connectionInfo)
- {
- }
- }
-}
\ No newline at end of file
diff --git a/HydrantIdProxy/src/HydrantIdProxy/HydrantIdProxy.csproj b/HydrantIdProxy/src/HydrantIdProxy/HydrantIdProxy.csproj
deleted file mode 100644
index 3d26feb..0000000
--- a/HydrantIdProxy/src/HydrantIdProxy/HydrantIdProxy.csproj
+++ /dev/null
@@ -1,164 +0,0 @@
-
-
-
- Debug
- AnyCPU
- {7847E86E-41F8-4849-BBAD-44A30CE9300B}
- Library
- Properties
- Keyfactor.HydrantId
- HydrantIdProxy
- v4.6.2
- 512
-
-
-
- true
- full
- false
- bin\Debug\
- DEBUG;TRACE
- prompt
- 4
-
-
- pdbonly
- true
- bin\Release\
- TRACE
- prompt
- 4
-
-
-
- ..\..\packages\BouncyCastle.1.8.5\lib\BouncyCastle.Crypto.dll
-
-
- ..\..\packages\Keyfactor.AnyGateway.SDK.21.3.2\lib\net462\CAProxy.AnyGateway.Core.dll
-
-
- ..\..\packages\Keyfactor.AnyGateway.SDK.21.3.2\lib\net462\CAProxy.Interfaces.dll
-
-
- ..\..\packages\Keyfactor.AnyGateway.SDK.21.3.2\lib\net462\CAProxyDAL.dll
-
-
- ..\..\packages\Common.Logging.3.4.1\lib\net40\Common.Logging.dll
-
-
- ..\..\packages\Common.Logging.Core.3.4.1\lib\net40\Common.Logging.Core.dll
-
-
- ..\..\packages\Keyfactor.AnyGateway.SDK.21.3.2\lib\net462\CommonCAProxy.dll
-
-
- ..\..\packages\CSS.Common.1.7.0\lib\net462\CSS.Common.dll
-
-
- ..\..\packages\CSS.PKI.2.13.0\lib\net462\CSS.PKI.dll
-
-
- ..\..\packages\HawkNet.1.4.4.0\lib\net45\HawkNet.dll
-
-
- ..\..\packages\Newtonsoft.Json.12.0.3\lib\net45\Newtonsoft.Json.dll
-
-
-
-
-
-
- ..\..\packages\System.Security.Cryptography.Algorithms.4.3.1\lib\net461\System.Security.Cryptography.Algorithms.dll
-
-
- ..\..\packages\System.Security.Cryptography.Encoding.4.3.0\lib\net46\System.Security.Cryptography.Encoding.dll
-
-
- ..\..\packages\System.Security.Cryptography.Primitives.4.3.0\lib\net46\System.Security.Cryptography.Primitives.dll
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
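Review bot: no replacement project file appears in this diff for the deleted `HydrantIdProxy.csproj`, yet the README and manifest changes in the same patch describe a `net6.0` plugin directory built from `HydrantCAProxy`; confirm the new `.csproj` is part of this change or an earlier commit so the release output can be reproduced. The deleted file also records the dependency set the net462 build relied on (`BouncyCastle.1.8.5`, `HawkNet.1.4.4.0`, `Newtonsoft.Json.12.0.3`, `Keyfactor.AnyGateway.SDK.21.3.2`); whatever replaces them in the net6.0 project should be pinned at current, supported versions, since HAWK signing and parsing of CA responses sit on the authentication path.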
diff --git a/HydrantIdProxy/src/HydrantIdProxy/app.config b/HydrantIdProxy/src/HydrantIdProxy/app.config
deleted file mode 100644
index e7bfe44..0000000
--- a/HydrantIdProxy/src/HydrantIdProxy/app.config
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/HydrantIdProxy/src/HydrantIdProxy/packages.config b/HydrantIdProxy/src/HydrantIdProxy/packages.config
deleted file mode 100644
index 398501b..0000000
--- a/HydrantIdProxy/src/HydrantIdProxy/packages.config
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/README.md b/README.md
index b244def..58e4ac1 100644
--- a/README.md
+++ b/README.md
@@ -1,223 +1,176 @@
+
+ HydrantId AnyCA Gateway REST Plugin
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Support
+
+ ·
+
+ Requirements
+
+ ·
+
+ Installation
+
+ ·
+
+ License
+
+ ·
+
+ Related Integrations
+
+
+
+
+HydrantId operates a PKI as a service platform for customers around the globe. The AnyGateway solution for HydrantId is designed to allow Keyfactor Command:
+
+* CA Sync:
+ * Download all certificates issued by connected Enterprise tier CAs in HydrantId (full sync).
+* Certificate enrollment for all published HydrantId Certificate SKUs:
+ * Support certificate enrollment (new keys/certificate).
+* Certificate revocation:
+ * Request revocation of a previously issued certificate.
+
+## Compatibility
+
+The HydrantId AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2 and later.
+
+## Support
+The HydrantId AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com.
+
+> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
+
+## Requirements
+
+### 🔐 HydrantID API Key Setup Guide
+
+This guide explains how to generate and use an API Key ID and Secret in HydrantID for authenticated API access.
-# HydrantId
-
-HydrantId operates a PKI as a service platform for customers around the globe. The AnyGateway solution for HydrantId is designed to allow Keyfactor Command the ability to: - Sync certificates issued from the CA - Request new certificates from the CA - Revoke certificates directly from Keyfactor Command -Renew or Reissue Certificates from the CA
-
-#### Integration status: Production - Ready for use in production environments.
-
-## About the Keyfactor AnyCA Gateway DCOM Connector
+---
-This repository contains an AnyCA Gateway Connector, which is a plugin to the Keyfactor AnyGateway. AnyCA Gateway Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority.
+#### 📍 Where to Find API Key Management
-## Support for HydrantId
+1. **Log in** to your HydrantID instance.
+ - Example: https://acm-stage.hydrantid.com
-HydrantId is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com
+2. Click your **user profile icon** (top right) and select **"Profile"**.
-###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
+3. In the **Profile** page, scroll to the section labeled `API Keys`.
---
+#### ➕ Add a New API Key
----
-
+1. Click **"ADD API KEY"** (top right of the API Keys section).
+2. A new API Key will be generated with:
+ - A unique **API ID**
+ - A **Secret API Key** — copy it immediately as it is only shown once.
+---
+#### 🧾 Notes on API Keys
+- **ID** = what you'll pass in the HAWK `id` field
+- **Key** = secret used to generate HAWK signature
+- Each key shows `Created` and `Last Used` timestamps for traceability
-## Keyfactor AnyCA Gateway Framework Supported
-The Keyfactor gateway framework implements common logic shared across various gateway implementations and handles communication with Keyfactor Command. The gateway framework hosts gateway implementations or plugins that understand how to communicate with specific CAs. This allows you to integrate your third-party CAs with Keyfactor Command such that they behave in a manner similar to the CAs natively supported by Keyfactor Command.
+---
+#### 🔐 Using the API ID and Key with HAWK
+HydrantID uses [HAWK Authentication](https://github.com/hueniverse/hawk) to secure its API.
+##### Required Fields in Authorization Header:
+```text
+Hawk id="API_ID", ts="TIMESTAMP", nonce="RANDOM", mac="HMAC_SIGNATURE"
-This gateway extension was compiled against version of the AnyCA Gateway DCOM Framework. You will need at least this version of the framework Installed. If you have a later AnyGateway Framework Installed you will probably need to add binding redirects in the CAProxyServer.exe.config file to make things work properly.
+### Root CA Configuration
+Both the Keyfactor Command and AnyCA Gateway REST servers must trust the root CA, and if applicable, any subordinate CAs for all features to work as intended. Download the CA Certificate (and chain, if applicable) from HydrantId, and import them into the appropriate certificate store on the AnyCA Gateway REST server.
-[Keyfactor CAGateway Install Guide](https://software.keyfactor.com/Guides/AnyGateway_Generic/Content/AnyGateway/Introduction.htm)
+* **Windows** - If the AnyCA Gateway REST is running on a Windows host, the root CA and applicable subordinate CAs must be imported into the Windows certificate store. The certificates can be imported using the Microsoft Management Console (MMC) or PowerShell.
+* **Linux** - If the AnyCA Gateway REST is running on a Linux host, the root CA and applicable subordinate CAs must be present in the root CA certificate store. The location of this store varies per distribution, but is most commonly `/etc/ssl/certs/ca-certificates.crt`. The following is documentation on some popular distributions.
+ * [Ubuntu - Managing CA certificates](https://ubuntu.com/server/docs/install-a-root-ca-certificate-in-the-trust-store)
+ * [RHEL 9 - Using shared system certificates](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/securing_networks/using-shared-system-certificates_securing-networks#using-shared-system-certificates_securing-networks)
+ * [Fedora - Using Shared System Certificates](https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/)
+> The root CA and intermediate CAs must be trusted by both the Command server _and_ AnyCA Gateway REST server.
+## Installation
----
+1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HydrantId AnyCA Gateway REST plugin](https://github.com/Keyfactor/hydrantid-cagateway/releases/latest) from GitHub.
-***
-# Getting Started
-## Standard Gateway Installation
-To begin, you must have the CA Gateway Service 21.3.2 installed and operational before attempting to configure the HydrantId plugin. This integration was tested with Keyfactor 9.3.0.0.
-To install the gateway follow these instructions.
+3. Copy the unzipped directory (usually called `net6.0`) to the Extensions directory:
-1) Gateway Server - run the installation .msi obtained from Keyfactor
+ ```shell
+ Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net6.0\Extensions
+ ```
-2) Gateway Server - If you have the rights to install the database (usually in a Non SQL PAAS Environment) Using Powershell, run the following command to create the gateway database.
+ > The directory containing the HydrantId AnyCA Gateway REST plugin DLLs (`net6.0`) can be named anything, as long as it is unique within the `Extensions` directory.
- **SQL Server Windows Auth**
- ```
- %InstallLocation%\DatabaseManagementConsole.exe create -s [database server name] -d [database name]
- ```
- Note if you are using SQL Authentication, then you need to run
-
- **SQL Server SQL Authentication**
+4. Restart the AnyCA Gateway REST service.
- ```
- %InstallLocation%\DatabaseManagementConsole.exe create -s [database server name] -d [database name] -u [sql user] -p [sql password]
- ```
+5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HydrantId plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
- If you do **not** have rights to created the database then have the database created ahead of time by the support team and just populate the database
+## Configuration
- ## Populate commands below
+1. Follow the [official AnyCA Gateway REST documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) to define a new Certificate Authority, and use the notes below to configure the **Gateway Registration** and **CA Connection** tabs:
- **Windows Authentication**
+ * **Gateway Registration**
- ```
- %InstallLocation%\DatabaseManagementConsole.exe populate -s [database server name] -d [database name]
- ```
+ The Gateway Registration tab configures the root or issuing CA certificate for the respective CA in HydrantId. The certificate selected here should be the issuing CA identified in the [Root CA Configuration](#root-ca-configuration) step.
- **SQL Server SQL Authentication**
+ * **CA Connection**
- ```
- %InstallLocation%\DatabaseManagementConsole.exe populate -s [database server name] -d [database name] -u [sql user] -p [sql password]
- ```
+ Populate using the configuration fields collected in the [requirements](#requirements) section.
-3) Gateway Server - run the following Powershell to import the Cmdlets
+ * **HydrantIdBaseUrl** - The Base URL For the HydrantId Endpoint similar to https://acm-stage.hydrantid.com. Get this from HydrantId.
+ * **HydrantIdAuthId** - The AuthId Obtained from HydrantId.
+ * **HydrantIdAuthKey** - The AuthKey Obtained from HydrantId.
- C:\Program Files\Keyfactor\Keyfactor AnyGateway\ConfigurationCmdlets.dll (must be imported into Powershell)
- ```ps
- Import-Module C:\Program Files\Keyfactor\Keyfactor AnyGateway\ConfigurationCmdlets.dll
- ```
+2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID.
-4) Gateway Server - Run the Following Powershell script to set the gateway encryption cert
+ The GCP CAS AnyCA Gateway REST plugin downloads all Certificate Templates in the configured GCP Region/Project and interprets them as 'Product IDs' in the Gateway Portal.
- ### Set-KeyfactorGatewayEncryptionCert
- This cmdlet will generate a self-signed certificate used to encrypt the database connection string. It populates a registry value with the serial number of the certificate to be used. The certificate is stored in the LocalMachine Personal Store and the registry key populated is:
+ > For example, if the connected GCP project has the following Certificate Templates:
+ >
+ > * `ServerAuth`
+ > * `ClientAuth`
+ >
+ > The `Edit Templates` > `Product ID` dialog dropdown will show the following available 'ProductIDs':
+ >
+ > * `Default` -> Don't use a certificate template when enrolling certificates with this Template.
+ > * `ServerAuth` -> Use the `ServerAuth` certificate template in GCP when enrolling certificates with this Template.
+ > * `ClientAuth` -> Use the `ClientAuth` certificate template in GCP when enrolling certificates with this Template.
- ```HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvcProxy\Parameters\EncryptSerialNumber```
- No parameters are required to run this cmdlet.
+3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
-5) Gateway Server - Run the following Powershell Script to Set the Database Connection
+4. In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the [official documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Configuring%20Template%20Options.htm) to define enrollment fields for each of the following parameters:
- ### Set-KeyfactorGatewayDatabaseConnection
- This cmdlet will set and encrypt the database connection string used by the AnyGateway service.
+ * **ValidityPeriod** - The desired lifetime time period could be Days, Months or Years.
+ * **ValidityUnits** - The desired lifetime time value some number indicating days, months or years.
+ * **RenewalDays** - The window that determines whether it is a renewal vs a re-issue.
- **Windows Authentication**
- ```ps
- Set-KeyfactorGatewayDatabaseConnection -Server [db server name] -Database [database name]
- ```
- **SQL Authentication**
- ```ps
- $KeyfactorCredentials = Get-Credentials
- Set-KeyfactorGatewayDatabaseConnection -Server [db server name] -Database [database name] -Account [$KeyfactorCredentials]
- ```
-## Standard Gateway Configuration Finished
----
+## License
-## HydrantId AnyGateway Specific Configuration
-It is important to note that importing the HydrantId configuration into the CA Gateway after installing the binaries must be completed. Additionally, the CA Gateway service
-must be running in order to succesfully import the configuation. When the CA Gateway service starts it will attempt to validate the connection information to
-the CA. Without the imported configuration, the service will fail to start.
-
-### Binary Installation
-
-1) Get the Latest Zip File from [Here](https://github.com/Keyfactor/hydrantid-cagateway/releases/)
-2) Gateway Server - Copy the HawkNet.dll, The HydrantIdProxy.dll and the HydrantIdProxy.dll.config to the location where the Gateway Framework was installed (usually C:\Program Files\Keyfactor\Keyfactor AnyGateway)
-
-### Configuration Changes
-1) Gateway Server - Edit the CAProxyServer.exe.config file and replace the line that says "NoOp" with the line below:
- ```
-
- ```
-2) Gateway Server - Install the Root HydrantId Certificate that was received from HydrantId
-
-3) Gateway Server - Install the Intermediate HydrantId Certificate that was received from HydrantId
-
-4) Gateway Server - Take the sample Config.json located [Here](https://github.com/Keyfactor/hydrantid-cagateway/raw/main/SampleConfig.json) and make the following modifications
-
-- *Security Settings Modifications* (Swap this out for the typical Gateway Security Settings for Test or Prod)
-
-```
- "Security": {
- "KEYFACTOR\\administrator": {
- "READ": "Allow",
- "ENROLL": "Allow",
- "OFFICER": "Allow",
- "ADMINISTRATOR": "Allow"
- },
- "KEYFACTOR\\SVC_AppPool": {
- "READ": "Allow",
- "ENROLL": "Allow",
- "OFFICER": "Allow",
- "ADMINISTRATOR": "Allow"
- },
- "KEYFACTOR\\SVC_TimerService": {
- "READ": "Allow",
- "ENROLL": "Allow",
- "OFFICER": "Allow",
- "ADMINISTRATOR": "Allow"
- }
-```
-- *Hydrant Environment Settings* (Modify these with the keys and Urls obtained from HydrantId)
-```
- "CAConnection": {
- "HydrantIdBaseUrl": "https://acm-stage.hydrantid.com",
- "AuthId": "SomeAuthId",
- "AuthKey": "SomeAuthPassword",
- "TemplateSync": "On"
- }
-```
-
-- *Service Settings* (Modify these to be in accordance with Keyfactor Standard Gateway Production Settings)
-```
- "ServiceSettings": {
- "ViewIdleMinutes": 1,
- "FullScanPeriodHours": 1,
- "PartialScanPeriodMinutes": 1
- }
-```
-
-5) Gateway Server - Save the newly modified config.json to the following location "C:\Program Files\Keyfactor\Keyfactor AnyGateway"
-
-### Template Installation
-
-The Template section will map the CA's products to an AD template.
-* ```ProductID```
-This is the ID of the HydrantId product to map to the specified template. If you don't know the available product IDs in your Hydrant account, put a placeholder value here and run the Set-KeyfactorGatewayConfig cmdlet according to the AnyGateway documentation. The list of available product IDs will be returned.
-* ```ValidityPeriod```
-REQUIRED: The period to use when requesting certs. It could be, Days, Months, Years depending on the Template.
-* ```ValidityUnits```
-REQUIRED: The numeric value corresponding to the ValidityPeriod. For years 1 would be 1 year, for days 7 would be 7 days.
-
- ```json
- "Templates": {
- "AutoEnrollment - RSA": {
- "ProductID": "AutoEnrollment - RSA",
- "Parameters": {
- "ValidityPeriod": "Years",
- "ValidityUnits": 1
- }
- },
- "AutoEnrollment - RSA - 7 Day": {
- "ProductID": "AutoEnrollment - RSA - 7 Day",
- "Parameters": {
- "ValidityPeriod": "Days",
- "ValidityUnits": 7
- }
- }
- }
- ```
-
-### Certificate Authority Installation
-1) Gateway Server - Start the Keyfactor Gateway Service
-2) Run the set Gateway command similar to below
-```ps
-Set-KeyfactorGatewayConfig -LogicalName "HydrantId" -FilePath [path to json file] -PublishAd
-```
-3) Command Server - Import the certificate authority in Keyfactor Portal
-
-
-***
-
-### License
-[Apache](https://apache.org/licenses/LICENSE-2.0)
+Apache License 2.0, see [LICENSE](LICENSE).
+## Related Integrations
+See all [Keyfactor Any CA Gateways (REST)](https://github.com/orgs/Keyfactor/repositories?q=anycagateway).
\ No newline at end of file
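Review bot: the ```` ```text ```` fence opened before `Hawk id="API_ID", ts="TIMESTAMP", nonce="RANDOM", mac="HMAC_SIGNATURE"` in the Requirements section is never closed, so everything from `### Root CA Configuration` to the end of the README renders as one code block; add the closing fence after the `Hawk` line (the same block in docsource/configuration.md has it). Two copy-paste leftovers from the GCP CAS plugin remain in the Configuration section: the paragraph "The GCP CAS AnyCA Gateway REST plugin downloads all Certificate Templates in the configured GCP Region/Project ..." and the quoted `ServerAuth`/`ClientAuth` example both describe GCP, not HydrantId policies; replace them with the HydrantId policy-to-Product ID mapping. The Support paragraph says "If you have a support issue, please open a support ticket ..." twice; keep only the Support Portal sentence. Minor: the **HydrantIdAuthKey** bullet is the HAWK secret the Requirements section says is shown only once, so it is worth stating there that it must be stored as a secret rather than in plain configuration.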
diff --git a/SampleConfig.json b/SampleConfig.json
deleted file mode 100644
index b6bca44..0000000
--- a/SampleConfig.json
+++ /dev/null
@@ -1,72 +0,0 @@
-{
- "Security": {
- "KEYFACTOR\\administrator": {
- "READ": "Allow",
- "ENROLL": "Allow",
- "OFFICER": "Allow",
- "ADMINISTRATOR": "Allow"
- },
- "KEYFACTOR\\SVC_AppPool": {
- "READ": "Allow",
- "ENROLL": "Allow",
- "OFFICER": "Allow",
- "ADMINISTRATOR": "Allow"
- },
- "KEYFACTOR\\SVC_TimerService": {
- "READ": "Allow",
- "ENROLL": "Allow",
- "OFFICER": "Allow",
- "ADMINISTRATOR": "Allow"
- }
- },
- "CAConnection": {
- "HydrantIdBaseUrl": "https://acm-stage.hydrantid.com",
- "AuthId": "getAuthIdFromHydrant",
- "AuthKey": "getAuthKeyFromHydrant",
- "TemplateSync": "On"
- },
- "Templates": {
- "AutoEnrollment - ECDSA": {
- "ProductID": "AutoEnrollment - ECDSA",
- "Parameters": {
- "ValidityPeriod": "Years",
- "ValidityUnits": 1
- }
- },
- "AutoEnrollment - ECDSA - 7 Day": {
- "ProductID": "AutoEnrollment - ECDSA - 7 Day",
- "Parameters": {
- "ValidityPeriod": "Days",
- "ValidityUnits": 7
- }
- },
- "AutoEnrollment - RSA": {
- "ProductID": "AutoEnrollment - RSA",
- "Parameters": {
- "ValidityPeriod": "Years",
- "ValidityUnits": 1
- }
- },
- "AutoEnrollment - RSA - 7 Day": {
- "ProductID": "AutoEnrollment - RSA - 7 Day",
- "Parameters": {
- "ValidityPeriod": "Days",
- "ValidityUnits": 7
- }
- }
- },
- "CertificateManagers": null,
- "GatewayRegistration": {
- "LogicalName": "HydrantId",
- "GatewayCertificate": {
- "StoreName": "CA",
- "StoreLocation": "LocalMachine",
- "Thumbprint": "3c97cbb4491fc8d63d12b4890c28548164198edb"
- }
- },
- "ServiceSettings": {
- "ViewIdleMinutes": 1,
- "FullScanPeriodHours": 1,
- "PartialScanPeriodMinutes": 1
- }
-}
\ No newline at end of file
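Review bot: with SampleConfig.json gone, the `TemplateSync` CAConnection setting it carried is no longer documented in the new README or configuration.md; if the net6.0 plugin still reads it, add it to the CA Connection fields, otherwise state that it was removed. Dropping the sample also removes a hard-coded `GatewayCertificate` thumbprint and a Security block granting `ADMINISTRATOR` to the `SVC_AppPool` and `SVC_TimerService` accounts, which is an improvement over shipping those as defaults.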
diff --git a/TemplateSecurity/CaTemplateUserSecurity.csv b/TemplateSecurity/CaTemplateUserSecurity.csv
deleted file mode 100644
index 6a5fba8..0000000
--- a/TemplateSecurity/CaTemplateUserSecurity.csv
+++ /dev/null
@@ -1,7 +0,0 @@
-UserName,Rights
-Authenticated Users,GenericAll
-kftrain\Administrator,GenericAll
-keyfactor\Domain Admins,GenericAll
-keyfactor\Domain Users,GenericAll
-keyfactor\Domain Computers,GenericAll
-keyfactor\Enterprise Admins,GenericAll
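Review bot: removing CaTemplateUserSecurity.csv is the right call on its own: it granted `GenericAll` to `Authenticated Users`, `Domain Users` and `Domain Computers`, which gives every account in the forest full control of the template rather than enroll rights alone. If a template security sample is still needed for the REST gateway docs, scope it to the enrollment service account and the CA administrators group only.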
diff --git a/Templates/AutoEnrollment - RSA - 7 Day.json b/Templates/AutoEnrollment - RSA - 7 Day.json
deleted file mode 100644
index 18392d8..0000000
--- a/Templates/AutoEnrollment - RSA - 7 Day.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "Id": 999999,
- "CommonName": "AutoEnrollment - RSA - 7 Day",
- "TemplateName": "AutoEnrollment - RSA - 7 Day",
- "Oid": "Replace OID",
- "KeySize": "2048",
- "KeyType": "RSA",
- "ForestRoot": "keyfactor.lab",
- "FriendlyName": "Replace Friendly Name",
- "KeyRetention": "AfterExpiration",
- "KeyRetentionDays": 55,
- "KeyArchival": false,
- "EnrollmentFields": [
- {
- "Id": 2222961,
- "Name": "Validity Period",
- "Options": [
- "Years",
- "Days",
- "Months"
- ],
- "DataType": 2
- },
- {
- "Id": 2222962,
- "Name": "Validity Units",
- "Options": [
- ""
- ],
- "DataType": 1
- }
- ],
- "AllowedEnrollmentTypes": 7,
- "TemplateRegexes": [],
- "UseAllowedRequesters": false,
- "AllowedRequesters": [],
- "DisplayName": "Replace Display Name"
-}
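Review bot: this was the only sample showing the `Validity Period` and `Validity Units` enrollment fields that step 4 of the new README asks operators to define, and it has no `RenewalDays` field even though that step now lists it; since the file is deleted rather than updated, consider adding a current example in docsource so the three enrollment fields, their data types and option values are not left to guesswork.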
diff --git a/Templates/AutoEnrollment - RSA.json b/Templates/AutoEnrollment - RSA.json
deleted file mode 100644
index 5f37b20..0000000
--- a/Templates/AutoEnrollment - RSA.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "Id": 999999,
- "CommonName": "AutoEnrollment - RSA",
- "TemplateName": "AutoEnrollment - RSA",
- "Oid": "Replace OID",
- "KeySize": "2048",
- "KeyType": "RSA",
- "ForestRoot": "keyfactor.lab",
- "FriendlyName": "Replace Friendly Name",
- "KeyRetention": "AfterExpiration",
- "KeyRetentionDays": 55,
- "KeyArchival": false,
- "EnrollmentFields": [],
- "AllowedEnrollmentTypes": 7,
- "TemplateRegexes": [],
- "UseAllowedRequesters": false,
- "AllowedRequesters": [],
- "DisplayName": "Replace Display Name"
-}
\ No newline at end of file
diff --git a/docsource/configuration.md b/docsource/configuration.md
new file mode 100644
index 0000000..41a0756
--- /dev/null
+++ b/docsource/configuration.md
@@ -0,0 +1,171 @@
+## Overview
+
+HydrantId operates a PKI-as-a-service platform for customers around the globe. The AnyGateway solution for HydrantId allows Keyfactor Command to perform:
+
+- **CA Sync**:
+ - Download all certificates issued by connected Enterprise-tier CAs in HydrantId (full sync).
+- **Certificate Enrollment**:
+ - Support certificate enrollment (new keys/certificate).
+ - Intelligent handling of Renewal vs Reissue based on certificate expiration.
+- **Certificate Revocation**:
+ - Request revocation of previously issued certificates with mapped revocation reasons.
+
+---
+
+## Requirements
+
+### 🔐 HydrantID API Key Setup Guide
+
+This guide explains how to generate and use an API Key ID and Secret in HydrantID for authenticated API access.
+
+#### 📍 Where to Find API Key Management
+
+1. **Log in** to your HydrantID instance.
+ - Example: https://acm-stage.hydrantid.com
+2. Click your **user profile icon** (top right) and select **"Profile"**.
+3. In the **Profile** page, scroll to the section labeled `API Keys`.
+
+#### ➕ Add a New API Key
+
+1. Click **"ADD API KEY"** (top right of the API Keys section).
+2. A new API Key will be generated with:
+ - A unique **API ID**
+ - A **Secret API Key** — copy it immediately as it is only shown once.
+
+#### 🧾 Notes on API Keys
+
+- **ID** = what you'll pass in the HAWK `id` field
+- **Key** = secret used to generate HAWK signature
+- Each key shows `Created` and `Last Used` timestamps for traceability
+
+#### 🔐 Using the API ID and Key with HAWK
+
+HydrantID uses [HAWK Authentication](https://github.com/hueniverse/hawk) to secure its API.
+
+##### Required Fields in Authorization Header:
+```text
+Hawk id="API_ID", ts="TIMESTAMP", nonce="RANDOM", mac="HMAC_SIGNATURE"
+```
+
+Each HTTP request dynamically constructs a HAWK header using:
+- API ID
+- Secret API Key
+- Current timestamp
+- Cryptographically random nonce
+- SHA-256 algorithm
+
+### Root CA Configuration
+
+Both the Keyfactor Command and AnyCA Gateway REST servers must trust the root CA, and any applicable intermediate CAs for HydrantID.
+
+Refer to:
+- [Ubuntu - Managing CA certificates](https://ubuntu.com/server/docs/install-a-root-ca-certificate-in-the-trust-store)
+- [RHEL 9 - Using shared system certificates](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/securing_networks/using-shared-system-certificates_securing-networks#using-shared-system-certificates_securing-networks)
+- [Fedora - Using Shared System Certificates](https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/)
+
+---
+
+## Gateway Registration
+
+The Gateway Registration tab configures the root or issuing CA certificate for the respective CA in HydrantId.
+The certificate selected here should match the issuing CA identified in the [Root CA Configuration](#root-ca-configuration) step.
+
+---
+
+## Certificate Template Creation Step
+
+Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required.
+
+Naming Recommendations:
+- Each Certificate Profile should be named after its Product ID.
+
+Behavior:
+- The plugin maps HydrantID Policy Names directly to Product IDs in the Gateway Portal.
+
+Example:
+| GCP CAS Template | Product ID |
+|:------------------|:-----------|
+| `ServerAuth` | ServerAuth |
+| `ClientAuth` | ClientAuth |
+
+Selecting "Default" bypasses specifying a template.
+
+---
+
+# Mechanics
+
+## Enrollment/Renewal/Reissuance
+
+All certificate enrollment operations are submitted as "new" requests. However, the plugin supports intelligent handling:
+
+- **New Enrollment**:
+ - Submits a new CSR against the selected HydrantId Policy.
+- **Renewal vs Reissue**:
+ - Uses the prior certificate's serial number (`PriorCertSN`) to retrieve the existing certificate.
+ - Compares the expiration date against the current time.
+ - If expiration is **within** `RenewalDays` (default 30 days): Submit a **Renewal** request.
+ - If expiration is **outside** `RenewalDays`: Submit a **Reissue** request (new CSR, same policy).
+
+Template parameters:
+| Parameter | Purpose |
+|:---|:---|
+| `RenewalDays` | Number of days before expiration considered a renewal window |
+| `ValidityPeriod` | Period length (Days/Months/Years) |
+| `ValidityUnits` | Value for the chosen period type |
+
+## Certificate Synchronization
+
+The plugin uses the `/api/v2/certificates` endpoint to perform full synchronization:
+
+- **Paging**:
+ - Fetches certificates in batches of 100 (default page size).
+- **Filtering**:
+ - Only certificates with statuses `Generated` or `Revoked` are processed.
+- **Retry Logic**:
+ - Up to **5 retry attempts** are made on API failures during synchronization before failing the job.
+- **Certificate Parsing**:
+ - PEM chains are split into individual certificates.
+
+> Note: HydrantId's API does not allow filtering certificates by CA, so all certificates from the tenant are synced.
+
+## Certificate Revocation
+
+Revocation requests are sent via a PATCH to the `/api/v2/certificates/{id}` endpoint.
+
+**Mapped Revocation Reasons**:
+
+| Keyfactor Reason (RFC 5280) | HydrantID Reason |
+|:---|:---|
+| 0 (Unspecified) | Unspecified |
+| 1 (KeyCompromise) | KeyCompromise |
+| 2 (CACompromise) | CACompromise |
+| 3 (AffiliationChanged) | AffiliationChanged |
+| 4 (Superseded) | Superseded |
+| 5 (CessationOfOperation) | CessationOfOperation |
+| 6 (CertificateHold) | CertificateHold |
+| 8 (RemoveFromCRL) | RemoveFromCRL |
+| 9 (PrivilegeWithdrawn) | PrivilegeWithdrawn |
+| 10 (AACompromise) | AACompromise |
+
+## Connection Information Validation
+
+The following fields are required when connecting the Gateway to HydrantId:
+
+- `HydrantIdBaseUrl`
+- `HydrantIdAuthId`
+- `HydrantIdAuthKey`
+
+Missing or empty fields will cause the plugin initialization to fail.
+
+---
+
+# Additional Notes
+
+- After enrollment, the plugin polls HydrantId's `/csr/{id}/certificate` endpoint for up to **30 seconds** to retrieve the newly issued certificate.
+- If the certificate is still unavailable, the enrollment will be marked **Pending** in Command and should be retried.
+- The plugin uses the Keyfactor standard logging infrastructure (`Keyfactor.Logging`).
+
+# 📌 Related Documentation
+
+- [HAWK Authentication Specification](https://github.com/hueniverse/hawk)
+- [HydrantID API Documentation](https://support.hydrantid.com/hc/en-us)
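Review bot: the table under "Certificate Template Creation Step" is headed `GCP CAS Template`, but the "Behavior" bullet just above says the plugin maps HydrantID Policy Names to Product IDs; rename the column (for example `HydrantID Policy Name`) and use HydrantId policy names instead of the `ServerAuth`/`ClientAuth` GCP examples. The Root CA Configuration section links only Linux trust-store documentation while README.md also covers Windows; mirror that here. Under "Using the API ID and Key with HAWK", the header carries a `ts` value, so add that the gateway host clock must stay in sync with HydrantID or requests will be rejected as stale, and that `HydrantIdAuthKey` must be held as a secret since it is the HMAC key. In Additional Notes, "should be retried" after a **Pending** result does not say who retries; state whether Command re-polls automatically or the operator must resubmit. The revocation mapping correctly skips value 7, which RFC 5280 does not define.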
diff --git a/integration-manifest.json b/integration-manifest.json
index 7699ddc..156497f 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -1,12 +1,44 @@
{
- "$schema": "https://keyfactor.github.io/integration-manifest-schema.json",
- "integration_type": "ca-gateway",
- "name": "HydrantId",
- "status": "production",
- "description": "HydrantId operates a PKI as a service platform for customers around the globe. The AnyGateway solution for HydrantId is designed to allow Keyfactor Command the ability to: - Sync certificates issued from the CA - Request new certificates from the CA - Revoke certificates directly from Keyfactor Command -Renew or Reissue Certificates from the CA",
- "link_github": true,
- "update_catalog": true,
- "support_level": "kf-supported",
- "release_dir": "HydrantIdProxy/src/HydrantIdProxy/bin/Release"
-
-}
+ "$schema": "https://keyfactor.github.io/v2/integration-manifest-schema.json",
+ "name": "HydrantId AnyCA REST plugin",
+ "release_dir": "HydrantCAProxy/bin/Release/net6.0",
+ "description": "AnyCA Gateway REST plugin that extends HydrantId Certificate Authority Service to Keyfactor Command",
+ "status": "production",
+ "integration_type": "anyca-plugin",
+ "support_level": "kf-supported",
+ "link_github": true,
+ "update_catalog": true,
+ "gateway_framework": "24.2",
+ "about": {
+ "carest": {
+ "ca_plugin_config": [
+ {
+ "name": "HydrantIdBaseUrl",
+ "description": "The Base URL For the HydrantId Endpoint similar to https://acm-stage.hydrantid.com. Get this from HydrantId."
+ },
+ {
+ "name": "HydrantIdAuthId",
+ "description": "The AuthId Obtained from HydrantId."
+ },
+ {
+ "name": "HydrantIdAuthKey",
+ "description": "The AuthKey Obtained from HydrantId."
+ }
+ ],
+ "enrollment_config": [
+ {
+ "name": "ValidityPeriod",
+ "description": "The desired lifetime time period could be Days, Months or Years."
+ },
+ {
+ "name": "ValidityUnits",
+ "description": "The desired lifetime time value some number indicating days, months or years."
+ },
+ {
+ "name": "RenewalDays",
+ "description": "The window that determines whether it is a renewal vs a re-issue."
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
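Review bot: the `RenewalDays` description in `enrollment_config` ("The window that determines whether it is a renewal vs a re-issue") gives neither the unit nor the direction of the window; say explicitly that the value is a number of days and whether it is measured before the current certificate's expiry, and which outcome applies inside versus outside the window. The `ValidityPeriod`/`ValidityUnits` descriptions are also hard to parse ("The desired lifetime time period", "time value some number"); suggest "The unit of the requested validity: Days, Months or Years" and "The number of ValidityPeriod units requested, e.g. 7 for seven days". Finally, the file still ends without a trailing newline (`\ No newline at end of file`); add one.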
diff --git a/readme_source.md b/readme_source.md
index 1771e70..e7b6074 100644
--- a/readme_source.md
+++ b/readme_source.md
@@ -1,179 +1,221 @@
-***
-# Getting Started
-## Standard Gateway Installation
-To begin, you must have the CA Gateway Service 21.3.2 installed and operational before attempting to configure the HydrantId plugin. This integration was tested with Keyfactor 9.3.0.0.
-To install the gateway follow these instructions.
+## Overview
-1) Gateway Server - run the installation .msi obtained from Keyfactor
+The [Google Cloud Platform (GCP) CA Services (CAS)](https://cloud.google.com/security/products/certificate-authority-service) AnyCA Gateway DCOM plugin extends the capabilities of connected GCP CAS CAs to [Keyfactor Command](https://www.keyfactor.com/products/command/) via the Keyfactor AnyCA Gateway DCOM. The plugin represents a fully featured AnyCA DCOM Plugin with the following capabilies:
-2) Gateway Server - If you have the rights to install the database (usually in a Non SQL PAAS Environment) Using Powershell, run the following command to create the gateway database.
+* CA Sync:
+ * Download all certificates issued by connected Enterprise tier CAs in GCP CAS (full sync).
+ * Download all certificates issued by connected Enterprise tier CAs in GCP CAS issued after a specified time (incremental sync).
+* Certificate enrollment for all published GoDaddy Certificate SKUs:
+ * Support certificate enrollment (new keys/certificate).
+* Certificate revocation:
+ * Request revocation of a previously issued certificate.
- **SQL Server Windows Auth**
- ```
- %InstallLocation%\DatabaseManagementConsole.exe create -s [database server name] -d [database name]
- ```
- Note if you are using SQL Authentication, then you need to run
-
- **SQL Server SQL Authentication**
+> The GCP CAS AnyCA Gateway DCOM plugin is **not** supported for [DevOps Tier](https://cloud.google.com/certificate-authority-service/docs/tiers) Certificate Authority Pools.
+>
+> DevOps tier CA Pools don't offer listing, describing, or revoking certificates.
- ```
- %InstallLocation%\DatabaseManagementConsole.exe create -s [database server name] -d [database name] -u [sql user] -p [sql password]
- ```
+## Compatibility
- If you do **not** have rights to created the database then have the database created ahead of time by the support team and just populate the database
+This AnyGateway is designed to be used with version 24.2 of the Keyfactor AnyCA Gateway DCOM Framework.
- ## Populate commands below
+## Requirements
- **Windows Authentication**
+### Application Default Credentials
- ```
- %InstallLocation%\DatabaseManagementConsole.exe populate -s [database server name] -d [database name]
- ```
+The GCP CAS AnyCA Gateway DCOM plugin connects to and authenticates with GCP CAS implicitly using [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials). This means that all authentication-related configuration of the GCP CAS AnyCA Gateway REST plugin is implied by the environment where the AnyCA Gateway REST itself is running.
- **SQL Server SQL Authentication**
+Please refer to [Google's documentation](https://cloud.google.com/docs/authentication/provide-credentials-adc) to configure ADC on the server running the AnyCA Gateway REST.
- ```
- %InstallLocation%\DatabaseManagementConsole.exe populate -s [database server name] -d [database name] -u [sql user] -p [sql password]
- ```
+> The easiest way to configure ADC for non-production environments is to use [User Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-dev).
+>
+> For production environments that use an ADC method requiring the `GOOGLE_APPLICATION_CREDENTIALS` environment variable, you must ensure the following:
+>
+> 1. The service account that the AnyCA Gateway REST runs under must have read permission to the GCP credential JSON file.
+> 2. You must set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable for the Windows Service running the AnyCA Gateway REST using the [Windows registry editor](https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users).
+> * Refer to the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment](https://learn.microsoft.com/en-us/windows/win32/procthread/environment-variables) docs.
-3) Gateway Server - run the following Powershell to import the Cmdlets
+If the selected ADC mechanism is [Service Account Key](https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif-key), it's recommended that a [custom role is created](https://cloud.google.com/iam/docs/creating-custom-roles) that has the following minimum permissions:
- C:\Program Files\Keyfactor\Keyfactor AnyGateway\ConfigurationCmdlets.dll (must be imported into Powershell)
- ```ps
- Import-Module C:\Program Files\Keyfactor\Keyfactor AnyGateway\ConfigurationCmdlets.dll
- ```
+* `privateca.certificateTemplates.list`
+* `privateca.certificateTemplates.use`
+* `privateca.certificateAuthorities.get`
+* `privateca.certificates.create`
+* `privateca.certificates.get`
+* `privateca.certificates.list`
+* `privateca.certificates.update`
+* `privateca.caPools.get`
-4) Gateway Server - Run the Following Powershell script to set the gateway encryption cert
+> The built-in CA Service Operation Manager `roles/privateca.caManager` role can also be used, but is more permissive than a custom role with the above permissions.
- ### Set-KeyfactorGatewayEncryptionCert
- This cmdlet will generate a self-signed certificate used to encrypt the database connection string. It populates a registry value with the serial number of the certificate to be used. The certificate is stored in the LocalMachine Personal Store and the registry key populated is:
+### Root CA Configuration
- ```HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvcProxy\Parameters\EncryptSerialNumber```
- No parameters are required to run this cmdlet.
+Both the Keyfactor Command and AnyCA Gateway DCOM servers must trust the root CA, and if applicable, any subordinate CAs for all features to work as intended. Download the CA Certificate (and chain, if applicable) from GCP [CAS](https://console.cloud.google.com/security/cas), and import them into the appropriate certificate store on the AnyCA Gateway DCOM server.
-5) Gateway Server - Run the following Powershell Script to Set the Database Connection
+* **Windows** - The root CA and applicable subordinate CAs must be imported into the Windows certificate store. The certificates can be imported using the Microsoft Management Console (MMC) or PowerShell.
+ * Certificates can be imported in MMC by "File" -> "Add/Remove Snap-in" -> "Certificates" -> "Add >" -> "Computer account" -> "Local computer".
+ * Root CAs must go in the `Trusted Root Certification Authorities` certificate store.
+ * Subordinate CAs must go in the `Intermediate Certification Authorities` certificate store.
- ### Set-KeyfactorGatewayDatabaseConnection
- This cmdlet will set and encrypt the database connection string used by the AnyGateway service.
+> If the Root CA and chain are not known by the server hosting the AnyCA Gateway DCOM, the certificate chain _may not_ be returned to Command in certificate enrollment requests.
- **Windows Authentication**
- ```ps
- Set-KeyfactorGatewayDatabaseConnection -Server [db server name] -Database [database name]
- ```
+### Template Identification
- **SQL Authentication**
- ```ps
- $KeyfactorCredentials = Get-Credentials
- Set-KeyfactorGatewayDatabaseConnection -Server [db server name] -Database [database name] -Account [$KeyfactorCredentials]
- ```
-## Standard Gateway Configuration Finished
----
+The GCP CAS AnyCA Gateway DCOM plugin supports [GCP CAS Certificate Templates](https://cloud.google.com/certificate-authority-service/docs/policy-controls). Certificate Templates exist at the Project level in GCP. Before installing the plugin, identify the [Certificate Templates](https://console.cloud.google.com/security/cas) that you want to make available to Keyfactor Command and [create Certificate Templates in AD](https://software.keyfactor.com/Guides/AnyGateway_Generic/Content/AnyGateway/Preparing_Templates.htm).
+> Certificate Templates in GCP are not required. The plugin will not specify a template for the [CreateCertificate RPC](https://cloud.google.com/certificate-authority-service/docs/reference/rpc/google.cloud.security.privateca.v1#google.cloud.security.privateca.v1.CertificateAuthorityService.CreateCertificate) if the `ProductId` (discussed later) is set to `Default`.
-## HydrantId AnyGateway Specific Configuration
-It is important to note that importing the HydrantId configuration into the CA Gateway after installing the binaries must be completed. Additionally, the CA Gateway service
-must be running in order to succesfully import the configuation. When the CA Gateway service starts it will attempt to validate the connection information to
-the CA. Without the imported configuration, the service will fail to start.
+## Installation
-### Binary Installation
+1. Install AnyCA Gateway DCOM v24.2 per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyGateway_Generic/Content/AnyGateway/Introduction.htm).
-1) Get the Latest Zip File from [Here](https://github.com/Keyfactor/hydrantid-cagateway/releases/)
-2) Gateway Server - Copy the HawkNet.dll, The HydrantIdProxy.dll and the HydrantIdProxy.dll.config to the location where the Gateway Framework was installed (usually C:\Program Files\Keyfactor\Keyfactor AnyGateway)
+2. Download the [latest GCP CAS AnyCA Gateway DCOM plugin assemblies](https://github.com/Keyfactor/gcp-cloud-cagateway/releases/latest).
-### Configuration Changes
-1) Gateway Server - Edit the CAProxyServer.exe.config file and replace the line that says "NoOp" with the line below:
- ```
-
- ```
-2) Gateway Server - Install the Root HydrantId Certificate that was received from HydrantId
+3. Copy `*.dll` to the `C:\Program Files\Keyfactor\Keyfactor AnyGateway` directory.
-3) Gateway Server - Install the Intermediate HydrantId Certificate that was received from HydrantId
+4. Update the `CAProxyServer.config` file.
+ 1. Update the `$.configuration.unity.CAConnector` section to point at the `GoogleCAProxy` class.
-4) Gateway Server - Take the sample Config.json located [Here](https://github.com/Keyfactor/hydrantid-cagateway/raw/main/SampleConfig.json) and make the following modifications
+ ```xml
+
+ ```
-- *Security Settings Modifications* (Swap this out for the typical Gateway Security Settings for Test or Prod)
+ 2. Modify the `Newtonsoft.Json` `bindingRedirect` to redirect versions from `0.0.0.0-13.0.0.0` to `12.0.0.0`.
+ ```xml
+
+
+
+
+ ```
+
+ 3. Add a `bindingRedirect` for `Google.Apis.Auth` to redirect versions from `0.0.0.0-1.67.0.0` to `1.67.0.0`.
+
+ ```xml
+
+
+
+
+ ```
+
+ 4. Add a `bindingRedirect` for `System.Memory` to redirect versions from `0.0.0.0-4.0.1.2` to `4.0.1.1`.
+
+ ```xml
+
+
+
+
+ ```
+
+ > Depending on additional environment-specific factors, additional binding redirects may need to be applied to `CAProxyServer.config`.
+
+## Configuration
+The following sections will breakdown the required configurations for the AnyGatewayConfig.json file that will be imported to configure the Google CA.
+
+### Templates
+
+As discussed in the [Template Identification](#template-identification), the GCP CAS AnyCA Gateway DCOM plugin supports [GCP CAS Certificate Templates](https://cloud.google.com/certificate-authority-service/docs/policy-controls). The Keyfactor AnyCA Gateway DCOM maps [AD Certificate Templates](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-template-concepts) to GCP Certificate Templates via the `ProductID` property in the `Templates` section of configuration files.
+
+_At least one_ Certificate Template must be defined in this section with the `ProductID` set to `Default`. This Product ID corresponds to no Certificate Template for the [CreateCertificate RPC](https://cloud.google.com/certificate-authority-service/docs/reference/rpc/google.cloud.security.privateca.v1#google.cloud.security.privateca.v1.CertificateAuthorityService.CreateCertificate).
+
+Subsequent Certificate Templates should set the `ProductID` to the Certificate Template ID in GCP CAS.
+
+```json
+"Templates": {
+ "GCPCASDefault": {
+ "ProductID": "Default",
+ "Parameters": {
+ "Lifetime": "300", /* Certificate validity in days */
+ }
+ }
+}
```
- "Security": {
- "KEYFACTOR\\administrator": {
- "READ": "Allow",
- "ENROLL": "Allow",
- "OFFICER": "Allow",
- "ADMINISTRATOR": "Allow"
+
+> The `Lifetime` key should be added as a Custom Enrollment Parameter/Field for each Certificate Template in Keyfactor Command per the [official Keyfactor documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Configuring%20Template%20Options.htm).
+
+## Security
+
+Refer to the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyGateway_Generic/Content/AnyGateway/cmdlets.htm) to configure the `Security` section. The following is provided as an example.
+
+```json
+/* Grant permissions on the CA to users or groups in the local domain.
+ READ: Enumerate and read contents of certificates.
+ ENROLL: Request certificates from the CA.
+ OFFICER: Perform certificate functions such as issuance and revocation. This is equivalent to "Issue and Manage" permission on the Microsoft CA.
+ ADMINISTRATOR: Configure/reconfigure the gateway.
+
+ Valid permission settings are "Allow", "None", and "Deny".
+*/
+"Security": {
+ "Keyfactor\\Administrator": {
+ "READ": "Allow",
+ "ENROLL": "Allow",
+ "OFFICER": "Allow",
+ "ADMINISTRATOR": "Allow"
},
- "KEYFACTOR\\SVC_AppPool": {
- "READ": "Allow",
- "ENROLL": "Allow",
- "OFFICER": "Allow",
- "ADMINISTRATOR": "Allow"
+ "Keyfactor\\gateway_test": {
+ "READ": "Allow",
+ "ENROLL": "Allow",
+ "OFFICER": "Allow",
+ "ADMINISTRATOR": "Allow"
+ },
+ "Keyfactor\\SVC_TimerService": {
+ "READ": "Allow",
+ "ENROLL": "Allow",
+ "OFFICER": "Allow",
+ "ADMINISTRATOR": "None"
},
- "KEYFACTOR\\SVC_TimerService": {
- "READ": "Allow",
- "ENROLL": "Allow",
- "OFFICER": "Allow",
- "ADMINISTRATOR": "Allow"
+ "Keyfactor\\SVC_AppPool": {
+ "READ": "Allow",
+ "ENROLL": "Allow",
+ "OFFICER": "Allow",
+ "ADMINISTRATOR": "Allow"
}
+}
```
-- *Hydrant Environment Settings* (Modify these with the keys and Urls obtained from HydrantId)
+
+## CAConnection
+
+The `CAConnection` section selects the GCP Project/CA Pool/CA whose certificate operations will be extended to Keyfactor. There are three required fields.
+
+* `ProjectId` - The Resource ID of the project that contains the Google CA Service.
+* `LocationId` - The GCP location ID where the project containing the target GCP CAS CA is located. For example, 'us-central1'.
+* `CAPoolId` - The CA Pool ID in GCP CAS to use for certificate operations. If the CA Pool has resource name `projects/my-project/locations/us-central1/caPools/my-pool`, this field should be set to `my-pool`.
+* `CAId` (optional) - The CA ID of a CA in the same CA Pool as CAPool. For example, to issue certificates from a CA with resource name `projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca`, this field should be set to `my-ca`.
+
+```json
+"CAConnection": {
+ "LocationId": "us-east1",
+ "ProjectId": "concise-frame-296019",
+ "CAPoolId":"gcp-test-pool",
+ "CAId":"ca-enterprise-subordinate-sandbox-tls"
+}
```
- "CAConnection": {
- "HydrantIdBaseUrl": "https://acm-stage.hydrantid.com",
- "AuthId": "SomeAuthId",
- "AuthKey": "SomeAuthPassword",
- "TemplateSync": "On"
+
+> If `CAId` is not specified, CA selection will defer to GCP CAS - a CA in the CA Pool identified by `CAPoolId` will be selected automatically.
+
+## GatewayRegistration
+
+There are no Google Specific Changes for the GatewayRegistration section. Refer to the Keyfactor AnyGateway Documentation for more detail on required changed to support the AnyCA Gateway
+
+```json
+ "GatewayRegistration": {
+ "LogicalName": "GoogleCASandbox",
+ "GatewayCertificate": {
+ "StoreName": "CA",
+ "StoreLocation": "LocalMachine",
+ "Thumbprint": "bc6d6b168ce5c08a690c15e03be596bbaa095ebf"
+ }
}
```
-- *Service Settings* (Modify these to be in accordance with Keyfactor Standard Gateway Production Settings)
-```
+## ServiceSettings
+
+There are no Google Specific Changes for the GatewayRegistration section. Refer to the Keyfactor AnyGateway Documentation for more detail on required changed to support the AnyCA Gateway
+
+```json
"ServiceSettings": {
- "ViewIdleMinutes": 1,
+ "ViewIdleMinutes": 8,
"FullScanPeriodHours": 1,
- "PartialScanPeriodMinutes": 1
+ "PartialScanPeriodMinutes": 60
}
```
-
-5) Gateway Server - Save the newly modified config.json to the following location "C:\Program Files\Keyfactor\Keyfactor AnyGateway"
-
-### Template Installation
-
-The Template section will map the CA's products to an AD template.
-* ```ProductID```
-This is the ID of the HydrantId product to map to the specified template. If you don't know the available product IDs in your Hydrant account, put a placeholder value here and run the Set-KeyfactorGatewayConfig cmdlet according to the AnyGateway documentation. The list of available product IDs will be returned.
-* ```ValidityPeriod```
-REQUIRED: The period to use when requesting certs. It could be, Days, Months, Years depending on the Template.
-* ```ValidityUnits```
-REQUIRED: The numeric value corresponding to the ValidityPeriod. For years 1 would be 1 year, for days 7 would be 7 days.
-
- ```json
- "Templates": {
- "AutoEnrollment - RSA": {
- "ProductID": "AutoEnrollment - RSA",
- "Parameters": {
- "ValidityPeriod": "Years",
- "ValidityUnits": 1
- }
- },
- "AutoEnrollment - RSA - 7 Day": {
- "ProductID": "AutoEnrollment - RSA - 7 Day",
- "Parameters": {
- "ValidityPeriod": "Days",
- "ValidityUnits": 7
- }
- }
- }
- ```
-
-### Certificate Authority Installation
-1) Gateway Server - Start the Keyfactor Gateway Service
-2) Run the set Gateway command similar to below
-```ps
-Set-KeyfactorGatewayConfig -LogicalName "HydrantId" -FilePath [path to json file] -PublishAd
-```
-3) Command Server - Import the certificate authority in Keyfactor Portal
-
-
-***
-
-### License
-[Apache](https://apache.org/licenses/LICENSE-2.0)
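Review bot: the replacement `readme_source.md` documents a different plugin, not HydrantId. The new Overview describes the Google Cloud Platform CA Services AnyCA Gateway DCOM plugin and even lists "Certificate enrollment for all published GoDaddy Certificate SKUs"; Requirements covers Application Default Credentials and `privateca.*` IAM permissions; Installation points at the `GoogleCAProxy` class and the `gcp-cloud-cagateway` releases; CAConnection documents `ProjectId`/`LocationId`/`CAPoolId`/`CAId`; and the Templates section uses a `Lifetime` parameter, whereas `integration-manifest.json` in this same change declares `HydrantIdBaseUrl`, `HydrantIdAuthId`, `HydrantIdAuthKey`, `ValidityPeriod`, `ValidityUnits` and `RenewalDays`. This reads as a template copied from another repository; rewrite it against the HydrantId plugin (HAWK-authenticated HydrantId endpoint, the CSR polling and Pending behaviour described in the README hunk above) before merging. Smaller points in the same text: the manifest sets `integration_type` to `anyca-plugin` with `gateway_framework` 24.2 (the REST framework) while this file alternates between "AnyCA Gateway DCOM" and "AnyCA Gateway REST" in the same paragraph; the ServiceSettings section repeats the GatewayRegistration paragraph verbatim, including "required changed to support"; the `xml` fences under step 4 are empty; the Templates sample has a trailing comma after the `Lifetime` entry plus a `/* */` comment, so it is not valid JSON as shown; and the License section linking to Apache-2.0 is removed with no replacement, so the license reference should be restored or the removal justified.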