@@ -149,7 +149,79 @@ The plugin supports the following standard CRL revocation reasons:
149149
150150# # Gateway Registration
151151
152- TODO Gateway Registration is a required section
152+ # ## CA Connection Configuration
153+
154+ When registering the HydrantId CA in the AnyCA Gateway, you' ll need to provide the following configuration parameters:
155+
156+ | Parameter | Description | Required | Example |
157+ |-----------|-------------|----------|---------|
158+ | **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
159+ | **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
160+ | **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
161+
162+ ### Template (Product) Configuration
163+
164+ Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
165+
166+ | Parameter | Description | Required | Example |
167+ |-----------|-------------|----------|---------|
168+ | **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
169+ | **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
170+ | **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
171+
172+ **Important Notes:**
173+ - Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
174+ - The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
175+ - RenewalDays determines the behavior for certificate renewal:
176+ - Within window: Performs a renewal operation (maintains certificate lineage)
177+ - Outside window: Performs a re-issue operation (new certificate enrollment)
178+
179+ ### Gateway Registration Notes
180+
181+ - Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
182+ - If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
183+ - Each CA configuration will manifest in Command as a separate CA entry
184+ - The plugin uses Hawk authentication protocol for all API communications
185+ - Authentication uses HMAC-SHA256 for secure API access
186+ - The plugin automatically handles:
187+ - Policy/template discovery
188+ - Certificate status mapping
189+ - End-entity certificate extraction from PEM chains
190+ - Enrollment completion polling (30-second timeout)
191+
192+ ### Security Considerations
193+
194+ 1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
195+ 2. **Secret Management**: Consider using a secrets management system for AuthKey storage
196+ 3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
197+ 4. **Least Privilege**: Request API credentials with minimal required permissions
198+ 5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
199+ 6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
200+
201+ * **CA Connection**
202+
203+ Populate using the configuration fields collected in the [requirements](#requirements) section.
204+
205+ * **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
206+ * **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
207+ * **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
208+
209+ 2. **Certificate Template Configuration**
210+
211+ After adding the CA to the Gateway, configure each certificate template:
212+
213+ 1. Navigate to the Templates/Products section for the newly added CA
214+ 2. For each template (policy) discovered from HydrantId, configure:
215+ - **ValidityPeriod**: Select `Days`, `Months`, or `Years`
216+ - **ValidityUnits**: Enter the numeric value (e.g., `365` for one year in days)
217+ - **RenewalDays**: Enter the renewal window in days (e.g., `30`)
218+
219+ Example configurations:
220+ - **1-Year Certificate (Days)**: ValidityPeriod=`Days`, ValidityUnits=`365`, RenewalDays=`30`
221+ - **2-Year Certificate (Years)**: ValidityPeriod=`Years`, ValidityUnits=`2`, RenewalDays=`60`
222+ - **6-Month Certificate (Months)**: ValidityPeriod=`Months`, ValidityUnits=`6`, RenewalDays=`30`
223+
224+ 3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
153225
154226## Certificate Template Creation Step
155227
0 commit comments