From 917a554dd099297c6e738ec6a577b623d492b7a1 Mon Sep 17 00:00:00 2001 From: Michael Henderson Date: Mon, 25 Apr 2022 12:51:31 -0700 Subject: [PATCH 1/4] update starter workflow and readme --- .../keyfactor-extension-generate-readme.yml | 26 ---- .../keyfactor-extension-prerelease.yml | 111 --------------- .../workflows/keyfactor-extension-release.yml | 133 ------------------ .../keyfactor-extension-update-catalog.yml | 34 ----- .../workflows/keyfactor-starter-workflow.yml | 26 ++++ README.md.tpl => readme_source.md | 5 - 6 files changed, 26 insertions(+), 309 deletions(-) delete mode 100644 .github/workflows/keyfactor-extension-generate-readme.yml delete mode 100644 .github/workflows/keyfactor-extension-prerelease.yml delete mode 100644 .github/workflows/keyfactor-extension-release.yml delete mode 100644 .github/workflows/keyfactor-extension-update-catalog.yml create mode 100644 .github/workflows/keyfactor-starter-workflow.yml rename README.md.tpl => readme_source.md (99%) diff --git a/.github/workflows/keyfactor-extension-generate-readme.yml b/.github/workflows/keyfactor-extension-generate-readme.yml deleted file mode 100644 index 17f35d0..0000000 --- a/.github/workflows/keyfactor-extension-generate-readme.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: Update README -on: [push, workflow_dispatch] - -jobs: - update_readme: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@master - - - uses: cuchi/jinja2-action@v1.2.0 - with: - template: README.md.tpl - output_file: README.md - data_file: integration-manifest.json - env: - GITHUB_TOKEN: ${{ secrets.SDK_SYNC_PAT }} - - - uses: stefanzweifel/git-auto-commit-action@v4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - commit_message: Update generated README - commit_user_name: Keyfactor - commit_user_email: keyfactor@keyfactor.github.io - commit_author: Keyfactor 
diff --git a/.github/workflows/keyfactor-extension-prerelease.yml b/.github/workflows/keyfactor-extension-prerelease.yml deleted file mode 100644 index cb45f48..0000000 --- a/.github/workflows/keyfactor-extension-prerelease.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: Keyfactor Extension - Pre Release - -# Controls when the action will run. -on: - # Triggers the workflow on push - push: - #only run this workflow when pushing to a branch that has the prerelease suffix - branches: - - 'release--[12].[0-9]+.[0-9]+-pre*' - - '!release-[12].[0-9]+.[0-9]+' - - - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: windows-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 - - - name: Setup Envrionment - id: setup_env - run: | - echo "Setup Envrionment Variables for Workflow" - echo "Working Path: ${Env:GITHUB_WORKSPACE}" - $slnPath = (Get-ChildItem -Include *.sln -File -Recurse).fullname - $relName = "${{ github.ref }}".Split("/") - $repoName = "${{ github.repository }}".Split("/") - echo "Solution File Path: ${slnPath}" - echo "SOLUTION_PATH=${slnPath}" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - echo "Release Name: $($relName[-1])" - echo "RELEASE_NAME=$($relName[-1])" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - echo "Repo Name: $($repoName[-1])" - echo "REPO_NAME=$($repoName[-1])" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - - - uses: actions/setup-dotnet@v1 - with: - dotnet-version: '3.1.x' # SDK Version to use; x will use the latest version of the 3.1 channel - #dotnet-version: - - - name: Add Package Source - run: | - dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json -n github -u ${{ github.actor }} -p ${{ secrets.BUILD_PACKAGE_ACCESS }} --store-password-in-clear-text - - # Configures 
msbuild path envrionment - - name: setup-msbuild - uses: microsoft/setup-msbuild@v1 - - # Restores Packages to Local Machine - - name: restore nuget packages - run: | - nuget restore ${{ env.SOLUTION_PATH }} - - # Runs a set of commands using the runners shell - - name: Execute MSBuild Commands - run: | - MSBuild.exe $Env:SOLUTION_PATH -p:RestorePackagesConfig=true -p:Configuration=Release - - - name: Archive Files - run: | - md ${{ github.workspace }}\zip\Keyfactor - Compress-Archive -Path ${{ github.workspace }}\src\GoogleCAProxy\bin\Release\*.dll,${{ github.workspace }}\src\GoogleCAProxy\bin\Release\app.config -DestinationPath ${{ github.workspace }}\zip\Keyfactor\$Env:REPO_NAME.zip -Force - - - - name: Upload a Build Artifact - uses: actions/upload-artifact@v2.2.2 - with: - # Artifact name - name: ${{ env.REPO_NAME}}.zip - # A file, directory or wildcard pattern that describes what to upload - path: | - ${{ github.workspace }}\zip\Keyfactor\${{ env.REPO_NAME}}.zip - # The desired behavior if no files are found using the provided path. - if-no-files-found: error # optional, default is warn - - - name: Create Release - id: create_release - #uses: zendesk/action-create-release@v1 - Update when PR is approved - uses: keyfactor/action-create-release@786b73035fa09790f9eb11bb86834a6d7af1c256 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - release_name: Release ${{ env.RELEASE_NAME }} - body: | - [Changelog](../CHANGELOG.MD) - draft: false - prerelease: true - auto_increment_type: patch - tag_schema: semantic - commitish: ${{ github.sha }} - - - name: Upload Release Asset (x64) - id: upload-release-asset-x64 - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ${{ github.workspace }}\zip\Keyfactor\${{ env.REPO_NAME}}.zip - asset_name: ${{ env.REPO_NAME}}.zip - asset_content_type: application/zip 
diff --git a/.github/workflows/keyfactor-extension-release.yml b/.github/workflows/keyfactor-extension-release.yml deleted file mode 100644 index cc7bae1..0000000 --- a/.github/workflows/keyfactor-extension-release.yml +++ /dev/null 
@@ -1,133 +0,0 @@ -# below is the folder name for the project where the binaries will be found. -env: - project_folder: GoDaddy - - -name: Keyfactor Extension - Release - -# Controls when the action will run. -on: - # Triggers the workflow on pull requests closing - pull_request: - # only run this workflow when closing a PR to a branch that contains a release number. ignore -pre - branches: - - 'release-[0-9]+.[0-9]+' - - '!release-[0-9]+.[0-9]+-pre' - types: [closed] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: windows-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 - - - name: Setup Environment - id: setup_env - run: | - echo "Setup Envrionment Variables for Workflow" - echo "Working Path: ${Env:GITHUB_WORKSPACE}" - $slnPath = (Get-ChildItem -Include *.sln -File -Recurse).fullname - $relName = "${{ github.ref }}".Split("/") - $repoName = "${{ github.repository }}".Split("/") - echo "Solution File Path: ${slnPath}" - echo "SOLUTION_PATH=${slnPath}" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - echo "Release Name: $($relName[-1])" - echo "RELEASE_NAME=$($relName[-1])" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - echo "Repo Name: $($repoName[-1])" - echo "REPO_NAME=$($repoName[-1])" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - - - uses: actions/setup-dotnet@v1 - with: - dotnet-version: '3.1.x' # SDK Version to use; x will use the latest version of the 3.1 channel - #dotnet-version: - - - name: Add Package Source - run: | - dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json -n github -u ${{ github.actor 
}} -p ${{ secrets.BUILD_PACKAGE_ACCESS }} --store-password-in-clear-text - - # Configures msbuild path envrionment - - name: setup-msbuild - uses: microsoft/setup-msbuild@v1 - - # Restores Packages to Local Machine - - name: restore nuget packages - run: | - nuget restore ${{ env.SOLUTION_PATH }} - - - name: Create Release - id: create_release - #uses: zendesk/action-create-release@v1 - uses: keyfactor/action-create-release@786b73035fa09790f9eb11bb86834a6d7af1c256 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - release_name: Release ${{ env.RELEASE_NAME }} - body: | - [Changelog](../CHANGELOG.MD) - draft: false - prerelease: false - auto_increment_type: patch - tag_schema: semantic - commitish: ${{ github.sha }} - - #update version number of AssemblyInfo.cs file - - name: Increment Assembly Version - run: | - $VersionRegex = "\d+\.\d+\.\d+" - $assemblyFilePath = (Get-ChildItem -Include AssemblyInfo.cs -File -Recurse).fullname - $filecontent = Get-Content($assemblyFilePath) - $newVer = "${{ steps.create_release.outputs.current_tag }}".TrimStart('v') - attrib $assemblyFilePath -r - $filecontent -replace $VersionRegex, $newVer | Out-File $assemblyFilePath - - - name: Execute MSBuild Commands - run: | - MSBuild.exe $Env:SOLUTION_PATH -p:RestorePackagesConfig=false -p:Configuration=Release - - - name: Archive Files - if: ${{ success() }} - run: | - md ${{ github.workspace }}\zip\Keyfactor - Compress-Archive -Path ${{env.project_folder}}\bin\Release\*.dll,${{ github.workspace }}\${{env.project_folder}}\bin\Release\*.json -DestinationPath ${{ github.workspace }}\zip\Keyfactor\$Env:REPO_NAME.zip -Force - - - name: Upload Release Asset (x64) - if: ${{ success() }} - id: upload-release-asset-x64 - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ${{ github.workspace }}\zip\Keyfactor\${{ env.REPO_NAME}}.zip - asset_name: ${{ 
env.REPO_NAME}}_${{ steps.create_release.outputs.current_tag }}.zip - asset_content_type: application/zip - - - name: check in new assembly version - if: ${{ success() }} - uses: stefanzweifel/git-auto-commit-action@v4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - file_pattern: Properties/AssemblyInfo.cs - commit_message: Updated AssemblyInfo to version ${{ steps.create_release.outputs.current_tag }} - commit_user_name: Keyfactor - commit_user_email: keyfactor@keyfactor.github.io - commit_author: Keyfactor - - - name: On Failure Remove Tags and Release - if: ${{ failure() }} - uses: dev-drprasad/delete-tag-and-release@v0.2.0 - with: - delete_release: true # default: false - tag_name: ${{ steps.create_release.outputs.current_tag }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/keyfactor-extension-update-catalog.yml b/.github/workflows/keyfactor-extension-update-catalog.yml deleted file mode 100644 index a9634e0..0000000 --- a/.github/workflows/keyfactor-extension-update-catalog.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -name: Generate Catalog Entry -on: [push, workflow_dispatch] - -jobs: - generate_entry: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@master - - - uses: actions/checkout@v2 - with: - token: ${{ secrets.SDK_SYNC_PAT }} - path: './catalog-temp/' - repository: 'Keyfactor/integrations-catalog' - - - uses: cuchi/jinja2-action@v1.2.0 - with: - template: ./catalog-temp/_integration.md.tpl - output_file: ${{ format('./catalog-temp/_integrations/{0}.md', github.event.repository.name) }} - data_file: integration-manifest.json - variables: | - repository= ${{ format('https://github.com/{0}', github.repository) }} - env: - GITHUB_TOKEN: ${{ secrets.SDK_SYNC_PAT }} - - - uses: EndBug/add-and-commit@v7 - with: - author_name: 'Keyfactor' - author_email: 'keyfactor@keyfactor.github.io' - branch: 'main' - message: ${{ format('Added the manifest for {0}', github.event.repository.name) }} - add: ${{ format('_integrations/{0}.md --force', github.event.repository.name) }} - cwd: './catalog-temp/' diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml new file mode 100644 index 0000000..b80ec25 --- /dev/null +++ b/.github/workflows/keyfactor-starter-workflow.yml 
@@ -0,0 +1,26 @@ +name: Starter Workflow +on: [workflow_dispatch, push, pull_request] + +jobs: + call-create-github-release-workflow: + uses: Keyfactor/actions/.github/workflows/github-release.yml@main + + call-dotnet-build-and-release-workflow: + needs: [call-create-github-release-workflow] + uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main + with: + release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }} + release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }} + release_dir: GoDaddy/bin/Release # TODO: set build output directory to upload as a release, relative to checkout workspace + secrets: + token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }} + + call-generate-readme-workflow: + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main + + call-update-catalog-workflow: + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main + secrets: + token: ${{ secrets.SDK_SYNC_PAT }} diff --git a/README.md.tpl b/readme_source.md similarity index 99% rename from README.md.tpl rename to readme_source.md index 1d06892..de9e089 100644 --- a/README.md.tpl +++ b/readme_source.md @@ -1,8 +1,3 @@ -# {{ name }} -## {{ integration_type | capitalize }} - -{{ description }} - *** # GoDaddy Supported Certificate Types From 6fd3c005b904769401c242b9c800ef8ed99cac7e Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 25 Apr 2022 19:52:30 +0000 Subject: [PATCH 2/4] Update generated README --- README.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6edcc42..e3676fb 100644 --- a/README.md +++ b/README.md 
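Review bot: All four reusable workflows in this hunk are referenced through the mutable branch ref `@main` (`uses: Keyfactor/actions/.github/workflows/github-release.yml@main` and the three siblings), so any change landing on that branch of Keyfactor/actions immediately changes what runs here with `secrets.PRIVATE_PACKAGE_ACCESS` and `secrets.SDK_SYNC_PAT` handed to it; the release workflow deleted earlier in this same patch pinned its action to a full commit SHA, and the calls here should do the same, e.g. `uses: Keyfactor/actions/.github/workflows/github-release.yml@<full-commit-sha>  # <tag the SHA corresponds to>`. A second point is the trigger list `on: [workflow_dispatch, push, pull_request]`: `call-create-github-release-workflow` and `call-dotnet-build-and-release-workflow` carry no `if:` guard, so if those reusable workflows create a release as their names suggest (their bodies are not visible here), every push and pull request on any branch would attempt one, whereas the removed workflows restricted themselves with `branches:` filters on release branches. The `# TODO` left on `release_dir: GoDaddy/bin/Release` should also be resolved or the comment removed before this template is treated as final for this repository.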
@@ -1,8 +1,15 @@ # GoDaddy CA Gateway -## Ca-gateway GoDaddy is a domain registrar, web hosting company, and most relevant here, a public certificate authority. The GoDaddy AnyGateway is designed to allow Keyfactor Command the ability to - Sync certificates Issued from the CA - Request new certificates from the CA - Revoke certificates directly from Keyfactor Command - Certificate Reissue/Renewal - + +#### Integration status: Pilot - Ready for use in test environments. Not for use in production. + +## About the Keyfactor + + + +--- + *** # GoDaddy Supported Certificate Types From 897fd126a399fa4da369f65e851e6ae298237b2b Mon Sep 17 00:00:00 2001 From: Michael Henderson Date: Wed, 27 Apr 2022 16:18:27 -0700 Subject: [PATCH 3/4] Delete generated readme.md --- README.md | 259 ------------------------------------------------------ 1 file changed, 259 deletions(-) delete mode 100644 README.md diff --git a/README.md b/README.md deleted file mode 100644 index 6edcc42..0000000 --- a/README.md +++ /dev/null 
@@ -1,259 +0,0 @@ -# GoDaddy CA Gateway -## Ca-gateway - -GoDaddy is a domain registrar, web hosting company, and most relevant here, a public certificate authority. The GoDaddy AnyGateway is designed to allow Keyfactor Command the ability to - Sync certificates Issued from the CA - Request new certificates from the CA - Revoke certificates directly from Keyfactor Command - Certificate Reissue/Renewal - -*** - -# GoDaddy Supported Certificate Types -GoDaddy supports the following certificate products: -- Domain Validated SSL (DV_SSL) -- Domain Validated Wildcard SSL (DV_WILDCARD_SSL) -- Domain Validated SSL With SANs (UCC_DV_SSL) -- Organization Validated SSL (OV_SSL) -- Organization Validated Wildcard SSL (OV_WILDCARD_SSL) -- Organization Validated SSL With SANs (UCC_OV_SSL) -- Organization Validated Code Signing (OV_CS) **NOTE: GoDaddy is no longer selling new credits for this product type** -- Organization Validated Driver Signing (OV_DS) **NOTE: GoDaddy is no longer selling new credits for this product type** -- Extended Validation SSL (EV_SSL) -- Extended Validation SSL With SANs (UCC_EV_SSL) - - -# GoDaddy Resources - -- [GoDaddy Portal](https://ae.godaddy.com/) -- [GoDaddy API Guide](https://developer.godaddy.com/doc) -- [Create GoDaddy SSOKey](https://developer.godaddy.com/keys?hbi_code=1) - - - -# Getting Started -### Prerequsites -To begin, you must have the AnyGateway Service installed and operational before attempting to configure the GoDaddy AnyGateway plugin. **INSTALLATION INSTRUCTIONS LINK** - -A production GoDaddy account must be set up that will be associated with the gateway and an API Key/Secret created. For more information on how to create an API Key, follow the instructions [here](https://developer.godaddy.com/keys). - - -### Installation and Configuration -##### Step 1 - Install the GoDaddy root and intermediate certificates. -There are four CA certificate chains that are supported by GoDaddy that can be used in the GoDaddy AnyGateway. 
For each of these CA chains that are to be supported by the local installation of the GoDaddy AnyGateway, the root and intermediate certificates must be installed in the Intermediate Certification Authorities store on the AnyGateway server and the root certificate must be installed in the Trusted Root Certification Authorities store on the AnyGateway server. -- GoDaddy SHA-1 (GODADDY_SHA_1) - - [Root Certificate](https://certs.godaddy.com/repository/gd-class2-root.crt) - - [Intermediate Certificate](https://certs.godaddy.com/repository/gd_intermediate.crt.pem) -- GoDaddy SHA256 (GODADDY_SHA_2) - - [Root Certificate](https://certs.godaddy.com/repository/gdroot-g2.crt) - - [Intermediate Certificate](https://certs.godaddy.com/repository/gdig2.crt.pem) -- Starfield SHA-1 (STARFIELD_SHA_1) - - [Root Certificate](https://certs.godaddy.com/repository/sf-class2-root.crt) - - [Intermediate Certificate](https://certs.godaddy.com/repository/sf_intermediate.crt.pem) -- Starfield SHA256 (STARFIELD_SHA_2) - - [Root Certificate](https://certs.godaddy.com/repository/sfroot-g2.crt) - - [Intermediate Certificate](https://certs.godaddy.com/repository/sfig2.crt.pem) - - -##### Step 2 - Create Templates in Active Directory -For each GoDaddy product being supported, you must create a Certificate Template on the Keyfactor Command server. Make note of the template name of each, as it will be referenced in a future step. - - -##### Step 3 - Stop the Keyfactor AnyGateway service - - -##### Step 4 - Install the GoDaddy AnyGateway binaries -Once the AnyGateway configuration has been imported, the GoDaddy AnyGateway binaries need to be placed in the Keyfactor AnyGateway Service install directory -(C:\\Program Files\\Keyfactor\\Keyfactor AnyGateway for default installations). 
-The following binaries need to be placed in the install directory: -GoDaddyCAProxy.dll -RestSharp.dll - -##### Step 5 - Modify the CAProxyServer.exe.config file -Edit the CAProxyServer.exe.config file in the Keyfactor Gateway installation folder. Modify the "unity" section "* - -Once this is done, restart the Keyfactor AnyGateway service. - - -##### Step 6 - Modify the AnyGatewayConfig.json file -After installing the Keyfactor AnyGateway service (see Prerequisites), there should be a AnyGatewayConfig.json file located in your root c:\ folder. Edit it as follows: - -```json -{ - /*Maps the Active Directory template to the CA certificate type. - When enrollment is requested for an Active Directory certificate template, - the corresponding CA type will be enrolled. - Templates are specified by CommonName*/ - "Templates":{ - "GoDaddyDVSSL": { - "ProductID": "DV_SSL" - }, - "GoDaddyDVWildcardSSL": { - "ProductID": "DV_WILDCARD_SSL" - }, - "GoDaddyUCCDVSSL": { - "ProductID": "UCC_DV_SSL" - } - }, - /*Grant permissions on the CA to users or groups in the local domain. - READ: Enumerate and read contents of certificates. - ENROLL: Request certificates from the CA. - OFFICER: Perform certificate functions such as issuance and revocation. This is equivalent to "Issue and Manage" permission on the Microsoft CA. - ADMINISTRATOR: Configure/reconfigure the gateway. - Valid permission settings are "Allow", "None", and "Deny".*/ - "Security":{ - /* Replace "Keyfactor\\Administrator with the domain\\account that has administrative privileges */ - "Keyfactor\\Administrator":{ - "READ":"Allow", - "ENROLL":"Allow", - "OFFICER":"Allow", - "ADMINISTRATOR":"Allow" - }, - /* Replace "Keyfactor\\SVC_TimerService with the domain\\account service account that will perform enrollment, sync, and revocation */ - by the Command Service. 
*/ - "Keyfactor\\SVC_TimerService":{ - "READ":"Allow", - "ENROLL":"Allow", - "OFFICER":"Allow", - "ADMINISTRATOR":"None" - }, - /*Replace Keyfactor\\SVC_AppPool with the Application Pool Account for Keyfactor Command needs read at minimum. There are some function in Command that are not delegated to the logged in user (may be a result of local lab configuration TBD) so this allows the command portal to enumerate templates available in the AnyGateway CA - */ - "Keyfactor\\SVC_AppPool":{ - "READ":"Allow", //List the templates supported by the CA - "ENROLL":"Allow", - "OFFICER":"Allow",//Required to allow the portal to revoke a certificate. TODO: Ensure this is the case or if it should be delegated - "ADMINISTRATOR":"None" - } - }, - /*The Certificate Managers section is optional. - If configured, all users or groups granted OFFICER permissions under the Security section - must be configured for at least one Template and one Requester. - Uses "" to specify all templates. Uses "Everyone" to specify all requesters. - Valid permission values are "Allow" and "Deny".*/ - "CertificateManagers":null, - /*"CertificateManagers":{ - "DOMAIN\\Username":{ - "Templates":{ - "MyTemplateShortName":{ - "Requesters":{ - "Everyone":"Allow", - "DOMAIN\\Groupname":"Deny" - } - }, - "":{ - "Requesters":{ - "Everyone":"Allow" - } - } - } - } - },*/ - /*Information necessary to authenticate to the CA.*/ - "CAConnection":{ - // Base URL for GoDaddy API calls. 
This value should probably not need to change from what is shown below - "APIUrl": "https://api.ote-godaddy.com", - // The ShopperId is the "Customer #" found by selecting the pulldown on the top right of the GoDaddy portal home page - // after signing in using the account being used for the Gateway - "ShopperId": "9999999999", - // The APIKey is the GoDaddy API Key and secret mentioned in "Prerequisites" - "APIKey": "sso-key {large string value API Key}:{large string value API Secret}", - // One of four values based on the CA chain enrolled certificates should be validated against - GODADDY_SHA_1, GODADDY_SHA_2, - // STARTFIELD_SHA1, or STARTFIELD_SHA2 - "RootType": "GODADDY_SHA_2", - // The SyncPageSize represents the number of certificates that will be returned for each GoDaddy "get certificates" API call during a - // "sync" operation. The API call will be repeated in batches of this number until all cerificates are retrieved from the GoDady CA. - // GoDaddy has no imposed limit on the number of certificates that can be returned, but due to the amount of data being returned for - // each call, this number should be set to something reasonable, 50-500. - "SyncPageSize": "50", - // EnrollmentRetries is the number of tries an Enroll operation will attempt to successfully enroll a certificate (defined as a certificate - // being ISSUED or PENDING_ISSUANCE) against the GoDaddy CA before returning an error. - "EnrollmentRetries": "2", - // SecondsBetweenEnrollmentRetries is the amount of time an Enroll operation will wait between enrollment requests against the GoDaddy - // CA if the previous attempt did not produce a certificate with a status of ISSUED or PENDING_ISSUANCE. 
- "SecondsBetweenEnrollmentRetries": "5" - }, - /*Information to register the Gateway for client connections.*/ - "GatewayRegistration":{ - // LogicalName is the Logical Name of the CA set up in Keyfactor - PKI Management => Certificate Authorities (later step) - "LogicalName": "GoDaddyCA", - // GatewayCertificate is the location and thumbprint of the GoDaddy intermediate CA certificate installed in a previous step - "GatewayCertificate": { - "StoreName": "CA", - "StoreLocation": "LocalMachine", - "Thumbprint": "‎27ac9369faf25207bb2627cefaccbe4ef9c319b8" - } - }, - /*Settings for the Gateway Service*/ - "ServiceSettings":{ - // ViewIdleMinutes - Number of minutes a Sync operation can take before a timeout is reported - "ViewIdleMinutes":8, - // How often, in hours, a full scan will occur - "FullScanPeriodHours": 1, - // How often, in minutes, a partial scan will occur. NOTE: for the GoDady AnyGateway, a partial scan is the same as a full scan - "PartialScanPeriodMinutes":15 - } -} -``` - - -##### Step 7 - Start the Keyfactor AnyGateway Service - - -##### Step 8 - Follow the AnyGateway instructions to set up your database and configuration - - -##### Step 9 - Add the GoDaddy CA to Keyfactor Command - - -##### Step 10 - Add the GoDaddy Products (Templates) to Keyfactor Command -For each of the three templates (GoDaddyDVSSL, GoDaddyDVWildcardSSL, and GoDaddyUCCDVSSL) configured in Step 4 in the AnyGatewayConfig.json file, create a corresponding template in Keyfactor Command. **NOTE:** The Template Short Name of each **must** exactly match the corresponding labels set up in the AnyGatewayConfig.json file. 
- - -##### Step 11 - Add Custom Enrollment Fields -For each template set up in Step 8, certain custom enrollment fields **must** be added: - -**GoDaddyDVSSL and GoDaddyDVWildcardSSL:** - - CertificatePeriodInYears (required) - Number of years the certificate will be validated - - LastName (required) - Last name of certificate requestor - - FirstName (required) - First name of certificate requestor - - Email (required) - Email address of requestor - - Phone (required) - Phone number of requestor - -**GoDaddyUCCDVSSL:** - - All enrollment fields for GoDaddyDVSSL **and** - - SlotSize (optional) - Represents the maximum number of SANs that a certificate may have. Default is "FIVE" if this is not supplied. Only valid for GoDaddy UCC* product type certificates. This should be a multiple choice selection with the following values: - - FIVE - - TEN - - FIFTEEN - - TWENTY - - THIRTY - - FOURTY - - FIFTY - - ONE_HUNDRED - - **GoDaddyOVSSL, GoDaddyOVWildcardSSL, GoDaddyOVCS, and GoDaddyOVDS:** - - All enrollment fields for GoDaddyDVSSL **and** - - JobTitle (required) - The job title of the certificate requestor - - Organization Name (required) The name of the organization to be validated against - - OrganizationAddress (required) - The address of the organization to be validated against - - OrganizationCity (required) - The city of the organization to be validated against - - OrganizationState (required) - The full state name (no abbreviations) of the organization to be validated against - - OrganizationCountry (required) - The 2 character abbreviation of the organization to be validated against - - OrganizationPhone (required) - The phone number of the organization to be validated against - - **GoDaddyUCCEVSSL:** - - All enrollment fields for GoDaddyOVSSL **and** - - SlotSize (optional) - As described under GoDaddyUCCDVSSL - - **GoDaddyEVSSL:** - - All enrollment fields for GoDaddyOVSSL **and** - - JurisdictionState (required) - The full state name (no abbreviations) of 
where documents were filed to create the organization - - JurisdictionCountry (required) - The two character country abbreviation of where documents were filed to create the organization - - RegistrationNumber (required) - The registration number assigned to the organization when its documents were filed for registration - - **GoDaddyUCCEVSSL:** - - All enrollment fields for GoDaddyEVSSL **and** - - SlotSize (optional) - As described under GoDaddyUCCDVSSL - - -*** - -### License -[Apache](https://apache.org/licenses/LICENSE-2.0) From 2cd045c67f88c9367bf8138e8c0a19368ec78717 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 27 Apr 2022 23:20:18 +0000 Subject: [PATCH 4/4] Update generated README --- README.md | 270 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 270 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..70cc2e4 --- /dev/null +++ b/README.md 
@@ -0,0 +1,270 @@ +# GoDaddy CA Gateway + +GoDaddy is a domain registrar, web hosting company, and most relevant here, a public certificate authority. The GoDaddy AnyGateway is designed to allow Keyfactor Command the ability to - Sync certificates Issued from the CA - Request new certificates from the CA - Revoke certificates directly from Keyfactor Command - Certificate Reissue/Renewal + +#### Integration status: Pilot - Ready for use in test environments. Not for use in production. + +## About the Keyfactor AnyGateway CA Connector + +This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. + +--- +## integration_type = ca-gateway + +*** + +# GoDaddy Supported Certificate Types +GoDaddy supports the following certificate products: +- Domain Validated SSL (DV_SSL) +- Domain Validated Wildcard SSL (DV_WILDCARD_SSL) +- Domain Validated SSL With SANs (UCC_DV_SSL) +- Organization Validated SSL (OV_SSL) +- Organization Validated Wildcard SSL (OV_WILDCARD_SSL) +- Organization Validated SSL With SANs (UCC_OV_SSL) +- Organization Validated Code Signing (OV_CS) **NOTE: GoDaddy is no longer selling new credits for this product type** +- Organization Validated Driver Signing (OV_DS) **NOTE: GoDaddy is no longer selling new credits for this product type** +- Extended Validation SSL (EV_SSL) +- Extended Validation SSL With SANs (UCC_EV_SSL) + + +# GoDaddy Resources + +- [GoDaddy Portal](https://ae.godaddy.com/) +- [GoDaddy API Guide](https://developer.godaddy.com/doc) +- [Create GoDaddy SSOKey](https://developer.godaddy.com/keys?hbi_code=1) + + + +# Getting Started +### Prerequsites +To begin, you must have the AnyGateway Service installed and operational before attempting to configure the GoDaddy AnyGateway plugin. 
**INSTALLATION INSTRUCTIONS LINK** + +A production GoDaddy account must be set up that will be associated with the gateway and an API Key/Secret created. For more information on how to create an API Key, follow the instructions [here](https://developer.godaddy.com/keys). + + +### Installation and Configuration +##### Step 1 - Install the GoDaddy root and intermediate certificates. +There are four CA certificate chains that are supported by GoDaddy that can be used in the GoDaddy AnyGateway. For each of these CA chains that are to be supported by the local installation of the GoDaddy AnyGateway, the root and intermediate certificates must be installed in the Intermediate Certification Authorities store on the AnyGateway server and the root certificate must be installed in the Trusted Root Certification Authorities store on the AnyGateway server. +- GoDaddy SHA-1 (GODADDY_SHA_1) + - [Root Certificate](https://certs.godaddy.com/repository/gd-class2-root.crt) + - [Intermediate Certificate](https://certs.godaddy.com/repository/gd_intermediate.crt.pem) +- GoDaddy SHA256 (GODADDY_SHA_2) + - [Root Certificate](https://certs.godaddy.com/repository/gdroot-g2.crt) + - [Intermediate Certificate](https://certs.godaddy.com/repository/gdig2.crt.pem) +- Starfield SHA-1 (STARFIELD_SHA_1) + - [Root Certificate](https://certs.godaddy.com/repository/sf-class2-root.crt) + - [Intermediate Certificate](https://certs.godaddy.com/repository/sf_intermediate.crt.pem) +- Starfield SHA256 (STARFIELD_SHA_2) + - [Root Certificate](https://certs.godaddy.com/repository/sfroot-g2.crt) + - [Intermediate Certificate](https://certs.godaddy.com/repository/sfig2.crt.pem) + + +##### Step 2 - Create Templates in Active Directory +For each GoDaddy product being supported, you must create a Certificate Template on the Keyfactor Command server. Make note of the template name of each, as it will be referenced in a future step. 
+ + +##### Step 3 - Stop the Keyfactor AnyGateway service + + +##### Step 4 - Install the GoDaddy AnyGateway binaries +Once the AnyGateway configuration has been imported, the GoDaddy AnyGateway binaries need to be placed in the Keyfactor AnyGateway Service install directory +(C:\\Program Files\\Keyfactor\\Keyfactor AnyGateway for default installations). +The following binaries need to be placed in the install directory: +GoDaddyCAProxy.dll +RestSharp.dll + +##### Step 5 - Modify the CAProxyServer.exe.config file +Edit the CAProxyServer.exe.config file in the Keyfactor Gateway installation folder. Modify the "unity" section "* + +Once this is done, restart the Keyfactor AnyGateway service. + + +##### Step 6 - Modify the AnyGatewayConfig.json file +After installing the Keyfactor AnyGateway service (see Prerequisites), there should be a AnyGatewayConfig.json file located in your root c:\ folder. Edit it as follows: + +```json +{ + /*Maps the Active Directory template to the CA certificate type. + When enrollment is requested for an Active Directory certificate template, + the corresponding CA type will be enrolled. + Templates are specified by CommonName*/ + "Templates":{ + "GoDaddyDVSSL": { + "ProductID": "DV_SSL" + }, + "GoDaddyDVWildcardSSL": { + "ProductID": "DV_WILDCARD_SSL" + }, + "GoDaddyUCCDVSSL": { + "ProductID": "UCC_DV_SSL" + } + }, + /*Grant permissions on the CA to users or groups in the local domain. + READ: Enumerate and read contents of certificates. + ENROLL: Request certificates from the CA. + OFFICER: Perform certificate functions such as issuance and revocation. This is equivalent to "Issue and Manage" permission on the Microsoft CA. + ADMINISTRATOR: Configure/reconfigure the gateway. 
+ Valid permission settings are "Allow", "None", and "Deny".*/ + "Security":{ + /* Replace "Keyfactor\\Administrator with the domain\\account that has administrative privileges */ + "Keyfactor\\Administrator":{ + "READ":"Allow", + "ENROLL":"Allow", + "OFFICER":"Allow", + "ADMINISTRATOR":"Allow" + }, + /* Replace "Keyfactor\\SVC_TimerService with the domain\\account service account that will perform enrollment, sync, and revocation */ + by the Command Service. */ + "Keyfactor\\SVC_TimerService":{ + "READ":"Allow", + "ENROLL":"Allow", + "OFFICER":"Allow", + "ADMINISTRATOR":"None" + }, + /*Replace Keyfactor\\SVC_AppPool with the Application Pool Account for Keyfactor Command needs read at minimum. There are some function in Command that are not delegated to the logged in user (may be a result of local lab configuration TBD) so this allows the command portal to enumerate templates available in the AnyGateway CA + */ + "Keyfactor\\SVC_AppPool":{ + "READ":"Allow", //List the templates supported by the CA + "ENROLL":"Allow", + "OFFICER":"Allow",//Required to allow the portal to revoke a certificate. TODO: Ensure this is the case or if it should be delegated + "ADMINISTRATOR":"None" + } + }, + /*The Certificate Managers section is optional. + If configured, all users or groups granted OFFICER permissions under the Security section + must be configured for at least one Template and one Requester. + Uses "" to specify all templates. Uses "Everyone" to specify all requesters. + Valid permission values are "Allow" and "Deny".*/ + "CertificateManagers":null, + /*"CertificateManagers":{ + "DOMAIN\\Username":{ + "Templates":{ + "MyTemplateShortName":{ + "Requesters":{ + "Everyone":"Allow", + "DOMAIN\\Groupname":"Deny" + } + }, + "":{ + "Requesters":{ + "Everyone":"Allow" + } + } + } + } + },*/ + /*Information necessary to authenticate to the CA.*/ + "CAConnection":{ + // Base URL for GoDaddy API calls. 
This value should probably not need to change from what is shown below + "APIUrl": "https://api.ote-godaddy.com", + // The ShopperId is the "Customer #" found by selecting the pulldown on the top right of the GoDaddy portal home page + // after signing in using the account being used for the Gateway + "ShopperId": "9999999999", + // The APIKey is the GoDaddy API Key and secret mentioned in "Prerequisites" + "APIKey": "sso-key {large string value API Key}:{large string value API Secret}", + // One of four values based on the CA chain enrolled certificates should be validated against - GODADDY_SHA_1, GODADDY_SHA_2, + // STARTFIELD_SHA1, or STARTFIELD_SHA2 + "RootType": "GODADDY_SHA_2", + // The SyncPageSize represents the number of certificates that will be returned for each GoDaddy "get certificates" API call during a + // "sync" operation. The API call will be repeated in batches of this number until all cerificates are retrieved from the GoDady CA. + // GoDaddy has no imposed limit on the number of certificates that can be returned, but due to the amount of data being returned for + // each call, this number should be set to something reasonable, 50-500. + "SyncPageSize": "50", + // EnrollmentRetries is the number of tries an Enroll operation will attempt to successfully enroll a certificate (defined as a certificate + // being ISSUED or PENDING_ISSUANCE) against the GoDaddy CA before returning an error. + "EnrollmentRetries": "2", + // SecondsBetweenEnrollmentRetries is the amount of time an Enroll operation will wait between enrollment requests against the GoDaddy + // CA if the previous attempt did not produce a certificate with a status of ISSUED or PENDING_ISSUANCE. 
+ "SecondsBetweenEnrollmentRetries": "5" + }, + /*Information to register the Gateway for client connections.*/ + "GatewayRegistration":{ + // LogicalName is the Logical Name of the CA set up in Keyfactor - PKI Management => Certificate Authorities (later step) + "LogicalName": "GoDaddyCA", + // GatewayCertificate is the location and thumbprint of the GoDaddy intermediate CA certificate installed in a previous step + "GatewayCertificate": { + "StoreName": "CA", + "StoreLocation": "LocalMachine", + "Thumbprint": "‎27ac9369faf25207bb2627cefaccbe4ef9c319b8" + } + }, + /*Settings for the Gateway Service*/ + "ServiceSettings":{ + // ViewIdleMinutes - Number of minutes a Sync operation can take before a timeout is reported + "ViewIdleMinutes":8, + // How often, in hours, a full scan will occur + "FullScanPeriodHours": 1, + // How often, in minutes, a partial scan will occur. NOTE: for the GoDady AnyGateway, a partial scan is the same as a full scan + "PartialScanPeriodMinutes":15 + } +} +``` + + +##### Step 7 - Start the Keyfactor AnyGateway Service + + +##### Step 8 - Follow the AnyGateway instructions to set up your database and configuration + + +##### Step 9 - Add the GoDaddy CA to Keyfactor Command + + +##### Step 10 - Add the GoDaddy Products (Templates) to Keyfactor Command +For each of the three templates (GoDaddyDVSSL, GoDaddyDVWildcardSSL, and GoDaddyUCCDVSSL) configured in Step 4 in the AnyGatewayConfig.json file, create a corresponding template in Keyfactor Command. **NOTE:** The Template Short Name of each **must** exactly match the corresponding labels set up in the AnyGatewayConfig.json file. 
+ + +##### Step 11 - Add Custom Enrollment Fields +For each template set up in Step 8, certain custom enrollment fields **must** be added: + +**GoDaddyDVSSL and GoDaddyDVWildcardSSL:** + - CertificatePeriodInYears (required) - Number of years the certificate will be validated + - LastName (required) - Last name of certificate requestor + - FirstName (required) - First name of certificate requestor + - Email (required) - Email address of requestor + - Phone (required) - Phone number of requestor + +**GoDaddyUCCDVSSL:** + - All enrollment fields for GoDaddyDVSSL **and** + - SlotSize (optional) - Represents the maximum number of SANs that a certificate may have. Default is "FIVE" if this is not supplied. Only valid for GoDaddy UCC* product type certificates. This should be a multiple choice selection with the following values: + - FIVE + - TEN + - FIFTEEN + - TWENTY + - THIRTY + - FOURTY + - FIFTY + - ONE_HUNDRED + + **GoDaddyOVSSL, GoDaddyOVWildcardSSL, GoDaddyOVCS, and GoDaddyOVDS:** + - All enrollment fields for GoDaddyDVSSL **and** + - JobTitle (required) - The job title of the certificate requestor + - Organization Name (required) The name of the organization to be validated against + - OrganizationAddress (required) - The address of the organization to be validated against + - OrganizationCity (required) - The city of the organization to be validated against + - OrganizationState (required) - The full state name (no abbreviations) of the organization to be validated against + - OrganizationCountry (required) - The 2 character abbreviation of the organization to be validated against + - OrganizationPhone (required) - The phone number of the organization to be validated against + + **GoDaddyUCCEVSSL:** + - All enrollment fields for GoDaddyOVSSL **and** + - SlotSize (optional) - As described under GoDaddyUCCDVSSL + + **GoDaddyEVSSL:** + - All enrollment fields for GoDaddyOVSSL **and** + - JurisdictionState (required) - The full state name (no abbreviations) of 
where documents were filed to create the organization + - JurisdictionCountry (required) - The two character country abbreviation of where documents were filed to create the organization + - RegistrationNumber (required) - The registration number assigned to the organization when its documents were filed for registration + + **GoDaddyUCCEVSSL:** + - All enrollment fields for GoDaddyEVSSL **and** + - SlotSize (optional) - As described under GoDaddyUCCDVSSL + + +*** + +### License +[Apache](https://apache.org/licenses/LICENSE-2.0) + + +