diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index bc2e627..a942322 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -5,13 +5,26 @@ jobs: call-create-github-release-workflow: uses: Keyfactor/actions/.github/workflows/github-release.yml@main + get-manifest-properties: + runs-on: windows-latest + outputs: + update_catalog: ${{ steps.read-json.outputs.prop }} + steps: + - uses: actions/checkout@v3 + - name: Read json + id: read-json + shell: pwsh + run: | + $json = Get-Content integration-manifest.json | ConvertFrom-Json + echo "::set-output name=prop::$(echo $json.update_catalog)" + call-dotnet-build-and-release-workflow: needs: [call-create-github-release-workflow] uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main with: release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }} release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }} - release_dir: IISU/bin/Release/netcoreapp3.1 + release_dir: IISU/bin/Release/netcoreapp3.1 secrets: token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }} @@ -22,7 +35,10 @@ jobs: token: ${{ secrets.APPROVE_README_PUSH }} call-update-catalog-workflow: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + needs: get-manifest-properties + if: needs.get-manifest-properties.outputs.update_catalog == 'True' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main secrets: token: ${{ secrets.SDK_SYNC_PAT }} + + diff --git a/CHANGELOG.md b/CHANGELOG.md index 60d53f3..faa1419 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
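Review bot: The `Read json` step in the new get-manifest-properties job publishes its output through the deprecated `::set-output` workflow command; the supported form on a pwsh runner is `"prop=$($json.update_catalog)" >> $env:GITHUB_OUTPUT`. The gate `needs.get-manifest-properties.outputs.update_catalog == 'True'` in call-update-catalog-workflow relies on PowerShell rendering a JSON boolean as `True`; if update_catalog were ever stored as the string `true` the catalog job would silently never run, so normalising the value in the step (or comparing case-insensitively) would be more robust. Separately, `actions/checkout@v3` and the Keyfactor reusable workflows referenced at `@main` are mutable refs; pinning to a full commit SHA is the usual supply-chain hardening for a release pipeline that handles package-publishing secrets.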
@@ -1,6 +1,10 @@ -2.0.1 +2.1.0 * Fixed issue that was occuring during renewal when there were bindings outside of http and https like net.tcp * Added PAM registration/initialization documentation in README.md +* Resolved Null HostName error +* Added WinCert Cert Store Type +* Added custom property parser to not show any passwords +* Removed any password references in trace logs and output settings in JSON format 2.0.0 * Add support for reenrollment jobs (On Device Key Generation) with the ability to specify a cryptographic provider. Specification of cryptographic provider allows HSM (Hardware Security Module) use. diff --git a/IISU/ClientPSCertStoreManager.cs b/IISU/ClientPSCertStoreManager.cs index fdff0b6..ccb9696 100644 --- a/IISU/ClientPSCertStoreManager.cs +++ b/IISU/ClientPSCertStoreManager.cs @@ -78,6 +78,7 @@ function InstallPfxToMachineStore([byte[]]$bytes, [string]$password, [string]$st $certStore.Open(5) $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $bytes, $password, 18 <# Persist, Machine #> $certStore.Add($cert) + $certStore.Close(); }"; diff --git a/IISU/ClientPSCertStoreReEnrollment.cs b/IISU/ClientPSCertStoreReEnrollment.cs index 5257f83..fca10b0 100644 --- a/IISU/ClientPSCertStoreReEnrollment.cs +++ b/IISU/ClientPSCertStoreReEnrollment.cs @@ -12,7 +12,6 @@ // See the License for the specific language governing permissions and // limitations under the License. -using Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinIIS; using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; 
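Review bot: The added `$certStore.Close();` in the embedded InstallPfxToMachineStore script only runs on the success path; if `New-Object ... X509Certificate2` rejects the bytes or password, or `$certStore.Add($cert)` throws, the store opened with `$certStore.Open(5)` is left open for the lifetime of the runspace. Wrapping the New-Object/Add pair in `try { ... } finally { $certStore.Close() }` closes it on every path. The trailing semicolon is harmless in PowerShell but inconsistent with the surrounding lines of the script. The PowerShell function and the C# string that holds it both begin outside this hunk.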
@@ -34,8 +33,8 @@ namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore { internal class ClientPSCertStoreReEnrollment { - private ILogger _logger; - private IPAMSecretResolver _resolver; + private readonly ILogger _logger; + private readonly IPAMSecretResolver _resolver; public ClientPSCertStoreReEnrollment(ILogger logger, IPAMSecretResolver resolver) { @@ -59,8 +58,10 @@ public JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submit JobProperties properties = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties, new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate }); - WSManConnectionInfo connectionInfo = new WSManConnectionInfo(new Uri($"{properties?.WinRmProtocol}://{config.CertificateStoreDetails.ClientMachine}:{properties?.WinRmPort}/wsman")); - connectionInfo.IncludePortInSPN = properties.SpnPortFlag; + WSManConnectionInfo connectionInfo = new WSManConnectionInfo(new Uri($"{properties?.WinRmProtocol}://{config.CertificateStoreDetails.ClientMachine}:{properties?.WinRmPort}/wsman")) + { + IncludePortInSPN = properties.SpnPortFlag + }; var pw = new NetworkCredential(serverUserName, serverPassword).SecurePassword; _logger.LogTrace($"Credentials: UserName:{serverUserName}"); @@ -91,7 +92,7 @@ public JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submit Collection results; // If the provider name is null, default it to the Microsoft CA - if (providerName == null) providerName = "Microsoft Strong Cryptographic Provider"; + providerName ??= "Microsoft Strong Cryptographic Provider"; // Create the script file ps.AddScript("$infFilename = New-TemporaryFile"); diff --git a/IISU/ClientPSIIManager.cs b/IISU/ClientPSIIManager.cs index 2e08b32..4b03965 100644 --- a/IISU/ClientPSIIManager.cs +++ b/IISU/ClientPSIIManager.cs 
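Review bot: The restructured WSManConnectionInfo initializer still mixes null-conditional and unconditional access to `properties`: `{properties?.WinRmProtocol}` and `{properties?.WinRmPort}` tolerate a null deserialization result, but `IncludePortInSPN = properties.SpnPortFlag` on the next line would then throw a NullReferenceException, after first building a malformed `://host:/wsman` URI. JsonConvert.DeserializeObject returns null for a null or literal `null` Properties payload, so a guard before the initializer such as `if (properties is null) throw new InvalidOperationException("Certificate store Properties could not be parsed.");` makes the failure explicit and lets the `?.` operators be dropped. PerformReEnrollment begins and ends outside this hunk.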
@@ -50,8 +50,8 @@ internal class ClientPSIIManager private long JobHistoryID { get; set; } - private ILogger _logger; - private Runspace _runSpace; + private readonly ILogger _logger; + private readonly Runspace _runSpace; private PowerShell ps; @@ -82,7 +82,7 @@ public ClientPSIIManager(ReenrollmentJobConfiguration config, string serverUsern Port = config.JobProperties["Port"].ToString(); HostName = config.JobProperties["HostName"]?.ToString(); Protocol = config.JobProperties["Protocol"].ToString(); - SniFlag = config.JobProperties["SniFlag"].ToString()?.Substring(0, 1); + SniFlag = config.JobProperties["SniFlag"]?.ToString()[..1]; IPAddress = config.JobProperties["IPAddress"].ToString(); PrivateKeyPassword = ""; // A reenrollment does not have a PFX Password @@ -119,7 +119,7 @@ public ClientPSIIManager(ManagementJobConfiguration config, string serverUsernam Port = config.JobProperties["Port"].ToString(); HostName = config.JobProperties["HostName"]?.ToString(); Protocol = config.JobProperties["Protocol"].ToString(); - SniFlag = config.JobProperties["SniFlag"].ToString()?.Substring(0, 1); + SniFlag = config.JobProperties["SniFlag"].ToString()?[..1]; IPAddress = config.JobProperties["IPAddress"].ToString(); PrivateKeyPassword = ""; // A reenrollment does not have a PFX Password diff --git a/IISU/ImplementedStoreTypes/Win/Inventory.cs b/IISU/ImplementedStoreTypes/Win/Inventory.cs index d277ba7..944ceb9 100644 --- a/IISU/ImplementedStoreTypes/Win/Inventory.cs +++ b/IISU/ImplementedStoreTypes/Win/Inventory.cs @@ -25,7 +25,7 @@ using Microsoft.Extensions.Logging; using Newtonsoft.Json; -namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.Win +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinCert { public class Inventory : WinCertJobTypeBase, IInventoryJobExtension { 
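Review bot: The two SniFlag rewrites in ClientPSIIManager guard different links of the chain: the ReenrollmentJobConfiguration constructor uses `config.JobProperties["SniFlag"]?.ToString()[..1]`, which short-circuits when the dictionary value is null, while the ManagementJobConfiguration constructor uses `config.JobProperties["SniFlag"].ToString()?[..1]`, which only guards a null return from ToString() and still dereferences a null value. The same `.ToString()?[..1]` form appears in both IISManager constructors (hunks at -66 and -105) and in JobConfigurationParser.ParseManagementJobConfiguration, so the first form should be used consistently. Note that neither variant handles an empty string (the range `[..1]` throws ArgumentOutOfRangeException exactly as Substring(0, 1) did) or a missing key (the indexer throws KeyNotFoundException), which is worth a `TryGetValue` plus `string.IsNullOrEmpty` check given these values come from the job payload. Both constructors start outside their hunks.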
@@ -55,7 +55,7 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven { var inventoryItems = new List(); - _logger.LogTrace($"Job Configuration: {JsonConvert.SerializeObject(config)}"); + _logger.LogTrace(JobConfigurationParser.ParseInventoryJobConfiguration(config)); string serverUserName = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server UserName", config.ServerUsername); string serverPassword = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server Password", config.ServerPassword); diff --git a/IISU/ImplementedStoreTypes/Win/Management.cs b/IISU/ImplementedStoreTypes/Win/Management.cs index fe5d96a..ebba907 100644 --- a/IISU/ImplementedStoreTypes/Win/Management.cs +++ b/IISU/ImplementedStoreTypes/Win/Management.cs @@ -24,7 +24,7 @@ using System.Net; using Keyfactor.Logging; -namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.Win +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinCert { public class Management : WinCertJobTypeBase, IManagementJobExtension { @@ -47,11 +47,13 @@ public Management(IPAMSecretResolver resolver) public JobResult ProcessJob(ManagementJobConfiguration config) { - _logger = LogHandler.GetClassLogger(); - _logger.MethodEntry(); - try { + _logger = LogHandler.GetClassLogger(); + _logger.MethodEntry(); + + _logger.LogTrace(JobConfigurationParser.ParseManagementJobConfiguration(config)); + string serverUserName = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server UserName", config.ServerUsername); string serverPassword = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server Password", config.ServerPassword); 
@@ -112,56 +114,6 @@ public JobResult ProcessJob(ManagementJobConfiguration config) } } - //private JobResult PerformManagement(ManagementJobConfiguration config) - //{ - // try - // { - // _logger.MethodEntry(); - - // ServerUserName = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server UserName", config.ServerUsername); - // ServerPassword = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server Password", config.ServerPassword); - - // var complete = new JobResult - // { - // Result = OrchestratorJobStatusJobResult.Failure, - // JobHistoryId = config.JobHistoryId, - // FailureMessage = - // "Invalid Management Operation" - // }; - - // switch (config.OperationType) - // { - // case CertStoreOperationType.Add: - // { - // _logger.LogTrace("Adding..."); - // if (config.JobProperties.ContainsKey("RenewalThumbprint")) - // { - // _thumbprint = config.JobProperties["RenewalThumbprint"].ToString(); - // _logger.LogTrace($"Found Thumbprint Will renew all cers with this Thumbprint: {_thumbprint}"); - // } - - // _logger.LogTrace("Before PerformAddition..."); - // complete = performAddition(config); - // _logger.LogTrace("After PerformAddition..."); - - // break; - // } - // case CertStoreOperationType.Remove: - // { - // break; - // } - // } - - // return complete; - // } - - // catch (Exception e) - // { - // _logger.LogError($"Error Occurred in Management.PerformManagement: {e.Message}"); - // throw; - // } - //} - private JobResult performAddition(ManagementJobConfiguration config) { try diff --git a/IISU/ImplementedStoreTypes/Win/ReEnrollment.cs b/IISU/ImplementedStoreTypes/Win/ReEnrollment.cs index 9152fd3..a261438 100644 --- a/IISU/ImplementedStoreTypes/Win/ReEnrollment.cs +++ b/IISU/ImplementedStoreTypes/Win/ReEnrollment.cs 
@@ -16,7 +16,7 @@ using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; -namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.Win +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinCert { public class ReEnrollment : WinCertJobTypeBase, IReenrollmentJobExtension { diff --git a/IISU/ImplementedStoreTypes/Win/WinInventory.cs b/IISU/ImplementedStoreTypes/Win/WinInventory.cs index 70ad891..0e4542c 100644 --- a/IISU/ImplementedStoreTypes/Win/WinInventory.cs +++ b/IISU/ImplementedStoreTypes/Win/WinInventory.cs @@ -19,7 +19,7 @@ using System.Management.Automation.Runspaces; using System.Text; -namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.Win +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinCert { internal class WinInventory : ClientPSCertStoreInventory { diff --git a/IISU/ImplementedStoreTypes/WinIIS/IISManager.cs b/IISU/ImplementedStoreTypes/WinIIS/IISManager.cs index 6a14735..eda2049 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/IISManager.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/IISManager.cs @@ -24,7 +24,7 @@ using Microsoft.Extensions.Logging; using Newtonsoft.Json; -namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinIIS +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU { public class IISManager { @@ -66,7 +66,7 @@ public IISManager(ReenrollmentJobConfiguration config, string serverUserName, st Port = config.JobProperties["Port"].ToString(); HostName = config.JobProperties["HostName"]?.ToString(); Protocol = config.JobProperties["Protocol"].ToString(); - SniFlag = config.JobProperties["SniFlag"].ToString()?.Substring(0, 1); + SniFlag = config.JobProperties["SniFlag"].ToString()?[..1]; IpAddress = config.JobProperties["IPAddress"].ToString(); PrivateKeyPassword = ""; // A reenrollment does not have a PFX Password 
@@ -105,7 +105,7 @@ public IISManager(ManagementJobConfiguration config, string serverUserName, stri Port = config.JobProperties["Port"].ToString(); HostName = config.JobProperties["HostName"]?.ToString(); Protocol = config.JobProperties["Protocol"].ToString(); - SniFlag = config.JobProperties["SniFlag"].ToString()?.Substring(0, 1); + SniFlag = config.JobProperties["SniFlag"].ToString()?[..1]; IpAddress = config.JobProperties["IPAddress"].ToString(); PrivateKeyPassword = config.JobCertificate.PrivateKeyPassword; diff --git a/IISU/ImplementedStoreTypes/WinIIS/Inventory.cs b/IISU/ImplementedStoreTypes/WinIIS/Inventory.cs index 0919ccf..1b3613b 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/Inventory.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/Inventory.cs @@ -25,7 +25,7 @@ using Microsoft.Extensions.Logging; using Newtonsoft.Json; -namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinIIS +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU { public class Inventory : WinCertJobTypeBase, IInventoryJobExtension { @@ -52,7 +52,9 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven { var inventoryItems = new List(); - _logger.LogTrace($"Job Configuration: {JsonConvert.SerializeObject(config)}"); + string myConfig = config.ToString(); + + _logger.LogTrace(JobConfigurationParser.ParseInventoryJobConfiguration(config)); string serverUserName = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server UserName", config.ServerUsername); string serverPassword = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server Password", config.ServerPassword); diff --git a/IISU/ImplementedStoreTypes/WinIIS/Management.cs b/IISU/ImplementedStoreTypes/WinIIS/Management.cs index da0d60f..89afcbd 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/Management.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/Management.cs 
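Review bot: `string myConfig = config.ToString();` added to WinIIS Inventory.PerformInventory is never read; it looks like a leftover from debugging and should be removed so the new JobConfigurationParser trace line is the only use of the configuration there (the compiler will also flag it as an unused local). PerformInventory continues outside the hunk.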
@@ -25,7 +25,7 @@ using Microsoft.PowerShell.Commands; using Newtonsoft.Json; -namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinIIS +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU { public class Management : WinCertJobTypeBase, IManagementJobExtension { @@ -33,8 +33,6 @@ public class Management : WinCertJobTypeBase, IManagementJobExtension public string ExtensionName => string.Empty; - private string _thumbprint = string.Empty; - private Runspace myRunspace; public Management(IPAMSecretResolver resolver) @@ -49,7 +47,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config) _logger = LogHandler.GetClassLogger(); _logger.MethodEntry(); - _logger.LogTrace($"Job Configuration: {JsonConvert.SerializeObject(config)}"); + _logger.LogTrace(JobConfigurationParser.ParseManagementJobConfiguration(config)); string serverUserName = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server UserName", config.ServerUsername); string serverPassword = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server Password", config.ServerPassword); @@ -139,8 +137,6 @@ private JobResult PerformRemoveCertificate(ManagementJobConfiguration config, st { _logger.LogTrace("Before Remove Certificate..."); - string certificateContents = config.JobCertificate.Contents; - string privateKeyPassword = config.JobCertificate.PrivateKeyPassword; string storePath = config.CertificateStoreDetails.StorePath; long jobNumber = config.JobHistoryId; diff --git a/IISU/ImplementedStoreTypes/WinIIS/ReEnrollment.cs b/IISU/ImplementedStoreTypes/WinIIS/ReEnrollment.cs index 59d2703..4307725 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/ReEnrollment.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/ReEnrollment.cs 
@@ -17,7 +17,7 @@ using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; -namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinIIS +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU { public class ReEnrollment: WinCertJobTypeBase, IReenrollmentJobExtension { diff --git a/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs b/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs index 23fb0a3..5ac831f 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs @@ -22,7 +22,7 @@ using System.Management.Automation.Runspaces; using System.Text; -namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinIIS +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU { internal class WinIISInventory : ClientPSCertStoreInventory { diff --git a/IISU/Interfaces/ICertificateStoreDetailsBase.cs b/IISU/Interfaces/ICertificateStoreDetailsBase.cs new file mode 100644 index 0000000..302726a --- /dev/null +++ b/IISU/Interfaces/ICertificateStoreDetailsBase.cs @@ -0,0 +1,11 @@ +using System; +using System.Collections.Generic; +using System.Text; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal interface ICertificateStoreDetailsBase + { + public CertificateStoreDetailsDTO CertificateStoreDetails { get; set; } + } +} diff --git a/IISU/Interfaces/IInventoryCertStoreDetails.cs b/IISU/Interfaces/IInventoryCertStoreDetails.cs new file mode 100644 index 0000000..b20870b --- /dev/null +++ b/IISU/Interfaces/IInventoryCertStoreDetails.cs @@ -0,0 +1,7 @@ +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal interface IInventoryCertStoreDetails + { + public CertificateStoreDetailsDTO CertificateStoreDetails { get; set; } + } +} diff --git a/IISU/Interfaces/IInventoryJobLogger.cs b/IISU/Interfaces/IInventoryJobLogger.cs new file mode 100644 index 0000000..f8adf23 --- /dev/null 
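Review bot: `ICertificateStoreDetailsBase` and `IInventoryCertStoreDetails` declare the identical member `CertificateStoreDetailsDTO CertificateStoreDetails { get; set; }`, and as far as this diff shows nothing implements or references the Base variant (InventoryJobLogger implements IInventoryCertStoreDetails and IManagementCertStoreDetails redeclares the member itself), so it appears to be dead on arrival; either drop it or have the two specific interfaces extend it so the shared member is declared once. The `using System;`, `using System.Collections.Generic;` and `using System.Text;` directives in the new interface files are unused template imports.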
+++ b/IISU/Interfaces/IInventoryJobLogger.cs @@ -0,0 +1,10 @@ +using System; +using System.Collections.Generic; +using System.Text; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal interface IInventoryJobLogger : IJobConfigurationLoggerBase, IInventoryCertStoreDetails + { + } +} diff --git a/IISU/Interfaces/IJobConfigurationLoggerBase.cs b/IISU/Interfaces/IJobConfigurationLoggerBase.cs new file mode 100644 index 0000000..1ca6792 --- /dev/null +++ b/IISU/Interfaces/IJobConfigurationLoggerBase.cs @@ -0,0 +1,24 @@ +using Keyfactor.Orchestrators.Extensions; +using System; +using System.Collections.Generic; +using System.Text; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal interface IJobConfigurationLoggerBase + { + public bool JobCancelled { get; set; } + public ServerFault ServerError { get; set; } + public long JobHistoryID { get; set; } + public int RequestStatus { get; set; } + public string ServerUserName { get; set; } + public string ServerPassword { get; set; } + public JobProperties JobConfigurationProperties { get; set; } + public bool UseSSL { get; set; } + public Guid JobTypeID { get; set; } + public Guid JobID { get; set; } + public string Capability { get; set; } + + public IEnumerable LastInventory { get; set; } + } +} diff --git a/IISU/Interfaces/IManagementCertStoreDetails.cs b/IISU/Interfaces/IManagementCertStoreDetails.cs new file mode 100644 index 0000000..935065d --- /dev/null +++ b/IISU/Interfaces/IManagementCertStoreDetails.cs @@ -0,0 +1,12 @@ +using System; +using System.Collections.Generic; +using System.Text; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal interface IManagementCertStoreDetails + { + public CertificateStoreDetailsDTO CertificateStoreDetails { get; set; } + public CertificateStoreDetailPropertiesDTO CertificateStoreDetailProperties { get; set; } + } +} 
diff --git a/IISU/Interfaces/IManagementJobLogger.cs b/IISU/Interfaces/IManagementJobLogger.cs new file mode 100644 index 0000000..dd10eef --- /dev/null +++ b/IISU/Interfaces/IManagementJobLogger.cs @@ -0,0 +1,13 @@ +using Keyfactor.Orchestrators.Common.Enums; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal interface IManagementJobLogger : IJobConfigurationLoggerBase, IManagementCertStoreDetails + { + public CertStoreOperationType OperationType { get; set; } + public bool Overwrite { get; set; } + + public JobCertificateDTO JobCertificateProperties { get; set; } + + } +} diff --git a/IISU/JobConfigurationParser.cs b/IISU/JobConfigurationParser.cs new file mode 100644 index 0000000..bd7889d --- /dev/null +++ b/IISU/JobConfigurationParser.cs 
@@ -0,0 +1,107 @@ +using Keyfactor.Orchestrators.Extensions; +using Microsoft.PowerShell.Commands; +using Newtonsoft.Json; +using System; +using System.Collections.Generic; +using System.Configuration.Internal; +using System.Diagnostics.Contracts; +using System.Linq; +using System.Management.Automation.Remoting; +using System.Net; +using System.Text; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal class JobConfigurationParser + { + public static string ParseManagementJobConfiguration(ManagementJobConfiguration config) + { + + IManagementJobLogger managementParser = new ManagementJobLogger(); + + // JobConfiguration + managementParser.JobCancelled = config.JobCancelled; + managementParser.ServerError = config.ServerError; + managementParser.JobHistoryID = config.JobHistoryId; + managementParser.RequestStatus = config.RequestStatus; + managementParser.ServerUserName = config.ServerUsername; + managementParser.ServerPassword = "**********"; + managementParser.UseSSL = config.UseSSL; + managementParser.JobTypeID = config.JobTypeId; + managementParser.JobID = config.JobId; + managementParser.Capability = config.Capability; + + // JobProperties + JobProperties jobProperties = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties, new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate }); + managementParser.JobConfigurationProperties = jobProperties; + + // PreviousInventoryItem + managementParser.LastInventory = config.LastInventory; + + //CertificateStore + managementParser.CertificateStoreDetails.ClientMachine = config.CertificateStoreDetails.ClientMachine; + managementParser.CertificateStoreDetails.StorePath = config.CertificateStoreDetails.StorePath; + managementParser.CertificateStoreDetails.StorePassword = "**********"; + managementParser.CertificateStoreDetails.Type = config.CertificateStoreDetails.Type; + + bool isEmpty = (config.JobProperties.Count == 0); // Check if the dictionary is 
empty or not + if (!isEmpty) + { + managementParser.CertificateStoreDetailProperties.SiteName = config.JobProperties["SiteName"].ToString(); + managementParser.CertificateStoreDetailProperties.Port = config.JobProperties["Port"].ToString(); + managementParser.CertificateStoreDetailProperties.HostName = config.JobProperties["HostName"]?.ToString(); + managementParser.CertificateStoreDetailProperties.Protocol = config.JobProperties["Protocol"].ToString(); + managementParser.CertificateStoreDetailProperties.SniFlag = config.JobProperties["SniFlag"].ToString()?[..1]; + managementParser.CertificateStoreDetailProperties.IPAddress = config.JobProperties["IPAddress"].ToString(); + managementParser.CertificateStoreDetailProperties.ProviderName = config.JobProperties["ProviderName"]?.ToString(); + managementParser.CertificateStoreDetailProperties.SAN = config.JobProperties["SAN"]?.ToString(); + } + + // Management Base + managementParser.OperationType = config.OperationType; + managementParser.Overwrite = config.Overwrite; + + // JobCertificate + managementParser.JobCertificateProperties.Thumbprint = config.JobCertificate.Thumbprint; + managementParser.JobCertificateProperties.Contents = config.JobCertificate.Contents; + managementParser.JobCertificateProperties.Alias = config.JobCertificate.Alias; + managementParser.JobCertificateProperties.PrivateKeyPassword = "**********"; + + return JsonConvert.SerializeObject(managementParser); + } + + public static string ParseInventoryJobConfiguration(InventoryJobConfiguration config) + { + IInventoryJobLogger inventoryParser = new InventoryJobLogger(); + + // JobConfiguration + inventoryParser.JobCancelled = config.JobCancelled; + inventoryParser.ServerError = config.ServerError; + inventoryParser.JobHistoryID = config.JobHistoryId; + inventoryParser.RequestStatus = config.RequestStatus; + inventoryParser.ServerUserName = config.ServerUsername; + inventoryParser.ServerPassword = "**********"; + inventoryParser.UseSSL = config.UseSSL; 
+ inventoryParser.JobTypeID = config.JobTypeId; + inventoryParser.JobID = config.JobId; + inventoryParser.Capability = config.Capability; + + // JobProperties + JobProperties jobProperties = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties, new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate }); + inventoryParser.JobConfigurationProperties = jobProperties; + + // PreviousInventoryItem + inventoryParser.LastInventory = config.LastInventory; + + //CertificateStore + + inventoryParser.CertificateStoreDetails.ClientMachine = config.CertificateStoreDetails.ClientMachine; + inventoryParser.CertificateStoreDetails.StorePath = config.CertificateStoreDetails.StorePath; + inventoryParser.CertificateStoreDetails.StorePassword = "**********"; + inventoryParser.CertificateStoreDetails.Type = config.CertificateStoreDetails.Type; + + + return JsonConvert.SerializeObject(inventoryParser); + } + } +} diff --git a/IISU/Models/DTOs/CertificateStoreDetailPropertiesDTO.cs b/IISU/Models/DTOs/CertificateStoreDetailPropertiesDTO.cs new file mode 100644 index 0000000..422c91c --- /dev/null +++ b/IISU/Models/DTOs/CertificateStoreDetailPropertiesDTO.cs @@ -0,0 +1,18 @@ +using System; +using System.Collections.Generic; +using System.Text; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal class CertificateStoreDetailPropertiesDTO + { + public string SiteName { get; set; } + public string Port { get; set; } + public string HostName { get; set; } + public string Protocol { get; set; } + public string SniFlag { get; set; } + public string IPAddress { get; set; } + public string ProviderName { get; set; } + public string SAN { get; set; } + } +} diff --git a/IISU/Models/DTOs/CertificateStoreDetailsDTO.cs b/IISU/Models/DTOs/CertificateStoreDetailsDTO.cs new file mode 100644 index 0000000..8f4a277 --- /dev/null +++ b/IISU/Models/DTOs/CertificateStoreDetailsDTO.cs 
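Review bot: ParseManagementJobConfiguration masks ServerPassword, StorePassword and PrivateKeyPassword but still copies `config.JobCertificate.Contents` verbatim into the object that is serialized to the trace log; for an Add operation that field carries the certificate payload being installed (the PKCS#12 blob that the masked PrivateKeyPassword protects, if I read the job model correctly), so the redaction is incomplete and trace logs remain a place where key material accumulates. Logging only its presence or size, e.g. `managementParser.JobCertificateProperties.Contents = config.JobCertificate.Contents is null ? null : $"<{config.JobCertificate.Contents.Length} chars redacted>";`, keeps the diagnostic value. Also, `isEmpty` only checks `Count == 0`; a non-empty JobProperties dictionary that lacks any one of SiteName, Port, Protocol, SniFlag or IPAddress makes the indexer throw KeyNotFoundException from inside a logging call, so `TryGetValue` per key would be safer. The file also imports `System.Configuration.Internal`, `System.Diagnostics.Contracts`, `Microsoft.PowerShell.Commands` and `System.Management.Automation.Remoting` without using them.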
@@ -0,0 +1,14 @@ +using System; +using System.Collections.Generic; +using System.Text; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal class CertificateStoreDetailsDTO + { + public string ClientMachine { get; set; } + public string StorePath { get; set; } + public string StorePassword { get; set; } + public int Type { get; set; } + } +} diff --git a/IISU/Models/DTOs/JobCertificateDTO.cs b/IISU/Models/DTOs/JobCertificateDTO.cs new file mode 100644 index 0000000..77a04d6 --- /dev/null +++ b/IISU/Models/DTOs/JobCertificateDTO.cs @@ -0,0 +1,15 @@ +using Keyfactor.Orchestrators.Extensions; +using System; +using System.Collections.Generic; +using System.Text; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal class JobCertificateDTO + { + public string Thumbprint { get; set; } + public string Contents { get; set; } + public string Alias { get; set; } + public string PrivateKeyPassword { get; set; } + } +} diff --git a/IISU/Models/InventoryJobLogger.cs b/IISU/Models/InventoryJobLogger.cs new file mode 100644 index 0000000..5659f94 --- /dev/null +++ b/IISU/Models/InventoryJobLogger.cs 
@@ -0,0 +1,26 @@ +using Keyfactor.Orchestrators.Extensions; +using System; +using System.Collections.Generic; +using System.Text; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal class InventoryJobLogger : IInventoryJobLogger, IInventoryCertStoreDetails + { + public bool JobCancelled { get; set; } + public ServerFault ServerError { get; set; } = new ServerFault(); + public long JobHistoryID { get; set; } + public int RequestStatus { get; set; } + public string ServerUserName { get; set; } + public string ServerPassword { get; set; } + public JobProperties JobConfigurationProperties { get; set; } = new JobProperties(); + public bool UseSSL { get; set; } + public Guid JobTypeID { get; set; } + public Guid JobID { get; set; } + public string Capability { get; set; } + + public IEnumerable LastInventory { get; set; } = new List(); + public CertificateStoreDetailsDTO CertificateStoreDetails { get; set; } = new CertificateStoreDetailsDTO(); + + } +} diff --git a/IISU/Models/JobProperties.cs b/IISU/Models/JobProperties.cs index 7e8926c..a5cad1f 100644 --- a/IISU/Models/JobProperties.cs +++ b/IISU/Models/JobProperties.cs @@ -13,6 +13,7 @@ // limitations under the License. using System.ComponentModel; +using System.Reflection.Metadata.Ecma335; using Newtonsoft.Json; namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore @@ -36,6 +37,13 @@ public JobProperties() [DefaultValue("5985")] public string WinRmPort { get; set; } + [JsonProperty("ServerUsername")] + public string ServerUsername { get; set; } + + [JsonProperty("ServerUseSsl")] + [DefaultValue(true)] + public bool ServerUseSsl { get; set; } + [JsonProperty("sniflag")] [DefaultValue(SniFlag.None)] public SniFlag SniFlag { get; set; } diff --git a/IISU/Models/ManagementJobLogger.cs b/IISU/Models/ManagementJobLogger.cs new file mode 100644 index 0000000..a9caa0a --- /dev/null +++ b/IISU/Models/ManagementJobLogger.cs 
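Review bot: The added `using System.Reflection.Metadata.Ecma335;` in JobProperties.cs is not used by anything in the hunk and looks like an accidental IDE auto-import; it should be dropped. The new `ServerUseSsl` property defaulting to `true` is a sensible secure-by-default choice, but neither it nor `ServerUsername` has a doc comment explaining how they relate to the existing WinRmProtocol/WinRmPort settings; a one-line `/// <summary>` on each would help the next reader. The JobProperties class starts outside the hunk.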
@@ -0,0 +1,33 @@ +using Keyfactor.Orchestrators.Common.Enums; +using Keyfactor.Orchestrators.Extensions; +using System; +using System.Collections.Generic; +using System.Text; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore +{ + internal class ManagementJobLogger : IManagementJobLogger, IManagementCertStoreDetails + { + public bool JobCancelled { get; set; } + public ServerFault ServerError { get; set; } = new ServerFault(); + public long JobHistoryID { get; set; } + public int RequestStatus { get; set; } + public string ServerUserName { get; set; } + public string ServerPassword { get; set; } + public JobProperties JobConfigurationProperties { get; set; } = new JobProperties(); + public bool UseSSL { get; set; } + public Guid JobTypeID { get; set; } + public Guid JobID { get; set; } + public string Capability { get; set; } + + public IEnumerable LastInventory { get; set; } = new List(); + + public CertificateStoreDetailsDTO CertificateStoreDetails { get; set; } = new CertificateStoreDetailsDTO(); + public CertificateStoreDetailPropertiesDTO CertificateStoreDetailProperties { get; set; } = new CertificateStoreDetailPropertiesDTO(); + + public CertStoreOperationType OperationType { get; set; } + public bool Overwrite { get; set; } + + public JobCertificateDTO JobCertificateProperties { get; set; } = new JobCertificateDTO(); + } +} diff --git a/IISU/PAMUtilities.cs b/IISU/PAMUtilities.cs index bbed644..38de2f3 100644 --- a/IISU/PAMUtilities.cs +++ b/IISU/PAMUtilities.cs @@ -27,7 +27,6 @@ internal static string ResolvePAMField(IPAMSecretResolver resolver, ILogger logg if (resolver == null) return key; else { - logger.LogDebug($"Attempting to resolve PAM eligible field {name} with key {key}"); return resolver.Resolve(key); } diff --git a/IISU/WindowsCertStore.csproj b/IISU/WindowsCertStore.csproj index dd80058..5af1292 100644 --- a/IISU/WindowsCertStore.csproj +++ b/IISU/WindowsCertStore.csproj @@ -21,6 +21,7 @@ + 
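Review bot: This type aggregates `ServerPassword`, `CertificateStoreDetails.StorePassword` and `JobCertificateProperties.PrivateKeyPassword` plus `Contents` into one object, so a single unguarded serialization of it would emit every secret the job handles. If the class is only a loggable snapshot of the management job, leave those members null (or a fixed placeholder) and mark the password properties `[JsonIgnore]`; if it is also used to execute the job, split the secrets out of the loggable view rather than relying on callers to scrub them. `CertificateStoreDetailPropertiesDTO` is referenced but not part of this change, so it presumably pre-exists; as with the sibling InventoryJobLogger, `LastInventory` appears without its generic type arguments in this rendering.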
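Review bot: Removing the debug line is right because `key` is returned verbatim when `resolver` is null (so it is presumably the raw field value) and is otherwise the PAM lookup key, neither of which belongs in a log; but the change also loses the only trace that a PAM resolution was attempted, which is what you want when a resolve fails. Keep a sanitized line that names only the field: `logger.LogDebug($"Attempting to resolve PAM eligible field {name}");`. The `ResolvePAMField` signature is truncated in the context line and its body starts before this hunk, so this assumes `name` is a parameter as the removed line implies.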
diff --git a/IISU/manifest.json b/IISU/manifest.json index 77c0b2b..6fa8618 100644 --- a/IISU/manifest.json +++ b/IISU/manifest.json @@ -1,29 +1,29 @@ { "extensions": { "Keyfactor.Orchestrators.Extensions.IOrchestratorJobExtension": { - "CertStores.WinIIS.Inventory": { + "CertStores.IISU.Inventory": { "assemblypath": "WindowsCertStore.dll", - "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinIIS.Inventory" + "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU.Inventory" }, - "CertStores.WinIIS.Management": { + "CertStores.IISU.Management": { "assemblypath": "WindowsCertStore.dll", - "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinIIS.Management" + "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU.Management" }, - "CertStores.WinIIS.ReEnrollment": { + "CertStores.IISU.ReEnrollment": { "assemblypath": "WindowsCertStore.dll", - "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinIIS.ReEnrollment" + "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU.ReEnrollment" }, - "CertStores.Win.Inventory": { + "CertStores.WinCert.Inventory": { "assemblypath": "WindowsCertStore.dll", - "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.Win.Inventory" + "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinCert.Inventory" }, - "CertStores.Win.Management": { + "CertStores.WinCert.Management": { "assemblypath": "WindowsCertStore.dll", - "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.Win.Management" + "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinCert.Management" }, - "CertStores.Win.ReEnrollment": { + "CertStores.WinCert.ReEnrollment": { "assemblypath": "WindowsCertStore.dll", - "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.Win.ReEnrollment" + "TypeFullName": "Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinCert.ReEnrollment" } } } 
diff --git a/README.md b/README.md index 6da3b6e..c4ca0cd 100644 --- a/README.md +++ b/README.md @@ -86,11 +86,10 @@ This text would be entered in as the value for the __Server Password__, instead --- -**WinCertStore Orchestrator Configuration** +# WinCertStore Orchestrator Configuration +## Overview -**Overview** - -The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command: +The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command: Get-ChildItem Cert:\LocalMachine @@ -110,35 +109,33 @@ In version 2.0 of the IIS Orchestrator, the certificate store type has been rena **Note: There is an additional certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.** -**Note: In version 3.0, the orchestrator has been renamed from IISU to WinCert. There is currently no succession process to update previous certificate store types.** - +## Creating New Certificate Store Types +Currently this orchestrator handles two extensions: IISU for IIS servers with bound certificates and WinCert for general Windows Certificates. Below describes how each of these certificate store types are created and configured. +
+ IISU Extension -**1. Create the New Certificate Store Type** +**In Keyfactor Command create a new Certificate Store Type similar to the one below:** -In Keyfactor Command create a new Certificate Store Type similar to the one below: - -#### STORE TYPE CONFIGURATION **Basic Settings:** CONFIG ELEMENT | DESCRIPTION ------------------|------------------ -Name |A descriptive name for the extension. Example: WinCert (for general windows cert store), WinIIS (for IIS Webstore cert store) -Short Name |The short name that identifies the registered functionality of the orchestrator. Currently must be either Win or WinIIS -Custom Capability|Store type name orchestrator will register with. Currently must be Win or WinIIS. -Job Types |Inventory (Checked), Add, Remove, and Reenrollment are the supported job types. +Name |A descriptive name for the extension. Example: IISU +Short Name |The short name that identifies the registered functionality of the orchestrator. Must be IISU. +Custom Capability|Store type name orchestrator will register with. Check the box and enter IISU. +Job Types |Inventory (Checked), check the additional checkboxes: Add, Remove, and Reenrollment. General Settings|Needs Server - Checked
Blueprint Allowed - Unchecked
Uses PowerShell - Unchecked Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked. Supports Entry Password |Determined if an individual entry within a store can have a password. This must be unchecked. - -![](images/certstoretype.png) +![](images/IISUCertStoreBasic.png) **Advanced Settings:** CONFIG ELEMENT | DESCRIPTION ------------------|------------------ -Store Path Type |Determines what restrictions are applied to the store path field when configuring a new store. -Store Path Value|When using this as a Windows Cert Store, this option must be freeform, allowing the user to type in a particular store path.
When using this for bound or IIS Certificates, This must be a comma separated list of options to select from for the Store Path. This, combined with the hostname, will determine the location used for the certificate store management and inventory. Must be My, WebHosting +Store Path Type |Determines what restrictions are applied to the store path field when configuring a new store. Select Multiple Choice. +Store Path Value|This must be a comma separated list of options to select from for the Store Path. This, combined with the hostname, will determine the location used for the certificate store management and inventory. Must be My, WebHosting Supports Custom Alias |Determines if an individual entry within a store can have a custom Alias. This must be Forbidden. Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is required since IIS will need the private key material to establish TLS connections. PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined). 
@@ -151,19 +148,17 @@ PFX Password Style |This determines how the platform generate passwords to prote Parameter Name|Display Name|Parameter Type|Default Value|Required|Description ---|---|---|---|---|--- -spnwithport\*|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service -WinRm Protocol\*|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on -WinRm Port\*|WinRm Port|String|5985|Yes|Port that WinRM Runs on -ServerUsername|Server Username|Secret||No|The username to log into the IIS Server -ServerPassword|Server Password|Secret||No|The password that matches the username to log into the IIS Server +spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service +WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on +WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on +ServerUsername|Server Username|Secret||No|The username to log into the Server +ServerPassword|Server Password|Secret||No|The password that matches the username to log into the Server ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not -**NOTE: Elements with an asterisk (*) are only required when communicating with a Web Server and bound certificates. - -![](images/certstoretype-c.png) - +![](images/IISUCustomFields.png) **Entry Parameters:** + This section must be configured with binding fields. The parameters will be populated with the appropriate data when creating a new certificate store.
- **Site Name** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The site name for the web site being bound to – i.e. "Default Web Site" 
@@ -178,8 +173,8 @@ This section must be configured with binding fields. The parameters will be popu - 1 - SNI Enabled - 2 - Non SNI Binding - 3 - SNI Binding -- **Provider Name\*** - Optional. Name of the Windows cryptographic provider to use when generating and storing the private key for the certificate being enrolled by a reenrollment job. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be changed when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target IIS server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' in a command shell on the target IIS Server. -- **SAN\*** - Optional. Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. +- **Provider Name** - Optional. Name of the Windows cryptographic provider to use when generating and storing the private key for the certificate being enrolled by a reenrollment job. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be changed when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' in a command shell on the target Server. +- **SAN** - Optional. Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. 
Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Parameter Name|Parameter Type|Default Value|Required When ---|---|---|--- @@ -189,60 +184,137 @@ HostName |String|| SiteName |String|Default Web Site|Adding Entry, Removing Entry, Reenrolling an Entry SniFlag |String|0 - No SNI| Protocol |Multiple Choice|https|Adding Entry, Removing Entry, Reenrolling an Entry -ProviderName\* |String|| -SAN\* |String||Reenrolling an Entry (if the CA follows RFC 2818 specifications) +ProviderName |String|| +SAN |String||Reenrolling an Entry (if the CA follows RFC 2818 specifications) + +![](images/IISUEntryParams.png) + +Click Save to save the Certificate Store Type. + +
+ +
+ WinCert Extension + +**1. In Keyfactor Command create a new Certificate Store Type using the settings below** + +**Basic Settings:** + +CONFIG ELEMENT | DESCRIPTION +------------------|------------------ +Name |A descriptive name for the extension. Example: WinCert +Short Name |The short name that identifies the registered functionality of the orchestrator. Must be WinCert. +Custom Capability|Store type name orchestrator will register with. Check the box and enter WinCert. +Job Types |Inventory (Checked), check the additional checkboxes: Add, Remove, and Reenrollment. +General Settings|Needs Server - Checked
Blueprint Allowed - Unchecked
Uses PowerShell - Unchecked +Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked. +Supports Entry Password |Determined if an individual entry within a store can have a password. This must be unchecked. + +![](images/WinCertBasic.png) + +**Advanced Settings:** + +CONFIG ELEMENT | DESCRIPTION +------------------|------------------ +Store Path Type |Select Freeform. Allows users to type in a valid certificate store. +Supports Custom Alias |Determines if an individual entry within a store can have a custom Alias. This must be Forbidden. +Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is required since IIS will need the private key material to establish TLS connections. +PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined). + +![](images/WinCertAdvanced.png) -**NOTE: Elements with an asterisk (*) are only required when not binding certificates to a web server. 
+**Custom Fields:** + +- **SPN With Port** – Defaults to false but some customers need for remote PowerShell Access + +Parameter Name|Display Name|Parameter Type|Default Value|Required|Description +---|---|---|---|---|--- +spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service +WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on +WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on +ServerUsername|Server Username|Secret||No|The username to log into the Server +ServerPassword|Server Password|Secret||No|The password that matches the username to log into the Server +ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not + +![](images/WinCertCustom.png) + +**Entry Parameters:** +- **Provider Name** - Optional. Name of the Windows cryptographic provider to use when generating and storing the private key for the certificate being enrolled by a reenrollment job. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be changed when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' in a command shell on the target Server. +- **SAN** - Optional. Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. 
+ +Parameter Name|Parameter Type|Default Value|Required When +---|---|---|--- +ProviderName |String|| +SAN |String||Reenrolling an Entry (if the CA follows RFC 2818 specifications) + + +![](images/WinCertEntryParams.png) -![](images/screen2.png) +Click Save to save the Certificate Store Type. -**2. Register the IIS Universal Orchestrator with Keyfactor** -See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representative. +
-**3a. Create an IIS Binding Certificate Store within Keyfactor Command** -In Keyfactor Command create a new Certificate Store similar to the one below, selecting "WinIIS" as the Category and the parameters as described in "Create the New Certificate Store Type for the New IIS AnyAgent".
+## Creating New Certificate Stores +Once the Certificate Store Types have been created, you need to create the Certificate Stores prior to using the extension. +Here are the settings required for each Store Type previously configured. -![](images/IISCertStore.png) +
+IISU Certificate Store + +In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below. #### STORE CONFIGURATION CONFIG ELEMENT |DESCRIPTION ----------------|--------------- -Category |The type of certificate store to be configured. Select category based on the display name configured above. +Category |Select the IISU from the dropdown. This is the name of the Certificate Store Type you previously create. Container |This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store. Client Machine |The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell. Credentials |Local or domain admin account that has permissions to manage iis (Has to be admin) -Store Path |My or WebHosting +Store Path |Select My or WebHosting from the dropdown. Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. -SPN with Port?| -WinRm Protocol|http or https +SPN with Port?| Defaulted to False +WinRm Protocol|Select either http or https WinRm Port |Port to run WinRm on Default for http is 5985 Server Username|Username to log into the IIS Server Server Password|Password for the username required to log into the IIS Server -Use SSL|Determines whether SSL is used ot not - +Use SSL|Determines whether SSL is used or not Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store. -**3b. 
Create a Windows Certificate Store within Keyfactor Command** +![](images/IISUAddCertStore.png) -In Keyfactor Command create a new Certificate Store similar to the one below, selecting "WinIIS" as the Category and the parameters as described in "Create the New Certificate Store Type for the New IIS AnyAgent".
+Click Save to save the settings for this Certificate Store +
+ +
+WinCert Certificate Store + +In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below. -![](images/WinCertStore.png) #### STORE CONFIGURATION CONFIG ELEMENT |DESCRIPTION ----------------|--------------- -Category |The type of certificate store to be configured. Select category based on the display name configured above. +Category |The type of certificate store to be configured. Select category based on the display name configured above for WinCert. Container |This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store. Client Machine |The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell. -Credentials |Local or domain admin account that has permissions to manage iis (Has to be admin) -Store Path |Any correctly spelled local machine store path +Store Path |Enter the specific name of the certificate store path you want to use. Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. -Server Username|Username to log into the Server +SPN with Port?|Defaults to False +WinRm Protocol|Select http or https +WinRm Port |Port to run WinRm on Default for http is 5985 +Server Username|Username to log into the IIS Server Server Password|Password for the username required to log into the IIS Server -Use SSL|Determines whether SSL is used ot not +Use SSL|Determines whether SSL is used or not +Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store. + +![](images/WinCertStore.png) + +
+ + +## Test Cases -#### TEST CASES Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot ----|------------------------|------------------------------------|--------------|----------------|------------------------- 1 |New Cert Enrollment To New Binding With KFSecret Creds|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified creds pulled from KFSecret|True|![](images/TestCase1Results.gif) @@ -265,4 +337,3 @@ Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot - diff --git a/WindowsCertStore.sln b/WindowsCertStore.sln index ed90aa4..e63867e 100644 --- a/WindowsCertStore.sln +++ b/WindowsCertStore.sln @@ -19,11 +19,18 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{630203 images\CertStoreType-c.png = images\CertStoreType-c.png images\CertStoreType.png = images\CertStoreType.png images\IISCertStore.png = images\IISCertStore.png + images\IISUAddCertStore.png = images\IISUAddCertStore.png + images\IISUCertStoreBasic.png = images\IISUCertStoreBasic.png + images\IISUCustomFields.png = images\IISUCustomFields.png + images\IISUEntryParams.png = images\IISUEntryParams.png images\ReEnrollment1.png = images\ReEnrollment1.png images\ReEnrollment1a.png = images\ReEnrollment1a.png images\ReEnrollment1b.png = images\ReEnrollment1b.png images\Screen1.png = images\Screen1.png images\Screen2.png = images\Screen2.png + images\WinCertAdvanced.png = images\WinCertAdvanced.png + images\WinCertBasic.png = images\WinCertBasic.png + images\WinCertEntryParams.png = images\WinCertEntryParams.png images\WinCertStore.png = images\WinCertStore.png EndProjectSection EndProject diff --git a/images/IISUAddCertStore.png b/images/IISUAddCertStore.png new file mode 100644 index 0000000..def6510 Binary files /dev/null and b/images/IISUAddCertStore.png differ diff --git a/images/IISUCertStoreBasic.png b/images/IISUCertStoreBasic.png new file mode 100644 index 0000000..54e9cbc Binary files /dev/null and b/images/IISUCertStoreBasic.png differ diff --git a/images/IISUCustomFields.png b/images/IISUCustomFields.png new file mode 100644 index 0000000..7d38af7 Binary files /dev/null and b/images/IISUCustomFields.png differ 
diff --git a/images/IISUEntryParams.png b/images/IISUEntryParams.png new file mode 100644 index 0000000..a05f36f Binary files /dev/null and b/images/IISUEntryParams.png differ diff --git a/images/WinCertAdvanced.png b/images/WinCertAdvanced.png new file mode 100644 index 0000000..5175a95 Binary files /dev/null and b/images/WinCertAdvanced.png differ diff --git a/images/WinCertBasic.png b/images/WinCertBasic.png new file mode 100644 index 0000000..3b28ac6 Binary files /dev/null and b/images/WinCertBasic.png differ diff --git a/images/WinCertCustom.png b/images/WinCertCustom.png new file mode 100644 index 0000000..193f6c9 Binary files /dev/null and b/images/WinCertCustom.png differ diff --git a/images/WinCertEntryParams.png b/images/WinCertEntryParams.png new file mode 100644 index 0000000..8506dac Binary files /dev/null and b/images/WinCertEntryParams.png differ diff --git a/integration-manifest.json b/integration-manifest.json index 2cf1679..effd81d 100644 --- a/integration-manifest.json +++ b/integration-manifest.json 
@@ -26,6 +26,292 @@ "supportsReenrollment": false, "supportsInventory": false, "platformSupport": "Unused" + }, + "store_types": { + "WinCert": { + "Name": "WinCert", + "ShortName": "WinCert", + "Capability": "WinCert", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": true + }, + "Properties": [ + { + "Name": "spnwithport", + "DisplayName": "SPN With Port", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "WinRM Protocol", + "DisplayName": "WinRm Protocol", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "http, https", + "Required": true + }, + { + "Name": "WinRm Port", + "DisplayName": "WinRm Port", + "Type": "String", + "DependsOn": "", + "DefaultValue": "5985", + "Required": true + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true + } + ], + "EntryParameters": [ + { + "Name": "ProviderName", + "DisplayName": "Provider Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "SAN", + "DisplayName": "SAN", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + } + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "JobProperties": [ + "ProviderName", + "SAN" + ], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": 
false, + "CustomAliasAllowed": "Forbidden", + "ServerRegistration": 7, + "InventoryEndpoint": "/AnyInventory/Update" + }, + "IISU": { + "Name": "IISU", + "ShortName": "IISU", + "Capability": "IISU", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": true + }, + "Properties": [ + { + "Name": "spnwithport", + "DisplayName": "SPN With Port?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "WinRM Protocol", + "DisplayName": "WinRm Protocol", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "http,https", + "Required": true + }, + { + "Name": "WinRm Port", + "DisplayName": "WinRm Port", + "Type": "String", + "DependsOn": "", + "DefaultValue": "5985", + "Required": true + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true + } + ], + "EntryParameters": [ + { + "Name": "IPAddress", + "DisplayName": "IP Address", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DefaultValue": "*" + }, + { + "Name": "Port", + "DisplayName": "Port", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DefaultValue": "443" + }, + { + "Name": "HostName", + "DisplayName": "Host Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "SiteName", + "DisplayName": "Site 
Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DefaultValue": "Default Web Site" + }, + { + "Name": "SniFlag", + "DisplayName": "SNI Flag", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DefaultValue": "0 - No SNI" + }, + { + "Name": "Protocol", + "DisplayName": "Protocol", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DefaultValue": "https", + "Options": "http, https" + }, + { + "Name": "ProviderName", + "DisplayName": "Provider Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "SAN", + "DisplayName": "SAN", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + } + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "[\"My\",\"WebHosting\"]", + "PrivateKeyAllowed": "Required", + "JobProperties": [ + "IPAddress", + "Port", + "HostName", + "SiteName", + "SniFlag", + "Protocol", + "ProviderName", + "SAN" + ], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden", + "InventoryEndpoint": "/AnyInventory/Update" + } } } } diff --git a/readme_source.md b/readme_source.md index 550a643..c166c26 100644 --- a/readme_source.md +++ b/readme_source.md 
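Review bot: The `WinRM Protocol` property is defined with `"DefaultValue": "http, https"` in the WinCert type and `"http,https"` in the IISU type (note the stray space), and the README rows in this same change give the effective default as `http`, so a freshly created store of either type talks plaintext WinRM unless the operator changes it while `ServerUseSsl` simultaneously defaults to `true`. Make the two definitions identical and put the secure option first, `"DefaultValue": "https,http"`, with the README default updated to match. The README also spells the parameter `WinRm Protocol` while the manifest uses `WinRM Protocol`; if the orchestrator looks the property up by name, that case difference matters, so confirm which spelling the code expects. `ServerRegistration: 7` appears only on WinCert and `StorePathValue` only on IISU; if both asymmetries are deliberate a reader cannot tell, so a note in the README would help.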
@@ -1,8 +1,7 @@ -**WinCertStore Orchestrator Configuration** +# WinCertStore Orchestrator Configuration +## Overview -**Overview** - -The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command: +The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command: Get-ChildItem Cert:\LocalMachine @@ -22,35 +21,33 @@ In version 2.0 of the IIS Orchestrator, the certificate store type has been rena **Note: There is an additional certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.** -**Note: In version 3.0, the orchestrator has been renamed from IISU to WinCert. There is currently no succession process to update previous certificate store types.** - +## Creating New Certificate Store Types +Currently this orchestrator handles two extensions: IISU for IIS servers with bound certificates and WinCert for general Windows Certificates. Below describes how each of these certificate store types are created and configured. +
+ IISU Extension -**1. Create the New Certificate Store Type** +**In Keyfactor Command create a new Certificate Store Type similar to the one below:** -In Keyfactor Command create a new Certificate Store Type similar to the one below: - -#### STORE TYPE CONFIGURATION **Basic Settings:** CONFIG ELEMENT | DESCRIPTION ------------------|------------------ -Name |A descriptive name for the extension. Example: WinCert (for general windows cert store), WinIIS (for IIS Webstore cert store) -Short Name |The short name that identifies the registered functionality of the orchestrator. Currently must be either Win or WinIIS -Custom Capability|Store type name orchestrator will register with. Currently must be Win or WinIIS. -Job Types |Inventory (Checked), Add, Remove, and Reenrollment are the supported job types. +Name |A descriptive name for the extension. Example: IISU +Short Name |The short name that identifies the registered functionality of the orchestrator. Must be IISU. +Custom Capability|Store type name orchestrator will register with. Check the box and enter IISU. +Job Types |Inventory (Checked), check the additional checkboxes: Add, Remove, and Reenrollment. General Settings|Needs Server - Checked
Blueprint Allowed - Unchecked
Uses PowerShell - Unchecked Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked. Supports Entry Password |Determined if an individual entry within a store can have a password. This must be unchecked. - -![](images/certstoretype.png) +![](images/IISUCertStoreBasic.png) **Advanced Settings:** CONFIG ELEMENT | DESCRIPTION ------------------|------------------ -Store Path Type |Determines what restrictions are applied to the store path field when configuring a new store. -Store Path Value|When using this as a Windows Cert Store, this option must be freeform, allowing the user to type in a particular store path.
When using this for bound or IIS Certificates, This must be a comma separated list of options to select from for the Store Path. This, combined with the hostname, will determine the location used for the certificate store management and inventory. Must be My, WebHosting +Store Path Type |Determines what restrictions are applied to the store path field when configuring a new store. Select Multiple Choice. +Store Path Value|This must be a comma separated list of options to select from for the Store Path. This, combined with the hostname, will determine the location used for the certificate store management and inventory. Must be My, WebHosting Supports Custom Alias |Determines if an individual entry within a store can have a custom Alias. This must be Forbidden. Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is required since IIS will need the private key material to establish TLS connections. PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined). 
@@ -63,19 +60,17 @@ PFX Password Style |This determines how the platform generate passwords to prote Parameter Name|Display Name|Parameter Type|Default Value|Required|Description ---|---|---|---|---|--- -spnwithport\*|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service -WinRm Protocol\*|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on -WinRm Port\*|WinRm Port|String|5985|Yes|Port that WinRM Runs on -ServerUsername|Server Username|Secret||No|The username to log into the IIS Server -ServerPassword|Server Password|Secret||No|The password that matches the username to log into the IIS Server +spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service +WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on +WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on +ServerUsername|Server Username|Secret||No|The username to log into the Server +ServerPassword|Server Password|Secret||No|The password that matches the username to log into the Server ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not -**NOTE: Elements with an asterisk (*) are only required when communicating with a Web Server and bound certificates. - -![](images/certstoretype-c.png) - +![](images/IISUCustomFields.png) **Entry Parameters:** + This section must be configured with binding fields. The parameters will be populated with the appropriate data when creating a new certificate store.
- **Site Name** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The site name for the web site being bound to – i.e. "Default Web Site" 
@@ -90,8 +85,8 @@ This section must be configured with binding fields. The parameters will be popu - 1 - SNI Enabled - 2 - Non SNI Binding - 3 - SNI Binding -- **Provider Name\*** - Optional. Name of the Windows cryptographic provider to use when generating and storing the private key for the certificate being enrolled by a reenrollment job. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be changed when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target IIS server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' in a command shell on the target IIS Server. -- **SAN\*** - Optional. Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. +- **Provider Name** - Optional. Name of the Windows cryptographic provider to use when generating and storing the private key for the certificate being enrolled by a reenrollment job. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be changed when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' in a command shell on the target Server. +- **SAN** - Optional. Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. 
Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Parameter Name|Parameter Type|Default Value|Required When ---|---|---|--- @@ -101,60 +96,137 @@ HostName |String|| SiteName |String|Default Web Site|Adding Entry, Removing Entry, Reenrolling an Entry SniFlag |String|0 - No SNI| Protocol |Multiple Choice|https|Adding Entry, Removing Entry, Reenrolling an Entry -ProviderName\* |String|| -SAN\* |String||Reenrolling an Entry (if the CA follows RFC 2818 specifications) +ProviderName |String|| +SAN |String||Reenrolling an Entry (if the CA follows RFC 2818 specifications) + +![](images/IISUEntryParams.png) + +Click Save to save the Certificate Store Type. + +
+ +
+ WinCert Extension + +**1. In Keyfactor Command create a new Certificate Store Type using the settings below** + +**Basic Settings:** + +CONFIG ELEMENT | DESCRIPTION +------------------|------------------ +Name |A descriptive name for the extension. Example: WinCert +Short Name |The short name that identifies the registered functionality of the orchestrator. Must be WinCert. +Custom Capability|Store type name orchestrator will register with. Check the box and enter WinCert. +Job Types |Inventory (Checked), check the additional checkboxes: Add, Remove, and Reenrollment. +General Settings|Needs Server - Checked
Blueprint Allowed - Unchecked
Uses PowerShell - Unchecked +Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked. +Supports Entry Password |Determined if an individual entry within a store can have a password. This must be unchecked. + +![](images/WinCertBasic.png) + +**Advanced Settings:** + +CONFIG ELEMENT | DESCRIPTION +------------------|------------------ +Store Path Type |Select Freeform. Allows users to type in a valid certificate store. +Supports Custom Alias |Determines if an individual entry within a store can have a custom Alias. This must be Forbidden. +Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is required since IIS will need the private key material to establish TLS connections. +PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined). + +![](images/WinCertAdvanced.png) -**NOTE: Elements with an asterisk (*) are only required when not binding certificates to a web server. 
+**Custom Fields:** + +- **SPN With Port** – Defaults to false but some customers need for remote PowerShell Access + +Parameter Name|Display Name|Parameter Type|Default Value|Required|Description +---|---|---|---|---|--- +spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service +WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on +WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on +ServerUsername|Server Username|Secret||No|The username to log into the Server +ServerPassword|Server Password|Secret||No|The password that matches the username to log into the Server +ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not + +![](images/WinCertCustom.png) + +**Entry Parameters:** +- **Provider Name** - Optional. Name of the Windows cryptographic provider to use when generating and storing the private key for the certificate being enrolled by a reenrollment job. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be changed when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' in a command shell on the target Server. +- **SAN** - Optional. Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. 
+ +Parameter Name|Parameter Type|Default Value|Required When +---|---|---|--- +ProviderName |String|| +SAN |String||Reenrolling an Entry (if the CA follows RFC 2818 specifications) + + +![](images/WinCertEntryParams.png) -![](images/screen2.png) +Click Save to save the Certificate Store Type. -**2. Register the IIS Universal Orchestrator with Keyfactor** -See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representative. +
-**3a. Create an IIS Binding Certificate Store within Keyfactor Command** -In Keyfactor Command create a new Certificate Store similar to the one below, selecting "WinIIS" as the Category and the parameters as described in "Create the New Certificate Store Type for the New IIS AnyAgent".
+## Creating New Certificate Stores +Once the Certificate Store Types have been created, you need to create the Certificate Stores prior to using the extension. +Here are the settings required for each Store Type previously configured. -![](images/IISCertStore.png) +
+IISU Certificate Store + +In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below. #### STORE CONFIGURATION CONFIG ELEMENT |DESCRIPTION ----------------|--------------- -Category |The type of certificate store to be configured. Select category based on the display name configured above. +Category |Select the IISU from the dropdown. This is the name of the Certificate Store Type you previously create. Container |This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store. Client Machine |The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell. Credentials |Local or domain admin account that has permissions to manage iis (Has to be admin) -Store Path |My or WebHosting +Store Path |Select My or WebHosting from the dropdown. Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. -SPN with Port?| -WinRm Protocol|http or https +SPN with Port?| Defaulted to False +WinRm Protocol|Select either http or https WinRm Port |Port to run WinRm on Default for http is 5985 Server Username|Username to log into the IIS Server Server Password|Password for the username required to log into the IIS Server -Use SSL|Determines whether SSL is used ot not - +Use SSL|Determines whether SSL is used or not Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store. -**3b. 
Create a Windows Certificate Store within Keyfactor Command** +![](images/IISUAddCertStore.png) -In Keyfactor Command create a new Certificate Store similar to the one below, selecting "WinIIS" as the Category and the parameters as described in "Create the New Certificate Store Type for the New IIS AnyAgent".
+Click Save to save the settings for this Certificate Store +
+ +
+WinCert Certificate Store + +In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below. -![](images/WinCertStore.png) #### STORE CONFIGURATION CONFIG ELEMENT |DESCRIPTION ----------------|--------------- -Category |The type of certificate store to be configured. Select category based on the display name configured above. +Category |The type of certificate store to be configured. Select category based on the display name configured above for WinCert. Container |This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store. Client Machine |The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell. -Credentials |Local or domain admin account that has permissions to manage iis (Has to be admin) -Store Path |Any correctly spelled local machine store path +Store Path |Enter the specific name of the certificate store path you want to use. Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. -Server Username|Username to log into the Server +SPN with Port?|Defaults to False +WinRm Protocol|Select http or https +WinRm Port |Port to run WinRm on Default for http is 5985 +Server Username|Username to log into the IIS Server Server Password|Password for the username required to log into the IIS Server -Use SSL|Determines whether SSL is used ot not +Use SSL|Determines whether SSL is used or not +Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store. + +![](images/WinCertStore.png) + +
+ + +## Test Cases -#### TEST CASES Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot ----|------------------------|------------------------------------|--------------|----------------|------------------------- 1 |New Cert Enrollment To New Binding With KFSecret Creds|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified creds pulled from KFSecret|True|![](images/TestCase1Results.gif) @@ -176,4 +248,3 @@ Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot -