You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* Migrate to Universal Orchestrator (KF9 / .NET Core)
3
3
* Perform Renewals using RenewalThumbprint
4
4
5
5
1.0.3
@@ -8,8 +8,9 @@
8
8
* 1 SNI Enabled
9
9
* 2 Non SNI binding which uses Central Certificate Store
10
10
* 3 SNI binding which uses Central Certificate Store
11
+
* Last release to support Windows Orchestrator (KF8)
11
12
12
13
1.0.2
13
-
* Remove dependnce on Windows.Web.Administration on the orchestrator server. The agent will now use the local version on the managed server via remote powershell
14
+
* Remove dependence on Windows.Web.Administration on the orchestrator server. The agent will now use the local version on the managed server via remote powershell
14
15
* add support for the IncludePortInSPN flag
15
16
* add support to use credentials from Keyfactor for Add/Remove/Inventory jobs.
stringfailureMessage=$"Inventory job failed for Site '{config.CertificateStoreDetails.StorePath}' on server '{config.CertificateStoreDetails.ClientMachine}' with error: '{ex.Message}'";
129
+
_logger.LogWarning(failureMessage);
130
+
123
131
returnnewJobResult
124
132
{
125
133
Result=OrchestratorJobStatusJobResult.Failure,
126
-
FailureMessage=
127
-
$"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {ex.Message}"
stringfailureMessage=$"Remove job failed for Site '{config.CertificateStoreDetails.StorePath}' on server '{config.CertificateStoreDetails.ClientMachine}' with error: '{ex.Message}'";
147
+
_logger.LogWarning(failureMessage);
148
+
142
149
returnnewJobResult
143
150
{
144
151
Result=OrchestratorJobStatusJobResult.Failure,
145
-
FailureMessage=
146
-
$"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {ex.Message}"
152
+
JobHistoryId=config.JobHistoryId,
153
+
FailureMessage=failureMessage
147
154
};
148
155
}
149
156
}
@@ -207,7 +214,8 @@ function InstallPfxToMachineStore([byte[]]$bytes, [string]$password, [string]$st
207
214
if(ps.HadErrors)
208
215
returnnewJobResult
209
216
{
210
-
Result=OrchestratorJobStatusJobResult.Failure,
217
+
Result=OrchestratorJobStatusJobResult.Failure,
218
+
JobHistoryId=config.JobHistoryId,
211
219
FailureMessage=
212
220
$"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {ps.Streams.Error.ReadAll().First().ErrorDetails.Message}"
213
221
};
@@ -296,7 +304,8 @@ function InstallPfxToMachineStore([byte[]]$bytes, [string]$password, [string]$st
296
304
if(ps.HadErrors)
297
305
returnnewJobResult
298
306
{
299
-
Result=OrchestratorJobStatusJobResult.Failure,
307
+
Result=OrchestratorJobStatusJobResult.Failure,
308
+
JobHistoryId=config.JobHistoryId,
300
309
FailureMessage=
301
310
$"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {ps.Streams.Error.ReadAll().First().ErrorDetails.Message}"
302
311
};
@@ -313,12 +322,16 @@ function InstallPfxToMachineStore([byte[]]$bytes, [string]$password, [string]$st
stringfailureMessage=$"Add job failed for Site '{config.CertificateStoreDetails.StorePath}' on server '{config.CertificateStoreDetails.ClientMachine}' with error: '{ex.Message}'";
328
+
_logger.LogWarning(failureMessage);
329
+
317
330
returnnewJobResult
318
331
{
319
332
Result=OrchestratorJobStatusJobResult.Failure,
320
-
FailureMessage=
321
-
$"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {ex.Message}"
Copy file name to clipboardExpand all lines: README.md
+31-25Lines changed: 31 additions & 25 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,27 +1,34 @@
1
-
# Windows IIS Orchestrator
1
+
# Windows IIS Binding Orchestrator
2
2
## Orchestrator
3
3
4
-
The IIS-With-Bindings AnyAgent allows a user to create, configure, and manage a Keyfactor certificate store defined as an Internet Information Systems (IIS) binding definition. The certificate itself will still be stored in the defined server's personal certificate store, but the management within Keyfactor will be abstracted to appear as if the binding itself houses the certificate.
4
+
The IISBindings orchestrator treats the certificates bound (actively in use) on a Microsoft Internet Information Server (IIS) as a Keyfactor certificate store. Inventory and Management functions are supported. The orchestrator replaces the IIS orchestrator (which did not support binding.)
5
5
6
6
<!-- add integration specific information below -->
7
7
***
8
-
**IIS With Binding AnyAgent Configuration**
8
+
**IIS Binding Orchestrator Configuration**
9
9
10
10
**Overview**
11
11
12
-
The IIS-With-Bindings AnyAgent allows a user to create, configure, and manage a Keyfactor certificate store defined as an Internet Information Systems (IIS) binding definition. The certificate itself will still be stored in the defined server's personal certificate store, but the management within Keyfactor will be abstracted to appear as if the binding itself houses the certificate.
12
+
The IIS Binding Orchestrator remotely manages certificates in a Windows Server local machine certificate store.
13
+
The "Personal" (My) and "Web Hosting" Stores are supported.
14
+
Only certificates that are bound to an IIS web site are managed.
15
+
Unbound certificates are ignored.
13
16
14
17
This agent implements three job types – Inventory, Management Add, and Management Remove. Below are the steps necessary to configure this AnyAgent.
15
18
16
-
**1. Create the New Certificate Store Type for the New IIS-With-Bindings AnyAgent**
19
+
WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow
20
+
the server running the orchestrator to manage the server running IIS.
21
+
22
+
**1. Create the New Certificate Store Type for the IIS Binding Orchestrator**
17
23
18
24
In Keyfactor Command create a new Certificate Store Type similar to the one below:
19
25
20
26
#### STORE TYPE CONFIGURATION
21
27
CONFIG ELEMENT | DESCRIPTION
22
-
---------------------|------------------
28
+
------------------|------------------
23
29
Name |Descriptive name for the Store Type
24
30
Short Name |The short name that identifies the registered functionality of the orchestrator. Must be IISBinding
31
+
Custom Capability|Store type name orchestrator will register with. Must be "IISBindings".
25
32
Needs Server |Must be checked
26
33
Blueprint Allowed |Unchecked
27
34
Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked.
@@ -30,7 +37,7 @@ Supports Custom Alias |Determines if an individual entry within a store can have
30
37
Uses PowerShell |Unchecked
31
38
Store Path Type |Determines what restrictions are applied to the store path field when configuring a new store. This must be Multiple Choice
32
39
Store Path Value|A comma separated list of options to select from for the Store Path. This, combined with the hostname, will determine the location used for the certificate store management and inventory. Must be My, WebHosting
33
-
Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is requried since IIS will need the private key material to establish TLS connections.
40
+
Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is required since IIS will need the private key material to establish TLS connections.
34
41
PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined).
35
42
Job Types |Inventory, Add, and Remove are the supported job types.
36
43
@@ -44,25 +51,16 @@ Job Types |Inventory, Add, and Remove are the supported job types.
This section must be configured with binding fields. The parameters will be populated with the appropriate data when creating a new certificate store.<br/>
-**Site Name** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The site name for the web site being bound to – i.e. "Default Web Site"
68
66
-**IP Address** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The IP address for the web site being bound to. Default is "\*" for all IP Addresses.
@@ -71,19 +69,27 @@ This section must be configured with binding fields. The parameters will be popu
71
69
-*Protocol* - Required (Adding an entry, Removing an entry, Reenrolling an entry)
72
70
- https
73
71
- http
74
-
-**Sni Flag** – Optional. Set the SNI flag assoicated with the binding being created.Default is "0". Acceptable values are:
72
+
-**Sni Flag** – Optional. Set the SNI flag associated with the binding being created.Default is "0". Acceptable values are:
**2. Register the IIS-With-Bindings AnyAgent with Keyfactor**
84
-
See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representitive.
89
+
**2. Register the IIS Binding Orchestrator with Keyfactor**
90
+
See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representative.
85
91
86
-
**3. Create an IIS With Binding Certificate Store within Keyfactor Command**
92
+
**3. Create an IIS Binding Certificate Store within Keyfactor Command**
87
93
88
94
In Keyfactor Command create a new Certificate Store similar to the one below, selecting IIS With Binding as the Category and the parameters as described in "Create the New Certificate Store Type for the New IIS-With-Bindings AnyAgent".
0 commit comments