You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Set appropriate file permissions to restrict access
75
+
- Record the full path and password for Gateway configuration
76
+
77
+
#### 3. Certificate Profiles (Templates)
78
+
79
+
Certificate profiles define the types of certificates that can be issued. The plugin automatically discovers available profiles from the Idnomic system.
80
+
81
+
**To view available profiles:**
82
+
83
+
1. The profiles are retrieved automatically when the CA is configured
84
+
2. Profiles appear in Keyfactor Command as "Product IDs" after CA registration
85
+
3. Each profile represents a certificate template configured in Idnomic PKI
86
+
87
+
**Note**: Profile discovery uses the `list_profiles` SOAP operation. Ensure the client certificate has permissions to call this operation.
88
+
89
+
#### 4. Zones
90
+
91
+
Zones in Idnomic PKI represent organizational or security boundaries within the PKI hierarchy. Each certificate enrollment request must specify a zone.
92
+
93
+
**Common zone examples**:
94
+
-`Default`
95
+
-`Production`
96
+
-`Test`
97
+
-`DMZ`
98
+
- Custom zones as configured in your Idnomic PKI
99
+
100
+
**To identify available zones:**
101
+
102
+
1. Contact your Idnomic PKI administrator for the list of configured zones
103
+
2. Zones may be visible through the `certificate_search_properties` operation
104
+
3. Document the zone names exactly as they appear in the system (case-sensitive)
105
+
106
+
### Supported Revocation Reasons
107
+
108
+
The plugin supports the following standard CRL revocation reasons:
109
+
110
+
| Reason Code | Reason Name | Description |
111
+
|-------------|-------------|-------------|
112
+
| 0 | Unspecified | No specific reason provided |
113
+
| 1 | Key Compromise | Private key has been compromised |
114
+
| 2 | CA Compromise | Certificate Authority has been compromised |
| 4 | Superseded | Certificate has been superseded by a new certificate |
117
+
118
+
**Note**: Not all Idnomic PKI configurations support all revocation reasons. Consult your Idnomic administrator for supported reasons in your environment.
21
119
22
120
## Gateway Registration
23
121
24
-
TODO Gateway Registration is a required section
122
+
### CA Connection Configuration
123
+
124
+
When registering the Idnomic CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
125
+
126
+
| Parameter | Description | Required | Example |
127
+
|-----------|-------------|----------|---------|
128
+
|**EndpointAddress**| Full URL to the Idnomic RA connector SOAP endpoint | Yes |`https://idnomic.example.com:8443/RA/connector.cgi`|
129
+
|**ClientCertLocation**| Full file path to the client certificate PFX file on the Gateway server | Yes |`C:\Certificates\gateway-client.pfx`|
130
+
|**ClientCertPassword**| Password for the client certificate PFX file | Yes |`SecureP@ssw0rd`|
131
+
|**Enabled**| Whether the CA connection is enabled | No (default: true) |`true` or `false`|
132
+
133
+
### Template (Product) Configuration
134
+
135
+
Each certificate template discovered from Idnomic requires configuration when used for enrollment:
136
+
137
+
| Parameter | Description | Required | Example |
138
+
|-----------|-------------|----------|---------|
139
+
|**Zone**| The Idnomic PKI zone where certificates will be issued | Yes |`Production`|
140
+
141
+
**Important Notes**:
142
+
- Template names (Product IDs) are automatically discovered from Idnomic using the `list_profiles` operation
143
+
- The Zone parameter must exactly match a zone configured in your Idnomic PKI system
144
+
- Zone names are case-sensitive
145
+
- Each template can be configured with a different zone if needed
146
+
147
+
### Gateway Registration Notes
148
+
149
+
- Each defined Certificate Authority in the AnyCA Gateway REST can support one Idnomic CA endpoint
150
+
- If you have multiple Idnomic PKI instances or need to issue from different zones with different permissions, you must define multiple Certificate Authorities in the AnyCA Gateway
151
+
- Each CA configuration will manifest in Command as a separate CA entry
152
+
- The plugin uses SOAP-based communication exclusively; ensure the RA connector endpoint is properly configured for SOAP access
153
+
- Client certificate authentication is mandatory and cannot be disabled
154
+
- The "Enabled" flag allows you to temporarily disable a CA connection without removing the configuration
155
+
156
+
### Security Considerations
157
+
158
+
1.**Certificate Storage**: Store client certificates in a secure location with restricted file system permissions
159
+
2.**Password Management**: Use strong passwords for client certificate PFX files and consider using a secrets management system
160
+
3.**Network Security**: Ensure TLS/SSL is properly configured for the RA connector endpoint
161
+
4.**Least Privilege**: Request client certificates with minimal required permissions in the Idnomic PKI system
162
+
5.**Audit Logging**: Enable comprehensive logging in both the Gateway and Idnomic PKI for security monitoring
163
+
164
+
## Troubleshooting
165
+
166
+
### Connection Issues
167
+
- Verify the RA connector endpoint URL is correct and accessible
168
+
- Check that the client certificate is valid and not expired
169
+
- Confirm the client certificate is trusted by the Idnomic PKI system
170
+
- Review Gateway logs for SOAP communication errors
171
+
172
+
### Profile Discovery Issues
173
+
- Ensure the client certificate has permissions to call `list_profiles`
174
+
- Verify the RA connector is properly configured in Idnomic
175
+
- Check that profiles are published and available in the Idnomic system
176
+
177
+
### Enrollment Failures
178
+
- Verify the Zone parameter exactly matches a configured zone in Idnomic
179
+
- Confirm the selected profile supports the requested certificate attributes
180
+
- Check that the client certificate has enrollment permissions for the specified zone
181
+
- Review Idnomic PKI logs for detailed error messages
182
+
183
+
### Synchronization Issues
184
+
- Confirm the client certificate has permissions to call `search_for_certificates`
185
+
- Verify network connectivity and timeout settings
186
+
- For large certificate databases, consider adjusting synchronization schedules
187
+
188
+
## Test Cases
189
+
190
+
### Test Case 1: CA Connection Validation
191
+
192
+
**Objective**: Verify that the Gateway can successfully connect to the Idnomic RA connector using client certificate authentication.
193
+
194
+
**Prerequisites**:
195
+
- Idnomic PKI system is operational
196
+
- Valid client certificate (PFX) is available
197
+
- RA connector endpoint is accessible
198
+
199
+
**Test Steps**:
200
+
1. Configure the CA in AnyCA Gateway with valid connection parameters
201
+
2. Click "Test Connection" or trigger the Ping operation
202
+
3. Observe the connection result
203
+
204
+
**Expected Results**:
205
+
- Connection succeeds without errors
206
+
- Gateway logs show successful SOAP authentication
207
+
- No certificate validation errors occur
208
+
209
+
**Verification**:
210
+
- Review Gateway logs for successful connection message
211
+
- Check Idnomic PKI logs for incoming authenticated connection
212
+
- Verify no SSL/TLS errors in either system
213
+
214
+
---
215
+
216
+
### Test Case 2: Profile Discovery
217
+
218
+
**Objective**: Verify that the Gateway can retrieve the list of available certificate profiles from Idnomic PKI.
219
+
220
+
**Prerequisites**:
221
+
- CA connection is successfully configured
222
+
- At least one certificate profile is configured in Idnomic PKI
223
+
- Client certificate has permissions to call `list_profiles`
224
+
225
+
**Test Steps**:
226
+
1. Save the CA configuration in AnyCA Gateway
227
+
2. Navigate to the template/product configuration section
228
+
3. Observe the list of available Product IDs
229
+
230
+
**Expected Results**:
231
+
- List of profiles is populated automatically
232
+
- Profile names match those configured in Idnomic PKI
233
+
- No empty or null profile names appear
234
+
235
+
**Verification**:
236
+
- Compare the list of profiles in Gateway with Idnomic PKI configuration
237
+
- Verify profile names are correctly displayed
238
+
- Check Gateway logs for successful `list_profiles` SOAP call
239
+
240
+
---
241
+
242
+
### Test Case 3: Certificate Enrollment - Valid Request
243
+
244
+
**Objective**: Verify successful certificate enrollment through the plugin.
245
+
246
+
**Prerequisites**:
247
+
- CA and template are properly configured
248
+
- Valid Zone parameter is configured for the template
249
+
- Test CSR is available
250
+
251
+
**Test Steps**:
252
+
1. Submit an enrollment request via Keyfactor Command
253
+
2. Specify the Idnomic CA and a valid template
254
+
3. Provide a valid PKCS#10 CSR
255
+
4. Wait for enrollment to complete
256
+
257
+
**Expected Results**:
258
+
- Enrollment completes successfully
259
+
- Certificate is issued by Idnomic PKI
260
+
- Certificate is returned to Keyfactor Command
261
+
- Certificate appears in Command inventory
262
+
263
+
**Verification**:
264
+
- Verify certificate details match the CSR
265
+
- Confirm certificate is present in Idnomic PKI database
266
+
- Check that certificate chain is properly constructed
267
+
- Validate certificate can be used for its intended purpose
268
+
269
+
---
270
+
271
+
### Test Case 4: Certificate Enrollment - Invalid Zone
272
+
273
+
**Objective**: Verify proper error handling when an invalid zone is specified.
274
+
275
+
**Prerequisites**:
276
+
- CA and template are configured
277
+
- Zone parameter is set to a non-existent zone name
278
+
279
+
**Test Steps**:
280
+
1. Submit an enrollment request with invalid Zone parameter
281
+
2. Observe the enrollment result
282
+
283
+
**Expected Results**:
284
+
- Enrollment fails with clear error message
285
+
- Error message indicates invalid zone
286
+
- No certificate is issued
287
+
- System remains stable
288
+
289
+
**Verification**:
290
+
- Check error message clarity and accuracy
291
+
- Verify Gateway logs contain detailed error information
292
+
- Confirm no partial enrollment occurred in Idnomic PKI
293
+
294
+
---
295
+
296
+
### Test Case 5: Certificate Synchronization - Full Sync
297
+
298
+
**Objective**: Verify full certificate synchronization from Idnomic PKI to Keyfactor Command.
299
+
300
+
**Prerequisites**:
301
+
- CA is properly configured
302
+
- Multiple certificates exist in Idnomic PKI
303
+
- Synchronization is configured in Command
304
+
305
+
**Test Steps**:
306
+
1. Trigger a full synchronization job
307
+
2. Wait for synchronization to complete
308
+
3. Verify synchronized certificate count
309
+
310
+
**Expected Results**:
311
+
- All certificates from Idnomic PKI are synchronized
312
+
- Certificate details are accurate (subject, serial number, dates, etc.)
313
+
- No duplicate certificates appear
314
+
- Synchronization completes without errors
315
+
316
+
**Verification**:
317
+
- Compare certificate count in Command vs. Idnomic PKI
318
+
- Spot-check several certificates for data accuracy
319
+
- Review synchronization logs for any warnings or errors
320
+
- Verify certificate chains are properly synchronized
321
+
322
+
---
323
+
324
+
### Test Case 6: Certificate Synchronization - Incremental Sync
325
+
326
+
**Objective**: Verify incremental synchronization only retrieves new certificates since last sync.
327
+
328
+
**Prerequisites**:
329
+
- Initial full synchronization has been completed
330
+
- Timestamp of last sync is recorded
331
+
- New certificates have been issued since last sync
332
+
333
+
**Test Steps**:
334
+
1. Note the timestamp of the last successful sync
335
+
2. Issue one or more new certificates in Idnomic PKI
336
+
3. Trigger an incremental synchronization
337
+
4. Observe synchronized certificates
338
+
339
+
**Expected Results**:
340
+
- Only certificates issued after last sync are retrieved
341
+
- Sync completes faster than full sync
342
+
- All new certificates are properly synchronized
343
+
- Previously synchronized certificates are not duplicated
344
+
345
+
**Verification**:
346
+
- Verify only recent certificates were processed
347
+
- Check sync duration is appropriate for certificate count
348
+
- Review Gateway logs to confirm incremental sync parameters
349
+
- Validate certificate data integrity
350
+
351
+
---
352
+
353
+
### Test Case 7: Certificate Revocation - Key Compromise
354
+
355
+
**Objective**: Verify certificate revocation with reason code 1 (Key Compromise).
356
+
357
+
**Prerequisites**:
358
+
- A valid certificate issued through the Gateway exists
359
+
- Certificate is not already revoked
360
+
361
+
**Test Steps**:
362
+
1. Identify a test certificate to revoke
363
+
2. Submit revocation request with reason "Key Compromise" (code 1)
364
+
3. Wait for revocation to complete
365
+
366
+
**Expected Results**:
367
+
- Revocation succeeds
368
+
- Certificate status changes to "Revoked" in Command
369
+
- Certificate appears on CRL in Idnomic PKI
370
+
- Revocation reason is correctly recorded
371
+
372
+
**Verification**:
373
+
- Check certificate status in Keyfactor Command
374
+
- Verify certificate appears on Idnomic CRL with correct reason code
375
+
- Confirm revocation timestamp is accurate
376
+
- Validate certificate can no longer be used for authentication
377
+
378
+
---
379
+
380
+
### Test Case 8: Profile Properties Validation
381
+
382
+
**Objective**: Verify that profile-specific properties are correctly enforced during enrollment.
383
+
384
+
**Prerequisites**:
385
+
- Profiles with different configurations exist (key sizes, validity periods, etc.)
386
+
- Zone parameter is correctly configured
387
+
388
+
**Test Steps**:
389
+
1. Attempt enrollment with CSR matching profile requirements
390
+
2. Attempt enrollment with CSR not matching profile requirements (e.g., wrong key size)
391
+
3. Observe results
392
+
393
+
**Expected Results**:
394
+
- Valid enrollments succeed
395
+
- Invalid enrollments fail with descriptive error messages
396
+
- Profile constraints are properly enforced by Idnomic PKI
0 commit comments