Keyfactor
diff --git a/‎.github/workflows/keyfactor-starter-workflow.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/keyfactor-starter-workflow.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎Migration-Scripts/IISU Sni Flag 2.5 upgrade script.sql‎
Lines changed: 80 additions & 0 deletions b/‎Migration-Scripts/IISU Sni Flag 2.5 upgrade script.sql‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎Migration-Scripts/Legacy-IIS/CreateIISUCertStoreType.sql‎
Lines changed: 5 additions & 5 deletions b/‎Migration-Scripts/Legacy-IIS/CreateIISUCertStoreType.sql‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎README.md‎
Lines changed: 543 additions & 352 deletions b/‎README.md‎
Lines changed: 543 additions & 352 deletions
diff --git a/‎docsource/content.md‎
Lines changed: 53 additions & 0 deletions b/‎docsource/content.md‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎docsource/iisu.md‎
Lines changed: 15 additions & 0 deletions b/‎docsource/iisu.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎docsource/images/IISU-advanced-store-type-dialog.png‎
40.7 KB b/‎docsource/images/IISU-advanced-store-type-dialog.png‎
40.7 KB
diff --git a/‎docsource/images/IISU-basic-store-type-dialog.png‎
50.3 KB b/‎docsource/images/IISU-basic-store-type-dialog.png‎
50.3 KB
diff --git a/‎docsource/images/IISU-custom-fields-store-type-dialog.png‎
39.6 KB b/‎docsource/images/IISU-custom-fields-store-type-dialog.png‎
39.6 KB
diff --git a/‎docsource/images/IISU-entry-parameters-store-type-dialog.png‎
42.6 KB b/‎docsource/images/IISU-entry-parameters-store-type-dialog.png‎
42.6 KB
@@ -11,9 +11,10 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@dual-platform-without-doctool
+    uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2
     secrets:
       token: ${{ secrets.V2BUILDTOKEN}}
       APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
       gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
       gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
+      scan_token: ${{ secrets.SAST_TOKEN }}
@@ -0,0 +1,80 @@
+SET NOCOUNT ON
+
+BEGIN TRY
+    BEGIN TRANSACTION
+
+    DECLARE @IISUShortName VARCHAR(50) = 'IISU'
+    DECLARE @SniFlagParameter VARCHAR(50) = 'SniFlag'
+
+    DECLARE @StoreTypeId INT
+
+    -- get store type id
+    SELECT @StoreTypeId = storetypes.[StoreType]
+    FROM [cms_agents].[CertStoreTypes] AS storetypes
+    WHERE @IISUShortName = storetypes.[ShortName]
+
+    -- get list of cert stores guids of that type
+    SELECT certstores.[Id]
+    INTO #StoreGuids
+    FROM [cms_agents].[CertStores] AS certstores
+    WHERE @StoreTypeId = certstores.[CertStoreType]
+
+    -- get list of certstoreinventoryitems matching on store guid
+    SELECT inventory.[Id], inventory.[EntryParameters]
+    INTO #InventoryItems
+    FROM [cms_agents].[CertStoreInventoryItems] AS inventory
+        INNER JOIN #StoreGuids ON #StoreGuids.[Id] = inventory.[CertStoreId]
+
+    -- update entry parameters to new setting
+    UPDATE [cms_agents].[CertStoreTypeEntryParameters]
+    SET [DisplayName] = 'SSL Flags',
+        [Type] = '0',
+        [DefaultValue] = '0',
+        [Options] = NULL
+    WHERE [StoreTypeId] = @StoreTypeId
+        AND [Name] = @SniFlagParameter
+
+    -- perform batch processing on certstoreinventoryitems to alter their EntryParameters to change the SNiFlag value to be a simple character instead of lots of text
+    -- replace 0 - No SNI
+    UPDATE inventoryitems
+    SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '0 - No SNI', '0')
+    FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems
+        INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id]
+    WHERE inventoryitems.[EntryParameters] LIKE '%0 - No SNI%'
+
+    -- replace 1 - SNI Enabled
+    UPDATE inventoryitems
+    SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '1 - SNI Enabled', '1')
+    FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems
+        INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id]
+    WHERE inventoryitems.[EntryParameters] LIKE '%1 - SNI Enabled%'
+
+    -- replace 2 - Non SNI Binding
+    UPDATE inventoryitems
+    SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '2 - Non SNI Binding', '2')
+    FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems
+        INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id]
+    WHERE inventoryitems.[EntryParameters] LIKE '%2 - Non SNI Binding%'
+
+    -- replace 3 - SNI Binding
+    UPDATE inventoryitems
+    SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '3 - SNI Binding', '3')
+    FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems
+        INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id]
+    WHERE inventoryitems.[EntryParameters] LIKE '%3 - SNI Binding%'
+
+    COMMIT TRANSACTION
+END TRY
+
+BEGIN CATCH
+    IF (@@TRANCOUNT > 0)
+    BEGIN
+        ROLLBACK TRANSACTION;
+    END
+
+    SELECT
+       ERROR_MESSAGE() AS ErrorMessage,
+       ERROR_SEVERITY() AS Severity,
+       ERROR_STATE() AS ErrorState;
+END CATCH
+
@@ -358,14 +358,14 @@ BEGIN TRY
 		)
 		VALUES	
 		(
-			@current_storetype_id,  -- StoreTypeId
+			@current_storetype_id,	-- StoreTypeId
 			'SniFlag',				-- Name
-			'SNI Support',			-- DisplayName
-			2,					    -- Type
+			'SSL Flags',			-- DisplayName
+			0,						-- Type
 			14,						-- RequiredWhen
 			NULL,					-- DependsOn
-			'0 - No SNI',			-- DefaultValue
-			'0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding'	-- Options
+			'0',					-- DefaultValue
+			NULL					-- Options
 		);
 
 	-- create Protocol entry parameter
 
@@ -0,0 +1,53 @@
+## Overview
+
+The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store.  Users are able to determine which store they wish to place certificates in by entering the correct store path.  For a complete list of local machine cert stores you can execute the PowerShell command:
+
+	Get-ChildItem Cert:\LocalMachine
+
+The returned list will contain the actual certificate store name to be used when entering store location.
+
+By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores.
+
+This extension implements four job types:  Inventory, Management Add/Remove, and Reenrollment.
+
+WinRM is used to remotely manage the certificate stores and IIS bindings.  WinRM must be properly configured to allow the orchestrator on the server to manage the certificates.  Setting up WinRM is not in the scope of this document.
+
+**Note:**
+In version 2.0 of the IIS Orchestrator, the certificate store type has been renamed and additional parameters have been added. Prior to 2.0 the certificate store type was called “IISBin” and as of 2.0 it is called “IISU”. If you have existing certificate stores of type “IISBin”, you have three options:
+1. Leave them as is and continue to manage them with a pre 2.0 IIS Orchestrator Extension. Create the new IISU certificate store type and create any new IIS stores using the new type.
+1. Delete existing IIS stores. Delete the IISBin store type. Create the new IISU store type. Recreate the IIS stores using the new IISU store type.
+1. Convert existing IISBin certificate stores to IISU certificate stores. There is not currently a way to do this via the Keyfactor API, so direct updates to the underlying Keyfactor SQL database is required. A SQL script (IIS-Conversion.sql) is available in the repository to do this. Hosted customers, which do not have access to the underlying database, will need to work Keyfactor support to run the conversion. On-premises customers can run the script themselves, but are strongly encouraged to ensure that a SQL backup is taken prior running the script (and also be confident that they have a tested database restoration process.)
+
+**Note: There is an additional (and deprecated) certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.**
+
+**Note: If Looking to use GMSA Accounts to run the Service Keyfactor Command 10.2 or greater is required for No Value checkbox to work**
+
+## Requirements
+
+### Security and Permission Considerations
+
+From an official support point of view, Local Administrator permissions are required on the target server. Some customers have been successful with using other accounts and granting rights to the underlying certificate and private key stores. Due to complexities with the interactions between Group Policy, WinRM, User Account Control, and other unpredictable customer environmental factors, Keyfactor cannot provide assistance with using accounts other than the local administrator account.
+ 
+For customers wishing to use something other than the local administrator account, the following information may be helpful:
+ 
+*	The WinCert extensions (WinCert, IISU, WinSQL) create a WinRM (remote PowerShell) session to the target server in order to manipulate the Windows Certificate Stores, perform binding (in the case of the IISU extension), or to access the registry (in the case of the WinSQL extension). 
+ 
+*	When the WinRM session is created, the certificate store credentials are used if they have been specified, otherwise the WinRM session is created in the context of the Universal Orchestrator (UO) Service account (which potentially could be the network service account, a regular account, or a GMSA account)
+ 
+*	WinRM needs to be properly set up between the server hosting the UO and the target server. This means that a WinRM client running on the UO server when running in the context of the UO service account needs to be able to create a session on the target server using the configured credentials of the target server and any PowerShell commands running on the remote session need to have appropriate permissions. 
+ 
+*	Even though a given account may be in the administrators group or have administrative privileges on the target system and may be able to execute certificate and binding operations when running locally, the same account may not work when being used via WinRM. User Account Control (UAC) can get in the way and filter out administrative privledges. UAC / WinRM configuration has a LocalAccountTokenFilterPolicy setting that can be adjusted to not filter out administrative privledges for remote users, but enabling this may have other security ramifications. 
+ 
+*	The following list may not be exhaustive, but in general the account (when running under a remote WinRM session) needs permissions to:
+    -	Instantiate and open a .NET X509Certificates.X509Store object for the target certificate store and be able to read and write both the certificates and related private keys. Note that ACL permissions on the stores and private keys are separate.
+    -	Use the Import-Certificate, Get-WebSite, Get-WebBinding, and New-WebBinding PowerShell CmdLets.
+    -	Create and delete temporary files.
+    -	Execute certreq commands.
+    -	Access any Cryptographic Service Provider (CSP) referenced in re-enrollment jobs.
+    -	Read and Write values in the registry (HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server) when performing SQL Server certificate binding.
+
+## Note Regarding Client Machine
+
+If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), the Client Machine can be entered, OR you can bypass a WinRM connection and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine".  In this instance the value to the left of the pipe (|) is ignored.  It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique.  To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a certificate store that will be accessed without a WinRM connection.  
+
+Here are the settings required for each Store Type previously configured.
@@ -0,0 +1,15 @@
+## Overview
+
+The IIS Bound Certificate Certificate Store Type, identified by its short name 'IISU,' is designed for the management of certificates bound to IIS (Internet Information Services) servers. This store type allows users to automate and streamline the process of adding, removing, and reenrolling certificates for IIS sites, making it significantly easier to manage web server certificates.
+
+### Key Features and Representation
+
+The IISU store type represents the IIS servers and their certificate bindings. It specifically caters to managing SSL/TLS certificates tied to IIS websites, allowing bind operations such as specifying site names, IP addresses, ports, and enabling Server Name Indication (SNI). By default, it supports job types like Inventory, Add, Remove, and Reenrollment, thereby offering comprehensive management capabilities for IIS certificates.
+
+### Limitations and Areas of Confusion
+
+- **Caveats:** It's important to ensure that the Windows Remote Management (WinRM) is properly configured on the target server. The orchestrator relies on WinRM to perform its tasks, such as manipulating the Windows Certificate Stores. Misconfiguration of WinRM may lead to connection and permission issues.
+
+- **Limitations:** Users should be aware that for this store type to function correctly, certain permissions are necessary. While some advanced users successfully use non-administrator accounts with specific permissions, it is officially supported only with Local Administrator permissions. Complexities with interactions between Group Policy, WinRM, User Account Control, and other environmental factors may impede operations if not properly configured.
+
+- **Custom Alias and Private Keys:** The store type does not support custom aliases for individual entries and requires private keys because IIS certificates without private keys would be invalid.