@@ -196,7 +196,79 @@ The plugin supports the following standard CRL revocation reasons:
196196
197197 * ** Gateway Registration**
198198
199- TODO Gateway Registration is a required section
199+ # ## CA Connection Configuration
200+
201+ When registering the HydrantId CA in the AnyCA Gateway, you' ll need to provide the following configuration parameters:
202+
203+ | Parameter | Description | Required | Example |
204+ |-----------|-------------|----------|---------|
205+ | **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
206+ | **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
207+ | **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
208+
209+ ### Template (Product) Configuration
210+
211+ Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
212+
213+ | Parameter | Description | Required | Example |
214+ |-----------|-------------|----------|---------|
215+ | **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
216+ | **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
217+ | **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
218+
219+ **Important Notes:**
220+ - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
221+ - The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
222+ - RenewalDays determines the behavior for certificate renewal:
223+ - Within window: Performs a renewal operation (maintains certificate lineage)
224+ - Outside window: Performs a re-issue operation (new certificate enrollment)
225+
226+ ### Gateway Registration Notes
227+
228+ - Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
229+ - If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
230+ - Each CA configuration will manifest in Command as a separate CA entry
231+ - The plugin uses Hawk authentication protocol for all API communications
232+ - Authentication uses HMAC-SHA256 for secure API access
233+ - The plugin automatically handles:
234+ - Policy/template discovery
235+ - Certificate status mapping
236+ - End-entity certificate extraction from PEM chains
237+ - Enrollment completion polling (30-second timeout)
238+
239+ ### Security Considerations
240+
241+ 1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
242+ 2. **Secret Management**: Consider using a secrets management system for AuthKey storage
243+ 3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
244+ 4. **Least Privilege**: Request API credentials with minimal required permissions
245+ 5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
246+ 6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
247+
248+ * **CA Connection**
249+
250+ Populate using the configuration fields collected in the [requirements](#requirements) section.
251+
252+ * **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
253+ * **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
254+ * **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
255+
256+ 2. **Certificate Template Configuration**
257+
258+ After adding the CA to the Gateway, configure each certificate template:
259+
260+ 1. Navigate to the Templates/Products section for the newly added CA
261+ 2. For each template (policy) discovered from HydrantId, configure:
262+ - **ValidityPeriod**: Select `Days`, `Months`, or `Years`
263+ - **ValidityUnits**: Enter the numeric value (e.g., `365` for one year in days)
264+ - **RenewalDays**: Enter the renewal window in days (e.g., `30`)
265+
266+ Example configurations:
267+ - **1-Year Certificate (Days)**: ValidityPeriod=`Days`, ValidityUnits=`365`, RenewalDays=`30`
268+ - **2-Year Certificate (Years)**: ValidityPeriod=`Years`, ValidityUnits=`2`, RenewalDays=`60`
269+ - **6-Month Certificate (Months)**: ValidityPeriod=`Months`, ValidityUnits=`6`, RenewalDays=`30`
270+
271+ 3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
200272
201273 * **CA Connection**
202274
0 commit comments