
Commit 4df0357

docs: add reference/ JSON captures from a known-working CERTInext lab
Sanitised JSON dumps from a running localhost-kind kfclab lab on 2026-05-22. Useful as wire-format reference when writing or debugging configuration scripts against a clean install:

docs/reference/
├── README.md                      provenance + how to read
├── gateway/
│   ├── certificate-profiles.json  all 8 sandbox products
│   └── claims.json                gateway authz table
└── command/
    ├── certificate-authority.json the CERTInext CA record
    └── templates-certinext.json   8 imported AnyCA_<product>

Captured via `kfclab snapshot` with the AnyGateway collector wired into the snapshot CLI (kfclab commit 514cc27).

The Command CA record's ClientSecret is masked by Command itself on read; no other sensitive fields are present (no access keys, no PAM literals, no OAuth secrets).

Not included (not GET-able from the live gateway): the /config/configuration shape — see QUICKSTART.md step 3 for the canonical POST/PUT body shape that produced this state.
1 parent 59a1039 commit 4df0357

5 files changed

Lines changed: 723 additions & 0 deletions

docs/reference/README.md

Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
# Reference JSON — known-working lab state
2+
3+
Sanitised JSON captures of a fully-configured CERTInext lab. Useful as
4+
**wire-format reference** when you're writing or debugging
5+
configuration scripts: every blob here is what the live gateway and
6+
Command returned (POST/PUT bodies aren't shown — those are documented
7+
in [`QUICKSTART.md`](../../QUICKSTART.md)).
8+
9+
## Source
10+
11+
Generated from the `kfclab` localhost-kind reference lab on
12+
2026-05-22 via:
13+
14+
```
15+
kfclab snapshot -f examples/localhost-kind/kfclab.yaml --out /tmp/snap
16+
```
17+
18+
Then trimmed to the CERTInext-relevant subset, with sensitive fields
19+
either already masked by the upstream API (`ClientSecret`) or omitted
20+
entirely (no access keys, no PAM literals).
21+
22+
## Layout
23+
24+
```
25+
docs/reference/
26+
├── README.md (this file)
27+
├── gateway/
28+
│ ├── certificate-profiles.json GET /AnyGatewayREST/config/certificateprofile
29+
│ └── claims.json GET /AnyGatewayREST/config/claim
30+
└── command/
31+
├── certificate-authority.json GET /KeyfactorAPI/CertificateAuthorities (CERTInext record)
32+
└── templates-certinext.json GET /KeyfactorAPI/Templates filtered by ConfigurationTenant
33+
```
34+
35+
## `gateway/certificate-profiles.json`
36+
37+
Eight profiles, one per CERTInext sandbox product. Each carries the
38+
same `key_algs` block — the canonical "permit RSA 2048–8192 + ECDSA
39+
P-256/384/521 + Ed25519/Ed448" policy. Match this `key_algs` shape on
40+
new profiles to avoid Command's misleading `0xA0110004` "Key type
41+
disallowed by policy" error.
42+
43+
The profiles **don't** carry CA-binding information; they're top-level
44+
gateway resources. The CA configuration's `Templates[].CertificateProfile`
45+
field is what binds a product to its profile by name.
46+
47+
## `gateway/claims.json`
48+
49+
The gateway authorisation table. Each row maps an OIDC subject (token
50+
`sub`) to a gateway role. The lab seeds these on every
51+
`init-gateway`:
52+
53+
- Two for the gateway's own machine client (admin + user — defensive)
54+
- One for `akadmin` (the Authentik admin's `nameClaimType=sub`)
55+
56+
Production deployments add per-operator entries here. There are no
57+
secrets in this file.
58+
59+
## `command/certificate-authority.json`
60+
61+
The single `LogicalName=certinext-caplugin` CA record after Command's
62+
own redaction of the OAuth client secret (`ClientSecret.SecretValue` is
63+
masked by Command on read). Useful as a shape reference for the
64+
`POST /KeyfactorAPI/CertificateAuthorities` request body in
65+
[QUICKSTART step 4](../../QUICKSTART.md#step-4--register-the-ca-in-command).
66+
Read-only fields populated by Command (e.g. `Id`, `LastSyncTime`,
67+
`SyncStatus`) are present but should not be set on create.
68+
69+
## `command/templates-certinext.json`
70+
71+
The eight Command templates created by `POST /KeyfactorAPI/Templates/Import`
72+
(`ConfigurationTenant=certinext-caplugin`). Each is a 1-to-1 mapping
73+
of a CERTInext sandbox product → a Command template named
74+
`AnyCA_<ProductID>` and tied back to the CA by `ConfigurationTenant`.
75+
Useful as a sanity check after running step 5 of the quickstart: the
76+
template count and `CommonName` set should match this file (modulo
77+
`Id` churn).
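Review bot: The `command/certificate-authority.json` section names `LastSyncTime` and `SyncStatus` as examples of Command-populated read-only fields, but the captured record in this same commit has neither; the server-assigned keys actually present are `Id` and `LastScan`. List the fields that appear in the file, or say the list is illustrative, so a reader diffing the reference against their own instance doesn't hunt for keys that aren't there. While you're in that section, it's worth saying explicitly that the `ClientSecret.SecretValue` in the capture is Command's read-side mask (a run of asterisks), not a placeholder to copy into a create body, and that the real secret must be supplied out-of-band and never committed next to this reference; a script that only checks for a non-empty string would happily submit the mask. In the `gateway/claims.json` section the machine client is seeded with both admin and user roles "defensively": state whether the admin row is required for normal gateway operation, because a production deployment that follows this reference will otherwise carry an admin-scope claim for a non-interactive client it may not need, and the "per-operator entries" sentence should point at which of the two roles an operator normally gets. Minor: the `kfclab snapshot` fence has no language tag, unlike the rest of the repo's docs.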
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,63 @@
1+
{
2+
"Agent": null,
3+
"AgentName": null,
4+
"AgentUsername": null,
5+
"AllowOneClickRenewals": true,
6+
"AllowedEnrollmentTypes": 3,
7+
"AllowedRequesters": [],
8+
"Audience": null,
9+
"AuthCertificate": null,
10+
"CAType": 1,
11+
"CertificateCleanupEnabled": null,
12+
"ClientId": "anygateway-gateway-certinext-client",
13+
"ClientSecret": {
14+
"Parameters": {},
15+
"Provider": null,
16+
"SecretValue": "********************"
17+
},
18+
"ConfigurationTenant": "certinext-caplugin",
19+
"ConnectorPool": null,
20+
"Delegate": false,
21+
"DelegateEnrollment": false,
22+
"DeleteWithArchivedKey": null,
23+
"DenialMax": 0,
24+
"EnforceUniqueDN": false,
25+
"ExplicitCredentials": false,
26+
"ExplicitPassword": null,
27+
"ExplicitUser": null,
28+
"FailureMax": null,
29+
"ForestRoot": "certinext-caplugin",
30+
"FullScan": {
31+
"Interval": {
32+
"Minutes": 720
33+
}
34+
},
35+
"HostName": "https://gateway-gateway-certinext.127.0.0.1.nip.io/AnyGatewayREST/ejbca",
36+
"Id": 4,
37+
"IncrementalScan": {
38+
"Interval": {
39+
"Minutes": 5
40+
}
41+
},
42+
"IssuanceMax": null,
43+
"IssuanceMin": null,
44+
"KeyRetention": 1,
45+
"KeyRetentionDays": null,
46+
"LastScan": "2026-05-22T19:20:01.2730000",
47+
"LogicalName": "certinext-caplugin",
48+
"MonitorThresholds": false,
49+
"NewEndEntityOnRenewAndReissue": true,
50+
"Properties": "{}",
51+
"RFCEnforcement": false,
52+
"Remote": false,
53+
"Scope": "keyfactor-anyca-gateway",
54+
"Standalone": false,
55+
"SubscriberTerms": false,
56+
"ThresholdCheck": null,
57+
"TimeAfterExpiration": null,
58+
"TimeAfterExpirationUnits": null,
59+
"TokenURL": "https://auth.127.0.0.1.nip.io/application/o/token/",
60+
"UseAllowedRequesters": false,
61+
"UseCAConnector": false,
62+
"UseForEnrollment": true
63+
}
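Review bot: `ClientSecret.SecretValue` here is the literal mask string Command returns on read, and `Id: 4` and `LastScan` are server-assigned; anyone who builds a `POST /KeyfactorAPI/CertificateAuthorities` body by editing this file verbatim will submit the mask as the secret and send fields Command owns. Since the point of the file is an exact wire-format capture, don't alter the JSON, but the README entry for it should call out those three keys by name as "do not copy" rather than the current example list. `ClientSecret.Provider: null` with empty `Parameters` also documents that the lab stores the OAuth secret as a plain Command-managed value rather than a PAM reference, which matches the commit message's "no PAM literals" but is worth stating for anyone using this as a production shape. Finally, `HostName` (with its `/AnyGatewayREST/ejbca` path) and `TokenURL` both resolve under `127.0.0.1.nip.io`; correct for the localhost-kind lab, and the first two values to change anywhere else.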
Lines changed: 243 additions & 0 deletions
@@ -0,0 +1,243 @@
1+
[
2+
{
3+
"AllowOneClickRenewals": true,
4+
"AllowedEnrollmentTypes": 3,
5+
"AllowedRequesters": [
6+
"InstanceAdmin"
7+
],
8+
"CommonName": "AnyCA_DV SSL",
9+
"ConfigurationTenant": "certinext-caplugin",
10+
"DisplayName": "AnyCA (DV SSL)",
11+
"EnrollmentFields": [],
12+
"ExtendedKeyUsages": [
13+
{
14+
"DisplayName": "Client Authentication",
15+
"Id": 2,
16+
"Oid": "1.3.6.1.5.5.7.3.2"
17+
},
18+
{
19+
"DisplayName": "Secure Email",
20+
"Id": 4,
21+
"Oid": "1.3.6.1.5.5.7.3.4"
22+
}
23+
],
24+
"ForestRoot": "certinext-caplugin",
25+
"FriendlyName": null,
26+
"Id": 8,
27+
"KeyArchival": false,
28+
"KeyRetention": "Indefinite",
29+
"KeyRetentionDays": 0,
30+
"KeySize": "2048",
31+
"KeyType": "RSA",
32+
"KeyTypes": "ECC P-256/prime256v1/secp256r1, ECC P-384/secp384r1, ECC P-521/secp521r1, RSA 2048, RSA 3072, RSA 4096, RSA 6144, RSA 8192, Ed448, Ed25519",
33+
"KeyUsage": 0,
34+
"Manageability": 0,
35+
"Oid": "1.1",
36+
"RequiresApproval": false,
37+
"TemplateName": "AnyCA (DV SSL)",
38+
"TemplateRegexes": [],
39+
"UseAllowedRequesters": true
40+
},
41+
{
42+
"AllowOneClickRenewals": true,
43+
"AllowedEnrollmentTypes": 3,
44+
"AllowedRequesters": [
45+
"InstanceAdmin"
46+
],
47+
"CommonName": "AnyCA_DV SSL Multi-Domain (UCC)",
48+
"ConfigurationTenant": "certinext-caplugin",
49+
"DisplayName": "AnyCA (DV SSL Multi-Domain (UCC))",
50+
"EnrollmentFields": [],
51+
"ExtendedKeyUsages": [],
52+
"ForestRoot": "certinext-caplugin",
53+
"FriendlyName": null,
54+
"Id": 10,
55+
"KeyArchival": false,
56+
"KeyRetention": "Indefinite",
57+
"KeyRetentionDays": 0,
58+
"KeySize": "2048",
59+
"KeyType": "RSA",
60+
"KeyTypes": "ECC P-256/prime256v1/secp256r1, ECC P-384/secp384r1, ECC P-521/secp521r1, RSA 2048, RSA 3072, RSA 4096, RSA 6144, RSA 8192, Ed448, Ed25519",
61+
"KeyUsage": 0,
62+
"Manageability": 0,
63+
"Oid": "1.3",
64+
"RequiresApproval": false,
65+
"TemplateName": "AnyCA (DV SSL Multi-Domain (UCC))",
66+
"TemplateRegexes": [],
67+
"UseAllowedRequesters": true
68+
},
69+
{
70+
"AllowOneClickRenewals": true,
71+
"AllowedEnrollmentTypes": 3,
72+
"AllowedRequesters": [
73+
"InstanceAdmin"
74+
],
75+
"CommonName": "AnyCA_DV SSL Wildcard",
76+
"ConfigurationTenant": "certinext-caplugin",
77+
"DisplayName": "AnyCA (DV SSL Wildcard)",
78+
"EnrollmentFields": [],
79+
"ExtendedKeyUsages": [],
80+
"ForestRoot": "certinext-caplugin",
81+
"FriendlyName": null,
82+
"Id": 9,
83+
"KeyArchival": false,
84+
"KeyRetention": "Indefinite",
85+
"KeyRetentionDays": 0,
86+
"KeySize": "2048",
87+
"KeyType": "RSA",
88+
"KeyTypes": "ECC P-256/prime256v1/secp256r1, ECC P-384/secp384r1, ECC P-521/secp521r1, RSA 2048, RSA 3072, RSA 4096, RSA 6144, RSA 8192, Ed448, Ed25519",
89+
"KeyUsage": 0,
90+
"Manageability": 0,
91+
"Oid": "1.2",
92+
"RequiresApproval": false,
93+
"TemplateName": "AnyCA (DV SSL Wildcard)",
94+
"TemplateRegexes": [],
95+
"UseAllowedRequesters": true
96+
},
97+
{
98+
"AllowOneClickRenewals": true,
99+
"AllowedEnrollmentTypes": 3,
100+
"AllowedRequesters": [
101+
"InstanceAdmin"
102+
],
103+
"CommonName": "AnyCA_DV SSL Wildcard Multi-Domain (UCC)",
104+
"ConfigurationTenant": "certinext-caplugin",
105+
"DisplayName": "AnyCA (DV SSL Wildcard Multi-Domain (UCC))",
106+
"EnrollmentFields": [],
107+
"ExtendedKeyUsages": [
108+
{
109+
"DisplayName": "OCSP Signing",
110+
"Id": 9,
111+
"Oid": "1.3.6.1.5.5.7.3.9"
112+
}
113+
],
114+
"ForestRoot": "certinext-caplugin",
115+
"FriendlyName": null,
116+
"Id": 11,
117+
"KeyArchival": false,
118+
"KeyRetention": "Indefinite",
119+
"KeyRetentionDays": 0,
120+
"KeySize": "2048",
121+
"KeyType": "RSA",
122+
"KeyTypes": "ECC P-256/prime256v1/secp256r1, ECC P-384/secp384r1, ECC P-521/secp521r1, RSA 2048, RSA 3072, RSA 4096, RSA 6144, RSA 8192, Ed448, Ed25519",
123+
"KeyUsage": 0,
124+
"Manageability": 0,
125+
"Oid": "1.4",
126+
"RequiresApproval": false,
127+
"TemplateName": "AnyCA (DV SSL Wildcard Multi-Domain (UCC))",
128+
"TemplateRegexes": [],
129+
"UseAllowedRequesters": true
130+
},
131+
{
132+
"AllowOneClickRenewals": true,
133+
"AllowedEnrollmentTypes": 3,
134+
"AllowedRequesters": [
135+
"InstanceAdmin"
136+
],
137+
"CommonName": "AnyCA_OV SSL",
138+
"ConfigurationTenant": "certinext-caplugin",
139+
"DisplayName": "AnyCA (OV SSL)",
140+
"EnrollmentFields": [],
141+
"ExtendedKeyUsages": [],
142+
"ForestRoot": "certinext-caplugin",
143+
"FriendlyName": null,
144+
"Id": 12,
145+
"KeyArchival": false,
146+
"KeyRetention": "Indefinite",
147+
"KeyRetentionDays": 0,
148+
"KeySize": "2048",
149+
"KeyType": "RSA",
150+
"KeyTypes": "ECC P-256/prime256v1/secp256r1, ECC P-384/secp384r1, ECC P-521/secp521r1, RSA 2048, RSA 3072, RSA 4096, RSA 6144, RSA 8192, Ed448, Ed25519",
151+
"KeyUsage": 0,
152+
"Manageability": 0,
153+
"Oid": "1.5",
154+
"RequiresApproval": false,
155+
"TemplateName": "AnyCA (OV SSL)",
156+
"TemplateRegexes": [],
157+
"UseAllowedRequesters": true
158+
},
159+
{
160+
"AllowOneClickRenewals": true,
161+
"AllowedEnrollmentTypes": 3,
162+
"AllowedRequesters": [
163+
"InstanceAdmin"
164+
],
165+
"CommonName": "AnyCA_OV SSL Multi-Domain (UCC)",
166+
"ConfigurationTenant": "certinext-caplugin",
167+
"DisplayName": "AnyCA (OV SSL Multi-Domain (UCC))",
168+
"EnrollmentFields": [],
169+
"ExtendedKeyUsages": [],
170+
"ForestRoot": "certinext-caplugin",
171+
"FriendlyName": null,
172+
"Id": 14,
173+
"KeyArchival": false,
174+
"KeyRetention": "Indefinite",
175+
"KeyRetentionDays": 0,
176+
"KeySize": "2048",
177+
"KeyType": "RSA",
178+
"KeyTypes": "ECC P-256/prime256v1/secp256r1, ECC P-384/secp384r1, ECC P-521/secp521r1, RSA 2048, RSA 3072, RSA 4096, RSA 6144, RSA 8192, Ed448, Ed25519",
179+
"KeyUsage": 0,
180+
"Manageability": 0,
181+
"Oid": "1.7",
182+
"RequiresApproval": false,
183+
"TemplateName": "AnyCA (OV SSL Multi-Domain (UCC))",
184+
"TemplateRegexes": [],
185+
"UseAllowedRequesters": true
186+
},
187+
{
188+
"AllowOneClickRenewals": true,
189+
"AllowedEnrollmentTypes": 3,
190+
"AllowedRequesters": [
191+
"InstanceAdmin"
192+
],
193+
"CommonName": "AnyCA_OV SSL Wildcard",
194+
"ConfigurationTenant": "certinext-caplugin",
195+
"DisplayName": "AnyCA (OV SSL Wildcard)",
196+
"EnrollmentFields": [],
197+
"ExtendedKeyUsages": [],
198+
"ForestRoot": "certinext-caplugin",
199+
"FriendlyName": null,
200+
"Id": 13,
201+
"KeyArchival": false,
202+
"KeyRetention": "Indefinite",
203+
"KeyRetentionDays": 0,
204+
"KeySize": "2048",
205+
"KeyType": "RSA",
206+
"KeyTypes": "ECC P-256/prime256v1/secp256r1, ECC P-384/secp384r1, ECC P-521/secp521r1, RSA 2048, RSA 3072, RSA 4096, RSA 6144, RSA 8192, Ed448, Ed25519",
207+
"KeyUsage": 0,
208+
"Manageability": 0,
209+
"Oid": "1.6",
210+
"RequiresApproval": false,
211+
"TemplateName": "AnyCA (OV SSL Wildcard)",
212+
"TemplateRegexes": [],
213+
"UseAllowedRequesters": true
214+
},
215+
{
216+
"AllowOneClickRenewals": true,
217+
"AllowedEnrollmentTypes": 3,
218+
"AllowedRequesters": [
219+
"InstanceAdmin"
220+
],
221+
"CommonName": "AnyCA_OV SSL Wildcard Multi-Domain (UCC)",
222+
"ConfigurationTenant": "certinext-caplugin",
223+
"DisplayName": "AnyCA (OV SSL Wildcard Multi-Domain (UCC))",
224+
"EnrollmentFields": [],
225+
"ExtendedKeyUsages": [],
226+
"ForestRoot": "certinext-caplugin",
227+
"FriendlyName": null,
228+
"Id": 15,
229+
"KeyArchival": false,
230+
"KeyRetention": "Indefinite",
231+
"KeyRetentionDays": 0,
232+
"KeySize": "2048",
233+
"KeyType": "RSA",
234+
"KeyTypes": "ECC P-256/prime256v1/secp256r1, ECC P-384/secp384r1, ECC P-521/secp521r1, RSA 2048, RSA 3072, RSA 4096, RSA 6144, RSA 8192, Ed448, Ed25519",
235+
"KeyUsage": 0,
236+
"Manageability": 0,
237+
"Oid": "1.8",
238+
"RequiresApproval": false,
239+
"TemplateName": "AnyCA (OV SSL Wildcard Multi-Domain (UCC))",
240+
"TemplateRegexes": [],
241+
"UseAllowedRequesters": true
242+
}
243+
]
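Review bot: The EKU sets are inconsistent across the eight templates in a way the README's "sanity check" guidance doesn't cover: `AnyCA_DV SSL` carries Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4), `AnyCA_DV SSL Wildcard Multi-Domain (UCC)` carries OCSP Signing (1.3.6.1.5.5.7.3.9), and the other six have an empty `ExtendedKeyUsages` list; none lists Server Authentication (1.3.6.1.5.5.7.3.1). If these are what `POST /KeyfactorAPI/Templates/Import` produced from the sandbox product metadata, the README should say so and state that `ExtendedKeyUsages` is not part of the expected-state comparison; if they were set by hand during lab work, they look like leftovers and should be cleared before this is published as a clean-install reference, because an OCSP Signing EKU on a TLS certificate template is exactly what a reviewer would flag in a production Command instance. Two more things the README's comparison should mention: every template has `UseAllowedRequesters: true` with `AllowedRequesters: ["InstanceAdmin"]`, so enrollment is restricted to that role and a template imported without it is materially broader; and the `Oid` values 1.1 through 1.8 track `Id` 8 through 15 one-for-one, so they look import-assigned and belong with `Id` under "churn".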
