Skip to content

Commit 6f09f7a

Browse files
Update configuration.md
1 parent 0f65298 commit 6f09f7a

1 file changed

Lines changed: 73 additions & 1 deletion

File tree

docsource/configuration.md

Lines changed: 73 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -149,7 +149,79 @@ The plugin supports the following standard CRL revocation reasons:
149149

150150
## Gateway Registration
151151

152-
TODO Gateway Registration is a required section
152+
### CA Connection Configuration
153+
154+
When registering the HydrantId CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
155+
156+
| Parameter | Description | Required | Example |
157+
|-----------|-------------|----------|---------|
158+
| **HydrantIdBaseUrl** | Full URL to the HydrantId API endpoint | Yes | `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com` |
159+
| **HydrantIdAuthId** | API Authentication ID provided by HydrantId | Yes | `your-auth-id` |
160+
| **HydrantIdAuthKey** | API Authentication Key provided by HydrantId | Yes | `your-secret-auth-key` |
161+
162+
### Template (Product) Configuration
163+
164+
Each certificate template (policy) discovered from HydrantId requires configuration for enrollment:
165+
166+
| Parameter | Description | Required | Example |
167+
|-----------|-------------|----------|---------|
168+
| **ValidityPeriod** | Time unit for certificate lifetime | Yes | `Days`, `Months`, or `Years` |
169+
| **ValidityUnits** | Numeric value for the validity period | Yes | `365` (for 1 year in days), `12` (for 1 year in months), `2` (for 2 years) |
170+
| **RenewalDays** | Days before expiration to trigger renewal | Yes | `30` (renew within 30 days of expiration) |
171+
172+
**Important Notes:**
173+
- Template names (Product IDs) are automatically discovered from HydrantId using the GET /api/v2/policies endpoint
174+
- The ValidityPeriod and ValidityUnits combine to determine the certificate lifetime
175+
- RenewalDays determines the behavior for certificate renewal:
176+
- Within window: Performs a renewal operation (maintains certificate lineage)
177+
- Outside window: Performs a re-issue operation (new certificate enrollment)
178+
179+
### Gateway Registration Notes
180+
181+
- Each defined Certificate Authority in the AnyCA Gateway REST can support one HydrantId API endpoint
182+
- If you have multiple HydrantId environments or accounts, you must define multiple Certificate Authorities in the AnyCA Gateway
183+
- Each CA configuration will manifest in Command as a separate CA entry
184+
- The plugin uses Hawk authentication protocol for all API communications
185+
- Authentication uses HMAC-SHA256 for secure API access
186+
- The plugin automatically handles:
187+
- Policy/template discovery
188+
- Certificate status mapping
189+
- End-entity certificate extraction from PEM chains
190+
- Enrollment completion polling (30-second timeout)
191+
192+
### Security Considerations
193+
194+
1. **Credential Storage**: Store API credentials securely and restrict access to the Gateway configuration
195+
2. **Secret Management**: Consider using a secrets management system for AuthKey storage
196+
3. **Network Security**: Ensure TLS/SSL is properly configured for all API communications
197+
4. **Least Privilege**: Request API credentials with minimal required permissions
198+
5. **Audit Logging**: Enable comprehensive logging in both the Gateway and HydrantId for security monitoring
199+
6. **Credential Rotation**: Regularly rotate API credentials according to your security policy
200+
201+
* **CA Connection**
202+
203+
Populate using the configuration fields collected in the [requirements](#requirements) section.
204+
205+
* **HydrantIdBaseUrl** - The base URL for the HydrantId API endpoint. For example, `https://acm.hydrantid.com` or `https://acm-stage.hydrantid.com`.
206+
* **HydrantIdAuthId** - The API Authentication ID provided by HydrantId for API access.
207+
* **HydrantIdAuthKey** - The API Authentication Key (secret) provided by HydrantId for API access.
208+
209+
2. **Certificate Template Configuration**
210+
211+
After adding the CA to the Gateway, configure each certificate template:
212+
213+
1. Navigate to the Templates/Products section for the newly added CA
214+
2. For each template (policy) discovered from HydrantId, configure:
215+
- **ValidityPeriod**: Select `Days`, `Months`, or `Years`
216+
- **ValidityUnits**: Enter the numeric value (e.g., `365` for one year in days)
217+
- **RenewalDays**: Enter the renewal window in days (e.g., `30`)
218+
219+
Example configurations:
220+
- **1-Year Certificate (Days)**: ValidityPeriod=`Days`, ValidityUnits=`365`, RenewalDays=`30`
221+
- **2-Year Certificate (Years)**: ValidityPeriod=`Years`, ValidityUnits=`2`, RenewalDays=`60`
222+
- **6-Month Certificate (Months)**: ValidityPeriod=`Months`, ValidityUnits=`6`, RenewalDays=`30`
223+
224+
3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
153225
154226
## Certificate Template Creation Step
155227

0 commit comments

Comments
 (0)