From d0f228f5950da7255e911b6e501b33a8cb78b7cf Mon Sep 17 00:00:00 2001
From: Brian Hill
Date: Fri, 2 Dec 2022 15:18:18 -0500
Subject: [PATCH 1/4] Fixed Remove Bug Found after ReEnrollment Refactoring
---
 IISU/Jobs/Management.cs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/IISU/Jobs/Management.cs b/IISU/Jobs/Management.cs
index 944e21e..492107b 100644
--- a/IISU/Jobs/Management.cs
+++ b/IISU/Jobs/Management.cs
@@ -92,10 +92,11 @@ private JobResult PerformRemoval(ManagementJobConfiguration config)
 try
 {
 _logger.MethodEntry();
- var siteName = config.JobProperties["Site Name"];
+ var siteName = config.JobProperties["SiteName"];
 var port = config.JobProperties["Port"];
- var hostName = config.JobProperties["Host Name"];
+ var hostName = config.JobProperties["HostName"];
 var protocol = config.JobProperties["Protocol"];
+ var ipAddress = config.JobProperties["IPAddress"].ToString();
 _logger.LogTrace($"Removing Site: {siteName}, Port:{port}, hostName:{hostName}, protocol:{protocol}");
 var storePath = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties,
@@ -141,6 +142,7 @@ private JobResult PerformRemoval(ManagementJobConfiguration config)
 .AddParameter("Name", siteName)
 .AddParameter("Port", port)
 .AddParameter("HostHeader", hostName)
+ .AddParameter("IPAddress",ipAddress)
 .AddStatement();
From 6a728d66b09d6260f9d8d008d1ad0d6945633b2a Mon Sep 17 00:00:00 2001
From: Brian Hill
Date: Mon, 5 Dec 2022 10:54:53 -0500
Subject: [PATCH 2/4] Fixed Removal Bug and Updated Readme
---
 readme_source.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/readme_source.md b/readme_source.md
index 12b4497..d9a72d0 100644
--- a/readme_source.md
+++ b/readme_source.md
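Review bot: `var ipAddress = config.JobProperties["IPAddress"].ToString();` is the only one of the five property reads in this hunk that calls `.ToString()`, so if the stored value is null this line throws a NullReferenceException inside the try, while the neighbouring reads would just carry a null through; read it the same way as the others or null-guard it, `var ipAddress = config.JobProperties["IPAddress"]?.ToString();`. The new value is also absent from the trace line that follows it, so a failed removal is logged without the IP address the job was aimed at — extend it to `_logger.LogTrace($"Removing Site: {siteName}, Port:{port}, hostName:{hostName}, protocol:{protocol}, ipAddress:{ipAddress}");`. Because this value presumably selects which binding gets removed further down, checking it here (the literal `*` or a parseable address) would turn a missing or malformed value into a clear job failure instead of a removal that matches nothing or the wrong binding. PerformRemoval's body continues outside the hunk.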
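Review bot: `.AddParameter("IPAddress",ipAddress)` in the second hunk drops the space after the comma that the three `.AddParameter` calls above it use; for consistency write `.AddParameter("IPAddress", ipAddress)`. Passing the address as a PowerShell parameter rather than splicing it into script text is the right shape here, since the value stays data and is never interpreted as code. The statement builder and PerformRemoval both continue outside the hunk.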
@@ -84,16 +84,16 @@ This section must be configured with binding fields. The parameters will be popu - **Provider Name** - Optional. To get a list of Crypto Providers, open PowerShell and issue the 'certutil -csplist' command. If no Provider Name is provided, the 'Microsoft Strong Cryptographic Provider' will be used. - **SAN** - Required. The SAN must have one entry that matches the Subject Name when using ReEnrollment. Multiple SANs maybe chained together using '&'. Example: dns=www.mysite.com&dns=www.mysite2.com. -Parameter Name|Parameter Type|Default Value|Required +Parameter Name|Parameter Type|Default Value|Required When ---|---|---|--- -Port|String|443|Yes -IP Address|String|*|Yes +Port|String|443|Adding Entry, Removing Entry, Reenrolling an Entry +IP Address|String|*|Adding Entry, Removing Entry, Reenrolling an Entry Host Name |String||No -Site Name |String|Default Web Site|Yes +Site Name |String|Default Web Site|Adding Entry, Removing Entry, Reenrolling an Entry Sni Flag |String|0 - No SNI|No -Protocol |Multiple Choice|https|Yes +Protocol |Multiple Choice|https|Adding Entry, Removing Entry, Reenrolling an Entry Provider Name |String||No -SAN |String||Yes +SAN |String||Reenrolling an Entry ![](images/screen2.png) @@ -128,7 +128,7 @@ Inventory Schedule |The interval that the system will use to report on what cert #### TEST CASES Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot ----|------------------------|------------------------------------|--------------|----------------|------------------------- -1 |New Cert Enrollment To New Binding|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified|True|![](images/TestCase1Results.gif) +1 |New Cert Enrollment To New Binding With KFSecret Creds|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified creds pulled from KFSecret|True|![](images/TestCase1Results.gif) 2 |New Cert Enrollment To Existing Binding|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|Existing Binding From Case 1 Updated with New Cert|True|![](images/TestCase2Results.gif) 3 |New Cert Enrollment To Existing Binding Enable SNI |**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Will Update Site In Case 2 to Have Sni Enabled|True|![](images/TestCase3Results.gif) 4 |New Cert Enrollment New IP Address|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsite.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|New Binding Created With New IP and New SNI on Same Port|True|![](images/TestCase4Results.gif) @@ -141,6 +141,7 @@ Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot 11 |Renew Same Cert on Same Site Same Binding Settings Different IPs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.160`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|![](images/TestCase11Binding1.gif)![](images/TestCase11Binding2.gif) 12 |Renew Same Cert on Same Site Same Binding Settings Different Ports|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 543
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|![](images/TestCase12Binding1.gif)![](images/TestCase12Binding2.gif) 13 |ReEnrollment to Fortanix HSM|**Subject Name:** cn=www.mysite.com
**Port:** 433
**IP Address:**`*`
**Host Name:** mysite.command.local
**Site Name:**Default Web Site
**Sni Flag:** 0 - No SNI
**Protocol:** https
**Provider Name:** Fortanix KMS CNG Provider
**SAN:** dns=www.mysite.com&dns=mynewsite.com|Cert will be generated with keys stored in Fortanix HSM and the cert will be bound to the supplied site.|true|![](images/ReEnrollment1a.png)![](images/ReEnrollment1b.png) +14 |New Cert Enrollment To New Binding With Pam Creds|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified creds pulled from Pam Provider|True|![](images/TestCase1Results.gif) From 3595bcf181cd706c31f36ded993cfcc5b6d6894f Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 5 Dec 2022 15:55:40 +0000 Subject: [PATCH 3/4] Update generated README --- README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index b471a4a..5a9d734 100644 --- a/README.md +++ b/README.md @@ -128,16 +128,16 @@ This section must be configured with binding fields. The parameters will be popu - **Provider Name** - Optional. To get a list of Crypto Providers, open PowerShell and issue the 'certutil -csplist' command. If no Provider Name is provided, the 'Microsoft Strong Cryptographic Provider' will be used. - **SAN** - Required. The SAN must have one entry that matches the Subject Name when using ReEnrollment. Multiple SANs maybe chained together using '&'. Example: dns=www.mysite.com&dns=www.mysite2.com. -Parameter Name|Parameter Type|Default Value|Required +Parameter Name|Parameter Type|Default Value|Required When ---|---|---|--- -Port|String|443|Yes -IP Address|String|*|Yes +Port|String|443|Adding Entry, Removing Entry, Reenrolling an Entry +IP Address|String|*|Adding Entry, Removing Entry, Reenrolling an Entry Host Name |String||No -Site Name |String|Default Web Site|Yes +Site Name |String|Default Web Site|Adding Entry, Removing Entry, Reenrolling an Entry Sni Flag |String|0 - No SNI|No -Protocol |Multiple Choice|https|Yes +Protocol |Multiple Choice|https|Adding Entry, Removing Entry, Reenrolling an Entry Provider Name |String||No -SAN |String||Yes +SAN |String||Reenrolling an Entry ![](images/screen2.png) 
@@ -172,7 +172,7 @@ Inventory Schedule |The interval that the system will use to report on what cert #### TEST CASES Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot ----|------------------------|------------------------------------|--------------|----------------|------------------------- -1 |New Cert Enrollment To New Binding|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified|True|![](images/TestCase1Results.gif) +1 |New Cert Enrollment To New Binding With KFSecret Creds|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified creds pulled from KFSecret|True|![](images/TestCase1Results.gif) 2 |New Cert Enrollment To Existing Binding|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|Existing Binding From Case 1 Updated with New Cert|True|![](images/TestCase2Results.gif) 3 |New Cert Enrollment To Existing Binding Enable SNI |**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Will Update Site In Case 2 to Have Sni Enabled|True|![](images/TestCase3Results.gif) 4 |New Cert Enrollment New IP Address|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsite.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|New Binding Created With New IP and New SNI on Same Port|True|![](images/TestCase4Results.gif) @@ -185,6 +185,7 @@ Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot 11 |Renew Same Cert on Same Site Same Binding Settings Different IPs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.160`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|![](images/TestCase11Binding1.gif)![](images/TestCase11Binding2.gif) 12 |Renew Same Cert on Same Site Same Binding Settings Different Ports|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 543
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|![](images/TestCase12Binding1.gif)![](images/TestCase12Binding2.gif) 13 |ReEnrollment to Fortanix HSM|**Subject Name:** cn=www.mysite.com
**Port:** 433
**IP Address:**`*`
**Host Name:** mysite.command.local
**Site Name:**Default Web Site
**Sni Flag:** 0 - No SNI
**Protocol:** https
**Provider Name:** Fortanix KMS CNG Provider
**SAN:** dns=www.mysite.com&dns=mynewsite.com|Cert will be generated with keys stored in Fortanix HSM and the cert will be bound to the supplied site.|true|![](images/ReEnrollment1a.png)![](images/ReEnrollment1b.png) +14 |New Cert Enrollment To New Binding With Pam Creds|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified creds pulled from Pam Provider|True|![](images/TestCase1Results.gif) From afd7b357384cb2fd0a6631943f6f8a1a25248a1f Mon Sep 17 00:00:00 2001 From: Brian Hill Date: Mon, 5 Dec 2022 13:16:16 -0500 Subject: [PATCH 4/4] Update to migration script --- Migration-Scripts/IIS-Conversion.sql | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Migration-Scripts/IIS-Conversion.sql b/Migration-Scripts/IIS-Conversion.sql index 4048861..10320a1 100644 --- a/Migration-Scripts/IIS-Conversion.sql +++ b/Migration-Scripts/IIS-Conversion.sql @@ -146,6 +146,16 @@ begin transaction from cms_agents.CertStoreTypes a inner join @StoreTypesToConvert b on a.StoreType = b.FromCertStoreTypeId end + + --Update Cert Store Param Name to not have space (will not show on reenrolmment screen with space, KF Bug) + update [cms_agents].[CertStoreTypeEntryParameters] + set [Name]='SiteName' where Name='Site Name' + and [StoreTypeId] in (select StoreType from [cms_agents].[CertStoreTypes] where Name='IISU') + + --Update Cert Store Param Name to not have space (will not show on reenrolmment screen with space, KF Bug) + update [cms_agents].[CertStoreTypeEntryParameters] + set [Name]='HostName' where Name='Host Name' + and [StoreTypeId] in (select StoreType from [cms_agents].[CertStoreTypes] where Name='IISU') select * from cms_agents.CertStoreTypes
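Review bot: Both added `update` statements rename only the parameter definitions in `[cms_agents].[CertStoreTypeEntryParameters]`; if existing per-store entry values are held elsewhere keyed by the old names 'Site Name' / 'Host Name', nothing in this hunk migrates them, and they would no longer line up with the orchestrator code in PATCH 1/4, which now reads `JobProperties["SiteName"]` and `JobProperties["HostName"]` — worth confirming against the schema. Neither statement reports what it touched, so a run against a database where the store type is not named 'IISU' silently updates zero rows; a `print @@ROWCOUNT` after each statement, or a `raiserror` when it is 0, would make that visible before the transaction is committed. The comment is duplicated verbatim on both statements and misspells the word: `--Update Cert Store Param Name to not have space (will not show on reenrollment screen with space, KF Bug)`. The transaction named in the hunk header (`begin transaction`) is opened outside the hunk.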