From ba02d92488bf7f5a5ec6f8409b5c322c37507eaa Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Wed, 5 Mar 2025 22:39:11 -0600 Subject: [PATCH 1/9] Ab#69145 Fixed a PowerShell compatibility issue when using LocalMachine. LocalMachine will always run PowerShell 5.1. --- CHANGELOG.md | 5 ++- IISU/ClientPSIIManager.cs | 73 +------------------------------ IISU/PSHelper.cs | 14 +----- IISU/Scripts/PowerShellScripts.cs | 63 +------------------------- 4 files changed, 7 insertions(+), 148 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a26d151..7a7609d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +2.5.2 +* Fixed a PowerShell compatibility issue when using LocalMachine. LocalMachine will always run PowerShell 5.1. + 2.5.1 * Fixed WinSQL service name when InstanceID differs from InstanceName @@ -5,7 +8,7 @@ * Added the Bindings to the end of the thumbprint to make the alias unique. * Using new IISWebBindings commandlet to use additional SSL flags when binding certificate to website. * Added multi-platform support for .Net6 and .Net8. -* Updated various PowerShell scripts to handle both .Net6 and .Net8 differences (specifically the absense of the WebAdministration module in PS SDK 7.4.x+) +* Updated various PowerShell scripts to handle both .Net6 and .Net8 differences (specifically the absence of the WebAdministration module in PS SDK 7.4.x+) * Fixed issue to update multiple websites when using the same cert. * Removed renewal thumbprint logic to update multiple website; each job now updates its own specific certificate. diff --git a/IISU/ClientPSIIManager.cs b/IISU/ClientPSIIManager.cs index 996b46d..e71ba5f 100644 --- a/IISU/ClientPSIIManager.cs +++ b/IISU/ClientPSIIManager.cs 
@@ -567,78 +567,7 @@ private object PerformIISUnBinding(string webSiteName, string protocol, string i /// private object PerformIISBinding(string webSiteName, string protocol, string ipAddress, string port, string hostName, string sslFlags, string thumbprint, string storeName) { - //string funcScript = @" - // param ( - // $SiteName, # The name of the IIS site - // $IPAddress, # The IP Address for the binding - // $Port, # The port number for the binding - // $Hostname, # Hostname for the binding (if any) - // $Protocol, # Protocol (e.g., HTTP, HTTPS) - // $Thumbprint, # Certificate thumbprint for HTTPS bindings - // $StoreName, # Certificate store location (e.g., ""My"" for personal certs) - // $SslFlags # SSL flags (if any) - // ) - - // # Set Execution Policy (optional, depending on your environment) - // Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force - - // ## Check if the IISAdministration module is available - // #$module = Get-Module -Name IISAdministration -ListAvailable - - // #if (-not $module) { - // # throw ""The IISAdministration module is not installed on this system."" - // #} - - // # Check if the IISAdministration module is already loaded - // if (-not (Get-Module -Name IISAdministration)) { - // try { - // # Attempt to import the IISAdministration module - // Import-Module IISAdministration -ErrorAction Stop - // } - // catch { - // throw ""Failed to load the IISAdministration module. 
Ensure it is installed and available."" - // } - // } - - // # Retrieve the existing binding information - // $myBinding = ""${IPAddress}:${Port}:${Hostname}"" - // Write-Host ""myBinding: "" $myBinding - - // $siteBindings = Get-IISSiteBinding -Name $SiteName - // $existingBinding = $siteBindings | Where-Object { $_.bindingInformation -eq $myBinding -and $_.protocol -eq $Protocol } - - // Write-Host ""Binding:"" $existingBinding - - // if ($null -ne $existingBinding) { - // # Remove the existing binding - // Remove-IISSiteBinding -Name $SiteName -BindingInformation $existingBinding.BindingInformation -Protocol $existingBinding.Protocol -Confirm:$false - - // Write-Host ""Removed existing binding: $($existingBinding.BindingInformation)"" - // } - - // # Create the new binding with modified properties - // $newBindingInfo = ""${IPAddress}:${Port}:${Hostname}"" - - // try - // { - // New-IISSiteBinding -Name $SiteName ` - // -BindingInformation $newBindingInfo ` - // -Protocol $Protocol ` - // -CertificateThumbprint $Thumbprint ` - // -CertStoreLocation $StoreName ` - // -SslFlag $SslFlags - - // Write-Host ""New binding added: $newBindingInfo"" - // } - // catch { - // throw $_ - // } - //"; -#if NET6_0 - string funcScript = PowerShellScripts.UpdateIISBindingsV6; -#elif NET8_0_OR_GREATER - string funcScript = PowerShellScripts.UpdateIISBindingsV8; -#endif + string funcScript = PowerShellScripts.UpdateIISBindings; ps.AddScript(funcScript); ps.AddParameter("SiteName", webSiteName); diff --git a/IISU/PSHelper.cs b/IISU/PSHelper.cs index e1016f6..e5494be 100644 --- a/IISU/PSHelper.cs +++ b/IISU/PSHelper.cs 
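Review bot: The net6.0 build now executes the script that was previously compiled only for net8.0, yet neither this hunk nor the CHANGELOG entry records what that script expects on the target host (the deleted V6 variant guarded on the WebAdministration module; whatever the surviving `UpdateIISBindings` script imports is outside this view). A one-line comment above `string funcScript = PowerShellScripts.UpdateIISBindings;` would keep that requirement at the call site, e.g. `// One script for all target frameworks; it runs in the runspace from PSHelper.GetClientPsRunspace (Windows PowerShell 5.1 when local) and needs the IIS module it imports to be present on the target.` The lone `///` line above PerformIISBinding looks like an empty doc comment (its tags may have been lost in rendering); if it is empty, a `<summary>` naming the script used and the parameters bound via `AddParameter` would help the next reader of a binding failure. PerformIISBinding's body continues past the end of the hunk.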
@@ -50,22 +50,10 @@ public static Runspace GetClientPsRunspace(string winRmProtocol, string clientMa if (isLocal) { -#if NET6_0 + _logger.LogTrace("Establishing a local RunSpace."); PowerShellProcessInstance instance = new PowerShellProcessInstance(new Version(5, 1), null, null, false); Runspace rs = RunspaceFactory.CreateOutOfProcessRunspace(new TypeTable(Array.Empty()), instance); return rs; -#elif NET8_0_OR_GREATER - try - { - InitialSessionState iss = InitialSessionState.CreateDefault(); - Runspace rs = RunspaceFactory.CreateRunspace(iss); - return rs; - } - catch (global::System.Exception) - { - throw new Exception($"An error occurred while attempting to create the PowerShell instance. This version requires .Net8 and PowerShell SDK 7.2 or greater. Please verify the version of .Net8 and PowerShell installed on your machine."); - } -#endif } else { diff --git a/IISU/Scripts/PowerShellScripts.cs b/IISU/Scripts/PowerShellScripts.cs index 3da10e3..54d36a4 100644 --- a/IISU/Scripts/PowerShellScripts.cs +++ b/IISU/Scripts/PowerShellScripts.cs 
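Review bot: The `PowerShellProcessInstance` created on the new local path is `IDisposable` and represents an out-of-process powershell.exe host, but only the `Runspace` is returned; unless `CreateOutOfProcessRunspace` takes ownership and tears the process down when the runspace is disposed (worth confirming against the SDK), each local job leaves a child process behind, so either keep the instance next to the runspace so the caller can dispose both or dispose it when the runspace closes. The deleted `#elif` branch also held the only error handling on this path, so a failure to launch the 5.1 host now surfaces as a raw exception with no hint about the PowerShell 5.1 requirement; a catch of the specific SDK exception that rethrows with that context and the original as inner exception (rather than the removed `throw new Exception(...)` form) would restore the diagnostic. The `new Version(5, 1)` pin deserves a why-comment, e.g. `// LocalMachine jobs always run in Windows PowerShell 5.1 regardless of the orchestrator's target framework (2.5.2).`. `Array.Empty()` without a type argument will not compile as shown, so the generic argument has presumably been lost in rendering; GetClientPsRunspace continues outside the hunk.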
@@ -8,68 +8,7 @@ namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.Scripts { public class PowerShellScripts { - public const string UpdateIISBindingsV6 = @" - param ( - $SiteName, # The name of the IIS site - $IPAddress, # The IP Address for the binding - $Port, # The port number for the binding - $Hostname, # Hostname for the binding (if any) - $Protocol, # Protocol (e.g., HTTP, HTTPS) - $Thumbprint, # Certificate thumbprint for HTTPS bindings - $StoreName, # Certificate store location (e.g., ""My"" for personal certs) - $SslFlags # SSL flags (if any) - ) - - # Set Execution Policy (optional, depending on your environment) - Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force - - # Check if the WebAdministration module is available - $module = Get-Module -Name WebAdministration -ListAvailable - - if (-not $module) { - throw ""The WebAdministration module is not installed on this system."" - } - - # Check if the WebAdministration module is already loaded - if (-not (Get-Module -Name WebAdministration)) { - try { - # Attempt to import the WebAdministration module - Import-Module WebAdministration -ErrorAction Stop - } - catch { - throw ""Failed to load the WebAdministration module. 
Ensure it is installed and available."" - } - } - - # Retrieve the existing binding information - $myBinding = ""${IPAddress}:${Port}:${Hostname}"" - Write-Host ""myBinding: "" $myBinding - - $siteBindings = Get-IISSiteBinding -Name $SiteName - $existingBinding = $siteBindings | Where-Object { $_.bindingInformation -eq $myBinding -and $_.protocol -eq $Protocol } - - Write-Host ""Binding:"" $existingBinding - - if ($null -ne $existingBinding) { - # Remove the existing binding - Remove-IISSiteBinding -Name $SiteName -BindingInformation $existingBinding.BindingInformation -Protocol $existingBinding.Protocol -Confirm:$false - - Write-Host ""Removed existing binding: $($existingBinding.BindingInformation)"" - } - - # Create the new binding with modified properties - $newBindingInfo = ""${IPAddress}:${Port}:${Hostname}"" - - New-IISSiteBinding -Name $SiteName ` - -BindingInformation $newBindingInfo ` - -Protocol $Protocol ` - -CertificateThumbprint $Thumbprint ` - -CertStoreLocation $StoreName ` - -SslFlag $SslFlags - - Write-Host ""New binding added: $newBindingInfo"""; - - public const string UpdateIISBindingsV8 = @" + public const string UpdateIISBindings = @" param ( $SiteName, # The name of the IIS site $IPAddress, # The IP Address for the binding From 0d44164f840604edaad8733d2fadd182e0d1a052 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Thu, 6 Mar 2025 04:40:10 +0000 Subject: [PATCH 2/9] Update generated docs --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c928b28..5e3e399 100644 --- a/README.md +++ b/README.md 
@@ -113,7 +113,7 @@ The WinSql Certificate Store Type, referred to by its short name 'WinSql,' is de This integration is compatible with Keyfactor Universal Orchestrator version 10.1 and later. ## Support -The Windows Certificate Universal Orchestrator extension is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. +The Windows Certificate Universal Orchestrator extension If you have a support issue, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com. > To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. @@ -198,6 +198,8 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat ![WinCert Advanced Tab](docsource/images/WinCert-advanced-store-type-dialog.png) + > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. + #### Custom Fields Tab Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: 
@@ -279,6 +281,8 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat ![IISU Advanced Tab](docsource/images/IISU-advanced-store-type-dialog.png) + > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. + #### Custom Fields Tab Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: @@ -366,6 +370,8 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat ![WinSql Advanced Tab](docsource/images/WinSql-advanced-store-type-dialog.png) + > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. + #### Custom Fields Tab Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: From 065229622b8adf988aba0677bc7e8272814e3815 Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Thu, 8 May 2025 08:35:16 -0700 Subject: [PATCH 3/9] chore(docs): Regen docs. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5e3e399..1a1058a 100644 --- a/README.md +++ b/README.md 
@@ -28,7 +28,7 @@ Related Integrations

- + ## Overview The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command: From 6f12821001bbedef0f217129564ab902bdb07b8d Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Thu, 8 May 2025 15:37:05 +0000 Subject: [PATCH 4/9] Update generated docs --- README.md | 170 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 120 insertions(+), 50 deletions(-) diff --git a/README.md b/README.md index 1a1058a..456c4c2 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ Related Integrations

- + ## Overview The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command: @@ -154,13 +154,22 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
Windows Certificate (WinCert) -* **Create WinCert using kfutil**: +### Using kfutil: + +#### Using online definition from GitHub: +This will reach out to GitHub and pull the latest store-type definition +```shell +# Windows Certificate +kfutil store-types create WinCert +``` - ```shell - # Windows Certificate - kfutil store-types create WinCert - ``` +#### Offline creation using integration-manifest file: +If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo. +```shell +kfutil store-types create --from-file integration-manifest.json +``` +### Manually * **Create WinCert manually in the Command UI**:
Create WinCert manually in the Command UI @@ -231,19 +240,28 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat -
+
IIS Bound Certificate (IISU) -* **Create IISU using kfutil**: +### Using kfutil: - ```shell - # IIS Bound Certificate - kfutil store-types create IISU - ``` +#### Using online definition from GitHub: +This will reach out to GitHub and pull the latest store-type definition +```shell +# IIS Bound Certificate +kfutil store-types create IISU +``` +#### Offline creation using integration-manifest file: +If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo. +```shell +kfutil store-types create --from-file integration-manifest.json +``` + +### Manually * **Create IISU manually in the Command UI**:
Create IISU manually in the Command UI @@ -320,19 +338,28 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat -
+
WinSql (WinSql) -* **Create WinSql using kfutil**: +### Using kfutil: + +#### Using online definition from GitHub: +This will reach out to GitHub and pull the latest store-type definition +```shell +# WinSql +kfutil store-types create WinSql +``` - ```shell - # WinSql - kfutil store-types create WinSql - ``` +#### Offline creation using integration-manifest file: +If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo. +```shell +kfutil store-types create --from-file integration-manifest.json +``` +### Manually * **Create WinSql manually in the Command UI**:
Create WinSql manually in the Command UI @@ -405,7 +432,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat -
+
@@ -414,6 +441,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat 1. **Download the latest Windows Certificate Universal Orchestrator extension from GitHub.** Navigate to the [Windows Certificate Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/iis-orchestrator/releases/latest). Refer to the compatibility matrix below to determine whether the `net6.0` or `net8.0` asset should be downloaded. Then, click the corresponding asset to download the zip archive. + | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `iis-orchestrator` .NET version to download | | --------- | ----------- | ----------- | ----------- | | Older than `11.0.0` | | | `net6.0` | 
@@ -443,8 +471,14 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm). +6. **(optional) PAM Integration** + + The Windows Certificate Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider. + + To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension, and follow the associated instructions to install it on the Universal Orchestrator (remote). -> The above installation steps can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions). + +> The above installation steps can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions). @@ -455,6 +489,8 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
Windows Certificate (WinCert) +### Store Creation + * **Manually with the Command UI**
Create Certificate Stores manually in the UI @@ -466,6 +502,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat 2. **Add a Certificate Store.** Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. + | Attribute | Description | | --------- | ----------- | | Category | Select "Windows Certificate" or the customized certificate store name from the previous step. | @@ -479,12 +516,9 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | - - - -
+ * **Using kfutil**
Create Certificate Stores with kfutil @@ -497,6 +531,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat 2. **Populate the generated CSV file** Open the CSV file, and reference the table below to populate parameters for each **Attribute**. + | Attribute | Description | | --------- | ----------- | | Category | Select "Windows Certificate" or the customized certificate store name from the previous step. | @@ -510,18 +545,29 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | - - - - - 3. **Import the CSV file to create the certificate stores** + 3. **Import the CSV file to create the certificate stores** ```shell kfutil stores import csv --store-type-name WinCert --file WinCert.csv ``` + +* **PAM Provider Eligible Fields** +
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator + + If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_. + + | Attribute | Description | + | --------- | ----------- | + | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | + | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | + + Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side. + + > Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
-> The content in this section can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). + +> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
@@ -529,6 +575,8 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
IIS Bound Certificate (IISU) +### Store Creation + * **Manually with the Command UI**
Create Certificate Stores manually in the UI @@ -540,6 +588,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat 2. **Add a Certificate Store.** Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. + | Attribute | Description | | --------- | ----------- | | Category | Select "IIS Bound Certificate" or the customized certificate store name from the previous step. | @@ -553,12 +602,9 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | - - - -
+ * **Using kfutil**
Create Certificate Stores with kfutil @@ -571,6 +617,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat 2. **Populate the generated CSV file** Open the CSV file, and reference the table below to populate parameters for each **Attribute**. + | Attribute | Description | | --------- | ----------- | | Category | Select "IIS Bound Certificate" or the customized certificate store name from the previous step. | @@ -584,18 +631,29 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | - - - - - 3. **Import the CSV file to create the certificate stores** + 3. **Import the CSV file to create the certificate stores** ```shell kfutil stores import csv --store-type-name IISU --file IISU.csv ``` + +* **PAM Provider Eligible Fields** +
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator + + If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_. + + | Attribute | Description | + | --------- | ----------- | + | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | + | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | + + Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side. + + > Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
-> The content in this section can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). + +> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
@@ -603,6 +661,8 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
WinSql (WinSql) +### Store Creation + * **Manually with the Command UI**
Create Certificate Stores manually in the UI @@ -614,6 +674,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat 2. **Add a Certificate Store.** Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. + | Attribute | Description | | --------- | ----------- | | Category | Select "WinSql" or the customized certificate store name from the previous step. | @@ -628,12 +689,9 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | | RestartService | Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation. | - - - -
+ * **Using kfutil**
Create Certificate Stores with kfutil @@ -646,6 +704,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat 2. **Populate the generated CSV file** Open the CSV file, and reference the table below to populate parameters for each **Attribute**. + | Attribute | Description | | --------- | ----------- | | Category | Select "WinSql" or the customized certificate store name from the previous step. | @@ -660,18 +719,29 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | | RestartService | Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation. | - - - - - 3. **Import the CSV file to create the certificate stores** + 3. **Import the CSV file to create the certificate stores** ```shell kfutil stores import csv --store-type-name WinSql --file WinSql.csv ``` + +* **PAM Provider Eligible Fields** +
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator + + If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_. + + | Attribute | Description | + | --------- | ----------- | + | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | + | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | + + Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side. + + > Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
-> The content in this section can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). + +> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
From 0d23e1235263f94d01a5cf9deedf629436035cc9 Mon Sep 17 00:00:00 2001
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com>
Date: Thu, 8 May 2025 08:55:04 -0700
Subject: [PATCH 5/9] chore(ci): Bump starter workflow version
---
 .github/workflows/keyfactor-starter-workflow.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml
index a4649f2..64919a4 100644
--- a/.github/workflows/keyfactor-starter-workflow.yml
+++ b/.github/workflows/keyfactor-starter-workflow.yml
@@ -11,7 +11,7 @@ on:
 jobs:
 call-starter-workflow:
- uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2
+ uses: keyfactor/actions/.github/workflows/starter.yml@v3
 secrets:
 token: ${{ secrets.V2BUILDTOKEN}}
 APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
From b14eb2a87a15f0b47e591ff18f786d3f4203390f Mon Sep 17 00:00:00 2001
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com>
Date: Thu, 8 May 2025 08:56:26 -0700
Subject: [PATCH 6/9] chore(ci): Add dependabot.yml
---
 .github/dependabot.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..671250d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+# See GitHub's documentation for more information on this file:
+# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ - package-ecosystem: "nuget"
+ directory: "/"
+ schedule:
+ interval: "daily"
\ No newline at end of file
From ea26ca8c52c792ced384be9afe30a8efba596f6b Mon Sep 17 00:00:00 2001
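Review bot: The new `.github/dependabot.yml` is committed without a trailing newline (the `\ No newline at end of file` marker closes the hunk); add a final newline so later edits and tooling do not produce spurious last-line diffs. With both ecosystems on `interval: "daily"` and no `groups` or `open-pull-requests-limit`, every individual bump opens its own pull request, which tends to bury the security-relevant updates among routine ones; grouping minor and patch updates would keep the signal visible. The `github-actions` ecosystem will also pick up the `uses: keyfactor/actions/.github/workflows/starter.yml@...` reference in the starter workflow, so the manual re-pins in the neighbouring commits are presumably going to be superseded by Dependabot proposals — intended, I assume, but worth confirming.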
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com>
Date: Thu, 8 May 2025 09:33:16 -0700
Subject: [PATCH 7/9] fix(ci): Revert starter workflow to `3.1.2`
---
 .github/workflows/keyfactor-starter-workflow.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml
index 64919a4..a4649f2 100644
--- a/.github/workflows/keyfactor-starter-workflow.yml
+++ b/.github/workflows/keyfactor-starter-workflow.yml
@@ -11,7 +11,7 @@ on:
 jobs:
 call-starter-workflow:
- uses: keyfactor/actions/.github/workflows/starter.yml@v3
+ uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2
 secrets:
 token: ${{ secrets.V2BUILDTOKEN}}
 APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
From 63f34745b0a4700f2f597f71262eae8bfd35b013 Mon Sep 17 00:00:00 2001
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com>
Date: Thu, 15 May 2025 08:53:56 -0700
Subject: [PATCH 8/9] chore(ci): Pin bootstrap workflow to `v3.2.0`
---
 .github/workflows/keyfactor-starter-workflow.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml
index a4649f2..9ac93ee 100644
--- a/.github/workflows/keyfactor-starter-workflow.yml
+++ b/.github/workflows/keyfactor-starter-workflow.yml
@@ -11,7 +11,7 @@ on:
 jobs:
 call-starter-workflow:
- uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2
+ uses: keyfactor/actions/.github/workflows/starter.yml@3.2.0
 secrets:
 token: ${{ secrets.V2BUILDTOKEN}}
 APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
From 04c2556070a48ecacb6058607c002738f7d54064 Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Thu, 15 May 2025 15:55:55 +0000
Subject: [PATCH 9/9] Update generated docs
---
 README.md | 71 +++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 58 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md index 456c4c2..523256f 100644 --- a/README.md +++ b/README.md @@ -145,7 +145,7 @@ For customers wishing to use something other than the local administrator accoun - Read and Write values in the registry (HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server) when performing SQL Server certificate binding. -## Create Certificate Store Types +## Certificate Store Types To use the Windows Certificate Universal Orchestrator extension, you **must** create the Certificate Store Types required for your usecase. This only needs to happen _once_ per Keyfactor Command instance. @@ -154,7 +154,20 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
Windows Certificate (WinCert) -### Using kfutil: + +### Supported Operations + +| Operation | Is Supported | +|--------------|------------------------------------------------------------------------------------------------------------------------| +| Add | ✅ Checked | +| Remove | ✅ Checked | +| Discovery | 🔲 Unchecked | +| Reenrollment | ✅ Checked | +| Create | 🔲 Unchecked | + +### Creation Using kfutil: +`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types. +For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) #### Using online definition from GitHub: This will reach out to GitHub and pull the latest store-type definition @@ -165,11 +178,15 @@ kfutil store-types create WinCert #### Offline creation using integration-manifest file: If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo. +You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command +in your offline environment. ```shell kfutil store-types create --from-file integration-manifest.json ``` -### Manually +### Manual Creation +If you do not wish to use the `kfutil` CLI then certificate store types can be creating in the web UI as described below. + * **Create WinCert manually in the Command UI**:
Create WinCert manually in the Command UI @@ -225,8 +242,6 @@ kfutil store-types create --from-file integration-manifest.json ![WinCert Custom Fields Tab](docsource/images/WinCert-custom-fields-store-type-dialog.png) - - #### Entry Parameters Tab | Name | Display Name | Description | Type | Default Value | Entry has a private key | Adding an entry | Removing an entry | Reenrolling an entry | @@ -246,7 +261,20 @@ kfutil store-types create --from-file integration-manifest.json
IIS Bound Certificate (IISU) -### Using kfutil: + +### Supported Operations + +| Operation | Is Supported | +|--------------|------------------------------------------------------------------------------------------------------------------------| +| Add | ✅ Checked | +| Remove | ✅ Checked | +| Discovery | 🔲 Unchecked | +| Reenrollment | ✅ Checked | +| Create | 🔲 Unchecked | + +### Creation Using kfutil: +`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types. +For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) #### Using online definition from GitHub: This will reach out to GitHub and pull the latest store-type definition @@ -257,11 +285,15 @@ kfutil store-types create IISU #### Offline creation using integration-manifest file: If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo. +You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command +in your offline environment. ```shell kfutil store-types create --from-file integration-manifest.json ``` -### Manually +### Manual Creation +If you do not wish to use the `kfutil` CLI then certificate store types can be creating in the web UI as described below. + * **Create IISU manually in the Command UI**:
Create IISU manually in the Command UI @@ -317,8 +349,6 @@ kfutil store-types create --from-file integration-manifest.json ![IISU Custom Fields Tab](docsource/images/IISU-custom-fields-store-type-dialog.png) - - #### Entry Parameters Tab | Name | Display Name | Description | Type | Default Value | Entry has a private key | Adding an entry | Removing an entry | Reenrolling an entry | @@ -344,7 +374,20 @@ kfutil store-types create --from-file integration-manifest.json
WinSql (WinSql) -### Using kfutil: + +### Supported Operations + +| Operation | Is Supported | +|--------------|------------------------------------------------------------------------------------------------------------------------| +| Add | ✅ Checked | +| Remove | ✅ Checked | +| Discovery | 🔲 Unchecked | +| Reenrollment | 🔲 Unchecked | +| Create | 🔲 Unchecked | + +### Creation Using kfutil: +`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types. +For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) #### Using online definition from GitHub: This will reach out to GitHub and pull the latest store-type definition @@ -355,11 +398,15 @@ kfutil store-types create WinSql #### Offline creation using integration-manifest file: If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo. +You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command +in your offline environment. ```shell kfutil store-types create --from-file integration-manifest.json ``` -### Manually +### Manual Creation +If you do not wish to use the `kfutil` CLI then certificate store types can be creating in the web UI as described below. + * **Create WinSql manually in the Command UI**:
Create WinSql manually in the Command UI @@ -416,8 +463,6 @@ kfutil store-types create --from-file integration-manifest.json ![WinSql Custom Fields Tab](docsource/images/WinSql-custom-fields-store-type-dialog.png) - - #### Entry Parameters Tab | Name | Display Name | Description | Type | Default Value | Entry has a private key | Adding an entry | Removing an entry | Reenrolling an entry |