Update generated docs

Keyfactor · Keyfactor · commit a3b72289c2ef · 2025-04-02T16:04:47.000Z
diff --git a/README.md b/README.md
@@ -64,8 +64,6 @@ If the A10 is acting as an SSL offloader for a backend web server, the **SSL Cer
 
 
 ### ThunderMgmt
-TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
-
 
 #### 🔐 Management Certificates
 
@@ -167,10 +165,94 @@ curl -X POST https://<vThunder-IP>/axapi/v3/auth \
 <details><summary>A10 Thunder Management Certificates (ThunderMgmt)</summary>
 
 ### A10 Thunder Management Certificates Requirements
-TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
 
+#### A10 Certificate Management Orchestrator Extension
+
+This orchestrator extension automates the process of uploading, inventorying, and deploying SSL certificates from a Linux SCP server to an A10 vThunder device. Due to A10 API limitations, certificates must be pulled from the SCP server directly by the A10 device itself.
+
+---
+
+##### 📌 How It Works
+
+1. **The orchestrator** connects to a Linux server via SCP to inventory available certificates.
+2. It stores relevant metadata and pushes new certificates and keys to the SCP server.
+3. It then instructs the **A10 device** to retrieve the certificate and private key from the Linux server using API calls.
+4. The A10 device loads the certificate and key directly from the SCP server for use on its **management interface**.
+
+---
+
+##### ⚙️ Configuration Fields
+
+| Name              | Display Name                  | Description                                                  | Type   | Required |
+|-------------------|-------------------------------|--------------------------------------------------------------|--------|----------|
+| OrchToScpServerIp | Orch To Scp Server IP         | IP from the orchestrator to the SCP Linux server             | String | ✅        |
+| ScpPort           | Port Used For SCP             | Port used to connect to the SCP server                       | String | ✅        |
+| ScpUserName       | Username Used For SCP         | Username for SCP access on the Linux server                  | Secret | ✅        |
+| ScpPassword       | Password Used For SCP         | Password for SCP access on the Linux server                  | Secret | ✅        |
+| A10ToScpServerIp  | A10 Device To SCP Server IP   | IP used by the A10 device to reach the SCP server (can be private) | String | ✅   |
+| allowInvalidCert  | Allow Invalid Cert on A10 API | If true, allows self-signed/untrusted certs for A10 API access | Bool   | ✅ (default: true) |
+
+---
+
+##### 📡 API Call Example (From A10 Device)
+
+```http
+POST /axapi/v3/web-service/secure/certificate
+```
+
+**Payload:**
+```json
+{
+  "certificate": {
+    "load": 1,
+    "file-url": "scp://ec2-user:dda@172.31.93.107:/home/ec2-user/26125.crt"
+  }
+}
+```
+
+> A similar call is made for loading the private key onto the A10 device using a separate AXAPI endpoint.
+
+- The A10 device **must have access** to the SCP server via the specified IP (`A10ToScpServerIp`).
+- Ensure the certificate and key file paths are correct and accessible to the SCP user.
 
-TODO Requirements is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+---
+
+##### 🔐 Linux Server Requirements
+
+###### User Access
+- The SCP user (`ScpUserName`, e.g., `ec2-user`) must:
+  - Have SSH/SCP access.
+  - Authenticate with a password.
+  - Have **read and write** permissions in the SCP location.
+
+> New certificates and **private keys** are generated by Keyfactor and uploaded to this location by the orchestrator. Therefore, write access is essential.
+
+###### SCP Directory Permissions
+- Ensure the directory (e.g., `/home/ec2-user/`) is:
+  - Writable by the orchestrator (to upload new certs/keys).
+  - Readable by both the orchestrator and the A10 device (via SCP).
+
+---
+
+##### 🔄 Alternate Design Consideration
+
+It may be possible to use the A10 device itself as the SCP target location if it supports read/write SCP operations **outside the CLI context**. However, A10 devices typically restrict file access through CLI or API mechanisms only, and not through standard SCP server operations. This limitation is why a separate Linux SCP server is currently required.
+
+---
+
+##### 🔓 Network and Port Requirements
+
+| Source             | Destination         | Port | Protocol | Purpose                       |
+|--------------------|---------------------|------|----------|-------------------------------|
+| Orchestrator       | Linux SCP Server    | 22   | TCP      | Inventory and upload via SCP  |
+| A10 Device         | Linux SCP Server    | 22   | TCP      | Cert and key retrieval via SCP|
+| Orchestrator/Admin | A10 Device (API)    | 443  | HTTPS    | API calls to load certificate |
+
+---
+
+##### ✅ Summary
+
+This extension coordinates certificate and private key delivery by using SCP as a bridge between orchestrator logic and A10's strict API requirements. It ensures secure and automated deployment for the management interface certificates with minimal manual intervention.
 </details>
 
 
@@ -252,8 +334,6 @@ TODO Global Store Type Section is an optional section. If this section doesn't s
 
 <details><summary>A10 Thunder Management Certificates (ThunderMgmt)</summary>
 
-TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
-
 
 * **Create ThunderMgmt using kfutil**:
 
@@ -381,8 +461,6 @@ TODO Certificate Store Configuration is an optional section. If this section doe
 
 <details><summary>A10 Thunder Management Certificates (ThunderMgmt)</summary>
 
-TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
-
 TODO Certificate Store Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
 
 
