{"id":25190039,"url":"https://github.com/keyfactor/gcp-cas-caplugin","last_synced_at":"2026-03-03T21:03:42.988Z","repository":{"id":250064253,"uuid":"818323658","full_name":"Keyfactor/gcp-cas-caplugin","owner":"Keyfactor","description":"AnyCA Gateway REST plugin that extends Google Cloud Platform Certificate Authority Service to Keyfactor Command","archived":false,"fork":false,"pushed_at":"2026-02-18T17:27:45.000Z","size":179,"stargazers_count":0,"open_issues_count":3,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-02-18T21:05:04.435Z","etag":null,"topics":["keyfactor-anyca-plugin"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Keyfactor.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-06-21T15:34:54.000Z","updated_at":"2026-02-10T20:29:34.000Z","dependencies_parsed_at":"2025-03-31T17:25:36.953Z","dependency_job_id":"d60197ea-1f65-40f2-a4e0-05be8f8dc8a9","html_url":"https://github.com/Keyfactor/gcp-cas-caplugin","commit_stats":null,"previous_names":["keyfactor/gcp-cas-caplugin"],"tags_count":35,"template":false,"template_full_name":null,"purl":"pkg:github/Keyfactor/gcp-cas-caplugin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fgcp-cas-caplugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fgcp-cas-caplugin/tags","releases_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fgcp-cas-caplugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fgcp-cas-caplugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Keyfactor","download_url":"https://codeload.github.com/Keyfactor/gcp-cas-caplugin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fgcp-cas-caplugin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30060699,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-03T18:21:05.932Z","status":"ssl_error","status_checked_at":"2026-03-03T18:20:59.341Z","response_time":61,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["keyfactor-anyca-plugin"],"created_at":"2025-02-09T21:18:46.043Z","updated_at":"2026-03-03T21:03:42.982Z","avatar_url":"https://github.com/Keyfactor.png","language":"C#","readme":"\u003ch1 align=\"center\" style=\"border-bottom: none\"\u003e\n    GCP CAS AnyCA Gateway REST Plugin\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003c!-- Badges --\u003e\n\u003cimg src=\"https://img.shields.io/badge/integration_status-production-3D1973?style=flat-square\" alt=\"Integration Status: production\" /\u003e\n\u003ca 
href=\"https://github.com/Keyfactor/gcp-cas-caplugin/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/Keyfactor/gcp-cas-caplugin?style=flat-square\" alt=\"Release\" /\u003e\u003c/a\u003e\n\u003cimg src=\"https://img.shields.io/github/issues/Keyfactor/gcp-cas-caplugin?style=flat-square\" alt=\"Issues\" /\u003e\n\u003cimg src=\"https://img.shields.io/github/downloads/Keyfactor/gcp-cas-caplugin/total?style=flat-square\u0026label=downloads\u0026color=28B905\" alt=\"GitHub Downloads (all assets, all releases)\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003c!-- TOC --\u003e\n  \u003ca href=\"#support\"\u003e\n    \u003cb\u003eSupport\u003c/b\u003e\n  \u003c/a\u003e \n  ·\n  \u003ca href=\"#requirements\"\u003e\n    \u003cb\u003eRequirements\u003c/b\u003e\n  \u003c/a\u003e\n  ·\n  \u003ca href=\"#installation\"\u003e\n    \u003cb\u003eInstallation\u003c/b\u003e\n  \u003c/a\u003e\n  ·\n  \u003ca href=\"#license\"\u003e\n    \u003cb\u003eLicense\u003c/b\u003e\n  \u003c/a\u003e\n  ·\n  \u003ca href=\"https://github.com/orgs/Keyfactor/repositories?q=anycagateway\"\u003e\n    \u003cb\u003eRelated Integrations\u003c/b\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\nThe [Google Cloud Platform (GCP) CA Services (CAS)](https://cloud.google.com/security/products/certificate-authority-service) AnyCA Gateway REST plugin extends the capabilities of connected GCP CAS CAs to [Keyfactor Command](https://www.keyfactor.com/products/command/) via the Keyfactor AnyCA Gateway REST. 
The plugin represents a fully featured AnyCA REST Plugin with the following capabilities:\n\n* CA Sync:\n    * Download all certificates issued by connected Enterprise tier CAs in GCP CAS (full sync).\n    * Download all certificates issued by connected Enterprise tier CAs in GCP CAS issued after a specified time (incremental sync).\n* Certificate enrollment for all published GCP Certificate SKUs:\n    * Support certificate enrollment (new keys/certificate).\n    * Support auto-enrollment (subject/SANs outside of the CSR)\n* Certificate revocation:\n    * Request revocation of a previously issued certificate.\n\n\u003e **🚧 Disclaimer** \n\u003e\n\u003e The GCP CAS AnyCA Gateway REST plugin is **not** supported for [DevOps Tier](https://cloud.google.com/certificate-authority-service/docs/tiers) Certificate Authority Pools.\n\u003e \n\u003e DevOps tier CA Pools don't offer listing, describing, or revoking certificates.\n\n## Compatibility\n\nThe GCP CAS AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2 and later.\n\n## Support\nThe GCP CAS AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com. \n\n\u003e To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.\n\n## Requirements\n\n### GCP Authentication\n\nThe GCP CAS AnyCA Gateway REST plugin supports two methods for authenticating with GCP CAS:\n\n#### Option 1: Service Account Key via CA Connection Configuration (Recommended for Containers)\n\nThe plugin accepts an optional **ServiceAccountKey** field in the CA Connection configuration. 
When provided, the JSON service account key is used directly for authentication without requiring any credential files on the filesystem. This is the recommended approach for containerized deployments (e.g., Docker, Kubernetes) where mounting credential files is not practical.\n\nTo use this method, paste the full JSON contents of a GCP service account key into the **ServiceAccountKey** field in the CA Connection tab. In Kubernetes, the service account key JSON can be stored as a Secret and injected via the Keyfactor configuration API.\n\n#### Option 2: Application Default Credentials (ADC)\n\nIf the **ServiceAccountKey** field is left empty, the plugin falls back to [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials). This means that all authentication-related configuration is implied by the environment where the AnyCA Gateway REST itself is running.\n\nPlease refer to [Google's documentation](https://cloud.google.com/docs/authentication/provide-credentials-adc) to configure ADC on the server running the AnyCA Gateway REST.\n\n\u003e The easiest way to configure ADC for non-production environments is to use [User Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-dev).\n\u003e\n\u003e For production environments that use an ADC method requiring the `GOOGLE_APPLICATION_CREDENTIALS` environment variable, you must ensure the following:\n\u003e\n\u003e 1. The service account that the AnyCA Gateway REST runs under must have read permission to the GCP credential JSON file.\n\u003e 2. 
You must set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable for the Windows Service running the AnyCA Gateway REST using the [Windows registry editor](https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users).\n\u003e     * Refer to the [HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree) docs\n\u003e\n\u003e For containerized environments running on GCP (e.g., GKE), [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) can be used instead, which requires no credential files or environment variables.\n\nIf the selected ADC mechanism is [Service Account Key](https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif-key), it's recommended that a [custom role is created](https://cloud.google.com/iam/docs/creating-custom-roles) that has the following minimum permissions:\n\n* `privateca.certificateTemplates.list`\n* `privateca.certificateTemplates.use`\n* `privateca.certificateAuthorities.get`\n* `privateca.certificates.create`\n* `privateca.certificates.get`\n* `privateca.certificates.list`\n* `privateca.certificates.update`\n\n\u003e The built-in CA Service Operation Manager `roles/privateca.caManager` role can also be used, but is more permissive than a custom role with the above permissions.\n\n### Root CA Configuration\n\nBoth the Keyfactor Command and AnyCA Gateway REST servers must trust the root CA, and if applicable, any subordinate CAs for all features to work as intended. 
Download the CA Certificate (and chain, if applicable) from GCP [CAS](https://console.cloud.google.com/security/cas), and import them into the appropriate certificate store on the AnyCA Gateway REST server.\n\n* **Windows** - If the AnyCA Gateway REST is running on a Windows host, the root CA and applicable subordinate CAs must be imported into the Windows certificate store. The certificates can be imported using the Microsoft Management Console (MMC) or PowerShell. \n* **Linux** - If the AnyCA Gateway REST is running on a Linux host, the root CA and applicable subordinate CAs must be present in the root CA certificate store. The location of this store varies per distribution, but is most commonly `/etc/ssl/certs/ca-certificates.crt`. The following is documentation on some popular distributions.\n    * [Ubuntu - Managing CA certificates](https://ubuntu.com/server/docs/install-a-root-ca-certificate-in-the-trust-store)\n    * [RHEL 9 - Using shared system certificates](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/securing_networks/using-shared-system-certificates_securing-networks#using-shared-system-certificates_securing-networks)\n    * [Fedora - Using Shared System Certificates](https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/)\n\n\u003e The root CA and intermediate CAs must be trusted by both the Command server _and_ AnyCA Gateway REST server.\n\n## Installation\n\n1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).\n\n2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [GCP CAS AnyCA Gateway REST plugin](https://github.com/Keyfactor/gcp-cas-caplugin/releases/latest) from GitHub.\n\n3. 
Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:\n\n\n    ```shell\n    Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations:\n    Program Files\\Keyfactor\\AnyCA Gateway\\AnyGatewayREST\\net6.0\\Extensions\n    Program Files\\Keyfactor\\AnyCA Gateway\\AnyGatewayREST\\net8.0\\Extensions\n    ```\n\n    \u003e The directory containing the GCP CAS AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.\n\n4. Restart the AnyCA Gateway REST service.\n\n5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the GCP CAS plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.\n\n## Configuration\n\n1. Follow the [official AnyCA Gateway REST documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) to define a new Certificate Authority, and use the notes below to configure the **Gateway Registration** and **CA Connection** tabs:\n\n    * **Gateway Registration**\n\n        The Gateway Registration tab configures the root or issuing CA certificate for the respective CA in GCP CAS. The certificate selected here should be the issuing CA identified in the [Root CA Configuration](#root-ca-configuration) step.\n\n        \u003e If you have several CAs in GCP CAS, you must define an individual Certificate Authority for each CA in the AnyCA Gateway REST.\n\n    * **CA Connection**\n\n        Populate using the configuration fields collected in the [requirements](#requirements) section.\n\n        * **LocationId** - The GCP location ID where the project containing the target GCP CAS CA is located. For example, 'us-central1'. 
\n        * **ProjectId** - The GCP project ID where the target GCP CAS CA is located \n        * **CAPool** - The CA Pool ID in GCP CAS to use for certificate operations. If the CA Pool has resource name `projects/my-project/locations/us-central1/caPools/my-pool`, this field should be set to `my-pool` \n        * **CAId** - The CA ID of a CA in the same CA Pool as CAPool. For example, to issue certificates from a CA with resource name `projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca`, this field should be set to `my-ca`. \n        * **Enabled** - Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available. \n        * **ServiceAccountKey** - Optional JSON service account key for GCP authentication. When provided, this is used instead of Application Default Credentials (ADC). This is recommended for containerized environments where mounting a credentials file is not practical. Leave empty to use ADC. \n\n2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. 
It's recommended that each Certificate Profile be named after the Product ID.\n\n    The GCP CAS AnyCA Gateway REST plugin downloads all Certificate Templates in the configured GCP Region/Project and interprets them as 'Product IDs' in the Gateway Portal.\n\n\n    ### Define Certificate Profiles and Templates\n    Certificate Profiles and Templates define how certificates are issued through **Google CAS**.\n\n    - Each **Certificate Profile** corresponds to a **Certificate Template** in Google CAS.\n    - The **AnyCA Gateway REST plugin** fetches all available **Google CAS Certificate Templates** and maps them as **Product IDs** in **Keyfactor Gateway**.\n\n    #### **Example Mapping of Google CAS Templates to Keyfactor Product IDs**\n\n    | Google CAS Certificate Template | Keyfactor Product ID | Usage |\n    |---------------------------------|----------------------|-------|\n    | `ServerCertificate` | `ServerCertificate` | Server authentication |\n    | `ClientAuth` | `ClientAuth` | Client authentication |\n    | `ClientAuthCert` | `ClientAuthCert` | Custom client authentication |\n    | `CSROnly` | `CSROnly` | CSR-based issuance |\n    | **None (No Template Used)** | `Default` | Uses CA-level settings |\n\n    \u003e **Note:** If `Default` is selected, **Google CAS will issue certificates based on CA settings rather than a specific template**.\n\n3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.\n\n\n## Google Certificate Authority Service (CAS) Setup for Keyfactor Integration\n\n### Overview\n\nThis guide provides a step-by-step approach to setting up **Google Certificate Authority Service (CAS)** and integrating it with **Keyfactor** for certificate enrollment. 
Since Google CAS does not extract metadata from Certificate Signing Requests (CSRs), certificate templates must be defined in CAS to allow Keyfactor to request certificates correctly. While **templates are preferred**, they are **not required**—if the **Default** Product ID is used, certificates will be generated based on the CA settings instead of a template.\n\n---\n\n### Google CAS Setup\n\n#### **Step 1: Enable Certificate Authority Service API**\n\n```sh\ngcloud services enable privateca.googleapis.com\n```\n\n#### **Step 2: Create a Root Certificate Authority (CA)**\n\n```sh\ngcloud privateca roots create my-root-ca \\\n  --location=us-central1 \\\n  --key-algorithm=rsa-pkcs1-4096-sha256 \\\n  --subject=\"CN=My Root CA, O=My Organization, C=US\" \\\n  --use-preset-profile=ROOT_CA_DEFAULT \\\n  --bucket=my-ca-bucket\n```\n\n#### **Step 3: Define Certificate Key Usage and Extended Key Usage**\n\nCertificate Key Usage and Extended Key Usage define how the certificates issued by the CA can be used. 
These must be set at the **CA policy level** or within a **certificate template**.\n\n##### **Option 1: Define Key Usage in CA Policy**\n\nCreate a CA policy file (`ca-policy.json`):\n\n```json\n{\n  \"baselineValues\": {\n    \"keyUsage\": {\n      \"baseKeyUsage\": {\n        \"digitalSignature\": true,\n        \"keyEncipherment\": true\n      },\n      \"extendedKeyUsage\": {\n        \"serverAuth\": true,\n        \"clientAuth\": true\n      }\n    }\n  }\n}\n```\n\nApply the policy when creating the CA:\n\n```sh\ngcloud privateca roots create my-root-ca \\\n  --location=us-central1 \\\n  --key-algorithm=rsa-pkcs1-4096-sha256 \\\n  --subject=\"CN=My Root CA, O=My Organization, C=US\" \\\n  --use-preset-profile=ROOT_CA_DEFAULT \\\n  --bucket=my-ca-bucket \\\n  --ca-policy=ca-policy.json\n```\n\n##### **Option 2: Define Key Usage in a Certificate Template (Preferred but Not Required)**\n\nIf using a certificate template, create a policy file (`cert-template-policy.json`):\n\n```json\n{\n  \"predefinedValues\": {\n    \"keyUsage\": {\n      \"baseKeyUsage\": {\n        \"digitalSignature\": true,\n        \"keyEncipherment\": true\n      },\n      \"extendedKeyUsage\": {\n        \"serverAuth\": true,\n        \"clientAuth\": true\n      }\n    }\n  }\n}\n```\n\nCreate the template:\n\n```sh\ngcloud privateca templates create my-cert-template \\\n  --location=us-central1 \\\n  --policy-file=cert-template-policy.json\n```\n\nIf a **template is not used**, certificates will be generated **directly based on CA settings**.\n\n---\n\n### **Certificate Signing Request (CSR) Handling in Google CAS**\n\n- **CSR is only used for the private key proof-of-possession.**\n- **All certificate metadata (e.g., Subject, SANs) must be provided via configuration files or templates.**\n- **Additional fields in the CSR are ignored by Google CAS.**\n\n#### **Example: Issuing a Certificate with a CSR**\n\n##### **1. 
Generate a CSR**\n\n```sh\nopenssl req -new -newkey rsa:2048 -nodes -keyout my-key.pem -out my-csr.pem -subj \"/CN=ignored.example.com\"\n```\n\n##### **2. Define Certificate Configuration**\n\nSave the following as `cert-config.json`:\n\n```json\n{\n  \"lifetime\": \"2592000s\",\n  \"subjectConfig\": {\n    \"subject\": {\n      \"commonName\": \"mydomain.com\",\n      \"organization\": \"My Organization\",\n      \"countryCode\": \"US\"\n    },\n    \"subjectAltName\": {\n      \"dnsNames\": [\"mydomain.com\", \"www.mydomain.com\"]\n    }\n  },\n  \"keyUsage\": {\n    \"baseKeyUsage\": {\n      \"digitalSignature\": true,\n      \"keyEncipherment\": true\n    },\n    \"extendedKeyUsage\": {\n      \"serverAuth\": true\n    }\n  }\n}\n```\n\n##### **3. Issue the Certificate**\n\n```sh\ngcloud privateca certificates create my-cert \\\n  --issuer-pool=my-root-ca \\\n  --csr my-csr.pem \\\n  --config-file cert-config.json \\\n  --location=us-central1\n```\n\n---\n\n### **Integrating Keyfactor with Google CAS**\n\n#### **Why Use Certificate Templates?**\n\n- **Google CAS does not extract metadata from CSRs.**\n- **Keyfactor prefers enrollment of certificates via predefined templates** to ensure all attributes (e.g., Subject, SANs) are correctly applied.\n- **Prevents unauthorized data injection via CSRs.**\n- **If no template is used, certificates will be issued based on CA settings using the Default Product ID.**\n\n#### **Step 1: Create a Certificate Template for Keyfactor (Preferred but Not Required)**\n\nCreate a **certificate template policy file** (`keyfactor-template-policy.json`):\n\n```json\n{\n  \"predefinedValues\": {\n    \"keyUsage\": {\n      \"baseKeyUsage\": {\n        \"digitalSignature\": true,\n        \"keyEncipherment\": true\n      },\n      \"extendedKeyUsage\": {\n        \"serverAuth\": true,\n        \"clientAuth\": true\n      }\n    }\n  },\n  \"identityConstraints\": {\n    \"allowSubjectPassthrough\": true,\n    \"allowSubjectAltNamesPassthrough\": true\n  }\n}\n```\n\nCreate the 
template:\n\n```sh\ngcloud privateca templates create keyfactor-template \\\n  --location=us-central1 \\\n  --policy-file=keyfactor-template-policy.json\n```\n\nIf using the **Default** Product ID in Keyfactor, Google CAS will generate certificates directly from CA settings **without requiring a template**.\n\n---\n\n## Test Case 1: Enrollment from Keyfactor Command with No SANs\n\n### **Description**\nThis test validates that a certificate enrollment request from **Keyfactor Command** is successfully processed by **Google CAS** when no **Subject Alternative Names (SANs)** are provided.\n\n### **Test Steps**\n1. Navigate to **Keyfactor Command → Enrollment**.\n2. Fill in the following details:\n   - **Common Name (CN):** `www.nosanstest.com`\n   - **Key Algorithm:** RSA\n   - **Key Size:** 2048\n   - **Certificate Authority:** Auto-Select\n3. Ensure **no Subject Alternative Names (SANs) are added**.\n4. Select **Direct Download** as the Certificate Delivery Format.\n5. Click **Enroll**.\n6. Verify the certificate issuance in **Keyfactor Command**.\n7. Validate the certificate details in **Google CAS**.\n\n### **Expected Result**\n✅ The certificate should be **issued via Google CAS**.\n✅ The certificate should be **downloaded into Keyfactor Command**.\n✅ The certificate should be **published to Google CAS**.\n\n### **Actual Result**\n✅ The certificate was successfully issued and downloaded in **Keyfactor Command**.\n✅ The certificate was correctly published and appears in **Google CAS**.\n\n### **Test Status:** ✅ **Pass**\n\n---\n\n## Test Case 2: Enroll From Command With Different SANs and SAN Types\n\n### **Description**\nThis test validates that **Keyfactor Command** can enroll a certificate with **multiple SAN types**, including DNS, IP, and email, and that it is correctly processed by **Google CAS**.\n\n### **Test Steps**\n1. Navigate to **Keyfactor Command → Enrollment**.\n2. 
Fill in the following details:\n   - **Common Name (CN):** `www.differentsans.com`\n   - **Key Algorithm:** RSA\n   - **Key Size:** 2048\n   - **Certificate Authority:** Auto-Select\n3. Add the following **Subject Alternative Names (SANs):**\n   - DNS: `differentsans.com`\n   - IP: `127.0.0.1`\n   - IP: `127.0.0.2`\n   - Email: `bhill@keyfactor.com`\n4. Select **Direct Download** as the Certificate Delivery Format.\n5. Click **Enroll**.\n6. Verify the certificate issuance in **Keyfactor Command**.\n7. Validate the certificate details in **Google CAS**.\n\n### **Expected Result**\n✅ The certificate should be **issued with the specified SANs**.\n✅ The certificate should be **downloaded into Keyfactor Command**.\n✅ The certificate should be **published to Google CAS**.\n\n### **Actual Result**\n✅ The certificate was successfully issued and downloaded in **Keyfactor Command**.\n✅ The certificate was correctly published in **Google CAS**, with all SANs properly applied.\n\n### **Test Status:** ✅ **Pass**\n\n---\n\n## Test Case 3: Enrollment From Keyfactor Command Using the Google Default Template\n\n### **Description**\nThis test validates that when using the **Google Default Template**, the certificate issuance follows **CA-level settings** rather than a specific template.\n\n### **Test Steps**\n1. Navigate to **Keyfactor Command → Enrollment**.\n2. Fill in the following details:\n   - **Common Name (CN):** `www.usecasettings.com`\n   - **Key Algorithm:** RSA\n   - **Key Size:** 2048\n   - **Template:** `AnyCA (Default)`\n   - **Certificate Authority:** Auto-Select\n3. Ensure **no Subject Alternative Names (SANs) are added**.\n4. Select **Direct Download** as the Certificate Delivery Format.\n5. Click **Enroll**.\n6. Verify the certificate issuance in **Keyfactor Command**.\n7. 
Validate the certificate details in **Google CAS**.\n\n### **Expected Result**\n✅ The certificate should be **issued using the CA-level settings**.\n✅ The certificate should be **downloaded into Keyfactor Command**.\n✅ The certificate should be **published to Google CAS**.\n\n### **Actual Result**\n✅ The certificate was successfully issued and downloaded in **Keyfactor Command**.\n✅ The certificate was correctly published in **Google CAS**, following CA-level settings.\n\n### **Test Status:** ✅ **Pass**\n\n## Test Case 4: Auto Enrollment via Keyfactor's Windows Enrollment Gateway using Client Authentication\n\n### **Description**\nThis test validates that when using **Keyfactor's Windows Enrollment Gateway**, the certificate issuance follows the expected **Active Directory Enrollment Policy** settings for client authentication. The enrolled certificate should include the correct **template information**, **key usage**, and **extensions** as defined in Active Directory Certificate Services (ADCS). The enrollment process is performed via the **Microsoft Management Console (MMC)**.\n\n### **Test Steps**\n1. Open the **Microsoft Management Console (MMC)** and navigate to **Certificates - Current User → Personal → Certificates**.\n2. Right-click on **Certificates**, go to **All Tasks**, and select **Request New Certificate...**.\n3. In the **Certificate Enrollment Wizard**, select the **Active Directory Enrollment Policy**.\n4. Select the **ClientAuthCert** template.\n5. 
Ensure the following settings are applied:\n   - **Common Name (CN):** Retrieved from Active Directory (e.g., `kfadmin`)\n   - **Key Algorithm:** RSA\n   - **Key Size:** 2048\n   - **Template:** `ClientAuthCert`\n   - **Certificate Authority:** Auto-Select\n   - **Application Policies:**\n     - Secure Email\n     - Encrypting File System\n     - Client Authentication\n   - **Extensions Included:**\n     - Application Policies\n     - Basic Constraints\n     - Certificate Template Information\n     - Issuance Policies\n     - Key Usage\n6. Click **Enroll**.\n7. Verify the certificate issuance in **Keyfactor Command**.\n8. Open the issued certificate in **MMC** and validate:\n   - **Certificate Template Information** matches `ClientAuthCert`.\n   - **Object Identifier (OID):** `1.3.6.1.4.1.311.21.8.4181979.15981577.14434469.15789051.5877270.183.12847830.8177055`\n   - **Major Version Number:** 100\n   - **Minor Version Number:** 10\n   - **Key Usage:** Digital Signature, Key Encipherment\n   - **Subject Alternative Name (SAN):** Includes `kfadmin@Command.local` and `bhill@keyfactor.com`\n   - **SHA-256 Fingerprint:** `f917786fa2519d277238cb2da06b457a771562aad3ded1729b6c9ffde0d65ee`\n9. 
Validate the certificate details in **Google Private CA** to confirm it was correctly registered.\n\n### **Expected Result**\n✅ The certificate should be **issued using the ClientAuthCert template**.\n✅ The certificate should be **downloaded into the Windows Certificate Store via MMC**.\n✅ The certificate should be **published to Keyfactor Command**.\n✅ The certificate should be **registered in Google Private CA**.\n✅ The certificate should include **correct template information, extensions, and metadata**.\n\n### **Actual Result**\n✅ The certificate was successfully issued and installed in **Windows Certificate Store via MMC**.\n✅ The certificate was correctly published in **Keyfactor Command**.\n✅ The certificate was correctly registered in **Google Private CA**, following the expected template settings.\n✅ The certificate includes the correct **template information, key usage, and extensions**.\n\n### **Test Status:** ✅ **Pass**\n\n---\n\n## Test Case 5: Inventory All Certificates from the CA in Google CAS into Keyfactor Command\n\n### **Description**\nThis test ensures that all certificates issued by the **Google Private CA** are successfully inventoried into **Keyfactor Command** and that the total number of certificates matches between the two systems.\n\n### **Test Steps**\n1. Log in to **Keyfactor Command**.\n2. Navigate to **Inventory → Certificate Authority Synchronization**.\n3. Select the configured **Google Private CA** integration.\n4. Click **Sync Now** to start the certificate inventory process.\n5. Once the sync completes, navigate to **Certificates → Search**.\n6. Retrieve the total number of certificates inventoried from Google CAS.\n7. Log in to **Google Private CA**.\n8. Navigate to **Certificates** and retrieve the total number of issued certificates.\n9. 
Compare the count from Google CAS with the count in Keyfactor Command.\n\n### **Expected Result**\n✅ The total number of certificates in **Google Private CA** should match the number inventoried in **Keyfactor Command**.\n✅ All certificates should appear in **Keyfactor Command** with the correct metadata.\n\n### **Actual Result**\n✅ The certificate count in **Keyfactor Command** matches the count in **Google Private CA**.\n✅ All certificates were successfully inventoried with accurate metadata.\n\n### **Test Status:** ✅ **Pass**\n\n---\n\n## Test Case 6: Renew Certificate from Keyfactor Command and Ensure a New Certificate is Generated in Google CAS\n\n### **Description**\nThis test validates that when a certificate is renewed from **Keyfactor Command**, a new certificate is generated and registered in **Google Private CA**.\n\n### **Test Steps**\n1. Log in to **Keyfactor Command**.\n2. Navigate to **Certificates → Search** and locate the certificate that needs renewal.\n3. Click on the certificate and select **Renew Certificate**.\n4. Choose **Auto-Select CA** and confirm the renewal request.\n5. Verify that a new certificate has been issued in **Keyfactor Command**.\n6. Log in to **Google Private CA**.\n7. Navigate to **Certificates** and ensure a new certificate instance appears with a new serial number.\n8. Compare the renewed certificate’s details in **Google CAS** with **Keyfactor Command**.\n9. 
Validate the SHA-256 fingerprint of the renewed certificate to ensure uniqueness.\n\n### **Expected Result**\n✅ The certificate should be **renewed in Keyfactor Command**.\n✅ A new certificate with a unique serial number should appear in **Google Private CA**.\n✅ The renewed certificate should match the expected template and metadata.\n\n### **Actual Result**\n✅ The certificate was successfully renewed in **Keyfactor Command**.\n✅ A new certificate was generated in **Google Private CA** with a new serial number.\n✅ The metadata and template settings match expected values.\n\n### **Test Status:** ✅ **Pass**\n\n---\n\n## Test Case 7: Revoke Certificate from Keyfactor Command with All Available Reasons\n\n### **Description**\nThis test ensures that certificates can be revoked from **Keyfactor Command**, using all available revocation reasons, and that the revocation is correctly applied in **Google Private CA**.\n\n### **Test Steps**\n1. Log in to **Keyfactor Command**.\n2. Navigate to **Certificates → Search** and locate the certificate to be revoked.\n3. Click on the certificate and select **Revoke Certificate**.\n4. Choose each revocation reason and confirm the revocation:\n   - Reason Unspecified\n   - Key Compromised\n   - CA Compromised\n   - Affiliation Changed\n   - Superseded\n   - Cessation Of Operation\n   - Certificate Hold\n   - Remove From Hold\n5. Verify that the certificate is marked as revoked in **Keyfactor Command**.\n6. 
Log in to **Google Private CA** and ensure the certificate is revoked with the selected reason.\n\n### **Test Status:** ✅ **Pass**\n\n\n## License\n\nApache License 2.0, see [LICENSE](LICENSE).\n\n## Related Integrations\n\nSee all [Keyfactor Any CA Gateways (REST)](https://github.com/orgs/Keyfactor/repositories?q=anycagateway).","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Fgcp-cas-caplugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeyfactor%2Fgcp-cas-caplugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Fgcp-cas-caplugin/lists"}