Keyfactor
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 12 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 12 deletions
diff --git a/‎HydrantCAProxy/HydrantIdCAPlugin.csproj‎
Lines changed: 2 additions & 2 deletions b/‎HydrantCAProxy/HydrantIdCAPlugin.csproj‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 135 additions & 68 deletions b/‎README.md‎
Lines changed: 135 additions & 68 deletions
@@ -1,13 +1,2 @@
-# v2.0.0
-* Migrate `packages.config` to `PackageReference` format
-* Upgrade packages to support Keyfactor AnyCA Gateway DCOM v24.2
-    * Upgrade `Keyfactor.AnyGateway.SDK` to `24.2.0-PRERELEASE-47446`
-* Add support for [GCP CAS Certificate Templates](https://cloud.google.com/certificate-authority-service/docs/policy-controls)
-* Enable configuration of CA Pool-based or CA-specific certificate enrollment. If the `CAId` is specified, certificates are enrolled with the CA specified by `CAId`. Otherwise, GCP CAS selects a CA in the CA Pool based on policy.
-
-# v1.1.0 
-  - Remove template references from README
-  - Small bug fixes  
-
 # v1.0.0
-* Initial Release. Support for Google GA CA Service.  Sync, Enroll, and Revocation. 
+* Initial Release.  Sync, Enroll, and Revocation. 
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
-		<TargetFramework>net6.0</TargetFramework>
+		<TargetFrameworks>net6.0;net8.0</TargetFrameworks>
 		<ImplicitUsings>disable</ImplicitUsings>
 		<CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
 		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
@@ -18,4 +18,4 @@
 			<CopyToOutputDirectory>Always</CopyToOutputDirectory>
 		</None>
 	</ItemGroup>
-</Project>
+</Project>
@@ -1,13 +1,13 @@
 <h1 align="center" style="border-bottom: none">
-    HydrantId AnyCA Gateway REST Plugin
+    HID Global AnyCA Gateway REST Plugin
 </h1>
 
 <p align="center">
   <!-- Badges -->
 <img src="https://img.shields.io/badge/integration_status-production-3D1973?style=flat-square" alt="Integration Status: production" />
-<a href="https://github.com/Keyfactor/hydrantid-cagateway/releases"><img src="https://img.shields.io/github/v/release/Keyfactor/hydrantid-cagateway?style=flat-square" alt="Release" /></a>
-<img src="https://img.shields.io/github/issues/Keyfactor/hydrantid-cagateway?style=flat-square" alt="Issues" />
-<img src="https://img.shields.io/github/downloads/Keyfactor/hydrantid-cagateway/total?style=flat-square&label=downloads&color=28B905" alt="GitHub Downloads (all assets, all releases)" />
+<a href="https://github.com/Keyfactor/hydrantid-caplugin/releases"><img src="https://img.shields.io/github/v/release/Keyfactor/hydrantid-caplugin?style=flat-square" alt="Release" /></a>
+<img src="https://img.shields.io/github/issues/Keyfactor/hydrantid-caplugin?style=flat-square" alt="Issues" />
+<img src="https://img.shields.io/github/downloads/Keyfactor/hydrantid-caplugin/total?style=flat-square&label=downloads&color=28B905" alt="GitHub Downloads (all assets, all releases)" />
 </p>
 
 <p align="center">
@@ -34,105 +34,169 @@
 </p>
 
 
-HydrantId operates a PKI as a service platform for customers around the globe. The AnyGateway solution for HydrantId is designed to allow Keyfactor Command:
+The HID Global HydrantId AnyCA Gateway REST plugin extends the capabilities of HydrantId Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HydrantId REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities:
 
-* CA Sync:
-    * Download all certificates issued by connected Enterprise tier CAs in HydrantId (full sync).
-* Certificate enrollment for all published HydrantId Certificate SKUs:
-    * Support certificate enrollment (new keys/certificate).
-* Certificate revocation:
-    * Request revocation of a previously issued certificate.
+* **CA Sync**:
+    * Download all certificates issued by the HydrantId CA
+    * Support for incremental and full synchronization
+    * Automatic extraction of end-entity certificates from PEM chains
+* **Certificate Enrollment**:
+    * Support certificate enrollment with new key pairs
+    * Dynamic policy (profile) discovery from the CA
+    * Intelligent renewal vs. re-issue logic based on certificate expiration
+    * Support for PKCS#10 CSR format
+    * Configurable certificate validity periods
+* **Certificate Revocation**:
+    * Request revocation of previously issued certificates
+    * Support for standard CRL revocation reasons
 
 ## Compatibility
 
-The HydrantId AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2 and later.
+The HID Global AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2 and later.
 
 ## Support
-The HydrantId AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. 
+The HID Global AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. 
 
 > To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 
 ## Requirements
 
-### 🔐 HydrantID API Key Setup Guide
+### HydrantId System Prerequisites
 
-This guide explains how to generate and use an API Key ID and Secret in HydrantID for authenticated API access.
+Before configuring the AnyCA Gateway plugin, ensure the following prerequisites are met:
 
----
+1. **HydrantId Account**:
+   - Active HydrantId account with API access enabled
+   - Access to the HydrantId management portal
+   - HydrantId Certificate Authority Service configured and operational
 
-#### 📍 Where to Find API Key Management
+2. **API Credentials**:
+   - HydrantId API Authentication ID (AuthId)
+   - HydrantId API Authentication Key (AuthKey)
+   - These credentials must have permissions for:
+     - Certificate enrollment (CSR submission)
+     - Certificate retrieval
+     - Certificate revocation
+     - Policy/profile listing
 
-1. **Log in** to your HydrantID instance.
-   - Example: https://acm-stage.hydrantid.com
+3. **Network Connectivity**:
+   - Gateway server must have HTTPS access to the HydrantId API endpoint
+   - Default endpoint format: `https://<environment>.hydrantid.com`
+   - Example: `https://acm-stage.hydrantid.com` or `https://acm.hydrantid.com`
+   - TLS 1.2 or higher must be supported
 
-2. Click your **user profile icon** (top right) and select **"Profile"**.
+### Obtaining Required Configuration Information
 
-3. In the **Profile** page, scroll to the section labeled `API Keys`.
+#### 1. HydrantId Base URL
 
----
+The HydrantId Base URL is the root endpoint for the HydrantId API.
 
-#### ➕ Add a New API Key
+**Common HydrantId environments:**
+- Production: `https://acm.hydrantid.com`
+- Staging: `https://acm-stage.hydrantid.com`
+- Custom instances may have different URLs
 
-1. Click **"ADD API KEY"** (top right of the API Keys section).
-2. A new API Key will be generated with:
-   - A unique **API ID**
-   - A **Secret API Key** — copy it immediately as it is only shown once.
+**To obtain your Base URL:**
+1. Contact your HydrantId account representative
+2. Check your HydrantId account documentation
+3. Verify the URL is accessible from the Gateway server
 
----
+#### 2. API Authentication Credentials
 
-#### 🧾 Notes on API Keys
+The Gateway authenticates to HydrantId using Hawk authentication protocol with an AuthId and AuthKey pair.
 
-- **ID** = what you'll pass in the HAWK `id` field
-- **Key** = secret used to generate HAWK signature
-- Each key shows `Created` and `Last Used` timestamps for traceability
+**Steps to obtain API credentials:**
 
----
+1. **Access HydrantId Portal**:
+   - Log in to your HydrantId management portal
+   - Navigate to API or Integration settings
 
-#### 🔐 Using the API ID and Key with HAWK
+2. **Generate API Credentials**:
+   - Request API credentials from your HydrantId administrator
+   - You will receive:
+     - **AuthId**: A unique identifier for your API client
+     - **AuthKey**: A secret key used for HMAC-based authentication
+   - Store these credentials securely
 
-HydrantID uses [HAWK Authentication](https://github.com/hueniverse/hawk) to secure its API.
+3. **Verify Permissions**:
+   - Ensure the API credentials have the following permissions:
+     - Certificate enrollment (POST /api/v2/csr)
+     - Certificate renewal (POST /api/v2/certificates/{id}/renew)
+     - Certificate retrieval (GET /api/v2/certificates)
+     - Certificate revocation (PATCH /api/v2/certificates/{id})
+     - Policy listing (GET /api/v2/policies)
 
-##### Required Fields in Authorization Header:
-```text
-Hawk id="API_ID", ts="TIMESTAMP", nonce="RANDOM", mac="HMAC_SIGNATURE"
+#### 3. Certificate Policies
 
-### Root CA Configuration
+Certificate policies define the types of certificates that can be issued. The plugin automatically discovers available policies from the HydrantId system.
 
-Both the Keyfactor Command and AnyCA Gateway REST servers must trust the root CA, and if applicable, any subordinate CAs for all features to work as intended. Download the CA Certificate (and chain, if applicable) from HydrantId, and import them into the appropriate certificate store on the AnyCA Gateway REST server.
+**Policy discovery:**
+- Policies are automatically retrieved when the CA is configured
+- Policies appear in Keyfactor Command as "Product IDs" after CA registration
+- Each policy represents a certificate template configured in HydrantId
 
-* **Windows** - If the AnyCA Gateway REST is running on a Windows host, the root CA and applicable subordinate CAs must be imported into the Windows certificate store. The certificates can be imported using the Microsoft Management Console (MMC) or PowerShell. 
-* **Linux** - If the AnyCA Gateway REST is running on a Linux host, the root CA and applicable subordinate CAs must be present in the root CA certificate store. The location of this store varies per distribution, but is most commonly `/etc/ssl/certs/ca-certificates.crt`. The following is documentation on some popular distributions.
-    * [Ubuntu - Managing CA certificates](https://ubuntu.com/server/docs/install-a-root-ca-certificate-in-the-trust-store)
-    * [RHEL 9 - Using shared system certificates](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/securing_networks/using-shared-system-certificates_securing-networks#using-shared-system-certificates_securing-networks)
-    * [Fedora - Using Shared System Certificates](https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/)
+**To view available policies:**
+1. Policies are retrieved automatically using the GET /api/v2/policies endpoint
+2. Ensure the API credentials have permissions to list policies
+3. Policies will be displayed during CA configuration in the Gateway
 
-> The root CA and intermediate CAs must be trusted by both the Command server _and_ AnyCA Gateway REST server.
+#### 4. Certificate Validity Configuration
+
+For each certificate template, you can configure:
+
+| Parameter | Description | Example Values |
+|-----------|-------------|----------------|
+| **ValidityPeriod** | Time unit for certificate lifetime | `Days`, `Months`, `Years` |
+| **ValidityUnits** | Numeric value for the validity period | `365` (for days), `12` (for months), `2` (for years) |
+| **RenewalDays** | Days before expiration to trigger renewal vs. re-issue | `30`, `60`, `90` |
+
+**Renewal vs. Re-issue Logic:**
+- If a certificate is within the RenewalDays window before expiration, the plugin performs a **renewal**
+- If a certificate is outside the RenewalDays window, the plugin performs a **re-issue** (new enrollment)
+
+### Supported Revocation Reasons
+
+The plugin supports the following standard CRL revocation reasons:
+
+| Reason Code | Reason Name | HydrantId API Value |
+|-------------|-------------|---------------------|
+| 0 | Unspecified | `Unspecified` |
+| 1 | Key Compromise | `KeyCompromise` |
+| 2 | CA Compromise | `CaCompromise` |
+| 3 | Affiliation Changed | `AffiliationChanged` |
+| 4 | Superseded | `Superseded` |
+| 5 | Cessation of Operation | `CessationOfOperation` |
+
+**Note**: Verify with your HydrantId administrator which revocation reasons are supported in your environment.
 
 ## Installation
 
 1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
 
-2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HydrantId AnyCA Gateway REST plugin](https://github.com/Keyfactor/hydrantid-cagateway/releases/latest) from GitHub.
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HID Global AnyCA Gateway REST plugin](https://github.com/Keyfactor/hydrantid-caplugin/releases/latest) from GitHub.
+
+3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:
 
-3. Copy the unzipped directory (usually called `net6.0`) to the Extensions directory:
 
     ```shell
+    Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations:
     Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net6.0\Extensions
+    Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
     ```
 
-    > The directory containing the HydrantId AnyCA Gateway REST plugin DLLs (`net6.0`) can be named anything, as long as it is unique within the `Extensions` directory.
+    > The directory containing the HID Global AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
 
 4. Restart the AnyCA Gateway REST service.
 
-5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HydrantId plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
+5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HID Global plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
 
 ## Configuration
 
 1. Follow the [official AnyCA Gateway REST documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) to define a new Certificate Authority, and use the notes below to configure the **Gateway Registration** and **CA Connection** tabs:
 
     * **Gateway Registration**
 
-        The Gateway Registration tab configures the root or issuing CA certificate for the respective CA in HydrantId. The certificate selected here should be the issuing CA identified in the [Root CA Configuration](#root-ca-configuration) step.
+        TODO Gateway Registration is a required section
 
     * **CA Connection**
 
@@ -142,29 +206,32 @@ Both the Keyfactor Command and AnyCA Gateway REST servers must trust the root CA
         * **HydrantIdAuthId** - The AuthId Obtained from HydrantId. 
         * **HydrantIdAuthKey** - The AuthKey Obtained from HydrantId. 
 
-2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID.
+2. TODO Certificate Template Creation Step is a required section
 
-    The GCP CAS AnyCA Gateway REST plugin downloads all Certificate Templates in the configured GCP Region/Project and interprets them as 'Product IDs' in the Gateway Portal.
+3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
 
-    > For example, if the connected GCP project has the following Certificate Templates:
-    > 
-    > * `ServerAuth`
-    > * `ClientAuth`
-    >
-    > The `Edit Templates` > `Product ID` dialog dropdown will show the following available 'ProductIDs':
-    >
-    > * `Default` -> Don't use a certificate template when enrolling certificates with this Template.
-    > * `ServerAuth` -> Use the `ServerAuth` certificate template in GCP when enrolling certificates with this Template.
-    > * `ClientAuth` -> Use the `ClientAuth` certificate template in GCP when enrolling certificates with this Template.
+4. TODO Custom Enrollment Parameter Creation Step is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
 
-3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
 
-4. In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the [official documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Configuring%20Template%20Options.htm) to define enrollment fields for each of the following parameters:
+## Installation
 
-    * **ValidityPeriod** - The desired lifetime time period could be Days, Months or Years. 
-    * **ValidityUnits** - The desired lifetime time value some number indicating days, months or years. 
-    * **RenewalDays** - The window that determines whether it is a renewal vs a re-issue. 
+1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
+
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [HID Global HydrantId AnyCA Gateway REST plugin](https://github.com/Keyfactor/hydrantid-caplugin/releases/latest) from GitHub.
+
+3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:
+
+    ```shell
+    Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations:
+    Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net6.0\Extensions
+    Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
+    ```
+
+    > The directory containing the HID Global HydrantId AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
+
+4. Restart the AnyCA Gateway REST service.
 
+5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the HID Global HydrantId plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
 
 
 ## License