From a18eaa5f7c641c24690459c892b8ea3c66bfa2e6 Mon Sep 17 00:00:00 2001
From: Macey <11599974+doebrowsk@users.noreply.github.com>
Date: Thu, 26 Jun 2025 20:42:47 +0000
Subject: [PATCH 1/2] fix(add): address memory resource and tagging bug that prevent certificates from being added
Signed-off-by: Macey <11599974+doebrowsk@users.noreply.github.com>
---
 CHANGELOG.md | 4 ++++
 aws-acm-orchestrator/Jobs/Management.cs | 24 ++++++++++++++++--------
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 261de90..2b6e556 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+3.0.1
+* Fixed a bug where memory streams closed early before submitting certificates to ACM in Management Add jobs
+* Fixed a bug where ACM tags would be "set" even if none where entered, preventing a certificate from being added without tags
+
 3.0.0
 * Upgrade to AWS SDK v4
 * All interactions with AWS now target the Region specified in `Store Path` with no "default" Region considered
diff --git a/aws-acm-orchestrator/Jobs/Management.cs b/aws-acm-orchestrator/Jobs/Management.cs
index b956249..faf773f 100644
--- a/aws-acm-orchestrator/Jobs/Management.cs
+++ b/aws-acm-orchestrator/Jobs/Management.cs
@@ -199,6 +199,7 @@ internal JobResult PerformAddition(AwsExtensionCredential awsCredentials, Manage
 Logger.LogTrace($"Got certPem {certPem}");
 //Create Memory Stream For Server Cert
 ImportCertificateRequest icr;
+ ImportCertificateResponse IcrResponse;
 using (MemoryStream serverCertStream = CertStringToStream(certPem))
 {
 using (MemoryStream privateStream = CertStringToStream(privateKeyString))
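Review bot: `IcrResponse` is a local, so by this file's own convention (`icr`, `certPem`, `acmTags`) it should be camelCase, `ImportCertificateResponse icrResponse;` — the PascalCase name reads as a field or property. The name predates this commit, but since the declaration is being rewritten anyway it is the moment to fix it; the same rename applies to the assignment added in the next hunk and to the two context uses of `IcrResponse` that follow it. PerformAddition starts before this hunk and continues past it.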
@@ -211,17 +212,24 @@ internal JobResult PerformAddition(AwsExtensionCredential awsCredentials, Manage
 PrivateKey = privateStream,
 CertificateChain = chainStream
 };
+
+ icr.CertificateArn = config.JobCertificate.Alias?.Length >= 20 ? config.JobCertificate.Alias.Trim() : null; //If an arn is provided, use it, this will perform a renewal/replace
+ Logger.LogTrace($"Certificate arn {icr.CertificateArn}");
+
+ if (acmTags != null && acmTags.Count > 0)
+ {
+ Logger.LogDebug($"Number of ACM tags added to certificate: {acmTags.Count}");
+ icr.Tags = acmTags;
+ }
+ else
+ {
+ Logger.LogDebug("No ACM tags were added to the certificate");
+ }
+
+ IcrResponse = AsyncHelpers.RunSync(() => AcmClient.ImportCertificateAsync(icr));
 }
 }
 }
- icr.CertificateArn = config.JobCertificate.Alias?.Length >= 20 ? config.JobCertificate.Alias.Trim() : null; //If an arn is provided, use it, this will perform a renewal/replace
- if (icr.CertificateArn == null )
- {
- icr.Tags = acmTags;
- }
- Logger.LogTrace($"Certificate arn {icr.CertificateArn}");
-
- ImportCertificateResponse IcrResponse = AsyncHelpers.RunSync(() => AcmClient.ImportCertificateAsync(icr));
 Logger.LogTrace($"IcrResponse JSON: {JsonConvert.SerializeObject(IcrResponse)}");
 // Ensure 200 Response
 if (IcrResponse.HttpStatusCode == HttpStatusCode.OK)
From c46ef75eee43400a50eb99e03e2ff686ba3f0d0b Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Thu, 26 Jun 2025 20:45:50 +0000
Subject: [PATCH 2/2] Update generated docs
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 43b2419..6fdec66 100644
--- a/README.md
+++ b/README.md
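Review bot: The new tag block drops the old `icr.CertificateArn == null` guard, so tags are now attached on re-imports as well; as far as I recall the ACM ImportCertificate API rejects Tags when a CertificateArn is supplied, which would turn every renewal with tags configured into a failed import rather than fixing the "no tags" case alone. Keep the new non-empty check but restore the guard, `if (icr.CertificateArn == null && acmTags != null && acmTags.Count > 0)`, and have the else branch say why tags were skipped so a renewal is not mistaken for a missing-tags job. Separately, treating any Alias of 20 or more characters as an ARN is a weak test: a long non-ARN alias is sent as CertificateArn and fails on the service side instead of with a clear local message, and the length is measured before the Trim; `var alias = config.JobCertificate.Alias?.Trim();` followed by `icr.CertificateArn = alias != null && alias.StartsWith("arn:", StringComparison.Ordinal) ? alias : null;` states the intent directly. The body of PerformAddition continues on both sides of this hunk.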
@@ -370,8 +370,8 @@ When migrating to the `AWS-ACM-v3` type please note that field usage has changed Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - | Attribute | Description | - | --------- | ----------- | + | Attribute | Description | + | --------- |---------------------------------------------------------| | Category | Select "AWS Certificate Manager v3" or the customized certificate store name from the previous step. | | Container | Optional container to associate certificate store with. | | Client Machine | This is a full AWS ARN specifying a Role. This is the Role that will be assumed in any Auth scenario performing Assume Role. This will dictate what certificates are usable by the orchestrator. A preceding [profile] name should be included if a Credential Profile is to be used in Default Sdk Auth. |