Initial doc change. Checking layout and format.

Bob Pokorny · Bob Pokorny · commit 8cb771390465 · 2025-03-27T09:31:35.000-05:00
diff --git a/WindowsCertStore.sln b/WindowsCertStore.sln
@@ -23,6 +23,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{630203
 		images\IISUCertStoreBasic.png = images\IISUCertStoreBasic.png
 		images\IISUCustomFields.png = images\IISUCustomFields.png
 		images\IISUEntryParams.png = images\IISUEntryParams.png
+		images\orchestrator-agent.png = images\orchestrator-agent.png
 		images\ReEnrollment1.png = images\ReEnrollment1.png
 		images\ReEnrollment1a.png = images\ReEnrollment1a.png
 		images\ReEnrollment1b.png = images\ReEnrollment1b.png
@@ -36,6 +37,30 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{630203
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "WinCertTestConsole", "WinCertTestConsole\WinCertTestConsole.csproj", "{D0F4A3CC-5236-4393-9C97-AE55ACE319F2}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docsource", "docsource", "{CFCAC7FE-C9E1-4822-A1B5-45F16E62F5FF}"
+	ProjectSection(SolutionItems) = preProject
+		docsource\content.md = docsource\content.md
+		docsource\iisu.md = docsource\iisu.md
+		docsource\wincert.md = docsource\wincert.md
+		docsource\winsql.md = docsource\winsql.md
+	EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{60C10FF8-54FC-4C18-A2EA-F3580ABF0405}"
+	ProjectSection(SolutionItems) = preProject
+		docsource\images\IISU-advanced-store-type-dialog.png = docsource\images\IISU-advanced-store-type-dialog.png
+		docsource\images\IISU-basic-store-type-dialog.png = docsource\images\IISU-basic-store-type-dialog.png
+		docsource\images\IISU-custom-fields-store-type-dialog.png = docsource\images\IISU-custom-fields-store-type-dialog.png
+		docsource\images\IISU-entry-parameters-store-type-dialog.png = docsource\images\IISU-entry-parameters-store-type-dialog.png
+		docsource\images\WinCert-advanced-store-type-dialog.png = docsource\images\WinCert-advanced-store-type-dialog.png
+		docsource\images\WinCert-basic-store-type-dialog.png = docsource\images\WinCert-basic-store-type-dialog.png
+		docsource\images\WinCert-custom-fields-store-type-dialog.png = docsource\images\WinCert-custom-fields-store-type-dialog.png
+		docsource\images\WinCert-entry-parameters-store-type-dialog.png = docsource\images\WinCert-entry-parameters-store-type-dialog.png
+		docsource\images\WinSql-advanced-store-type-dialog.png = docsource\images\WinSql-advanced-store-type-dialog.png
+		docsource\images\WinSql-basic-store-type-dialog.png = docsource\images\WinSql-basic-store-type-dialog.png
+		docsource\images\WinSql-custom-fields-store-type-dialog.png = docsource\images\WinSql-custom-fields-store-type-dialog.png
+		docsource\images\WinSql-entry-parameters-store-type-dialog.png = docsource\images\WinSql-entry-parameters-store-type-dialog.png
+	EndProjectSection
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -65,6 +90,8 @@ Global
 	EndGlobalSection
 	GlobalSection(NestedProjects) = preSolution
 		{6302034E-DF8C-4B65-AC36-CED24C068999} = {1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}
+		{CFCAC7FE-C9E1-4822-A1B5-45F16E62F5FF} = {1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}
+		{60C10FF8-54FC-4C18-A2EA-F3580ABF0405} = {CFCAC7FE-C9E1-4822-A1B5-45F16E62F5FF}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {E0FA12DA-6B82-4E64-928A-BB9965E636C1}
diff --git a/docsource/content.md b/docsource/content.md
@@ -1,15 +1,29 @@
 ## Overview
+The Windows Certificate Orchestrator Extension is a multi-purpose integration that can remotely manage certificates on a Windows Server's Local Machine Store.  This extension currently manages certificates for the current store types:
+* WinCert - Certificates defined by path set for the Certificate Store
+* WinIIS - IIS Bound certificates 
+* WinSQL - Certificates that are bound to the specified SQL Instances
 
-The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store.  Users are able to determine which store they wish to place certificates in by entering the correct store path.  For a complete list of local machine cert stores you can execute the PowerShell command:
+By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores.
+For a complete list of local machine cert stores you can execute the PowerShell command:
 
 	Get-ChildItem Cert:\LocalMachine
 
 The returned list will contain the actual certificate store name to be used when entering store location.
 
-By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores.
-
 This extension implements four job types:  Inventory, Management Add/Remove, and Reenrollment.
 
+The Keyfactor Universal Orchestrator (UO) and WinCert Extension can be installed on either Windows or Linux operating systems.  A UO service managing certificates on remote servers is considered to be acting as an Orchestrator, while a UO Service managing local certificates on the same server running the service is considered an Agent.  When acting as an Orchestrator, connectivity from the orchestrator server hosting the WinCert extension to the orchestrated server hosting the certificate stores(s) being managed is achieved via either an SSH (for Linux orchestrated servers) or WinRM (for Windows orchestrated servers) connection.  When acting as an agent (Windows only), WinRM may still be used, OR the certificate store can be configured to bypass a WinRM connection and instead directly access the orchestrator server's certificate stores.
+
+![](images/orchestrator-agent.png)
+
+Please refer to the READMEs for each supported store type for more information on proper configuration and setup for these different stores.  The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below:
+
+| | UO Installed on Windows | UO Installed on Linux |
+|-----|-----|------|
+|Orchestrated Server hosting certificate store(s) on remote Windows server|WinRM connection | SSH connection |
+|Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | Not Supported |  
+
 WinRM is used to remotely manage the certificate stores and IIS bindings.  WinRM must be properly configured to allow the orchestrator on the server to manage the certificates.  Setting up WinRM is not in the scope of this document.
 
 **Note:**
@@ -24,6 +38,14 @@ In version 2.0 of the IIS Orchestrator, the certificate store type has been rena
 
 ## Requirements
 
+<details>
+<summary><b>Using the WinCert Extension on Linux:</b></summary>
+</details>
+
+<details>
+<summary><b>Using the WinCert Extension on Windows servers:</b></summary>
+</details>
+
 ### Security and Permission Considerations
 
 From an official support point of view, Local Administrator permissions are required on the target server. Some customers have been successful with using other accounts and granting rights to the underlying certificate and private key stores. Due to complexities with the interactions between Group Policy, WinRM, User Account Control, and other unpredictable customer environmental factors, Keyfactor cannot provide assistance with using accounts other than the local administrator account.
@@ -46,7 +68,8 @@ For customers wishing to use something other than the local administrator accoun
     -	Access any Cryptographic Service Provider (CSP) referenced in re-enrollment jobs.
     -	Read and Write values in the registry (HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server) when performing SQL Server certificate binding.
 
-## Note Regarding Client Machine
+## Client Machine Instructions
+Prior to version 2.6, this extension would only run in the Windows environment.  Version 2.6 and greater is capable of running on Linux, however, only the SSH protocol is supported.
 
 If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), the Client Machine can be entered, OR you can bypass a WinRM connection and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine".  In this instance the value to the left of the pipe (|) is ignored.  It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique.  To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a certificate store that will be accessed without a WinRM connection.  
 
diff --git a/images/orchestrator-agent.png b/images/orchestrator-agent.png
diff --git a/integration-manifest.json b/integration-manifest.json
@@ -55,24 +55,24 @@
                             "Required": false,
                             "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
                         },
-                        {
-                            "Name": "WinRM Protocol",
-                            "DisplayName": "WinRM Protocol",
-                            "Type": "MultipleChoice",
-                            "DependsOn": "",
-                            "DefaultValue": "https,http",
-                            "Required": true,
-                            "Description": "Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication."
-                        },
-                        {
-                            "Name": "WinRM Port",
-                            "DisplayName": "WinRM Port",
-                            "Type": "String",
-                            "DependsOn": "",
-                            "DefaultValue": "5986",
-                            "Required": true,
-                            "Description": "String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP."
-                        },
+                      {
+                        "Name": "WinRM Protocol",
+                        "DisplayName": "WinRM Protocol",
+                        "Type": "MultipleChoice",
+                        "DependsOn": "",
+                        "DefaultValue": "https,http,ssh",
+                        "Required": true,
+                        "Description": "Multiple choice value specifying which protocol to use.  Protocols https or http use WinRM to connect from Windows to Windows Servers.  Using ssh is only supported when running the orchestrator in a Linux environment."
+                      },
+                      {
+                        "Name": "WinRM Port",
+                        "DisplayName": "WinRM Port",
+                        "Type": "String",
+                        "DependsOn": "",
+                        "DefaultValue": "5986",
+                        "Required": true,
+                        "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP.  By default, when using ssh in a Linux environment, the default port number is 22."
+                      },
                         {
                             "Name": "ServerUsername",
                             "DisplayName": "Server Username",
@@ -174,9 +174,9 @@
                             "DisplayName": "WinRM Protocol",
                             "Type": "MultipleChoice",
                             "DependsOn": "",
-                            "DefaultValue": "https,http",
+                            "DefaultValue": "https,http,ssh",
                             "Required": true,
-                            "Description": "Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication."
+                            "Description": "Multiple choice value specifying which protocol to use.  Protocols https or http use WinRM to connect from Windows to Windows Servers.  Using ssh is only supported when running the orchestrator in a Linux environment."
                         },
                         {
                             "Name": "WinRM Port",
@@ -185,7 +185,7 @@
                             "DependsOn": "",
                             "DefaultValue": "5986",
                             "Required": true,
-                            "Description": "String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP."
+                            "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP.  By default, when using ssh in a Linux environment, the default port number is 22."
                         },
                         {
                             "Name": "ServerUsername",
@@ -373,24 +373,24 @@
                             "Required": false,
                             "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
                         },
-                        {
-                            "Name": "WinRM Protocol",
-                            "DisplayName": "WinRM Protocol",
-                            "Type": "MultipleChoice",
-                            "DependsOn": "",
-                            "DefaultValue": "https,http",
-                            "Required": true,
-                            "Description": "Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication."
-                        },
-                        {
-                            "Name": "WinRM Port",
-                            "DisplayName": "WinRM Port",
-                            "Type": "String",
-                            "DependsOn": "",
-                            "DefaultValue": "5986",
-                            "Required": true,
-                            "Description": "String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP."
-                        },
+                      {
+                        "Name": "WinRM Protocol",
+                        "DisplayName": "WinRM Protocol",
+                        "Type": "MultipleChoice",
+                        "DependsOn": "",
+                        "DefaultValue": "https,http,ssh",
+                        "Required": true,
+                        "Description": "Multiple choice value specifying which protocol to use.  Protocols https or http use WinRM to connect from Windows to Windows Servers.  Using ssh is only supported when running the orchestrator in a Linux environment."
+                      },
+                      {
+                        "Name": "WinRM Port",
+                        "DisplayName": "WinRM Port",
+                        "Type": "String",
+                        "DependsOn": "",
+                        "DefaultValue": "5986",
+                        "Required": true,
+                        "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP.  By default, when using ssh in a Linux environment, the default port number is 22."
+                      },
                         {
                             "Name": "ServerUsername",
                             "DisplayName": "Server Username",
