Doc updates (#26)

* Updated ReadMe.  Updated images in ReadMe for IISU version 2.0.  Added additional debug and trace info.

Co-authored-by: Bob Pokorny <[email protected]>
Co-authored-by: Keyfactor <[email protected]>

Author: 3 people

IISU.sln

@@ -1,45 +1,48 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 17
-VisualStudioVersion = 17.2.32616.157
-MinimumVisualStudioVersion = 10.0.40219.1
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "IISU", "IISU\IISU.csproj", "{33FBC5A1-3466-4F10-B9A6-7186F804A65A}"
-EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}"
-	ProjectSection(SolutionItems) = preProject
-		CHANGELOG.md = CHANGELOG.md
-		integration-manifest.json = integration-manifest.json
-		.github\workflows\keyfactor-extension-release.yml = .github\workflows\keyfactor-extension-release.yml
-		readme_source.md = readme_source.md
-	EndProjectSection
-EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{6302034E-DF8C-4B65-AC36-CED24C068999}"
-	ProjectSection(SolutionItems) = preProject
-		images\ReEnrollment1.png = images\ReEnrollment1.png
-		images\ReEnrollment1a.png = images\ReEnrollment1a.png
-		images\ReEnrollment1b.png = images\ReEnrollment1b.png
-		images\Screen1.png = images\Screen1.png
-		images\Screen2.png = images\Screen2.png
-	EndProjectSection
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|Any CPU = Debug|Any CPU
-		Release|Any CPU = Release|Any CPU
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Release|Any CPU.Build.0 = Release|Any CPU
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-	GlobalSection(NestedProjects) = preSolution
-		{6302034E-DF8C-4B65-AC36-CED24C068999} = {1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}
-	EndGlobalSection
-	GlobalSection(ExtensibilityGlobals) = postSolution
-		SolutionGuid = {E0FA12DA-6B82-4E64-928A-BB9965E636C1}
-	EndGlobalSection
-EndGlobal
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.32929.386
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "IISU", "IISU\IISU.csproj", "{33FBC5A1-3466-4F10-B9A6-7186F804A65A}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}"
+	ProjectSection(SolutionItems) = preProject
+		CHANGELOG.md = CHANGELOG.md
+		integration-manifest.json = integration-manifest.json
+		.github\workflows\keyfactor-extension-release.yml = .github\workflows\keyfactor-extension-release.yml
+		readme_source.md = readme_source.md
+	EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{6302034E-DF8C-4B65-AC36-CED24C068999}"
+	ProjectSection(SolutionItems) = preProject
+		images\AddCertStore.png = images\AddCertStore.png
+		images\CertStoreType-c.png = images\CertStoreType-c.png
+		images\CertStoreType.png = images\CertStoreType.png
+		images\ReEnrollment1.png = images\ReEnrollment1.png
+		images\ReEnrollment1a.png = images\ReEnrollment1a.png
+		images\ReEnrollment1b.png = images\ReEnrollment1b.png
+		images\Screen1.png = images\Screen1.png
+		images\Screen2.png = images\Screen2.png
+	EndProjectSection
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{33FBC5A1-3466-4F10-B9A6-7186F804A65A}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{6302034E-DF8C-4B65-AC36-CED24C068999} = {1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {E0FA12DA-6B82-4E64-928A-BB9965E636C1}
+	EndGlobalSection
+EndGlobal

IISU/Jobs/ReEnrollment.cs

@@ -116,7 +116,13 @@ private JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submi
 
                 // Execute the -new command
                 ps.AddScript($"certreq -new -q $infFilename $csrFilename");
+                _logger.LogDebug($"Subject Text: {subjectText}");
+                _logger.LogDebug($"SAN: {SAN}");
+                _logger.LogDebug($"Provider Name: {providerName}");
+                _logger.LogDebug($"Key Type: {keyType}");
+                _logger.LogDebug($"Key Size: {keySize}");
                 _logger.LogTrace("Attempting to create the CSR by Invoking the script.");
+
                 Collection<PSObject> results = ps.Invoke();
                 _logger.LogTrace("Completed the attempt in creating the CSR.");
                 ps.Commands.Clear();
@@ -126,9 +132,9 @@ private JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submi
                     ps.AddScript($"$CSR = Get-Content $csrFilename");
                     _logger.LogTrace("Attempting to get the contents of the CSR file.");
                     results = ps.Invoke();
-                    _logger.LogTrace("Completet getting the CSR Contents.");
+                    _logger.LogTrace("Finished getting the CSR Contents.");
                 }
-                catch (Exception e)
+                catch (Exception)
                 {
                     var psError = ps.Streams.Error.ReadAll().Aggregate(String.Empty, (current, error) => current + error.ErrorDetails.Message);
                     throw new PowerShellCertException($"Error creating CSR File. {psError}");
@@ -174,7 +180,7 @@ private JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submi
                     _logger.LogTrace("Attempting to accept or bind the certificate to the HSM.");
                     ps.AddScript("certreq -accept $cerFilename");
                     ps.Invoke();
-                    _logger.LogTrace("Successfully bind the certificate to the HSM.");
+                    _logger.LogTrace("Successfully bound the certificate to the HSM.");
                     ps.Commands.Clear();
 
                     // Delete the temp files

README.md

@@ -56,7 +56,13 @@ This agent implements four job types – Inventory, Management Add, Remove and R
 WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow
 the server running the orchestrator to manage the server running IIS.
 
-**Note if you are upgrading from version 1.1.2 you must run the IISWBin 1.1.3 upgrade script.sql SQL Script**
+**Note:**
+In version 2.0 of the IIS Orchestrator, the certificate store type has been renamed and additional parameters have been added. Prior to 2.0 the certificate store type was called “IISBin” and as of 2.0 it is called “IISU”. If you have existing certificate stores of type “IISBin”, you have three options:
+1. Leave them as is and continue to manage them with a pre 2.0 IIS Orchestrator Extension. Create the new IISU certificate store type and create any new IIS stores using the new type.
+1. Delete existing IIS stores. Delete the IISBin store type. Create the new IISU store type. Recreate the IIS stores using the new IISU store type.
+1. Convert existing IISBin certificate stores to IISU certificate stores. There is not currently a way to do this via the Keyfactor API, so direct updates to the underlying Keyfactor SQL database is required. A SQL script (IIS-Conversion.sql) is available in the repository to do this. Hosted customers, which do not have access to the underlying database, will need to work Keyfactor support to run the conversion. On-premises customers can run the script themselves, but are strongly encouraged to ensure that a SQL backup is taken prior running the script (and also be confident that they have a tested database restoration process.)
+
+**Note: There is an additional certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.**
 
 **1. Create the New Certificate Store Type for the IIS Orchestrator**
 
@@ -66,8 +72,8 @@ In Keyfactor Command create a new Certificate Store Type similar to the one belo
 CONFIG ELEMENT	| DESCRIPTION
 ------------------|------------------
 Name	|Descriptive name for the Store Type
-Short Name	|The short name that identifies the registered functionality of the orchestrator. Must be IISWBin
-Custom Capability|Store type name orchestrator will register with. Must be "IISBindings".
+Short Name	|The short name that identifies the registered functionality of the orchestrator. Must be IISU
+Custom Capability|Store type name orchestrator will register with. Must be "IISU".
 Needs Server	|Must be checked
 Blueprint Allowed	|Unchecked
 Requires Store Password	|Determines if a store password is required when configuring an individual store.  This must be unchecked.
@@ -80,7 +86,7 @@ Private Keys	|This determines if Keyfactor can send the private key associated w
 PFX Password Style	|This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store.  This can be either Default (system generated) or Custom (user determined).
 Job Types	|Inventory, Add, and Remove are the supported job types. 
 
-![](images/screen1.gif)
+![](images/certstoretype.png)
 
 **Advanced Settings:**
 - **Custom Alias** – Forbidden
@@ -97,8 +103,12 @@ Parameter Name|Display Name|Parameter Type|Default Value|Required|Description
 spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service
 WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on
 WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on
+ServerUsername|Server Username|Secret||No|The username to log into the IIS Server
+ServerPassword|Server Password|Secret||No|The password that matches the username to log into the IIS Server
+ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not
+
 
-![](images/screen1-b.gif)
+![](images/certstoretype-c.png)
 
 **Entry Parameters:**
 This section must be configured with binding fields. The parameters will be populated with the appropriate data when creating a new certificate store.<br/>
@@ -115,7 +125,7 @@ This section must be configured with binding fields. The parameters will be popu
    - 1 - SNI Enabled
    - 2 - Non SNI Binding
    - 3 - SNI Binding
-- **Prover Name** - Optional. To get a list of Crypto Providers, open PowerShell and issue the 'certutil -csplist' command.  If no Provider Name is provided, the 'Microsoft Strong Cryptographic Provider' will be used.
+- **Provider Name** - Optional. To get a list of Crypto Providers, open PowerShell and issue the 'certutil -csplist' command.  If no Provider Name is provided, the 'Microsoft Strong Cryptographic Provider' will be used.
 - **SAN** - Required.  The SAN must have one entry that matches the Subject Name when using ReEnrollment.  Multiple SANs maybe chained together using '&'.  Example: dns=www.mysite.com&dns=www.mysite2.com.
 
 Parameter Name|Parameter Type|Default Value|Required
@@ -129,17 +139,16 @@ Protocol  |Multiple Choice|https|Yes
 Provider Name	|String||No
 SAN	|String||Yes
 
-![](images/screen1-c.gif)
+![](images/screen2.png)
 
-**2. Register the IIS Binding Orchestrator with Keyfactor**
+**2. Register the IIS Universal Orchestrator with Keyfactor**
 See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation.  Get from your Keyfactor contact/representative.
 
 **3. Create an IIS Binding Certificate Store within Keyfactor Command**
 
-In Keyfactor Command create a new Certificate Store similar to the one below, selecting IIS With Binding as the Category and the parameters as described in &quot;Create the New Certificate Store Type for the New IIS-With-Bindings AnyAgent&quot;.
+In Keyfactor Command create a new Certificate Store similar to the one below, selecting "IISU" as the Category and the parameters as described in &quot;Create the New Certificate Store Type for the New IIS AnyAgent&quot;.<br>
 
-![](images/screen2.gif)
-![](images/screen2-a.gif)
+![](images/AddCertStore.png)
 
 #### STORE CONFIGURATION 
 CONFIG ELEMENT	|DESCRIPTION
@@ -149,9 +158,14 @@ Container	|This is a logical grouping of like stores. This configuration is opti
 Client Machine	|The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell.
 Credentials |Local or domain admin account that has permissions to manage iis (Has to be admin)
 Store Path	|My or WebHosting
+Orchestrator	|This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. 
+SPN with Port?|
 WinRm Protocol|http or https
 WinRm Port |Port to run WinRm on Default for http is 5985
-Orchestrator	|This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. 
+Server Username|Username to log into the IIS Server
+Server Password|Password for the username required to log into the IIS Server
+Use SSL|Determines whether SSL is used ot not
+
 Inventory Schedule	|The interval that the system will use to report on what certificates are currently in the store.