Release 2.2

CHANGELOG.md

@@ -1,3 +1,9 @@
+2.2.2
+* Removed empty constructor to resolve PAM provider error when using WinCert store types
+
+2.2.1
+* Fixed issue where https binding without cert was causing an error
+
 2.2.0
 * Added Support for GMSA Account by using no value for ServerUsernanme and ServerPassword. KF Command version 10.2 or later is required to specify empty credentials. 
 * Added local PowerShell support, triggered when specifying 'localhost' as the client machine while using the IISU or WinCert Orchestrator.  This change was tested using KF Command 10.3

IISU/ClientPSIIManager.cs

@@ -178,16 +178,17 @@ public JobResult BindCertificate(X509Certificate2 x509Cert)
                     var bindings = ps.Invoke();
                     foreach (var binding in bindings)
                     {
-                        if (binding.Properties["Protocol"].Value.ToString().Contains("http"))
+                        if (binding.Properties["Protocol"].Value.ToString().Contains("https"))
                         {
                             _logger.LogTrace("Looping Bindings....");
                             var bindingSiteName = binding.Properties["name"].Value.ToString();
-                            var bindingIpAddress = binding.Properties["Bindings"].Value.ToString()?.Split(':')[0];
-                            var bindingPort = binding.Properties["Bindings"].Value.ToString()?.Split(':')[1];
-                            var bindingHostName = binding.Properties["Bindings"].Value.ToString()?.Split(':')[2];
-                            var bindingProtocol = binding.Properties["Protocol"].Value.ToString();
-                            var bindingThumbprint = binding.Properties["thumbprint"].Value.ToString();
-                            var bindingSniFlg = binding.Properties["sniFlg"].Value.ToString();
+                            var bindingBindings = binding.Properties["Bindings"].Value.ToString()?.Split(':');
+                            var bindingIpAddress = bindingBindings?.Length > 0 ? bindingBindings[0] : null;
+                            var bindingPort = bindingBindings?.Length > 1 ? bindingBindings[1] : null;
+                            var bindingHostName = bindingBindings?.Length > 2 ? bindingBindings[2] : null;
+                            var bindingProtocol = binding.Properties["Protocol"]?.Value?.ToString();
+                            var bindingThumbprint = binding.Properties["thumbprint"]?.Value?.ToString();
+                            var bindingSniFlg = binding.Properties["sniFlg"]?.Value?.ToString();
 
                             _logger.LogTrace(
                                 $"bindingSiteName: {bindingSiteName}, bindingIpAddress: {bindingIpAddress}, bindingPort: {bindingPort}, bindingHostName: {bindingHostName}, bindingProtocol: {bindingProtocol}, bindingThumbprint: {bindingThumbprint}, bindingSniFlg: {bindingSniFlg}");

IISU/ImplementedStoreTypes/Win/Inventory.cs

@@ -32,10 +32,6 @@ public class Inventory : WinCertJobTypeBase, IInventoryJobExtension
         private ILogger _logger;
         public string ExtensionName => string.Empty;
 
-        public Inventory()
-        {
-        }
-
         public Inventory(IPAMSecretResolver resolver)
         {
             _resolver = resolver;

IISU/ImplementedStoreTypes/Win/Management.cs

@@ -36,10 +36,6 @@ public class Management : WinCertJobTypeBase, IManagementJobExtension
 
         private string _thumbprint = string.Empty;
 
-        public Management()
-        {
-        }
-
         public Management(IPAMSecretResolver resolver)
         {
             _resolver= resolver;

IISU/Interfaces/ICertificateStoreDetailsBase.cs

@@ -1,4 +1,17 @@
-using System;
+// Copyright 2022 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+using System;
 using System.Collections.Generic;
 using System.Text;
 

IISU/Interfaces/IInventoryCertStoreDetails.cs

@@ -1,4 +1,17 @@
-namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore
+// Copyright 2022 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore
 {
     internal interface IInventoryCertStoreDetails
     {

IISU/Interfaces/IInventoryJobLogger.cs

@@ -1,4 +1,17 @@
-using System;
+// Copyright 2022 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+using System;
 using System.Collections.Generic;
 using System.Text;
 

IISU/Interfaces/IJobConfigurationLoggerBase.cs

@@ -1,4 +1,17 @@
-using Keyfactor.Orchestrators.Extensions;
+// Copyright 2022 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+using Keyfactor.Orchestrators.Extensions;
 using System;
 using System.Collections.Generic;
 using System.Text;

IISU/Interfaces/IManagementCertStoreDetails.cs

@@ -1,4 +1,17 @@
-using System;
+// Copyright 2022 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+using System;
 using System.Collections.Generic;
 using System.Text;
 

IISU/Interfaces/IManagementJobLogger.cs

@@ -1,4 +1,17 @@
-using Keyfactor.Orchestrators.Common.Enums;
+// Copyright 2022 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+using Keyfactor.Orchestrators.Common.Enums;
 
 namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore
 {

IISU/JobConfigurationParser.cs

@@ -1,4 +1,18 @@
-using Keyfactor.Orchestrators.Extensions;
+// Copyright 2023 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Keyfactor.Orchestrators.Extensions;
 using Microsoft.PowerShell.Commands;
 using Newtonsoft.Json;
 using System;

IISU/Models/DTOs/CertificateStoreDetailPropertiesDTO.cs

@@ -1,4 +1,17 @@
-using System;
+// Copyright 2022 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+using System;
 using System.Collections.Generic;
 using System.Text;
 

IISU/Models/DTOs/CertificateStoreDetailsDTO.cs

@@ -1,4 +1,17 @@
-using System;
+// Copyright 2022 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+using System;
 using System.Collections.Generic;
 using System.Text;
 

IISU/Models/DTOs/JobCertificateDTO.cs

@@ -1,4 +1,17 @@
-using Keyfactor.Orchestrators.Extensions;
+// Copyright 2022 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+using Keyfactor.Orchestrators.Extensions;
 using System;
 using System.Collections.Generic;
 using System.Text;

IISU/Models/InventoryJobLogger.cs

@@ -1,4 +1,18 @@
-using Keyfactor.Orchestrators.Extensions;
+// Copyright 2023 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Keyfactor.Orchestrators.Extensions;
 using System;
 using System.Collections.Generic;
 using System.Text;

IISU/Models/JobProperties.cs

@@ -1,4 +1,4 @@
-// Copyright 2022 Keyfactor
+// Copyright 2023 Keyfactor
 // 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

IISU/Models/ManagementJobLogger.cs

@@ -1,4 +1,18 @@
-using Keyfactor.Orchestrators.Common.Enums;
+// Copyright 2023 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Keyfactor.Orchestrators.Common.Enums;
 using Keyfactor.Orchestrators.Extensions;
 using System;
 using System.Collections.Generic;

IISU/PowerShellCertRequest.cs

@@ -1,4 +1,18 @@
-using Keyfactor.Orchestrators.Extensions;
+// Copyright 2023 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Keyfactor.Orchestrators.Extensions;
 using Newtonsoft.Json;
 using System;
 using System.Collections;

README.md

@@ -120,23 +120,9 @@ In version 2.0 of the IIS Orchestrator, the certificate store type has been rena
 1. Delete existing IIS stores. Delete the IISBin store type. Create the new IISU store type. Recreate the IIS stores using the new IISU store type.
 1. Convert existing IISBin certificate stores to IISU certificate stores. There is not currently a way to do this via the Keyfactor API, so direct updates to the underlying Keyfactor SQL database is required. A SQL script (IIS-Conversion.sql) is available in the repository to do this. Hosted customers, which do not have access to the underlying database, will need to work Keyfactor support to run the conversion. On-premises customers can run the script themselves, but are strongly encouraged to ensure that a SQL backup is taken prior running the script (and also be confident that they have a tested database restoration process.)
 
-**Note:** There is an additional (and deprecated) certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.
+**Note: There is an additional (and deprecated) certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.**
 
-**Note:** In order to leverage GMSA accounts when running the Orchestrator service, version 10.2 of Keyfactor Command is required as it corrects an issue using the "No Value" checkbox when configuring certificate store server credentials.
-
-**Note:** In Command versions up to 10.3, a certificate store is uniquely identified by the target machine and certificate store path,
-which means that the WinCert and IISU store types cannot both be used at the same time on the same server for the same local machine store.
-(You can’t manage the “My” personal store on the same server with WinCert and IISU at the same time.)
-This is anticipated to be corrected in Command version 10.4, which will include the certificate store type as part of the uniqueness test.
-
-**Targeting IIS on Server 2016:** To align with modern security practices and to remove encryption algorithms that are no longer considered secure, version 10.3 of the Command platform changed the set of encryption algorithms used when generating PFX files from 3DES/SHA1/RC4 to AES256/SHA256/3DES.
-This change makes PFX files (which orchestrator management add jobs use internally) incompatible with Server 2016, as Server 2016 does not support the newer algorithms.
-If IIS running on Server 2016 needs to be targeted in your environment, the Command application setting “Enable Legacy Encryption” must be enabled to include the older insecure algorithms when generating PFX files.
-
-When targeting Server 2016 without the legacy encryption enabled, the orchestrator management add job may complete successfully, as the certificate will be delivered, however IIS will be unable to use the certificate as evidenced by a broken certificate binding.
-When examining the certificate, it will show that it has a private key, however attempts to manage or access the keys can generate errors such as “no key found” or “missing stored keyset”.
-Event logs on the target server may contain: "A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001."
-In some cases the orchestrator job can fail with "Add job failed for Site 'My' on server 'xxxxxx' with error: 'Index was outside the bounds of the array.'"
+**Note: If Looking to use GMSA Accounts to run the Service Kefyactor Command 10.2 or greater is required for No Value checkbox to work**
 
 ## Creating New Certificate Store Types
 Currently this orchestrator handles two extensions: IISU for IIS servers with bound certificates and WinCert for general Windows Certificates.
@@ -169,7 +155,7 @@ CONFIG ELEMENT | VALUE | DESCRIPTION
 Store Path Type	| Multiple Choice | Determines what restrictions are applied to the store path field when configuring a new store.
 Store Path Value | My,WebHosting | Comma separated list of options configure multiple choice. This, combined with the hostname, will determine the location used for the certificate store management and inventory.
 Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias.
-Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid.
+Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be useless.
 PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)
 
 ![](images/IISUCertStoreAdv.png)
@@ -244,7 +230,7 @@ CONFIG ELEMENT | VALUE | DESCRIPTION
 --|--|--
 Store Path Type	| Freeform | Allows users to type in a valid certificate store.
 Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias.
-Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Typically the personal store would have private keys, whereas trusted root would not.
+Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be useless.
 PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)
 
 ![](images/WinCertAdvanced.png)