From c91221826faa6ac4e6ef1e84c7dec05a82fedb91 Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Mon, 10 Nov 2025 15:03:34 -0500
Subject: [PATCH 01/22] Update CHANGELOG.md
---
CHANGELOG.md | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7134f25..0d35e57 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,13 +1,2 @@
-๏ปฟ# v2.0.0
-* Migrate `packages.config` to `PackageReference` format
-* Upgrade packages to support Keyfactor AnyCA Gateway DCOM v24.2
- * Upgrade `Keyfactor.AnyGateway.SDK` to `24.2.0-PRERELEASE-47446`
-* Add support for [GCP CAS Certificate Templates](https://cloud.google.com/certificate-authority-service/docs/policy-controls)
-* Enable configuration of CA Pool-based or CA-specific certificate enrollment. If the `CAId` is specified, certificates are enrolled with the CA specified by `CAId`. Otherwise, GCP CAS selects a CA in the CA Pool based on policy.
-
-# v1.1.0
- - Remove template references from README
- - Small bug fixes
-
# v1.0.0
-* Initial Release. Support for Google GA CA Service. Sync, Enroll, and Revocation.
+* Initial Release. Sync, Enroll, and Revocation.
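Review bot: the removed `v2.0.0` and `v1.1.0` entries describe a different integration (GCP CAS certificate templates, `CAId`, the `Keyfactor.AnyGateway.SDK` 24.2 prerelease), so dropping them is right, but after this hunk the file ends with only `# v1.0.0` while later patches in this series add a `net8.0` target and a `release_project` manifest entry. Add a changelog entry for the version this series produces instead of leaving the history stale. The deleted `-๏ปฟ# v2.0.0` line also shows what looks like a stray UTF-8 BOM at the top of the file; make sure the rewritten first line does not reintroduce it.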
From cf331f3265bbee71a7fc589ef99f57c3b6679426 Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Mon, 10 Nov 2025 15:11:59 -0500
Subject: [PATCH 02/22] Update integration-manifest.json
---
integration-manifest.json | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/integration-manifest.json b/integration-manifest.json
index ded1f3c..ec59a05 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -1,7 +1,8 @@
{
"$schema": "https://keyfactor.github.io/v2/integration-manifest-schema.json",
"name": "HID Global AnyCA REST plugin",
- "release_dir": "HydrantCAProxy/bin/Release/net6.0",
+ "release_dir": "HydrantCAProxy/bin/Release",
+ "release_project": "HydrantCAProxy/HydrantIdCAPlugin.csproj"
"description": "AnyCA Gateway REST plugin that extends HydrantId Certificate Authority Service to Keyfactor Command",
"status": "production",
"integration_type": "anyca-plugin",
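Review bot: the added `"release_project": "HydrantCAProxy/HydrantIdCAPlugin.csproj"` line has no trailing comma before `"description"`, so `integration-manifest.json` is not valid JSON at this commit; patch 04 adds the comma, and should be squashed into this one so every commit in the series parses. Also confirm that `release_dir` without the `net6.0` suffix is what the release tooling expects once the project multi-targets in patch 03, because `HydrantCAProxy/bin/Release` will then contain both a `net6.0` and a `net8.0` subdirectory rather than the DLLs themselves.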
From c739632fef80b9d3e535a3cdd9cd4176a26bab66 Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Mon, 10 Nov 2025 15:12:54 -0500
Subject: [PATCH 03/22] Update HydrantIdCAPlugin.csproj
---
HydrantCAProxy/HydrantIdCAPlugin.csproj | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/HydrantCAProxy/HydrantIdCAPlugin.csproj b/HydrantCAProxy/HydrantIdCAPlugin.csproj
index 5243e31..48b20b9 100644
--- a/HydrantCAProxy/HydrantIdCAPlugin.csproj
+++ b/HydrantCAProxy/HydrantIdCAPlugin.csproj
@@ -1,6 +1,6 @@
๏ปฟ
- net6.0
+ net6.0;net8.0
disable
true
false
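Review bot: the value changes from `net6.0` to `net6.0;net8.0`, but the element name is not visible in this hunk; a semicolon-separated list is only honoured by the plural `<TargetFrameworks>` property, and leaving it inside `<TargetFramework>` fails the build with an unrecognised framework error. Verify the element was renamed, and check that the build output now lands in both `bin/Release/net6.0` and `bin/Release/net8.0`, which is what the `release_dir` change in patch 02 appears to assume.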
@@ -18,4 +18,4 @@
Always
-
\ No newline at end of file
+
From a10b83185624474e5d4a7648adb788629129174c Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Mon, 10 Nov 2025 15:15:00 -0500
Subject: [PATCH 04/22] Update integration-manifest.json
---
integration-manifest.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/integration-manifest.json b/integration-manifest.json
index ec59a05..1627910 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -2,7 +2,7 @@
"$schema": "https://keyfactor.github.io/v2/integration-manifest-schema.json",
"name": "HID Global AnyCA REST plugin",
"release_dir": "HydrantCAProxy/bin/Release",
- "release_project": "HydrantCAProxy/HydrantIdCAPlugin.csproj"
+ "release_project": "HydrantCAProxy/HydrantIdCAPlugin.csproj",
"description": "AnyCA Gateway REST plugin that extends HydrantId Certificate Authority Service to Keyfactor Command",
"status": "production",
"integration_type": "anyca-plugin",
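Review bot: this one-character change only restores the comma that patch 02 left out after `"release_project"`; squash it into that commit so no commit in the series carries an unparseable manifest and `git bisect` never lands on it.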
From 9c9c67ea0964af9514b04acff1472c319971b263 Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Mon, 10 Nov 2025 15:18:47 -0500
Subject: [PATCH 05/22] Delete docsource/configuration.md
---
docsource/configuration.md | 166 -------------------------------------
1 file changed, 166 deletions(-)
delete mode 100644 docsource/configuration.md
diff --git a/docsource/configuration.md b/docsource/configuration.md
deleted file mode 100644
index a333d02..0000000
--- a/docsource/configuration.md
+++ /dev/null
@@ -1,166 +0,0 @@
-## Overview
-
-HID operates a PKI-as-a-service platform for customers around the globe. The AnyGateway solution for HID allows Keyfactor Command to perform:
-
-- **CA Sync**:
- - Download all certificates issued by connected Enterprise-tier CAs in HID (full sync).
-- **Certificate Enrollment**:
- - Support certificate enrollment (new keys/certificate).
- - Intelligent handling of Renewal vs Reissue based on certificate expiration.
-- **Certificate Revocation**:
- - Request revocation of previously issued certificates with mapped revocation reasons.
-
----
-
-## Requirements
-
-### ๐ HID API Key Setup Guide
-
-This guide explains how to generate and use an API Key ID and Secret in HID for authenticated API access.
-
-#### ๐ Where to Find API Key Management
-
-1. **Log in** to your HID instance.
- - Example: https://acm-stage.hydrantid.com
-2. Click your **user profile icon** (top right) and select **"Profile"**.
-3. In the **Profile** page, scroll to the section labeled `API Keys`.
-
-#### โ Add a New API Key
-
-1. Click **"ADD API KEY"** (top right of the API Keys section).
-2. A new API Key will be generated with:
- - A unique **API ID**
- - A **Secret API Key** โ copy it immediately as it is only shown once.
-
-#### ๐งพ Notes on API Keys
-
-- **ID** = what you'll pass in the HAWK `id` field
-- **Key** = secret used to generate HAWK signature
-- Each key shows `Created` and `Last Used` timestamps for traceability
-
-#### ๐ Using the API ID and Key with HAWK
-
-HID uses [HAWK Authentication](https://github.com/hueniverse/hawk) to secure its API.
-
-##### Required Fields in Authorization Header:
-```text
-Hawk id="API_ID", ts="TIMESTAMP", nonce="RANDOM", mac="HMAC_SIGNATURE"
-```
-
-Each HTTP request dynamically constructs a HAWK header using:
-- API ID
-- Secret API Key
-- Current timestamp
-- Cryptographically random nonce
-- SHA-256 algorithm
-
-### Root CA Configuration
-
-Both the Keyfactor Command and AnyCA Gateway REST servers must trust the root CA, and any applicable intermediate CAs for HID.
-
----
-
-## Gateway Registration
-
-The Gateway Registration tab configures the root or issuing CA certificate for the respective CA in HID.
-The certificate selected here should match the issuing CA identified in the [Root CA Configuration](#root-ca-configuration) step.
-
----
-
-## Certificate Template Creation Step
-
-Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required.
-
-Naming Recommendations:
-- Each Certificate Profile should be named after its Product ID.
-
-Behavior:
-- The plugin maps HID Policy Names directly to Product IDs in the Gateway Portal.
-
-Example:
-| HID Template | Product ID |
-|:------------------|:-----------|
-| `AutoEnrollment - ECDSA` | AutoEnrollment - ECDSA |
-| `AutoEnrollment - RSA - 7 Day` | AutoEnrollment - RSA - 7 Day |
-
-Selecting "Default" bypasses specifying a template.
-
----
-
-# Mechanics
-
-## Enrollment/Renewal/Reissuance
-
-All certificate enrollment operations are submitted as "new" requests. However, the plugin supports intelligent handling:
-
-- **New Enrollment**:
- - Submits a new CSR against the selected HID Policy.
-- **Renewal vs Reissue**:
- - Uses the prior certificate's serial number (`PriorCertSN`) to retrieve the existing certificate.
- - Compares the expiration date against the current time.
- - If expiration is **within** `RenewalDays` (default 30 days): Submit a **Renewal** request.
- - If expiration is **outside** `RenewalDays`: Submit a **Reissue** request (new CSR, same policy).
-
-Template parameters:
-| Parameter | Purpose |
-|:---|:---|
-| `RenewalDays` | Number of days before expiration considered a renewal window |
-| `ValidityPeriod` | Period length (Days/Months/Years) |
-| `ValidityUnits` | Value for the chosen period type |
-
-## Certificate Synchronization
-
-The plugin uses the `/api/v2/certificates` endpoint to perform full synchronization:
-
-- **Paging**:
- - Fetches certificates in batches of 100 (default page size).
-- **Filtering**:
- - Only certificates with statuses `Generated` or `Revoked` are processed.
-- **Retry Logic**:
- - Up to **5 retry attempts** are made on API failures during synchronization before failing the job.
-- **Certificate Parsing**:
- - PEM chains are split into individual certificates.
-
-> Note: HID's API does not allow filtering certificates by CA, so all certificates from the tenant are synced.
-
-## Certificate Revocation
-
-Revocation requests are sent via a PATCH to the `/api/v2/certificates/{id}` endpoint.
-
-**Mapped Revocation Reasons**:
-
-| Keyfactor Reason (RFC 5280) | HID Reason |
-|:---|:---|
-| 0 (Unspecified) | Unspecified |
-| 1 (KeyCompromise) | KeyCompromise |
-| 2 (CACompromise) | CACompromise |
-| 3 (AffiliationChanged) | AffiliationChanged |
-| 4 (Superseded) | Superseded |
-| 5 (CessationOfOperation) | CessationOfOperation |
-| 6 (CertificateHold) | CertificateHold |
-| 8 (RemoveFromCRL) | RemoveFromCRL |
-| 9 (PrivilegeWithdrawn) | PrivilegeWithdrawn |
-| 10 (AACompromise) | AACompromise |
-
-## Connection Information Validation
-
-The following fields are required when connecting the Gateway to HID:
-
-- `HydrantIdBaseUrl`
-- `HydrantIdAuthId`
-- `HydrantIdAuthKey`
-
-Missing or empty fields will cause the plugin initialization to fail.
-
----
-
-# Additional Notes
-
-- After enrollment, the plugin polls HID's `/csr/{id}/certificate` endpoint for up to **30 seconds** to retrieve the newly issued certificate.
-- If the certificate is still unavailable, the enrollment will be marked **Pending** in Command and should be retried.
-- The plugin uses the Keyfactor standard logging infrastructure (`Keyfactor.Logging`).
-
-# ๐ Related Documentation
-
-- [HAWK Authentication Specification](https://github.com/hueniverse/hawk)
-- [HID API Documentation](https://support.hydrantid.com/hc/en-us)
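Review bot: deleting `docsource/configuration.md` wholesale discards operational detail that the regenerated version in patch 07 does not bring back: the HAWK `Authorization` header shape (`Hawk id="API_ID", ts="TIMESTAMP", nonce="RANDOM", mac="HMAC_SIGNATURE"`), the portal path for creating a key (Profile, `API Keys`, `ADD API KEY`) and the warning that the secret is shown only once, the sync behaviour (page size 100, only `Generated` or `Revoked` certificates processed, up to 5 retries, no per-CA filtering so the whole tenant is synced), the 30-second poll of `/csr/{id}/certificate` with fallback to Pending, and revocation reasons 6, 8, 9 and 10. Prefer editing the file in place so these survive, or carry them into the Mechanics section of the rewrite; the only text here that needed removing is the stray `RenewalDays`/table wording that duplicates the README.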
From c9394e24501c7bff35114a5ce4f27e54007b0d23 Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Mon, 10 Nov 2025 20:22:38 +0000
Subject: [PATCH 06/22] Update generated docs
---
README.md | 109 ++++++-------------------------------
docsource/configuration.md | 24 ++++++++
integration-manifest.json | 4 +-
3 files changed, 44 insertions(+), 93 deletions(-)
create mode 100644 docsource/configuration.md
diff --git a/README.md b/README.md
index 58e4ac1..fe39ec6 100644
--- a/README.md
+++ b/README.md
@@ -1,13 +1,13 @@
- HydrantId AnyCA Gateway REST Plugin
+ HID Global AnyCA Gateway REST Plugin
-
-
-
+
+
+
@@ -34,97 +34,41 @@
-HydrantId operates a PKI as a service platform for customers around the globe. The AnyGateway solution for HydrantId is designed to allow Keyfactor Command:
-
-* CA Sync:
- * Download all certificates issued by connected Enterprise tier CAs in HydrantId (full sync).
-* Certificate enrollment for all published HydrantId Certificate SKUs:
- * Support certificate enrollment (new keys/certificate).
-* Certificate revocation:
- * Request revocation of a previously issued certificate.
+TODO Overview is a required section
## Compatibility
-The HydrantId AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2 and later.
+The HID Global AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2 and later.
## Support
-The HydrantId AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com.
+The HID Global AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com.
> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
## Requirements
-### ๐ HydrantID API Key Setup Guide
-
-This guide explains how to generate and use an API Key ID and Secret in HydrantID for authenticated API access.
-
----
-
-#### ๐ Where to Find API Key Management
-
-1. **Log in** to your HydrantID instance.
- - Example: https://acm-stage.hydrantid.com
-
-2. Click your **user profile icon** (top right) and select **"Profile"**.
-
-3. In the **Profile** page, scroll to the section labeled `API Keys`.
-
----
-
-#### โ Add a New API Key
-
-1. Click **"ADD API KEY"** (top right of the API Keys section).
-2. A new API Key will be generated with:
- - A unique **API ID**
- - A **Secret API Key** โ copy it immediately as it is only shown once.
-
----
-
-#### ๐งพ Notes on API Keys
-
-- **ID** = what you'll pass in the HAWK `id` field
-- **Key** = secret used to generate HAWK signature
-- Each key shows `Created` and `Last Used` timestamps for traceability
-
----
-
-#### ๐ Using the API ID and Key with HAWK
-
-HydrantID uses [HAWK Authentication](https://github.com/hueniverse/hawk) to secure its API.
-
-##### Required Fields in Authorization Header:
-```text
-Hawk id="API_ID", ts="TIMESTAMP", nonce="RANDOM", mac="HMAC_SIGNATURE"
-
-### Root CA Configuration
-
-Both the Keyfactor Command and AnyCA Gateway REST servers must trust the root CA, and if applicable, any subordinate CAs for all features to work as intended. Download the CA Certificate (and chain, if applicable) from HydrantId, and import them into the appropriate certificate store on the AnyCA Gateway REST server.
-
-* **Windows** - If the AnyCA Gateway REST is running on a Windows host, the root CA and applicable subordinate CAs must be imported into the Windows certificate store. The certificates can be imported using the Microsoft Management Console (MMC) or PowerShell.
-* **Linux** - If the AnyCA Gateway REST is running on a Linux host, the root CA and applicable subordinate CAs must be present in the root CA certificate store. The location of this store varies per distribution, but is most commonly `/etc/ssl/certs/ca-certificates.crt`. The following is documentation on some popular distributions.
- * [Ubuntu - Managing CA certificates](https://ubuntu.com/server/docs/install-a-root-ca-certificate-in-the-trust-store)
- * [RHEL 9 - Using shared system certificates](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/securing_networks/using-shared-system-certificates_securing-networks#using-shared-system-certificates_securing-networks)
- * [Fedora - Using Shared System Certificates](https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/)
-
-> The root CA and intermediate CAs must be trusted by both the Command server _and_ AnyCA Gateway REST server.
+TODO Requirements is a required section
## Installation
1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
-2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HydrantId AnyCA Gateway REST plugin](https://github.com/Keyfactor/hydrantid-cagateway/releases/latest) from GitHub.
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HID Global AnyCA Gateway REST plugin](https://github.com/Keyfactor/hydrantid-caplugin/releases/latest) from GitHub.
+
+3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:
-3. Copy the unzipped directory (usually called `net6.0`) to the Extensions directory:
```shell
+ Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations:
Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net6.0\Extensions
+ Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
```
- > The directory containing the HydrantId AnyCA Gateway REST plugin DLLs (`net6.0`) can be named anything, as long as it is unique within the `Extensions` directory.
+ > The directory containing the HID Global AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
4. Restart the AnyCA Gateway REST service.
-5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HydrantId plugin by hovering over the โ symbol to the right of the Gateway on the top left of the portal.
+5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HID Global plugin by hovering over the โ symbol to the right of the Gateway on the top left of the portal.
## Configuration
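Review bot: this commit publishes `TODO Overview is a required section` and `TODO Requirements is a required section` into the top-level README, and the rewritten Installation step 3 places a prose sentence (`Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations:`) inside the ```shell fence, where it renders as a command. Move that sentence above the fence and keep only the two `Program Files\...\Extensions` paths inside it; since README.md is generated, the fix belongs in the docsource/template rather than here. Removing the Root CA Configuration block (Windows MMC, Linux `/etc/ssl/certs/ca-certificates.crt`, the note that both Command and the Gateway must trust the chain) also drops the only trust-store guidance in the document; carry it into the Requirements rewrite.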
@@ -132,7 +76,7 @@ Both the Keyfactor Command and AnyCA Gateway REST servers must trust the root CA
* **Gateway Registration**
- The Gateway Registration tab configures the root or issuing CA certificate for the respective CA in HydrantId. The certificate selected here should be the issuing CA identified in the [Root CA Configuration](#root-ca-configuration) step.
+ TODO Gateway Registration is a required section
* **CA Connection**
@@ -142,28 +86,11 @@ Both the Keyfactor Command and AnyCA Gateway REST servers must trust the root CA
* **HydrantIdAuthId** - The AuthId Obtained from HydrantId.
* **HydrantIdAuthKey** - The AuthKey Obtained from HydrantId.
-2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID.
-
- The GCP CAS AnyCA Gateway REST plugin downloads all Certificate Templates in the configured GCP Region/Project and interprets them as 'Product IDs' in the Gateway Portal.
-
- > For example, if the connected GCP project has the following Certificate Templates:
- >
- > * `ServerAuth`
- > * `ClientAuth`
- >
- > The `Edit Templates` > `Product ID` dialog dropdown will show the following available 'ProductIDs':
- >
- > * `Default` -> Don't use a certificate template when enrolling certificates with this Template.
- > * `ServerAuth` -> Use the `ServerAuth` certificate template in GCP when enrolling certificates with this Template.
- > * `ClientAuth` -> Use the `ClientAuth` certificate template in GCP when enrolling certificates with this Template.
+2. TODO Certificate Template Creation Step is a required section
3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
-4. In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the [official documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Configuring%20Template%20Options.htm) to define enrollment fields for each of the following parameters:
-
- * **ValidityPeriod** - The desired lifetime time period could be Days, Months or Years.
- * **ValidityUnits** - The desired lifetime time value some number indicating days, months or years.
- * **RenewalDays** - The window that determines whether it is a renewal vs a re-issue.
+4. TODO Custom Enrollment Parameter Creation Step is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
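Review bot: the removed step 4 documented the three template enrollment fields (`ValidityPeriod`, `ValidityUnits`, `RenewalDays`) that the plugin's renewal-versus-reissue decision depends on, and the replacement text tells the maintainer to delete the section if it "doesn't seem necessary" while linking an internal Confluence page (`keyfactor.atlassian.net`) that end users cannot open. Restore the parameter list and keep the Confluence link out of the published README. Dropping the removed step 2 text is correct, since it describes the `GCP CAS AnyCA Gateway REST plugin` and `GCP Region/Project` and never applied to HydrantId.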
diff --git a/docsource/configuration.md b/docsource/configuration.md
new file mode 100644
index 0000000..502f91f
--- /dev/null
+++ b/docsource/configuration.md
@@ -0,0 +1,24 @@
+## Overview
+
+TODO Overview is a required section
+
+## Requirements
+
+TODO Requirements is a required section
+
+## Gateway Registration
+
+TODO Gateway Registration is a required section
+
+## Certificate Template Creation Step
+
+TODO Certificate Template Creation Step is a required section
+
+## Custom Enrollment Parameter Creation Step
+
+TODO Custom Enrollment Parameter Creation Step is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+
+## Mechanics
+
+TODO Mechanics is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+
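Review bot: every section in this new file is a `TODO` placeholder, and two of them embed the internal Confluence URL; because README.md is generated from this file (the same `TODO ...` strings appear in the README hunk above), the placeholders and the internal link ship to users until the next regeneration. Commit the docsource together with its filled-in content (patch 07) so no intermediate commit publishes TODOs, and drop the Confluence references before they are rendered anywhere public.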
diff --git a/integration-manifest.json b/integration-manifest.json
index 1627910..e859acb 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -2,7 +2,7 @@
"$schema": "https://keyfactor.github.io/v2/integration-manifest-schema.json",
"name": "HID Global AnyCA REST plugin",
"release_dir": "HydrantCAProxy/bin/Release",
- "release_project": "HydrantCAProxy/HydrantIdCAPlugin.csproj",
+ "release_project": "HydrantCAProxy/HydrantIdCAPlugin.csproj",
"description": "AnyCA Gateway REST plugin that extends HydrantId Certificate Authority Service to Keyfactor Command",
"status": "production",
"integration_type": "anyca-plugin",
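Review bot: the `-`/`+` pair for `"release_project"` is byte-identical as displayed, so this change is invisible whitespace or line endings, and the following hunk likewise only removes the file's final newline. Normalise `integration-manifest.json` once (for example a `*.json text eol=lf` rule in `.gitattributes`) so the doc generator stops churning the manifest on every run and real changes stay reviewable.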
@@ -42,4 +42,4 @@
]
}
}
-}
+}
\ No newline at end of file
From 64b82c1393c5fc1ae080508e2e1e52d30d8cdcec Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Mon, 10 Nov 2025 15:46:39 -0500
Subject: [PATCH 07/22] Update configuration.md
---
docsource/configuration.md | 145 ++++++++++++++++++++++++++++++++++++-
1 file changed, 143 insertions(+), 2 deletions(-)
diff --git a/docsource/configuration.md b/docsource/configuration.md
index 502f91f..8653a51 100644
--- a/docsource/configuration.md
+++ b/docsource/configuration.md
@@ -1,10 +1,151 @@
## Overview
-TODO Overview is a required section
+The HID Global HydrantId AnyCA Gateway REST plugin extends the capabilities of HydrantId Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HydrantId REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities:
+
+* **CA Sync**:
+ * Download all certificates issued by the HydrantId CA
+ * Support for incremental and full synchronization
+ * Automatic extraction of end-entity certificates from PEM chains
+* **Certificate Enrollment**:
+ * Support certificate enrollment with new key pairs
+ * Dynamic policy (profile) discovery from the CA
+ * Intelligent renewal vs. re-issue logic based on certificate expiration
+ * Support for PKCS#10 CSR format
+ * Configurable certificate validity periods
+* **Certificate Revocation**:
+ * Request revocation of previously issued certificates
+ * Support for standard CRL revocation reasons
## Requirements
-TODO Requirements is a required section
+### HydrantId System Prerequisites
+
+Before configuring the AnyCA Gateway plugin, ensure the following prerequisites are met:
+
+1. **HydrantId Account**:
+ - Active HydrantId account with API access enabled
+ - Access to the HydrantId management portal
+ - HydrantId Certificate Authority Service configured and operational
+
+2. **API Credentials**:
+ - HydrantId API Authentication ID (AuthId)
+ - HydrantId API Authentication Key (AuthKey)
+ - These credentials must have permissions for:
+ - Certificate enrollment (CSR submission)
+ - Certificate retrieval
+ - Certificate revocation
+ - Policy/profile listing
+
+3. **Network Connectivity**:
+ - Gateway server must have HTTPS access to the HydrantId API endpoint
+ - Default endpoint format: `https://.hydrantid.com`
+ - Example: `https://acm-stage.hydrantid.com` or `https://acm.hydrantid.com`
+ - TLS 1.2 or higher must be supported
+
+### Obtaining Required Configuration Information
+
+#### 1. HydrantId Base URL
+
+The HydrantId Base URL is the root endpoint for the HydrantId API.
+
+**Common HydrantId environments:**
+- Production: `https://acm.hydrantid.com`
+- Staging: `https://acm-stage.hydrantid.com`
+- Custom instances may have different URLs
+
+**To obtain your Base URL:**
+1. Contact your HydrantId account representative
+2. Check your HydrantId account documentation
+3. Verify the URL is accessible from the Gateway server
+
+#### 2. API Authentication Credentials
+
+The Gateway authenticates to HydrantId using Hawk authentication protocol with an AuthId and AuthKey pair.
+
+**Steps to obtain API credentials:**
+
+1. **Access HydrantId Portal**:
+ - Log in to your HydrantId management portal
+ - Navigate to API or Integration settings
+
+2. **Generate API Credentials**:
+ - Request API credentials from your HydrantId administrator
+ - You will receive:
+ - **AuthId**: A unique identifier for your API client
+ - **AuthKey**: A secret key used for HMAC-based authentication
+ - Store these credentials securely
+
+3. **Verify Permissions**:
+ - Ensure the API credentials have the following permissions:
+ - Certificate enrollment (POST /api/v2/csr)
+ - Certificate renewal (POST /api/v2/certificates/{id}/renew)
+ - Certificate retrieval (GET /api/v2/certificates)
+ - Certificate revocation (PATCH /api/v2/certificates/{id})
+ - Policy listing (GET /api/v2/policies)
+
+#### 3. Certificate Policies
+
+Certificate policies define the types of certificates that can be issued. The plugin automatically discovers available policies from the HydrantId system.
+
+**Policy discovery:**
+- Policies are automatically retrieved when the CA is configured
+- Policies appear in Keyfactor Command as "Product IDs" after CA registration
+- Each policy represents a certificate template configured in HydrantId
+
+**To view available policies:**
+1. Policies are retrieved automatically using the GET /api/v2/policies endpoint
+2. Ensure the API credentials have permissions to list policies
+3. Policies will be displayed during CA configuration in the Gateway
+
+#### 4. Certificate Validity Configuration
+
+For each certificate template, you can configure:
+
+| Parameter | Description | Example Values |
+|-----------|-------------|----------------|
+| **ValidityPeriod** | Time unit for certificate lifetime | `Days`, `Months`, `Years` |
+| **ValidityUnits** | Numeric value for the validity period | `365` (for days), `12` (for months), `2` (for years) |
+| **RenewalDays** | Days before expiration to trigger renewal vs. re-issue | `30`, `60`, `90` |
+
+**Renewal vs. Re-issue Logic:**
+- If a certificate is within the RenewalDays window before expiration, the plugin performs a **renewal**
+- If a certificate is outside the RenewalDays window, the plugin performs a **re-issue** (new enrollment)
+
+### Supported Revocation Reasons
+
+The plugin supports the following standard CRL revocation reasons:
+
+| Reason Code | Reason Name | HydrantId API Value |
+|-------------|-------------|---------------------|
+| 0 | Unspecified | `Unspecified` |
+| 1 | Key Compromise | `KeyCompromise` |
+| 2 | CA Compromise | `CaCompromise` |
+| 3 | Affiliation Changed | `AffiliationChanged` |
+| 4 | Superseded | `Superseded` |
+| 5 | Cessation of Operation | `CessationOfOperation` |
+
+**Note**: Verify with your HydrantId administrator which revocation reasons are supported in your environment.
+
+## Installation
+
+1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
+
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HID Global HydrantId AnyCA Gateway REST plugin](https://github.com/Keyfactor/hydrantid-caplugin/releases/latest) from GitHub.
+
+3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:
+
+ ```shell
+ Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations:
+ Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net6.0\Extensions
+ Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
+ ```
+
+ > The directory containing the HID Global HydrantId AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
+
+4. Restart the AnyCA Gateway REST service.
+
+5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HID Global HydrantId plugin by hovering over the โ symbol to the right of the Gateway on the top left of the portal.
+
## Gateway Registration
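Review bot: several statements in this rewrite need correcting before it is regenerated into the README. `Default endpoint format: https://.hydrantid.com` has lost its placeholder (an angle-bracket token was evidently stripped); write it as `` `https://<tenant>.hydrantid.com` `` in backticks so it survives rendering. `Support for incremental and full synchronization` contradicts the deleted docsource, which described full sync only and noted the API cannot filter by CA; confirm against the code before claiming incremental sync. The revocation table renames `CACompromise` to `CaCompromise` and drops reasons 6, 8, 9 and 10 that the deleted table listed; since the column is labelled `HydrantId API Value`, the casing matters if that string is sent literally, and a hedge asking users to verify with their administrator is not a substitute for the mapping the plugin actually implements. The new `## Installation` section duplicates the Installation section the generator already emits from its template (visible in the README hunk of patch 06), so it will render twice, and it repeats the prose-inside-```shell-fence problem. Finally, `Navigate to API or Integration settings` is vaguer than the deleted Profile, `API Keys` path; keep the precise steps and the note that the secret is shown once.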
From 0f65298f9d2d25b3cad9692bb87a1c4c9703a319 Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Mon, 10 Nov 2025 20:48:45 +0000
Subject: [PATCH 08/22] Update generated docs
---
README.md | 144 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 142 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index fe39ec6..6022513 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,21 @@
-TODO Overview is a required section
+The HID Global HydrantId AnyCA Gateway REST plugin extends the capabilities of HydrantId Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HydrantId REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities:
+
+* **CA Sync**:
+ * Download all certificates issued by the HydrantId CA
+ * Support for incremental and full synchronization
+ * Automatic extraction of end-entity certificates from PEM chains
+* **Certificate Enrollment**:
+ * Support certificate enrollment with new key pairs
+ * Dynamic policy (profile) discovery from the CA
+ * Intelligent renewal vs. re-issue logic based on certificate expiration
+ * Support for PKCS#10 CSR format
+ * Configurable certificate validity periods
+* **Certificate Revocation**:
+ * Request revocation of previously issued certificates
+ * Support for standard CRL revocation reasons
## Compatibility
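Review bot: this hunk is generated from the patch 07 docsource, so the same point applies here: `Support for incremental and full synchronization` is asserted without support elsewhere in the documentation, which previously described full sync only. If the plugin performs only full sync, fix the wording in `docsource/configuration.md` and regenerate rather than editing README.md directly, since the `Update generated docs` commits overwrite it.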
@@ -47,7 +61,113 @@ The HID Global AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor
## Requirements
-TODO Requirements is a required section
+### HydrantId System Prerequisites
+
+Before configuring the AnyCA Gateway plugin, ensure the following prerequisites are met:
+
+1. **HydrantId Account**:
+ - Active HydrantId account with API access enabled
+ - Access to the HydrantId management portal
+ - HydrantId Certificate Authority Service configured and operational
+
+2. **API Credentials**:
+ - HydrantId API Authentication ID (AuthId)
+ - HydrantId API Authentication Key (AuthKey)
+ - These credentials must have permissions for:
+ - Certificate enrollment (CSR submission)
+ - Certificate retrieval
+ - Certificate revocation
+ - Policy/profile listing
+
+3. **Network Connectivity**:
+ - Gateway server must have HTTPS access to the HydrantId API endpoint
+ - Default endpoint format: `https://.hydrantid.com`
+ - Example: `https://acm-stage.hydrantid.com` or `https://acm.hydrantid.com`
+ - TLS 1.2 or higher must be supported
+
+### Obtaining Required Configuration Information
+
+#### 1. HydrantId Base URL
+
+The HydrantId Base URL is the root endpoint for the HydrantId API.
+
+**Common HydrantId environments:**
+- Production: `https://acm.hydrantid.com`
+- Staging: `https://acm-stage.hydrantid.com`
+- Custom instances may have different URLs
+
+**To obtain your Base URL:**
+1. Contact your HydrantId account representative
+2. Check your HydrantId account documentation
+3. Verify the URL is accessible from the Gateway server
+
+#### 2. API Authentication Credentials
+
+The Gateway authenticates to HydrantId using Hawk authentication protocol with an AuthId and AuthKey pair.
+
+**Steps to obtain API credentials:**
+
+1. **Access HydrantId Portal**:
+ - Log in to your HydrantId management portal
+ - Navigate to API or Integration settings
+
+2. **Generate API Credentials**:
+ - Request API credentials from your HydrantId administrator
+ - You will receive:
+ - **AuthId**: A unique identifier for your API client
+ - **AuthKey**: A secret key used for HMAC-based authentication
+ - Store these credentials securely
+
+3. **Verify Permissions**:
+ - Ensure the API credentials have the following permissions:
+ - Certificate enrollment (POST /api/v2/csr)
+ - Certificate renewal (POST /api/v2/certificates/{id}/renew)
+ - Certificate retrieval (GET /api/v2/certificates)
+ - Certificate revocation (PATCH /api/v2/certificates/{id})
+ - Policy listing (GET /api/v2/policies)
+
+#### 3. Certificate Policies
+
+Certificate policies define the types of certificates that can be issued. The plugin automatically discovers available policies from the HydrantId system.
+
+**Policy discovery:**
+- Policies are automatically retrieved when the CA is configured
+- Policies appear in Keyfactor Command as "Product IDs" after CA registration
+- Each policy represents a certificate template configured in HydrantId
+
+**To view available policies:**
+1. Policies are retrieved automatically using the GET /api/v2/policies endpoint
+2. Ensure the API credentials have permissions to list policies
+3. Policies will be displayed during CA configuration in the Gateway
+
+#### 4. Certificate Validity Configuration
+
+For each certificate template, you can configure:
+
+| Parameter | Description | Example Values |
+|-----------|-------------|----------------|
+| **ValidityPeriod** | Time unit for certificate lifetime | `Days`, `Months`, `Years` |
+| **ValidityUnits** | Numeric value for the validity period | `365` (for days), `12` (for months), `2` (for years) |
+| **RenewalDays** | Days before expiration to trigger renewal vs. re-issue | `30`, `60`, `90` |
+
+**Renewal vs. Re-issue Logic:**
+- If a certificate is within the RenewalDays window before expiration, the plugin performs a **renewal**
+- If a certificate is outside the RenewalDays window, the plugin performs a **re-issue** (new enrollment)
+
+### Supported Revocation Reasons
+
+The plugin supports the following standard CRL revocation reasons:
+
+| Reason Code | Reason Name | HydrantId API Value |
+|-------------|-------------|---------------------|
+| 0 | Unspecified | `Unspecified` |
+| 1 | Key Compromise | `KeyCompromise` |
+| 2 | CA Compromise | `CaCompromise` |
+| 3 | Affiliation Changed | `AffiliationChanged` |
+| 4 | Superseded | `Superseded` |
+| 5 | Cessation of Operation | `CessationOfOperation` |
+
+**Note**: Verify with your HydrantId administrator which revocation reasons are supported in your environment.
## Installation
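Review bot: the placeholder in `Default endpoint format: `https://.hydrantid.com`` has lost its host segment (most likely an angle-bracketed token swallowed during Markdown rendering); write it as `https://<environment>.hydrantid.com` inside backticks so it survives, or drop the line, since the two examples under it are concrete. Second gap in this hunk: the revocation table lists CRLReason codes 0 to 5 only and the note beneath it defers to the HydrantId administrator; document what the plugin does when Command sends a reason that is not in the table (certificateHold, code 6, is the common one): rejected, mapped to `Unspecified`, or passed through. That decision belongs in the plugin doc, not with the reader.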
@@ -93,6 +213,26 @@ TODO Requirements is a required section
4. TODO Custom Enrollment Parameter Creation Step is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+## Installation
+
+1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
+
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HID Global HydrantId AnyCA Gateway REST plugin](https://github.com/Keyfactor/hydrantid-caplugin/releases/latest) from GitHub.
+
+3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:
+
+ ```shell
+ Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations:
+ Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net6.0\Extensions
+ Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
+ ```
+
+ > The directory containing the HID Global HydrantId AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
+
+4. Restart the AnyCA Gateway REST service.
+
+5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HID Global HydrantId plugin by hovering over the โ symbol to the right of the Gateway on the top left of the portal.
+
## License
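Review bot: the fenced block in step 3 is tagged `shell` but contains an English sentence (`Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations:`) followed by two bare paths; move the sentence into the step text, keep only the paths in the fence (or tag it `text`), and give the paths a drive letter (`C:\Program Files\...`) so they can be pasted. Step 5 carries a mis-encoded character in `hovering over the โ symbol`; replace it with the intended symbol or describe it in words. Step 2 downloads a release zip with no integrity check; if the GitHub release publishes a checksum or signature, tell the reader to verify it before dropping DLLs into the Extensions directory. Note also that the unchanged context line above this hunk still reads `4. TODO Custom Enrollment Parameter Creation Step ...`, so the README keeps a template TODO at this commit.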
From 6f09f7a1b9b803dcc91597dcc3212bc29a25b4ef Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Mon, 10 Nov 2025 15:52:48 -0500
Subject: [PATCH 09/22] Update configuration.md
---
docsource/configuration.md | 74 +++++++++++++++++++++++++++++++++++++-
1 file changed, 73 insertions(+), 1 deletion(-)
diff --git a/docsource/configuration.md b/docsource/configuration.md
index 8653a51..53047e8 100644
--- a/docsource/configuration.md
+++ b/docsource/configuration.md
@@ -149,7 +149,79 @@ The plugin supports the following standard CRL revocation reasons:
## Gateway Registration
-TODO Gateway Registration is a required section
+ ### CA Connection Configuration
+
+ When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
+
+ | Parameter | Description | Required | Example |
+ |-----------|-------------|----------|---------|
+ | **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
+ | **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
+ | **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
+
+ ### Template (Product) Configuration
+
+ Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
+
+ | Parameter | Description | Required | Example |
+ |-----------|-------------|----------|---------|
+ | **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
+ | **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
+ | **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
+
+ **Important Notes:**
+ - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
+ - The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
+ - RenewalDays determines the behavior for certificate renewal:
+ - Within window: Performs a renewal operation (maintains certificate lineage)
+ - Outside window: Performs a re-issue operation (new certificate enrollment)
+
+ ### Gateway Registration Notes
+
+ - Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
+ - If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
+ - Each CA configuration will manifest in Command as a separate CA entry
+ - The plugin uses Hawk authentication protocol for all API communications
+ - Authentication uses HMAC-SHA256 for secure API access
+ - The plugin automatically handles:
+ - Policy/template discovery
+ - Certificate status mapping
+ - End-entity certificate extraction from PEM chains
+ - Enrollment completion polling (30-second timeout)
+
+ ### Security Considerations
+
+ 1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
+ 2. **Secret Management**: Consider using a secrets management system for AuthKey storage
+ 3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
+ 4. **Least Privilege**: Request API credentials with minimal required permissions
+ 5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
+ 6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
+
+ * **CA Connection**
+
+ Populate using the configuration fields collected in the [requirements](#requirements) section.
+
+ * **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
+ * **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
+ * **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
+
+2. **Certificate Template Configuration**
+
+ After adding the CA to the Gateway, configure each certificate template:
+
+ 1. Navigate to the Templates/Products section for the newly added CA
+ 2. For each template (policy) discovered from HydrantId, configure:
+ - **ValidityPeriod**: Select `Days`, `Months`, or `Years`
+ - **ValidityUnits**: Enter the numeric value (e.g., `365` for one year in days)
+ - **RenewalDays**: Enter the renewal window in days (e.g., `30`)
+
+ Example configurations:
+ - **1-Year Certificate (Days)**: ValidityPeriod=`Days`, ValidityUnits=`365`, RenewalDays=`30`
+ - **2-Year Certificate (Years)**: ValidityPeriod=`Years`, ValidityUnits=`2`, RenewalDays=`60`
+ - **6-Month Certificate (Months)**: ValidityPeriod=`Months`, ValidityUnits=`6`, RenewalDays=`30`
+
+3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
## Certificate Template Creation Step
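Review bot: `Enrollment completion polling (30-second timeout)` in Gateway Registration Notes names a timeout but not the outcome; say whether an enrollment still pending after 30 seconds is reported to Command as failed, as pending, or left for the next sync to pick up, because the operator has to decide what to do with that request. Security Considerations item 2 recommends `a secrets management system for AuthKey storage` while the CA Connection table in the same hunk takes `HydrantIdAuthKey` as a plain configuration parameter; either describe how the Gateway pulls that value from a secret store or replace the item with what actually applies (the Gateway's own protection of CA connection settings). Structurally, the hunk defines the three CA Connection parameters twice (the table, then the `* **CA Connection**` bullets) and its numbered list begins at `2. **Certificate Template Configuration**` with no item 1.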
From bbbf0b7ca5c0523ab2a93d247888630d402ad148 Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Mon, 10 Nov 2025 15:53:48 -0500
Subject: [PATCH 10/22] Update configuration.md
---
docsource/configuration.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docsource/configuration.md b/docsource/configuration.md
index 53047e8..a1eeef0 100644
--- a/docsource/configuration.md
+++ b/docsource/configuration.md
@@ -149,7 +149,7 @@ The plugin supports the following standard CRL revocation reasons:
## Gateway Registration
- ### CA Connection Configuration
+### CA Connection Configuration
When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
From 5863e7b15ba2aa31a2b6594fd2d100b1143ff0f0 Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Mon, 10 Nov 2025 15:55:38 -0500
Subject: [PATCH 11/22] Update configuration.md
---
docsource/configuration.md | 104 ++++++++++++++++++-------------------
1 file changed, 52 insertions(+), 52 deletions(-)
diff --git a/docsource/configuration.md b/docsource/configuration.md
index a1eeef0..6c580df 100644
--- a/docsource/configuration.md
+++ b/docsource/configuration.md
@@ -151,75 +151,75 @@ The plugin supports the following standard CRL revocation reasons:
### CA Connection Configuration
- When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
+ When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
- | Parameter | Description | Required | Example |
- |-----------|-------------|----------|---------|
- | **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
- | **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
- | **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
+ | Parameter | Description | Required | Example |
+ |-----------|-------------|----------|---------|
+ | **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
+ | **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
+ | **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
- ### Template (Product) Configuration
+### Template (Product) Configuration
- Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
+ Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
- | Parameter | Description | Required | Example |
- |-----------|-------------|----------|---------|
- | **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
- | **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
- | **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
+ | Parameter | Description | Required | Example |
+ |-----------|-------------|----------|---------|
+ | **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
+ | **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
+ | **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
- **Important Notes:**
- - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
- - The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
- - RenewalDays determines the behavior for certificate renewal:
- - Within window: Performs a renewal operation (maintains certificate lineage)
- - Outside window: Performs a re-issue operation (new certificate enrollment)
+ **Important Notes:**
+ - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
+ - The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
+ - RenewalDays determines the behavior for certificate renewal:
+ - Within window: Performs a renewal operation (maintains certificate lineage)
+ - Outside window: Performs a re-issue operation (new certificate enrollment)
- ### Gateway Registration Notes
+### Gateway Registration Notes
- - Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
- - If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
- - Each CA configuration will manifest in Command as a separate CA entry
- - The plugin uses Hawk authentication protocol for all API communications
- - Authentication uses HMAC-SHA256 for secure API access
- - The plugin automatically handles:
- - Policy/template discovery
- - Certificate status mapping
- - End-entity certificate extraction from PEM chains
- - Enrollment completion polling (30-second timeout)
+ - Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
+ - If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
+ - Each CA configuration will manifest in Command as a separate CA entry
+ - The plugin uses Hawk authentication protocol for all API communications
+ - Authentication uses HMAC-SHA256 for secure API access
+ - The plugin automatically handles:
+ - Policy/template discovery
+ - Certificate status mapping
+ - End-entity certificate extraction from PEM chains
+ - Enrollment completion polling (30-second timeout)
- ### Security Considerations
+### Security Considerations
- 1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
- 2. **Secret Management**: Consider using a secrets management system for AuthKey storage
- 3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
- 4. **Least Privilege**: Request API credentials with minimal required permissions
- 5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
- 6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
+ 1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
+ 2. **Secret Management**: Consider using a secrets management system for AuthKey storage
+ 3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
+ 4. **Least Privilege**: Request API credentials with minimal required permissions
+ 5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
+ 6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
- * **CA Connection**
+ * **CA Connection**
- Populate using the configuration fields collected in the [requirements](#requirements) section.
+ Populate using the configuration fields collected in the [requirements](#requirements) section.
- * **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
- * **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
- * **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
+ * **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
+ * **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
+ * **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
2. **Certificate Template Configuration**
- After adding the CA to the Gateway, configure each certificate template:
+ After adding the CA to the Gateway, configure each certificate template:
- 1. Navigate to the Templates/Products section for the newly added CA
- 2. For each template (policy) discovered from HydrantId, configure:
- - **ValidityPeriod**: Select `Days`, `Months`, or `Years`
- - **ValidityUnits**: Enter the numeric value (e.g., `365` for one year in days)
- - **RenewalDays**: Enter the renewal window in days (e.g., `30`)
+ 1. Navigate to the Templates/Products section for the newly added CA
+ 2. For each template (policy) discovered from HydrantId, configure:
+ - **ValidityPeriod**: Select `Days`, `Months`, or `Years`
+ - **ValidityUnits**: Enter the numeric value (e.g., `365` for one year in days)
+ - **RenewalDays**: Enter the renewal window in days (e.g., `30`)
- Example configurations:
- - **1-Year Certificate (Days)**: ValidityPeriod=`Days`, ValidityUnits=`365`, RenewalDays=`30`
- - **2-Year Certificate (Years)**: ValidityPeriod=`Years`, ValidityUnits=`2`, RenewalDays=`60`
- - **6-Month Certificate (Months)**: ValidityPeriod=`Months`, ValidityUnits=`6`, RenewalDays=`30`
+ Example configurations:
+ - **1-Year Certificate (Days)**: ValidityPeriod=`Days`, ValidityUnits=`365`, RenewalDays=`30`
+ - **2-Year Certificate (Years)**: ValidityPeriod=`Years`, ValidityUnits=`2`, RenewalDays=`60`
+ - **6-Month Certificate (Months)**: ValidityPeriod=`Months`, ValidityUnits=`6`, RenewalDays=`30`
3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
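Review bot: this hunk is whitespace only and the list problem from the previous commit survives it: `2. **Certificate Template Configuration**` follows a `* **CA Connection**` bullet with no `1.` item, so renderers either restart the numbering or show a dangling bullet. Either make `* **CA Connection**` the first numbered step or remove the numbers and use bold step titles throughout. Since the indentation is being tuned for nesting under a list item in the generated README, keep the body indent at two spaces consistently; the `### ` headings at column 0 next to two-space-indented tables will otherwise render as top-level sections interleaved with nested list content.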
From 64b2312fdb84d9a3b3dce0a2e460ce255769e194 Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Mon, 10 Nov 2025 20:58:00 +0000
Subject: [PATCH 12/22] Update generated docs
---
README.md | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 73 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 6022513..2bb051c 100644
--- a/README.md
+++ b/README.md
@@ -196,7 +196,79 @@ The plugin supports the following standard CRL revocation reasons:
* **Gateway Registration**
- TODO Gateway Registration is a required section
+ ### CA Connection Configuration
+
+ When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
+
+ | Parameter | Description | Required | Example |
+ |-----------|-------------|----------|---------|
+ | **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
+ | **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
+ | **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
+
+ ### Template (Product) Configuration
+
+ Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
+
+ | Parameter | Description | Required | Example |
+ |-----------|-------------|----------|---------|
+ | **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
+ | **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
+ | **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
+
+ **Important Notes:**
+ - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
+ - The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
+ - RenewalDays determines the behavior for certificate renewal:
+ - Within window: Performs a renewal operation (maintains certificate lineage)
+ - Outside window: Performs a re-issue operation (new certificate enrollment)
+
+ ### Gateway Registration Notes
+
+ - Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
+ - If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
+ - Each CA configuration will manifest in Command as a separate CA entry
+ - The plugin uses Hawk authentication protocol for all API communications
+ - Authentication uses HMAC-SHA256 for secure API access
+ - The plugin automatically handles:
+ - Policy/template discovery
+ - Certificate status mapping
+ - End-entity certificate extraction from PEM chains
+ - Enrollment completion polling (30-second timeout)
+
+ ### Security Considerations
+
+ 1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
+ 2. **Secret Management**: Consider using a secrets management system for AuthKey storage
+ 3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
+ 4. **Least Privilege**: Request API credentials with minimal required permissions
+ 5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
+ 6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
+
+ * **CA Connection**
+
+ Populate using the configuration fields collected in the [requirements](#requirements) section.
+
+ * **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
+ * **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
+ * **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
+
+ 2. **Certificate Template Configuration**
+
+ After adding the CA to the Gateway, configure each certificate template:
+
+ 1. Navigate to the Templates/Products section for the newly added CA
+ 2. For each template (policy) discovered from HydrantId, configure:
+ - **ValidityPeriod**: Select `Days`, `Months`, or `Years`
+ - **ValidityUnits**: Enter the numeric value (e.g., `365` for one year in days)
+ - **RenewalDays**: Enter the renewal window in days (e.g., `30`)
+
+ Example configurations:
+ - **1-Year Certificate (Days)**: ValidityPeriod=`Days`, ValidityUnits=`365`, RenewalDays=`30`
+ - **2-Year Certificate (Years)**: ValidityPeriod=`Years`, ValidityUnits=`2`, RenewalDays=`60`
+ - **6-Month Certificate (Months)**: ValidityPeriod=`Months`, ValidityUnits=`6`, RenewalDays=`30`
+
+ 3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
* **CA Connection**
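Review bot: the generated README now states the three CA Connection parameters three times: the table at the top of the hunk, the `* **HydrantIdBaseUrl** ...` bullets near the end, and the pre-existing `* **CA Connection**` block that follows the hunk (the unchanged context line). Because this file is generated from docsource/configuration.md, fix it there: keep the table, remove the bullet copy, and let the generator's own CA Connection section carry the per-field descriptions. The nested `2.`/`3.` steps inside the `* **Gateway Registration**` bullet also duplicate the top-level numbered steps the generator emits further down (`2. ...`, `3. Follow the official Keyfactor documentation ...`), which is why the numbering in the rendered README looks wrong.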
From e793c8cb310e0346e40245324666383ba17486c9 Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Mon, 10 Nov 2025 16:17:21 -0500
Subject: [PATCH 13/22] Update configuration.md
---
docsource/configuration.md | 34 ++++++++++++++++------------------
1 file changed, 16 insertions(+), 18 deletions(-)
diff --git a/docsource/configuration.md b/docsource/configuration.md
index 6c580df..034a9f4 100644
--- a/docsource/configuration.md
+++ b/docsource/configuration.md
@@ -159,23 +159,6 @@ The plugin supports the following standard CRL revocation reasons:
| **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
| **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
-### Template (Product) Configuration
-
- Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
-
- | Parameter | Description | Required | Example |
- |-----------|-------------|----------|---------|
- | **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
- | **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
- | **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
-
- **Important Notes:**
- - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
- - The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
- - RenewalDays determines the behavior for certificate renewal:
- - Within window: Performs a renewal operation (maintains certificate lineage)
- - Outside window: Performs a re-issue operation (new certificate enrollment)
-
### Gateway Registration Notes
- Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
@@ -225,7 +208,22 @@ The plugin supports the following standard CRL revocation reasons:
## Certificate Template Creation Step
-TODO Certificate Template Creation Step is a required section
+### Template (Product) Configuration
+
+ Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
+
+ | Parameter | Description | Required | Example |
+ |-----------|-------------|----------|---------|
+ | **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
+ | **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
+ | **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
+
+ **Important Notes:**
+ - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
+ - The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
+ - RenewalDays determines the behavior for certificate renewal:
+ - Within window: Performs a renewal operation (maintains certificate lineage)
+ - Outside window: Performs a re-issue operation (new certificate enrollment)
## Custom Enrollment Parameter Creation Step
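Review bot: the moved table marks all three parameters `Required: Yes`, but the names invert what a reader expects: `ValidityPeriod` holds the unit (`Days`, `Months`, `Years`) and `ValidityUnits` holds the count, so `ValidityPeriod=365` is the obvious operator mistake. Add a one-line warning and state what the plugin does with an unrecognised unit or a non-numeric count (reject the enrollment, or fall back to the policy default). `The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime` should also say how `Months` and `Years` are converted for the HydrantId request (calendar arithmetic or a fixed day count), since that decides whether a `2`-year certificate expires on the same calendar day. Finally, `Within window: Performs a renewal operation (maintains certificate lineage)` needs its input defined: which existing certificate is compared against RenewalDays, and what happens when Command enrolls a new subject with no prior certificate.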
From b551b88c96df9e692db80bdc1da367d9b722c9dd Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Mon, 10 Nov 2025 16:17:46 -0500
Subject: [PATCH 14/22] Update configuration.md
---
docsource/configuration.md | 8 --------
1 file changed, 8 deletions(-)
diff --git a/docsource/configuration.md b/docsource/configuration.md
index 034a9f4..c3dd40e 100644
--- a/docsource/configuration.md
+++ b/docsource/configuration.md
@@ -225,11 +225,3 @@ The plugin supports the following standard CRL revocation reasons:
- Within window: Performs a renewal operation (maintains certificate lineage)
- Outside window: Performs a re-issue operation (new certificate enrollment)
-## Custom Enrollment Parameter Creation Step
-
-TODO Custom Enrollment Parameter Creation Step is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
-
-## Mechanics
-
-TODO Mechanics is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
-
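Review bot: deleting `## Mechanics` removes the one section where the plugin's runtime behaviour (the RenewalDays renewal-versus-reissue decision, the 30-second enrollment polling, end-entity extraction from PEM chains) would naturally live; those notes currently sit as bullets under Gateway Registration Notes. Keep the Mechanics heading and move them there instead of deleting it. Removing `## Custom Enrollment Parameter Creation Step` is only safe if the generator supplies that step itself; the following generated-docs commit does show a step 4 for enrollment fields, so confirm it is generated rather than orphaned text.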
From e24be1ec2e0245d696b07f2f9e14ec72c31d5123 Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Mon, 10 Nov 2025 21:21:19 +0000
Subject: [PATCH 15/22] Update generated docs
---
README.md | 40 +++++++++++++++++++++-------------------
1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/README.md b/README.md
index 2bb051c..b9cd1f2 100644
--- a/README.md
+++ b/README.md
@@ -206,23 +206,6 @@ The plugin supports the following standard CRL revocation reasons:
| **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
| **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
- ### Template (Product) Configuration
-
- Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
-
- | Parameter | Description | Required | Example |
- |-----------|-------------|----------|---------|
- | **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
- | **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
- | **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
-
- **Important Notes:**
- - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
- - The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
- - RenewalDays determines the behavior for certificate renewal:
- - Within window: Performs a renewal operation (maintains certificate lineage)
- - Outside window: Performs a re-issue operation (new certificate enrollment)
-
### Gateway Registration Notes
- Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
@@ -278,11 +261,30 @@ The plugin supports the following standard CRL revocation reasons:
* **HydrantIdAuthId** - The AuthId Obtained from HydrantId.
* **HydrantIdAuthKey** - The AuthKey Obtained from HydrantId.
-2. TODO Certificate Template Creation Step is a required section
+2. ### Template (Product) Configuration
+
+ Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
+
+ | Parameter | Description | Required | Example |
+ |-----------|-------------|----------|---------|
+ | **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
+ | **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
+ | **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
+
+ **Important Notes:**
+ - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
+ - The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
+ - RenewalDays determines the behavior for certificate renewal:
+ - Within window: Performs a renewal operation (maintains certificate lineage)
+ - Outside window: Performs a re-issue operation (new certificate enrollment)
3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
-4. TODO Custom Enrollment Parameter Creation Step is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+4. In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the [official documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Configuring%20Template%20Options.htm) to define enrollment fields for each of the following parameters:
+
+ * **ValidityPeriod** - The desired lifetime time period could be Days, Months or Years.
+ * **ValidityUnits** - The desired lifetime time value some number indicating days, months or years.
+ * **RenewalDays** - The window that determines whether it is a renewal vs a re-issue.
## Installation
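Review bot: the new step 2 puts an ATX heading inside an ordered-list item (`2. ### Template (Product) Configuration`), which is inconsistent with steps 3 and 4 and renders differently across Markdown engines; use bold text as the other steps do, e.g. `2. **Template (Product) Configuration**`. The three parameter bullets added in step 4 also need a grammar pass: `* **ValidityUnits** - The desired lifetime time value some number indicating days, months or years.` has no verb, and the descriptions restate the step 2 table in different words (RenewalDays is "Days before expiration to trigger renewal" in the table but "The window that determines whether it is a renewal vs a re-issue" here); reuse the table's wording or point back to the table.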
From bf8787df69f88d10ccf6030bbea2e91774c0c3c5 Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Thu, 13 Nov 2025 09:53:04 -0500
Subject: [PATCH 16/22] Update configuration.md
---
docsource/configuration.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/docsource/configuration.md b/docsource/configuration.md
index c3dd40e..9952bd4 100644
--- a/docsource/configuration.md
+++ b/docsource/configuration.md
@@ -146,7 +146,6 @@ The plugin supports the following standard CRL revocation reasons:
5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HID Global HydrantId plugin by hovering over the โ symbol to the right of the Gateway on the top left of the portal.
-
## Gateway Registration
### CA Connection Configuration
@@ -181,7 +180,7 @@ The plugin supports the following standard CRL revocation reasons:
5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
- * **CA Connection**
+**CA Connection**
Populate using the configuration fields collected in the [requirements](#requirements) section.
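Review bot: dedenting `**CA Connection**` on its own leaves the paragraph below it (`Populate using the configuration fields collected in the [requirements](#requirements) section.`) and the three parameter bullets at their old indentation, so the label and its body render at different list levels until PATCH 17 dedents the rest; fold this change into that commit so no intermediate state is half-dedented.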
From b4c536820e3fd7b859b3dfdaab0c9e1486b9a27d Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Thu, 13 Nov 2025 09:54:42 -0500
Subject: [PATCH 17/22] Update configuration.md
---
docsource/configuration.md | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/docsource/configuration.md b/docsource/configuration.md
index 9952bd4..184c201 100644
--- a/docsource/configuration.md
+++ b/docsource/configuration.md
@@ -173,20 +173,20 @@ The plugin supports the following standard CRL revocation reasons:
### Security Considerations
- 1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
- 2. **Secret Management**: Consider using a secrets management system for AuthKey storage
- 3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
- 4. **Least Privilege**: Request API credentials with minimal required permissions
- 5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
- 6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
+1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
+2. **Secret Management**: Consider using a secrets management system for AuthKey storage
+3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
+4. **Least Privilege**: Request API credentials with minimal required permissions
+5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
+6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
**CA Connection**
- Populate using the configuration fields collected in the [requirements](#requirements) section.
+Populate using the configuration fields collected in the [requirements](#requirements) section.
- * **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
- * **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
- * **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
+* **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
+* **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
+* **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
2. **Certificate Template Configuration**
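Review bot: after this dedent the `**CA Connection**` block with its `HydrantIdBaseUrl`, `HydrantIdAuthId` and `HydrantIdAuthKey` bullets sits below `### Security Considerations`, although it belongs to the Gateway Registration step that precedes that heading, and the trailing context line `2. **Certificate Template Configuration**` now opens a fresh ordered list instead of continuing step 1, because everything between has been pulled out of the list item. Move the CA Connection block above the Security Considerations heading and check the rendered numbering of step 2.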
From 49368284b5dfc685913563977d13ce8c917331c7 Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Thu, 13 Nov 2025 09:57:12 -0500
Subject: [PATCH 18/22] Update configuration.md
---
docsource/configuration.md | 86 +++++++++++++++++++-------------------
1 file changed, 43 insertions(+), 43 deletions(-)
diff --git a/docsource/configuration.md b/docsource/configuration.md
index 184c201..622041f 100644
--- a/docsource/configuration.md
+++ b/docsource/configuration.md
@@ -1,9 +1,9 @@
## Overview
-The HID Global HydrantId AnyCA Gateway REST plugin extends the capabilities of HydrantId Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HydrantId REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities:
+The HID Global HID AnyCA Gateway REST plugin extends the capabilities of HID Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HID REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities:
* **CA Sync**:
- * Download all certificates issued by the HydrantId CA
+ * Download all certificates issued by the HID CA
* Support for incremental and full synchronization
* Automatic extraction of end-entity certificates from PEM chains
* **Certificate Enrollment**:
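Review bot: the mechanical HydrantId to HID replacement yields `HID Global HID AnyCA Gateway REST plugin`, doubling the vendor name, and the rest of this commit applies the same replacement to literal hostnames, the GitHub repository path and the plugin's configuration parameter names, all of which it breaks. PATCH 19 below reverts every hunk of this commit, so both commits should be dropped from the series rather than kept in history.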
@@ -18,18 +18,18 @@ The HID Global HydrantId AnyCA Gateway REST plugin extends the capabilities of H
## Requirements
-### HydrantId System Prerequisites
+### HID System Prerequisites
Before configuring the AnyCA Gateway plugin, ensure the following prerequisites are met:
-1. **HydrantId Account**:
- - Active HydrantId account with API access enabled
- - Access to the HydrantId management portal
- - HydrantId Certificate Authority Service configured and operational
+1. **HID Account**:
+ - Active HID account with API access enabled
+ - Access to the HID management portal
+ - HID Certificate Authority Service configured and operational
2. **API Credentials**:
- - HydrantId API Authentication ID (AuthId)
- - HydrantId API Authentication Key (AuthKey)
+ - HID API Authentication ID (AuthId)
+ - HID API Authentication Key (AuthKey)
- These credentials must have permissions for:
- Certificate enrollment (CSR submission)
- Certificate retrieval
@@ -37,39 +37,39 @@ Before configuring the AnyCA Gateway plugin, ensure the following prerequisites
- Policy/profile listing
3. **Network Connectivity**:
- - Gateway server must have HTTPS access to the HydrantId API endpoint
- - Default endpoint format: `https://.hydrantid.com`
- - Example: `https://acm-stage.hydrantid.com` or `https://acm.hydrantid.com`
+ - Gateway server must have HTTPS access to the HID API endpoint
+ - Default endpoint format: `https://.HID.com`
+ - Example: `https://acm-stage.HID.com` or `https://acm.HID.com`
- TLS 1.2 or higher must be supported
### Obtaining Required Configuration Information
-#### 1. HydrantId Base URL
+#### 1. HID Base URL
-The HydrantId Base URL is the root endpoint for the HydrantId API.
+The HID Base URL is the root endpoint for the HID API.
-**Common HydrantId environments:**
-- Production: `https://acm.hydrantid.com`
-- Staging: `https://acm-stage.hydrantid.com`
+**Common HID environments:**
+- Production: `https://acm.HID.com`
+- Staging: `https://acm-stage.HID.com`
- Custom instances may have different URLs
**To obtain your Base URL:**
-1. Contact your HydrantId account representative
-2. Check your HydrantId account documentation
+1. Contact your HID account representative
+2. Check your HID account documentation
3. Verify the URL is accessible from the Gateway server
#### 2. API Authentication Credentials
-The Gateway authenticates to HydrantId using Hawk authentication protocol with an AuthId and AuthKey pair.
+The Gateway authenticates to HID using Hawk authentication protocol with an AuthId and AuthKey pair.
**Steps to obtain API credentials:**
-1. **Access HydrantId Portal**:
- - Log in to your HydrantId management portal
+1. **Access HID Portal**:
+ - Log in to your HID management portal
- Navigate to API or Integration settings
2. **Generate API Credentials**:
- - Request API credentials from your HydrantId administrator
+ - Request API credentials from your HID administrator
- You will receive:
- **AuthId**: A unique identifier for your API client
- **AuthKey**: A secret key used for HMAC-based authentication
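Review bot: the rename rewrites literal API hostnames (`https://acm.hydrantid.com` becomes `https://acm.HID.com`, `https://acm-stage.hydrantid.com` becomes `https://acm-stage.HID.com`), turning documented endpoints into addresses that do not belong to the HydrantId service; a product-name rename must leave URLs untouched. Separately, on both the old and the new side `Default endpoint format: \`https://.hydrantid.com\`` has an empty host label before the domain, which reads like a stripped placeholder; the examples on the following line show that label is the environment prefix (`acm`, `acm-stage`), so restore the placeholder instead of leaving a bare dot.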
@@ -85,12 +85,12 @@ The Gateway authenticates to HydrantId using Hawk authentication protocol with a
#### 3. Certificate Policies
-Certificate policies define the types of certificates that can be issued. The plugin automatically discovers available policies from the HydrantId system.
+Certificate policies define the types of certificates that can be issued. The plugin automatically discovers available policies from the HID system.
**Policy discovery:**
- Policies are automatically retrieved when the CA is configured
- Policies appear in Keyfactor Command as "Product IDs" after CA registration
-- Each policy represents a certificate template configured in HydrantId
+- Each policy represents a certificate template configured in HID
**To view available policies:**
1. Policies are retrieved automatically using the GET /api/v2/policies endpoint
@@ -115,7 +115,7 @@ For each certificate template, you can configure:
The plugin supports the following standard CRL revocation reasons:
-| Reason Code | Reason Name | HydrantId API Value |
+| Reason Code | Reason Name | HID API Value |
|-------------|-------------|---------------------|
| 0 | Unspecified | `Unspecified` |
| 1 | Key Compromise | `KeyCompromise` |
@@ -124,13 +124,13 @@ The plugin supports the following standard CRL revocation reasons:
| 4 | Superseded | `Superseded` |
| 5 | Cessation of Operation | `CessationOfOperation` |
-**Note**: Verify with your HydrantId administrator which revocation reasons are supported in your environment.
+**Note**: Verify with your HID administrator which revocation reasons are supported in your environment.
## Installation
1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
-2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HID Global HydrantId AnyCA Gateway REST plugin](https://github.com/Keyfactor/hydrantid-caplugin/releases/latest) from GitHub.
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HID Global HID AnyCA Gateway REST plugin](https://github.com/Keyfactor/HID-caplugin/releases/latest) from GitHub.
3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:
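Review bot: the release link now points at `https://github.com/Keyfactor/HID-caplugin/releases/latest`, but the repository path is an identifier, not prose; unless the repository itself is renamed this is a dead link. Keep `hydrantid-caplugin` in the URL regardless of how the product is spelled in the surrounding text.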
@@ -140,28 +140,28 @@ The plugin supports the following standard CRL revocation reasons:
Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
```
- > The directory containing the HID Global HydrantId AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
+ > The directory containing the HID Global HID AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
4. Restart the AnyCA Gateway REST service.
-5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HID Global HydrantId plugin by hovering over the โ symbol to the right of the Gateway on the top left of the portal.
+5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HID Global HID plugin by hovering over the โ symbol to the right of the Gateway on the top left of the portal.
## Gateway Registration
### CA Connection Configuration
- When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
+ When registering the HID CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
| Parameter | Description | Required | Example |
|-----------|-------------|----------|---------|
- | **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
- | **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
- | **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
+ | **HIDBaseUrl** | Full URL to the HID API endpoint | Yes | `https://acm.HID.com` or `https://acm-stage.HID.com` |
+ | **HIDAuthId** | API Authentication ID provided by HID | Yes | `your-auth-id` |
+ | **HIDAuthKey** | API Authentication Key provided by HID | Yes | `your-secret-auth-key` |
### Gateway Registration Notes
- - Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
- - If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
+ - Each defined Certificate Authority in the AnyCA Gateway REST can support one HID API endpoint
+ - If you have multiple HID environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
- Each CA configuration will manifest in Command as a separate CA entry
- The plugin uses Hawk authentication protocol for all API communications
- Authentication uses HMAC-SHA256 for secure API access
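Review bot: renaming `HydrantIdBaseUrl`, `HydrantIdAuthId` and `HydrantIdAuthKey` to `HIDBaseUrl`, `HIDAuthId` and `HIDAuthKey` in the CA Connection table changes the configuration keys operators will enter, while this commit touches only `docsource/configuration.md` and nothing that reads those keys; documented parameter names must match what the plugin expects, so either keep the original names or pair the rename with the corresponding code change.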
@@ -177,23 +177,23 @@ The plugin supports the following standard CRL revocation reasons:
2. **Secret Management**: Consider using a secrets management system for AuthKey storage
3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
4. **Least Privilege**: Request API credentials with minimal required permissions
-5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
+5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HID for security monitoring
6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
**CA Connection**
Populate using the configuration fields collected in the [requirements](#requirements) section.
-* **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
-* **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
-* **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
+* **HIDBaseUrl** - The base URL for the HID API endpoint. For example, `https://acm.HID.com` or `https://acm-stage.HID.com`.
+* **HIDAuthId** - The API Authentication ID provided by HID for API access.
+* **HIDAuthKey** - The API Authentication Key (secret) provided by HID for API access.
2. **Certificate Template Configuration**
After adding the CA to the Gateway, configure each certificate template:
1. Navigate to the Templates/Products section for the newly added CA
- 2. For each template (policy) discovered from HydrantId, configure:
+ 2. For each template (policy) discovered from HID, configure:
- **ValidityPeriod**: Select `Days`, `Months`, or `Years`
- **ValidityUnits**: Enter the numeric value (e.g., `365` for one year in days)
- **RenewalDays**: Enter the renewal window in days (e.g., `30`)
@@ -209,7 +209,7 @@ Populate using the configuration fields collected in the [requirements](#require
### Template (Product) Configuration
- Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
+ Each certificate template (policy) discovered from HID requires configuration for enrollment:
| Parameter | Description | Required | Example |
|-----------|-------------|----------|---------|
@@ -218,7 +218,7 @@ Populate using the configuration fields collected in the [requirements](#require
| **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
**Important Notes:**
- - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
+ - Template names (Product IDs) are automatically discovered from HID using the GET /api/v2/policies endpoint
- The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
- RenewalDays determines the behavior for certificate renewal:
- Within window: Performs a renewal operation (maintains certificate lineage)
From 5df4ab4ff7782e362f459b9c3718d9d5c94c25e1 Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Thu, 13 Nov 2025 10:03:36 -0500
Subject: [PATCH 19/22] Update configuration.md
---
docsource/configuration.md | 103 ++++++++++++++++++-------------------
1 file changed, 51 insertions(+), 52 deletions(-)
diff --git a/docsource/configuration.md b/docsource/configuration.md
index 622041f..7cd61b5 100644
--- a/docsource/configuration.md
+++ b/docsource/configuration.md
@@ -1,9 +1,9 @@
## Overview
-The HID Global HID AnyCA Gateway REST plugin extends the capabilities of HID Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HID REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities:
+The HID Global HydrantId AnyCA Gateway REST plugin extends the capabilities of HydrantId Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HydrantId REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities:
* **CA Sync**:
- * Download all certificates issued by the HID CA
+ * Download all certificates issued by the HydrantId CA
* Support for incremental and full synchronization
* Automatic extraction of end-entity certificates from PEM chains
* **Certificate Enrollment**:
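Review bot: this commit reverts PATCH 18 hunk for hunk (here it restores `HID Global HydrantId AnyCA Gateway REST plugin` and `the HydrantId CA`); rather than carrying a broken commit and its revert, squash the two or drop both, so that `git bisect` never lands on a tree whose documented hostnames, repository link and parameter names are wrong.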
@@ -18,18 +18,18 @@ The HID Global HID AnyCA Gateway REST plugin extends the capabilities of HID Cer
## Requirements
-### HID System Prerequisites
+### HydrantId System Prerequisites
Before configuring the AnyCA Gateway plugin, ensure the following prerequisites are met:
-1. **HID Account**:
- - Active HID account with API access enabled
- - Access to the HID management portal
- - HID Certificate Authority Service configured and operational
+1. **HydrantId Account**:
+ - Active HydrantId account with API access enabled
+ - Access to the HydrantId management portal
+ - HydrantId Certificate Authority Service configured and operational
2. **API Credentials**:
- - HID API Authentication ID (AuthId)
- - HID API Authentication Key (AuthKey)
+ - HydrantId API Authentication ID (AuthId)
+ - HydrantId API Authentication Key (AuthKey)
- These credentials must have permissions for:
- Certificate enrollment (CSR submission)
- Certificate retrieval
@@ -37,39 +37,39 @@ Before configuring the AnyCA Gateway plugin, ensure the following prerequisites
- Policy/profile listing
3. **Network Connectivity**:
- - Gateway server must have HTTPS access to the HID API endpoint
- - Default endpoint format: `https://.HID.com`
- - Example: `https://acm-stage.HID.com` or `https://acm.HID.com`
+ - Gateway server must have HTTPS access to the HydrantId API endpoint
+ - Default endpoint format: `https://.hydrantid.com`
+ - Example: `https://acm-stage.hydrantid.com` or `https://acm.hydrantid.com`
- TLS 1.2 or higher must be supported
### Obtaining Required Configuration Information
-#### 1. HID Base URL
+#### 1. HydrantId Base URL
-The HID Base URL is the root endpoint for the HID API.
+The HydrantId Base URL is the root endpoint for the HydrantId API.
-**Common HID environments:**
-- Production: `https://acm.HID.com`
-- Staging: `https://acm-stage.HID.com`
+**Common HydrantId environments:**
+- Production: `https://acm.hydrantid.com`
+- Staging: `https://acm-stage.hydrantid.com`
- Custom instances may have different URLs
**To obtain your Base URL:**
-1. Contact your HID account representative
-2. Check your HID account documentation
+1. Contact your HydrantId account representative
+2. Check your HydrantId account documentation
3. Verify the URL is accessible from the Gateway server
#### 2. API Authentication Credentials
-The Gateway authenticates to HID using Hawk authentication protocol with an AuthId and AuthKey pair.
+The Gateway authenticates to HydrantId using Hawk authentication protocol with an AuthId and AuthKey pair.
**Steps to obtain API credentials:**
-1. **Access HID Portal**:
- - Log in to your HID management portal
+1. **Access HydrantId Portal**:
+ - Log in to your HydrantId management portal
- Navigate to API or Integration settings
2. **Generate API Credentials**:
- - Request API credentials from your HID administrator
+ - Request API credentials from your HydrantId administrator
- You will receive:
- **AuthId**: A unique identifier for your API client
- **AuthKey**: A secret key used for HMAC-based authentication
@@ -85,12 +85,12 @@ The Gateway authenticates to HID using Hawk authentication protocol with an Auth
#### 3. Certificate Policies
-Certificate policies define the types of certificates that can be issued. The plugin automatically discovers available policies from the HID system.
+Certificate policies define the types of certificates that can be issued. The plugin automatically discovers available policies from the HydrantId system.
**Policy discovery:**
- Policies are automatically retrieved when the CA is configured
- Policies appear in Keyfactor Command as "Product IDs" after CA registration
-- Each policy represents a certificate template configured in HID
+- Each policy represents a certificate template configured in HydrantId
**To view available policies:**
1. Policies are retrieved automatically using the GET /api/v2/policies endpoint
@@ -115,7 +115,7 @@ For each certificate template, you can configure:
The plugin supports the following standard CRL revocation reasons:
-| Reason Code | Reason Name | HID API Value |
+| Reason Code | Reason Name | HydrantId API Value |
|-------------|-------------|---------------------|
| 0 | Unspecified | `Unspecified` |
| 1 | Key Compromise | `KeyCompromise` |
@@ -124,13 +124,13 @@ The plugin supports the following standard CRL revocation reasons:
| 4 | Superseded | `Superseded` |
| 5 | Cessation of Operation | `CessationOfOperation` |
-**Note**: Verify with your HID administrator which revocation reasons are supported in your environment.
+**Note**: Verify with your HydrantId administrator which revocation reasons are supported in your environment.
## Installation
1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
-2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HID Global HID AnyCA Gateway REST plugin](https://github.com/Keyfactor/HID-caplugin/releases/latest) from GitHub.
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HID Global HydrantId AnyCA Gateway REST plugin](https://github.com/Keyfactor/hydrantid-caplugin/releases/latest) from GitHub.
3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:
@@ -140,36 +140,36 @@ The plugin supports the following standard CRL revocation reasons:
Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
```
- > The directory containing the HID Global HID AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
+ > The directory containing the HID Global HydrantId AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
4. Restart the AnyCA Gateway REST service.
-5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HID Global HID plugin by hovering over the โ symbol to the right of the Gateway on the top left of the portal.
+5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HID Global HydrantId plugin by hovering over the โ symbol to the right of the Gateway on the top left of the portal.
## Gateway Registration
### CA Connection Configuration
- When registering the HID CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
+ When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
| Parameter | Description | Required | Example |
|-----------|-------------|----------|---------|
- | **HIDBaseUrl** | Full URL to the HID API endpoint | Yes | `https://acm.HID.com` or `https://acm-stage.HID.com` |
- | **HIDAuthId** | API Authentication ID provided by HID | Yes | `your-auth-id` |
- | **HIDAuthKey** | API Authentication Key provided by HID | Yes | `your-secret-auth-key` |
+ | **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
+ | **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
+ | **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
### Gateway Registration Notes
- - Each defined Certificate Authority in the AnyCA Gateway REST can support one HID API endpoint
- - If you have multiple HID environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
- - Each CA configuration will manifest in Command as a separate CA entry
- - The plugin uses Hawk authentication protocol for all API communications
- - Authentication uses HMAC-SHA256 for secure API access
- - The plugin automatically handles:
- - Policy/template discovery
- - Certificate status mapping
- - End-entity certificate extraction from PEM chains
- - Enrollment completion polling (30-second timeout)
+- Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
+- If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
+- Each CA configuration will manifest in Command as a separate CA entry
+- The plugin uses Hawk authentication protocol for all API communications
+- Authentication uses HMAC-SHA256 for secure API access
+- The plugin automatically handles:
+ - Policy/template discovery
+ - Certificate status mapping
+ - End-entity certificate extraction from PEM chains
+ - Enrollment completion polling (30-second timeout)
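Review bot: this hunk mixes the revert of the rename with an unrelated structural change, dedenting the ten `Gateway Registration Notes` bullets by one level (`- - Each defined Certificate Authority in the AnyCA Gateway REST can support one HID API endpoint` becomes `+- Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint`); keep the revert mechanical and put the dedent in its own commit so each can be verified independently. The dedent also alters the generated README.md, which is what PATCH 20 below regenerates.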
### Security Considerations
@@ -177,23 +177,23 @@ The plugin supports the following standard CRL revocation reasons:
2. **Secret Management**: Consider using a secrets management system for AuthKey storage
3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
4. **Least Privilege**: Request API credentials with minimal required permissions
-5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HID for security monitoring
+5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
**CA Connection**
Populate using the configuration fields collected in the [requirements](#requirements) section.
-* **HIDBaseUrl** - The base URL for the HID API endpoint. For example, `https://acm.HID.com` or `https://acm-stage.HID.com`.
-* **HIDAuthId** - The API Authentication ID provided by HID for API access.
-* **HIDAuthKey** - The API Authentication Key (secret) provided by HID for API access.
+* **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
+* **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
+* **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
2. **Certificate Template Configuration**
After adding the CA to the Gateway, configure each certificate template:
1. Navigate to the Templates/Products section for the newly added CA
- 2. For each template (policy) discovered from HID, configure:
+ 2. For each template (policy) discovered from HydrantId, configure:
- **ValidityPeriod**: Select `Days`, `Months`, or `Years`
- **ValidityUnits**: Enter the numeric value (e.g., `365` for one year in days)
- **RenewalDays**: Enter the renewal window in days (e.g., `30`)
@@ -209,7 +209,7 @@ Populate using the configuration fields collected in the [requirements](#require
### Template (Product) Configuration
- Each certificate template (policy) discovered from HID requires configuration for enrollment:
+ Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
| Parameter | Description | Required | Example |
|-----------|-------------|----------|---------|
@@ -218,9 +218,8 @@ Populate using the configuration fields collected in the [requirements](#require
| **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
**Important Notes:**
- - Template names (Product IDs) are automatically discovered from HID using the GET /api/v2/policies endpoint
+ - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
- The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
- RenewalDays determines the behavior for certificate renewal:
- Within window: Performs a renewal operation (maintains certificate lineage)
- Outside window: Performs a re-issue operation (new certificate enrollment)
-
From 1380919498e0d76f9e652af4d7386ef1c8939859 Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Thu, 13 Nov 2025 15:06:00 +0000
Subject: [PATCH 20/22] Update generated docs
---
README.md | 42 +++++++++++++++++++++---------------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/README.md b/README.md
index b9cd1f2..c84d0af 100644
--- a/README.md
+++ b/README.md
@@ -208,33 +208,33 @@ The plugin supports the following standard CRL revocation reasons:
### Gateway Registration Notes
- - Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
- - If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
- - Each CA configuration will manifest in Command as a separate CA entry
- - The plugin uses Hawk authentication protocol for all API communications
- - Authentication uses HMAC-SHA256 for secure API access
- - The plugin automatically handles:
- - Policy/template discovery
- - Certificate status mapping
- - End-entity certificate extraction from PEM chains
- - Enrollment completion polling (30-second timeout)
+ - Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
+ - If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
+ - Each CA configuration will manifest in Command as a separate CA entry
+ - The plugin uses Hawk authentication protocol for all API communications
+ - Authentication uses HMAC-SHA256 for secure API access
+ - The plugin automatically handles:
+ - Policy/template discovery
+ - Certificate status mapping
+ - End-entity certificate extraction from PEM chains
+ - Enrollment completion polling (30-second timeout)
### Security Considerations
- 1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
- 2. **Secret Management**: Consider using a secrets management system for AuthKey storage
- 3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
- 4. **Least Privilege**: Request API credentials with minimal required permissions
- 5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
- 6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
+ 1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
+ 2. **Secret Management**: Consider using a secrets management system for AuthKey storage
+ 3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
+ 4. **Least Privilege**: Request API credentials with minimal required permissions
+ 5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
+ 6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
- * **CA Connection**
+ **CA Connection**
- Populate using the configuration fields collected in the [requirements](#requirements) section.
+ Populate using the configuration fields collected in the [requirements](#requirements) section.
- * **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
- * **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
- * **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
+ * **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
+ * **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
+ * **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
2. **Certificate Template Configuration**
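Review bot: `Enrollment completion polling (30-second timeout)` should document what the operator sees when the timeout is hit (an enrollment error, or a pending status that is resolved on a later sync), since a slow approval flow on the HydrantId side will otherwise look like a plugin failure. Two smaller points in the same hunk: `Authentication uses HMAC-SHA256 for secure API access` describes Hawk's request MAC, which authenticates and integrity-protects each request but does not encrypt it, so say that plainly and leave TLS (already listed under Network Security) as the confidentiality control; and dropping the `*` from `**CA Connection**` while its three sub-bullets keep `*` markers and the next step is numbered `2.` should be checked in the rendered README, because that block appears to be step 1 of the same procedure and may now render outside the list.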
From 38edfd909eb145147b41c27fc2f90c15102a3d4a Mon Sep 17 00:00:00 2001
From: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Date: Thu, 13 Nov 2025 10:08:28 -0500
Subject: [PATCH 21/22] Update configuration.md
---
docsource/configuration.md | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/docsource/configuration.md b/docsource/configuration.md
index 7cd61b5..0a31dd2 100644
--- a/docsource/configuration.md
+++ b/docsource/configuration.md
@@ -150,13 +150,13 @@ The plugin supports the following standard CRL revocation reasons:
### CA Connection Configuration
- When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
+When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
- | Parameter | Description | Required | Example |
- |-----------|-------------|----------|---------|
- | **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
- | **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
- | **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
+| Parameter | Description | Required | Example |
+|-----------|-------------|----------|---------|
+| **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
+| **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
+| **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
### Gateway Registration Notes
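Review bot: the `**HydrantIdAuthKey**` row shows the example `your-secret-auth-key` but the table does not mark the parameter as a secret. Add a sentence that HydrantIdAuthKey must be entered as a secret value (masked in the Gateway UI and excluded from logs and exports), which is what the Credential Storage and Secret Management items under Security Considerations in this same file already ask for; the Required column could also carry a "secret" marker so the distinction survives in the generated README.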
@@ -166,10 +166,10 @@ The plugin supports the following standard CRL revocation reasons:
- The plugin uses Hawk authentication protocol for all API communications
- Authentication uses HMAC-SHA256 for secure API access
- The plugin automatically handles:
- - Policy/template discovery
- - Certificate status mapping
- - End-entity certificate extraction from PEM chains
- - Enrollment completion polling (30-second timeout)
+- Policy/template discovery
+- Certificate status mapping
+- End-entity certificate extraction from PEM chains
+- Enrollment completion polling (30-second timeout)
### Security Considerations
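Review bot: dedenting the four `- Policy/template discovery` ... `- Enrollment completion polling (30-second timeout)` lines to column zero makes them siblings of `- The plugin automatically handles:` rather than its children, so the colon on that line now introduces nothing. If a nested list is intended, indent the four items by two spaces under the parent bullet; if a flat list is intended, reword the parent as a plain sentence such as "The plugin also performs the following automatically." and keep the four bullets beneath it.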
From 19b450293af8041ffa21447c884eb187b386d4cd Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Thu, 13 Nov 2025 15:10:46 +0000
Subject: [PATCH 22/22] Update generated docs
---
README.md | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index c84d0af..de674de 100644
--- a/README.md
+++ b/README.md
@@ -198,13 +198,13 @@ The plugin supports the following standard CRL revocation reasons:
### CA Connection Configuration
- When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
+ When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
- | Parameter | Description | Required | Example |
- |-----------|-------------|----------|---------|
- | **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
- | **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
- | **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
+ | Parameter | Description | Required | Example |
+ |-----------|-------------|----------|---------|
+ | **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
+ | **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
+ | **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
### Gateway Registration Notes
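Review bot: this hunk is a whitespace-only regeneration, and the `+` table rows here still carry one leading space before `|`, whereas the docsource/configuration.md version in PATCH 21 removed it. One space is within the three-space indentation CommonMark allows before block content, so the table renders either way, but confirm the generator adds that indent deliberately so the README and docsource copies do not keep drifting in whitespace and producing noise diffs like this one.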
@@ -214,10 +214,10 @@ The plugin supports the following standard CRL revocation reasons:
- The plugin uses Hawk authentication protocol for all API communications
- Authentication uses HMAC-SHA256 for secure API access
- The plugin automatically handles:
- - Policy/template discovery
- - Certificate status mapping
- - End-entity certificate extraction from PEM chains
- - Enrollment completion polling (30-second timeout)
+ - Policy/template discovery
+ - Certificate status mapping
+ - End-entity certificate extraction from PEM chains
+ - Enrollment completion polling (30-second timeout)
### Security Considerations
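Review bot: same nesting concern as in docsource/configuration.md: with `- Policy/template discovery` and the three lines after it now at the same indent as `- The plugin automatically handles:`, the README renders five sibling bullets and the parent's colon dangles. Since README.md is generated, correct the indentation in docsource and regenerate rather than touching README.md directly, otherwise the next "Update generated docs" commit will undo any hand edit.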