diff --git a/CHANGELOG.md b/CHANGELOG.md
index faa1419..37288f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+2.1.1
+* Fixed the missing site name error when issuing a WinCert job when writing trace log settings to the log file.
+* Several display names changed in the documented certificate store type definitions. There are no changes to the internal type or parameter names, so no migration is necessary for currently configured stores.
+ * Display name for IISU changed to "IIS Bound Certificate".
+ * Display name for WinCert changed to "Windows Certificate".
+ * Display names for several Store and Entry parameters changed to be more descriptive and UI friendly.
+* Significant readme cleanup
+
2.1.0
* Fixed issue that was occuring during renewal when there were bindings outside of http and https like net.tcp
* Added PAM registration/initialization documentation in README.md
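Review bot: the first 2.1.1 bullet is hard to parse because of the doubled "when" ("when issuing a WinCert job when writing trace log settings"); say what actually failed, e.g. "Fixed a missing-SiteName error thrown while writing trace log settings to the log file for WinCert jobs (SiteName only exists for IISU stores)", so the entry matches the JobConfigurationParser change in this same commit. The unchanged 2.1.0 line still has "occuring" (should be "occurring") and could be corrected while this file is being touched.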
diff --git a/IISU/JobConfigurationParser.cs b/IISU/JobConfigurationParser.cs
index bd7889d..5cb0448 100644
--- a/IISU/JobConfigurationParser.cs
+++ b/IISU/JobConfigurationParser.cs
@@ -47,14 +47,15 @@ public static string ParseManagementJobConfiguration(ManagementJobConfiguration
bool isEmpty = (config.JobProperties.Count == 0); // Check if the dictionary is empty or not
if (!isEmpty)
{
- managementParser.CertificateStoreDetailProperties.SiteName = config.JobProperties["SiteName"].ToString();
- managementParser.CertificateStoreDetailProperties.Port = config.JobProperties["Port"].ToString();
- managementParser.CertificateStoreDetailProperties.HostName = config.JobProperties["HostName"]?.ToString();
- managementParser.CertificateStoreDetailProperties.Protocol = config.JobProperties["Protocol"].ToString();
- managementParser.CertificateStoreDetailProperties.SniFlag = config.JobProperties["SniFlag"].ToString()?[..1];
- managementParser.CertificateStoreDetailProperties.IPAddress = config.JobProperties["IPAddress"].ToString();
- managementParser.CertificateStoreDetailProperties.ProviderName = config.JobProperties["ProviderName"]?.ToString();
- managementParser.CertificateStoreDetailProperties.SAN = config.JobProperties["SAN"]?.ToString();
+ object value = "";
+ if (config.JobProperties.TryGetValue("SiteName", out value)) managementParser.CertificateStoreDetailProperties.SiteName = config.JobProperties["SiteName"].ToString();
+ if (config.JobProperties.TryGetValue("Port", out value)) managementParser.CertificateStoreDetailProperties.Port = config.JobProperties["Port"].ToString();
+ if (config.JobProperties.TryGetValue("HostName", out value)) managementParser.CertificateStoreDetailProperties.HostName = config.JobProperties["HostName"]?.ToString();
+ if (config.JobProperties.TryGetValue("Protocol", out value)) managementParser.CertificateStoreDetailProperties.Protocol = config.JobProperties["Protocol"].ToString();
+ if (config.JobProperties.TryGetValue("SniFlag", out value)) managementParser.CertificateStoreDetailProperties.SniFlag = config.JobProperties["SniFlag"].ToString()?[..1];
+ if (config.JobProperties.TryGetValue("IPAddress", out value)) managementParser.CertificateStoreDetailProperties.IPAddress = config.JobProperties["IPAddress"].ToString();
+ if (config.JobProperties.TryGetValue("ProviderName", out value)) managementParser.CertificateStoreDetailProperties.ProviderName = config.JobProperties["ProviderName"]?.ToString();
+ if (config.JobProperties.TryGetValue("SAN", out value)) managementParser.CertificateStoreDetailProperties.SAN = config.JobProperties["SAN"]?.ToString();
}
// Management Base
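Review bot: the eight new `TryGetValue` guards fetch the value into `value` and then throw it away by indexing `config.JobProperties[...]` a second time; use the out variable and null-check it, because `.ToString()` is still called unconditionally for SiteName, Port, Protocol, SniFlag and IPAddress and a present-but-null property will now raise NullReferenceException instead of the KeyNotFoundException this change was meant to remove. Suggested shape for each line: `if (config.JobProperties.TryGetValue("Port", out var v) && v != null) managementParser.CertificateStoreDetailProperties.Port = v.ToString();`. The `object value = "";` initializer is dead code since `out` always overwrites it. Separately, `config.JobProperties["SniFlag"].ToString()?[..1]` throws ArgumentOutOfRangeException when the string is empty; guard on `Length > 0` before slicing. A short comment explaining that WinCert jobs legitimately lack the binding properties would make the intent of the guards clear to the next reader.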
diff --git a/README.md b/README.md
index c4ca0cd..de297a3 100644
--- a/README.md
+++ b/README.md
@@ -1,16 +1,16 @@
# IIS Orchestrator
-The IIS Orchestrator treats the certificates bound (actively in use) on a Microsoft Internet Information Server (IIS) as a Keyfactor certificate store. Inventory and Management functions are supported. The orchestrator replaces the IIS orchestrator that ships with Keyfactor Command (which did not support binding.)
+The Windows Certificate Store Orchestrator Extension implements two certificate store types. 1) “WinCert” which manages certificates in a Windows local machine store, and 2) “IISU” which manages certificates and their bindings in a Windows local machine store that are bound to Internet Information Server (IIS) websites. These extensions replace the now deprecated “IIS” cert store type that ships with Keyfactor Command. The “IISU” extension also replaces the “IISBin” certificate store type from prior versions of this repository. This orchestrator extension is in the process of being renamed from “IIS Orchestrator” as it now supports certificates that are not in use by IIS.
#### Integration status: Production - Ready for use in production environments.
-## About the Keyfactor Universal Orchestrator Capability
+## About the Keyfactor Universal Orchestrator Extension
-This repository contains a Universal Orchestrator Capability which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
+This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
-The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Capabilities, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Capability, see below in this readme.
+The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme.
-The Universal Orchestrator is the successor to the Windows Orchestrator. This Capability plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
+The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
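Review bot: the new introduction says the two store types "replace the now deprecated “IIS” cert store type", but the migration note later in this README states that migrating stores from the "IIS" type to IISU is not supported; add a cross-reference (or a sentence here) so a reader does not assume an upgrade path exists. The page title is still "# IIS Orchestrator" while the paragraph says the project is being renamed; consider naming the new title (or stating that the heading will change) so the two do not read as contradictory.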
@@ -45,7 +45,7 @@ The secrets that this orchestrator extension supports for use with a PAM Provide
|Name|Description|
|----|-----------|
-|Server UserName|The user id that will be used to authenticate into the server hosting the store|
+|Server Username|The user id that will be used to authenticate into the server hosting the store|
|Server Password|The password that will be used to authenticate into the server hosting the store|
@@ -83,6 +83,7 @@ This text would be entered in as the value for the __Server Password__, instead
+
---
@@ -97,7 +98,7 @@ The returned list will contain the actual certificate store name to be used when
By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores.
-This agent implements four job types: Inventory, Management Add/Remove, and ReEnrollment.
+This extension implements four job types: Inventory, Management Add/Remove, and ReEnrollment.
WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow the orchestrator on the server to manage the certificates. Setting up WinRM is not in the scope of this document.
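Review bot: "four job types: Inventory, Management Add/Remove, and ReEnrollment" lists three items; either count Add and Remove separately in the wording ("Inventory, Management Add, Management Remove, and ReEnrollment") or change "four" to "three" so the sentence agrees with the Supported Job Types rows in the store type tables below. Since this commit moves the WinRM defaults to HTTPS/5986, the unchanged sentence on WinRM configuration would benefit from one line saying the orchestrator expects an HTTPS listener by default and that the HTTP listener sends credentials and certificate material in clear text unless the chosen authentication mechanism encrypts them.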
@@ -107,85 +108,80 @@ In version 2.0 of the IIS Orchestrator, the certificate store type has been rena
1. Delete existing IIS stores. Delete the IISBin store type. Create the new IISU store type. Recreate the IIS stores using the new IISU store type.
1. Convert existing IISBin certificate stores to IISU certificate stores. There is not currently a way to do this via the Keyfactor API, so direct updates to the underlying Keyfactor SQL database is required. A SQL script (IIS-Conversion.sql) is available in the repository to do this. Hosted customers, which do not have access to the underlying database, will need to work Keyfactor support to run the conversion. On-premises customers can run the script themselves, but are strongly encouraged to ensure that a SQL backup is taken prior running the script (and also be confident that they have a tested database restoration process.)
-**Note: There is an additional certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.**
+**Note: There is an additional (and deprecated) certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.**
## Creating New Certificate Store Types
-Currently this orchestrator handles two extensions: IISU for IIS servers with bound certificates and WinCert for general Windows Certificates. Below describes how each of these certificate store types are created and configured.
+Currently this orchestrator handles two extensions: IISU for IIS servers with bound certificates and WinCert for general Windows Certificates.
+Below describes how each of these certificate store types are created and configured.
IISU Extension
-**In Keyfactor Command create a new Certificate Store Type similar to the one below:**
+**In Keyfactor Command create a new Certificate Store Type as specified below:**
**Basic Settings:**
-CONFIG ELEMENT | DESCRIPTION
-------------------|------------------
-Name |A descriptive name for the extension. Example: IISU
-Short Name |The short name that identifies the registered functionality of the orchestrator. Must be IISU.
-Custom Capability|Store type name orchestrator will register with. Check the box and enter IISU.
-Job Types |Inventory (Checked), check the additional checkboxes: Add, Remove, and Reenrollment.
-General Settings|Needs Server - Checked
Blueprint Allowed - Unchecked
Uses PowerShell - Unchecked
-Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked.
-Supports Entry Password |Determined if an individual entry within a store can have a password. This must be unchecked.
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Name | IIS Bound Certificate | Display name for the store type (may be customized)
+Short Name| IISU | Short display name for the store type
+Custom Capability | IISU | Store type name orchestrator will register with. Check the box to allow entry of value
+Supported Job Types | Inventory, Add, Remove, Reenrollment | Job types the extension supports
+Needs Server | Checked | Determines if a target server name is required when creating store
+Blueprint Allowed | Unchecked | Determines if store type may be included in an Orchestrator blueprint
+Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell
+Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store.
+Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password.

**Advanced Settings:**
-CONFIG ELEMENT | DESCRIPTION
-------------------|------------------
-Store Path Type |Determines what restrictions are applied to the store path field when configuring a new store. Select Multiple Choice.
-Store Path Value|This must be a comma separated list of options to select from for the Store Path. This, combined with the hostname, will determine the location used for the certificate store management and inventory. Must be My, WebHosting
-Supports Custom Alias |Determines if an individual entry within a store can have a custom Alias. This must be Forbidden.
-Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is required since IIS will need the private key material to establish TLS connections.
-PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined).
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Store Path Type | Multiple Choice | Determines what restrictions are applied to the store path field when configuring a new store.
+Store Path Value | My,WebHosting | Comma separated list of options configure multiple choice. This, combined with the hostname, will determine the location used for the certificate store management and inventory.
+Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias.
+Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be useless.
+PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)
-
+
**Custom Fields:**
-- **SPN With Port** – Defaults to false but some customers need for remote PowerShell Access
+Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote
+target server containing the certificate store to be managed
-Parameter Name|Display Name|Parameter Type|Default Value|Required|Description
+Name|Display Name|Type|Default Value / Options|Required|Description
---|---|---|---|---|---
-spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service
-WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on
-WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on
-ServerUsername|Server Username|Secret||No|The username to log into the Server
-ServerPassword|Server Password|Secret||No|The password that matches the username to log into the Server
-ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not
+WinRm Protocol|WinRm Protocol|Multiple Choice| https,http |Yes|Protocol that target server WinRM listener is using
+WinRm Port|WinRm Port|String|5986|Yes| Port that target server WinRM listener is using. Typically 5985 for HTTP and 5986 for HTTPS
+spnwithport|SPN With Port|Bool|false|No|Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.
+ServerUsername|Server Username|Secret||No|The username to log into the target server (This field is automatically created)
+ServerPassword|Server Password|Secret||No|The password that matches the username to log into the target server (This field is automatically created)
+ServerUseSsl|Use SSL|Bool|true|Yes|Determine whether the server uses SSL or not (This field is automatically created)
+
+*Note that some of the Names in the first column above have spaces and some do not, it is important to configure the Name field exactly as above.*
+

**Entry Parameters:**
-This section must be configured with binding fields. The parameters will be populated with the appropriate data when creating a new certificate store.
-
-- **Site Name** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The site name for the web site being bound to – i.e. "Default Web Site"
-- **IP Address** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The IP address for the web site being bound to. Default is "\*" for all IP Addresses.
-- **Port** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The port for the web site being bound to. Default is "443".
-- **Host Name** – Optional. The host name for the web site being bound to.
-- **Protocol** - Required (Adding an entry, Removing an entry, Reenrolling an entry)
- - https
- - http
-- **Sni Flag** – Optional. Set the SNI flag associated with the binding being created. Default is "0". Acceptable values are:
- - 0 - No SNI
- - 1 - SNI Enabled
- - 2 - Non SNI Binding
- - 3 - SNI Binding
-- **Provider Name** - Optional. Name of the Windows cryptographic provider to use when generating and storing the private key for the certificate being enrolled by a reenrollment job. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be changed when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' in a command shell on the target Server.
-- **SAN** - Optional. Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs.
-
-Parameter Name|Parameter Type|Default Value|Required When
----|---|---|---
-Port|String|443|Adding Entry, Removing Entry, Reenrolling and Entry
-IPAddress|String|*|Adding Entry, Reenrolling an Entry
-HostName |String||
-SiteName |String|Default Web Site|Adding Entry, Removing Entry, Reenrolling an Entry
-SniFlag |String|0 - No SNI|
-Protocol |Multiple Choice|https|Adding Entry, Removing Entry, Reenrolling an Entry
-ProviderName |String||
-SAN |String||Reenrolling an Entry (if the CA follows RFC 2818 specifications)
+Entry parameters are inventoried and maintained for each entry within a certificate store.
+They are typically used to support binding of a certificate to a resource.
+
+Name|Display Name| Type|Default Value|Required When|Description
+---|---|---|---|---|---
+SiteName | IIS Site Name|String|Default Web Site|Adding, Removing, Reenrolling | IIS web site to bind certificate to
+IPAddress | IP Address | String | * | Adding, Removing, Reenrolling | IP address to bind certificate to (use '*' for all IP addresses)
+Port | Port | String | 443 || Adding, Removing, Reenrolling|IP port for bind certificate to
+HostName | Host Name | String |||| Host name (host header) to bind certificate to, leave blank for all host names
+SniFlag | SNI Support | Multiple Choice | 0 - No SNI||Type of SNI for binding
(Multiple choice configuration should be entered as "0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding")
+Protocol | Protocol | Multiple Choice | https| Adding, Removing, Reenrolling|Protocol to bind to (always "https").
(Multiple choice configuration should be "https")
+ProviderName | Crypto Provider Name | String ||| Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server.
+SAN | SAN | String || Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA.
+
+None of the above entry parameters have the "Depends On" field set.

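Review bot: the IISU Entry Parameters table has malformed rows that will render incorrectly. The Port row has seven cells (`Port | Port | String | 443 || Adding, Removing, Reenrolling|IP port for bind certificate to`), which pushes "Adding, Removing, Reenrolling" into the Description column and leaves Required When empty; the HostName row has the same problem (`String ||||`). Drop one `|` from each, and fix "IP port for bind certificate to" to "IP port to bind certificate to". The two unchanged "(Multiple choice configuration should be ...)" lines sit on their own lines between table rows, which terminates the table in Markdown; fold them into the Description cell of the SniFlag and Protocol rows. In the Custom Fields table the Use SSL default is "true" here but "True" in the WinCert table later in this commit; pick one spelling, and note here that this automatically created field is ignored for these store types (as the store configuration section further down states), otherwise a required field whose value has no effect is confusing.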
@@ -200,53 +196,60 @@ Click Save to save the Certificate Store Type.
**Basic Settings:**
-CONFIG ELEMENT | DESCRIPTION
-------------------|------------------
-Name |A descriptive name for the extension. Example: WinCert
-Short Name |The short name that identifies the registered functionality of the orchestrator. Must be WinCert.
-Custom Capability|Store type name orchestrator will register with. Check the box and enter WinCert.
-Job Types |Inventory (Checked), check the additional checkboxes: Add, Remove, and Reenrollment.
-General Settings|Needs Server - Checked
Blueprint Allowed - Unchecked
Uses PowerShell - Unchecked
-Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked.
-Supports Entry Password |Determined if an individual entry within a store can have a password. This must be unchecked.
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Name | Windows Certificate | Display name for the store type (may be customized)
+Short Name| WinCert | Short display name for the store type
+Custom Capability | WinCert | Store type name orchestrator will register with. Check the box to allow entry of value
+Supported Job Types | Inventory, Add, Remove, Reenrollment | Job types the extension supports
+Needs Server | Checked | Determines if a target server name is required when creating store
+Blueprint Allowed | Unchecked | Determines if store type may be included in an Orchestrator blueprint
+Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell
+Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store.
+Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password.

**Advanced Settings:**
-CONFIG ELEMENT | DESCRIPTION
-------------------|------------------
-Store Path Type |Select Freeform. Allows users to type in a valid certificate store.
-Supports Custom Alias |Determines if an individual entry within a store can have a custom Alias. This must be Forbidden.
-Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is required since IIS will need the private key material to establish TLS connections.
-PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined).
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Store Path Type | Freeform | Allows users to type in a valid certificate store.
+Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias.
+Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be useless.
+PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)

**Custom Fields:**
-- **SPN With Port** – Defaults to false but some customers need for remote PowerShell Access
+Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed
-Parameter Name|Display Name|Parameter Type|Default Value|Required|Description
+Name|Display Name|Type|Default Value / Options|Required|Description
---|---|---|---|---|---
-spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service
-WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on
-WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on
-ServerUsername|Server Username|Secret||No|The username to log into the Server
-ServerPassword|Server Password|Secret||No|The password that matches the username to log into the Server
-ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not
+WinRm Protocol|WinRm Protocol|Multiple Choice| https,http |Yes|Protocol that target server WinRM listener is using
+WinRm Port|WinRm Port|String|5986|Yes| Port that target server WinRM listener is using. Typically 5985 for HTTP and 5986 for HTTPS
+spnwithport|SPN With Port|Bool|false|No|Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.
+ServerUsername|Server Username|Secret||No|The username to log into the target server (This field is automatically created)
+ServerPassword|Server Password|Secret||No|The password that matches the username to log into the target server (This field is automatically created)
+ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not (This field is automatically created)
+
+*Note that some of the Names in the first column above have spaces and some do not, it is important to configure the Name field exactly as above.*

**Entry Parameters:**
-- **Provider Name** - Optional. Name of the Windows cryptographic provider to use when generating and storing the private key for the certificate being enrolled by a reenrollment job. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be changed when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' in a command shell on the target Server.
-- **SAN** - Optional. Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs.
-Parameter Name|Parameter Type|Default Value|Required When
----|---|---|---
-ProviderName |String||
-SAN |String||Reenrolling an Entry (if the CA follows RFC 2818 specifications)
+Entry parameters are inventoried and maintained for each entry within a certificate store.
+They are typically used to support binding of a certificate to a resource.
+For the WinCert store type they are used to control how reenrollment jobs are performed.
+Name|Display Name| Type|Default Value|Required When|Description
+---|---|---|---|---|---
+ProviderName | Crypto Provider Name | String ||| Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server.
+SAN | SAN | String || Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA.
+
+None of the above entry parameters have the "Depends On" field set.

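Review bot: the WinCert Advanced Settings table copies the IISU justification "Required because IIS certificates without private keys would be useless" into a store type that manages general Windows certificates, not only IIS; reword to describe the WinCert case (e.g. that reenrollment must place a private key in the local machine store). The Use SSL default is "True" here versus "true" in the IISU table; make them consistent. The third introductory sentence ("For the WinCert store type they are used to control how reenrollment jobs are performed") contradicts the preceding generic sentence about binding for this store type; keep only the WinCert-specific one here.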
@@ -267,19 +270,18 @@ In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. C
#### STORE CONFIGURATION
CONFIG ELEMENT |DESCRIPTION
----------------|---------------
-Category |Select the IISU from the dropdown. This is the name of the Certificate Store Type you previously create.
-Container |This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store.
-Client Machine |The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell.
-Credentials |Local or domain admin account that has permissions to manage iis (Has to be admin)
-Store Path |Select My or WebHosting from the dropdown.
-Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type.
-SPN with Port?| Defaulted to False
-WinRm Protocol|Select either http or https
-WinRm Port |Port to run WinRm on Default for http is 5985
-Server Username|Username to log into the IIS Server
-Server Password|Password for the username required to log into the IIS Server
-Use SSL|Determines whether SSL is used or not
-Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store.
+Category | Select IIS Bound Certificate or the customized certificate store display name from above.
+Container | Optional container to associate certificate store with.
+Client Machine | Hostname of the IIS server containing the certificate store to be managed.
+Store Path | Windows certificate store to manage. Choose "My" for the Personal Store or "WebHosting" for the Web Hosting Store.
+Orchestrator | Select an approved orchestrator capable of managing IIS Bound Certificates (one that has declared the IISU capability)
+WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.)
+WinRm Port | Port WinRM listener is configured for (HTTPS default is 5986)
+SPN with Port | Typically False. Needed in some Kerberos configurations.
+Server Username | Username to use when establishing the WinRM session to the Client Machine. Account needs to be an administrator or have been granted rights to manage IIS configuration and manipulate the local machine certificate store.
+Server Password | Password to use when establishing the WinRM session to the Client Machine
+Use SSL | Ignored for this certificate store type. Transport encryption is determined by the WinRM Protocol Setting
+Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store.

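Review bot: the Use SSL row now states the field is "Ignored for this certificate store type", but the Custom Fields definition earlier in this README marks it Required with a default of true; the two sections should agree, and the Custom Fields table is where a reader configuring the type will look. The Server Username row's least-privilege wording ("an administrator or have been granted rights to manage IIS configuration and manipulate the local machine certificate store") is a good addition; consider stating the same for the PAM section so operators know the account does not have to be a local administrator.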
@@ -295,25 +297,27 @@ In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. C
#### STORE CONFIGURATION
CONFIG ELEMENT |DESCRIPTION
----------------|---------------
-Category |The type of certificate store to be configured. Select category based on the display name configured above for WinCert.
-Container |This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store.
-Client Machine |The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell.
-Store Path |Enter the specific name of the certificate store path you want to use.
-Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type.
-SPN with Port?|Defaults to False
-WinRm Protocol|Select http or https
-WinRm Port |Port to run WinRm on Default for http is 5985
-Server Username|Username to log into the IIS Server
-Server Password|Password for the username required to log into the IIS Server
-Use SSL|Determines whether SSL is used or not
-Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store.
-
-
+Category | Select Windows Certificate or the customized certificate store display name from above.
+Container | Optional container to associate certificate store with.
+Client Machine | Hostname of the server containing the certificate store to be managed.
+Store Path | Windows certificate store to manage. Store must exist in the Local Machine store on the target server.
+Orchestrator | Select an approved orchestrator capable of managing Windows Certificates (one that has declared the WinCert capability)
+WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.)
+WinRm Port | Port WinRM listener is configured for (HTTPS default is 5986)
+SPN with Port | Typically False. Needed in some Kerberos configurations.
+Server Username | Username to use when establishing the WinRM session to the Client Machine. Account needs to be an admin or have been granted rights to manipulate the local machine certificate store.
+Server Password | Password to use when establishing the WinRM session to the Client Machine
+Use SSL | Ignored for this certificate store type. Transport encryption is determined by the WinRM Protocol Setting
+Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store.
+
+
## Test Cases
+
+IISU
Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot
----|------------------------|------------------------------------|--------------|----------------|-------------------------
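Review bot: the WinRm Port row now gives only the HTTPS default ("HTTPS default is 5986") while the WinRm Protocol row directly above still allows http; the removed line documented 5985, and the custom-field table in this same patch says "Typically 5985 for HTTP and 5986 for HTTPS", so the store configuration row should state both, e.g. `WinRm Port | Port WinRM listener is configured for (5985 for HTTP, 5986 for HTTPS)`. Two smaller points: the added `IISU` label under "## Test Cases" is a bare paragraph line immediately followed by the table header with no blank line, so some markdown renderers will fold it into the table; make it a label in the page's own style (`#### IISU` or `**IISU**`) followed by a blank line. And the Server Username row says "admin" here but "administrator" in the IISU table above; pick one.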
@@ -324,16 +328,14 @@ Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot
5 |New Cert Enrollment New Host Name|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.newhostname.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|New Binding Created With different host on Same Port and IP Address|True|
6 |New Cert Enrollment Same Site New Port |**Site Name:** FirstSite
**Port:** 4443
**IP Address:**`192.168.58.162`
**Host Name:** www.newhostname.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|New Binding on different port will be created with new cert enrolled|True|
7 |Remove Cert and Binding From Test Case 6|**Site Name:** FirstSite
**Port:** 4443
**IP Address:**`192.168.58.162`
**Host Name:** www.newhostname.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert and Binding From Test Case 6 Removed|True|
-8 |Renew Same Cert on 2 Different Sites|`SITE 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`SITE 2`
**First Site**
**Site Name:** SecondSite
**Port:** 443
**IP Address:**`*`
**Host Name:** cstiis04.cstpki.int
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both sites because it has the same thrumbprint|True|
-9 |Renew Same Cert on Same Site Same Binding Settings Different Hostname|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding2.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|
-10 |Renew Single Cert on Same Site Same Binding Settings Different Hostname Different Certs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding2.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on only one binding because the other binding does not match thrumbprint|True|
-11 |Renew Same Cert on Same Site Same Binding Settings Different IPs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.160`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|
-12 |Renew Same Cert on Same Site Same Binding Settings Different Ports|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 543
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|
+8 |Renew Same Cert on 2 Different Sites|`SITE 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`SITE 2`
**First Site**
**Site Name:** SecondSite
**Port:** 443
**IP Address:**`*`
**Host Name:** cstiis04.cstpki.int
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both sites because it has the same thumbprint|True|
+9 |Renew Same Cert on Same Site Same Binding Settings Different Hostname|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding2.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thumbprint|True|
+10 |Renew Single Cert on Same Site Same Binding Settings Different Hostname Different Certs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding2.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on only one binding because the other binding does not match thumbprint|True|
+11 |Renew Same Cert on Same Site Same Binding Settings Different IPs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.160`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thumbprint|True|
+12 |Renew Same Cert on Same Site Same Binding Settings Different Ports|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 543
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thumbprint|True|
13 |ReEnrollment to Fortanix HSM|**Subject Name:** cn=www.mysite.com
**Port:** 433
**IP Address:**`*`
**Host Name:** mysite.command.local
**Site Name:**Default Web Site
**Sni Flag:** 0 - No SNI
**Protocol:** https
**Provider Name:** Fortanix KMS CNG Provider
**SAN:** dns=www.mysite.com&dns=mynewsite.com|Cert will be generated with keys stored in Fortanix HSM and the cert will be bound to the supplied site.|true|
14 |New Cert Enrollment To New Binding With Pam Creds|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified creds pulled from Pam Provider|True|
15 |New Cert Enrollment Default Site No HostName|**Site Name:** Default Web Site
**Port:** 443
**IP Address:**`*`
**Host Name:**
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Installed with no HostName|True|
-
-
-
-
+
+
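Review bot: the re-added row for test case 8 still carries the stray `**First Site**` line under `SITE 2`, just before `**Site Name:** SecondSite`; it was present in the removed row too, so this rewrite (which otherwise only fixes "thrumbprint" to "thumbprint") is the place to drop it or change it to Second Site. Also, in the unchanged rows, test case 13 has `**Port:** 433` where every other https case uses 443; if that is a typo it should be corrected here so the expected-results column is reproducible, and if 433 was deliberate the case name should say so.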
diff --git a/images/AddCertStore.png b/images/AddCertStore.png
deleted file mode 100644
index 2d18d0e..0000000
Binary files a/images/AddCertStore.png and /dev/null differ
diff --git a/images/CertStoreType-c.png b/images/CertStoreType-c.png
deleted file mode 100644
index c308691..0000000
Binary files a/images/CertStoreType-c.png and /dev/null differ
diff --git a/images/CertStoreType.png b/images/CertStoreType.png
deleted file mode 100644
index b44d7a6..0000000
Binary files a/images/CertStoreType.png and /dev/null differ
diff --git a/images/IISCertStore.png b/images/IISCertStore.png
deleted file mode 100644
index a4be6ad..0000000
Binary files a/images/IISCertStore.png and /dev/null differ
diff --git a/images/IISUAddCertStore.png b/images/IISUAddCertStore.png
index def6510..3855927 100644
Binary files a/images/IISUAddCertStore.png and b/images/IISUAddCertStore.png differ
diff --git a/images/IISUCertStoreAdv.png b/images/IISUCertStoreAdv.png
new file mode 100644
index 0000000..07cfd94
Binary files /dev/null and b/images/IISUCertStoreAdv.png differ
diff --git a/images/IISUCertStoreBasic.png b/images/IISUCertStoreBasic.png
index 54e9cbc..28c2eb3 100644
Binary files a/images/IISUCertStoreBasic.png and b/images/IISUCertStoreBasic.png differ
diff --git a/images/IISUCustomFields.png b/images/IISUCustomFields.png
index 7d38af7..4be01a5 100644
Binary files a/images/IISUCustomFields.png and b/images/IISUCustomFields.png differ
diff --git a/images/IISUEntryParams.png b/images/IISUEntryParams.png
index a05f36f..0b3a5c3 100644
Binary files a/images/IISUEntryParams.png and b/images/IISUEntryParams.png differ
diff --git a/images/Screen1.png b/images/Screen1.png
deleted file mode 100644
index e2740ec..0000000
Binary files a/images/Screen1.png and /dev/null differ
diff --git a/images/Screen2.png b/images/Screen2.png
deleted file mode 100644
index 762f071..0000000
Binary files a/images/Screen2.png and /dev/null differ
diff --git a/images/WinCertAddCertStore.png b/images/WinCertAddCertStore.png
new file mode 100644
index 0000000..81e24e5
Binary files /dev/null and b/images/WinCertAddCertStore.png differ
diff --git a/images/WinCertAdvanced.png b/images/WinCertAdvanced.png
index 5175a95..feef117 100644
Binary files a/images/WinCertAdvanced.png and b/images/WinCertAdvanced.png differ
diff --git a/images/WinCertBasic.png b/images/WinCertBasic.png
index 3b28ac6..58f954a 100644
Binary files a/images/WinCertBasic.png and b/images/WinCertBasic.png differ
diff --git a/images/WinCertCustom.png b/images/WinCertCustom.png
index 193f6c9..83018f0 100644
Binary files a/images/WinCertCustom.png and b/images/WinCertCustom.png differ
diff --git a/images/WinCertEntryParams.png b/images/WinCertEntryParams.png
index 8506dac..0eb8c90 100644
Binary files a/images/WinCertEntryParams.png and b/images/WinCertEntryParams.png differ
diff --git a/images/WinCertStore.png b/images/WinCertStore.png
deleted file mode 100644
index d9e9ffe..0000000
Binary files a/images/WinCertStore.png and /dev/null differ
diff --git a/images/screen1-a.gif b/images/screen1-a.gif
deleted file mode 100644
index b482318..0000000
Binary files a/images/screen1-a.gif and /dev/null differ
diff --git a/images/screen1-b.gif b/images/screen1-b.gif
deleted file mode 100644
index b1768f0..0000000
Binary files a/images/screen1-b.gif and /dev/null differ
diff --git a/images/screen1-c.gif b/images/screen1-c.gif
deleted file mode 100644
index c22c84e..0000000
Binary files a/images/screen1-c.gif and /dev/null differ
diff --git a/images/screen1.gif b/images/screen1.gif
deleted file mode 100644
index 05f1b4b..0000000
Binary files a/images/screen1.gif and /dev/null differ
diff --git a/images/screen2-a.gif b/images/screen2-a.gif
deleted file mode 100644
index e70529a..0000000
Binary files a/images/screen2-a.gif and /dev/null differ
diff --git a/images/screen2.gif b/images/screen2.gif
deleted file mode 100644
index 6b1796e..0000000
Binary files a/images/screen2.gif and /dev/null differ
diff --git a/images/screen3.gif b/images/screen3.gif
deleted file mode 100644
index e3a8912..0000000
Binary files a/images/screen3.gif and /dev/null differ
diff --git a/images/screen4.gif b/images/screen4.gif
deleted file mode 100644
index f8fa31d..0000000
Binary files a/images/screen4.gif and /dev/null differ
diff --git a/images/screen5.gif b/images/screen5.gif
deleted file mode 100644
index b8a7ddf..0000000
Binary files a/images/screen5.gif and /dev/null differ
diff --git a/images/screen6.gif b/images/screen6.gif
deleted file mode 100644
index 5b09732..0000000
Binary files a/images/screen6.gif and /dev/null differ
diff --git a/images/screen7.gif b/images/screen7.gif
deleted file mode 100644
index 56a894d..0000000
Binary files a/images/screen7.gif and /dev/null differ
diff --git a/images/screen8.gif b/images/screen8.gif
deleted file mode 100644
index 41562f1..0000000
Binary files a/images/screen8.gif and /dev/null differ
diff --git a/images/screen9.gif b/images/screen9.gif
deleted file mode 100644
index 0a90f66..0000000
Binary files a/images/screen9.gif and /dev/null differ
diff --git a/integration-manifest.json b/integration-manifest.json
index effd81d..a3bae7b 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -4,7 +4,7 @@
"name": "IIS Orchestrator",
"status": "production",
"link_github": true,
- "description": "The IIS Orchestrator treats the certificates bound (actively in use) on a Microsoft Internet Information Server (IIS) as a Keyfactor certificate store. Inventory and Management functions are supported. The orchestrator replaces the IIS orchestrator that ships with Keyfactor Command (which did not support binding.)",
+ "description": "The Windows Certificate Store Orchestrator Extension implements two certificate store types. 1) “WinCert” which manages certificates in a Windows local machine store, and 2) “IISU” which manages certificates and their bindings in a Windows local machine store that are bound to Internet Information Server (IIS) websites. These extensions replace the now deprecated “IIS” cert store type that ships with Keyfactor Command. The “IISU” extension also replaces the “IISBin” certificate store type from prior versions of this repository. This orchestrator extension is in the process of being renamed from “IIS Orchestrator” as it now supports certificates that are not in use by IIS.",
"about": {
"orchestrator": {
"UOFramework": "10.1",
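Review bot: the new description embeds a transitional sentence ("This orchestrator extension is in the process of being renamed from “IIS Orchestrator”") in a production manifest while the `"name"` context line above still reads "IIS Orchestrator"; that sentence will go stale the moment the rename lands, so either rename in this change or keep the description to what the extension does today. The string also uses typographic quotes (“IISU”, “WinCert”) rather than escaped ASCII quotes; JSON allows them, but they make the file dependent on UTF-8 handling in whatever consumes the manifest, and straight quotes escaped as `\"` avoid that.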
diff --git a/readme-src/readme-pam-support.md b/readme-src/readme-pam-support.md
index c4730c0..03aa5f9 100644
--- a/readme-src/readme-pam-support.md
+++ b/readme-src/readme-pam-support.md
@@ -1,5 +1,5 @@
|Name|Description|
|----|-----------|
-|Server UserName|The user id that will be used to authenticate into the server hosting the store|
+|Server Username|The user id that will be used to authenticate into the server hosting the store|
|Server Password|The password that will be used to authenticate into the server hosting the store|
diff --git a/readme_source.md b/readme_source.md
index c166c26..4aa7d33 100644
--- a/readme_source.md
+++ b/readme_source.md
@@ -9,7 +9,7 @@ The returned list will contain the actual certificate store name to be used when
By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores.
-This agent implements four job types: Inventory, Management Add/Remove, and ReEnrollment.
+This extension implements four job types: Inventory, Management Add/Remove, and ReEnrollment.
WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow the orchestrator on the server to manage the certificates. Setting up WinRM is not in the scope of this document.
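Review bot: the replaced sentence still says "four job types" but then lists three items ("Inventory, Management Add/Remove, and ReEnrollment"); since the store type tables in this same patch list them as `Inventory, Add, Remove, Reenrollment`, suggest either "four job types: Inventory, Management Add, Management Remove, and ReEnrollment" or "three job types" with the Add/Remove grouping kept.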
@@ -19,85 +19,80 @@ In version 2.0 of the IIS Orchestrator, the certificate store type has been rena
1. Delete existing IIS stores. Delete the IISBin store type. Create the new IISU store type. Recreate the IIS stores using the new IISU store type.
1. Convert existing IISBin certificate stores to IISU certificate stores. There is not currently a way to do this via the Keyfactor API, so direct updates to the underlying Keyfactor SQL database is required. A SQL script (IIS-Conversion.sql) is available in the repository to do this. Hosted customers, which do not have access to the underlying database, will need to work Keyfactor support to run the conversion. On-premises customers can run the script themselves, but are strongly encouraged to ensure that a SQL backup is taken prior running the script (and also be confident that they have a tested database restoration process.)
-**Note: There is an additional certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.**
+**Note: There is an additional (and deprecated) certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.**
## Creating New Certificate Store Types
-Currently this orchestrator handles two extensions: IISU for IIS servers with bound certificates and WinCert for general Windows Certificates. Below describes how each of these certificate store types are created and configured.
+Currently this orchestrator handles two extensions: IISU for IIS servers with bound certificates and WinCert for general Windows Certificates.
+Below describes how each of these certificate store types are created and configured.
IISU Extension
-**In Keyfactor Command create a new Certificate Store Type similar to the one below:**
+**In Keyfactor Command create a new Certificate Store Type as specified below:**
**Basic Settings:**
-CONFIG ELEMENT | DESCRIPTION
-------------------|------------------
-Name |A descriptive name for the extension. Example: IISU
-Short Name |The short name that identifies the registered functionality of the orchestrator. Must be IISU.
-Custom Capability|Store type name orchestrator will register with. Check the box and enter IISU.
-Job Types |Inventory (Checked), check the additional checkboxes: Add, Remove, and Reenrollment.
-General Settings|Needs Server - Checked
Blueprint Allowed - Unchecked
Uses PowerShell - Unchecked
-Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked.
-Supports Entry Password |Determined if an individual entry within a store can have a password. This must be unchecked.
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Name | IIS Bound Certificate | Display name for the store type (may be customized)
+Short Name| IISU | Short display name for the store type
+Custom Capability | IISU | Store type name orchestrator will register with. Check the box to allow entry of value
+Supported Job Types | Inventory, Add, Remove, Reenrollment | Job types the extension supports
+Needs Server | Checked | Determines if a target server name is required when creating store
+Blueprint Allowed | Unchecked | Determines if store type may be included in an Orchestrator blueprint
+Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell
+Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store.
+Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password.

**Advanced Settings:**
-CONFIG ELEMENT | DESCRIPTION
-------------------|------------------
-Store Path Type |Determines what restrictions are applied to the store path field when configuring a new store. Select Multiple Choice.
-Store Path Value|This must be a comma separated list of options to select from for the Store Path. This, combined with the hostname, will determine the location used for the certificate store management and inventory. Must be My, WebHosting
-Supports Custom Alias |Determines if an individual entry within a store can have a custom Alias. This must be Forbidden.
-Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is required since IIS will need the private key material to establish TLS connections.
-PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined).
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Store Path Type | Multiple Choice | Determines what restrictions are applied to the store path field when configuring a new store.
+Store Path Value | My,WebHosting | Comma separated list of options configure multiple choice. This, combined with the hostname, will determine the location used for the certificate store management and inventory.
+Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias.
+Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be useless.
+PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)
-
+
**Custom Fields:**
-- **SPN With Port** – Defaults to false but some customers need for remote PowerShell Access
+Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote
+target server containing the certificate store to be managed
-Parameter Name|Display Name|Parameter Type|Default Value|Required|Description
+Name|Display Name|Type|Default Value / Options|Required|Description
---|---|---|---|---|---
-spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service
-WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on
-WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on
-ServerUsername|Server Username|Secret||No|The username to log into the Server
-ServerPassword|Server Password|Secret||No|The password that matches the username to log into the Server
-ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not
+WinRm Protocol|WinRm Protocol|Multiple Choice| https,http |Yes|Protocol that target server WinRM listener is using
+WinRm Port|WinRm Port|String|5986|Yes| Port that target server WinRM listener is using. Typically 5985 for HTTP and 5986 for HTTPS
+spnwithport|SPN With Port|Bool|false|No|Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.
+ServerUsername|Server Username|Secret||No|The username to log into the target server (This field is automatically created)
+ServerPassword|Server Password|Secret||No|The password that matches the username to log into the target server (This field is automatically created)
+ServerUseSsl|Use SSL|Bool|true|Yes|Determine whether the server uses SSL or not (This field is automatically created)
+
+*Note that some of the Names in the first column above have spaces and some do not, it is important to configure the Name field exactly as above.*
+

**Entry Parameters:**
-This section must be configured with binding fields. The parameters will be populated with the appropriate data when creating a new certificate store.
-
-- **Site Name** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The site name for the web site being bound to – i.e. "Default Web Site"
-- **IP Address** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The IP address for the web site being bound to. Default is "\*" for all IP Addresses.
-- **Port** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The port for the web site being bound to. Default is "443".
-- **Host Name** – Optional. The host name for the web site being bound to.
-- **Protocol** - Required (Adding an entry, Removing an entry, Reenrolling an entry)
- - https
- - http
-- **Sni Flag** – Optional. Set the SNI flag associated with the binding being created. Default is "0". Acceptable values are:
- - 0 - No SNI
- - 1 - SNI Enabled
- - 2 - Non SNI Binding
- - 3 - SNI Binding
-- **Provider Name** - Optional. Name of the Windows cryptographic provider to use when generating and storing the private key for the certificate being enrolled by a reenrollment job. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be changed when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' in a command shell on the target Server.
-- **SAN** - Optional. Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs.
-
-Parameter Name|Parameter Type|Default Value|Required When
----|---|---|---
-Port|String|443|Adding Entry, Removing Entry, Reenrolling and Entry
-IPAddress|String|*|Adding Entry, Reenrolling an Entry
-HostName |String||
-SiteName |String|Default Web Site|Adding Entry, Removing Entry, Reenrolling an Entry
-SniFlag |String|0 - No SNI|
-Protocol |Multiple Choice|https|Adding Entry, Removing Entry, Reenrolling an Entry
-ProviderName |String||
-SAN |String||Reenrolling an Entry (if the CA follows RFC 2818 specifications)
+Entry parameters are inventoried and maintained for each entry within a certificate store.
+They are typically used to support binding of a certificate to a resource.
+
+Name|Display Name| Type|Default Value|Required When|Description
+---|---|---|---|---|---
+SiteName | IIS Site Name|String|Default Web Site|Adding, Removing, Reenrolling | IIS web site to bind certificate to
+IPAddress | IP Address | String | * | Adding, Removing, Reenrolling | IP address to bind certificate to (use '*' for all IP addresses)
+Port | Port | String | 443 || Adding, Removing, Reenrolling|IP port for bind certificate to
+HostName | Host Name | String |||| Host name (host header) to bind certificate to, leave blank for all host names
+SniFlag | SNI Support | Multiple Choice | 0 - No SNI||Type of SNI for binding
(Multiple choice configuration should be entered as "0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding")
+Protocol | Protocol | Multiple Choice | https| Adding, Removing, Reenrolling|Protocol to bind to (always "https").
(Multiple choice configuration should be "https")
+ProviderName | Crypto Provider Name | String ||| Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server.
+SAN | SAN | String || Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA.
+
+None of the above entry parameters have the "Depends On" field set.

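Review bot: two rows of the new Entry Parameters table have seven cells against a six-column header, so the Required When and Description columns shift: `Port | Port | String | 443 || Adding, Removing, Reenrolling|IP port for bind certificate to` has a doubled pipe after 443, and `HostName | Host Name | String |||| Host name ...` has one pipe too many; drop one pipe from each (and fix "for bind certificate to" to "to bind certificate to"). The parenthetical lines "(Multiple choice configuration should be entered as ...)" under SniFlag and Protocol sit on their own lines, which ends the table row in markdown; fold them into the Description cell (a `<br>` or a sentence) or move them to a note under the table like the existing "None of the above entry parameters have the "Depends On" field set." Minor wording: "Comma separated list of options configure multiple choice" in the Store Path Value row reads as "options to configure the multiple choice list", and the italic note on Names is a comma splice ("... some do not; it is important ..."). The change of documented defaults to https/5986 for the WinRm fields is the right direction; the ServerUseSsl description ("Determine whether the server uses SSL or not") should, however, say it is ignored by this store type, as the store configuration table states elsewhere in this patch.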
@@ -112,53 +107,60 @@ Click Save to save the Certificate Store Type.
**Basic Settings:**
-CONFIG ELEMENT | DESCRIPTION
-------------------|------------------
-Name |A descriptive name for the extension. Example: WinCert
-Short Name |The short name that identifies the registered functionality of the orchestrator. Must be WinCert.
-Custom Capability|Store type name orchestrator will register with. Check the box and enter WinCert.
-Job Types |Inventory (Checked), check the additional checkboxes: Add, Remove, and Reenrollment.
-General Settings|Needs Server - Checked
Blueprint Allowed - Unchecked
Uses PowerShell - Unchecked
-Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked.
-Supports Entry Password |Determined if an individual entry within a store can have a password. This must be unchecked.
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Name | Windows Certificate | Display name for the store type (may be customized)
+Short Name| WinCert | Short display name for the store type
+Custom Capability | WinCert | Store type name orchestrator will register with. Check the box to allow entry of value
+Supported Job Types | Inventory, Add, Remove, Reenrollment | Job types the extension supports
+Needs Server | Checked | Determines if a target server name is required when creating store
+Blueprint Allowed | Unchecked | Determines if store type may be included in an Orchestrator blueprint
+Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell
+Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store.
+Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password.

**Advanced Settings:**
-CONFIG ELEMENT | DESCRIPTION
-------------------|------------------
-Store Path Type |Select Freeform. Allows users to type in a valid certificate store.
-Supports Custom Alias |Determines if an individual entry within a store can have a custom Alias. This must be Forbidden.
-Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is required since IIS will need the private key material to establish TLS connections.
-PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined).
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Store Path Type | Freeform | Allows users to type in a valid certificate store.
+Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias.
+Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be useless.
+PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)

**Custom Fields:**
-- **SPN With Port** – Defaults to false but some customers need for remote PowerShell Access
+Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed
-Parameter Name|Display Name|Parameter Type|Default Value|Required|Description
+Name|Display Name|Type|Default Value / Options|Required|Description
---|---|---|---|---|---
-spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service
-WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on
-WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on
-ServerUsername|Server Username|Secret||No|The username to log into the Server
-ServerPassword|Server Password|Secret||No|The password that matches the username to log into the Server
-ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not
+WinRm Protocol|WinRm Protocol|Multiple Choice| https,http |Yes|Protocol that target server WinRM listener is using
+WinRm Port|WinRm Port|String|5986|Yes| Port that target server WinRM listener is using. Typically 5985 for HTTP and 5986 for HTTPS
+spnwithport|SPN With Port|Bool|false|No|Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.
+ServerUsername|Server Username|Secret||No|The username to log into the target server (This field is automatically created)
+ServerPassword|Server Password|Secret||No|The password that matches the username to log into the target server (This field is automatically created)
+ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not (This field is automatically created)
+
+*Note that some of the Names in the first column above have spaces and some do not, it is important to configure the Name field exactly as above.*

**Entry Parameters:**
-- **Provider Name** - Optional. Name of the Windows cryptographic provider to use when generating and storing the private key for the certificate being enrolled by a reenrollment job. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be changed when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' in a command shell on the target Server.
-- **SAN** - Optional. Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs.
-Parameter Name|Parameter Type|Default Value|Required When
----|---|---|---
-ProviderName |String||
-SAN |String||Reenrolling an Entry (if the CA follows RFC 2818 specifications)
+Entry parameters are inventoried and maintained for each entry within a certificate store.
+They are typically used to support binding of a certificate to a resource.
+For the WinCert store type they are used to control how reenrollment jobs are performed.
+
+Name|Display Name| Type|Default Value|Required When|Description
+---|---|---|---|---|---
+ProviderName | Crypto Provider Name | String ||| Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server.
+SAN | SAN | String || Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA.
+None of the above entry parameters have the "Depends On" field set.

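Review bot: the WinRm Protocol row (`WinRm Protocol|WinRm Protocol|Multiple Choice| https,http |Yes|...`) lists the options but never states which one is the default, while the WinRm Port row's default of 5986 only makes sense if https is the default; suggest writing the column as `https (options: https, http)` so the secure default is explicit and the two rows agree. Two smaller points in the same hunk: the SAN description's "Format is a list of = entries separated by ampersands" has lost its placeholder (presumably a `<type>=<value>` token was swallowed as an HTML tag when rendered), so write it as `type=value` in backticks; and the italic note at the end is a comma splice ("...some do not, it is important..."), which reads better split into two sentences.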
@@ -179,19 +181,18 @@ In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. C
#### STORE CONFIGURATION
CONFIG ELEMENT |DESCRIPTION
----------------|---------------
-Category |Select the IISU from the dropdown. This is the name of the Certificate Store Type you previously create.
-Container |This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store.
-Client Machine |The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell.
-Credentials |Local or domain admin account that has permissions to manage iis (Has to be admin)
-Store Path |Select My or WebHosting from the dropdown.
-Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type.
-SPN with Port?| Defaulted to False
-WinRm Protocol|Select either http or https
-WinRm Port |Port to run WinRm on Default for http is 5985
-Server Username|Username to log into the IIS Server
-Server Password|Password for the username required to log into the IIS Server
-Use SSL|Determines whether SSL is used or not
-Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store.
+Category | Select IIS Bound Certificate or the customized certificate store display name from above.
+Container | Optional container to associate certificate store with.
+Client Machine | Hostname of the IIS server containing the certificate store to be managed.
+Store Path | Windows certificate store to manage. Choose "My" for the Personal Store or "WebHosting" for the Web Hosting Store.
+Orchestrator | Select an approved orchestrator capable of managing IIS Bound Certificates (one that has declared the IISU capability)
+WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.)
+WinRm Port | Port WinRM listener is configured for (HTTPS default is 5986)
+SPN with Port | Typically False. Needed in some Kerberos configurations.
+Server Username | Username to use when establishing the WinRM session to the Client Machine. Account needs to be an administrator or have been granted rights to manage IIS configuration and manipulate the local machine certificate store.
+Server Password | Password to use when establishing the WinRM session to the Client Machine
+Use SSL | Ignored for this certificate store type. Transport encryption is determined by the WinRM Protocol Setting
+Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store.

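Review bot: the Use SSL row now says the field is "Ignored for this certificate store type", yet the store type definition earlier in this README marks ServerUseSsl as Required = Yes; either state what value to leave it at (or that the value has no effect), or reconsider marking it required, since readers will otherwise assume it controls transport encryption. Also, this hunk drops the old Credentials row and the "Change Credentials option must be clicked" sentence from Client Machine without saying that credentials are now supplied only through the Server Username / Server Password fields; one sentence stating that would keep admins from configuring both.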
@@ -207,25 +208,27 @@ In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. C
#### STORE CONFIGURATION
CONFIG ELEMENT |DESCRIPTION
----------------|---------------
-Category |The type of certificate store to be configured. Select category based on the display name configured above for WinCert.
-Container |This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store.
-Client Machine |The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell.
-Store Path |Enter the specific name of the certificate store path you want to use.
-Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type.
-SPN with Port?|Defaults to False
-WinRm Protocol|Select http or https
-WinRm Port |Port to run WinRm on Default for http is 5985
-Server Username|Username to log into the IIS Server
-Server Password|Password for the username required to log into the IIS Server
-Use SSL|Determines whether SSL is used or not
-Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store.
-
-
+Category | Select Windows Certificate or the customized certificate store display name from above.
+Container | Optional container to associate certificate store with.
+Client Machine | Hostname of the server containing the certificate store to be managed.
+Store Path | Windows certificate store to manage. Store must exist in the Local Machine store on the target server.
+Orchestrator | Select an approved orchestrator capable of managing Windows Certificates (one that has declared the WinCert capability)
+WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.)
+WinRm Port | Port WinRM listener is configured for (HTTPS default is 5986)
+SPN with Port | Typically False. Needed in some Kerberos configurations.
+Server Username | Username to use when establishing the WinRM session to the Client Machine. Account needs to be an admin or have been granted rights to manipulate the local machine certificate store.
+Server Password | Password to use when establishing the WinRM session to the Client Machine
+Use SSL | Ignored for this certificate store type. Transport encryption is determined by the WinRM Protocol Setting
+Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store.
+
+
## Test Cases
+
+IISU
Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot
----|------------------------|------------------------------------|--------------|----------------|-------------------------
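Review bot: the new "IISU" line under "## Test Cases" is plain text rather than a heading, so it renders as a stray word above the table; make it a subheading in the style already used in this README (e.g. `#### IISU`). The Use SSL row has the same ambiguity as in the IISU store configuration table (described as ignored while the custom field is marked required); whatever wording is chosen there should be applied here too. The two consecutive blank lines before "## Test Cases" can be collapsed to one.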
@@ -236,15 +239,13 @@ Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot
5 |New Cert Enrollment New Host Name|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.newhostname.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|New Binding Created With different host on Same Port and IP Address|True|
6 |New Cert Enrollment Same Site New Port |**Site Name:** FirstSite
**Port:** 4443
**IP Address:**`192.168.58.162`
**Host Name:** www.newhostname.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|New Binding on different port will be created with new cert enrolled|True|
7 |Remove Cert and Binding From Test Case 6|**Site Name:** FirstSite
**Port:** 4443
**IP Address:**`192.168.58.162`
**Host Name:** www.newhostname.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert and Binding From Test Case 6 Removed|True|
-8 |Renew Same Cert on 2 Different Sites|`SITE 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`SITE 2`
**First Site**
**Site Name:** SecondSite
**Port:** 443
**IP Address:**`*`
**Host Name:** cstiis04.cstpki.int
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both sites because it has the same thrumbprint|True|
-9 |Renew Same Cert on Same Site Same Binding Settings Different Hostname|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding2.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|
-10 |Renew Single Cert on Same Site Same Binding Settings Different Hostname Different Certs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding2.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on only one binding because the other binding does not match thrumbprint|True|
-11 |Renew Same Cert on Same Site Same Binding Settings Different IPs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.160`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|
-12 |Renew Same Cert on Same Site Same Binding Settings Different Ports|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 543
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|
+8 |Renew Same Cert on 2 Different Sites|`SITE 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`SITE 2`
**First Site**
**Site Name:** SecondSite
**Port:** 443
**IP Address:**`*`
**Host Name:** cstiis04.cstpki.int
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both sites because it has the same thumbprint|True|
+9 |Renew Same Cert on Same Site Same Binding Settings Different Hostname|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding2.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thumbprint|True|
+10 |Renew Single Cert on Same Site Same Binding Settings Different Hostname Different Certs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding2.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on only one binding because the other binding does not match thumbprint|True|
+11 |Renew Same Cert on Same Site Same Binding Settings Different IPs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.160`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thumbprint|True|
+12 |Renew Same Cert on Same Site Same Binding Settings Different Ports|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 543
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thumbprint|True|
13 |ReEnrollment to Fortanix HSM|**Subject Name:** cn=www.mysite.com
**Port:** 433
**IP Address:**`*`
**Host Name:** mysite.command.local
**Site Name:**Default Web Site
**Sni Flag:** 0 - No SNI
**Protocol:** https
**Provider Name:** Fortanix KMS CNG Provider
**SAN:** dns=www.mysite.com&dns=mynewsite.com|Cert will be generated with keys stored in Fortanix HSM and the cert will be bound to the supplied site.|true|
14 |New Cert Enrollment To New Binding With Pam Creds|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified creds pulled from Pam Provider|True|
15 |New Cert Enrollment Default Site No HostName|**Site Name:** Default Web Site
**Port:** 443
**IP Address:**`*`
**Host Name:**
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Installed with no HostName|True|
-
-
-
-
+
+
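Review bot: rows 8 to 12 are rewritten solely to fix "thrumbprint" to "thumbprint", but the stray `**First Site**` label under `SITE 2` in case 8 (followed immediately by `**Site Name:** SecondSite`) survives the rewrite and should be dropped or corrected while these lines are already being touched. Two pre-existing oddities in the unchanged context are worth fixing in the same pass: case 13 uses `**Port:** 433` where every other https case uses 443, which looks like a transposition, and `**Site Name:**Default Web Site` is missing the space after the colon; its Passed column also reads lowercase `true` unlike the other rows.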