Skip to content

Commit 64b2312

Browse files
author
Keyfactor
committed
Update generated docs
1 parent 5863e7b commit 64b2312

1 file changed

Lines changed: 73 additions & 1 deletion

File tree

README.md

Lines changed: 73 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -196,7 +196,79 @@ The plugin supports the following standard CRL revocation reasons:
196196

197197
* **Gateway Registration**
198198

199-
TODO Gateway Registration is a required section
199+
### CA Connection Configuration
200+
201+
When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
202+
203+
| Parameter | Description | Required | Example |
204+
|-----------|-------------|----------|---------|
205+
| **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
206+
| **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
207+
| **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
208+
209+
### Template (Product) Configuration
210+
211+
Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
212+
213+
| Parameter | Description | Required | Example |
214+
|-----------|-------------|----------|---------|
215+
| **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
216+
| **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
217+
| **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
218+
219+
**Important Notes:**
220+
- Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
221+
- The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
222+
- RenewalDays determines the behavior for certificate renewal:
223+
- Within window: Performs a renewal operation (maintains certificate lineage)
224+
- Outside window: Performs a re-issue operation (new certificate enrollment)
225+
226+
### Gateway Registration Notes
227+
228+
- Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
229+
- If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
230+
- Each CA configuration will manifest in Command as a separate CA entry
231+
- The plugin uses Hawk authentication protocol for all API communications
232+
- Authentication uses HMAC-SHA256 for secure API access
233+
- The plugin automatically handles:
234+
- Policy/template discovery
235+
- Certificate status mapping
236+
- End-entity certificate extraction from PEM chains
237+
- Enrollment completion polling (30-second timeout)
238+
239+
### Security Considerations
240+
241+
1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
242+
2. **Secret Management**: Consider using a secrets management system for AuthKey storage
243+
3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
244+
4. **Least Privilege**: Request API credentials with minimal required permissions
245+
5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
246+
6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
247+
248+
* **CA Connection**
249+
250+
Populate using the configuration fields collected in the [requirements](#requirements) section.
251+
252+
* **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
253+
* **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
254+
* **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
255+
256+
2. **Certificate Template Configuration**
257+
258+
After adding the CA to the Gateway, configure each certificate template:
259+
260+
1. Navigate to the Templates/Products section for the newly added CA
261+
2. For each template (policy) discovered from HydrantId, configure:
262+
- **ValidityPeriod**: Select `Days`, `Months`, or `Years`
263+
- **ValidityUnits**: Enter the numeric value (e.g., `365` for one year in days)
264+
- **RenewalDays**: Enter the renewal window in days (e.g., `30`)
265+
266+
Example configurations:
267+
- **1-Year Certificate (Days)**: ValidityPeriod=`Days`, ValidityUnits=`365`, RenewalDays=`30`
268+
- **2-Year Certificate (Years)**: ValidityPeriod=`Years`, ValidityUnits=`2`, RenewalDays=`60`
269+
- **6-Month Certificate (Months)**: ValidityPeriod=`Months`, ValidityUnits=`6`, RenewalDays=`30`
270+
271+
3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
200272
201273
* **CA Connection**
202274

0 commit comments

Comments
 (0)