From f842ba1100ad613cbf9a5ed98802246d8b383b0b Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 10 Jan 2024 19:22:32 +0000 Subject: [PATCH 01/14] Update generated README --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 070bddb..f992025 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,11 @@ Csc Global operates a PKI as a service platform for customers around the globe. This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. +## Support for CSC Global +CSC Global + +###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. --- From 024085c2d2b118e418751be57fad9250095c0373 Mon Sep 17 00:00:00 2001 
From: Mikey Henderson Date: Thu, 11 Jan 2024 05:47:57 -0800 Subject: [PATCH 02/14] Add CName support (#15) * Newrel (#5) * Update SampleConfig.json * Update CreateTemplate.ps1 * Cname (#7) * Fix Meta Data Sync Issue * Syncfixes (#10) * Fixed Sync Issue that Impacts all clients * Update CHANGELOG.md * Sync Troubleshooting * Simplified Syncing process * New Templates Added * Update SampleConfig.json * Update readme_source.md * Update generated README * Update readme_source.md * Update generated README * Update readme_source.md * Update generated README * Sample Workflow * Update README.md * Update generated README * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md --------- Co-authored-by: Keyfactor * Jsonupdates (#11) * Template Install Updates for New Templates * Update generated README * Update generated README * Fix issue with CSC CNAME auto validation, have to add headers to CSR. (#13) * Fix issue with CSC CNAME auto validation, have to add headers to CSR. * Update Change Log * update to bootstrap workflow * Update generated README * Update changelog --------- Co-authored-by: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com> Co-authored-by: Keyfactor Co-authored-by: Michael Henderson --- .../keyfactor-bootstrap-workflow.yml | 19 +++++++++ .../workflows/keyfactor-starter-workflow.yml | 42 ------------------- CHANGELOG.md | 4 ++ CscGlobalCaProxy/RequestManager.cs | 24 +++++++++-- README.md | 2 +- integration-manifest.json | 16 +++---- 6 files changed, 54 insertions(+), 53 deletions(-) create mode 100644 .github/workflows/keyfactor-bootstrap-workflow.yml delete mode 100644 .github/workflows/keyfactor-starter-workflow.yml diff --git a/.github/workflows/keyfactor-bootstrap-workflow.yml b/.github/workflows/keyfactor-bootstrap-workflow.yml new file mode 100644 index 0000000..6d8de53 --- /dev/null +++ b/.github/workflows/keyfactor-bootstrap-workflow.yml 
@@ -0,0 +1,19 @@ +name: Keyfactor Bootstrap Workflow + +on: + workflow_dispatch: + pull_request: + types: [opened, closed, synchronize, edited, reopened] + push: + create: + branches: + - 'release-*.*' + +jobs: + call-starter-workflow: + uses: keyfactor/actions/.github/workflows/starter.yml@v2 + secrets: + token: ${{ secrets.V2BUILDTOKEN}} + APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} + gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} + gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml deleted file mode 100644 index 0aad6f0..0000000 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ /dev/null 
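Review bot: The reusable workflow is referenced as `keyfactor/actions/.github/workflows/starter.yml@v2`, a mutable tag, while four repository secrets (V2BUILDTOKEN, APPROVE_README_PUSH, KF_GPG_PRIVATE_KEY, KF_GPG_PASSPHRASE) are handed to it, so whatever is later published under that tag runs with those secrets. Pinning to a full commit SHA with the tag kept as a trailing comment, `uses: keyfactor/actions/.github/workflows/starter.yml@<commit-sha> # v2`, makes the build reproducible and an upstream change reviewable. The `pull_request` trigger lists `closed` among its types, so the workflow also runs when a PR is closed; that may be intended for release handling but is worth confirming. Nit: `${{ secrets.V2BUILDTOKEN}}` and `${{ secrets.APPROVE_README_PUSH}}` lack the space before `}}` that the two gpg entries have.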
@@ -1,42 +0,0 @@ -name: Starter Workflow -on: [workflow_dispatch, push, pull_request] - -jobs: - call-create-github-release-workflow: - uses: Keyfactor/actions/.github/workflows/github-release.yml@main - - get-manifest-properties: - runs-on: windows-latest - outputs: - update_catalog: ${{ steps.read-json.outputs.prop }} - steps: - - uses: actions/checkout@v3 - - name: Read json - id: read-json - shell: pwsh - run: | - $json = Get-Content integration-manifest.json | ConvertFrom-Json - echo "::set-output name=prop::$(echo $json.update_catalog)" - - call-dotnet-build-and-release-workflow: - needs: [call-create-github-release-workflow] - uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main - with: - release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }} - release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }} - release_dir: CscGlobalCaProxy/bin/Release - secrets: - token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }} - - call-generate-readme-workflow: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main - secrets: - token: ${{ secrets.APPROVE_README_PUSH }} - - call-update-catalog-workflow: - needs: get-manifest-properties - if: needs.get-manifest-properties.outputs.update_catalog == 'True' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') - uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main - secrets: - token: ${{ secrets.SDK_SYNC_PAT }} diff --git a/CHANGELOG.md b/CHANGELOG.md index 17f9cf3..7753ddf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ + +v1.1.0 +- Add Support for CNAME Domain Validation + v1.0.10 - Sync Issue where Sync only works after service restart fixed - Sync Fix when errors occur in the CSC Api so next sync works diff --git a/CscGlobalCaProxy/RequestManager.cs b/CscGlobalCaProxy/RequestManager.cs index b223cdd..a86161e 100644 
--- a/CscGlobalCaProxy/RequestManager.cs +++ b/CscGlobalCaProxy/RequestManager.cs @@ -108,10 +108,20 @@ public DomainControlValidation GetDomainControlValidation(string methodType, str }; } + + public static Func Pemify = ss => + ss.Length <= 64 ? ss : ss.Substring(0, 64) + "\n" + Pemify(ss.Substring(64)); + public RegistrationRequest GetRegistrationRequest(EnrollmentProductInfo productInfo, string csr, Dictionary sans) { - var bytes = Encoding.UTF8.GetBytes(csr); + + var cert = "-----BEGIN CERTIFICATE REQUEST-----\r\n"; + cert = cert + Pemify(csr); + cert = cert + "\r\n-----END CERTIFICATE REQUEST-----"; + + + var bytes = Encoding.UTF8.GetBytes(cert); var encodedString = Convert.ToBase64String(bytes); var commonNameValidationEmail = productInfo.ProductParameters["CN DCV Email (admin@yourdomain.com)"]; var methodType = productInfo.ProductParameters["Domain Control Validation Method"]; @@ -174,7 +184,11 @@ public Notifications GetNotifications(EnrollmentProductInfo productInfo) public RenewalRequest GetRenewalRequest(EnrollmentProductInfo productInfo, string uUId, string csr, Dictionary sans) { - var bytes = Encoding.UTF8.GetBytes(csr); + var cert = "-----BEGIN CERTIFICATE REQUEST-----\r\n"; + cert = cert + Pemify(csr); + cert = cert + "\r\n-----END CERTIFICATE REQUEST-----"; + + var bytes = Encoding.UTF8.GetBytes(cert); var encodedString = Convert.ToBase64String(bytes); var commonNameValidationEmail = productInfo.ProductParameters["CN DCV Email (admin@yourdomain.com)"]; var methodType = productInfo.ProductParameters["Domain Control Validation Method"]; 
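Review bot: The PEM framing added to GetRegistrationRequest is repeated verbatim in GetRenewalRequest (the second hunk on this line) and GetReissueRequest (the next hunk), and it mixes line endings: the BEGIN/END lines use `\r\n` while `Pemify` joins its 64-character chunks with `\n`. A single private helper removes the triplication and makes the line-ending choice explicit in one place, e.g. `private static string ToPemCsr(string csr) => "-----BEGIN CERTIFICATE REQUEST-----\r\n" + Pemify(csr) + "\r\n-----END CERTIFICATE REQUEST-----";` called from all three methods. `Pemify` itself is a `public static Func` field that recursively references itself; nothing visible reassigns it, so a private static method (or a loop over the 64-character chunks) would be clearer and not mutable from outside the class. Whether the incoming `csr` is always bare base64 with no existing headers or newlines is not visible here — if it can already be PEM, this wrapper double-frames it, so that assumption deserves a comment or a guard. All three methods' bodies continue outside their hunks.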
@@ -228,7 +242,11 @@ private List GetSubjectAlternativeNames(EnrollmentProduc public ReissueRequest GetReissueRequest(EnrollmentProductInfo productInfo, string uUId, string csr, Dictionary sans) { - var bytes = Encoding.UTF8.GetBytes(csr); + var cert = "-----BEGIN CERTIFICATE REQUEST-----\r\n"; + cert = cert + Pemify(csr); + cert = cert + "\r\n-----END CERTIFICATE REQUEST-----"; + + var bytes = Encoding.UTF8.GetBytes(cert); var encodedString = Convert.ToBase64String(bytes); var commonNameValidationEmail = productInfo.ProductParameters["CN DCV Email (admin@yourdomain.com)"]; var methodType = productInfo.ProductParameters["Domain Control Validation Method"]; diff --git a/README.md b/README.md index f992025..6fa11a1 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ This repository contains an AnyGateway CA Connector, which is a plugin to the Ke ## Support for CSC Global -CSC Global +CSC Global is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. diff --git a/integration-manifest.json b/integration-manifest.json index 2fd6fdb..f56d39a 100644 --- a/integration-manifest.json +++ b/integration-manifest.json 
@@ -1,9 +1,11 @@ { - "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", - "integration_type": "ca-gateway", - "name": "CSC Global", - "status": "production", - "description": "Csc Global operates a PKI as a service platform for customers around the globe. The AnyGateway solution for CscGlobal is designed to allow Keyfactor Command the ability to: - Sync certificates issued from the CA - Request new certificates from the CA - Revoke certificates directly from Keyfactor Command", - "link_github": true, - "update_catalog": true + "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", + "integration_type": "ca-gateway", + "name": "CSC Global", + "status": "production", + "description": "Csc Global operates a PKI as a service platform for customers around the globe. The AnyGateway solution for CscGlobal is designed to allow Keyfactor Command the ability to: - Sync certificates issued from the CA - Request new certificates from the CA - Revoke certificates directly from Keyfactor Command", + "link_github": true, + "update_catalog": true, + "support_level": "kf-supported", + "release_dir": "CscGlobalCaProxy/bin/Release" } From 0dd4bf0b9fac82e19257e31363ea73b12f0c67a5 Mon Sep 17 00:00:00 2001 From: Brian Hill Date: Tue, 21 May 2024 09:22:42 -0400 Subject: [PATCH 03/14] Fix for Revoke Issue, get end entity cert only. --- CscGlobalCaProxy/CscGlobalCaProxy.cs | 87 +++++++++++++++++++++------- 1 file changed, 65 insertions(+), 22 deletions(-) diff --git a/CscGlobalCaProxy/CscGlobalCaProxy.cs b/CscGlobalCaProxy/CscGlobalCaProxy.cs index 96a8535..a595af6 100644 --- a/CscGlobalCaProxy/CscGlobalCaProxy.cs +++ b/CscGlobalCaProxy/CscGlobalCaProxy.cs 
@@ -96,27 +96,24 @@ public override void Synchronize(ICertificateDataReader certificateDataReader, if (fileContent.Length > 0) { + Logger.Trace($"File Content {fileContent}"); var certData = fileContent.Replace("\r\n", string.Empty); - var splitCerts = - certData.Split(new[] { "-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----" }, - StringSplitOptions.RemoveEmptyEntries); - foreach (var cert in splitCerts) - if (!cert.Contains(".crt")) + var certString = GetEndEntityCertificate(certData); + var currentCert = new X509Certificate2(Encoding.ASCII.GetBytes(certString)); + + if (certString.Length > 0) + { + blockingBuffer.Add(new CAConnectorCertificate { - Logger.Trace($"Split Cert Value: {cert}"); - - var currentCert = new X509Certificate2(Encoding.ASCII.GetBytes(cert)); - blockingBuffer.Add(new CAConnectorCertificate - { - CARequestID = $"{currentResponseItem?.Uuid}", - Certificate = cert, - SubmissionDate = currentResponseItem?.OrderDate == null - ? Convert.ToDateTime(currentCert.NotBefore) - : Convert.ToDateTime(currentResponseItem.OrderDate), - Status = certStatus, - ProductID = productId - }, cancelToken); - } + CARequestID = $"{currentResponseItem?.Uuid}", + Certificate = certString, + SubmissionDate = currentResponseItem?.OrderDate == null + ? Convert.ToDateTime(currentCert.NotBefore) + : Convert.ToDateTime(currentResponseItem.OrderDate), + Status = certStatus, + ProductID = productId + }, cancelToken); + } } } } 
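Review bot: `var currentCert = new X509Certificate2(Encoding.ASCII.GetBytes(certString));` runs before the `if (certString.Length > 0)` guard, and GetEndEntityCertificate (added in the next hunk) returns `string.Empty` when no end-entity certificate is found, so that path throws from the constructor on empty raw data instead of skipping the item as the guard intends. Move the construction inside the `if` block, directly above `blockingBuffer.Add(...)`, so the guard actually protects it. The enclosing Synchronize method starts and ends outside this hunk, so whether a throw here aborts the whole sync or is handled per item is not visible.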
@@ -134,6 +131,41 @@ public override void Synchronize(ICertificateDataReader certificateDataReader, Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); } + private string GetEndEntityCertificate(string certData) + { + var splitCerts = + certData.Split(new[] {"-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----"}, + StringSplitOptions.RemoveEmptyEntries); + + X509Certificate2Collection col = new X509Certificate2Collection(); + foreach (var cert in splitCerts) + { + Logger.Trace($"Split Cert Value: {cert}"); + + //skip these headers that came with the split function + if (!cert.Contains(".crt")) + { + col.Import(cert); + } + } + + Logger.Trace("Getting End Entity Certificate"); + var currentCert = CSS.PKI.X509.X509Utilities.GetEndEntityCertificate(col); + Logger.Trace("Converting to Byte Array"); + var byteArray = currentCert?.Export(X509ContentType.Cert); + Logger.Trace("Initializing empty string"); + + var certString = string.Empty; + if (byteArray != null) + { + certString = Convert.ToBase64String(byteArray); + } + + Logger.Trace($"Got certificate {certString}"); + + return certString; + } + [Obsolete] public override EnrollmentResult Enroll(string csr, string subject, Dictionary san, EnrollmentProductInfo productInfo, 
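Review bot: The new private method GetEndEntityCertificate has no documentation, and its contract is non-obvious: the input must already have CRLFs removed (callers do `fileContent.Replace("\r\n", string.Empty)` first), it returns the end-entity certificate as base64 of DER without PEM headers (`Export(X509ContentType.Cert)` then `Convert.ToBase64String`), and it returns `string.Empty` when X509Utilities yields null. A `<summary>` stating those three points, a `<param>` noting the input is a concatenated PEM bundle, and a `<returns>` naming the empty-string case would save the next reader from reconstructing this from the callers. The `.crt` check is commented as skipping "headers that came with the split function"; what those segments actually contain is not visible here, so a concrete example in that comment would help. The certificates imported into `col` and the exported `currentCert` are IDisposable and are never disposed — a minor per-item leak worth tidying.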
@@ -247,13 +279,24 @@ public override CAConnectorCertificate GetSingleRecord(string caRequestId) .Result; Logger.Trace($"Single Cert JSON: {JsonConvert.SerializeObject(certificateResponse)}"); + + var fileContent = + Encoding.ASCII.GetString( + Convert.FromBase64String(certificateResponse?.Certificate ?? string.Empty)); + + Logger.Trace($"File Content {fileContent}"); + var certData = fileContent.Replace("\r\n", string.Empty); + var certString = GetEndEntityCertificate(certData); + Logger.Trace($"Cert String Content {certString}"); + Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + return new CAConnectorCertificate { CARequestID = keyfactorCaId, - Certificate = certificateResponse.Certificate, - Status = _requestManager.MapReturnStatus(certificateResponse.Status), - SubmissionDate = Convert.ToDateTime(certificateResponse.OrderDate) + Certificate = certString, + Status = _requestManager.MapReturnStatus(certificateResponse?.Status), + SubmissionDate = Convert.ToDateTime(certificateResponse?.OrderDate) }; } From feb53c9079336fa8f6b7fd559c460229179789cf Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 21 May 2024 13:23:30 +0000 Subject: [PATCH 04/14] Update generated README --- README.md | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 6fa11a1..a8f4aef 100644 --- a/README.md +++ b/README.md 
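Review bot: When the API response carries no certificate, `certificateResponse?.Certificate ?? string.Empty` makes `certData` empty and the method still returns a CAConnectorCertificate whose `Certificate` is `""`, with status and date taken from the same possibly-null response, so nothing distinguishes that from a successful lookup. Logging at warning level and confirming what the gateway framework expects for a missing record (null return versus exception) would make the failure visible rather than storing an empty certificate. The enclosing GetSingleRecord, including the `Substring(0, 36)` that derives `keyfactorCaId`, starts outside this hunk.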
@@ -1,14 +1,13 @@ + # CSC Global Csc Global operates a PKI as a service platform for customers around the globe. The AnyGateway solution for CscGlobal is designed to allow Keyfactor Command the ability to: - Sync certificates issued from the CA - Request new certificates from the CA - Revoke certificates directly from Keyfactor Command #### Integration status: Production - Ready for use in production environments. +## About the Keyfactor AnyCA Gateway DCOM Connector -## About the Keyfactor AnyGateway CA Connector - -This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. - +This repository contains an AnyCA Gateway Connector, which is a plugin to the Keyfactor AnyGateway. AnyCA Gateway Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. ## Support for CSC Global @@ -16,6 +15,8 @@ CSC Global is supported by Keyfactor for Keyfactor customers. If you have a supp ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. +--- + --- 
@@ -23,6 +24,16 @@ CSC Global is supported by Keyfactor for Keyfactor customers. If you have a supp +## Keyfactor AnyCA Gateway Framework Supported +The Keyfactor gateway framework implements common logic shared across various gateway implementations and handles communication with Keyfactor Command. The gateway framework hosts gateway implementations or plugins that understand how to communicate with specific CAs. This allows you to integrate your third-party CAs with Keyfactor Command such that they behave in a manner similar to the CAs natively supported by Keyfactor Command. + + + + +This gateway extension was compiled against version of the AnyCA Gateway DCOM Framework. You will need at least this version of the framework Installed. If you have a later AnyGateway Framework Installed you will probably need to add binding redirects in the CAProxyServer.exe.config file to make things work properly. + + +[Keyfactor CAGateway Install Guide](https://software.keyfactor.com/Guides/AnyGateway_Generic/Content/AnyGateway/Introduction.htm) @@ -464,3 +475,4 @@ Set-KeyfactorGatewayConfig -LogicalName "CSCGlobal" -FilePath [path to json file ### License [Apache](https://apache.org/licenses/LICENSE-2.0) + From 5e491a99b0c7ead88195809cca504afa69133b5b Mon Sep 17 00:00:00 2001 From: Brian Hill Date: Tue, 21 May 2024 16:01:40 +0000 Subject: [PATCH 05/14] Fixed Revoke Issues --- CscGlobalCaProxy/CscGlobalCaProxy.cs | 95 +++++++++++++++++----------- CscGlobalCaProxy/RequestManager.cs | 6 ++ 2 files changed, 63 insertions(+), 38 deletions(-) diff --git a/CscGlobalCaProxy/CscGlobalCaProxy.cs b/CscGlobalCaProxy/CscGlobalCaProxy.cs index a595af6..3eadd4d 100644 --- a/CscGlobalCaProxy/CscGlobalCaProxy.cs +++ b/CscGlobalCaProxy/CscGlobalCaProxy.cs 
@@ -34,24 +34,34 @@ public CscGlobalCaProxy() public override int Revoke(string caRequestId, string hexSerialNumber, uint revocationReason) { - Logger.Trace($"Staring Revoke Method"); - var revokeResponse = - Task.Run(async () => - await CscGlobalClient.SubmitRevokeCertificateAsync(caRequestId.Substring(0, 36))) - .Result; //todo fix to use pipe delimiter + try + { + Logger.Trace($"Staring Revoke Method"); + var revokeResponse = + Task.Run(async () => + await CscGlobalClient.SubmitRevokeCertificateAsync(caRequestId.Substring(0, 36))) + .Result; //todo fix to use pipe delimiter - Logger.Trace($"Revoke Response JSON: {JsonConvert.SerializeObject(revokeResponse)}"); - Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + Logger.Trace($"Revoke Response JSON: {JsonConvert.SerializeObject(revokeResponse)}"); + Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); - var revokeResult = _requestManager.GetRevokeResult(revokeResponse); + var revokeResult = _requestManager.GetRevokeResult(revokeResponse); - if (revokeResult == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.FAILED)) + if (revokeResult == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.FAILED)) + { + if (!string.IsNullOrEmpty(revokeResponse?.RegistrationError?.Description)) + { + throw new UnsuccessfulRequestException($"Revoke Failed with message {revokeResponse?.RegistrationError?.Description}", 30); + } + } + + return revokeResult; + } + catch(Exception e) { - return -1; + throw new Exception($"Revoke Failed with message {e?.Message}"); } - return revokeResult; - } [Obsolete] @@ -145,7 +155,7 @@ private string GetEndEntityCertificate(string certData) //skip these headers that came with the split function if (!cert.Contains(".crt")) { - col.Import(cert); + col.Import(Encoding.UTF8.GetBytes(cert)); } } 
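Review bot: The new `catch (Exception e)` in Revoke rewraps everything as a bare `Exception` built from `e?.Message`, which discards the `UnsuccessfulRequestException` (and its second argument `30`) thrown a few lines above, drops the stack trace, and — because the call site uses `Task.Run(...).Result` — will usually see an `AggregateException` whose Message is the generic "One or more errors occurred." rather than the CSC error text. Rethrow the specific type and keep the cause: `catch (UnsuccessfulRequestException) { throw; }` before the general handler, and in it `throw new Exception($"Revoke Failed with message {e.Message}", e);` (using `e.InnerException?.Message` when `e` is an AggregateException). The same pattern appears in GetSingleRecord's new `catch` in the hunk at `-271,33` (`throw new Exception($"Error Occurred getting single cert {e.Message}")`). `e` is never null inside a catch clause, so `e?.Message` is misleading. Revoke's signature is within the hunk but the class continues outside it.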
@@ -271,33 +281,42 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe public override CAConnectorCertificate GetSingleRecord(string caRequestId) { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - var keyfactorCaId = caRequestId.Substring(0, 36); //todo fix to use pipe delimiter - Logger.Trace($"Keyfactor Ca Id: {keyfactorCaId}"); - var certificateResponse = - Task.Run(async () => await CscGlobalClient.SubmitGetCertificateAsync(keyfactorCaId)) - .Result; - - Logger.Trace($"Single Cert JSON: {JsonConvert.SerializeObject(certificateResponse)}"); - - var fileContent = - Encoding.ASCII.GetString( - Convert.FromBase64String(certificateResponse?.Certificate ?? string.Empty)); - - Logger.Trace($"File Content {fileContent}"); - var certData = fileContent.Replace("\r\n", string.Empty); - var certString = GetEndEntityCertificate(certData); - Logger.Trace($"Cert String Content {certString}"); - - Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + try + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + var keyfactorCaId = caRequestId?.Substring(0, 36); //todo fix to use pipe delimiter + Logger.Trace($"Keyfactor Ca Id: {keyfactorCaId}"); + var certificateResponse = + Task.Run(async () => await CscGlobalClient.SubmitGetCertificateAsync(keyfactorCaId)) + .Result; + + Logger.Trace($"Single Cert JSON: {JsonConvert.SerializeObject(certificateResponse)}"); + + var fileContent = + Encoding.ASCII.GetString( + Convert.FromBase64String(certificateResponse?.Certificate ?? 
string.Empty)); + + Logger.Trace($"File Content {fileContent}"); + var certData = fileContent?.Replace("\r\n", string.Empty); + var certString = String.Empty; + if (!string.IsNullOrEmpty(certData)) + certString = GetEndEntityCertificate(certData); + Logger.Trace($"Cert String Content {certString}"); - return new CAConnectorCertificate + Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + + return new CAConnectorCertificate + { + CARequestID = keyfactorCaId, + Certificate = certString, + Status = _requestManager.MapReturnStatus(certificateResponse?.Status), + SubmissionDate = Convert.ToDateTime(certificateResponse?.OrderDate) + }; + } + catch(Exception e) { - CARequestID = keyfactorCaId, - Certificate = certString, - Status = _requestManager.MapReturnStatus(certificateResponse?.Status), - SubmissionDate = Convert.ToDateTime(certificateResponse?.OrderDate) - }; + throw new Exception($"Error Occurred getting single cert {e.Message}"); + } } public override void Initialize(ICAConnectorConfigProvider configProvider) diff --git a/CscGlobalCaProxy/RequestManager.cs b/CscGlobalCaProxy/RequestManager.cs index a86161e..31b0231 100644 --- a/CscGlobalCaProxy/RequestManager.cs +++ b/CscGlobalCaProxy/RequestManager.cs @@ -160,6 +160,12 @@ private string GetCertificateType(string productId) return "2"; case "CSC TrustedSecure Premium Wildcard Certificate": return "1"; + case "CSC Trusted Secure Domain Validated SSL": + return "4"; + case "CSC Trusted Secure Domain Validated Wildcard SSL": + return "5"; + case "CSC Trusted Secure Domain Validated UC Certificate": + return "6"; case "CSC TrustedSecure Domain Validated SSL": return "4"; case "CSC TrustedSecure Domain Validated Wildcard SSL": From 9760471d1c9ec4aed77e7529a28b016197ca0e7d Mon Sep 17 00:00:00 2001 From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com> Date: Tue, 21 May 2024 12:11:27 -0400 Subject: [PATCH 06/14] Update CHANGELOG.md --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) 
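Review bot: The three new `case` labels in GetCertificateType duplicate the existing `CSC TrustedSecure ...` labels that follow them — the visible `CSC TrustedSecure Domain Validated SSL` also returns `"4"`, and presumably the Wildcard and UC cases past the end of the hunk return `"5"` and `"6"` — so each product now has two accepted spellings whose mappings can drift apart. C# allows stacking labels on one body, e.g. `case "CSC Trusted Secure Domain Validated SSL": case "CSC TrustedSecure Domain Validated SSL": return "4";`, which keeps each product's code in one place; alternatively normalise the product name before switching. The switch and the enclosing GetCertificateType start and end outside this hunk.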
diff --git a/CHANGELOG.md b/CHANGELOG.md index 7753ddf..da74ba0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +v1.1.1 +-Fix Revoke Serial Number Mismatch KF 10.1 and 22.1.0 GW combination +-Only Syncing and GetSingleRecord on End Entity Cert to prevent errors. v1.1.0 - Add Support for CNAME Domain Validation From 1eca766089c4ba72702f1c409f5876cdc7ccb783 Mon Sep 17 00:00:00 2001 From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com> Date: Tue, 21 May 2024 12:11:41 -0400 Subject: [PATCH 07/14] Update CHANGELOG.md --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index da74ba0..1227ce2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ v1.1.1 --Fix Revoke Serial Number Mismatch KF 10.1 and 22.1.0 GW combination --Only Syncing and GetSingleRecord on End Entity Cert to prevent errors. +- Fix Revoke Serial Number Mismatch KF 10.1 and 22.1.0 GW combination +- Only Syncing and GetSingleRecord on End Entity Cert to prevent errors. v1.1.0 - Add Support for CNAME Domain Validation From 1d490af67968fcf5f1a8487dbaacb7317a2c8150 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 22 May 2024 18:22:19 +0000 Subject: [PATCH 08/14] Update generated README --- README.md | 604 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 342 insertions(+), 262 deletions(-) diff --git a/README.md b/README.md index 6aa8693..a8f4aef 100644 --- a/README.md +++ b/README.md 
@@ -1,101 +1,141 @@ -CSC Global -Csc Global operates a PKI as a service platform for customers around the globe. The AnyGateway solution for CscGlobal is designed to allow Keyfactor Command the ability to: - Sync certificates issued from the CA - Request new certificates from the CA - Revoke certificates directly from Keyfactor Command -Integration status: Production - Ready for use in production environments. -About the Keyfactor AnyCA Gateway DCOM Connector +# CSC Global + +Csc Global operates a PKI as a service platform for customers around the globe. The AnyGateway solution for CscGlobal is designed to allow Keyfactor Command the ability to: - Sync certificates issued from the CA - Request new certificates from the CA - Revoke certificates directly from Keyfactor Command + +#### Integration status: Production - Ready for use in production environments. + +## About the Keyfactor AnyCA Gateway DCOM Connector This repository contains an AnyCA Gateway Connector, which is a plugin to the Keyfactor AnyGateway. AnyCA Gateway Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. -Support for CSC Global + +## Support for CSC Global CSC Global is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com -To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab. -Keyfactor AnyCA Gateway Framework Supported +###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. 
+ +--- + + +--- + + + + + +## Keyfactor AnyCA Gateway Framework Supported The Keyfactor gateway framework implements common logic shared across various gateway implementations and handles communication with Keyfactor Command. The gateway framework hosts gateway implementations or plugins that understand how to communicate with specific CAs. This allows you to integrate your third-party CAs with Keyfactor Command such that they behave in a manner similar to the CAs natively supported by Keyfactor Command. -This gateway extension was compiled against version of the AnyCA Gateway DCOM Framework. You will need at least this version of the framework Installed. If you have a later AnyGateway Framework Installed you will probably need to add binding redirects in the CAProxyServer.exe.config file to make things work properly. -Keyfactor CAGateway Install Guide -Getting Started -Standard Gateway Installation -To begin, you must have the CA Gateway Service 21.3.2 installed and operational before attempting to configure the CSC Global plugin. This integration was tested with Keyfactor 8.7.0.0. To install the gateway follow these instructions. - Gateway Server - run the installation .msi - Get from Keyfactor +This gateway extension was compiled against version of the AnyCA Gateway DCOM Framework. You will need at least this version of the framework Installed. If you have a later AnyGateway Framework Installed you will probably need to add binding redirects in the CAProxyServer.exe.config file to make things work properly. - Gateway Server - If you have the rights to install the database (usually in a Non SQL PAAS Environment) Using Powershell, run the following command to create the gateway database. 
- SQL Server Windows Auth +[Keyfactor CAGateway Install Guide](https://software.keyfactor.com/Guides/AnyGateway_Generic/Content/AnyGateway/Introduction.htm) + - %InstallLocation%\DatabaseManagementConsole.exe create -s [database server name] -d [database name] - Note if you are using SQL Authentication, then you need to run +--- - SQL Server SQL Authentication - %InstallLocation%\DatabaseManagementConsole.exe create -s [database server name] -d [database name] -u [sql user] -p [sql password] +*** +# Getting Started +## Standard Gateway Installation +To begin, you must have the CA Gateway Service 21.3.2 installed and operational before attempting to configure the CSC Global plugin. This integration was tested with Keyfactor 8.7.0.0. +To install the gateway follow these instructions. - If you do not have rights to created the database then have the database created ahead of time by the support team and just populate the database - Populate commands below +1) Gateway Server - run the installation .msi - Get from Keyfactor - Windows Authentication +2) Gateway Server - If you have the rights to install the database (usually in a Non SQL PAAS Environment) Using Powershell, run the following command to create the gateway database. 
- %InstallLocation%\DatabaseManagementConsole.exe populate -s [database server name] -d [database name] + **SQL Server Windows Auth** + ``` + %InstallLocation%\DatabaseManagementConsole.exe create -s [database server name] -d [database name] + ``` + Note if you are using SQL Authentication, then you need to run + + **SQL Server SQL Authentication** - SQL Server SQL Authentication + ``` + %InstallLocation%\DatabaseManagementConsole.exe create -s [database server name] -d [database name] -u [sql user] -p [sql password] + ``` - %InstallLocation%\DatabaseManagementConsole.exe populate -s [database server name] -d [database name] -u [sql user] -p [sql password] + If you do **not** have rights to created the database then have the database created ahead of time by the support team and just populate the database - Gateway Server - run the following Powershell to import the Cmdlets + ## Populate commands below - C:\Program Files\Keyfactor\Keyfactor AnyGateway\ConfigurationCmdlets.dll (must be imported into Powershell) + **Windows Authentication** - Import-Module C:\Program Files\Keyfactor\Keyfactor AnyGateway\ConfigurationCmdlets.dll + ``` + %InstallLocation%\DatabaseManagementConsole.exe populate -s [database server name] -d [database name] + ``` - Gateway Server - Run the Following Powershell script to set the gateway encryption cert - Set-KeyfactorGatewayEncryptionCert + **SQL Server SQL Authentication** - This cmdlet will generate a self-signed certificate used to encrypt the database connection string. It populates a registry value with the serial number of the certificate to be used. The certificate is stored in the LocalMachine Personal Store and the registry key populated is: + ``` + %InstallLocation%\DatabaseManagementConsole.exe populate -s [database server name] -d [database name] -u [sql user] -p [sql password] + ``` - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvcProxy\Parameters\EncryptSerialNumber No parameters are required to run this cmdlet. 
+3) Gateway Server - run the following Powershell to import the Cmdlets - Gateway Server - Run the following Powershell Script to Set the Database Connection - Set-KeyfactorGatewayDatabaseConnection + C:\Program Files\Keyfactor\Keyfactor AnyGateway\ConfigurationCmdlets.dll (must be imported into Powershell) + ```ps + Import-Module C:\Program Files\Keyfactor\Keyfactor AnyGateway\ConfigurationCmdlets.dll + ``` - This cmdlet will set and encrypt the database connection string used by the AnyGateway service. +4) Gateway Server - Run the Following Powershell script to set the gateway encryption cert - Windows Authentication + ### Set-KeyfactorGatewayEncryptionCert + This cmdlet will generate a self-signed certificate used to encrypt the database connection string. It populates a registry value with the serial number of the certificate to be used. The certificate is stored in the LocalMachine Personal Store and the registry key populated is: - Set-KeyfactorGatewayDatabaseConnection -Server [db server name] -Database [database name] + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvcProxy\Parameters\EncryptSerialNumber + No parameters are required to run this cmdlet. - SQL Authentication +5) Gateway Server - Run the following Powershell Script to Set the Database Connection - $KeyfactorCredentials = Get-Credentials - Set-KeyfactorGatewayDatabaseConnection -Server [db server name] -Database [database name] -Account [$KeyfactorCredentials] + ### Set-KeyfactorGatewayDatabaseConnection + This cmdlet will set and encrypt the database connection string used by the AnyGateway service. -Standard Gateway Configuration Finished -CSC Global AnyGateway Specific Configuration + **Windows Authentication** + ```ps + Set-KeyfactorGatewayDatabaseConnection -Server [db server name] -Database [database name] + ``` -It is important to note that importing the CSC Global configuration into the CA Gateway prior to installing the binaries must be completed. 
Additionally, the CA Gateway service must be running in order to succesfully import the configuation. When the CA Gateway service starts it will attempt to validate the connection information to the CA. Without the imported configuration, the service will fail to start. -Binary Installation + **SQL Authentication** + ```ps + $KeyfactorCredentials = Get-Credentials + Set-KeyfactorGatewayDatabaseConnection -Server [db server name] -Database [database name] -Account [$KeyfactorCredentials] + ``` +## Standard Gateway Configuration Finished +--- - Get the Latest Zip File from Here - Gateway Server - Copy the CscGlobalCaProxy.dll to the location where the Gateway Framework was installed (usually C:\Program Files\Keyfactor\Keyfactor AnyGateway) -Configuration Changes +## CSC Global AnyGateway Specific Configuration +It is important to note that importing the CSC Global configuration into the CA Gateway prior to installing the binaries must be completed. Additionally, the CA Gateway service +must be running in order to succesfully import the configuation. When the CA Gateway service starts it will attempt to validate the connection information to +the CA. Without the imported configuration, the service will fail to start. 
- Gateway Server - Edit the CAProxyServer.exe.config file and replace the line that says "NoOp" with the line below: +### Binary Installation - +1) Get the Latest Zip File from [Here](https://github.com/Keyfactor/cscglobal-cagateway/releases) +2) Gateway Server - Copy the CscGlobalCaProxy.dll to the location where the Gateway Framework was installed (usually C:\Program Files\Keyfactor\Keyfactor AnyGateway) - Gateway Server - Install the Root CSC Global Certificate that was received from CSC Global +### Configuration Changes +1) Gateway Server - Edit the CAProxyServer.exe.config file and replace the line that says "NoOp" with the line below: + ``` + + ``` +2) Gateway Server - Install the Root CSC Global Certificate that was received from CSC Global - Gateway Server - Install the Intermediate CSC Global Certificate that was received from CSC Global +3) Gateway Server - Install the Intermediate CSC Global Certificate that was received from CSC Global - Gateway Server - Take the sample Config.json located Here and make the following modifications +4) Gateway Server - Take the sample Config.json located [Here](https://github.com/Keyfactor/cscglobal-cagateway/raw/main/SampleConfig.json) and make the following modifications - Security Settings Modifications (Swap this out for the typical Gateway Security Settings for Test or Prod) +- *Security Settings Modifications* (Swap this out for the typical Gateway Security Settings for Test or Prod) +``` "Security": { "KEYFACTOR\\administrator": { "READ": "Allow", 
@@ -115,20 +155,20 @@ Configuration Changes "OFFICER": "Allow", "ADMINISTRATOR": "Allow" } - - CSC Global Environment Settings (Modify these with the keys and Urls obtained from Csc Global) - +``` +- *CSC Global Environment Settings* (Modify these with the keys and Urls obtained from Csc Global) +``` "CAConnection": { "CscGlobalURL": "https://apis-ote.cscglobal.com/dbs/api/v2", "ApiKey": "SALDJDSFKLDFS", "BearerToken": "ASDLKFSALDKSDALK", "TemplateSync": "On" } +``` -Template Settings - - For template settings you can either hard code them in the template parameters as shown on the last template or make them show up as enrollment parameters. You can also have a combination of both enrollment parameters and hard coded parameters in the template parameters. You can also build a workflow in Keyfactor to change them during enrollment based on some parameters as shown in the attached workflow 1. - +**Template Settings** +- For template settings you can either hard code them in the template parameters as shown on the last template or make them show up as enrollment parameters. You can also have a combination of both enrollment parameters and hard coded parameters in the template parameters. You can also build a workflow in Keyfactor to change them during enrollment based on some parameters as shown in the attached workflow 1. +``` "Templates": { "CSC TrustedSecure Premium Certificate": { "ProductID": "CSC TrustedSecure Premium Certificate", @@ -171,9 +211,10 @@ Template Settings } } } +``` - Gateway Settings - +- *Gateway Settings* +``` "CertificateManagers": null, "GatewayRegistration": { "LogicalName": "CscGlobal", 
@@ -183,216 +224,255 @@ Template Settings "Thumbprint": "525c47fb3a5e0655fbd4be963ca1e94d5fecb43d" } } +``` - Service Settings (Modify these to be in accordance with Keyfactor Standard Gateway Production Settings) - +- *Service Settings* (Modify these to be in accordance with Keyfactor Standard Gateway Production Settings) +``` "ServiceSettings": { "ViewIdleMinutes": 1, "FullScanPeriodHours": 1, "PartialScanPeriodMinutes": 1 } - - Gateway Server - Save the newly modified config.json to the following location "C:\Program Files\Keyfactor\Keyfactor AnyGateway" - -Template Installation - -PLEASE NOTE, AT THIS TIME THE RAPID_SSL TEMPLATE IS NOT SUPPORTED BY THE CSC API AND WILL NOT WORK WITH THIS INTEGRATION - - Create ADFS Certificate Templates for the Following Products - - CSC TrustedSecure Premium Certificate - CSC TrustedSecure EV Certificate - CSC TrustedSecure UC Certificate - CSC TrustedSecure Premium Wildcard Certificate - CSC TrustedSecure Domain Validated SSL - CSC TrustedSecure Domain Validated Wildcard SSL - CSC TrustedSecure Domain Validated UC Certificate - - Import Into Keyfactor using the template import functionality - - Edit each template and modify the Details and Enrollment Fields as Follows CSC TrustedSecure Premium Certificate - Details Tab* - -CONFIG ELEMENT DESCRIPTION -Template Short Name CSC TrustedSecure Premium Certificate -Template Display Name CSC TrustedSecure Premium Certificate -Friendly Name CSC TrustedSecure Premium Certificate -Keys Size 2048 -Enforce RFC 2818 Compliance True -CSR Enrollment True -Pfx Enrollment True - -CSC TrustedSecure Premium Certificate - Enrollment Fields -NAME DATA TYPE VALUES -Term Multiple Choice 12,24 -Applicant First Name String N/A -Applicant Last Name String N/A -Applicant Email Address String N/A -Applicant Phone (+nn.nnnnnnnn) String N/A -Domain Control Validation Method Multiple Choice EMAIL -Organization Contact Multiple Choice Get From CSC Differs For Clients -Business Unit Multiple Choice Get From 
CSC Differs For Clients -Notification Email(s) Comma Separated String N/A -CN DCV Email (admin@yourdomain.com) String N/A - -CSC TrustedSecure EV Certificate - Details Tab -CONFIG ELEMENT DESCRIPTION -Template Short Name CSC TrustedSecure EV Certificate -Template Display Name CSC TrustedSecure EV Certificate -Friendly Name CSC TrustedSecure EV Certificate -Keys Size 2048 -Enforce RFC 2818 Compliance True -CSR Enrollment True -Pfx Enrollment True - -CSC TrustedSecure EV Certificate - Enrollment Fields -NAME DATA TYPE VALUES -Term Multiple Choice 12,24 -Applicant First Name String N/A -Applicant Last Name String N/A -Applicant Email Address String N/A -Applicant Phone (+nn.nnnnnnnn) String N/A -Domain Control Validation Method Multiple Choice EMAIL -Organization Contact Multiple Choice Get From CSC Differs For Clients -Business Unit Multiple Choice Get From CSC Differs For Clients -Notification Email(s) Comma Separated String N/A -CN DCV Email (admin@yourdomain.com) String N/A -Organization Country String N/A - -CSC TrustedSecure UC Certificate - Details Tab -CONFIG ELEMENT DESCRIPTION -Template Short Name CSC TrustedSecure UC Certificate -Template Display Name CSC TrustedSecure UC Certificate -Friendly Name CSC TrustedSecure UC Certificate -Keys Size 2048 -Enforce RFC 2818 Compliance True -CSR Enrollment True -Pfx Enrollment True - -CSC TrustedSecure UC Certificate - Enrollment Fields -NAME DATA TYPE VALUES -Term Multiple Choice 12,24 -Applicant First Name String N/A -Applicant Last Name String N/A -Applicant Email Address String N/A -Applicant Phone (+nn.nnnnnnnn) String N/A -Domain Control Validation Method Multiple Choice EMAIL -Organization Contact Multiple Choice Get From CSC Differs For Clients -Business Unit Multiple Choice Get From CSC Differs For Clients -Notification Email(s) Comma Separated String N/A -CN DCV Email (admin@yourdomain.com) String N/A -Addtl Sans Comma Separated DVC Emails String N/A - -CSC TrustedSecure Premium Wildcard Certificate - 
Details Tab -CONFIG ELEMENT DESCRIPTION -Template Short Name CSC TrustedSecure Premium Wildcard Certificate -Template Display Name CSC TrustedSecure Premium Wildcard Certificate -Friendly Name CSC TrustedSecure Premium Wildcard Certificate -Keys Size 2048 -Enforce RFC 2818 Compliance True -CSR Enrollment True -Pfx Enrollment True - -CSC TrustedSecure Premium Wildcard Certificate - Enrollment Fields -NAME DATA TYPE VALUES -Term Multiple Choice 12,24 -Applicant First Name String N/A -Applicant Last Name String N/A -Applicant Email Address String N/A -Applicant Phone (+nn.nnnnnnnn) String N/A -Domain Control Validation Method Multiple Choice EMAIL -Organization Contact Multiple Choice Get From CSC Differs For Clients -Business Unit Multiple Choice Get From CSC Differs For Clients -Notification Email(s) Comma Separated String N/A -CN DCV Email (admin@yourdomain.com) String N/A - -CSC TrustedSecure Domain Validated SSL - Details Tab -CONFIG ELEMENT DESCRIPTION -Template Short Name CSC TrustedSecure Domain Validated SSL -Template Display Name CSC TrustedSecure Domain Validated SSL -Friendly Name CSC TrustedSecure Domain Validated SSL -Keys Size 2048 -Enforce RFC 2818 Compliance True -CSR Enrollment True -Pfx Enrollment True - -CSC TrustedSecure Domain Validated SSL - Enrollment Fields -NAME DATA TYPE VALUES -Term Multiple Choice 12,24 -Applicant First Name String N/A -Applicant Last Name String N/A -Applicant Email Address String N/A -Applicant Phone (+nn.nnnnnnnn) String N/A -Domain Control Validation Method Multiple Choice EMAIL -Organization Contact Multiple Choice Get From CSC Differs For Clients -Business Unit Multiple Choice Get From CSC Differs For Clients -Notification Email(s) Comma Separated String N/A -CN DCV Email (admin@yourdomain.com) String N/A - -CSC TrustedSecure Domain Validated Wildcard SSL - Details Tab -CONFIG ELEMENT DESCRIPTION -Template Short Name CSC TrustedSecure Domain Validated Wildcard SSL -Template Display Name CSC TrustedSecure Domain 
Validated Wildcard SSL -Friendly Name CSC TrustedSecure Domain Validated Wildcard SSL -Keys Size 2048 -Enforce RFC 2818 Compliance True -CSR Enrollment True -Pfx Enrollment True - -CSC TrustedSecure Domain Validated Wildcard SSL - Enrollment Fields -NAME DATA TYPE VALUES -Term Multiple Choice 12,24 -Applicant First Name String N/A -Applicant Last Name String N/A -Applicant Email Address String N/A -Applicant Phone (+nn.nnnnnnnn) String N/A -Domain Control Validation Method Multiple Choice EMAIL -Organization Contact Multiple Choice Get From CSC Differs For Clients -Business Unit Multiple Choice Get From CSC Differs For Clients -Notification Email(s) Comma Separated String N/A -CN DCV Email (admin@yourdomain.com) String N/A - -CSC TrustedSecure Domain Validated UC Certificate - Details Tab -CONFIG ELEMENT DESCRIPTION -Template Short Name CSC TrustedSecure Domain Validated UC Certificate -Template Display Name CSC TrustedSecure Domain Validated UC Certificate -Friendly Name CSC TrustedSecure Domain Validated UC Certificate -Keys Size 2048 -Enforce RFC 2818 Compliance True -CSR Enrollment True -Pfx Enrollment True - -CSC TrustedSecure Domain Validated UC Certificate - Enrollment Fields -NAME DATA TYPE VALUES -Term Multiple Choice 12,24 -Applicant First Name String N/A -Applicant Last Name String N/A -Applicant Email Address String N/A -Applicant Phone (+nn.nnnnnnnn) String N/A -Domain Control Validation Method Multiple Choice EMAIL -Organization Contact Multiple Choice Get From CSC Differs For Clients -Business Unit Multiple Choice Get From CSC Differs For Clients -Notification Email(s) Comma Separated String N/A -CN DCV Email (admin@yourdomain.com) String N/A -Addtl Sans Comma Separated DVC Emails String N/A -Certificate Authority Installation - - Gateway Server - Start the Keyfactor Gateway Service - Run the set Gateway command similar to below - +``` + +5) Gateway Server - Save the newly modified config.json to the following location "C:\Program 
Files\Keyfactor\Keyfactor AnyGateway" + +### Template Installation + +**PLEASE NOTE, AT THIS TIME THE RAPID_SSL TEMPLATE IS NOT SUPPORTED BY THE CSC API AND WILL NOT WORK WITH THIS INTEGRATION** + +1) **Create ADFS Certificate Templates for the Following Products** +- CSC TrustedSecure Premium Certificate +- CSC TrustedSecure EV Certificate +- CSC TrustedSecure UC Certificate +- CSC TrustedSecure Premium Wildcard Certificate +- CSC TrustedSecure Domain Validated SSL +- CSC TrustedSecure Domain Validated Wildcard SSL +- CSC TrustedSecure Domain Validated UC Certificate + +2) **Import Into Keyfactor using the template import functionality** + +3) **Edit each template and modify the Details and Enrollment Fields as Follows** +*CSC TrustedSecure Premium Certificate - Details Tab** + +CONFIG ELEMENT | DESCRIPTION +----------------------------|------------------ +Template Short Name | CSC TrustedSecure Premium Certificate +Template Display Name | CSC TrustedSecure Premium Certificate +Friendly Name | CSC TrustedSecure Premium Certificate +Keys Size | 2048 +Enforce RFC 2818 Compliance | True +CSR Enrollment | True +Pfx Enrollment | True + + +**CSC TrustedSecure Premium Certificate - Enrollment Fields** + +NAME | DATA TYPE | VALUES +-----|--------------|----------------- +Term | Multiple Choice | 12,24 +Applicant First Name | String | N/A +Applicant Last Name | String | N/A +Applicant Email Address | String | N/A +Applicant Phone (+nn.nnnnnnnn) | String | N/A +Domain Control Validation Method | Multiple Choice | EMAIL +Organization Contact | Multiple Choice | Get From CSC Differs For Clients +Business Unit | Multiple Choice | Get From CSC Differs For Clients +Notification Email(s) Comma Separated | String | N/A +CN DCV Email (admin@yourdomain.com) | String | N/A + +**CSC TrustedSecure EV Certificate - Details Tab** + +CONFIG ELEMENT | DESCRIPTION +----------------------------|------------------ +Template Short Name | CSC TrustedSecure EV Certificate +Template Display Name 
| CSC TrustedSecure EV Certificate +Friendly Name | CSC TrustedSecure EV Certificate +Keys Size | 2048 +Enforce RFC 2818 Compliance | True +CSR Enrollment | True +Pfx Enrollment | True + + +**CSC TrustedSecure EV Certificate - Enrollment Fields** + +NAME | DATA TYPE | VALUES +-----|--------------|----------------- +Term | Multiple Choice | 12,24 +Applicant First Name | String | N/A +Applicant Last Name | String | N/A +Applicant Email Address | String | N/A +Applicant Phone (+nn.nnnnnnnn) | String | N/A +Domain Control Validation Method | Multiple Choice | EMAIL +Organization Contact | Multiple Choice | Get From CSC Differs For Clients +Business Unit | Multiple Choice | Get From CSC Differs For Clients +Notification Email(s) Comma Separated | String | N/A +CN DCV Email (admin@yourdomain.com) | String | N/A +Organization Country | String | N/A + +**CSC TrustedSecure UC Certificate - Details Tab** + +CONFIG ELEMENT | DESCRIPTION +----------------------------|------------------ +Template Short Name | CSC TrustedSecure UC Certificate +Template Display Name | CSC TrustedSecure UC Certificate +Friendly Name | CSC TrustedSecure UC Certificate +Keys Size | 2048 +Enforce RFC 2818 Compliance | True +CSR Enrollment | True +Pfx Enrollment | True + + +**CSC TrustedSecure UC Certificate - Enrollment Fields** + +NAME | DATA TYPE | VALUES +-----|--------------|----------------- +Term | Multiple Choice | 12,24 +Applicant First Name | String | N/A +Applicant Last Name | String | N/A +Applicant Email Address | String | N/A +Applicant Phone (+nn.nnnnnnnn) | String | N/A +Domain Control Validation Method | Multiple Choice | EMAIL +Organization Contact | Multiple Choice | Get From CSC Differs For Clients +Business Unit | Multiple Choice | Get From CSC Differs For Clients +Notification Email(s) Comma Separated | String | N/A +CN DCV Email (admin@yourdomain.com) | String | N/A +Addtl Sans Comma Separated DVC Emails | String | N/A + + +**CSC TrustedSecure Premium Wildcard Certificate - 
Details Tab** + +CONFIG ELEMENT | DESCRIPTION +----------------------------|------------------ +Template Short Name | CSC TrustedSecure Premium Wildcard Certificate +Template Display Name | CSC TrustedSecure Premium Wildcard Certificate +Friendly Name | CSC TrustedSecure Premium Wildcard Certificate +Keys Size | 2048 +Enforce RFC 2818 Compliance | True +CSR Enrollment | True +Pfx Enrollment | True + + +**CSC TrustedSecure Premium Wildcard Certificate - Enrollment Fields** + +NAME | DATA TYPE | VALUES +-----|--------------|----------------- +Term | Multiple Choice | 12,24 +Applicant First Name | String | N/A +Applicant Last Name | String | N/A +Applicant Email Address | String | N/A +Applicant Phone (+nn.nnnnnnnn) | String | N/A +Domain Control Validation Method | Multiple Choice | EMAIL +Organization Contact | Multiple Choice | Get From CSC Differs For Clients +Business Unit | Multiple Choice | Get From CSC Differs For Clients +Notification Email(s) Comma Separated | String | N/A +CN DCV Email (admin@yourdomain.com) | String | N/A + +**CSC TrustedSecure Domain Validated SSL - Details Tab** + +CONFIG ELEMENT | DESCRIPTION +----------------------------|------------------ +Template Short Name | CSC TrustedSecure Domain Validated SSL +Template Display Name | CSC TrustedSecure Domain Validated SSL +Friendly Name | CSC TrustedSecure Domain Validated SSL +Keys Size | 2048 +Enforce RFC 2818 Compliance | True +CSR Enrollment | True +Pfx Enrollment | True + + +**CSC TrustedSecure Domain Validated SSL - Enrollment Fields** + +NAME | DATA TYPE | VALUES +-----|--------------|----------------- +Term | Multiple Choice | 12,24 +Applicant First Name | String | N/A +Applicant Last Name | String | N/A +Applicant Email Address | String | N/A +Applicant Phone (+nn.nnnnnnnn) | String | N/A +Domain Control Validation Method | Multiple Choice | EMAIL +Organization Contact | Multiple Choice | Get From CSC Differs For Clients +Business Unit | Multiple Choice | Get From CSC Differs For 
Clients +Notification Email(s) Comma Separated | String | N/A +CN DCV Email (admin@yourdomain.com) | String | N/A + +**CSC TrustedSecure Domain Validated Wildcard SSL - Details Tab** + +CONFIG ELEMENT | DESCRIPTION +----------------------------|------------------ +Template Short Name | CSC TrustedSecure Domain Validated Wildcard SSL +Template Display Name | CSC TrustedSecure Domain Validated Wildcard SSL +Friendly Name | CSC TrustedSecure Domain Validated Wildcard SSL +Keys Size | 2048 +Enforce RFC 2818 Compliance | True +CSR Enrollment | True +Pfx Enrollment | True + + +**CSC TrustedSecure Domain Validated Wildcard SSL - Enrollment Fields** + +NAME | DATA TYPE | VALUES +-----|--------------|----------------- +Term | Multiple Choice | 12,24 +Applicant First Name | String | N/A +Applicant Last Name | String | N/A +Applicant Email Address | String | N/A +Applicant Phone (+nn.nnnnnnnn) | String | N/A +Domain Control Validation Method | Multiple Choice | EMAIL +Organization Contact | Multiple Choice | Get From CSC Differs For Clients +Business Unit | Multiple Choice | Get From CSC Differs For Clients +Notification Email(s) Comma Separated | String | N/A +CN DCV Email (admin@yourdomain.com) | String | N/A + +**CSC TrustedSecure Domain Validated UC Certificate - Details Tab** + +CONFIG ELEMENT | DESCRIPTION +----------------------------|------------------ +Template Short Name | CSC TrustedSecure Domain Validated UC Certificate +Template Display Name | CSC TrustedSecure Domain Validated UC Certificate +Friendly Name | CSC TrustedSecure Domain Validated UC Certificate +Keys Size | 2048 +Enforce RFC 2818 Compliance | True +CSR Enrollment | True +Pfx Enrollment | True + + +**CSC TrustedSecure Domain Validated UC Certificate - Enrollment Fields** + +NAME | DATA TYPE | VALUES +-----|--------------|----------------- +Term | Multiple Choice | 12,24 +Applicant First Name | String | N/A +Applicant Last Name | String | N/A +Applicant Email Address | String | N/A +Applicant Phone 
(+nn.nnnnnnnn) | String | N/A +Domain Control Validation Method | Multiple Choice | EMAIL +Organization Contact | Multiple Choice | Get From CSC Differs For Clients +Business Unit | Multiple Choice | Get From CSC Differs For Clients +Notification Email(s) Comma Separated | String | N/A +CN DCV Email (admin@yourdomain.com) | String | N/A +Addtl Sans Comma Separated DVC Emails | String | N/A + + +### Certificate Authority Installation +1) Gateway Server - Start the Keyfactor Gateway Service +2) Run the set Gateway command similar to below +```ps Set-KeyfactorGatewayConfig -LogicalName "CSCGlobal" -FilePath [path to json file] -PublishAd +``` +3) Command Server - Import the certificate authority in Keyfactor Portal - Command Server - Import the certificate authority in Keyfactor Portal - -Meta Data Fix Patch for Version 1.0.9 Steps +*** +### Meta Data Fix Patch for Version 1.0.9 Steps +1) Stop the CSC Global Gateway Service +2) Run the following SQL In your CSC Global Gateway Database
- Stop the CSC Global Gateway Service - Run the following SQL In your CSC Global Gateway Database +```Delete Certificates WHERE LEN("CARequestId") <> 36``` -Delete Certificates WHERE LEN("CARequestId") <> 36 +3) Copy the New CSCGlobal v1.0.9 or later Binaries to the Gateway Directory Typically “c:\Progam Files\Keyfactor\Keyfactor AnyGateway” on the Gateway Server +4) Start the Gateway service and wait for the next sync between the GW Database and Keyfactor - Copy the New CSCGlobal v1.0.9 or later Binaries to the Gateway Directory Typically “c:\Progam Files\Keyfactor\Keyfactor AnyGateway” on the Gateway Server - Start the Gateway service and wait for the next sync between the GW Database and Keyfactor +### License +[Apache](https://apache.org/licenses/LICENSE-2.0) -License -Apache From 0d72ea11cc10ca3831a1f152ac13999edfe35e03 Mon Sep 17 00:00:00 2001 From: Brian Hill Date: Thu, 17 Oct 2024 14:56:46 -0400 Subject: [PATCH 09/14] fixed bug --- CscGlobalCaProxy/Client/CscGlobalClient.cs | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/CscGlobalCaProxy/Client/CscGlobalClient.cs b/CscGlobalCaProxy/Client/CscGlobalClient.cs
index 962460f..291f98c 100644
--- a/CscGlobalCaProxy/Client/CscGlobalClient.cs
+++ b/CscGlobalCaProxy/Client/CscGlobalClient.cs
@@ -59,7 +59,7 @@ public async Task SubmitRegistrationAsync(
 public async Task SubmitRenewalAsync(
 RenewalRequest renewalRequest)
 {
- using (var resp = await RestClient.PostAsync("/tls/renewal", new StringContent(
+ using (var resp = await RestClient.PostAsync("/dbs/api/v2/tls/renewal", new StringContent(
 JsonConvert.SerializeObject(renewalRequest), Encoding.ASCII, "application/json")))
 {
 Logger.Trace(JsonConvert.SerializeObject(renewalRequest));
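Review bot: The StringContent built on the changed line still serializes the renewal body with `Encoding.ASCII` (next context line), so any non-ASCII character in the request — applicant and organization names are free-text enrollment fields — is replaced with `?` before it reaches CSC; a body sent as `application/json` should be encoded with `Encoding.UTF8`. Separately, the sample config's `CscGlobalURL` already ends in `/dbs/api/v2`; if RestClient's base address is taken from that setting, the new absolute path would double the prefix, so it is worth confirming against how SubmitRegistrationAsync (named in the hunk header) builds its path. SubmitRenewalAsync continues past the end of this hunk.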
@@ -67,17 +67,22 @@ public async Task SubmitRenewalAsync(
 var settings = new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore };
 if (resp.StatusCode == HttpStatusCode.BadRequest) //Csc Sends Errors back in 400 Json Response
 {
+ var rawErrorResponse = await resp.Content.ReadAsStringAsync();
+ Logger.Trace("Logging Error Response Raw");
+ Logger.Trace(rawErrorResponse);
 var errorResponse =
- JsonConvert.DeserializeObject(await resp.Content.ReadAsStringAsync(),
+ JsonConvert.DeserializeObject(rawErrorResponse,
 settings);
 var response = new RenewalResponse();
 response.RegistrationError = errorResponse;
 response.Result = null;
 return response;
 }
-
+ var rawRenewResponse = await resp.Content.ReadAsStringAsync();
+ Logger.Trace("Logging Success Response Raw");
+ Logger.Trace(rawRenewResponse);
 var renewalResponse =
- JsonConvert.DeserializeObject(await resp.Content.ReadAsStringAsync());
+ JsonConvert.DeserializeObject(rawRenewResponse);
 return renewalResponse;
 }
 }
From 0d10fd3b17cc4aeca09d2c64bad6ced75f105705 Mon Sep 17 00:00:00 2001 From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com> Date: Thu, 17 Oct 2024 15:01:21 -0400 Subject: [PATCH 10/14] Update CHANGELOG.md --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1227ce2..58c5574 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@ +v1.1.2 +- Fix Renewal bug referencing the wrong REST Resource V1 + v1.1.1 - Fix Revoke Serial Number Mismatch KF 10.1 and 22.1.0 GW combination - Only Syncing and GetSingleRecord on End Entity Cert to prevent errors.
From 09a9aefe8fc9dcf24f770bd3382365360348879a Mon Sep 17 00:00:00 2001 From: Brian Hill Date: Mon, 21 Oct 2024 13:55:42 -0400 Subject: [PATCH 11/14] Fixed Missing UID --- CscGlobalCaProxy/RequestManager.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CscGlobalCaProxy/RequestManager.cs b/CscGlobalCaProxy/RequestManager.cs
index 31b0231..14217c2 100644
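Review bot: Every status other than 400 still falls through to `JsonConvert.DeserializeObject(rawRenewResponse)`, so a 401/403/5xx body (typically empty or HTML) is parsed as a RenewalResponse and either yields an object with null fields or throws a JsonException that the caller cannot tell apart from a real renewal failure; the commit only adds logging around that path. Before `var rawRenewResponse = …` add a check such as `if (!resp.IsSuccessStatusCode) throw new HttpRequestException($"CSC renewal returned HTTP {(int)resp.StatusCode}");`, or map the status into `RegistrationError` so the existing failure branch in GetRenewResponse reports it. The new Trace calls write the raw CSC response bodies to the gateway log in full; if those echo the applicant contact details that the enrollment fields carry (names, e-mail addresses, phone numbers), they end up in the log, so keep this strictly at Trace level and confirm Trace is not enabled in production. SubmitRenewalAsync begins in the previous hunk.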
--- a/CscGlobalCaProxy/RequestManager.cs
+++ b/CscGlobalCaProxy/RequestManager.cs
@@ -24,14 +24,14 @@ public EnrollmentResult GetRenewResponse(RenewalResponse renewResponse)
 return new EnrollmentResult
 {
 Status = 30, //failure
- CARequestID = renewResponse.Result.Status.Uuid,
+ CARequestID = renewResponse?.Result?.Status?.Uuid,
 StatusMessage = renewResponse.RegistrationError.Description
 };
 return new EnrollmentResult
 {
 Status = 13, //success
-
+ CARequestID = renewResponse.Result.Status.Uuid,
 StatusMessage = $"Renewal Successfully Completed For {renewResponse.Result.CommonName}"
 };
 }
From d0c9b5fb0f19116c462fa276e9ac72ebb8bdffd5 Mon Sep 17 00:00:00 2001 From: Brian Hill Date: Mon, 21 Oct 2024 13:59:33 -0400 Subject: [PATCH 12/14] null check --- CscGlobalCaProxy/RequestManager.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CscGlobalCaProxy/RequestManager.cs b/CscGlobalCaProxy/RequestManager.cs
index 14217c2..ff04bab 100644
--- a/CscGlobalCaProxy/RequestManager.cs
+++ b/CscGlobalCaProxy/RequestManager.cs
@@ -31,7 +31,7 @@ public EnrollmentResult GetRenewResponse(RenewalResponse renewResponse)
 return new EnrollmentResult
 {
 Status = 13, //success
- CARequestID = renewResponse.Result.Status.Uuid,
+ CARequestID = renewResponse?.Result?.Status?.Uuid,
 StatusMessage = $"Renewal Successfully Completed For {renewResponse.Result.CommonName}"
 };
 }
From 311daa2c131f8c0ef8e8a6e03e0b96dcac68674d Mon Sep 17 00:00:00 2001 From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com> Date: Tue, 14 Jan 2025 10:52:25 -0500 Subject: [PATCH 13/14] Update readme_source.md --- readme_source.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/readme_source.md b/readme_source.md
index 9df82a1..36f31f3 100644
--- a/readme_source.md
+++ b/readme_source.md
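Review bot: In the failure branch the `?.` added to CARequestID is undone by the next context line, `StatusMessage = renewResponse.RegistrationError.Description`, which still dereferences RegistrationError unconditionally; SubmitRenewalAsync assigns that property from a deserialized 400 body, which is null whenever the body is not the expected JSON, so the NullReferenceException only moves down one line. Guard it the same way: `StatusMessage = renewResponse?.RegistrationError?.Description ?? "CSC returned an error with no description"`. The condition that selects this branch and the start of GetRenewResponse are outside the hunk, so whether renewResponse itself can be null at this point is not visible here.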
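Review bot: The `?.` chain on CARequestID is inconsistent with the unguarded `renewResponse.Result.CommonName` in the StatusMessage interpolation on the next line: when Result is null the interpolation still throws, and if it did not, the method would report Status 13 (success) with a null CARequestID — exactly the kind of record the README's patch step (`Delete Certificates WHERE LEN("CARequestId") <> 36`) exists to clean up, and one Keyfactor presumably cannot tie back to a CSC order later. Rather than tolerating a missing id on the success path, reject it before building the result, e.g. `if (renewResponse?.Result?.Status?.Uuid is null) return new EnrollmentResult { Status = 30, StatusMessage = "CSC renewal response contained no order id" };`, and keep the plain `renewResponse.Result.Status.Uuid` after that check. The same applies to the previous hunk in this series (PATCH 11), which introduced the line. GetRenewResponse begins outside the hunk.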
@@ -1,7 +1,7 @@ *** # Getting Started ## Standard Gateway Installation -To begin, you must have the CA Gateway Service 21.3.2 installed and operational before attempting to configure the CSC Global plugin. This integration was tested with Keyfactor 8.7.0.0. +To begin, you must have the CA Gateway Service 22.1.0 installed and operational before attempting to configure the CSC Global plugin. This integration was tested with Keyfactor 10.4.0.0. To install the gateway follow these instructions. 1) Gateway Server - run the installation .msi - Get from Keyfactor From fd796cbea373d518cf6d3e8029dbb2480f313e49 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 14 Jan 2025 15:53:02 +0000 Subject: [PATCH 14/14] Update generated README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a8f4aef..9f9c99c 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ This gateway extension was compiled against version of the AnyCA Gateway DCOM F *** # Getting Started ## Standard Gateway Installation -To begin, you must have the CA Gateway Service 21.3.2 installed and operational before attempting to configure the CSC Global plugin. This integration was tested with Keyfactor 8.7.0.0. +To begin, you must have the CA Gateway Service 22.1.0 installed and operational before attempting to configure the CSC Global plugin. This integration was tested with Keyfactor 10.4.0.0. To install the gateway follow these instructions. 1) Gateway Server - run the installation .msi - Get from Keyfactor