From eea5a9b0959d295b0099b055557dc921d3608464 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 10 Nov 2021 16:10:31 +0000 Subject: [PATCH 01/29] Update generated README --- README.md | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 754ce6c..70b4237 100644 --- a/README.md +++ b/README.md 
@@ -4,49 +4,49 @@ This integration allows for the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center. *** -## Introduction -This AnyGateway plug enables issuance, revocation, and synchronization of certificates from GlobalSign's Managed SSL/TLS offering. -## Prerequisites +# Introduction +This AnyGateway plug-in enables issuance, revocation, and synchronization of certificates from GlobalSign's Managed SSL/TLS offering. +# Prerequisites -### Certificate Chain +## Certificate Chain In order to enroll for certificates the Keyfactor Command server must trust the trust chain. Once you create your Root and/or Subordinate CA, make sure to import the certificate chain into the AnyGateway and Command Server certificate store -### API Allow List +## API Allow List The GlobalSign API can filter requested based on IP address. Ensure that appropiate IP address is allowed to make requests to the GlobalSign API. -### Domain Point of Contact +## Domain Point of Contact This AnyGateway plugin uses the contact information of the GCC Domain point of contact when enrolling for certificates. These fields are required to submit and enrollment and must be populated on the Domain's point of contact. This can be found in the GlobalSign Portal in the Manage Domains page. ### Migration In the event that a system is being upgraded from the Legacy GlobalSign CA Gateway (19.4 or older), a migration from the legacy database format to the AnyGateway format will be required. -To begin the migration process, copy the GlobalSignEsentMigrator.dll to the Program Files\Keyfactor\Keyfactor AnyGateway directory. Afterwardsm, the DatabaseManagementConsole.exe.config will need to be updated to reference the GlobalSignEsentMigrator. This is one by modifying the mapping for the IDatabaseMigrator inteface in the config file. +To begin the migration process, copy the GlobalSignEsentMigrator.dll to the Program Files\Keyfactor\Keyfactor AnyGateway directory. 
Afterwards, the DatabaseManagementConsole.exe.config will need to be updated to reference the GlobalSignEsentMigrator. This is done by modifying the mapping for the IDatabaseMigrator inteface in the config file. ```xml ``` -## Install +# Install * Download latest successful build from [GitHub Releases](/releases/latest) -* Copy GloabalSignCAProxy.dll to the Program Files\Keyfactor\Keyfactor AnyGateway directory +* Copy GlobalSignCAProxy.dll to the Program Files\Keyfactor\Keyfactor AnyGateway directory * Update the CAProxyServer.config file - * Update the CAConnection section to point at the GloabalSignCAProxy class + * Update the CAConnection section to point at the GlobalSignCAProxy class ```xml - + ``` -## Configuration +# Configuration The following sections will breakdown the required configurations for the AnyGatewayConfig.json file that will be imported to configure the AnyGateway. -### Templates +## Templates The Template section will map the CA's SSL profile to an AD template. The Lifetime parameter is required and represents the certificate duration in months. ```json "Templates": { "WebServer": { - "ProductID": "PEV", + "ProductID": "PV_SHA2", "Parameters": { "Lifetime":"12" } @@ -63,8 +63,8 @@ The Template section will map the CA's SSL profile to an AD template. The Lifeti * Cloud SSL SHA 256 ECDSA (PV_CLOUD_ECC2) -### Security -The security section does not change specifically for the Entrust CA Gateway. Refer to the AnyGateway Documentation for more detail. +## Security +The security section does not change specifically for the GlobalSign CA Gateway. Refer to the AnyGateway Documentation for more detail. ```json /*Grant permissions on the CA to users or groups in the local domain. READ: Enumerate and read contents of certificates. 
@@ -99,7 +99,7 @@ The security section does not change specifically for the Entrust CA Gateway. R } } ``` -### CerificateManagers +## CerificateManagers The Certificate Managers section is optional. If configured, all users or groups granted OFFICER permissions under the Security section must be configured for at least one Template and one Requester. @@ -124,7 +124,7 @@ The Certificate Managers section is optional. } } ``` -### CAConnection +## CAConnection The CA Connection section will determine the API endpoint and configuration data used to connect to Entrust CA Gateway. * ```IsTest``` This determines if the test API endpoints are used with the Gateway. @@ -146,11 +146,11 @@ This is the password that will be used to connect to the GloabalSign API "Password":"password" }, ``` -### GatewayRegistration -There are no specific Changes for the GatewayRegistration section. Refer to the Refer to the AnyGateway Documentation for more detail. +## GatewayRegistration +There are no specific Changes for the GatewayRegistration section. Refer to the AnyGateway Documentation for more detail. ```json "GatewayRegistration": { - "LogicalName": "GlobalsSignCASandbox", + "LogicalName": "GlobalSignCASandbox", "GatewayCertificate": { "StoreName": "CA", "StoreLocation": "LocalMachine", @@ -159,8 +159,8 @@ There are no specific Changes for the GatewayRegistration section. Refer to the } ``` -### ServiceSettings -There are no specific Changes for the GatewayRegistration section. Refer to the Refer to the AnyGateway Documentation for more detail. +## ServiceSettings +There are no specific Changes for the ServiceSettings section. Refer to the AnyGateway Documentation for more detail. ```json "ServiceSettings": { "ViewIdleMinutes": 8, From f8c7e3a34611e0b9301c759a35dd7e5f8035c599 Mon Sep 17 00:00:00 2001 From: Rex Wheeler Date: Wed, 1 Dec 2021 17:01:41 -0800 Subject: [PATCH 02/29] Add compatibility note --- README.md.tpl | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/README.md.tpl b/README.md.tpl index 2c59d96..96fa229 100644 --- a/README.md.tpl +++ b/README.md.tpl @@ -5,7 +5,11 @@ *** # Introduction -This AnyGateway plug-in enables issuance, revocation, and synchronization of certificates from GlobalSign's Managed SSL/TLS offering. +This AnyGateway plug-in enables issuance, revocation, and synchronization of certificates from GlobalSign's Managed SSL/TLS offering. + +# Compatibility +This AnyGateway is designed to be used with version 21.3.2 of the Keyfactor AnyGateway Framework + # Prerequisites ## Certificate Chain @@ -167,4 +171,4 @@ There are no specific Changes for the ServiceSettings section. Refer to the AnyG "FullScanPeriodHours": 24, "PartialScanPeriodMinutes": 240 } -``` \ No newline at end of file +``` From f8cbe256485a238e8783acdc222d9168838c688d Mon Sep 17 00:00:00 2001 From: Rex Wheeler Date: Wed, 1 Dec 2021 17:03:30 -0800 Subject: [PATCH 03/29] Delete keyfactor-extension-generate-readme.yml --- .../keyfactor-extension-generate-readme.yml | 28 ------------------- 1 file changed, 28 deletions(-) delete mode 100644 .github/workflows/keyfactor-extension-generate-readme.yml diff --git a/.github/workflows/keyfactor-extension-generate-readme.yml b/.github/workflows/keyfactor-extension-generate-readme.yml deleted file mode 100644 index 4aeada6..0000000 --- a/.github/workflows/keyfactor-extension-generate-readme.yml +++ /dev/null 
@@ -1,28 +0,0 @@
-name: Update README
-on: [workflow_dispatch]
-
-jobs:
- update_readme:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@master
-
- - uses: cuchi/jinja2-action@v1.2.0
- with:
- template: README.md.tpl
- output_file: README.md
- data_file: integration-manifest.json
- env:
- GITHUB_TOKEN: ${{ secrets.SDK_SYNC_PAT }}
-
- - uses: stefanzweifel/git-auto-commit-action@v4
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- push_options: '--force'
- commit_message: Update generated README
- commit_user_name: Keyfactor
- commit_user_email: keyfactor@keyfactor.github.io
- commit_author: Keyfactor
-
From 16602430f73660efaba82a94206871c37ffd3750 Mon Sep 17 00:00:00 2001
From: Rex Wheeler
Date: Wed, 1 Dec 2021 17:03:47 -0800
Subject: [PATCH 04/29] Create keyfactor-extension-generate-readme.yml
---
 .../keyfactor-extension-generate-readme.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/keyfactor-extension-generate-readme.yml
diff --git a/.github/workflows/keyfactor-extension-generate-readme.yml b/.github/workflows/keyfactor-extension-generate-readme.yml
new file mode 100644
index 0000000..8b82c7e
--- /dev/null
+++ b/.github/workflows/keyfactor-extension-generate-readme.yml
@@ -0,0 +1,27 @@
+name: Update README
+on: [push, workflow_dispatch]
+
+jobs:
+ update_readme:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@master
+
+ - uses: cuchi/jinja2-action@v1.2.0
+ with:
+ template: README.md.tpl
+ output_file: README.md
+ data_file: integration-manifest.json
+ env:
+ GITHUB_TOKEN: ${{ secrets.SDK_SYNC_PAT }}
+
+ - uses: stefanzweifel/git-auto-commit-action@v4
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ push_options: '--force'
+ commit_message: Update generated README
+ commit_user_name: Keyfactor
+ commit_user_email: keyfactor@keyfactor.github.io
+ commit_author: Keyfactor
From 3fda4336754fa7bd593e23369bf137aca7da5ca5 Mon Sep 17 00:00:00 2001
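Review bot: The jinja2 render step in the new workflow hands `SDK_SYNC_PAT` to a third-party action (`cuchi/jinja2-action`) as `GITHUB_TOKEN`, yet none of that step's inputs (`template`, `output_file`, `data_file`) involve GitHub at all, so a long-lived PAT is exposed to code this repo does not control for no visible benefit; drop the `env:` block on that step unless the action is documented to require a token. `actions/checkout@master` is a floating branch ref and should be pinned to a release tag or a full commit SHA. The `on: [push, workflow_dispatch]` trigger combined with `push_options: '--force'` and no top-level `permissions:` block means a generated commit is force-pushed on every push to every branch with whatever write scope the default token carries; limiting the trigger to the default branch and the two template inputs (`push: { branches: [main], paths: [README.md.tpl, integration-manifest.json] }`) and removing `--force` would contain that. Since the only functional change from the file deleted in the previous commit is `[workflow_dispatch]` becoming `[push, workflow_dispatch]`, a one-line edit would have made that easier to review.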
From: Keyfactor Date: Thu, 2 Dec 2021 01:04:58 +0000 Subject: [PATCH 05/29] Update generated README --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 70b4237..5d96557 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,11 @@ This integration allows for the Synchronization, Enrollment, and Revocation of T *** # Introduction -This AnyGateway plug-in enables issuance, revocation, and synchronization of certificates from GlobalSign's Managed SSL/TLS offering. +This AnyGateway plug-in enables issuance, revocation, and synchronization of certificates from GlobalSign's Managed SSL/TLS offering. + +# Compatibility +This AnyGateway is designed to be used with version 21.3.2 of the Keyfactor AnyGateway Framework + # Prerequisites ## Certificate Chain From 3f03db882ccb571f328639bf5eb36532cc2ce117 Mon Sep 17 00:00:00 2001 From: Michael Henderson Date: Mon, 19 Sep 2022 15:38:14 -0700 Subject: [PATCH 06/29] update workflow/readme --- .../keyfactor-extension-generate-readme.yml | 27 ---- .../workflows/keyfactor-extension-release.yml | 120 ------------------ .../workflows/keyfactor-starter-workflow.yml | 26 ++++ integration-manifest.json | 3 +- README.md.tpl => readme_source.md | 6 - 5 files changed, 28 insertions(+), 154 deletions(-) delete mode 100644 .github/workflows/keyfactor-extension-generate-readme.yml delete mode 100644 .github/workflows/keyfactor-extension-release.yml create mode 100644 .github/workflows/keyfactor-starter-workflow.yml rename README.md.tpl => readme_source.md (98%) diff --git a/.github/workflows/keyfactor-extension-generate-readme.yml b/.github/workflows/keyfactor-extension-generate-readme.yml deleted file mode 100644 index 8b82c7e..0000000 --- a/.github/workflows/keyfactor-extension-generate-readme.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -name: Update README -on: [push, workflow_dispatch] - -jobs: - update_readme: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@master - - - uses: cuchi/jinja2-action@v1.2.0 - with: - template: README.md.tpl - output_file: README.md - data_file: integration-manifest.json - env: - GITHUB_TOKEN: ${{ secrets.SDK_SYNC_PAT }} - - - uses: stefanzweifel/git-auto-commit-action@v4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - push_options: '--force' - commit_message: Update generated README - commit_user_name: Keyfactor - commit_user_email: keyfactor@keyfactor.github.io - commit_author: Keyfactor diff --git a/.github/workflows/keyfactor-extension-release.yml b/.github/workflows/keyfactor-extension-release.yml deleted file mode 100644 index 84430ff..0000000 --- a/.github/workflows/keyfactor-extension-release.yml +++ /dev/null 
@@ -1,120 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: Keyfactor Extension - Release - -# Controls when the action will run. -on: - # Triggers the workflow on push - push: - #only run this workflow when pushing to a branch that contains a release number. ignore -pre - branches: - - 'release-[1-9].[0-9]+' - - '!release-[1-9].[0-9]+-pre*' - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: windows-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 - - - name: Setup Envrionment - id: setup_env - run: | - echo "Setup Envrionment Variables for Workflow" - echo "Working Path: ${Env:GITHUB_WORKSPACE}" - $slnPath = (Get-ChildItem -Include *.sln -File -Recurse).fullname - $relName = "${{ github.ref }}".Split("/") - $repoName = "${{ github.repository }}".Split("/") - echo "Solution File Path: ${slnPath}" - echo "SOLUTION_PATH=${slnPath}" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - echo "Release Name: $($relName[-1])" - echo "RELEASE_NAME=$($relName[-1])" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - echo "Repo Name: $($repoName[-1])" - echo "REPO_NAME=$($repoName[-1])" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - - - uses: actions/setup-dotnet@v1 - with: - dotnet-version: '3.1.x' # SDK Version to use; x will use the latest version of the 3.1 channel - #dotnet-version: - - - name: Add Package Source - run: | - dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json -n github -u ${{ github.actor }} -p ${{ secrets.BUILD_PACKAGE_ACCESS }} --store-password-in-clear-text - - # Configures msbuild 
path envrionment - - name: setup-msbuild - uses: microsoft/setup-msbuild@v1 - - # Restores Packages to Local Machine - - name: restore nuget packages - run: | - nuget restore ${{ env.SOLUTION_PATH }} - - - name: Create Release - id: create_release - #uses: zendesk/action-create-release@v1 - uses: keyfactor/action-create-release@786b73035fa09790f9eb11bb86834a6d7af1c256 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - release_name: ${{ env.RELEASE_NAME }} - body: | - [Changelog](/CHANGELOG.md) - draft: false - prerelease: false - auto_increment_type: patch - tag_schema: semantic - commitish: ${{ github.sha }} - - #update version number of AssemblyInfo.cs file - - name: Increment Assembly Version - run: | - $VersionRegex = "\d+\.\d+\.\d+" - $assemblyFilePath = (Get-ChildItem -Include AssemblyInfo.cs -File -Recurse).fullname - $newVer = "${{ steps.create_release.outputs.current_tag }}".TrimStart('v') - foreach($currentFile in $assemblyFilePath) - { - $filecontent = Get-Content($currentFile) - attrib $currentFile -r - $filecontent -replace $VersionRegex, $newVer | Out-File $currentFile - } - - - name: Execute MSBuild Commands - run: | - MSBuild.exe $Env:SOLUTION_PATH -p:RestorePackagesConfig=false -p:Configuration=Release - - - name: Archive Files - if: ${{ success() }} - run: | - md ${{ github.workspace }}\zip\Keyfactor - Compress-Archive -Path ${{ github.workspace }}\src\GlobalSignCAProxy\bin\Release\GlobalSignCAProxy.dll,${{ github.workspace }}\src\GlobalSignEsentMigrator\bin\Release\GlobalSignEsentMigrator.dll,${{ github.workspace }}\src\GlobalSignCAProxy\app.config -DestinationPath ${{ github.workspace }}\zip\Keyfactor\$Env:REPO_NAME.zip -Force - - - name: Upload Release Asset (x64) - if: ${{ success() }} - id: upload-release-asset-x64 - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ${{ github.workspace }}\zip\Keyfactor\${{ 
env.REPO_NAME}}.zip
- asset_name: ${{ env.REPO_NAME}}_${{ steps.create_release.outputs.current_tag }}.zip
- asset_content_type: application/zip
-
- - name: On Failure Remove Tags and Release
- if: ${{ failure() }}
- uses: dev-drprasad/delete-tag-and-release@v0.2.0
- with:
- delete_release: true # default: false
- tag_name: ${{ steps.create_release.outputs.current_tag }}
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml
new file mode 100644
index 0000000..456da13
--- /dev/null
+++ b/.github/workflows/keyfactor-starter-workflow.yml
@@ -0,0 +1,26 @@
+name: Starter Workflow
+on: [workflow_dispatch, push, pull_request]
+
+jobs:
+ call-create-github-release-workflow:
+ uses: Keyfactor/actions/.github/workflows/github-release.yml@main
+
+ call-dotnet-build-and-release-workflow:
+ needs: [call-create-github-release-workflow]
+ uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main
+ with:
+ release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }}
+ release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }}
+ release_dir: globalsign-mssl-cagateway\src\GlobalSignCAProxy\bin\Release
+ secrets:
+ token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }}
+
+ call-generate-readme-workflow:
+ if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main
+
+ call-update-catalog-workflow:
+ if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main
+ secrets:
+ token: ${{ secrets.SDK_SYNC_PAT }}
diff --git a/integration-manifest.json b/integration-manifest.json
index 2a752f0..1a0b680
--- a/integration-manifest.json
+++ b/integration-manifest.json
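Review bot: Every reusable workflow in the new starter file is referenced at `@main`, and the build and catalog jobs pass it `PRIVATE_PACKAGE_ACCESS` and `SDK_SYNC_PAT`, so whatever lands on `main` of Keyfactor/actions runs with those secrets without any change reviewed in this repo; pinning each `uses:` to a release tag or full commit SHA (e.g. `uses: Keyfactor/actions/.github/workflows/github-release.yml@v1`) keeps that under this repo's control, even though the callee is in the same organisation. The `on:` list includes `pull_request`, but only the readme and catalog jobs carry the `if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'` guard; `call-create-github-release-workflow` and the build job that `needs:` it run on PR events too, so if the called release workflow tags and publishes unconditionally (not visible here) every PR push would cut a release — the same `if:` on the release job, which `needs:` then propagates to the build job, is presumably what was intended. `release_dir` is a backslash path prefixed with the repository name, which only resolves if the called workflow checks out into a folder of that name on a Windows runner; worth confirming against dotnet-build-and-release.yml.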
@@ -2,6 +2,7 @@ "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", "integration_type": "ca-gateway", "name": "GlobalSign Managed SSL AnyGateway", - "status": "prototype", + "status": "production", + "link_github": false, "description": "This integration allows for the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center." } \ No newline at end of file diff --git a/README.md.tpl b/readme_source.md similarity index 98% rename from README.md.tpl rename to readme_source.md index 96fa229..163578d 100644 --- a/README.md.tpl +++ b/readme_source.md @@ -1,9 +1,3 @@ -# {{ name }} -## {{ integration_type | capitalize }} - -{{ description }} - -*** # Introduction This AnyGateway plug-in enables issuance, revocation, and synchronization of certificates from GlobalSign's Managed SSL/TLS offering. From a597a4058d63afb4dacd965141c8bfacacd36f79 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 19 Sep 2022 22:38:59 +0000 Subject: [PATCH 07/29] Update generated README --- README.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5d96557..e76c96d 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,20 @@ # GlobalSign Managed SSL AnyGateway -## Ca-gateway This integration allows for the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center. -*** +#### Integration status: Production - Ready for use in production environments. + +## About the Keyfactor AnyGateway CA Connector + +This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. + +--- + + + + +--- + # Introduction This AnyGateway plug-in enables issuance, revocation, and synchronization of certificates from GlobalSign's Managed SSL/TLS offering. 
@@ -172,3 +183,4 @@ There are no specific Changes for the ServiceSettings section. Refer to the AnyG "PartialScanPeriodMinutes": 240 } ``` + From 36f4e56cbf6a4d1218e36f7de83fa42b257116d3 Mon Sep 17 00:00:00 2001 From: Michael Henderson Date: Mon, 19 Sep 2022 15:38:14 -0700 Subject: [PATCH 08/29] update workflow/readme --- .../keyfactor-extension-generate-readme.yml | 27 ---- .../workflows/keyfactor-extension-release.yml | 120 ------------------ .../workflows/keyfactor-starter-workflow.yml | 39 ++++++ integration-manifest.json | 3 +- README.md.tpl => readme_source.md | 6 - 5 files changed, 41 insertions(+), 154 deletions(-) delete mode 100644 .github/workflows/keyfactor-extension-generate-readme.yml delete mode 100644 .github/workflows/keyfactor-extension-release.yml create mode 100644 .github/workflows/keyfactor-starter-workflow.yml rename README.md.tpl => readme_source.md (98%) diff --git a/.github/workflows/keyfactor-extension-generate-readme.yml b/.github/workflows/keyfactor-extension-generate-readme.yml deleted file mode 100644 index 8b82c7e..0000000 --- a/.github/workflows/keyfactor-extension-generate-readme.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Update README -on: [push, workflow_dispatch] - -jobs: - update_readme: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@master - - - uses: cuchi/jinja2-action@v1.2.0 - with: - template: README.md.tpl - output_file: README.md - data_file: integration-manifest.json - env: - GITHUB_TOKEN: ${{ secrets.SDK_SYNC_PAT }} - - - uses: stefanzweifel/git-auto-commit-action@v4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - push_options: '--force' - commit_message: Update generated README - commit_user_name: Keyfactor - commit_user_email: keyfactor@keyfactor.github.io - commit_author: Keyfactor diff --git a/.github/workflows/keyfactor-extension-release.yml b/.github/workflows/keyfactor-extension-release.yml deleted file mode 100644 index 84430ff..0000000 
--- a/.github/workflows/keyfactor-extension-release.yml +++ /dev/null 
@@ -1,120 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: Keyfactor Extension - Release - -# Controls when the action will run. -on: - # Triggers the workflow on push - push: - #only run this workflow when pushing to a branch that contains a release number. ignore -pre - branches: - - 'release-[1-9].[0-9]+' - - '!release-[1-9].[0-9]+-pre*' - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: windows-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 - - - name: Setup Envrionment - id: setup_env - run: | - echo "Setup Envrionment Variables for Workflow" - echo "Working Path: ${Env:GITHUB_WORKSPACE}" - $slnPath = (Get-ChildItem -Include *.sln -File -Recurse).fullname - $relName = "${{ github.ref }}".Split("/") - $repoName = "${{ github.repository }}".Split("/") - echo "Solution File Path: ${slnPath}" - echo "SOLUTION_PATH=${slnPath}" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - echo "Release Name: $($relName[-1])" - echo "RELEASE_NAME=$($relName[-1])" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - echo "Repo Name: $($repoName[-1])" - echo "REPO_NAME=$($repoName[-1])" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - - - uses: actions/setup-dotnet@v1 - with: - dotnet-version: '3.1.x' # SDK Version to use; x will use the latest version of the 3.1 channel - #dotnet-version: - - - name: Add Package Source - run: | - dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json -n github -u ${{ github.actor }} -p ${{ secrets.BUILD_PACKAGE_ACCESS }} --store-password-in-clear-text - - # Configures msbuild 
path envrionment - - name: setup-msbuild - uses: microsoft/setup-msbuild@v1 - - # Restores Packages to Local Machine - - name: restore nuget packages - run: | - nuget restore ${{ env.SOLUTION_PATH }} - - - name: Create Release - id: create_release - #uses: zendesk/action-create-release@v1 - uses: keyfactor/action-create-release@786b73035fa09790f9eb11bb86834a6d7af1c256 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - release_name: ${{ env.RELEASE_NAME }} - body: | - [Changelog](/CHANGELOG.md) - draft: false - prerelease: false - auto_increment_type: patch - tag_schema: semantic - commitish: ${{ github.sha }} - - #update version number of AssemblyInfo.cs file - - name: Increment Assembly Version - run: | - $VersionRegex = "\d+\.\d+\.\d+" - $assemblyFilePath = (Get-ChildItem -Include AssemblyInfo.cs -File -Recurse).fullname - $newVer = "${{ steps.create_release.outputs.current_tag }}".TrimStart('v') - foreach($currentFile in $assemblyFilePath) - { - $filecontent = Get-Content($currentFile) - attrib $currentFile -r - $filecontent -replace $VersionRegex, $newVer | Out-File $currentFile - } - - - name: Execute MSBuild Commands - run: | - MSBuild.exe $Env:SOLUTION_PATH -p:RestorePackagesConfig=false -p:Configuration=Release - - - name: Archive Files - if: ${{ success() }} - run: | - md ${{ github.workspace }}\zip\Keyfactor - Compress-Archive -Path ${{ github.workspace }}\src\GlobalSignCAProxy\bin\Release\GlobalSignCAProxy.dll,${{ github.workspace }}\src\GlobalSignEsentMigrator\bin\Release\GlobalSignEsentMigrator.dll,${{ github.workspace }}\src\GlobalSignCAProxy\app.config -DestinationPath ${{ github.workspace }}\zip\Keyfactor\$Env:REPO_NAME.zip -Force - - - name: Upload Release Asset (x64) - if: ${{ success() }} - id: upload-release-asset-x64 - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ${{ github.workspace }}\zip\Keyfactor\${{ 
env.REPO_NAME}}.zip - asset_name: ${{ env.REPO_NAME}}_${{ steps.create_release.outputs.current_tag }}.zip - asset_content_type: application/zip - - - name: On Failure Remove Tags and Release - if: ${{ failure() }} - uses: dev-drprasad/delete-tag-and-release@v0.2.0 - with: - delete_release: true # default: false - tag_name: ${{ steps.create_release.outputs.current_tag }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml new file mode 100644 index 0000000..7835254 --- /dev/null +++ b/.github/workflows/keyfactor-starter-workflow.yml 
@@ -0,0 +1,39 @@
+name: Starter Workflow
+on: [workflow_dispatch, push, pull_request]
+
+jobs:
+ call-create-github-release-workflow:
+ uses: Keyfactor/actions/.github/workflows/github-release.yml@main
+ get-manifest-properties:
+ runs-on: windows-latest
+ outputs:
+ update_catalog: ${{ steps.read-json.outputs.prop }}
+ steps:
+ - uses: actions/checkout@v3
+ - name: Read json
+ id: read-json
+ shell: pwsh
+ run: |
+ $json = Get-Content integration-manifest.json | ConvertFrom-Json
+ echo "::set-output name=prop::$(echo $json.update_catalog)"
+
+ call-dotnet-build-and-release-workflow:
+ needs: [call-create-github-release-workflow]
+ uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main
+ with:
+ release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }}
+ release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }}
+ release_dir: globalsign-mssl-cagateway\src\GlobalSignCAProxy\bin\Release
+ secrets:
+ token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }}
+
+ call-generate-readme-workflow:
+ if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main
+
+ call-update-catalog-workflow:
+ needs: get-manifest-properties
+ if: needs.get-manifest-properties.outputs.update_catalog == 'True' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
+ uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main
+ secrets:
+ token: ${{ secrets.SDK_SYNC_PAT }}
diff --git a/integration-manifest.json b/integration-manifest.json
index 2a752f0..1a0b680
--- a/integration-manifest.json
+++ b/integration-manifest.json
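Review bot: The `get-manifest-properties` step writes its result with `::set-output`, which GitHub has since deprecated in favour of the `$GITHUB_OUTPUT` file; the `run:` body becomes `"prop=$($json.update_catalog)" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append`. The downstream guard `== 'True'` depends on PowerShell rendering a JSON boolean as `True`, and when the key is absent — as it is in this commit, since the manifest hunk below only sets `status` and `link_github` — the output is empty and the catalog job is silently skipped; a comment above that `if:` such as `# update_catalog comes from integration-manifest.json; a missing key disables the catalog push` would make the intended default explicit. Spinning up a `windows-latest` runner to read one JSON key is heavyweight; `ubuntu-latest` with `jq -r .update_catalog integration-manifest.json` does the same, with the comparison adjusted to `'true'`. The reusable workflows are still referenced at `@main` while receiving `PRIVATE_PACKAGE_ACCESS` and `SDK_SYNC_PAT`, and `call-create-github-release-workflow` has no event guard so it also runs on `pull_request`; pin them to a tag or SHA and give the release job the same `if:` the readme job carries.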
@@ -2,6 +2,7 @@ "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", "integration_type": "ca-gateway", "name": "GlobalSign Managed SSL AnyGateway", - "status": "prototype", + "status": "production", + "link_github": false, "description": "This integration allows for the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center." } \ No newline at end of file diff --git a/README.md.tpl b/readme_source.md similarity index 98% rename from README.md.tpl rename to readme_source.md index 96fa229..163578d 100644 --- a/README.md.tpl +++ b/readme_source.md @@ -1,9 +1,3 @@ -# {{ name }} -## {{ integration_type | capitalize }} - -{{ description }} - -*** # Introduction This AnyGateway plug-in enables issuance, revocation, and synchronization of certificates from GlobalSign's Managed SSL/TLS offering. From f3688fbc1522f498ae0a5fc7889df95373d48bca Mon Sep 17 00:00:00 2001 From: Michael Henderson Date: Mon, 19 Sep 2022 16:22:51 -0700 Subject: [PATCH 09/29] add catalog build to manifest --- integration-manifest.json | 1 + 1 file changed, 1 insertion(+) diff --git a/integration-manifest.json b/integration-manifest.json index 1a0b680..80517a2 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -3,6 +3,7 @@ "integration_type": "ca-gateway", "name": "GlobalSign Managed SSL AnyGateway", "status": "production", + "update_catalog": true, "link_github": false, "description": "This integration allows for the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center." } \ No newline at end of file From b9e73cdd1dcd189f618237825984baccbb808e07 Mon Sep 17 00:00:00 2001 From: David Galey Date: Tue, 20 Sep 2022 14:33:28 -0400 Subject: [PATCH 10/29] Readme fix --- README.md.tpl | 170 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 170 insertions(+) create mode 100644 README.md.tpl 
diff --git a/README.md.tpl b/README.md.tpl new file mode 100644 index 0000000..37e6cc4 --- /dev/null +++ b/README.md.tpl 
@@ -0,0 +1,170 @@ +# {{ name }} +## {{ integration_type | capitalize }} + +{{ description }} + +*** +## Introduction +This AnyGateway plug enables issuance, revocation, and synchronization of certificates from GlobalSign's Managed SSL/TLS offering. +## Prerequisites + +### Certificate Chain + +In order to enroll for certificates the Keyfactor Command server must trust the trust chain. Once you create your Root and/or Subordinate CA, make sure to import the certificate chain into the AnyGateway and Command Server certificate store + +### API Allow List +The GlobalSign API can filter requested based on IP address. Ensure that appropiate IP address is allowed to make requests to the GlobalSign API. + +### Domain Point of Contact +This AnyGateway plugin uses the contact information of the GCC Domain point of contact when enrolling for certificates. These fields are required to submit and enrollment and must be populated on the Domain's point of contact. This can be found in the GlobalSign Portal in the Manage Domains page. + +### Migration +In the event that a system is being upgraded from the Legacy GlobalSign CA Gateway (19.4 or older), a migration from the legacy database format to the AnyGateway format will be required. + +To begin the migration process, copy the GlobalSignEsentMigrator.dll to the Program Files\Keyfactor\Keyfactor AnyGateway directory. Afterwardsm, the DatabaseManagementConsole.exe.config will need to be updated to reference the GlobalSignEsentMigrator. This is one by modifying the mapping for the IDatabaseMigrator inteface in the config file. 
+```xml + +``` + + +## Install +* Download latest successful build from [GitHub Releases](/releases/latest) + +* Copy GloabalSignCAProxy.dll to the Program Files\Keyfactor\Keyfactor AnyGateway directory + +* Update the CAProxyServer.config file + * Update the CAConnection section to point at the GloabalSignCAProxy class + ```xml + + ``` + +## Configuration +The following sections will breakdown the required configurations for the AnyGatewayConfig.json file that will be imported to configure the AnyGateway. + +### Templates +The Template section will map the CA's SSL profile to an AD template. The Lifetime parameter is required and represents the certificate duration in months. + ```json + "Templates": { + "WebServer": { + "ProductID": "PEV", + "Parameters": { + "Lifetime":"12" + } + } +} + ``` + The following product codes are supported: + * Extended SSL SHA 256 (PEV_SHA2) + * Organizational SSL SHA 256 (PV_SHA2) + * Intranet SSL SHA 1 (PV_INTRA) + * Intranet SSL SHA 2 (PV_INTRA_SHA2) + * Intranet SSL SHA 256 ECDSA (PV_INTRA_ECCP256) + * Cloud SSL SHA 256 (PV_CLOUD) + * Cloud SSL SHA 256 ECDSA (PV_CLOUD_ECC2) + + +### Security +The security section does not change specifically for the Entrust CA Gateway. Refer to the AnyGateway Documentation for more detail. +```json + /*Grant permissions on the CA to users or groups in the local domain. + READ: Enumerate and read contents of certificates. + ENROLL: Request certificates from the CA. + OFFICER: Perform certificate functions such as issuance and revocation. This is equivalent to "Issue and Manage" permission on the Microsoft CA. + ADMINISTRATOR: Configure/reconfigure the gateway. 
+ Valid permission settings are "Allow", "None", and "Deny".*/ + "Security": { + "Keyfactor\\Administrator": { + "READ": "Allow", + "ENROLL": "Allow", + "OFFICER": "Allow", + "ADMINISTRATOR": "Allow" + }, + "Keyfactor\\gateway_test": { + "READ": "Allow", + "ENROLL": "Allow", + "OFFICER": "Allow", + "ADMINISTRATOR": "Allow" + }, + "Keyfactor\\SVC_TimerService": { + "READ": "Allow", + "ENROLL": "Allow", + "OFFICER": "Allow", + "ADMINISTRATOR": "None" + }, + "Keyfactor\\SVC_AppPool": { + "READ": "Allow", + "ENROLL": "Allow", + "OFFICER": "Allow", + "ADMINISTRATOR": "Allow" + } + } +``` +### CerificateManagers +The Certificate Managers section is optional. + If configured, all users or groups granted OFFICER permissions under the Security section + must be configured for at least one Template and one Requester. + Uses "" to specify all templates. Uses "Everyone" to specify all requesters. + Valid permission values are "Allow" and "Deny". +```json + "CertificateManagers":{ + "DOMAIN\\Username":{ + "Templates":{ + "MyTemplateShortName":{ + "Requesters":{ + "Everyone":"Allow", + "DOMAIN\\Groupname":"Deny" + } + }, + "":{ + "Requesters":{ + "Everyone":"Allow" + } + } + } + } + } +``` +### CAConnection +The CA Connection section will determine the API endpoint and configuration data used to connect to GlobalSign MSSL API. +* ```IsTest``` +This determines if the test API endpoints are used with the Gateway. +* ```PickupRetries``` +This is the number of times the AnyGateway will attempt to pickup an new certificate before reporting an error. This setting applies to new, renewed, or reissued certificates. +* ```PickupDelay``` +This is the number of seconds between retries when attempting to download a certificate. 
+* ```Username``` +This is the username that will be used to connect to the GloabalSign API +* ```Password``` +This is the password that will be used to connect to the GloabalSign API + +```json + "CAConnection": { + "IsTest":"false", + "PickupRetries":5, + "PickupDelay":150, + "Username":"PAR12344_apiuser", + "Password":"password" + }, +``` +### GatewayRegistration +There are no specific Changes for the GatewayRegistration section. Refer to the Refer to the AnyGateway Documentation for more detail. +```json + "GatewayRegistration": { + "LogicalName": "GlobalsSignCASandbox", + "GatewayCertificate": { + "StoreName": "CA", + "StoreLocation": "LocalMachine", + "Thumbprint": "bc6d6b168ce5c08a690c15e03be596bbaa095ebf" + } + } +``` + +### ServiceSettings +There are no specific Changes for the GatewayRegistration section. Refer to the Refer to the AnyGateway Documentation for more detail. +```json + "ServiceSettings": { + "ViewIdleMinutes": 8, + "FullScanPeriodHours": 24, + "PartialScanPeriodMinutes": 240 + } +``` \ No newline at end of file From 321ee872732f5f14b34e1055873ea229a06c0e5f Mon Sep 17 00:00:00 2001 From: David Galey Date: Tue, 20 Sep 2022 14:36:46 -0400 Subject: [PATCH 11/29] readme fix --- globalsign-mssl-cagateway.sln | 91 ++++++++++++++++++----------------- readme_source.md | 6 +-- 2 files changed, 49 insertions(+), 48 deletions(-) diff --git a/globalsign-mssl-cagateway.sln b/globalsign-mssl-cagateway.sln index 1ee891c..2340dd0 100644 --- a/globalsign-mssl-cagateway.sln +++ b/globalsign-mssl-cagateway.sln 
@@ -1,45 +1,46 @@ - -Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio Version 16 -VisualStudioVersion = 16.0.31129.286 -MinimumVisualStudioVersion = 10.0.40219.1 -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GlobalSignCAProxy", "src\GlobalSignCAProxy\GlobalSignCAProxy.csproj", "{8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GlobalSignCAProxyTests", "tests\GlobalSignCAProxyTests\GlobalSignCAProxyTests.csproj", "{4AFA9664-CBC2-4116-A7F9-13667CAA0D5A}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GlobalSignEsentMigrator", "src\GlobalSignEsentMigrator\GlobalSignEsentMigrator.csproj", "{1614CAC6-6CB6-4BCF-A758-186FD53ACF42}" -EndProject -Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{D6E8054B-47A1-46F9-AC37-1650406414D5}" - ProjectSection(SolutionItems) = preProject - CHANGELOG.md = CHANGELOG.md - integration-manifest.json = integration-manifest.json - .github\workflows\keyfactor-extension-generate-readme.yml = .github\workflows\keyfactor-extension-generate-readme.yml - .github\workflows\keyfactor-extension-release.yml = .github\workflows\keyfactor-extension-release.yml - README.md.tpl = README.md.tpl - EndProjectSection -EndProject -Global - GlobalSection(SolutionConfigurationPlatforms) = preSolution - Debug|Any CPU = Debug|Any CPU - Release|Any CPU = Release|Any CPU - EndGlobalSection - GlobalSection(ProjectConfigurationPlatforms) = postSolution - {8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}.Debug|Any CPU.Build.0 = Debug|Any CPU - {8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}.Release|Any CPU.ActiveCfg = Release|Any CPU - {8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}.Release|Any CPU.Build.0 = Release|Any CPU - {4AFA9664-CBC2-4116-A7F9-13667CAA0D5A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {4AFA9664-CBC2-4116-A7F9-13667CAA0D5A}.Debug|Any CPU.Build.0 = 
Debug|Any CPU - {4AFA9664-CBC2-4116-A7F9-13667CAA0D5A}.Release|Any CPU.ActiveCfg = Release|Any CPU - {1614CAC6-6CB6-4BCF-A758-186FD53ACF42}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {1614CAC6-6CB6-4BCF-A758-186FD53ACF42}.Debug|Any CPU.Build.0 = Debug|Any CPU - {1614CAC6-6CB6-4BCF-A758-186FD53ACF42}.Release|Any CPU.ActiveCfg = Release|Any CPU - {1614CAC6-6CB6-4BCF-A758-186FD53ACF42}.Release|Any CPU.Build.0 = Release|Any CPU - EndGlobalSection - GlobalSection(SolutionProperties) = preSolution - HideSolutionNode = FALSE - EndGlobalSection - GlobalSection(ExtensibilityGlobals) = postSolution - SolutionGuid = {BFD6977D-A793-4130-A8E1-EEFCA6AA88AC} - EndGlobalSection -EndGlobal + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.31129.286 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GlobalSignCAProxy", "src\GlobalSignCAProxy\GlobalSignCAProxy.csproj", "{8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GlobalSignCAProxyTests", "tests\GlobalSignCAProxyTests\GlobalSignCAProxyTests.csproj", "{4AFA9664-CBC2-4116-A7F9-13667CAA0D5A}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GlobalSignEsentMigrator", "src\GlobalSignEsentMigrator\GlobalSignEsentMigrator.csproj", "{1614CAC6-6CB6-4BCF-A758-186FD53ACF42}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{D6E8054B-47A1-46F9-AC37-1650406414D5}" + ProjectSection(SolutionItems) = preProject + CHANGELOG.md = CHANGELOG.md + integration-manifest.json = integration-manifest.json + .github\workflows\keyfactor-extension-generate-readme.yml = .github\workflows\keyfactor-extension-generate-readme.yml + .github\workflows\keyfactor-extension-release.yml = .github\workflows\keyfactor-extension-release.yml + README.md.tpl = README.md.tpl + readme_source.md = readme_source.md + EndProjectSection 
+EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Release|Any CPU = Release|Any CPU + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}.Debug|Any CPU.Build.0 = Debug|Any CPU + {8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}.Release|Any CPU.ActiveCfg = Release|Any CPU + {8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}.Release|Any CPU.Build.0 = Release|Any CPU + {4AFA9664-CBC2-4116-A7F9-13667CAA0D5A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {4AFA9664-CBC2-4116-A7F9-13667CAA0D5A}.Debug|Any CPU.Build.0 = Debug|Any CPU + {4AFA9664-CBC2-4116-A7F9-13667CAA0D5A}.Release|Any CPU.ActiveCfg = Release|Any CPU + {1614CAC6-6CB6-4BCF-A758-186FD53ACF42}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {1614CAC6-6CB6-4BCF-A758-186FD53ACF42}.Debug|Any CPU.Build.0 = Debug|Any CPU + {1614CAC6-6CB6-4BCF-A758-186FD53ACF42}.Release|Any CPU.ActiveCfg = Release|Any CPU + {1614CAC6-6CB6-4BCF-A758-186FD53ACF42}.Release|Any CPU.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {BFD6977D-A793-4130-A8E1-EEFCA6AA88AC} + EndGlobalSection +EndGlobal diff --git a/readme_source.md b/readme_source.md index 163578d..97d25ce 100644 --- a/readme_source.md +++ b/readme_source.md @@ -123,7 +123,7 @@ The Certificate Managers section is optional. } ``` ## CAConnection -The CA Connection section will determine the API endpoint and configuration data used to connect to Entrust CA Gateway. +The CA Connection section will determine the API endpoint and configuration data used to connect to GlobalSign MSSL API. * ```IsTest``` This determines if the test API endpoints are used with the Gateway. * ```PickupRetries``` 
@@ -131,9 +131,9 @@ This is the number of times the AnyGateway will attempt to pickup an new certifi * ```PickupDelay``` This is the number of seconds between retries when attempting to download a certificate. * ```Username``` -This is the username that will be used to connect to the GloabalSign API +This is the username that will be used to connect to the GlobalSign API * ```Password``` -This is the password that will be used to connect to the GloabalSign API +This is the password that will be used to connect to the GlobalSign API ```json "CAConnection": { From 2c7b6645ad37e72fe0e47ac4875d055266b704c7 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 20 Sep 2022 18:37:28 +0000 Subject: [PATCH 12/29] Update generated README --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e76c96d..43f2092 100644 --- a/README.md +++ b/README.md @@ -140,7 +140,7 @@ The Certificate Managers section is optional. } ``` ## CAConnection -The CA Connection section will determine the API endpoint and configuration data used to connect to Entrust CA Gateway. +The CA Connection section will determine the API endpoint and configuration data used to connect to GlobalSign MSSL API. * ```IsTest``` This determines if the test API endpoints are used with the Gateway. * ```PickupRetries``` @@ -148,9 +148,9 @@ This is the number of times the AnyGateway will attempt to pickup an new certifi * ```PickupDelay``` This is the number of seconds between retries when attempting to download a certificate. * ```Username``` -This is the username that will be used to connect to the GloabalSign API +This is the username that will be used to connect to the GlobalSign API * ```Password``` -This is the password that will be used to connect to the GloabalSign API +This is the password that will be used to connect to the GlobalSign API ```json "CAConnection": { From ae40a3133b1d3f3fb53da4ad11a203793b5aae20 Mon Sep 17 00:00:00 2001 
From: Mikey Henderson Date: Fri, 30 Sep 2022 16:57:50 -0700 Subject: [PATCH 13/29] add support statement (#19) * add support statement * Update generated README --- README.md | 9 +++++++++ integration-manifest.json | 1 + 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index 43f2092..58b84a1 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,15 @@ This repository contains an AnyGateway CA Connector, which is a plugin to the Ke --- +## Support for GlobalSign Managed SSL AnyGateway + +GlobalSign Managed SSL AnyGateway is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. + +###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. +___ + + + --- diff --git a/integration-manifest.json b/integration-manifest.json index 80517a2..6effc41 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -5,5 +5,6 @@ "status": "production", "update_catalog": true, "link_github": false, + "support_level": "kf-supported", "description": "This integration allows for the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center." } \ No newline at end of file From 2796a41f8aff9ea53fe3d8bfc5028a0b3bf5bcff Mon Sep 17 00:00:00 2001 From: David Galey Date: Thu, 3 Nov 2022 14:14:54 -0400 Subject: [PATCH 14/29] update readme with better migration instructions --- readme_source.md | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/readme_source.md b/readme_source.md index 97d25ce..8a77d78 100644 --- a/readme_source.md +++ b/readme_source.md 
@@ -16,13 +16,23 @@ The GlobalSign API can filter requested based on IP address. Ensure that approp ## Domain Point of Contact This AnyGateway plugin uses the contact information of the GCC Domain point of contact when enrolling for certificates. These fields are required to submit and enrollment and must be populated on the Domain's point of contact. This can be found in the GlobalSign Portal in the Manage Domains page. -### Migration +## Migration In the event that a system is being upgraded from the Legacy GlobalSign CA Gateway (19.4 or older), a migration from the legacy database format to the AnyGateway format will be required. -To begin the migration process, copy the GlobalSignEsentMigrator.dll to the Program Files\Keyfactor\Keyfactor AnyGateway directory. Afterwards, the DatabaseManagementConsole.exe.config will need to be updated to reference the GlobalSignEsentMigrator. This is done by modifying the mapping for the IDatabaseMigrator inteface in the config file. +Database migration requires version 21.10 of the Keyfactor AnyGateway Framework (newer versions remove the migration capability). + +To succesfully migrate and upgrade your GlobalSign CA Gateway, follow these steps: +1. Install Keyfactor AnyGateway Framework 21.10 +2. Follow the steps below in the Install section to copy over the GlobalSignCAProxy.dll, but do NOT configure the gateway yet. +3. Additionally, copy over the GlobalSignEsentMigrator.dll file to the Program Files\Keyfactor\Keyfactor AnyGateway directory +4. Modify the DatabaseManagementConsole.exe.config file to update the IDatabaseMigrator definition: ```xml - -``` + +``` +5. Create your new database and use the appropriate cmdlets you configure the gateway's database connection (see AnyGateway documentation for details) +6. Use the DatabaseManagementConsole.exe migrate verb to migrate your ESENT database into the new SQL database (see AnyGateway documentation, or run 'DatabaseManagementConsole.exe help migrate' for details) +7. 
Once the database has been migrated, you can run the actual gateway configuration cmdlet to configure your gateway. +8. Optional: You can now upgrade to the latest version of the AnyGateway Framework if you wish (if you do so, after upgrading, make sure to run the DatabaseManagementConsole.exe with the upgrade verb to upgrade your database to the latest) # Install From 22cce50c47533af225069594e6a3ea1c325d3677 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Thu, 3 Nov 2022 18:15:30 +0000 Subject: [PATCH 15/29] Update generated README --- README.md | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 58b84a1..89cf383 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,6 @@ This integration allows for the Synchronization, Enrollment, and Revocation of T This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. ---- ## Support for GlobalSign Managed SSL AnyGateway @@ -21,9 +20,6 @@ ___ - ---- - # Introduction This AnyGateway plug-in enables issuance, revocation, and synchronization of certificates from GlobalSign's Managed SSL/TLS offering. 
@@ -42,13 +38,23 @@ The GlobalSign API can filter requested based on IP address. Ensure that approp ## Domain Point of Contact This AnyGateway plugin uses the contact information of the GCC Domain point of contact when enrolling for certificates. These fields are required to submit and enrollment and must be populated on the Domain's point of contact. This can be found in the GlobalSign Portal in the Manage Domains page. -### Migration +## Migration In the event that a system is being upgraded from the Legacy GlobalSign CA Gateway (19.4 or older), a migration from the legacy database format to the AnyGateway format will be required. -To begin the migration process, copy the GlobalSignEsentMigrator.dll to the Program Files\Keyfactor\Keyfactor AnyGateway directory. Afterwards, the DatabaseManagementConsole.exe.config will need to be updated to reference the GlobalSignEsentMigrator. This is done by modifying the mapping for the IDatabaseMigrator inteface in the config file. +Database migration requires version 21.10 of the Keyfactor AnyGateway Framework (newer versions remove the migration capability). + +To succesfully migrate and upgrade your GlobalSign CA Gateway, follow these steps: +1. Install Keyfactor AnyGateway Framework 21.10 +2. Follow the steps below in the Install section to copy over the GlobalSignCAProxy.dll, but do NOT configure the gateway yet. +3. Additionally, copy over the GlobalSignEsentMigrator.dll file to the Program Files\Keyfactor\Keyfactor AnyGateway directory +4. Modify the DatabaseManagementConsole.exe.config file to update the IDatabaseMigrator definition: ```xml - -``` + +``` +5. Create your new database and use the appropriate cmdlets you configure the gateway's database connection (see AnyGateway documentation for details) +6. Use the DatabaseManagementConsole.exe migrate verb to migrate your ESENT database into the new SQL database (see AnyGateway documentation, or run 'DatabaseManagementConsole.exe help migrate' for details) +7. 
Once the database has been migrated, you can run the actual gateway configuration cmdlet to configure your gateway. +8. Optional: You can now upgrade to the latest version of the AnyGateway Framework if you wish (if you do so, after upgrading, make sure to run the DatabaseManagementConsole.exe with the upgrade verb to upgrade your database to the latest) # Install From eef911a041752b1350ca75cdedeba636f5cbbe52 Mon Sep 17 00:00:00 2001 From: Mikey Henderson Date: Wed, 16 Nov 2022 11:50:42 -0800 Subject: [PATCH 16/29] add link to public integraions catalog (#20) * add link to public integrations catalog * add secret --- .github/workflows/keyfactor-starter-workflow.yml | 2 ++ integration-manifest.json | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index 7835254..8e6cb0e 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -30,6 +30,8 @@ jobs: call-generate-readme-workflow: if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main + secrets: + token: ${{ secrets.APPROVE_README_PUSH }} call-update-catalog-workflow: needs: get-manifest-properties diff --git a/integration-manifest.json b/integration-manifest.json index 6effc41..b11362e 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -4,7 +4,7 @@ "name": "GlobalSign Managed SSL AnyGateway", "status": "production", "update_catalog": true, - "link_github": false, + "link_github": true, "support_level": "kf-supported", "description": "This integration allows for the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center." } \ No newline at end of file From db8da04ea9b7656dbef17dd2cc34c8ab7becf1d2 Mon Sep 17 00:00:00 2001 
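Review bot: The added `token: ${{ secrets.APPROVE_README_PUSH }}` hands a push-capable secret to a reusable workflow that the context line above references at the mutable `@main` ref, so whatever lands on that branch of Keyfactor/actions runs with this token on every push to this repository. Pin the reusable workflow to an immutable ref and record what the secret is allowed to do next to the job, e.g. `uses: Keyfactor/actions/.github/workflows/generate-readme.yml@<full-commit-sha>` with a comment `# APPROVE_README_PUSH: <scope of the token — document here>`. The `call-update-catalog-workflow` job that follows is called the same way (its `uses:` line is outside this hunk), so the same pinning applies there.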
From: David Galey Date: Wed, 16 Nov 2022 14:59:02 -0500 Subject: [PATCH 17/29] update changelog --- CHANGELOG.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6163096..b894178 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,2 +1,20 @@ 1.0.0 -Inital Release. Support for Enroll, Sync, and Revocation. \ No newline at end of file +Inital Release. Support for Enroll, Sync, and Revocation. + +1.0.5 +Fix bug where certain domains would not get parsed correctly. + +1.0.9 +Use DNS SAN in place of CN if present for domain lookup and enrollment + +1.0.10 +Add additional logging output + +1.0.11 +Convert GlobalSign status codes to Keyfactor status codes for syncing + +1.0.12 +Fix authentication bug when picking up certificates + +1.0.15 +Better datetime parsing of returned certificates \ No newline at end of file From f428e61455997d272e5155c18e8a93110316a6fb Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Thu, 11 Jan 2024 18:44:04 +0000 Subject: [PATCH 18/29] Update generated README --- README.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 89cf383..1f84bae 100644 --- a/README.md +++ b/README.md 
@@ -4,20 +4,29 @@ This integration allows for the Synchronization, Enrollment, and Revocation of T #### Integration status: Production - Ready for use in production environments. + ## About the Keyfactor AnyGateway CA Connector This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. - ## Support for GlobalSign Managed SSL AnyGateway -GlobalSign Managed SSL AnyGateway is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. +GlobalSign Managed SSL AnyGateway is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. -___ +--- + + + + + + + + +--- # Introduction From ebd484039fa2f4994e2e6acbe288b697053e71b5 Mon Sep 17 00:00:00 2001 From: David Galey Date: Thu, 18 Jan 2024 12:09:09 -0500 Subject: [PATCH 19/29] Apply all sans to enrollment request --- .../Api/GlobalSignEnrollRequest.cs | 224 +++++++++--------- src/GlobalSignCAProxy/GlobalSignCAProxy.cs | 14 +- 2 files changed, 126 insertions(+), 112 deletions(-) diff --git a/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs b/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs index 038cee3..232aa06 100644 --- a/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs +++ b/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs 
@@ -1,112 +1,118 @@ -// Copyright 2021 Keyfactor -// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. -// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions -// and limitations under the License. - -using Keyfactor.Extensions.AnyGateway.GlobalSign.Services.Order; +// Copyright 2021 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. 
+ +using Keyfactor.Extensions.AnyGateway.GlobalSign.Services.Order; + using System.Collections.Generic; namespace Keyfactor.Extensions.AnyGateway.GlobalSign.Api -{ - public class GlobalSignEnrollRequest - { - internal GlobalSignCAConfig Config; - - public GlobalSignEnrollRequest(GlobalSignCAConfig config) - { - Config = config; - } - public string CSR { get; set; } - public string ProductCode { get; set; } - public string CommonName { get; set; } - public string BaseOption - { - get - { - if (!string.IsNullOrEmpty(CommonName)) - { - if (CommonName.StartsWith("*")) - { - return "wildcard"; - } - else - { - return null; - } - } - else - { - return null; - } - } - } - public string OrderKind { get; set; } - public string Licenses { get; set; } - public string Months { get; set; } - public string MsslProfileId { get; set; } - public string MsslDomainId { get; set; } - public string FirstName { get; set; } - public string LastName { get; set; } - public string Phone { get; set; } - public string Email { get; set; } - public List SANs { get; set; } - public PvSealInfo Seal { get; set; } - public MsslEvProfileInfo EVProfile { get; set; } - public BmV2PvOrderRequest Request - { - get - { - BmV2PvOrderRequest request = new BmV2PvOrderRequest(); - request.OrderRequestHeader = new OrderRequestHeader { AuthToken = Config.GetOrderAuthToken() }; - request.MSSLProfileID = MsslProfileId; - request.MSSLDomainID = MsslDomainId; - request.ContactInfo = new ContactInfo - { - FirstName = FirstName, - LastName = LastName, - Phone = Phone, - Email = Email - }; - if (SANs != null) - { - if (SANs.Count > 0) - { - List sans = new List(); - foreach (string item in SANs) - { - SANEntry entry = new SANEntry(); - entry.SubjectAltName = item; - if (item.StartsWith("*")) - { - entry.SubjectAltName = "13"; - } - else - { - entry.SubjectAltName = "7"; - } - } - request.SANEntries = sans.ToArray(); - } - } - ValidityPeriod validityPeriod = new ValidityPeriod(); - validityPeriod.Months = Months; - 
request.OrderRequestParameter = new OrderRequestParameter - { - ProductCode = ProductCode, - OrderKind = OrderKind, - Licenses = Licenses, - CSR = CSR, - ValidityPeriod = validityPeriod - }; - if (!string.IsNullOrEmpty(BaseOption)) - { - request.OrderRequestParameter.BaseOption = BaseOption; - } - - return request; - } - } - } -} +{ + public class GlobalSignEnrollRequest + { + internal GlobalSignCAConfig Config; + + public GlobalSignEnrollRequest(GlobalSignCAConfig config) + { + Config = config; + } + + public string CSR { get; set; } + public string ProductCode { get; set; } + public string CommonName { get; set; } + + public string BaseOption + { + get + { + if (!string.IsNullOrEmpty(CommonName)) + { + if (CommonName.StartsWith("*")) + { + return "wildcard"; + } + else + { + return null; + } + } + else + { + return null; + } + } + } + + public string OrderKind { get; set; } + public string Licenses { get; set; } + public string Months { get; set; } + public string MsslProfileId { get; set; } + public string MsslDomainId { get; set; } + public string FirstName { get; set; } + public string LastName { get; set; } + public string Phone { get; set; } + public string Email { get; set; } + public List SANs { get; set; } + public PvSealInfo Seal { get; set; } + public MsslEvProfileInfo EVProfile { get; set; } + + public BmV2PvOrderRequest Request + { + get + { + BmV2PvOrderRequest request = new BmV2PvOrderRequest(); + request.OrderRequestHeader = new OrderRequestHeader { AuthToken = Config.GetOrderAuthToken() }; + request.MSSLProfileID = MsslProfileId; + request.MSSLDomainID = MsslDomainId; + request.ContactInfo = new ContactInfo + { + FirstName = FirstName, + LastName = LastName, + Phone = Phone, + Email = Email + }; + if (SANs != null) + { + if (SANs.Count > 0) + { + List sans = new List(); + foreach (string item in SANs) + { + SANEntry entry = new SANEntry(); + entry.SubjectAltName = item; + if (item.StartsWith("*")) + { + entry.SubjectAltName = "13"; + } + else + { 
+ entry.SubjectAltName = "7"; + } + sans.Add(entry); + } + request.SANEntries = sans.ToArray(); + } + } + ValidityPeriod validityPeriod = new ValidityPeriod(); + validityPeriod.Months = Months; + request.OrderRequestParameter = new OrderRequestParameter + { + ProductCode = ProductCode, + OrderKind = OrderKind, + Licenses = Licenses, + CSR = CSR, + ValidityPeriod = validityPeriod + }; + if (!string.IsNullOrEmpty(BaseOption)) + { + request.OrderRequestParameter.BaseOption = BaseOption; + } + + return request; + } + } + } +} \ No newline at end of file diff --git a/src/GlobalSignCAProxy/GlobalSignCAProxy.cs b/src/GlobalSignCAProxy/GlobalSignCAProxy.cs index c49c955..2b7939d 100644 --- a/src/GlobalSignCAProxy/GlobalSignCAProxy.cs +++ b/src/GlobalSignCAProxy/GlobalSignCAProxy.cs @@ -82,9 +82,9 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe { Logger.Warn("Subject is missing a CN value. Using SAN domain lookup instead"); } + var sanDict = new Dictionary(san, StringComparer.OrdinalIgnoreCase); if (commonName == null) { - var sanDict = new Dictionary(san, StringComparer.OrdinalIgnoreCase); foreach (string dnsSan in sanDict["dns"]) { var tempDomain = validDomains.Where(d => dnsSan.EndsWith(d.DomainName, StringComparison.OrdinalIgnoreCase)).FirstOrDefault(); @@ -112,6 +112,12 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe var months = productInfo.ProductParameters["Lifetime"]; Logger.Debug($"Using validity: {months} months."); + List sanList = new List(); + foreach (string dnsSan in sanDict["dns"]) + { + sanList.Add(dnsSan); + } + var productType = GlobalSignCertType.AllTypes.Where(x => x.ProductCode.Equals(productInfo.ProductID, StringComparison.InvariantCultureIgnoreCase)).FirstOrDefault(); CAConnectorCertificate priorCert = null; 
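Review bot: In the `foreach (string item in SANs)` loop of the `Request` getter, `entry.SubjectAltName = item;` is immediately overwritten with `"13"` or `"7"`, so each entry carries a type code instead of the host name, and the commit's new `sans.Add(entry);` now ships that broken entry to GlobalSign instead of silently dropping it as the old code did. The code belongs in the entry's SAN option/type field (in the GlobalSign order schema this appears to be `SANOptionType` — confirm against the generated `SANEntry` type), e.g. `entry.SubjectAltName = item;` followed by `entry.SANOptionType = item.StartsWith("*", StringComparison.Ordinal) ? "13" : "7";`. Both `StartsWith("*")` calls, here and in `BaseOption`, are culture-sensitive and should pass `StringComparison.Ordinal`. The hunk also rewrites every line of the file (apparently a line-ending change), which hides the one-line fix; a separate whitespace-only commit would keep the review diff readable.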
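Review bot: The new `foreach (string dnsSan in sanDict["dns"])` in the `@@ -112` hunk indexes the dictionary unconditionally, so a request whose SAN set has no `dns` key (a CSR with only a CN, or with non-DNS names) throws `KeyNotFoundException` before enrollment is attempted, whereas the existing loop in the `@@ -82` hunk only runs when `commonName == null`. Use the try pattern and let the list stay empty: `List<string> sanList = sanDict.TryGetValue("dns", out var dnsSans) ? dnsSans.ToList() : new List<string>();`. Whether `dnsSans` enumerates as strings depends on the `san` parameter's value type, which is declared in the `Enroll` signature outside this hunk. The reissue path in the `@@ -167` hunk does not receive `SANs = sanList`; if that is deliberate because a reissue reuses the original order's names, a one-line comment there would save the next reader from asking.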
@@ -134,6 +140,7 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe Phone = domain?.ContactInfo?.Phone, CommonName = commonName, ProductCode = productType.ProductCode, + SANs = sanList, }; return apiClient.Enroll(request); @@ -156,7 +163,8 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe Phone = domain?.ContactInfo?.Phone, CommonName = commonName, ProductCode = productType.ProductCode, - RenewalTargetOrderId = priorCert.CARequestID + RenewalTargetOrderId = priorCert.CARequestID, + SANs = sanList }; return apiClient.Renew(renewRequest); @@ -167,7 +175,7 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe GlobalSignReissueRequest reissueRequest = new GlobalSignReissueRequest(Config) { CSR = csr, - OrderID = priorCert.CARequestID + OrderID = priorCert.CARequestID, }; return apiClient.Reissue(reissueRequest, priorSn); From cfa5c4ac31bf7e6eef550ee972ba22437392e483 Mon Sep 17 00:00:00 2001 From: Dave Galey <89407235+dgaley@users.noreply.github.com> Date: Thu, 18 Jan 2024 12:38:08 -0500 Subject: [PATCH 20/29] Update keyfactor-starter-workflow.yml --- .../workflows/keyfactor-starter-workflow.yml | 54 ++++++------------- 1 file changed, 16 insertions(+), 38 deletions(-) diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index 8e6cb0e..6d8de53 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml 
@@ -1,41 +1,19 @@ -name: Starter Workflow -on: [workflow_dispatch, push, pull_request] +name: Keyfactor Bootstrap Workflow -jobs: - call-create-github-release-workflow: - uses: Keyfactor/actions/.github/workflows/github-release.yml@main - get-manifest-properties: - runs-on: windows-latest - outputs: - update_catalog: ${{ steps.read-json.outputs.prop }} - steps: - - uses: actions/checkout@v3 - - name: Read json - id: read-json - shell: pwsh - run: | - $json = Get-Content integration-manifest.json | ConvertFrom-Json - echo "::set-output name=prop::$(echo $json.update_catalog)" - - call-dotnet-build-and-release-workflow: - needs: [call-create-github-release-workflow] - uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main - with: - release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }} - release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }} - release_dir: globalsign-mssl-cagateway\src\GlobalSignCAProxy\bin\Release - secrets: - token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }} +on: + workflow_dispatch: + pull_request: + types: [opened, closed, synchronize, edited, reopened] + push: + create: + branches: + - 'release-*.*' - call-generate-readme-workflow: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main +jobs: + call-starter-workflow: + uses: keyfactor/actions/.github/workflows/starter.yml@v2 secrets: - token: ${{ secrets.APPROVE_README_PUSH }} - - call-update-catalog-workflow: - needs: get-manifest-properties - if: needs.get-manifest-properties.outputs.update_catalog == 'True' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') - uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main - secrets: - token: ${{ secrets.SDK_SYNC_PAT }} + token: ${{ secrets.V2BUILDTOKEN}} + APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} + gpg_key: ${{ 
secrets.KF_GPG_PRIVATE_KEY }} + gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} From 99e5bfd2fcb7cd6956cc1d1d80eb9197b076373f Mon Sep 17 00:00:00 2001 From: Dave Galey <89407235+dgaley@users.noreply.github.com> Date: Thu, 18 Jan 2024 12:41:34 -0500 Subject: [PATCH 21/29] Update integration-manifest.json --- integration-manifest.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/integration-manifest.json b/integration-manifest.json index b11362e..12f39e0 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -5,6 +5,7 @@ "status": "production", "update_catalog": true, "link_github": true, + "release_dir": "src\\GlobalSignCAProxy\\bin\\Release", "support_level": "kf-supported", "description": "This integration allows for the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center." -} \ No newline at end of file +} From e814199eac4ab88021adaf36620326f2e8e2e479 Mon Sep 17 00:00:00 2001 From: David Galey Date: Tue, 27 Feb 2024 01:15:34 -0500 Subject: [PATCH 22/29] Add logging of enroll request --- .../Api/GlobalSignEnrollRequest.cs | 29 +++++++++---------- .../Client/GlobalSignApiClient.cs | 12 ++++++++ 2 files changed, 26 insertions(+), 15 deletions(-) diff --git a/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs b/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs index 232aa06..57722c8 100644 --- a/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs +++ b/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs 
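Review bot: The reusable workflow is referenced by the mutable tag in `uses: keyfactor/actions/.github/workflows/starter.yml@v2`, and it now receives the GPG signing key and passphrase in addition to the build token, so whichever commit the tag points to at run time gets those secrets; pinning to a full commit SHA with the tag in a trailing comment (`uses: keyfactor/actions/.github/workflows/starter.yml@<commit-sha> # v2`) makes the trusted revision explicit and auditable. The previous workflow had the same exposure through `@main`, so this is not a regression, but the set of secrets handed over is larger now. The expressions `${{ secrets.V2BUILDTOKEN}}` and `${{ secrets.APPROVE_README_PUSH}}` are missing the space before `}}` that the two gpg lines have; it parses either way but should be aligned.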
@@ -1,20 +1,20 @@ -// Copyright 2021 Keyfactor -// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. -// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions -// and limitations under the License. - -using Keyfactor.Extensions.AnyGateway.GlobalSign.Services.Order; +// Copyright 2021 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using Keyfactor.Extensions.AnyGateway.GlobalSign.Services.Order; using System.Collections.Generic; namespace Keyfactor.Extensions.AnyGateway.GlobalSign.Api -{ +{ public class GlobalSignEnrollRequest { internal GlobalSignCAConfig Config; - + public GlobalSignEnrollRequest(GlobalSignCAConfig config) { Config = config; @@ -85,13 +85,12 @@ public BmV2PvOrderRequest Request entry.SubjectAltName = item; if (item.StartsWith("*")) { - entry.SubjectAltName = "13"; + entry.SANOptionType = "13"; } else { - entry.SubjectAltName = "7"; - } - sans.Add(entry); + entry.SANOptionType = "7"; + } } request.SANEntries = sans.ToArray(); } @@ -110,7 +109,7 @@ public BmV2PvOrderRequest Request { request.OrderRequestParameter.BaseOption = BaseOption; } - + return request; } } 
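Review bot: The hunk at @@ -85,13 +85,12 drops `sans.Add(entry);` while renaming the option field, so every `SANEntry` built in the loop is discarded and `request.SANEntries` is always an empty array after this commit; PATCH 26 on this page restores the line, but the rename and the fix belong in one commit backed by a test that asserts the SAN count survives into `Request`. The first hunk at @@ -1,20 rewrites the license header and `using` lines without changing their text, which looks like a line-ending (CRLF/LF) flip; a `.gitattributes` entry such as `* text=auto` would keep that churn out of future diffs. `"13"` and `"7"` are bare magic strings for the GlobalSign SANOptionType; naming them, e.g. `private const string SanOptionWildcard = "13";` and `private const string SanOptionFqdn = "7";`, would make the mapping readable. The `Request` getter starts outside the hunk.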
diff --git a/src/GlobalSignCAProxy/Client/GlobalSignApiClient.cs b/src/GlobalSignCAProxy/Client/GlobalSignApiClient.cs
index 3cfe28d..f84dbb0 100644
--- a/src/GlobalSignCAProxy/Client/GlobalSignApiClient.cs
+++ b/src/GlobalSignCAProxy/Client/GlobalSignApiClient.cs
@@ -257,6 +257,18 @@ public EnrollmentResult Enroll(GlobalSignEnrollRequest enrollRequest)
 Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug);
 using (this.OrderService)
 {
+ var rawRequest = enrollRequest.Request;
+ Logger.Trace($"Request details:");
+ Logger.Trace($"Profile ID: {rawRequest.MSSLProfileID}");
+ Logger.Trace($"Domain ID: {rawRequest.MSSLDomainID}");
+ Logger.Trace($"Contact Info: {rawRequest.ContactInfo.FirstName}, {rawRequest.ContactInfo.LastName}, {rawRequest.ContactInfo.Email}, {rawRequest.ContactInfo.Phone}");
+ Logger.Trace($"SAN Count: {rawRequest.SANEntries.Count()}");
+ if (rawRequest.SANEntries.Count() > 0)
+ {
+ Logger.Trace($"SANs: {string.Join(",", rawRequest.SANEntries.Select(s => s.SubjectAltName))}");
+ }
+ Logger.Trace($"Product Code: {rawRequest.OrderRequestParameter.ProductCode}");
+ Logger.Trace($"Order Kind: {rawRequest.OrderRequestParameter.OrderKind}");
 var response = OrderService.PVOrder(enrollRequest.Request);
 if (response.OrderResponseHeader.SuccessCode == 0)
 {
From 5697c60dc1908d51b74caa34ce0a173c48277d00 Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Tue, 27 Feb 2024 06:15:38 +0000
Subject: [PATCH 23/29] Update generated README
---
 README.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 1f84bae..3863234 100644
--- a/README.md
+++ b/README.md
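Review bot: `rawRequest.SANEntries.Count()` throws for an order with no SANs, because the `Request` getter in GlobalSignEnrollRequest.cs (visible earlier on this page) assigns `SANEntries` only when the SAN list is non-empty and leaves it null otherwise, and LINQ's `Count()` on a null source throws ArgumentNullException, so enrollment without SANs now fails inside the trace logging; use `Logger.Trace($"SAN Count: {rawRequest.SANEntries?.Length ?? 0}");` and `if (rawRequest.SANEntries?.Length > 0)`. `enrollRequest.Request` is a property that builds a fresh BmV2PvOrderRequest on every read, so the object that is logged is not the one handed to `OrderService.PVOrder(enrollRequest.Request)`; passing `rawRequest` there makes the trace describe the order actually sent and avoids building it twice. The contact name, email and phone are personal data written at Trace level, which is presumably disabled in production; the auth token in `OrderRequestHeader` is rightly left out of the trace and should stay that way. Enroll's body continues outside the hunk.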
@@ -1,21 +1,22 @@ + # GlobalSign Managed SSL AnyGateway This integration allows for the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center. #### Integration status: Production - Ready for use in production environments. - ## About the Keyfactor AnyGateway CA Connector This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. - ## Support for GlobalSign Managed SSL AnyGateway GlobalSign Managed SSL AnyGateway is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. +--- + --- @@ -23,6 +24,11 @@ GlobalSign Managed SSL AnyGateway is supported by Keyfactor for Keyfactor custom +## Keyfactor AnyGateway Framework Supported + +This gateway was compiled against version of the AnyGateway Framework. You will need at least this version of the AnyGateway Framework Installed. If you have a later AnyGateway Framework Installed you will probably need to add binding redirects in the CAProxyServer.exe.config file to make things work properly. + +[Keyfactor CAGateway Install Guide](https://software.keyfactor.com/Guides/AnyGateway_Generic/Content/AnyGateway/Introduction.htm) From 5697c60dc1908d51b74caa34ce0a173c48277d00 Mon Sep 17 00:00:00 2001 From: David Galey Date: Wed, 17 Apr 2024 11:01:11 -0400 Subject: [PATCH 24/29] Add SAN logging --- src/GlobalSignCAProxy/GlobalSignCAProxy.cs | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
diff --git a/src/GlobalSignCAProxy/GlobalSignCAProxy.cs b/src/GlobalSignCAProxy/GlobalSignCAProxy.cs index 2b7939d..4c261d9 100644 --- a/src/GlobalSignCAProxy/GlobalSignCAProxy.cs +++ b/src/GlobalSignCAProxy/GlobalSignCAProxy.cs @@ -19,11 +19,15 @@ using Newtonsoft.Json; +using Org.BouncyCastle.Crypto.Tls; + using System; using System.Collections.Concurrent; using System.Collections.Generic; using System.Linq; +using System.Text; using System.Threading; +using System.Web.Services.Configuration; namespace Keyfactor.Extensions.AnyGateway.GlobalSign { @@ -82,7 +86,21 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe { Logger.Warn("Subject is missing a CN value. Using SAN domain lookup instead"); } + StringBuilder rawSanList = new StringBuilder(); + rawSanList.Append("Raw SAN List:\n"); + foreach (var sanType in san.Keys) + { + rawSanList.Append($"SAN Type: {sanType}. Values: "); + foreach (var indivSan in san[sanType]) + { + rawSanList.Append($"{indivSan},"); + } + rawSanList.Append('\n'); + } + Logger.Trace(rawSanList.ToString()); + var sanDict = new Dictionary(san, StringComparer.OrdinalIgnoreCase); + Logger.Trace($"DNS SAN Count: {sanDict["dns"].Count()}"); if (commonName == null) { foreach (string dnsSan in sanDict["dns"]) From 16924822df090e52db04cdf6aef1cfb8007bf0d3 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 17 Apr 2024 15:01:20 +0000 Subject: [PATCH 25/29] Update generated README --- README.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3863234..450b1d8 100644 --- a/README.md +++ b/README.md 
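Review bot: The `using` hunk at @@ -19,11 adds `Org.BouncyCastle.Crypto.Tls` and `System.Web.Services.Configuration`, but nothing in the second hunk uses either namespace — only `System.Text` is needed for the StringBuilder — so they look like IDE auto-imports and should be dropped (the BouncyCastle TLS namespace in particular invites type-name clashes). The new `Logger.Trace($"DNS SAN Count: {sanDict["dns"].Count()}")` indexes the dictionary without checking the key, the same KeyNotFoundException risk as the existing `sanDict["dns"]` loops in this method; guard it with `sanDict.TryGetValue("dns", out var dnsSans)` and log `dnsSans?.Length ?? 0`. The nested append loop can be `rawSanList.Append($"SAN Type: {sanType}. Values: {string.Join(",", san[sanType])}\n");`, which also removes the trailing comma the current loop leaves after the last value. Enroll's body starts and ends outside the hunk.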
@@ -5,9 +5,9 @@ This integration allows for the Synchronization, Enrollment, and Revocation of T #### Integration status: Production - Ready for use in production environments. -## About the Keyfactor AnyGateway CA Connector +## About the Keyfactor AnyCA Gateway DCOM Connector -This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. +This repository contains an AnyCA Gateway Connector, which is a plugin to the Keyfactor AnyGateway. AnyCA Gateway Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. ## Support for GlobalSign Managed SSL AnyGateway 
@@ -24,9 +24,14 @@ GlobalSign Managed SSL AnyGateway is supported by Keyfactor for Keyfactor custom -## Keyfactor AnyGateway Framework Supported +## Keyfactor AnyCA Gateway Framework Supported +The Keyfactor gateway framework implements common logic shared across various gateway implementations and handles communication with Keyfactor Command. The gateway framework hosts gateway implementations or plugins that understand how to communicate with specific CAs. This allows you to integrate your third-party CAs with Keyfactor Command such that they behave in a manner similar to the CAs natively supported by Keyfactor Command. + + + + +This gateway extension was compiled against version of the AnyCA Gateway DCOM Framework. You will need at least this version of the framework Installed. If you have a later AnyGateway Framework Installed you will probably need to add binding redirects in the CAProxyServer.exe.config file to make things work properly. -This gateway was compiled against version of the AnyGateway Framework. You will need at least this version of the AnyGateway Framework Installed. If you have a later AnyGateway Framework Installed you will probably need to add binding redirects in the CAProxyServer.exe.config file to make things work properly. [Keyfactor CAGateway Install Guide](https://software.keyfactor.com/Guides/AnyGateway_Generic/Content/AnyGateway/Introduction.htm) From ba19f0496922e70e16de3d966d19818615912a6c Mon Sep 17 00:00:00 2001 From: David Galey Date: Fri, 19 Apr 2024 12:03:19 -0400 Subject: [PATCH 26/29] add sans properly --- src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs b/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs index 57722c8..e43fe51 100644 --- a/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs +++ b/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs 
@@ -91,6 +91,7 @@ public BmV2PvOrderRequest Request
 {
 entry.SANOptionType = "7";
 }
+ sans.Add(entry);
 }
 request.SANEntries = sans.ToArray();
 }
From 900fd63e3f558ba679afe05b31c5f9178caa2fe8 Mon Sep 17 00:00:00 2001
From: David Galey
Date: Fri, 26 Apr 2024 13:38:15 -0400
Subject: [PATCH 27/29] more san fixes
---
 .../Api/GlobalSignEnrollRequest.cs | 42 +++++++++++++++----
 1 file changed, 33 insertions(+), 9 deletions(-)
diff --git a/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs b/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs
index e43fe51..8a2f0fa 100644
--- a/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs
+++ b/src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs
@@ -1,17 +1,21 @@ -// Copyright 2021 Keyfactor -// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. -// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions -// and limitations under the License. - +// Copyright 2021 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using CSS.Common.Logging; + using Keyfactor.Extensions.AnyGateway.GlobalSign.Services.Order; using System.Collections.Generic; +using System.Linq; +using System.Text; namespace Keyfactor.Extensions.AnyGateway.GlobalSign.Api { - public class GlobalSignEnrollRequest + public class GlobalSignEnrollRequest : LoggingClientBase { internal GlobalSignCAConfig Config; 
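Review bot: Making the request DTO inherit `LoggingClientBase` puts logging inside the `Request` property getter (the next hunk, cut off at the end of the page, appears to be where the inherited `Logger` is used), and since GlobalSignApiClient.Enroll reads `enrollRequest.Request` twice — once for its own trace and once for `PVOrder` — each SAN log line will presumably be emitted twice per enrollment unless the client was changed outside this page. Building the order once, e.g. in a method `public BmV2PvOrderRequest Build()` that the client calls a single time, keeps the getter side-effect free and the log accurate. The license header and `using` block are again rewritten without textual change, which looks like another CRLF/LF flip; a `.gitattributes` entry such as `* text=auto` would keep that churn out of future diffs. `System.Linq` is not needed by the visible code (`sans.ToArray()` is `List<T>.ToArray()`), though the cut-off portion of the file may use it.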
@@ -81,21 +85,40 @@ public BmV2PvOrderRequest Request List sans = new List(); foreach (string item in SANs) { + if (string.Equals(item, CommonName, System.StringComparison.OrdinalIgnoreCase)) + { + Logger.Info($"SAN Entry {item} matches CN, removing from request"); + continue; + } SANEntry entry = new SANEntry(); entry.SubjectAltName = item; + StringBuilder sb = new StringBuilder(); + sb.Append($"Adding SAN entry of type "); if (item.StartsWith("*")) { entry.SANOptionType = "13"; + sb.Append("WILDCARD"); } else { entry.SANOptionType = "7"; + sb.Append("FQDN"); } + sb.Append($" and value {item} to request"); + Logger.Info(sb.ToString()); sans.Add(entry); } request.SANEntries = sans.ToArray(); } } + List