Keyfactor
diff --git a/‎cmd/store_types.json‎
Lines changed: 123 additions & 32 deletions b/‎cmd/store_types.json‎
Lines changed: 123 additions & 32 deletions
@@ -447,6 +447,34 @@
     "ClientMachineDescription": "This is a full AWS ARN specifying a Role. This is the Role that will be assumed in any Auth scenario performing Assume Role. This will dictate what certificates are usable by the orchestrator. A preceding [profile] name should be included if a Credential Profile is to be used in Default Sdk Auth.",
     "StorePathDescription": "A single specified AWS Region the store will operate in. Additional regions should get their own store defined."
   },
+  {
+    "Name": "Airlock Application Firewall Certificate",
+    "ShortName": "AirlockWAF",
+    "Capability": "AirlockWAF",
+    "LocalStore": false,
+    "SupportedOperations": {
+      "Add": false,
+      "Create": false,
+      "Discovery": true,
+      "Enrollment": false,
+      "Remove": false
+    },
+    "Properties": [],
+    "EntryParameters": [],
+    "PasswordOptions": {
+      "EntrySupported": false,
+      "StoreRequired": true,
+      "Style": "Default"
+    },
+    "StorePathType": "",
+    "StorePathValue": "",
+    "PrivateKeyAllowed": "Required",
+    "JobProperties": [],
+    "ServerRequired": true,
+    "PowerShell": false,
+    "BlueprintAllowed": false,
+    "CustomAliasAllowed": "Allowed"
+  },
   {
     "Name": "Akamai Certificate Provisioning Service",
     "ShortName": "Akamai",
@@ -999,7 +1027,22 @@
     "PrivateKeyAllowed": "Optional",
     "JobProperties": [],
     "Properties": [],
-    "EntryParameters": []
+    "EntryParameters": [
+      {
+        "Name": "VirtualServiceBindings",
+        "DisplayName": "Virtual Service Bindings",
+        "Type": "String",
+        "DefaultValue": "",
+        "DependsOn": "",
+        "RequiredWhen": {
+          "HasPrivateKey": false,
+          "OnAdd": false,
+          "OnRemove": false,
+          "OnReenrollment": false
+        },
+        "Description": "Comma-separated list of virtual service bindings in 'virtId:servicePort' format. Each binding identifies the virtual server ID and the service port to which the certificate should be bound. Example: '1:443' for a single binding, or '1:443,2:443,my-virt:8443' for multiple bindings. Returned during inventory to show which virtual services each certificate is currently bound to."
+      }
+    ]
   },
   {
     "Name": "Azure Application Gateway Certificate Binding",
@@ -1271,14 +1314,6 @@
         "DefaultValue": "public,china,germany,government",
         "Description": "Specifies the Azure Cloud instance used by the organization.",
         "Required": false
-      },
-      {
-        "Name": "ServerUseSsl",
-        "DisplayName": "Use SSL",
-        "Type": "Bool",
-        "DefaultValue": "true",
-        "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.",
-        "Required": true
       }
     ],
     "PasswordOptions": {
@@ -1465,14 +1500,6 @@
         "DefaultValue": "public,china,germany,government",
         "Description": "Specifies the Azure Cloud instance used by the organization.",
         "Required": false
-      },
-      {
-        "Name": "ServerUseSsl",
-        "DisplayName": "Use SSL",
-        "Type": "Bool",
-        "DefaultValue": "true",
-        "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.",
-        "Required": true
       }
     ],
     "PasswordOptions": {
@@ -2054,7 +2081,7 @@
     "SupportedOperations": {
       "Add": true,
       "Create": false,
-      "Discovery": false,
+      "Discovery": true,
       "Enrollment": false,
       "Remove": false
     },
@@ -2131,7 +2158,7 @@
     ],
     "EntryParameters": [],
     "ClientMachineDescription": "The Client Machine field should contain the IP or Domain name and Port Needed for REST API Access.  For SSH Access, Port 22 will be used.",
-    "StorePathDescription": "The Store Path field should always be / unless we later determine there are alternate locations needed.",
+    "StorePathDescription": "The store path uses the format domain\\directory (e.g., default\\pubcert, production-api\\cert). The Discovery job can automatically find all valid store paths on an appliance.",
     "PasswordOptions": {
       "EntrySupported": false,
       "StoreRequired": false,
@@ -2772,7 +2799,55 @@
         "Name": "tags",
         "DisplayName": "Tags",
         "Type": "String",
-        "Description": "One-to-many Organization level tag Key:Value combinations, comma delimited - i.e. tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN",
+        "Description": "An optional list of one-to-many comma delimited Organization level tag Key:Value combinations.  Values should be entered as tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN",
+        "RequiredWhen": {
+          "HasPrivateKey": false,
+          "OnAdd": false,
+          "OnRemove": false,
+          "OnReenrollment": false
+        }
+      },
+      {
+        "Name": "labels",
+        "DisplayName": "Labels",
+        "Type": "String",
+        "Description": "An optional list of one-to-many comma delimited label key:value pairs to assign to the secret.  Values should be entered as key1:value1,key2:value2,...,keyN:valueN.",
+        "RequiredWhen": {
+          "HasPrivateKey": false,
+          "OnAdd": false,
+          "OnRemove": false,
+          "OnReenrollment": false
+        }
+      },
+      {
+        "Name": "replicationRegions",
+        "DisplayName": "Replication Regions",
+        "Type": "String",
+        "Description": "An optional list of valid comma delimited GCP regions to replicate secrets to (user managed replication).  If left blank, GCP default behavior (automatic replication) will be executed.  Values can also be entered as region1:path1,region2:path2,...,regionN:pathN if providing a kmsKeyName path for each region is desired.",
+        "RequiredWhen": {
+          "HasPrivateKey": false,
+          "OnAdd": false,
+          "OnRemove": false,
+          "OnReenrollment": false
+        }
+      },
+      {
+        "Name": "ttlDuration",
+        "DisplayName": "TTL Duration",
+        "Type": "String",
+        "Description": "An optional number of days to provide after which a secret will be deleted.  If not provided, secret will stay around until explicitly deleted.",
+        "RequiredWhen": {
+          "HasPrivateKey": false,
+          "OnAdd": false,
+          "OnRemove": false,
+          "OnReenrollment": false
+        }
+      },
+      {
+        "Name": "versionDestroyTtlDuration",
+        "DisplayName": "Version Destroy TTL Duration",
+        "Type": "String",
+        "Description": "An optional number of days to provide after a secret is destroyed that its versions will stay around.  If not provided, versions will be permanently destroyed when the secret is destroyed.",
         "RequiredWhen": {
           "HasPrivateKey": false,
           "OnAdd": false,
@@ -2841,10 +2916,10 @@
     "PowerShell": false,
     "PrivateKeyAllowed": "Required",
     "StorePathType": "",
-    "StorePathValue": "n/a",
+    "StorePathValue": "",
     "SupportedOperations": {
       "Add": true,
-      "Create": true,
+      "Create": false,
       "Discovery": true,
       "Enrollment": false,
       "Remove": true
@@ -2857,28 +2932,44 @@
     "Properties": [
       {
         "Name": "Location",
-        "DisplayName": "Location",
+        "DisplayName": "Location (deprecated)",
         "Type": "String",
         "DependsOn": "",
-        "DefaultValue": "global",
-        "Required": true,
+        "DefaultValue": "",
+        "Required": false,
         "IsPAMEligible": false,
-        "Description": "The GCP region used for this Certificate Manager instance.  **global** is the default but could be another region based on the project."
+        "Description": "**Deprecated in v1.2.** The GCP location is parsed from Store Path. Leave blank for new stores. v1.1-shape stores (where Store Path is blank or `n/a`) still read this value as a fallback; expect a deprecation warning in the orchestrator log when that path is used."
       },
       {
         "Name": "ServiceAccountKey",
-        "DisplayName": "Service Account Key File Path",
+        "DisplayName": "Service Account Key File Path (deprecated)",
         "Type": "String",
         "DependsOn": "",
         "DefaultValue": "",
         "Required": false,
         "IsPAMEligible": false,
-        "Description": "The file name of the Google Cloud Service Account Key File installed in the same folder as the orchestrator extension. Empty if the orchestrator server resides in GCP and you are not using a service account key."
+        "Description": "**Deprecated in v1.2.** Leave blank. Authenticate via Application Default Credentials instead (set `GOOGLE_APPLICATION_CREDENTIALS` as a machine-level environment variable on the orchestrator host pointing at the JSON key, or run on a GCE VM / GKE pod with workload identity). The Discovery job has no way to surface this custom property in Keyfactor Command's discovery-job UI, so ADC is the only mechanism that works uniformly across all four job types. v1.1 stores that have this populated continue to work via a deprecation-logged fallback; the field is scheduled for removal in v2.0."
       }
     ],
-    "ClientMachineDescription": "GCP Project ID for your account.",
-    "StorePathDescription": "This is not used and should be defaulted to n/a per the certificate store type set up.",
-    "EntryParameters": []
+    "ClientMachineDescription": "Display label for grouping certificate stores in Keyfactor Command. Recommended value is the GCP Organization ID (e.g. `1005564431893`); the orchestrator does not parse a project ID out of this field. The actual GCP project + location are read from Store Path.",
+    "StorePathDescription": "Canonical GCP resource path in the form `projects/{projectId}/locations/{location}` (e.g. `projects/edgecerts/locations/global`). This is the single source of truth for which Certificate Manager instance the store targets. For Discovery-approved stores Keyfactor Command auto-fills this from the discovered candidate; for manually-created stores the operator types it directly.",
+    "EntryParameters": [
+      {
+        "Name": "Scope",
+        "DisplayName": "Certificate Scope",
+        "Type": "MultipleChoice",
+        "DependsOn": "",
+        "DefaultValue": "DEFAULT",
+        "Options": "DEFAULT,ALL_REGIONS,EDGE_CACHE,CLIENT_AUTH",
+        "RequiredWhen": {
+          "HasPrivateKey": false,
+          "OnAdd": false,
+          "OnRemove": false,
+          "OnReenrollment": false
+        },
+        "Description": "GCP Certificate Manager `scope` for this certificate entry. Allowed: `DEFAULT` (global external Application Load Balancers), `ALL_REGIONS` (cross-region internal Application Load Balancers), `EDGE_CACHE` (Media CDN), `CLIENT_AUTH` (mTLS trust configs / authorized client server certs). **Immutable in GCP** - once a certificate is created with a given scope, GCP refuses to change it. Inventory persists the existing scope back from GCP so renewals carry it forward automatically. A single store can hold certs at different scopes (the field is per-entry, not store-wide)."
+      }
+    ]
   },
   {
     "Name": "Hashicorp Vault Key-Value",
@@ -3657,7 +3748,7 @@
         "Description": "This should be no value or `kubeconfig`",
         "Type": "Secret",
         "DependsOn": "",
-        "DefaultValue": "",
+        "DefaultValue": null,
         "Required": false
       },
       {