{"id":25190200,"url":"https://github.com/keyfactor/amazon-acmpca-cagateway","last_synced_at":"2025-04-04T11:25:47.166Z","repository":{"id":235656071,"uuid":"546757951","full_name":"Keyfactor/amazon-acmpca-cagateway","owner":"Keyfactor","description":"CA Gateway to Amazon Web Services Certificate Manager Private Certificate Authority (AWS ACM PCA) service","archived":false,"fork":false,"pushed_at":"2023-04-11T19:58:18.000Z","size":63,"stargazers_count":2,"open_issues_count":1,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-02-09T21:19:11.344Z","etag":null,"topics":["keyfactor-cagateway"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Keyfactor.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-10-06T15:41:14.000Z","updated_at":"2024-06-11T20:25:01.000Z","dependencies_parsed_at":"2024-04-24T06:12:19.195Z","dependency_job_id":"f59d7544-8e55-424c-9f7b-3e8cbb034715","html_url":"https://github.com/Keyfactor/amazon-acmpca-cagateway","commit_stats":null,"previous_names":["keyfactor/amazon-acmpca-cagateway"],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Famazon-acmpca-cagateway","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Famazon-acmpca-cagateway/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Famazon-acmpca-cagateway/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Famazon-acmpca-cagateway/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Keyfactor","download_url":"https://codeload.github.com/Keyfactor/amazon-acmpca-cagateway/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247167934,"owners_count":20895025,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["keyfactor-cagateway"],"created_at":"2025-02-09T21:19:13.043Z","updated_at":"2025-04-04T11:25:47.143Z","avatar_url":"https://github.com/Keyfactor.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Amazon ACM PCA CA AnyGateway\n\nThis integration allows for the Synchronization, Enrollment, and Revocation of certificates from Amazon Certificate Manager Private CA.\n\n#### Integration status: Production - Ready for use in production environments.\n\n## About the Keyfactor AnyGateway CA Connector\n\nThis repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority.\n\n## Support for Amazon ACM PCA CA AnyGateway\n\nAmazon ACM PCA CA AnyGateway is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative.\n\n###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.\n___\n\n# Introduction\nThis AnyGateway plug-in enables issuance, revocation, and synchronization of certificates from Amazon's AWS Certificate Manager Private CA.\nNote that this gateway is specific to Private CAs, and will not work against other AWS CAs.\n\n# Prerequisites for Installation\n\n## AnyGateway Platform Minimum Version\nThe ACMPCA AnyGateway requires the Keyfactor AnyGateway v21.5.1 or newer.\n\n## Certificate Chain\n\nIn order to enroll for certificates, the Keyfactor Command server must trust the CA's certificate chain. Once you create your Root and/or Subordinate CA, make sure to import the certificate chain into the AnyGateway and Command Server certificate store.\n\n# Install\n* Download latest successful build from [GitHub Releases](../../releases/latest)\n\n* Copy AmazonACMPCAGateway.dll to the Program Files\\Keyfactor\\Keyfactor AnyGateway directory\n\n* Copy all of the AWSSDK DLLs to the Program Files\\Keyfactor\\Keyfactor AnyGateway directory\n\n* Update the CAProxyServer.config file\n  * Update the CAConnection section to point at the ACMPCAConnector class\n  ```xml\n  \u003calias alias=\"CAConnector\" type=\"Keyfactor.Extensions.AnyGateway.Amazon.ACMPCA.ACMPCAConnector, AmazonACMPCAGateway\"/\u003e\n  ```\n\n# Configuration\nThe following sections will break down the required configurations for the AnyGatewayConfig.json file that will be imported to configure the AnyGateway.\n\n## Templates\nThe Template section will map the CA's products to an AD template.\n* ```ProductID```\nThis is the ID of the ACM PCA product to map to the specified template.\n\nCurrently supported options: `EndEntity`, `EndEntityClientAuth`, `EndEntityServerAuth`.\n\n* ```LifetimeDays```\nOPTIONAL: The number of days of validity to use when requesting certs. If not provided, default is 365.\n\n```json\n  \"Templates\": {\n    \"WebServer\": {\n      \"ProductID\": \"EndEntity\",\n      \"Parameters\": {\n        \"LifetimeDays\": \"365\"\n      }\n    }\n  }\n```\n\n## Security\nThe security section does not change specifically for the ACM PCA Gateway. Refer to the AnyGateway Documentation for more detail.\n```json\n  /*Grant permissions on the CA to users or groups in the local domain.\n\tREAD: Enumerate and read contents of certificates.\n\tENROLL: Request certificates from the CA.\n\tOFFICER: Perform certificate functions such as issuance and revocation. This is equivalent to \"Issue and Manage\" permission on the Microsoft CA.\n\tADMINISTRATOR: Configure/reconfigure the gateway.\n\tValid permission settings are \"Allow\", \"None\", and \"Deny\".*/\n    \"Security\": {\n        \"Keyfactor\\\\Administrator\": {\n            \"READ\": \"Allow\",\n            \"ENROLL\": \"Allow\",\n            \"OFFICER\": \"Allow\",\n            \"ADMINISTRATOR\": \"Allow\"\n        },\n        \"Keyfactor\\\\gateway_test\": {\n            \"READ\": \"Allow\",\n            \"ENROLL\": \"Allow\",\n            \"OFFICER\": \"Allow\",\n            \"ADMINISTRATOR\": \"Allow\"\n        },\n        \"Keyfactor\\\\SVC_TimerService\": {\n            \"READ\": \"Allow\",\n            \"ENROLL\": \"Allow\",\n            \"OFFICER\": \"Allow\",\n            \"ADMINISTRATOR\": \"None\"\n        },\n        \"Keyfactor\\\\SVC_AppPool\": {\n            \"READ\": \"Allow\",\n            \"ENROLL\": \"Allow\",\n            \"OFFICER\": \"Allow\",\n            \"ADMINISTRATOR\": \"Allow\"\n        }\n    }\n```\n## CertificateManagers\nThe Certificate Managers section is optional. If configured, all users or groups granted OFFICER permissions under the Security section must be configured for at least one Template and one Requester. Use \"\u003cAll\u003e\" to specify all templates. Use \"Everyone\" to specify all requesters. Valid permission values are \"Allow\" and \"Deny\".\n```json\n  \"CertificateManagers\": {\n    \"DOMAIN\\\\Username\": {\n      \"Templates\": {\n        \"MyTemplateShortName\": {\n          \"Requesters\": {\n            \"Everyone\": \"Allow\",\n            \"DOMAIN\\\\Groupname\": \"Deny\"\n          }\n        },\n        \"\u003cAll\u003e\": {\n          \"Requesters\": {\n            \"Everyone\": \"Allow\"\n          }\n        }\n      }\n    }\n  }\n```\n## CAConnection\nThe CA Connection section will determine the API endpoint and configuration data used to connect to the ACM PCA.\n* ```AccessKey```\nThis is the access key to use to connect to the ACM API.\n* ```AccessSecret```\nThis is the secret to use with the corresponding access key to connect to the ACM API.\n* ```CAARN```\nThis is the Amazon Resource Name (ARN) of the CA in AWS. This can be found in the list of private CAs in your Amazon account.\nThe ARN will be of a form similar to: \"arn:aws:acm-pca:region:account:certificate-authority/GUID\"\n* ```S3Bucket```\nSince the ACM PCA API does not have direct inventory capabilities, the gateway performs an inventory by generating an audit report and then parsing that report.\nThe audit reports themselves need to be stored in an S3 Bucket in the Amazon account. The name of the bucket you wish to use should go here.\nNote: Make sure that the account being used with the access key/secret has read/write permissions to that S3 bucket.\n\n```json\n  \"CAConnection\": {\n    \"AccessKey\": \"ACM Access Key\",\n    \"AccessSecret\": \"ACM Access Secret\",\n    \"CAARN\": \"arn:aws:acm-pca:region:account:certificate-authority/GUID\",\n    \"S3Bucket\": \"bucketname\"\n  },\n```\n## GatewayRegistration\nThere are no specific changes for the GatewayRegistration section. Refer to the AnyGateway Documentation for more detail.\n```json\n  \"GatewayRegistration\": {\n    \"LogicalName\": \"ACMPCASandbox\",\n    \"GatewayCertificate\": {\n      \"StoreName\": \"CA\",\n      \"StoreLocation\": \"LocalMachine\",\n      \"Thumbprint\": \"0123456789abcdef\"\n    }\n  }\n```\n\n## ServiceSettings\n\nAmazon ACM PCA limits the audit-report generation the gateway uses for inventory to once per 30 minutes, so do not set your scan periods to less than 30 minutes.\nRefer to the AnyGateway Documentation for more detail.\n```json\n  \"ServiceSettings\": {\n    \"ViewIdleMinutes\": 8,\n    \"FullScanPeriodHours\": 24,\n    \"PartialScanPeriodMinutes\": 240\n  }\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Famazon-acmpca-cagateway","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeyfactor%2Famazon-acmpca-cagateway","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Famazon-acmpca-cagateway/lists"}