Merge branch 'main' into release-1.0

indrora · web-flow · commit f8ca24c8222d · 2026-06-18T12:44:41.000-07:00
diff --git a/README.md b/README.md
@@ -120,6 +120,11 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
 The CAPlugin currently supports **one** authentication method: **AWS Access Key ID + Secret Access Key**.  
 **OAuth** and **Default SDK authentication** will be enabled in later updates. There is functionality present via the **Keyfactor AWS Authentication** library, but these alternate methods are currently ***untested***.
 
+### Known Issues
+
+At present, a fresh install of Keyfactor Command 24.4 used in conjuction with Keyfactor Gateway REST 25.4.0.0 is confirmed as working.  A fresh install of Command 25.3 used with REST 25.4.0.0 is also confirmed as working.
+Latest version of Command 25.4 may run into issues, investigation into compatibility issues is ongoing.
+
 ### What you need ready
 
 Before configuring the CAPlugin, have the following prepared:
diff --git a/aws-pca-caplugin/AWSPCACAPlugin.cs b/aws-pca-caplugin/AWSPCACAPlugin.cs
@@ -440,35 +440,59 @@ public async Task<EnrollmentResult> Enroll(
                     string priorRequestId;
                     try
                     {
-                        priorRequestId = await _certificateDataReader
-                            .GetRequestIDBySerialNumber(priorSn)
+                        return await IssueAndFetchAsync(
+                                csr,
+                                productInfo.ProductID,
+                                days,
+                                signingAlgorithm,
+                                "Certificate Issued")
                             .ConfigureAwait(false);
                     }
-                    catch (Exception ex)
+
+                case EnrollmentType.RenewOrReissue:
                     {
-                        return new EnrollmentResult
+                        if (productInfo.ProductParameters == null ||
+                            !TryGetProductParam(productInfo.ProductParameters, "PriorCertSN", out var priorSn) ||
+                            string.IsNullOrWhiteSpace(priorSn))
+                            return new EnrollmentResult
+                            {
+                                Status = (int)EndEntityStatus.FAILED,
+                                StatusMessage =
+                                    "Renew/Reissue requires ProductParameters['PriorCertSN'] (hex serial number)."
+                            };
+
+                        string priorRequestId;
+                        try
                         {
-                            Status = (int)EndEntityStatus.FAILED,
-                            StatusMessage = $"Could not resolve PriorCertSN to request id: {ex.Message}"
-                        };
-                    }
+                            priorRequestId = await _certificateDataReader
+                                .GetRequestIDBySerialNumber(priorSn)
+                                .ConfigureAwait(false);
+                        }
+                        catch (Exception ex)
+                        {
+                            return new EnrollmentResult
+                            {
+                                Status = (int)EndEntityStatus.FAILED,
+                                StatusMessage = $"Could not resolve PriorCertSN to request id: {ex.Message}"
+                            };
+                        }
 
-                    var expiration = _certificateDataReader.GetExpirationDateByRequestId(priorRequestId);
-                    var isRenewal = expiration.HasValue && expiration.Value.ToUniversalTime() <= DateTime.UtcNow;
+                        var expiration = _certificateDataReader.GetExpirationDateByRequestId(priorRequestId);
+                        var isRenewal = expiration.HasValue && expiration.Value.ToUniversalTime() <= DateTime.UtcNow;
 
-                    var msg = isRenewal ? "Certificate Renewed" : "Certificate Reissued";
-                    var token = BuildIdempotencyToken(isRenewal ? "renew" : "reissue", priorRequestId, csr);
+                        var msg = isRenewal ? "Certificate Renewed" : "Certificate Reissued";
+                        var token = BuildIdempotencyToken(isRenewal ? "renew" : "reissue", priorRequestId, csr);
 
-                    // Still "IssueCertificate" under the hood; PCA doesn't have first-class renew/reissue.
-                    return await IssueAndFetchAsync(
-                            csr,
-                            productInfo.ProductID,
-                            days,
-                            msg,
-                            // Optional: stable-ish idempotency (helps avoid duplicates if caller retries quickly)
-                            token)
-                        .ConfigureAwait(false);
-                }
+                        // Still "IssueCertificate" under the hood; PCA doesn't have first-class renew/reissue.
+                        return await IssueAndFetchAsync(
+                                csr,
+                                productInfo.ProductID,
+                                days,
+                                msg,
+                                // Optional: stable-ish idempotency (helps avoid duplicates if caller retries quickly)
+                                token)
+                            .ConfigureAwait(false);
+                    }
 
                 default:
                     return new EnrollmentResult
diff --git a/aws-pca-caplugin/Client/ACMPCAClient.cs b/aws-pca-caplugin/Client/ACMPCAClient.cs
@@ -781,4 +781,4 @@ private static class ConfigKeys
         public const string Region = "Region";
         public const string S3Bucket = "S3Bucket";
     }
-}
+}
diff --git a/docsource/configuration.md b/docsource/configuration.md
@@ -13,6 +13,11 @@ Download the **PCA root certificate** from AWS and have it ready to import into
 The CAPlugin currently supports **one** authentication method: **AWS Access Key ID + Secret Access Key**.  
 **OAuth** and **Default SDK authentication** will be enabled in later updates. There is functionality present via the **Keyfactor AWS Authentication** library, but these alternate methods are currently ***untested***.
 
+### Known Issues
+
+At present, a fresh install of Keyfactor Command 24.4 used in conjuction with Keyfactor Gateway REST 25.4.0.0 is confirmed as working.  A fresh install of Command 25.3 used with REST 25.4.0.0 is also confirmed as working.
+Latest version of Command 25.4 may run into issues, investigation into compatibility issues is ongoing. 
+
 ### What you need ready
 
 Before configuring the CAPlugin, have the following prepared:

Original file line number	Diff line number	Diff line change
`@@ -781,4 +781,4 @@ private static class ConfigKeys`
`781`	`781`	`public const string Region = "Region";`
`782`	`782`	`public const string S3Bucket = "S3Bucket";`
`783`	`783`	`}`
`784`		`-}`
	`784`	`+}`