diff --git a/CHANGELOG.md b/CHANGELOG.md index aa79eb0..0696ada 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +v2.8.0 +- Added new custom field - Remove Root Certificate from Chain - to allow adding certificate entries with the root CA certificate removed from the chain. +- Added SSH KeyboardInteractive Authentication support if Password Authentication is not enabled. + v2.7.0 - Modified RFJKS store type support java keystores of both PKCS12 and JKS - Added support for OpenSSH private keys for SSH authentication diff --git a/README.md b/README.md index 1ef294c..af82683 100644 --- a/README.md +++ b/README.md 
@@ -219,7 +219,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b 2. When orchestrating management of local or external certificate stores, the Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer for the user assigned to the certificate store/discovery job. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer. If the certificate store/discovery job is configured for local (agent) access, the account running the Keyfactor Universal Orchestrator service must have access to read/write to the certificate store location, OR the config.json file must be set up to use the alternative upload/download file. -3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. SSH Key Authentication is not available when running locally as an agent. The following private key formats are supported: +3. SSH Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. When using a password, the connection is attempted using SSH Password Authentication. If that fails, Keyboard Interactive Authentication is automatically attempted. 
One or both of these must be enabled on the Linux box being managed. If private key authentication is desired, copy and paste the full SSH private key into the Password textbox (or pointer to the private key if using a PAM provider). Please note that SSH Private Key Authentication is not available when running locally as an agent. The following private key formats are supported: - PKCS#1 (BEGIN RSA PRIVATE KEY) - PKCS#8 (BEGIN PRIVATE KEY) - ECDSA OPENSSH (BEGIN OPENSSH PRIVATE KEY) 
@@ -369,6 +369,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. + - Entry Parameters Tab: 
@@ -402,7 +404,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above.**. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. 
If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. - Entry Parameters Tab: 
@@ -436,7 +439,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above.**. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. 
If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. - **Name:** IsTrustStore, **Display Name:** Trust Store, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', this store will be identified as a trust store. Any certificates attempting to be added via a Management-Add job that contain a private key will raise an error with an accompanying message. Multiple certificates may be added to the store in this use case. If set to 'false', this store can only contain a single certificate with chain and private key. Management-Add jobs attempting to add a certificate without a private key to a store marked as IsTrustStore = 'false' will raise an error with an accompanying message. - **Name:** IncludesChain, **Display Name:** Store Includes Chain, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' the full certificate chain, if sent by Keyfactor Command, will be stored in the file. The order of appearance is always assumed to be 1) end entity certificate, 2) issuing CA certificate, and 3) root certificate. If additional CA tiers are applicable, the order will be end entity certificate up to the root CA certificate. if set to 'false', only the end entity certificate and private key will be stored in this store. This setting is only valid when IsTrustStore = false. - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that the private key for the certificate stored in this file will be inside the same file as the certificate. If the full path AND file name is put here, that location will be used to store the private key as an external file. 
This setting is only valid when IsTrustStore = false. 
@@ -476,6 +480,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that there is no private key associated with this DER store. If the full path AND file name is entered here, that location will be used to store the private key as an external file in DER format. - Entry Parameters Tab: 
@@ -511,6 +516,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. - Entry Parameters Tab: 
@@ -545,6 +551,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. - **Name:** WorkFolder, **Display Name:** Work Folder, **Type:** String, **Default Value:** empty. This custom field is **required**. This required field should contain the path on the managed server where temporary work files can be created during Inventory and Management jobs. These files will be removed at the end of each job Please make sure that user id you have assigned to this certificate store will have access to create, modify, and delete files from this folder. - Entry Parameters Tab: diff --git a/RemoteFile/InventoryBase.cs b/RemoteFile/InventoryBase.cs index 7d6aa2f..327e945 100644 --- a/RemoteFile/InventoryBase.cs +++ b/RemoteFile/InventoryBase.cs 
@@ -31,6 +31,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd logger.LogDebug($"Begin {config.Capability} for job id {config.JobId}..."); logger.LogDebug($"Server: { config.CertificateStoreDetails.ClientMachine }"); logger.LogDebug($"Store Path: { config.CertificateStoreDetails.StorePath }"); + logger.LogDebug($"Store Properties: {config.CertificateStoreDetails.Properties.ToString()}"); logger.LogDebug($"Job Properties:"); foreach (KeyValuePair keyValue in config.JobProperties ?? new Dictionary()) { @@ -54,7 +55,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, userName, userPassword, config.CertificateStoreDetails.StorePath, storePassword, config.JobProperties); certificateStore.Initialize(sudoImpersonatedUser); - certificateStore.LoadCertificateStore(certificateStoreSerializer, config.CertificateStoreDetails.Properties, true); + certificateStore.LoadCertificateStore(certificateStoreSerializer, true); List collections = certificateStore.GetCertificateChains(); diff --git a/RemoteFile/ManagementBase.cs b/RemoteFile/ManagementBase.cs index 175452b..9645068 100644 --- a/RemoteFile/ManagementBase.cs +++ b/RemoteFile/ManagementBase.cs 
@@ -29,8 +29,9 @@ public JobResult ProcessJob(ManagementJobConfiguration config) { ILogger logger = LogHandler.GetClassLogger(this.GetType()); logger.LogDebug($"Begin {config.Capability} for job id {config.JobId}..."); - logger.LogDebug($"Server: { config.CertificateStoreDetails.ClientMachine }"); - logger.LogDebug($"Store Path: { config.CertificateStoreDetails.StorePath }"); + logger.LogDebug($"Server: {config.CertificateStoreDetails.ClientMachine}"); + logger.LogDebug($"Store Path: {config.CertificateStoreDetails.StorePath}"); + logger.LogDebug($"Store Properties: {config.CertificateStoreDetails.Properties.ToString()}"); logger.LogDebug($"Job Properties:"); foreach (KeyValuePair keyValue in config.JobProperties == null ? new Dictionary() : config.JobProperties) { @@ -50,6 +51,9 @@ public JobResult ProcessJob(ManagementJobConfiguration config) string sudoImpersonatedUser = properties.SudoImpersonatedUser == null || string.IsNullOrEmpty(properties.SudoImpersonatedUser.Value) ? ApplicationSettings.DefaultSudoImpersonatedUser : properties.SudoImpersonatedUser.Value; + bool removeRootCertificate = properties.RemoveRootCertificate == null || string.IsNullOrEmpty(properties.RemoveRootCertificate.Value) ? + false : + Convert.ToBoolean(properties.RemoveRootCertificate.Value); certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, userName, userPassword, config.CertificateStoreDetails.StorePath, storePassword, config.JobProperties); certificateStore.Initialize(sudoImpersonatedUser); 
@@ -67,8 +71,8 @@ public JobResult ProcessJob(ManagementJobConfiguration config) else throw new RemoteFileException($"Certificate store {config.CertificateStoreDetails.StorePath} does not exist on server {config.CertificateStoreDetails.ClientMachine}."); } - certificateStore.LoadCertificateStore(certificateStoreSerializer, config.CertificateStoreDetails.Properties, false); - certificateStore.AddCertificate((config.JobCertificate.Alias ?? new X509Certificate2(Convert.FromBase64String(config.JobCertificate.Contents), config.JobCertificate.PrivateKeyPassword, X509KeyStorageFlags.EphemeralKeySet).Thumbprint), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword); + certificateStore.LoadCertificateStore(certificateStoreSerializer, false); + certificateStore.AddCertificate((config.JobCertificate.Alias ?? new X509Certificate2(Convert.FromBase64String(config.JobCertificate.Contents), config.JobCertificate.PrivateKeyPassword, X509KeyStorageFlags.EphemeralKeySet).Thumbprint), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword, removeRootCertificate); certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, storePassword, certificateStore.RemoteHandler)); logger.LogDebug($"END add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}."); 
@@ -82,7 +86,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config) } else { - certificateStore.LoadCertificateStore(certificateStoreSerializer, config.CertificateStoreDetails.Properties, false); + certificateStore.LoadCertificateStore(certificateStoreSerializer, false); certificateStore.DeleteCertificateByAlias(config.JobCertificate.Alias); certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, storePassword, certificateStore.RemoteHandler)); } diff --git a/RemoteFile/ReenrollmentBase.cs b/RemoteFile/ReenrollmentBase.cs index ed7ca86..086f293 100644 --- a/RemoteFile/ReenrollmentBase.cs +++ b/RemoteFile/ReenrollmentBase.cs @@ -68,6 +68,9 @@ public JobResult ProcessJobToDo(ReenrollmentJobConfiguration config, SubmitReenr string sudoImpersonatedUser = properties.SudoImpersonatedUser == null || string.IsNullOrEmpty(properties.SudoImpersonatedUser.Value) ? ApplicationSettings.DefaultSudoImpersonatedUser : properties.SudoImpersonatedUser.Value; + bool removeRootCertificate = properties.RemoveRootCertificate == null || string.IsNullOrEmpty(properties.RemoveRootCertificate.Value) ? + false : + Convert.ToBoolean(properties.RemoveRootCertificate.Value); bool createCSROnDevice = properties.CreateCSROnDevice == null || string.IsNullOrEmpty(properties.CreateCSROnDevice.Value) ? ApplicationSettings.CreateCSROnDevice : Convert.ToBoolean(properties.CreateCSROnDevice.Value); 
@@ -118,8 +121,8 @@ public JobResult ProcessJobToDo(ReenrollmentJobConfiguration config, SubmitReenr cert = keyTypeEnum == SupportedKeyTypeEnum.RSA ? cert.CopyWithPrivateKey((RSA)alg) : cert.CopyWithPrivateKey((ECDsa)alg); // save certificate - certificateStore.LoadCertificateStore(certificateStoreSerializer, config.CertificateStoreDetails.Properties, false); - certificateStore.AddCertificate((alias ?? cert.Thumbprint), Convert.ToBase64String(cert.Export(X509ContentType.Pfx)), overwrite, null); + certificateStore.LoadCertificateStore(certificateStoreSerializer, false); + certificateStore.AddCertificate((alias ?? cert.Thumbprint), Convert.ToBase64String(cert.Export(X509ContentType.Pfx)), overwrite, null, removeRootCertificate); certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, storePassword, certificateStore.RemoteHandler)); logger.LogDebug($"END add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}."); diff --git a/RemoteFile/RemoteCertificateStore.cs b/RemoteFile/RemoteCertificateStore.cs index 3a8dd18..9de5ccf 100644 --- a/RemoteFile/RemoteCertificateStore.cs +++ b/RemoteFile/RemoteCertificateStore.cs @@ -103,7 +103,7 @@ internal RemoteCertificateStore(string server, string serverId, string serverPas logger.MethodExit(LogLevel.Debug); } - internal void LoadCertificateStore(ICertificateStoreSerializer certificateStoreSerializer, string storeProperties, bool isInventory) + internal void LoadCertificateStore(ICertificateStoreSerializer certificateStoreSerializer, bool isInventory) { logger.MethodEntry(LogLevel.Debug); 
@@ -242,7 +242,7 @@ internal void CreateCertificateStore(ICertificateStoreSerializer certificateStor logger.MethodExit(LogLevel.Debug); } - internal void AddCertificate(string alias, string certificateEntry, bool overwrite, string pfxPassword) + internal void AddCertificate(string alias, string certificateEntry, bool overwrite, string pfxPassword, bool removeRootCertificate) { logger.MethodEntry(LogLevel.Debug); @@ -251,7 +251,9 @@ internal void AddCertificate(string alias, string certificateEntry, bool overwri Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder(); Pkcs12Store certs = storeBuilder.Build(); - byte[] newCertBytes = Convert.FromBase64String(certificateEntry); + byte[] newCertBytes = removeRootCertificate && !string.IsNullOrEmpty(pfxPassword) ? + RemoveRootCertificate(Convert.FromBase64String(certificateEntry), pfxPassword) : + Convert.FromBase64String(certificateEntry); Pkcs12Store newEntry = storeBuilder.Build(); 
@@ -454,11 +456,38 @@ internal void Initialize(string sudoImpersonatedUser) else RemoteHandler = new WinRMHandler(Server, ServerId, ServerPassword, treatAsLocal); - RemoteHandler.Initialize(); - logger.MethodExit(LogLevel.Debug); } + private byte[] RemoveRootCertificate(byte[] binCert, string password) + { + Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder(); + Pkcs12Store store = storeBuilder.Build(); + Pkcs12Store store2 = storeBuilder.Build(); + + byte[] rtnCert = new byte[1]; + + using (MemoryStream ms = new MemoryStream(binCert)) + { + store.Load(ms, password.ToCharArray()); + } + + foreach (string alias in store.Aliases) + { + X509CertificateEntry[] chain = store.GetCertificateChain(alias); + chain = chain.Where(p => p.Certificate.SubjectDN.ToString() != p.Certificate.IssuerDN.ToString()).ToArray(); + store2.SetKeyEntry(alias, store.GetKey(alias), chain); + + using (MemoryStream ms = new MemoryStream()) + { + store2.Save(ms, password.ToCharArray(), new SecureRandom()); + rtnCert = ms.ToArray(); + } + } + + return rtnCert; + } + private bool AreValuesSafeRegex(string[] values) { bool valueIsSafe = true; diff --git a/RemoteFile/RemoteHandlers/BaseRemoteHandler.cs b/RemoteFile/RemoteHandlers/BaseRemoteHandler.cs index 179e929..f8a0ca6 100644 --- a/RemoteFile/RemoteHandlers/BaseRemoteHandler.cs +++ b/RemoteFile/RemoteHandlers/BaseRemoteHandler.cs @@ -33,8 +33,6 @@ public static void AreLinuxPermissionsValid(string permissions) throw new RemoteFileException($"Invalid format for Linux file permissions. This value must be exactly 3 digits long with each digit between 0-7 but found {permissions} instead."); } - public abstract void Initialize(); - public abstract void Terminate(); public abstract string RunCommand(string commandText, object[] arguments, bool withSudo, string[] passwordsToMaskInLog); diff --git a/RemoteFile/RemoteHandlers/IRemoteHandler.cs b/RemoteFile/RemoteHandlers/IRemoteHandler.cs index 34f93a9..619e3b9 100644 
--- a/RemoteFile/RemoteHandlers/IRemoteHandler.cs +++ b/RemoteFile/RemoteHandlers/IRemoteHandler.cs @@ -13,8 +13,6 @@ namespace Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers /// interface IRemoteHandler { - void Initialize(); - void Terminate(); string RunCommand(string commandText, object[] arguments, bool withSudo, string[] passwordsToMaskInLog); diff --git a/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs b/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs index 8195ad4..f7b45ac 100644 --- a/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs +++ b/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs @@ -27,12 +27,6 @@ class LinuxLocalHandler : BaseRemoteHandler private Command BaseCommand { get; set; } internal LinuxLocalHandler() - { - _logger.MethodEntry(LogLevel.Debug); - _logger.MethodExit(LogLevel.Debug); - } - - public override void Initialize() { _logger.MethodEntry(LogLevel.Debug); diff --git a/RemoteFile/RemoteHandlers/SSHHandler.cs b/RemoteFile/RemoteHandlers/SSHHandler.cs index dd08404..81563b5 100644 --- a/RemoteFile/RemoteHandlers/SSHHandler.cs +++ b/RemoteFile/RemoteHandlers/SSHHandler.cs @@ -18,6 +18,9 @@ using Keyfactor.Logging; using Keyfactor.PKI.PrivateKeys; using Keyfactor.PKI.PEM; +using static Microsoft.ApplicationInsights.MetricDimensionNames.TelemetryContext; +using Renci.SshNet.Common; +using Org.BouncyCastle.Bcpg; namespace Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers { @@ -26,6 +29,8 @@ class SSHHandler : BaseRemoteHandler private ConnectionInfo Connection { get; set; } private string SudoImpersonatedUser { get; set; } private bool IsStoreServerLinux { get; set; } + private string UserId { get; set; } + private string Password { get; set; } private SshClient sshClient; internal SSHHandler(string server, string serverLogin, string serverPassword, bool isStoreServerLinux, string sudoImpersonatedUser) 
@@ -35,11 +40,14 @@ internal SSHHandler(string server, string serverLogin, string serverPassword, bo Server = server; SudoImpersonatedUser = sudoImpersonatedUser; IsStoreServerLinux = isStoreServerLinux; + UserId = serverLogin; + Password = serverPassword; - List authenticationMethods = new List(); if (serverPassword.Length < PASSWORD_LENGTH_MAX) { - authenticationMethods.Add(new PasswordAuthenticationMethod(serverLogin, serverPassword)); + KeyboardInteractiveAuthenticationMethod keyboardAuthentication = new KeyboardInteractiveAuthenticationMethod(UserId); + keyboardAuthentication.AuthenticationPrompt += KeyboardAuthentication_AuthenticationPrompt; + Connection = new ConnectionInfo(server, serverLogin, new PasswordAuthenticationMethod(serverLogin, serverPassword), keyboardAuthentication); } else { @@ -60,18 +68,9 @@ internal SSHHandler(string server, string serverLogin, string serverPassword, bo } } - authenticationMethods.Add(new PrivateKeyAuthenticationMethod(serverLogin, privateKeyFile)); + Connection = new ConnectionInfo(server, serverLogin, new PrivateKeyAuthenticationMethod(serverLogin, privateKeyFile)); } - Connection = new ConnectionInfo(server, serverLogin, authenticationMethods.ToArray()); - - _logger.MethodExit(LogLevel.Debug); - } - - public override void Initialize() - { - _logger.MethodEntry(LogLevel.Debug); - try { sshClient = new SshClient(Connection); 
@@ -382,6 +381,17 @@ public override void RemoveCertificateFile(string path, string fileName) RunCommand($"rm {path}{fileName}", null, ApplicationSettings.UseSudo, null); } + private void KeyboardAuthentication_AuthenticationPrompt(object sender, AuthenticationPromptEventArgs e) + { + _logger.MethodEntry(LogLevel.Debug); + foreach (AuthenticationPrompt prompt in e.Prompts) + { + if (prompt.Request.StartsWith("Password")) + prompt.Response = Password; + } + _logger.MethodExit(LogLevel.Debug); + } + private void SplitStorePathFile(string pathFileName, out string path, out string fileName) { _logger.MethodEntry(LogLevel.Debug); diff --git a/RemoteFile/RemoteHandlers/WinRMHandler.cs b/RemoteFile/RemoteHandlers/WinRMHandler.cs index c884283..1d1a041 100644 --- a/RemoteFile/RemoteHandlers/WinRMHandler.cs +++ b/RemoteFile/RemoteHandlers/WinRMHandler.cs @@ -43,13 +43,6 @@ internal WinRMHandler(string server, string serverLogin, string serverPassword, } } - _logger.MethodExit(LogLevel.Debug); - } - - public override void Initialize() - { - _logger.MethodEntry(LogLevel.Debug); - try { if (RunLocal) @@ -69,8 +62,8 @@ public override void Initialize() catch (Exception ex) { - _logger.LogError($"Exception during Initialize...{RemoteFileException.FlattenExceptionMessages(ex, ex.Message)}"); - throw ex; + _logger.LogError($"Exception attempting to connect to server...{RemoteFileException.FlattenExceptionMessages(ex, ex.Message)}"); + throw; } _logger.MethodExit(LogLevel.Debug); diff --git a/readme_source.md b/readme_source.md index a84bf82..83aca6f 100644 --- a/readme_source.md +++ b/readme_source.md 
@@ -118,7 +118,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b 2. When orchestrating management of local or external certificate stores, the Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer for the user assigned to the certificate store/discovery job. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer. If the certificate store/discovery job is configured for local (agent) access, the account running the Keyfactor Universal Orchestrator service must have access to read/write to the certificate store location, OR the config.json file must be set up to use the alternative upload/download file. -3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. SSH Key Authentication is not available when running locally as an agent. The following private key formats are supported: +3. SSH Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. When using a password, the connection is attempted using SSH Password Authentication. If that fails, Keyboard Interactive Authentication is automatically attempted. 
One or both of these must be enabled on the Linux box being managed. If private key authentication is desired, copy and paste the full SSH private key into the Password textbox (or pointer to the private key if using a PAM provider). Please note that SSH Private Key Authentication is not available when running locally as an agent. The following private key formats are supported: - PKCS#1 (BEGIN RSA PRIVATE KEY) - PKCS#8 (BEGIN PRIVATE KEY) - ECDSA OPENSSH (BEGIN OPENSSH PRIVATE KEY) 
@@ -268,6 +268,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. + - Entry Parameters Tab: 
@@ -301,7 +303,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above.**. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. 
If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. - Entry Parameters Tab: 
@@ -335,7 +338,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above.**. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. 
If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. - **Name:** IsTrustStore, **Display Name:** Trust Store, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', this store will be identified as a trust store. Any certificates attempting to be added via a Management-Add job that contain a private key will raise an error with an accompanying message. Multiple certificates may be added to the store in this use case. If set to 'false', this store can only contain a single certificate with chain and private key. Management-Add jobs attempting to add a certificate without a private key to a store marked as IsTrustStore = 'false' will raise an error with an accompanying message. - **Name:** IncludesChain, **Display Name:** Store Includes Chain, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' the full certificate chain, if sent by Keyfactor Command, will be stored in the file. The order of appearance is always assumed to be 1) end entity certificate, 2) issuing CA certificate, and 3) root certificate. If additional CA tiers are applicable, the order will be end entity certificate up to the root CA certificate. if set to 'false', only the end entity certificate and private key will be stored in this store. This setting is only valid when IsTrustStore = false. - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that the private key for the certificate stored in this file will be inside the same file as the certificate. If the full path AND file name is put here, that location will be used to store the private key as an external file. 
This setting is only valid when IsTrustStore = false. 
@@ -375,6 +379,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that there is no private key associated with this DER store. If the full path AND file name is entered here, that location will be used to store the private key as an external file in DER format. - Entry Parameters Tab: 
@@ -410,6 +415,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. - Entry Parameters Tab: 
@@ -444,6 +450,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner:group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group needs to be set as well, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. If the group is NOT supplied, the group value will be set per normal behavior of the Linux "Install" command. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** RemoveRootCertificate, **Display Name:** Remove Root Certificate from Chain, **Type:** Bool, **Default Value:** False. This custom field is **not required**. If not present, value is set to the Default Value. This value determines whether root CA certificates should be included in the certificate chain when adding/renewing certificates in Management Add jobs. If set to False, the root CA certificate is included in the chain. If True, it is removed and only the non-root CA certificates are included in the chain when adding the entry to the certificate store. - **Name:** WorkFolder, **Display Name:** Work Folder, **Type:** String, **Default Value:** empty. This custom field is **required**. This required field should contain the path on the managed server where temporary work files can be created during Inventory and Management jobs. These files will be removed at the end of each job Please make sure that user id you have assigned to this certificate store will have access to create, modify, and delete files from this folder. - Entry Parameters Tab:
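Review bot: In the ReenrollmentBase.cs hunk (@@ -68,6 +68,9 @@), `Convert.ToBoolean(properties.RemoveRootCertificate.Value)` throws a FormatException for any string other than "true"/"false" (case-insensitive), so a value such as "Y" or "1" aborts the reenrollment job with a conversion error rather than a clear message. The same pattern already exists for CreateCSROnDevice, but for a new field it is cheap to do `bool.TryParse(properties.RemoveRootCertificate?.Value, out bool removeRoot)` and fall back to `false`, which also replaces the three-line null/empty ternary.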
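Review bot: In the RemoteCertificateStore.cs AddCertificate hunk (@@ -251,7 +251,9 @@), root removal only runs when `removeRootCertificate && !string.IsNullOrEmpty(pfxPassword)`, but the ReenrollmentBase.cs call site (@@ -118,8 +121,8 @@) passes `null` as the pfxPassword while also passing `removeRootCertificate`, so on the reenrollment path the flag is silently ignored even though the new readme text says it applies when "adding/renewing certificates". Either export the reenrolled PFX with a password so `RemoveRootCertificate` can load it, or log at warning level when the flag is set but skipped and document that it is honoured only for entries delivered with a PFX password.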
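Review bot: In the new `RemoveRootCertificate` method (RemoteCertificateStore.cs @@ -454,11 +456,38 @@), the filter `chain.Where(p => p.Certificate.SubjectDN.ToString() != p.Certificate.IssuerDN.ToString())` drops every self-signed certificate in the chain, including the end-entity certificate itself when it is self-signed, which leaves `SetKeyEntry` with an empty chain and removes the very certificate being added. Keep `chain[0]` unconditionally and apply the subject-equals-issuer test only to the remaining elements (BouncyCastle's `SubjectDN.Equivalent(IssuerDN)` is the structural comparison; comparing `ToString()` output is fragile). Two more points in the same hunk: `byte[] rtnCert = new byte[1];` is returned unchanged when the loaded store has no key entries, producing a one-byte PFX that fails later with an unrelated parse error, so throw a RemoteFileException if nothing was rewritten; and `store.GetCertificateChain(alias)` returns null for certificate-only aliases, so the `.Where(...)` call would raise a NullReferenceException; guard the loop body with `store.IsKeyEntry(alias)`.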
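Review bot: In the SSHHandler.cs using-directive hunk (@@ -18,6 +18,9 @@), `using static Microsoft.ApplicationInsights.MetricDimensionNames.TelemetryContext;` and `using Org.BouncyCastle.Bcpg;` look like IDE auto-imports: nothing in the SSHHandler hunks references either namespace, and the ApplicationInsights one ties the handler to a telemetry assembly the rest of this change does not use. Only `using Renci.SshNet.Common;` (for `AuthenticationPromptEventArgs` and `AuthenticationPrompt`) is needed; drop the other two.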
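Review bot: In the SSHHandler.cs constructor hunk (@@ -35,11 +40,14 @@), the plaintext password is now kept in the `Password` property for the lifetime of the handler so the keyboard-interactive callback can read it, whereas before it was consumed once by `PasswordAuthenticationMethod`. That is a fair trade-off for the fallback, but clear `Password` and unsubscribe `KeyboardAuthentication_AuthenticationPrompt` once `sshClient.Connect()` has succeeded so the secret does not outlive authentication. The ordering in `new ConnectionInfo(server, serverLogin, new PasswordAuthenticationMethod(...), keyboardAuthentication)` is what makes password authentication run first and keyboard-interactive second, as the readme states; a one-line comment there would keep a future reorder from silently changing the documented behaviour.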
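Review bot: In the new `KeyboardAuthentication_AuthenticationPrompt` handler (SSHHandler.cs @@ -382,6 +381,17 @@), `prompt.Request.StartsWith("Password")` is an ordinal, case-sensitive match on server-defined prompt text, and any prompt that does not match is left with a null `Response`, so the keyboard-interactive fallback then fails with no indication of why. Use `prompt.Request.StartsWith("Password", StringComparison.OrdinalIgnoreCase)` (or `IndexOf("password", ...) >= 0` to tolerate leading whitespace or locale prefixes) and log `prompt.Request` at debug level when it is not answered; never log the response.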
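Review bot: In the readme_source.md hunks for the second and third store types (@@ -301,7 +303,8 @@ and @@ -335,7 +338,8 @@), the re-added SudoImpersonatedUser bullet ends with a stray `**.` after "section above" (`..."Security Considerations" section above.**.`), which renders as literal asterisks; the same bullet in the @@ -268, @@ -375, @@ -410 and @@ -444 hunks ends cleanly with `above.`. Also, the new RemoveRootCertificate bullet in every store-type hunk says the option applies when "adding/renewing certificates", while the AddCertificate code strips the root only when a PFX password is present; state that condition here so users are not surprised when a reenrollment or a password-less entry keeps the root.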