{
"$schema": "https://keyfactor.github.io/v2/integration-manifest-schema.json",
"integration_type": "anyca-plugin",
"name": "CERTInext AnyCA REST Gateway Plugin",
"status": "production",
"support_level": "kf-supported",
"link_github": true,
"update_catalog": true,
"description": "AnyCA REST Gateway plugin for CERTInext (eMudhra) certificate lifecycle management platform",
"gateway_framework": "25.5.0",
"release_dir": "CERTInext/bin/Release",
"release_project": "CERTInext/CERTInext.csproj",
"about": {
"carest": {
"product_ids": [
"DV SSL",
"DV SSL Wildcard",
"DV SSL Multi-Domain (UCC)",
"DV SSL Wildcard Multi-Domain (UCC)",
"OV SSL",
"OV SSL Wildcard",
"OV SSL Multi-Domain (UCC)",
"OV SSL Wildcard Multi-Domain (UCC)",
"EV SSL",
"EV SSL Multi-Domain (UCC)"
],
"ca_plugin_config": [
{
"name": "ApiUrl",
"description": "REQUIRED: CERTInext API base URL. Sandbox (US): https://sandbox-us-api.certinext.io/emSignHub-API/ \u2014 Production (US): https://us-api.certinext.io/emSignHub-API/ \u2014 Production (Global/India): https://api.certinext.io/emSignHub-API/"
},
{
"name": "AccountNumber",
"description": "REQUIRED: Your CERTInext account number (numeric string). Available in the CERTInext portal."
},
{
"name": "GroupNumber",
"description": "OPTIONAL: CERTInext group (delegation) number. When set, it is included in GetProductDetails requests AND in the `delegationInformation.groupNumber` field of every SSL order so the order is routed to the correct account group. Some accounts will queue orders for additional review when this field is omitted. Available in the CERTInext portal under Delegation \u2192 Groups."
},
{
"name": "OrganizationNumber",
"description": "STRONGLY RECOMMENDED for OV/EV and faster DV issuance: numeric CERTInext organization number for a pre-vetted organization (e.g. your company's pre-vetted entry). When set, every SSL order is submitted with `organizationDetails.preVetting=\"1\"` and the configured `organizationNumber`, telling CERTInext to skip the manual organization-vetting queue. Without this value, orders are placed without any organizationDetails block and CERTInext may park them in `Pending System RA` for extended manual review (observed: tens of hours). Available in the CERTInext portal under Organizations \u2192 Pre-vetted Organizations."
},
{
"name": "TechnicalContactName",
"description": "OPTIONAL: Name sent in the `technicalPointOfContact.tpcName` field of every SSL order. Defaults to the configured RequestorName when blank. Some product configurations require a TPoC to be present; omitting it can cause CERTInext to park orders awaiting manual completion of the field."
},
{
"name": "TechnicalContactEmail",
"description": "OPTIONAL: Email sent in the `technicalPointOfContact.tpcEmail` field of every SSL order. Defaults to the configured RequestorEmail when blank."
},
{
"name": "TechnicalContactIsdCode",
"description": "OPTIONAL: International dialing code for the TPoC phone number. Defaults to the configured RequestorIsdCode when blank."
},
{
"name": "TechnicalContactMobileNumber",
"description": "OPTIONAL: Mobile number for the TPoC (digits only). Defaults to the configured RequestorMobileNumber when blank."
},
{
"name": "AuthMode",
"description": "REQUIRED: Authentication mode. 'AccessKey' (default) \u2014 uses authKey = SHA256(accessKey + ts + txn) in every request body, where accessKey is the configured ApiKey and ts/txn are the per-request values the plugin supplies. 'OAuth' \u2014 uses an OAuth2 bearer token (requires OAuthTokenUrl, OAuthClientId, OAuthClientSecret)."
},
{
"name": "ApiKey",
"description": "REQUIRED when AuthMode is 'AccessKey': the REST API Access Key generated in the CERTInext portal under Integrations \u2192 APIs. This value is used to compute authKey = SHA256(accessKey + ts + txn); it is never transmitted directly. Treat it as a credential: store it in the gateway's protected configuration and do not commit it to source control."
},
{
"name": "OAuthTokenUrl",
"description": "OAuth token endpoint URL. Required when AuthMode is 'OAuth'."
},
{
"name": "OAuthClientId",
"description": "OAuth client ID. Required when AuthMode is 'OAuth'."
},
{
"name": "OAuthClientSecret",
"description": "OAuth client secret. Required when AuthMode is 'OAuth'. Treat it as a credential: store it in the gateway's protected configuration and do not commit it to source control."
},
{
"name": "RequestorName",
"description": "REQUIRED: Default requestor name submitted with all certificate orders. This is the name of the person/service responsible for the certificates."
},
{
"name": "RequestorEmail",
"description": "REQUIRED: Default requestor email submitted with all certificate orders. Must be a valid email address registered in your CERTInext account."
},
{
"name": "RequestorIsdCode",
"description": "International dialing code for the requestor phone number (e.g. '1' for US). Default: '1'."
},
{
"name": "RequestorMobileNumber",
"description": "Requestor mobile number (digits only, no country code)."
},
{
"name": "SignerPlace",
"description": "City or location of the subscriber agreement signer. Required by CERTInext for all orders."
},
{
"name": "SignerIp",
"description": "IP address of the subscriber agreement signer. Required by CERTInext for all orders."
},
{
"name": "DefaultProductCode",
"description": "OPTIONAL: Default numeric product code used when not specified at template level. Product codes are provided by eMudhra (e.g. the SSL DV 1-year code for your account). Retrieve available codes from Integrations \u2192 APIs \u2192 GetProductDetails."
},
{
"name": "AccountingModel",
"description": "OPTIONAL: CERTInext billing model sent in `orderDetails.accountingModel`. \"2\" = credit-based (most accounts, default). \"1\" = cash model."
},
{
"name": "EmailNotifications",
"description": "OPTIONAL: Whether CERTInext sends lifecycle-event emails to the requestor. \"1\" = enabled, \"0\" = silent (recommended for gateway-driven orders so end users aren't surprised by CA emails). Default: \"0\"."
},
{
"name": "SubscriptionValidityYears",
"description": "OPTIONAL: Default validity in years for SSL orders. \"1\", \"2\", or \"3\". Override per template via the ValidityYears product parameter. Default: \"1\"."
},
{
"name": "SubscriptionAutoRenew",
"description": "OPTIONAL: Whether CERTInext should auto-renew certificates issued through this connector. \"0\" = disabled (recommended \u2014 renewal is driven by Keyfactor Command), \"1\" = enabled. Default: \"0\"."
},
{
"name": "SubscriptionRenewCriteriaDays",
"description": "OPTIONAL: Days before expiry at which CERTInext auto-renews (only honored when SubscriptionAutoRenew = \"1\"). Typical values: \"30\" or \"60\". Default: \"30\"."
},
{
"name": "AutoSecureWww",
"description": "OPTIONAL: If \"1\", CERTInext automatically adds the `www.` variant of the primary domain as an additional SAN. \"0\" = use only the CN/SANs supplied with the CSR. Default: \"0\"."
},
{
"name": "IgnoreExpired",
"description": "If true, expired certificates will be skipped during synchronization. Default: false."
},
{
"name": "PageSize",
"description": "Number of orders to fetch per page during synchronization. Default: 100, max: 500."
},
{
"name": "Enabled",
"description": "Enables or disables the CA connector. Set to false to create the connector record before credentials are available. Default: true."
},
{
"name": "DcvEnabled",
"description": "OPTIONAL: When true, the gateway will perform DNS-based Domain Control Validation (DCV) during enrollment for orders that require it, using the configured DNS provider plugin. Requires a DNS provider plugin (e.g. azure-azuredns-dnsplugin) to be deployed on the gateway. Because that plugin writes TXT records into your DNS zones, scope its credentials to the zones used for validation. Default: false."
},
{
"name": "DcvTxtRecordTemplate",
"description": "OPTIONAL: Format string for the DNS TXT record hostname used during DCV. {0} is replaced with the domain name being validated. Default: _emsign-validation.{0}"
},
{
"name": "DcvPropagationDelaySeconds",
"description": "OPTIONAL: Seconds to wait after publishing the DNS TXT record before asking CERTInext to verify it. Increase for zones with slow propagation. Default: 30."
},
{
"name": "DcvTimeoutMinutes",
"description": "OPTIONAL: Maximum minutes to wait for the entire DCV flow (DNS publish + propagation + verify) before timing out the enrollment. Can also be set via the CERTINEXT_DCV_TIMEOUT_MINUTES environment variable; the env var takes precedence when both are set. Default: 10."
},
{
"name": "DcvWaitForChallengeSeconds",
"description": "OPTIONAL: How long (seconds) the plugin will wait inside Enroll() for CERTInext to expose the DCV challenge (i.e. populate `domainVerification` in TrackOrder). Under concurrent load CERTInext sometimes takes a few seconds after GenerateOrderSSL before the slot appears. Without this wait, the plugin's initial TrackOrder check sees null and skips DCV \u2014 the order then has to wait for the next gateway sync cycle to be picked up. Setting to 0 disables the wait (single-check behaviour). Can also be set via the CERTINEXT_DCV_WAIT_FOR_CHALLENGE_SECONDS environment variable; the env var takes precedence when both are set. Default: 60."
},
{
"name": "DcvWaitForIssuanceSeconds",
"description": "OPTIONAL: How long (seconds) the plugin will wait inside Enroll() after DCV verifies for CERTInext to finish generating the certificate. CERTInext issuance is async \u2014 DCV may be verified but the cert PEM isn't yet available for download. Without this wait, Enroll() returns a pending result and the issued cert is picked up by the next sync cycle. Setting to 0 disables the wait (single-fetch behaviour). Can also be set via the CERTINEXT_DCV_WAIT_FOR_ISSUANCE_SECONDS environment variable; the env var takes precedence when both are set. Default: 60."
},
{
"name": "DcvSyncMaxOrderAgeHours",
"description": "OPTIONAL: During synchronization, only pending DV orders younger than this many hours are eligible to be driven through DCV. This keeps a sync pass fast when there is a large backlog of old, never-completing pending orders (e.g. abandoned orders or domains outside the configured DNS provider's zone): they age out and are simply reported as pending rather than retried every pass. Recently-placed orders (the ones that legitimately deferred DCV) are always within the window and complete via the normal scan cadence. Set to 0 to disable the age filter (attempt DCV for all pending). Default: 24."
},
{
"name": "DcvSyncMaxPerPass",
"description": "OPTIONAL: Maximum number of pending DV orders the plugin will attempt to drive through DCV in a single synchronization pass. Bounds the per-pass cost regardless of backlog size; remaining pending orders are reported as-is and picked up on a later pass (the per-minute incremental scan keeps recent orders moving). Set to 0 to disable the cap. Default: 50."
}
],
"enrollment_config": [
{
"name": "ProductCode",
"description": "OPTIONAL: Override the numeric CERTInext product code for this template. When omitted, the default production code for the selected product is used automatically (e.g. DV SSL \u2192 838). Set this explicitly when targeting sandbox or a non-standard code."
},
{
"name": "ProfileId",
"description": "DEPRECATED: Use ProductCode instead. Kept for backward compatibility \u2014 mapped to ProductCode if ProductCode is not set."
},
{
"name": "ValidityYears",
"description": "OPTIONAL: Subscription validity in years: 1, 2, or 3. Default: 1. Note: CERTInext validates each certificate within the subscription on a 390-day basis; the 'validity' field in the order is the subscription term, not the certificate lifetime."
},
{
"name": "ValidityDays",
"description": "DEPRECATED: Use ValidityYears instead. If set, the value is divided by 365 and rounded up to obtain the subscription year count."
},
{
"name": "AutoApprove",
"description": "OPTIONAL: If true, the gateway will attempt automatic approval of certificates that are returned in a pending-approval state. This bypasses the pending-approval checkpoint for the template, so leave it false where manual review of orders is intended. Default: false."
},
{
"name": "RequesterName",
"description": "OPTIONAL: Default requester name to include in the enrollment request. Used when no requester name can be derived from the subject."
},
{
"name": "RequesterEmail",
"description": "OPTIONAL: Default requester email address. Used when no email can be derived from the subject."
},
{
"name": "RenewalWindowDays",
"description": "OPTIONAL: Number of days before certificate expiration within which a renewal is triggered. Certificates expiring further than this window are reissued instead. Certificates that have already expired also fall back to reissue. Default: 90."
},
{
"name": "KeyType",
"description": "OPTIONAL: Key algorithm to request (e.g. 'RSA2048', 'RSA4096', 'EC256', 'EC384'). If omitted, the profile default is used."
},
{
"name": "DomainName",
"description": "OPTIONAL: Primary domain for SSL/TLS orders. Derived from the CSR CN if omitted."
},
{
"name": "SignerName",
"description": "OPTIONAL: Per-template subscriber agreement signer name. Falls back to the connector-level RequestorName if omitted."
},
{
"name": "SignerPlace",
"description": "OPTIONAL: Per-template signer city/location. Falls back to the connector-level SignerPlace if omitted."
},
{
"name": "SignerIp",
"description": "OPTIONAL: Per-template signer IP address. Falls back to the connector-level SignerIp if omitted."
}
]
}
}
}