IIS AnyAgent".
-![](images/screen2.gif) -![](images/screen2-a.gif) +![](images/AddCertStore.png) #### STORE CONFIGURATION CONFIG ELEMENT |DESCRIPTION @@ -149,9 +158,14 @@ Container |This is a logical grouping of like stores. This configuration is opti Client Machine |The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell. Credentials |Local or domain admin account that has permissions to manage iis (Has to be admin) Store Path |My or WebHosting +Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. +SPN with Port?| WinRm Protocol|http or https WinRm Port |Port to run WinRm on Default for http is 5985 -Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. +Server Username|Username to log into the IIS Server +Server Password|Password for the username required to log into the IIS Server +Use SSL|Determines whether SSL is used ot not + Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store. diff --git a/images/AddCertStore.png b/images/AddCertStore.png new file mode 100644 index 0000000..2d18d0e Binary files /dev/null and b/images/AddCertStore.png differ diff --git a/images/CertStoreType-c.png b/images/CertStoreType-c.png new file mode 100644 index 0000000..c308691 Binary files /dev/null and b/images/CertStoreType-c.png differ diff --git a/images/CertStoreType.png b/images/CertStoreType.png new file mode 100644 index 0000000..b44d7a6 Binary files /dev/null and b/images/CertStoreType.png differ diff --git a/readme_source.md b/readme_source.md index 00ef8c4..12b4497 100644 --- a/readme_source.md +++ b/readme_source.md 
@@ -12,7 +12,13 @@ This agent implements four job types – Inventory, Management Add, Remove and R WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow the server running the orchestrator to manage the server running IIS. -**Note if you are upgrading from version 1.1.2 you must run the IISWBin 1.1.3 upgrade script.sql SQL Script** +**Note:** +In version 2.0 of the IIS Orchestrator, the certificate store type has been renamed and additional parameters have been added. Prior to 2.0 the certificate store type was called “IISBin” and as of 2.0 it is called “IISU”. If you have existing certificate stores of type “IISBin”, you have three options: +1. Leave them as is and continue to manage them with a pre 2.0 IIS Orchestrator Extension. Create the new IISU certificate store type and create any new IIS stores using the new type. +1. Delete existing IIS stores. Delete the IISBin store type. Create the new IISU store type. Recreate the IIS stores using the new IISU store type. +1. Convert existing IISBin certificate stores to IISU certificate stores. There is not currently a way to do this via the Keyfactor API, so direct updates to the underlying Keyfactor SQL database is required. A SQL script (IIS-Conversion.sql) is available in the repository to do this. Hosted customers, which do not have access to the underlying database, will need to work Keyfactor support to run the conversion. On-premises customers can run the script themselves, but are strongly encouraged to ensure that a SQL backup is taken prior running the script (and also be confident that they have a tested database restoration process.) + +**Note: There is an additional certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.** **1. Create the New Certificate Store Type for the IIS Orchestrator** 
@@ -22,8 +28,8 @@ In Keyfactor Command create a new Certificate Store Type similar to the one belo CONFIG ELEMENT | DESCRIPTION ------------------|------------------ Name |Descriptive name for the Store Type -Short Name |The short name that identifies the registered functionality of the orchestrator. Must be IISWBin -Custom Capability|Store type name orchestrator will register with. Must be "IISBindings". +Short Name |The short name that identifies the registered functionality of the orchestrator. Must be IISU +Custom Capability|Store type name orchestrator will register with. Must be "IISU". Needs Server |Must be checked Blueprint Allowed |Unchecked Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked. @@ -36,7 +42,7 @@ Private Keys |This determines if Keyfactor can send the private key associated w PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined). Job Types |Inventory, Add, and Remove are the supported job types. -![](images/screen1.gif) +![](images/certstoretype.png) **Advanced Settings:** - **Custom Alias** – Forbidden 
@@ -53,8 +59,12 @@ Parameter Name|Display Name|Parameter Type|Default Value|Required|Description spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on +ServerUsername|Server Username|Secret||No|The username to log into the IIS Server +ServerPassword|Server Password|Secret||No|The password that matches the username to log into the IIS Server +ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not + -![](images/screen1-b.gif) +![](images/certstoretype-c.png) **Entry Parameters:** This section must be configured with binding fields. The parameters will be populated with the appropriate data when creating a new certificate store.
@@ -71,7 +81,7 @@ This section must be configured with binding fields. The parameters will be popu - 1 - SNI Enabled - 2 - Non SNI Binding - 3 - SNI Binding -- **Prover Name** - Optional. To get a list of Crypto Providers, open PowerShell and issue the 'certutil -csplist' command. If no Provider Name is provided, the 'Microsoft Strong Cryptographic Provider' will be used. +- **Provider Name** - Optional. To get a list of Crypto Providers, open PowerShell and issue the 'certutil -csplist' command. If no Provider Name is provided, the 'Microsoft Strong Cryptographic Provider' will be used. - **SAN** - Required. The SAN must have one entry that matches the Subject Name when using ReEnrollment. Multiple SANs maybe chained together using '&'. Example: dns=www.mysite.com&dns=www.mysite2.com. Parameter Name|Parameter Type|Default Value|Required @@ -85,17 +95,16 @@ Protocol |Multiple Choice|https|Yes Provider Name |String||No SAN |String||Yes -![](images/screen1-c.gif) +![](images/screen2.png) -**2. Register the IIS Binding Orchestrator with Keyfactor** +**2. Register the IIS Universal Orchestrator with Keyfactor** See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representative. **3. Create an IIS Binding Certificate Store within Keyfactor Command** -In Keyfactor Command create a new Certificate Store similar to the one below, selecting IIS With Binding as the Category and the parameters as described in "Create the New Certificate Store Type for the New IIS-With-Bindings AnyAgent". +In Keyfactor Command create a new Certificate Store similar to the one below, selecting "IISU" as the Category and the parameters as described in "Create the New Certificate Store Type for the New IIS AnyAgent".
-![](images/screen2.gif) -![](images/screen2-a.gif) +![](images/AddCertStore.png) #### STORE CONFIGURATION CONFIG ELEMENT |DESCRIPTION @@ -105,9 +114,14 @@ Container |This is a logical grouping of like stores. This configuration is opti Client Machine |The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell. Credentials |Local or domain admin account that has permissions to manage iis (Has to be admin) Store Path |My or WebHosting +Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. +SPN with Port?| WinRm Protocol|http or https WinRm Port |Port to run WinRm on Default for http is 5985 -Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. +Server Username|Username to log into the IIS Server +Server Password|Password for the username required to log into the IIS Server +Use SSL|Determines whether SSL is used ot not + Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store.