Conversation
Pull Request Overview
This PR introduces the initial implementation of an Idnomic PKI AnyCA Gateway Plugin for Keyfactor Command. The plugin enables certificate lifecycle management through SOAP-based integration with Idnomic PKI systems (formerly OpenTrust PKI), supporting certificate enrollment, synchronization, and revocation.
Key changes:
- Added integration manifest with plugin configuration schema
- Created comprehensive documentation for requirements, installation, and troubleshooting
- Added multi-target framework support (.NET 6.0 and 8.0)
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| integration-manifest.json | Defines plugin metadata, configuration parameters, and integration schema |
| docsource/configuration.md | Provides detailed technical documentation for plugin configuration and testing |
| README.md | User-facing documentation with installation guide and test cases |
| IdomicCAPlugin.cs | Removed placeholder class file |
| Idnomic/Idnomic.csproj | Updated to support both .NET 6.0 and .NET 8.0 target frameworks |
| CHANGELOG.md | Added initial version entry |
| | 1 | Key Compromise | Private key has been compromised | | ||
| | 2 | CA Compromise | Certificate Authority has been compromised | | ||
| | 3 | Affiliation Changed | Subject's affiliation has changed | | ||
| | 4 | Superseded | Certificate has been superseded by a new certificate | |
The Supported Revocation Reasons table is incomplete. The original version includes reason codes 5, 6, 9, and 10 (Cessation of Operation, Certificate Hold, Privilege Withdrawn, and AA Compromise), but they have been removed in this version. If these revocation reasons are not supported, the documentation should explicitly state why they were removed. If they are supported, they should be included in the table.
| | 4 | Superseded | Certificate has been superseded by a new certificate | | |
| | 4 | Superseded | Certificate has been superseded by a new certificate | | |
| | 5 | Cessation of Operation | Certificate is no longer needed due to the end of operations | | |
| | 6 | Certificate Hold | Certificate is temporarily suspended | | |
| | 9 | Privilege Withdrawn | Privileges associated with the certificate have been withdrawn | | |
| | 10 | AA Compromise | Attribute Authority has been compromised | |
docsource/configuration.md
| TODO Certificate Template Creation Step is a required section | ||
|
|
The documentation contains an incomplete TODO section. The 'Certificate Template Creation Step' is marked as required but has no content. This section should be completed before merging, or removed if it's not applicable to this plugin.
| TODO Certificate Template Creation Step is a required section | |
| The Idnomic PKI Gateway plugin relies on certificate templates (also known as profiles) defined in Idnomic PKI to control certificate issuance parameters such as key size, validity period, and subject attributes. Follow these steps to create and configure certificate templates: | |
| **Prerequisites**: | |
| - Administrative access to Idnomic PKI Management Console | |
| - Understanding of organizational certificate requirements (key types, usages, validity, etc.) | |
| **Steps**: | |
| 1. Log in to the Idnomic PKI Management Console. | |
| 2. Navigate to the "Profiles" or "Certificate Templates" section. | |
| 3. Click "Create New Profile" or equivalent action. | |
| 4. Specify the following parameters: | |
| - **Profile Name**: A unique name for the template. | |
| - **Key Type and Size**: (e.g., RSA 2048, ECC P-256) | |
| - **Validity Period**: (e.g., 1 year) | |
| - **Subject Attributes**: Define required/optional fields (CN, OU, etc.) | |
| - **Extensions**: Configure certificate extensions as needed (Key Usage, Extended Key Usage, etc.) | |
| - **Enrollment Constraints**: Set any restrictions (e.g., allowed zones, approval workflow) | |
| 5. Save the profile. | |
| 6. Repeat for each required certificate type. | |
| **Integration Notes**: | |
| - The plugin will automatically discover available profiles during zone configuration. | |
| - Ensure that profile names and settings match the requirements of your Keyfactor Command zones. | |
| - Changes to profiles in Idnomic PKI may require a Gateway restart or zone resynchronization. | |
| **Verification**: | |
| - After profile creation, verify that the new templates appear in the Gateway zone configuration UI. | |
| - Test certificate enrollment using the new profile to confirm correct behavior. |
| | Reason Code | Reason Name | Description | | ||
| |-------------|-------------|-------------| | ||
| | 0 | Unspecified | No specific reason provided | | ||
| | 1 | Key Compromise | Private key has been compromised | | ||
| | 2 | CA Compromise | Certificate Authority has been compromised | | ||
| | 3 | Affiliation Changed | Subject's affiliation has changed | | ||
| | 4 | Superseded | Certificate has been superseded by a new certificate | | ||
|
|
The Supported Revocation Reasons table is incomplete compared to the original documentation. The original version included reason codes 5, 6, 9, and 10, but they have been removed. This creates an inconsistency where the note refers to 'all revocation reasons' but only shows 5 out of 9 standard CRL reason codes. Either restore the complete table or update the note to clarify which specific reasons are supported.
| | Reason Code | Reason Name | Description | | |
| |-------------|-------------|-------------| | |
| | 0 | Unspecified | No specific reason provided | | |
| | 1 | Key Compromise | Private key has been compromised | | |
| | 2 | CA Compromise | Certificate Authority has been compromised | | |
| | 3 | Affiliation Changed | Subject's affiliation has changed | | |
| | 4 | Superseded | Certificate has been superseded by a new certificate | | |
| | Reason Code | Reason Name | Description | | |
| |-------------|---------------------|-------------| | |
| | 0 | Unspecified | No specific reason provided | | |
| | 1 | Key Compromise | Private key has been compromised | | |
| | 2 | CA Compromise | Certificate Authority has been compromised | | |
| | 3 | Affiliation Changed | Subject's affiliation has changed | | |
| | 4 | Superseded | Certificate has been superseded by a new certificate | | |
| | 5 | Cessation of Operation | Certificate is no longer needed (end of operation) | | |
| | 6 | Certificate Hold | Certificate is temporarily on hold | | |
| | 9 | Privilege Withdrawn | Privilege associated with the certificate has been withdrawn | | |
| | 10 | AA Compromise | Attribute Authority has been compromised | |
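Added example, not part of this pull request or of the plugin's own code: a small check that parses a Supported Revocation Reasons table in the markdown form used by this documentation and reports which RFC 5280 CRLReason values it omits, which is the inconsistency the comment above flags. The table embedded in the block is constructed from the rows shown in this thread.

```python
import re

# CRLReason values from RFC 5280 section 5.3.1 that denote a revocation
# reason. Value 7 is unused and 8 (removeFromCRL) is only meaningful in
# delta CRLs, so neither belongs in a "supported revocation reasons" table.
RFC5280_REVOCATION_REASONS = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}

# Matches a data row such as "| 4 | Superseded | ... |"; header and
# separator rows have no leading integer cell and are skipped.
ROW = re.compile(r"^\|\s*(\d+)\s*\|\s*([^|]+?)\s*\|")


def documented_reason_codes(markdown_table: str) -> dict:
    """Return {code: reason name} for every data row of the table."""
    codes = {}
    for line in markdown_table.splitlines():
        m = ROW.match(line.strip())
        if m:
            codes[int(m.group(1))] = m.group(2)
    return codes


def audit_reason_table(markdown_table: str) -> dict:
    """Compare the documented codes with the RFC 5280 revocation reasons."""
    documented = set(documented_reason_codes(markdown_table))
    standard = set(RFC5280_REVOCATION_REASONS)
    return {
        "missing": standard - documented,       # in the RFC, absent from the doc
        "non_standard": documented - standard,  # e.g. 7 or 8, not revocation reasons
    }


# Constructed sample: the trimmed table from the diff above (codes 0-4 only).
TRIMMED_TABLE = """\
| Reason Code | Reason Name | Description |
|-------------|-------------|-------------|
| 0 | Unspecified | No specific reason provided |
| 1 | Key Compromise | Private key has been compromised |
| 2 | CA Compromise | Certificate Authority has been compromised |
| 3 | Affiliation Changed | Subject's affiliation has changed |
| 4 | Superseded | Certificate has been superseded by a new certificate |
"""

if __name__ == "__main__":
    print(audit_reason_table(TRIMMED_TABLE))  # missing == {5, 6, 9, 10}
```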
README.md
| 2. TODO Certificate Template Creation Step is a required section | ||
|
|
The installation instructions contain an incomplete TODO section at step 2. The 'Certificate Template Creation Step' is marked as required but has no content. This critical installation step should be documented before merging, or the TODO should be removed if the step is not actually required.
| 2. TODO Certificate Template Creation Step is a required section | |
| 2. Create Certificate Templates in Idnomic | |
| * In the Idnomic administration console, create or identify the certificate templates (profiles) that should be available for issuance via Keyfactor Command. | |
| * Ensure each template is published and accessible to the RA connector user configured in the previous step. | |
| * Note the template/profile names and any required parameters, as these will be discovered and mapped in Keyfactor Command. | |
| * If template mapping or custom attributes are required, refer to the Idnomic documentation for details on template configuration. |
Pull Request Overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 13 comments.
| Before configuring the AnyCA Gateway plugin, ensure the following prerequisites are met on your Idnomic PKI system: | ||
|
|
||
| 1. **Idnomic PKI Installation**: | ||
| - Idnomic PKI server must be installed and operational. Only tested with 4.9.2 version of IDNOMIC. Other version may or may not work. |
Spacing issue: there should be only one space after the first sentence period, not two. The word 'version' should have an article before it: 'the 4.9.2 version' or 'version 4.9.2'. The word 'version' in the last sentence should be pluralized: 'Other versions may or may not work.'
| - Idnomic PKI server must be installed and operational. Only tested with 4.9.2 version of IDNOMIC. Other version may or may not work. | |
| - Idnomic PKI server must be installed and operational. Only tested with version 4.9.2 of IDNOMIC. Other versions may or may not work. |
| Before configuring the AnyCA Gateway plugin, ensure the following prerequisites are met on your Idnomic PKI system: | ||
|
|
||
| 1. **Idnomic PKI Installation**: | ||
| - Idnomic PKI server must be installed and operational. Only tested with 4.9.2 version of IDNOMIC. Other version may or may not work. |
Inconsistent capitalization of product name: 'Idnomic' vs 'IDNOMIC'. The product name should be consistently capitalized throughout the documentation.
| - Idnomic PKI server must be installed and operational. Only tested with 4.9.2 version of IDNOMIC. Other version may or may not work. | |
| - Idnomic PKI server must be installed and operational. Only tested with 4.9.2 version of Idnomic. Other version may or may not work. |
| Before configuring the AnyCA Gateway plugin, ensure the following prerequisites are met on your Idnomic PKI system: | ||
|
|
||
| 1. **Idnomic PKI Installation**: | ||
| - Idnomic PKI server must be installed and operational. Only tested with 4.9.2 version of IDNOMIC. Other version may or may not work. |
Spacing issue: there should be only one space after the first sentence period, not two. The word 'version' should have an article before it: 'the 4.9.2 version' or 'version 4.9.2'. The word 'version' in the last sentence should be pluralized: 'Other versions may or may not work.'
| - Idnomic PKI server must be installed and operational. Only tested with 4.9.2 version of IDNOMIC. Other version may or may not work. | |
| - Idnomic PKI server must be installed and operational. Only tested with the 4.9.2 version of IDNOMIC. Other versions may or may not work. |
| @@ -0,0 +1,495 @@ | |||
| <h1 align="center" style="border-bottom: none"> | |||
| Idnomic PKI Gateway AnyCA Gateway REST Plugin | |||
Extra space between 'PKI' and 'Gateway': should be 'Idnomic PKI Gateway AnyCA Gateway REST Plugin' with only one space.
|
|
||
| 1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm). | ||
|
|
||
| 2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [Idnomic PKI Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/idnomic-caplugin/releases/latest) from GitHub. |
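Review bot: step 2 tells the operator to download and unzip the latest release archive but includes no integrity check before its DLLs are copied into the Gateway's `Extensions` directory and picked up by the AnyCA Gateway REST service after the restart in step 4. Add a line telling the reader to verify the downloaded archive against the checksum or signature published with the release (or, if none is published, to record the exact release tag that was installed) before going on to step 3.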
Extra space between 'PKI' and 'Gateway' in the link text: should be 'Idnomic PKI Gateway' with only one space.
| Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions | ||
| ``` | ||
|
|
||
| > The directory containing the Idnomic PKI Gateway AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory. |
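Review bot: the example path `Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions` shows only the .NET 8.0 layout, while the blockquote (and the csproj change in the file summary) say the plugin ships both `net6.0` and `net8.0` DLLs. State that the folder copied must match the runtime of the installed Gateway, and either show the corresponding net6.0 path or say why only net8.0 is documented, so the reader knows which of the two builds to copy.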
Extra space between 'PKI' and 'Gateway': should be 'Idnomic PKI Gateway' with only one space.
|
|
||
| 4. Restart the AnyCA Gateway REST service. | ||
|
|
||
| 5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the Idnomic PKI Gateway plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal. |
Extra space between 'PKI' and 'Gateway': should be 'Idnomic PKI Gateway' with only one space.