5 | 5 | <p align="center"> |
6 | 6 | <!-- Badges --> |
7 | 7 | <img src="https://img.shields.io/badge/integration_status-pilot-3D1973?style=flat-square" alt="Integration Status: pilot" /> |
8 | | -<a href="https://github.com/Keyfactor/aws-pca-caplugin-dev/releases"><img src="https://img.shields.io/github/v/release/Keyfactor/aws-pca-caplugin-dev?style=flat-square" alt="Release" /></a> |
9 | | -<img src="https://img.shields.io/github/issues/Keyfactor/aws-pca-caplugin-dev?style=flat-square" alt="Issues" /> |
10 | | -<img src="https://img.shields.io/github/downloads/Keyfactor/aws-pca-caplugin-dev/total?style=flat-square&label=downloads&color=28B905" alt="GitHub Downloads (all assets, all releases)" /> |
| 8 | +<a href="https://github.com/Keyfactor/aws-pca-caplugin/releases"><img src="https://img.shields.io/github/v/release/Keyfactor/aws-pca-caplugin?style=flat-square" alt="Release" /></a> |
| 9 | +<img src="https://img.shields.io/github/issues/Keyfactor/aws-pca-caplugin?style=flat-square" alt="Issues" /> |
| 10 | +<img src="https://img.shields.io/github/downloads/Keyfactor/aws-pca-caplugin/total?style=flat-square&label=downloads&color=28B905" alt="GitHub Downloads (all assets, all releases)" /> |
11 | 11 | </p> |
12 | 12 |
|
13 | 13 | <p align="center"> |
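Review bot: lines 8–10 repoint the Release, Issues and Downloads badges from `aws-pca-caplugin-dev` to `aws-pca-caplugin`, but the `integration_status-pilot` badge on line 7 is left unchanged; confirm the status is still meant to read `pilot` after the move to the non-`-dev` repository, and confirm `Keyfactor/aws-pca-caplugin` is public before merging, since all three shields.io badges resolve against that repository and will not render meaningful values until it is reachable. Minor: only the Release badge is wrapped in an `<a>` link; the Issues and Downloads badges are bare images, so consider linking them to the corresponding issues and releases pages for consistency.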
@@ -53,7 +53,7 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and |
53 | 53 |
|
54 | 54 | 1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm). |
55 | 55 |
|
56 | | -2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [AWSPCA CA Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/aws-pca-caplugin-dev/releases/latest) from GitHub. |
| 56 | +2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [AWSPCA CA Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/aws-pca-caplugin/releases/latest) from GitHub. |
57 | 57 |
|
58 | 58 | 3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory: |
59 | 59 |
|
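Review bot: step 2 (line 56) still tells the operator to download and unzip "the latest" release with no integrity check, even though step 3 (line 58) copies the unzipped directory straight into the gateway's Extensions directory; if the repository publishes a checksum or signature for the release asset, name it here and ask the operator to verify it before unzipping, and consider pointing at the release that matches the "tested and confirmed as working for Anygateway REST 24.4" statement in the hunk header rather than `releases/latest`, so that the documented combination is the one operators actually install.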
@@ -110,7 +110,7 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and |
110 | 110 | 4. In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the [official documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Configuring%20Template%20Options.htm) to define enrollment fields for each of the following parameters: |
111 | 111 |
|
112 | 112 | * **LifetimeDays** - OPTIONAL: The number of days of validity to use when requesting certs. If not provided, default is 365 |
113 | | - * **SigningAlgorithm** - Required: Signing Algorithm to use with the PCA. |
| 113 | + * **SigningAlgorithm** - Required: AWS ACM PCA certificate signature algorithm to use when issuing certificates. Value is an AWS PCA SigningAlgorithm enum name (case-insensitive), e.g. SHA256WITHRSA, SHA384WITHRSA, SHA256WITHECDSA. If omitted, the plugin selects a default compatible with the CA key algorithm. |
114 | 114 |
|
115 | 115 |
|
116 | 116 | ## Authentication (Access Key + Secret) |
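Review bot: line 113 keeps the `Required:` label on `SigningAlgorithm` while the same sentence now says "If omitted, the plugin selects a default compatible with the CA key algorithm", which contradicts itself and the `OPTIONAL` wording used for `LifetimeDays` on line 112; change it to `OPTIONAL:` (matching line 112) or drop the "If omitted" sentence, and either state which enum name is chosen per CA key family or point to the auto-selection list elsewhere in the README, so an operator can tell whether the default meets their signature-strength policy. The "case-insensitive" claim is also worth verifying against the plugin's enum parsing before it is documented.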
@@ -338,6 +338,52 @@ When `SigningAlgorithm` is omitted, the plugin selects: |
338 | 338 | - SM2 -> `SM3WITHSM2` |
339 | 339 | - ML-DSA -> exact-match (`ML_DSA_44/65/87`) |
340 | 340 |
|
| 341 | +--- |
| 342 | +
|
| 343 | +## Signing algorithm selection (ACM PCA) |
| 344 | +
|
| 345 | +The connector supports an optional **template / product parameter** named `SigningAlgorithm` that controls the **certificate signature algorithm** |
| 346 | +passed to AWS ACM PCA `IssueCertificate`. |
| 347 | +
|
| 348 | +- If **not set**, the plugin will **auto-select** a compatible default based on the CA `KeyAlgorithm` returned by |
| 349 | + `DescribeCertificateAuthority`. |
| 350 | +- If **set**, the plugin validates the value and **rejects incompatible combinations** before calling AWS. |
| 351 | +
|
| 352 | +### Where to configure |
| 353 | +
|
| 354 | +Set `SigningAlgorithm` on the **AnyGateway template** (product parameters), alongside `LifetimeDays`. |
| 355 | +
|
| 356 | +### Valid `SigningAlgorithm` values (AWS PCA) |
| 357 | +
|
| 358 | +- RSA family: `SHA256WITHRSA`, `SHA384WITHRSA`, `SHA512WITHRSA` |
| 359 | +- ECDSA family: `SHA256WITHECDSA`, `SHA384WITHECDSA`, `SHA512WITHECDSA` |
| 360 | +- SM2: `SM3WITHSM2` |
| 361 | +- ML-DSA (post-quantum): `ML_DSA_44`, `ML_DSA_65`, `ML_DSA_87` |
| 362 | +
|
| 363 | +### Allowed CA key algorithm <-> signing algorithm combinations |
| 364 | +
|
| 365 | +The CA key algorithm is the PCA CA **KeyAlgorithm** (not the subject key in the CSR). The signing algorithm must match the CA key family. |
| 366 | +
|
| 367 | +| CA KeyAlgorithm | Allowed SigningAlgorithm values | |
| 368 | +|---|---| |
| 369 | +| `RSA_2048`, `RSA_3072`, `RSA_4096` | `SHA256WITHRSA`, `SHA384WITHRSA`, `SHA512WITHRSA` | |
| 370 | +| `EC_prime256v1`, `EC_secp384r1`, `EC_secp521r1` | `SHA256WITHECDSA`, `SHA384WITHECDSA`, `SHA512WITHECDSA` | |
| 371 | +| `SM2` | `SM3WITHSM2` | |
| 372 | +| `ML_DSA_44` | `ML_DSA_44` | |
| 373 | +| `ML_DSA_65` | `ML_DSA_65` | |
| 374 | +| `ML_DSA_87` | `ML_DSA_87` | |
| 375 | +
|
| 376 | +### Auto-selection defaults |
| 377 | +
|
| 378 | +When `SigningAlgorithm` is omitted, the plugin selects: |
| 379 | +
|
| 380 | +- RSA CAs -> `SHA256WITHRSA` |
| 381 | +- EC P-256 -> `SHA256WITHECDSA` |
| 382 | +- EC P-384 -> `SHA384WITHECDSA` |
| 383 | +- EC P-521 -> `SHA512WITHECDSA` |
| 384 | +- SM2 -> `SM3WITHSM2` |
| 385 | +- ML-DSA -> exact-match (`ML_DSA_44/65/87`) |
| 386 | +
|
341 | 387 |
|
342 | 388 | ## License |
343 | 389 |
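Review bot: this hunk inserts a "Signing algorithm selection (ACM PCA)" section (lines 341–386) directly after context lines 338–340, which are the tail of an "Auto-selection defaults" list identical to the one added at lines 378–385 (`SM2 -> SM3WITHSM2`, `ML-DSA -> exact-match (ML_DSA_44/65/87)`, under the same "When `SigningAlgorithm` is omitted, the plugin selects:" heading shown in the `@@` context), so the README appears to end up with the whole section twice; drop the duplicate, or merge any genuinely new content (the compatibility table at lines 367–374) into the existing section. Within the table itself, each EC curve row allows all three `SHA*WITHECDSA` values, whereas the auto-selection list pairs each curve with one digest (P-256 -> SHA256, P-384 -> SHA384, P-521 -> SHA512); if the wider allow-list is intentional, say so in the text above the table, since a reader may otherwise assume the table and the defaults express the same rule.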