{"id":25190042,"url":"https://github.com/keyfactor/k8s-orchestrator","last_synced_at":"2026-04-16T18:06:05.788Z","repository":{"id":167021863,"uuid":"567465249","full_name":"Keyfactor/k8s-orchestrator","owner":"Keyfactor","description":"The Kubernetes Orchestrator allows for remote management of Kubernetes secret types `Opaque` and `kubernetes.io/tls` as well as `certificates.k8s.io/v1` resources. ","archived":false,"fork":false,"pushed_at":"2026-03-26T17:10:01.000Z","size":11999,"stargazers_count":1,"open_issues_count":4,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-03-26T20:45:37.789Z","etag":null,"topics":["aks","eks","gke","k8s","keyfactor-orchestrator","keyfactor-universal-orchestrator","kubernetes"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Keyfactor.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-11-17T21:11:08.000Z","updated_at":"2026-01-26T17:18:14.000Z","dependencies_parsed_at":"2024-05-16T05:17:50.743Z","dependency_job_id":"6de1a099-4a03-40ab-9c61-b9a8749484d0","html_url":"https://github.com/Keyfactor/k8s-orchestrator","commit_stats":null,"previous_names":["keyfactor/k8s-orchestrator"],"tags_count":256,"template":false,"template_full_name":null,"purl":"pkg:github/Keyfactor/k8s-orchestrator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fk8s-orchestrator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fk8s-orchestrator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fk8s-orchestrator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fk8s-orchestrator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Keyfactor","download_url":"https://codeload.github.com/Keyfactor/k8s-orchestrator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fk8s-orchestrator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31307171,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aks","eks","gke","k8s","keyfactor-orchestrator","keyfactor-universal-orchestrator","kubernetes"],"created_at":"2025-02-09T21:18:46.203Z","updated_at":"2026-04-16T18:06:05.777Z","avatar_url":"https://github.com/Keyfactor.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\" style=\"border-bottom: none\"\u003e\n Kubernetes Universal Orchestrator Extension\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n \u003c!-- Badges --\u003e\n\u003cimg src=\"https://img.shields.io/badge/integration_status-production-3D1973?style=flat-square\" alt=\"Integration Status: production\" /\u003e\n\u003ca href=\"https://github.com/Keyfactor/k8s-orchestrator/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/Keyfactor/k8s-orchestrator?style=flat-square\" alt=\"Release\" /\u003e\u003c/a\u003e\n\u003cimg src=\"https://img.shields.io/github/issues/Keyfactor/k8s-orchestrator?style=flat-square\" alt=\"Issues\" /\u003e\n\u003cimg src=\"https://img.shields.io/github/downloads/Keyfactor/k8s-orchestrator/total?style=flat-square\u0026label=downloads\u0026color=28B905\" alt=\"GitHub Downloads (all assets, all releases)\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003c!-- TOC --\u003e\n \u003ca href=\"#support\"\u003e\n \u003cb\u003eSupport\u003c/b\u003e\n \u003c/a\u003e\n ยท\n \u003ca href=\"#installation\"\u003e\n \u003cb\u003eInstallation\u003c/b\u003e\n \u003c/a\u003e\n ยท\n \u003ca href=\"#license\"\u003e\n \u003cb\u003eLicense\u003c/b\u003e\n \u003c/a\u003e\n ยท\n \u003ca href=\"https://github.com/orgs/Keyfactor/repositories?q=orchestrator\"\u003e\n \u003cb\u003eRelated Integrations\u003c/b\u003e\n \u003c/a\u003e\n\u003c/p\u003e\n\n## Overview\n\nThe Kubernetes Orchestrator allows for the remote management of certificate stores defined in a Kubernetes cluster.\nThe following types of Kubernetes resources are supported: Kubernetes secrets of type `kubernetes.io/tls` or `Opaque`, and\nKubernetes certificates of type `certificates.k8s.io/v1`.\n\nThe certificate store types that can be managed in the current version are:\n- `K8SCert` - Kubernetes certificates of type `certificates.k8s.io/v1`\n- `K8SSecret` - Kubernetes secrets of type `Opaque`\n- `K8STLSSecr` - Kubernetes secrets of type `kubernetes.io/tls`\n- `K8SCluster` - This allows for a single store to manage a Kubernetes cluster's secrets of type `Opaque` and `kubernetes.io/tls`.\n This can be thought of as a container of `K8SSecret` and `K8STLSSecr` stores across all Kubernetes namespaces.\n- `K8SNS` - This allows for a single store to manage a Kubernetes namespace's secrets of type `Opaque` and `kubernetes.io/tls`.\n This can be thought of as a container of `K8SSecret` and `K8STLSSecr` stores for a single Kubernetes namespace.\n- `K8SJKS` - Kubernetes secrets of type `Opaque` that contain one or more Java Keystore(s). These cannot be managed at the\n cluster or namespace level as they should all require unique credentials.\n- `K8SPKCS12` - Kubernetes secrets of type `Opaque` that contain one or more PKCS12(s). These cannot be managed at the\n cluster or namespace level as they should all require unique credentials.\n\nThis orchestrator extension makes use of the Kubernetes API by using a service account\nto communicate remotely with certificate stores. The service account must have the correct permissions\nin order to perform the desired operations. For more information on the required permissions, see the\n[service account setup guide](#service-account-setup).\n\nThe Kubernetes Universal Orchestrator extension implements 7 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. Descriptions of each are provided below.\n\n- [K8SCert](#K8SCert)\n\n- [K8SCluster](#K8SCluster)\n\n- [K8SJKS](#K8SJKS)\n\n- [K8SNS](#K8SNS)\n\n- [K8SPKCS12](#K8SPKCS12)\n\n- [K8SSecret](#K8SSecret)\n\n- [K8STLSSecr](#K8STLSSecr)\n\n\n## Compatibility\n\nThis integration is compatible with Keyfactor Universal Orchestrator version 12.4 and later.\n\n## Support\nThe Kubernetes Universal Orchestrator extension is supported by Keyfactor. If you require support for any issues or have feature request, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.\n\n\u003e If you want to contribute bug fixes or additional enhancements, use the **[Pull requests](../../pulls)** tab.\n\n## Requirements \u0026 Prerequisites\n\nBefore installing the Kubernetes Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.\n\n\n### Kubernetes API Access\n\nThis orchestrator extension makes use of the Kubernetes API by using a service account\nto communicate remotely with certificate stores. The service account must exist and have the appropriate permissions.\nThe service account token can be provided to the extension in one of two ways:\n- As a raw JSON file that contains the service account credentials\n- As a base64 encoded string that contains the service account credentials\n\n#### Service Account Setup\n\nTo set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension. For full \ninformation on the required permissions, see the [service account setup guide](./scripts/kubernetes/README.md).\n\n\n## Certificate Store Types\n\nTo use the Kubernetes Universal Orchestrator extension, you **must** create the Certificate Store Types required for your use-case. This only needs to happen _once_ per Keyfactor Command instance.\n\nThe Kubernetes Universal Orchestrator extension implements 7 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types.\n\n### K8SCert\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `K8SCert` store type is used to manage Kubernetes Certificate Signing Requests (CSRs) of type `certificates.k8s.io/v1`.\n\n**NOTE**: Only `inventory` and `discovery` of these resources is supported with this extension. CSRs are read-only - to provision certificates through CSRs, use the [k8s-csr-signer](https://github.com/Keyfactor/k8s-csr-signer).\n\n\n\n\n#### Supported Operations\n\n| Operation | Is Supported |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add | ๐Ÿ”ฒ Unchecked |\n| Remove | ๐Ÿ”ฒ Unchecked |\n| Discovery | โœ… Checked |\n| Reenrollment | ๐Ÿ”ฒ Unchecked |\n| Create | ๐Ÿ”ฒ Unchecked |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n \u003cdetails\u003e\u003csummary\u003eClick to expand K8SCert kfutil details\u003c/summary\u003e\n\n ##### Using online definition from GitHub:\n This will reach out to GitHub and pull the latest store-type definition\n ```shell\n # K8SCert\n kfutil store-types create K8SCert\n ```\n\n ##### Offline creation using integration-manifest file:\n If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n in your offline environment.\n ```shell\n kfutil store-types create --from-file integration-manifest.json\n ```\n \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the K8SCert store type manually in\nthe Keyfactor Command Portal\n \u003cdetails\u003e\u003csummary\u003eClick to expand manual K8SCert details\u003c/summary\u003e\n\n Create a store type called `K8SCert` with the attributes in the tables below:\n\n ##### Basic Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Name | K8SCert | Display name for the store type (may be customized) |\n | Short Name | K8SCert | Short display name for the store type |\n | Capability | K8SCert | Store type name orchestrator will register with. Check the box to allow entry of value |\n | Supports Add | ๐Ÿ”ฒ Unchecked | Indicates that the Store Type supports Management Add |\n | Supports Remove | ๐Ÿ”ฒ Unchecked | Indicates that the Store Type supports Management Remove |\n | Supports Discovery | โœ… Checked | Check the box. Indicates that the Store Type supports Discovery |\n | Supports Reenrollment | ๐Ÿ”ฒ Unchecked | Indicates that the Store Type supports Reenrollment |\n | Supports Create | ๐Ÿ”ฒ Unchecked | Indicates that the Store Type supports store creation |\n | Needs Server | โœ… Checked | Determines if a target server name is required when creating store |\n | Blueprint Allowed | ๐Ÿ”ฒ Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n | Uses PowerShell | ๐Ÿ”ฒ Unchecked | Determines if underlying implementation is PowerShell |\n | Requires Store Password | ๐Ÿ”ฒ Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |\n | Supports Entry Password | ๐Ÿ”ฒ Unchecked | Determines if an individual entry within a store can have a password. |\n\n The Basic tab should look like this:\n\n ![K8SCert Basic Tab](docsource/images/K8SCert-basic-store-type-dialog.png)\n\n ##### Advanced Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |\n | Private Key Handling | Forbidden | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n The Advanced tab should look like this:\n\n ![K8SCert Advanced Tab](docsource/images/K8SCert-advanced-store-type-dialog.png)\n\n \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n ##### Custom Fields Tab\n Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n | Name | Display Name | Description | Type | Default Value/Options | Required |\n | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked |\n | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | โœ… Checked |\n | KubeSecretName | KubeSecretName | The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster. | String | | ๐Ÿ”ฒ Unchecked |\n\n The Custom Fields tab should look like this:\n\n ![K8SCert Custom Fields Tab](docsource/images/K8SCert-custom-fields-store-type-dialog.png)\n\n\n ###### Server Username\n This should be no value or `kubeconfig`\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n ###### Server Password\n The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n ###### KubeSecretName\n The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster.\n\n ![K8SCert Custom Field - KubeSecretName](docsource/images/K8SCert-custom-field-KubeSecretName-dialog.png)\n ![K8SCert Custom Field - KubeSecretName](docsource/images/K8SCert-custom-field-KubeSecretName-validation-options-dialog.png)\n\n\n\n\n\n \u003c/details\u003e\n\u003c/details\u003e\n\n### K8SCluster\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `K8SCluster` store type allows for a single store to manage a Kubernetes cluster's secrets of type `Opaque` and `kubernetes.io/tls`.\n\n\n\n\n#### Supported Operations\n\n| Operation | Is Supported |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add | โœ… Checked |\n| Remove | โœ… Checked |\n| Discovery | ๐Ÿ”ฒ Unchecked |\n| Reenrollment | ๐Ÿ”ฒ Unchecked |\n| Create | โœ… Checked |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n \u003cdetails\u003e\u003csummary\u003eClick to expand K8SCluster kfutil details\u003c/summary\u003e\n\n ##### Using online definition from GitHub:\n This will reach out to GitHub and pull the latest store-type definition\n ```shell\n # K8SCluster\n kfutil store-types create K8SCluster\n ```\n\n ##### Offline creation using integration-manifest file:\n If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n in your offline environment.\n ```shell\n kfutil store-types create --from-file integration-manifest.json\n ```\n \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the K8SCluster store type manually in\nthe Keyfactor Command Portal\n \u003cdetails\u003e\u003csummary\u003eClick to expand manual K8SCluster details\u003c/summary\u003e\n\n Create a store type called `K8SCluster` with the attributes in the tables below:\n\n ##### Basic Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Name | K8SCluster | Display name for the store type (may be customized) |\n | Short Name | K8SCluster | Short display name for the store type |\n | Capability | K8SCluster | Store type name orchestrator will register with. Check the box to allow entry of value |\n | Supports Add | โœ… Checked | Check the box. Indicates that the Store Type supports Management Add |\n | Supports Remove | โœ… Checked | Check the box. Indicates that the Store Type supports Management Remove |\n | Supports Discovery | ๐Ÿ”ฒ Unchecked | Indicates that the Store Type supports Discovery |\n | Supports Reenrollment | ๐Ÿ”ฒ Unchecked | Indicates that the Store Type supports Reenrollment |\n | Supports Create | โœ… Checked | Check the box. Indicates that the Store Type supports store creation |\n | Needs Server | โœ… Checked | Determines if a target server name is required when creating store |\n | Blueprint Allowed | ๐Ÿ”ฒ Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n | Uses PowerShell | ๐Ÿ”ฒ Unchecked | Determines if underlying implementation is PowerShell |\n | Requires Store Password | ๐Ÿ”ฒ Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |\n | Supports Entry Password | ๐Ÿ”ฒ Unchecked | Determines if an individual entry within a store can have a password. |\n\n The Basic tab should look like this:\n\n ![K8SCluster Basic Tab](docsource/images/K8SCluster-basic-store-type-dialog.png)\n\n ##### Advanced Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |\n | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n The Advanced tab should look like this:\n\n ![K8SCluster Advanced Tab](docsource/images/K8SCluster-advanced-store-type-dialog.png)\n\n \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n ##### Custom Fields Tab\n Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n | Name | Display Name | Description | Type | Default Value/Options | Required |\n | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked |\n | SeparateChain | Separate Chain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | Bool | false | ๐Ÿ”ฒ Unchecked |\n | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked |\n | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked |\n\n The Custom Fields tab should look like this:\n\n ![K8SCluster Custom Fields Tab](docsource/images/K8SCluster-custom-fields-store-type-dialog.png)\n\n\n ###### Include Certificate Chain\n Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting.\n\n ![K8SCluster Custom Field - IncludeCertChain](docsource/images/K8SCluster-custom-field-IncludeCertChain-dialog.png)\n ![K8SCluster Custom Field - IncludeCertChain](docsource/images/K8SCluster-custom-field-IncludeCertChain-validation-options-dialog.png)\n\n\n\n ###### Separate Chain\n Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets.\n\n ![K8SCluster Custom Field - SeparateChain](docsource/images/K8SCluster-custom-field-SeparateChain-dialog.png)\n ![K8SCluster Custom Field - SeparateChain](docsource/images/K8SCluster-custom-field-SeparateChain-validation-options-dialog.png)\n\n\n\n ###### Server Username\n This should be no value or `kubeconfig`\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n ###### Server Password\n The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n\n\n \u003c/details\u003e\n\u003c/details\u003e\n\n### K8SJKS\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `K8SJKS` store type is used to manage Kubernetes secrets of type `Opaque`. These secrets\nmust have a field that ends in `.jks`. The orchestrator will inventory and manage using a *custom alias* of the following\npattern: `\u003ck8s_secret_field_name\u003e/\u003ckeystore_alias\u003e`. For example, if the secret has a field named `mykeystore.jks` and\nthe keystore contains a certificate with an alias of `mycert`, the orchestrator will manage the certificate using the\nalias `mykeystore.jks/mycert`. *NOTE* *This store type cannot be managed at the `cluster` or `namespace` level as they\nshould all require unique credentials.*\n\n\n\n\n#### Supported Operations\n\n| Operation | Is Supported |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add | โœ… Checked |\n| Remove | โœ… Checked |\n| Discovery | โœ… Checked |\n| Reenrollment | ๐Ÿ”ฒ Unchecked |\n| Create | โœ… Checked |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n \u003cdetails\u003e\u003csummary\u003eClick to expand K8SJKS kfutil details\u003c/summary\u003e\n\n ##### Using online definition from GitHub:\n This will reach out to GitHub and pull the latest store-type definition\n ```shell\n # K8SJKS\n kfutil store-types create K8SJKS\n ```\n\n ##### Offline creation using integration-manifest file:\n If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n in your offline environment.\n ```shell\n kfutil store-types create --from-file integration-manifest.json\n ```\n \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the K8SJKS store type manually in\nthe Keyfactor Command Portal\n \u003cdetails\u003e\u003csummary\u003eClick to expand manual K8SJKS details\u003c/summary\u003e\n\n Create a store type called `K8SJKS` with the attributes in the tables below:\n\n ##### Basic Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Name | K8SJKS | Display name for the store type (may be customized) |\n | Short Name | K8SJKS | Short display name for the store type |\n | Capability | K8SJKS | Store type name orchestrator will register with. Check the box to allow entry of value |\n | Supports Add | โœ… Checked | Check the box. Indicates that the Store Type supports Management Add |\n | Supports Remove | โœ… Checked | Check the box. Indicates that the Store Type supports Management Remove |\n | Supports Discovery | โœ… Checked | Check the box. Indicates that the Store Type supports Discovery |\n | Supports Reenrollment | ๐Ÿ”ฒ Unchecked | Indicates that the Store Type supports Reenrollment |\n | Supports Create | โœ… Checked | Check the box. Indicates that the Store Type supports store creation |\n | Needs Server | โœ… Checked | Determines if a target server name is required when creating store |\n | Blueprint Allowed | ๐Ÿ”ฒ Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n | Uses PowerShell | ๐Ÿ”ฒ Unchecked | Determines if underlying implementation is PowerShell |\n | Requires Store Password | โœ… Checked | Enables users to optionally specify a store password when defining a Certificate Store. |\n | Supports Entry Password | ๐Ÿ”ฒ Unchecked | Determines if an individual entry within a store can have a password. |\n\n The Basic tab should look like this:\n\n ![K8SJKS Basic Tab](docsource/images/K8SJKS-basic-store-type-dialog.png)\n\n ##### Advanced Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |\n | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n The Advanced tab should look like this:\n\n ![K8SJKS Advanced Tab](docsource/images/K8SJKS-advanced-store-type-dialog.png)\n\n \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n ##### Custom Fields Tab\n Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n | Name | Display Name | Description | Type | Default Value/Options | Required |\n | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n | KubeNamespace | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | String | default | ๐Ÿ”ฒ Unchecked |\n | KubeSecretName | KubeSecretName | The name of the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked |\n | KubeSecretType | KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`. | String | jks | ๐Ÿ”ฒ Unchecked |\n | CertificateDataFieldName | CertificateDataFieldName | The field name to use when looking for certificate data in the K8S secret. | String | None | ๐Ÿ”ฒ Unchecked |\n | PasswordFieldName | PasswordFieldName | The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. | String | password | ๐Ÿ”ฒ Unchecked |\n | PasswordIsK8SSecret | PasswordIsK8SSecret | Indicates whether the password to the JKS keystore is stored in a separate K8S secret. | Bool | false | ๐Ÿ”ฒ Unchecked |\n | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked |\n | StorePasswordPath | StorePasswordPath | The path to the K8S secret object to use as the password to the JKS keystore. Example: `\u003cnamespace\u003e/\u003csecret_name\u003e` | String | None | ๐Ÿ”ฒ Unchecked |\n | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked |\n | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked |\n\n The Custom Fields tab should look like this:\n\n ![K8SJKS Custom Fields Tab](docsource/images/K8SJKS-custom-fields-store-type-dialog.png)\n\n\n ###### KubeNamespace\n The K8S namespace to use to manage the K8S secret object.\n\n ![K8SJKS Custom Field - KubeNamespace](docsource/images/K8SJKS-custom-field-KubeNamespace-dialog.png)\n ![K8SJKS Custom Field - KubeNamespace](docsource/images/K8SJKS-custom-field-KubeNamespace-validation-options-dialog.png)\n\n\n\n ###### KubeSecretName\n The name of the K8S secret object.\n\n ![K8SJKS Custom Field - KubeSecretName](docsource/images/K8SJKS-custom-field-KubeSecretName-dialog.png)\n ![K8SJKS Custom Field - KubeSecretName](docsource/images/K8SJKS-custom-field-KubeSecretName-validation-options-dialog.png)\n\n\n\n ###### KubeSecretType\n DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`.\n\n ![K8SJKS Custom Field - KubeSecretType](docsource/images/K8SJKS-custom-field-KubeSecretType-dialog.png)\n ![K8SJKS Custom Field - KubeSecretType](docsource/images/K8SJKS-custom-field-KubeSecretType-validation-options-dialog.png)\n\n\n\n ###### CertificateDataFieldName\n The field name to use when looking for certificate data in the K8S secret.\n\n ![K8SJKS Custom Field - CertificateDataFieldName](docsource/images/K8SJKS-custom-field-CertificateDataFieldName-dialog.png)\n ![K8SJKS Custom Field - CertificateDataFieldName](docsource/images/K8SJKS-custom-field-CertificateDataFieldName-validation-options-dialog.png)\n\n\n\n ###### PasswordFieldName\n The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`.\n\n ![K8SJKS Custom Field - PasswordFieldName](docsource/images/K8SJKS-custom-field-PasswordFieldName-dialog.png)\n ![K8SJKS Custom Field - PasswordFieldName](docsource/images/K8SJKS-custom-field-PasswordFieldName-validation-options-dialog.png)\n\n\n\n ###### PasswordIsK8SSecret\n Indicates whether the password to the JKS keystore is stored in a separate K8S secret.\n\n ![K8SJKS Custom Field - PasswordIsK8SSecret](docsource/images/K8SJKS-custom-field-PasswordIsK8SSecret-dialog.png)\n ![K8SJKS Custom Field - PasswordIsK8SSecret](docsource/images/K8SJKS-custom-field-PasswordIsK8SSecret-validation-options-dialog.png)\n\n\n\n ###### Include Certificate Chain\n Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting.\n\n ![K8SJKS Custom Field - IncludeCertChain](docsource/images/K8SJKS-custom-field-IncludeCertChain-dialog.png)\n ![K8SJKS Custom Field - IncludeCertChain](docsource/images/K8SJKS-custom-field-IncludeCertChain-validation-options-dialog.png)\n\n\n\n ###### StorePasswordPath\n The path to the K8S secret object to use as the password to the JKS keystore. Example: `\u003cnamespace\u003e/\u003csecret_name\u003e`\n\n ![K8SJKS Custom Field - StorePasswordPath](docsource/images/K8SJKS-custom-field-StorePasswordPath-dialog.png)\n ![K8SJKS Custom Field - StorePasswordPath](docsource/images/K8SJKS-custom-field-StorePasswordPath-validation-options-dialog.png)\n\n\n\n ###### Server Username\n This should be no value or `kubeconfig`\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n ###### Server Password\n The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n\n\n \u003c/details\u003e\n\u003c/details\u003e\n\n### K8SNS\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `K8SNS` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls` and/or type `Opaque` in a single\nKeyfactor Command certificate store. This store type manages all secrets within a specific Kubernetes namespace.\n\n\n\n\n#### Supported Operations\n\n| Operation | Is Supported |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add | โœ… Checked |\n| Remove | โœ… Checked |\n| Discovery | โœ… Checked |\n| Reenrollment | ๐Ÿ”ฒ Unchecked |\n| Create | โœ… Checked |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n \u003cdetails\u003e\u003csummary\u003eClick to expand K8SNS kfutil details\u003c/summary\u003e\n\n ##### Using online definition from GitHub:\n This will reach out to GitHub and pull the latest store-type definition\n ```shell\n # K8SNS\n kfutil store-types create K8SNS\n ```\n\n ##### Offline creation using integration-manifest file:\n If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n in your offline environment.\n ```shell\n kfutil store-types create --from-file integration-manifest.json\n ```\n \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the K8SNS store type manually in\nthe Keyfactor Command Portal\n \u003cdetails\u003e\u003csummary\u003eClick to expand manual K8SNS details\u003c/summary\u003e\n\n Create a store type called `K8SNS` with the attributes in the tables below:\n\n ##### Basic Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Name | K8SNS | Display name for the store type (may be customized) |\n | Short Name | K8SNS | Short display name for the store type |\n | Capability | K8SNS | Store type name orchestrator will register with. Check the box to allow entry of value |\n | Supports Add | โœ… Checked | Check the box. Indicates that the Store Type supports Management Add |\n | Supports Remove | โœ… Checked | Check the box. Indicates that the Store Type supports Management Remove |\n | Supports Discovery | โœ… Checked | Check the box. Indicates that the Store Type supports Discovery |\n | Supports Reenrollment | ๐Ÿ”ฒ Unchecked | Indicates that the Store Type supports Reenrollment |\n | Supports Create | โœ… Checked | Check the box. Indicates that the Store Type supports store creation |\n | Needs Server | โœ… Checked | Determines if a target server name is required when creating store |\n | Blueprint Allowed | ๐Ÿ”ฒ Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n | Uses PowerShell | ๐Ÿ”ฒ Unchecked | Determines if underlying implementation is PowerShell |\n | Requires Store Password | ๐Ÿ”ฒ Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |\n | Supports Entry Password | ๐Ÿ”ฒ Unchecked | Determines if an individual entry within a store can have a password. |\n\n The Basic tab should look like this:\n\n ![K8SNS Basic Tab](docsource/images/K8SNS-basic-store-type-dialog.png)\n\n ##### Advanced Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |\n | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n The Advanced tab should look like this:\n\n ![K8SNS Advanced Tab](docsource/images/K8SNS-advanced-store-type-dialog.png)\n\n \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n ##### Custom Fields Tab\n Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n | Name | Display Name | Description | Type | Default Value/Options | Required |\n | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n | KubeNamespace | Kube Namespace | The K8S namespace to use to manage the K8S secret object. | String | default | ๐Ÿ”ฒ Unchecked |\n | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked |\n | SeparateChain | Separate Chain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | Bool | false | ๐Ÿ”ฒ Unchecked |\n | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked |\n | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked |\n\n The Custom Fields tab should look like this:\n\n ![K8SNS Custom Fields Tab](docsource/images/K8SNS-custom-fields-store-type-dialog.png)\n\n\n ###### Kube Namespace\n The K8S namespace to use to manage the K8S secret object.\n\n ![K8SNS Custom Field - KubeNamespace](docsource/images/K8SNS-custom-field-KubeNamespace-dialog.png)\n ![K8SNS Custom Field - KubeNamespace](docsource/images/K8SNS-custom-field-KubeNamespace-validation-options-dialog.png)\n\n\n\n ###### Include Certificate Chain\n Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting.\n\n ![K8SNS Custom Field - IncludeCertChain](docsource/images/K8SNS-custom-field-IncludeCertChain-dialog.png)\n ![K8SNS Custom Field - IncludeCertChain](docsource/images/K8SNS-custom-field-IncludeCertChain-validation-options-dialog.png)\n\n\n\n ###### Separate Chain\n Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets.\n\n ![K8SNS Custom Field - SeparateChain](docsource/images/K8SNS-custom-field-SeparateChain-dialog.png)\n ![K8SNS Custom Field - SeparateChain](docsource/images/K8SNS-custom-field-SeparateChain-validation-options-dialog.png)\n\n\n\n ###### Server Username\n This should be no value or `kubeconfig`\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n ###### Server Password\n The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n\n\n \u003c/details\u003e\n\u003c/details\u003e\n\n### K8SPKCS12\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `K8SPKCS12` store type is used to manage Kubernetes secrets of type `Opaque`. These secrets\nmust have a field that ends in `.pkcs12`. The orchestrator will inventory and manage using a *custom alias* of the following\npattern: `\u003ck8s_secret_field_name\u003e/\u003ckeystore_alias\u003e`. For example, if the secret has a field named `mykeystore.pkcs12` and\nthe keystore contains a certificate with an alias of `mycert`, the orchestrator will manage the certificate using the\nalias `mykeystore.pkcs12/mycert`. *NOTE* *This store type cannot be managed at the `cluster` or `namespace` level as they\nshould all require unique credentials.*\n\n\n\n\n#### Supported Operations\n\n| Operation | Is Supported |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add | โœ… Checked |\n| Remove | โœ… Checked |\n| Discovery | โœ… Checked |\n| Reenrollment | ๐Ÿ”ฒ Unchecked |\n| Create | โœ… Checked |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n \u003cdetails\u003e\u003csummary\u003eClick to expand K8SPKCS12 kfutil details\u003c/summary\u003e\n\n ##### Using online definition from GitHub:\n This will reach out to GitHub and pull the latest store-type definition\n ```shell\n # K8SPKCS12\n kfutil store-types create K8SPKCS12\n ```\n\n ##### Offline creation using integration-manifest file:\n If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n in your offline environment.\n ```shell\n kfutil store-types create --from-file integration-manifest.json\n ```\n \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the K8SPKCS12 store type manually in\nthe Keyfactor Command Portal\n \u003cdetails\u003e\u003csummary\u003eClick to expand manual K8SPKCS12 details\u003c/summary\u003e\n\n Create a store type called `K8SPKCS12` with the attributes in the tables below:\n\n ##### Basic Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Name | K8SPKCS12 | Display name for the store type (may be customized) |\n | Short Name | K8SPKCS12 | Short display name for the store type |\n | Capability | K8SPKCS12 | Store type name orchestrator will register with. Check the box to allow entry of value |\n | Supports Add | โœ… Checked | Check the box. Indicates that the Store Type supports Management Add |\n | Supports Remove | โœ… Checked | Check the box. Indicates that the Store Type supports Management Remove |\n | Supports Discovery | โœ… Checked | Check the box. Indicates that the Store Type supports Discovery |\n | Supports Reenrollment | ๐Ÿ”ฒ Unchecked | Indicates that the Store Type supports Reenrollment |\n | Supports Create | โœ… Checked | Check the box. Indicates that the Store Type supports store creation |\n | Needs Server | โœ… Checked | Determines if a target server name is required when creating store |\n | Blueprint Allowed | ๐Ÿ”ฒ Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n | Uses PowerShell | ๐Ÿ”ฒ Unchecked | Determines if underlying implementation is PowerShell |\n | Requires Store Password | โœ… Checked | Enables users to optionally specify a store password when defining a Certificate Store. |\n | Supports Entry Password | ๐Ÿ”ฒ Unchecked | Determines if an individual entry within a store can have a password. |\n\n The Basic tab should look like this:\n\n ![K8SPKCS12 Basic Tab](docsource/images/K8SPKCS12-basic-store-type-dialog.png)\n\n ##### Advanced Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |\n | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n The Advanced tab should look like this:\n\n ![K8SPKCS12 Advanced Tab](docsource/images/K8SPKCS12-advanced-store-type-dialog.png)\n\n \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n ##### Custom Fields Tab\n Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n | Name | Display Name | Description | Type | Default Value/Options | Required |\n | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked |\n | CertificateDataFieldName | CertificateDataFieldName | | String | .p12 | โœ… Checked |\n | PasswordFieldName | Password Field Name | The field name to use when looking for the PKCS12 keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. | String | password | ๐Ÿ”ฒ Unchecked |\n | PasswordIsK8SSecret | Password Is K8S Secret | Indicates whether the password to the PKCS12 keystore is stored in a separate K8S secret object. | Bool | false | ๐Ÿ”ฒ Unchecked |\n | KubeNamespace | Kube Namespace | The K8S namespace to use to manage the K8S secret object. | String | default | ๐Ÿ”ฒ Unchecked |\n | KubeSecretName | Kube Secret Name | The name of the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked |\n | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked |\n | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked |\n | KubeSecretType | Kube Secret Type | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`. | String | pkcs12 | ๐Ÿ”ฒ Unchecked |\n | StorePasswordPath | StorePasswordPath | The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: `\u003cnamespace\u003e/\u003csecret_name\u003e` | String | None | ๐Ÿ”ฒ Unchecked |\n\n The Custom Fields tab should look like this:\n\n ![K8SPKCS12 Custom Fields Tab](docsource/images/K8SPKCS12-custom-fields-store-type-dialog.png)\n\n\n ###### Include Certificate Chain\n Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting.\n\n ![K8SPKCS12 Custom Field - IncludeCertChain](docsource/images/K8SPKCS12-custom-field-IncludeCertChain-dialog.png)\n ![K8SPKCS12 Custom Field - IncludeCertChain](docsource/images/K8SPKCS12-custom-field-IncludeCertChain-validation-options-dialog.png)\n\n\n\n ###### CertificateDataFieldName\n\n\n ![K8SPKCS12 Custom Field - CertificateDataFieldName](docsource/images/K8SPKCS12-custom-field-CertificateDataFieldName-dialog.png)\n ![K8SPKCS12 Custom Field - CertificateDataFieldName](docsource/images/K8SPKCS12-custom-field-CertificateDataFieldName-validation-options-dialog.png)\n\n\n\n ###### Password Field Name\n The field name to use when looking for the PKCS12 keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`.\n\n ![K8SPKCS12 Custom Field - PasswordFieldName](docsource/images/K8SPKCS12-custom-field-PasswordFieldName-dialog.png)\n ![K8SPKCS12 Custom Field - PasswordFieldName](docsource/images/K8SPKCS12-custom-field-PasswordFieldName-validation-options-dialog.png)\n\n\n\n ###### Password Is K8S Secret\n Indicates whether the password to the PKCS12 keystore is stored in a separate K8S secret object.\n\n ![K8SPKCS12 Custom Field - PasswordIsK8SSecret](docsource/images/K8SPKCS12-custom-field-PasswordIsK8SSecret-dialog.png)\n ![K8SPKCS12 Custom Field - PasswordIsK8SSecret](docsource/images/K8SPKCS12-custom-field-PasswordIsK8SSecret-validation-options-dialog.png)\n\n\n\n ###### Kube Namespace\n The K8S namespace to use to manage the K8S secret object.\n\n ![K8SPKCS12 Custom Field - KubeNamespace](docsource/images/K8SPKCS12-custom-field-KubeNamespace-dialog.png)\n ![K8SPKCS12 Custom Field - KubeNamespace](docsource/images/K8SPKCS12-custom-field-KubeNamespace-validation-options-dialog.png)\n\n\n\n ###### Kube Secret Name\n The name of the K8S secret object.\n\n ![K8SPKCS12 Custom Field - KubeSecretName](docsource/images/K8SPKCS12-custom-field-KubeSecretName-dialog.png)\n ![K8SPKCS12 Custom Field - KubeSecretName](docsource/images/K8SPKCS12-custom-field-KubeSecretName-validation-options-dialog.png)\n\n\n\n ###### Server Username\n This should be no value or `kubeconfig`\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n ###### Server Password\n The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n ###### Kube Secret Type\n DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`.\n\n ![K8SPKCS12 Custom Field - KubeSecretType](docsource/images/K8SPKCS12-custom-field-KubeSecretType-dialog.png)\n ![K8SPKCS12 Custom Field - KubeSecretType](docsource/images/K8SPKCS12-custom-field-KubeSecretType-validation-options-dialog.png)\n\n\n\n ###### StorePasswordPath\n The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: `\u003cnamespace\u003e/\u003csecret_name\u003e`\n\n ![K8SPKCS12 Custom Field - StorePasswordPath](docsource/images/K8SPKCS12-custom-field-StorePasswordPath-dialog.png)\n ![K8SPKCS12 Custom Field - StorePasswordPath](docsource/images/K8SPKCS12-custom-field-StorePasswordPath-validation-options-dialog.png)\n\n\n\n\n\n \u003c/details\u003e\n\u003c/details\u003e\n\n### K8SSecret\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `K8SSecret` store type is used to manage Kubernetes secrets of type `Opaque`.\n\n\n\n\n#### Supported Operations\n\n| Operation | Is Supported |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add | โœ… Checked |\n| Remove | โœ… Checked |\n| Discovery | โœ… Checked |\n| Reenrollment | ๐Ÿ”ฒ Unchecked |\n| Create | โœ… Checked |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n \u003cdetails\u003e\u003csummary\u003eClick to expand K8SSecret kfutil details\u003c/summary\u003e\n\n ##### Using online definition from GitHub:\n This will reach out to GitHub and pull the latest store-type definition\n ```shell\n # K8SSecret\n kfutil store-types create K8SSecret\n ```\n\n ##### Offline creation using integration-manifest file:\n If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n in your offline environment.\n ```shell\n kfutil store-types create --from-file integration-manifest.json\n ```\n \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the K8SSecret store type manually in\nthe Keyfactor Command Portal\n \u003cdetails\u003e\u003csummary\u003eClick to expand manual K8SSecret details\u003c/summary\u003e\n\n Create a store type called `K8SSecret` with the attributes in the tables below:\n\n ##### Basic Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Name | K8SSecret | Display name for the store type (may be customized) |\n | Short Name | K8SSecret | Short display name for the store type |\n | Capability | K8SSecret | Store type name orchestrator will register with. Check the box to allow entry of value |\n | Supports Add | โœ… Checked | Check the box. Indicates that the Store Type supports Management Add |\n | Supports Remove | โœ… Checked | Check the box. Indicates that the Store Type supports Management Remove |\n | Supports Discovery | โœ… Checked | Check the box. Indicates that the Store Type supports Discovery |\n | Supports Reenrollment | ๐Ÿ”ฒ Unchecked | Indicates that the Store Type supports Reenrollment |\n | Supports Create | โœ… Checked | Check the box. Indicates that the Store Type supports store creation |\n | Needs Server | โœ… Checked | Determines if a target server name is required when creating store |\n | Blueprint Allowed | ๐Ÿ”ฒ Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n | Uses PowerShell | ๐Ÿ”ฒ Unchecked | Determines if underlying implementation is PowerShell |\n | Requires Store Password | ๐Ÿ”ฒ Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |\n | Supports Entry Password | ๐Ÿ”ฒ Unchecked | Determines if an individual entry within a store can have a password. |\n\n The Basic tab should look like this:\n\n ![K8SSecret Basic Tab](docsource/images/K8SSecret-basic-store-type-dialog.png)\n\n ##### Advanced Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |\n | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n The Advanced tab should look like this:\n\n ![K8SSecret Advanced Tab](docsource/images/K8SSecret-advanced-store-type-dialog.png)\n\n \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n ##### Custom Fields Tab\n Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n | Name | Display Name | Description | Type | Default Value/Options | Required |\n | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n | KubeNamespace | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked |\n | KubeSecretName | KubeSecretName | The name of the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked |\n | KubeSecretType | KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`. | String | secret | ๐Ÿ”ฒ Unchecked |\n | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked |\n | SeparateChain | Separate Chain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | Bool | false | ๐Ÿ”ฒ Unchecked |\n | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked |\n | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked |\n\n The Custom Fields tab should look like this:\n\n ![K8SSecret Custom Fields Tab](docsource/images/K8SSecret-custom-fields-store-type-dialog.png)\n\n\n ###### KubeNamespace\n The K8S namespace to use to manage the K8S secret object.\n\n ![K8SSecret Custom Field - KubeNamespace](docsource/images/K8SSecret-custom-field-KubeNamespace-dialog.png)\n ![K8SSecret Custom Field - KubeNamespace](docsource/images/K8SSecret-custom-field-KubeNamespace-validation-options-dialog.png)\n\n\n\n ###### KubeSecretName\n The name of the K8S secret object.\n\n ![K8SSecret Custom Field - KubeSecretName](docsource/images/K8SSecret-custom-field-KubeSecretName-dialog.png)\n ![K8SSecret Custom Field - KubeSecretName](docsource/images/K8SSecret-custom-field-KubeSecretName-validation-options-dialog.png)\n\n\n\n ###### KubeSecretType\n DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`.\n\n ![K8SSecret Custom Field - KubeSecretType](docsource/images/K8SSecret-custom-field-KubeSecretType-dialog.png)\n ![K8SSecret Custom Field - KubeSecretType](docsource/images/K8SSecret-custom-field-KubeSecretType-validation-options-dialog.png)\n\n\n\n ###### Include Certificate Chain\n Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting.\n\n ![K8SSecret Custom Field - IncludeCertChain](docsource/images/K8SSecret-custom-field-IncludeCertChain-dialog.png)\n ![K8SSecret Custom Field - IncludeCertChain](docsource/images/K8SSecret-custom-field-IncludeCertChain-validation-options-dialog.png)\n\n\n\n ###### Separate Chain\n Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets.\n\n ![K8SSecret Custom Field - SeparateChain](docsource/images/K8SSecret-custom-field-SeparateChain-dialog.png)\n ![K8SSecret Custom Field - SeparateChain](docsource/images/K8SSecret-custom-field-SeparateChain-validation-options-dialog.png)\n\n\n\n ###### Server Username\n This should be no value or `kubeconfig`\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n ###### Server Password\n The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n\n\n \u003c/details\u003e\n\u003c/details\u003e\n\n### K8STLSSecr\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `K8STLSSecr` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls`.\n\n\n\n\n#### Supported Operations\n\n| Operation | Is Supported |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add | โœ… Checked |\n| Remove | โœ… Checked |\n| Discovery | โœ… Checked |\n| Reenrollment | ๐Ÿ”ฒ Unchecked |\n| Create | โœ… Checked |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n \u003cdetails\u003e\u003csummary\u003eClick to expand K8STLSSecr kfutil details\u003c/summary\u003e\n\n ##### Using online definition from GitHub:\n This will reach out to GitHub and pull the latest store-type definition\n ```shell\n # K8STLSSecr\n kfutil store-types create K8STLSSecr\n ```\n\n ##### Offline creation using integration-manifest file:\n If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n in your offline environment.\n ```shell\n kfutil store-types create --from-file integration-manifest.json\n ```\n \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the K8STLSSecr store type manually in\nthe Keyfactor Command Portal\n \u003cdetails\u003e\u003csummary\u003eClick to expand manual K8STLSSecr details\u003c/summary\u003e\n\n Create a store type called `K8STLSSecr` with the attributes in the tables below:\n\n ##### Basic Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Name | K8STLSSecr | Display name for the store type (may be customized) |\n | Short Name | K8STLSSecr | Short display name for the store type |\n | Capability | K8STLSSecr | Store type name orchestrator will register with. Check the box to allow entry of value |\n | Supports Add | โœ… Checked | Check the box. Indicates that the Store Type supports Management Add |\n | Supports Remove | โœ… Checked | Check the box. Indicates that the Store Type supports Management Remove |\n | Supports Discovery | โœ… Checked | Check the box. Indicates that the Store Type supports Discovery |\n | Supports Reenrollment | ๐Ÿ”ฒ Unchecked | Indicates that the Store Type supports Reenrollment |\n | Supports Create | โœ… Checked | Check the box. Indicates that the Store Type supports store creation |\n | Needs Server | โœ… Checked | Determines if a target server name is required when creating store |\n | Blueprint Allowed | ๐Ÿ”ฒ Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n | Uses PowerShell | ๐Ÿ”ฒ Unchecked | Determines if underlying implementation is PowerShell |\n | Requires Store Password | ๐Ÿ”ฒ Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |\n | Supports Entry Password | ๐Ÿ”ฒ Unchecked | Determines if an individual entry within a store can have a password. |\n\n The Basic tab should look like this:\n\n ![K8STLSSecr Basic Tab](docsource/images/K8STLSSecr-basic-store-type-dialog.png)\n\n ##### Advanced Tab\n | Attribute | Value | Description |\n | --------- | ----- | ----- |\n | Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |\n | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n The Advanced tab should look like this:\n\n ![K8STLSSecr Advanced Tab](docsource/images/K8STLSSecr-advanced-store-type-dialog.png)\n\n \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n ##### Custom Fields Tab\n Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n | Name | Display Name | Description | Type | Default Value/Options | Required |\n | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n | KubeNamespace | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked |\n | KubeSecretName | KubeSecretName | The name of the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked |\n | KubeSecretType | KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`. | String | tls_secret | ๐Ÿ”ฒ Unchecked |\n | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked |\n | SeparateChain | Separate Chain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | Bool | false | ๐Ÿ”ฒ Unchecked |\n | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked |\n | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked |\n\n The Custom Fields tab should look like this:\n\n ![K8STLSSecr Custom Fields Tab](docsource/images/K8STLSSecr-custom-fields-store-type-dialog.png)\n\n\n ###### KubeNamespace\n The K8S namespace to use to manage the K8S secret object.\n\n ![K8STLSSecr Custom Field - KubeNamespace](docsource/images/K8STLSSecr-custom-field-KubeNamespace-dialog.png)\n ![K8STLSSecr Custom Field - KubeNamespace](docsource/images/K8STLSSecr-custom-field-KubeNamespace-validation-options-dialog.png)\n\n\n\n ###### KubeSecretName\n The name of the K8S secret object.\n\n ![K8STLSSecr Custom Field - KubeSecretName](docsource/images/K8STLSSecr-custom-field-KubeSecretName-dialog.png)\n ![K8STLSSecr Custom Field - KubeSecretName](docsource/images/K8STLSSecr-custom-field-KubeSecretName-validation-options-dialog.png)\n\n\n\n ###### KubeSecretType\n DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`.\n\n ![K8STLSSecr Custom Field - KubeSecretType](docsource/images/K8STLSSecr-custom-field-KubeSecretType-dialog.png)\n ![K8STLSSecr Custom Field - KubeSecretType](docsource/images/K8STLSSecr-custom-field-KubeSecretType-validation-options-dialog.png)\n\n\n\n ###### Include Certificate Chain\n Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting.\n\n ![K8STLSSecr Custom Field - IncludeCertChain](docsource/images/K8STLSSecr-custom-field-IncludeCertChain-dialog.png)\n ![K8STLSSecr Custom Field - IncludeCertChain](docsource/images/K8STLSSecr-custom-field-IncludeCertChain-validation-options-dialog.png)\n\n\n\n ###### Separate Chain\n Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets.\n\n ![K8STLSSecr Custom Field - SeparateChain](docsource/images/K8STLSSecr-custom-field-SeparateChain-dialog.png)\n ![K8STLSSecr Custom Field - SeparateChain](docsource/images/K8STLSSecr-custom-field-SeparateChain-validation-options-dialog.png)\n\n\n\n ###### Server Username\n This should be no value or `kubeconfig`\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n ###### Server Password\n The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json\n\n\n \u003e [!IMPORTANT]\n \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n\n\n \u003c/details\u003e\n\u003c/details\u003e\n\n\n## Installation\n\n1. **Download the latest Kubernetes Universal Orchestrator extension from GitHub.**\n\n Navigate to the [Kubernetes Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/k8s-orchestrator/releases/latest). Refer to the compatibility matrix below to determine the asset should be downloaded. Then, click the corresponding asset to download the zip archive.\n\n | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `k8s-orchestrator` .NET version to download |\n | --------- | ----------- | ----------- | ----------- |\n | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` |\n | `11.6` _and_ newer | `net8.0` | | `net8.0` | \n\n Unzip the archive containing extension assemblies to a known location.\n\n \u003e **Note** If you don't see an asset with a corresponding .NET version, you should always assume that it was compiled for `net8.0`.\n\n2. **Locate the Universal Orchestrator extensions directory.**\n\n * **Default on Windows** - `C:\\Program Files\\Keyfactor\\Keyfactor Orchestrator\\extensions`\n * **Default on Linux** - `/opt/keyfactor/orchestrator/extensions`\n\n3. **Create a new directory for the Kubernetes Universal Orchestrator extension inside the extensions directory.**\n\n Create a new directory called `k8s-orchestrator`.\n \u003e The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory.\n\n4. **Copy the contents of the downloaded and unzipped assemblies from __step 2__ to the `k8s-orchestrator` directory.**\n\n5. **Restart the Universal Orchestrator service.**\n\n Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm).\n\n\n6. **(optional) PAM Integration**\n\n The Kubernetes Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.\n\n To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote).\n\n\n\u003e The above installation steps can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions).\n\n\n\n## Defining Certificate Stores\n\nThe Kubernetes Universal Orchestrator extension implements 7 Certificate Store Types, each of which implements different functionality. Refer to the individual instructions below for each Certificate Store Type that you deemed necessary for your use case from the installation section.\n\n\u003cdetails\u003e\u003csummary\u003eK8SCert (K8SCert)\u003c/summary\u003e\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n | Attribute | Description |\n | --------- |---------------------------------------------------------|\n | Category | Select \"K8SCert\" or the customized certificate store name from the previous step. |\n | Container | Optional container to associate certificate store with. |\n | Client Machine | The Kubernetes cluster name or identifier. |\n | Store Path | |\n | Orchestrator | Select an approved orchestrator capable of managing `K8SCert` certificates. Specifically, one with the `K8SCert` capability. |\n | ServerUsername | This should be no value or `kubeconfig` |\n | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n | KubeSecretName | The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster. |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the K8SCert certificate store**\n\n ```shell\n kfutil stores import generate-template --store-type-name K8SCert --outpath K8SCert.csv\n ```\n2. **Populate the generated CSV file**\n\n Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n | Attribute | Description |\n | --------- | ----------- |\n | Category | Select \"K8SCert\" or the customized certificate store name from the previous step. |\n | Container | Optional container to associate certificate store with. |\n | Client Machine | The Kubernetes cluster name or identifier. |\n | Store Path | |\n | Orchestrator | Select an approved orchestrator capable of managing `K8SCert` certificates. Specifically, one with the `K8SCert` capability. |\n | Properties.ServerUsername | This should be no value or `kubeconfig` |\n | Properties.ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n | Properties.KubeSecretName | The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster. |\n\n3. **Import the CSV file to create the certificate stores**\n\n ```shell\n kfutil stores import csv --store-type-name K8SCert --file K8SCert.csv\n ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n | Attribute | Description |\n | --------- | ----------- |\n | ServerUsername | This should be no value or `kubeconfig` |\n | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n### Inventory Modes\n\nK8SCert supports two inventory modes:\n\n#### Single CSR Mode (Legacy)\n\nWhen `KubeSecretName` is set to a specific CSR name, the store inventories only that single CSR. This is useful when you want to track a specific certificate issued through a CSR.\n\n**Configuration:**\n- `KubeSecretName`: The name of the specific CSR to inventory (e.g., `my-app-csr`)\n\n#### Cluster-Wide Mode\n\nWhen `KubeSecretName` is left empty or set to `*`, the store inventories ALL issued CSRs in the cluster. This provides a single-pane view of all certificates issued through Kubernetes CSRs.\n\n**Configuration:**\n- `KubeSecretName`: Leave empty or set to `*`\n\n**Note:** Only CSRs that have been approved AND have an issued certificate are included in the inventory. Pending or denied CSRs are skipped.\n\n### Store Configuration\n\n| Property | Description | Required |\n|----------|-------------|----------|\n| **Client Machine** | A descriptive name for the Kubernetes cluster | Yes |\n| **Store Path** | Can be any value (not used for CSR inventory) | Yes |\n| **Server Username** | Leave empty or set to `kubeconfig` | No |\n| **Server Password** | The kubeconfig JSON for connecting to the cluster | Yes |\n| **KubeSecretName** | CSR name for single mode, or empty/`*` for cluster-wide mode | No |\n\n### Discovery\n\nDiscovery will find all CSRs in the cluster that have issued certificates and return them as potential store locations. Each discovered CSR can be added as a separate K8SCert store (single CSR mode).\n\n### Example Use Cases\n\n#### Track All Cluster Certificates\n\nCreate a single K8SCert store with `KubeSecretName` empty to get visibility into all certificates issued through Kubernetes CSRs:\n\n1. Create a K8SCert store\n2. Set `Client Machine` to your cluster name\n3. Leave `KubeSecretName` empty\n4. Run inventory to see all issued CSR certificates\n\n#### Track a Specific Application Certificate\n\nCreate a K8SCert store for a specific CSR:\n\n1. Create a K8SCert store\n2. Set `Client Machine` to your cluster name\n3. Set `KubeSecretName` to the CSR name (e.g., `my-app-client-cert`)\n4. Run inventory to track that specific certificate\n\n### Limitations\n\n- **Read-Only**: K8SCert does not support Add or Remove operations. CSRs must be created and approved through Kubernetes APIs or kubectl.\n- **No Private Keys**: CSR certificates do not include private keys in Kubernetes (the private key stays with the requestor).\n- **Cluster-Scoped**: CSRs are cluster-scoped resources (not namespaced).\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eK8SCluster (K8SCluster)\u003c/summary\u003e\n\nIn order for certificates of type `Opaque` and/or `kubernetes.io/tls` to be inventoried in `K8SCluster` store types, they must\nhave specific keys in the Kubernetes secret.\n- Required keys: `tls.crt` or `ca.crt`\n- Additional keys: `tls.key`\n\n### Storepath Patterns\n- `\u003ccluster_name\u003e`\n\n### Alias Patterns\n- `\u003cnamespace_name\u003e/secrets/\u003ctls|opaque\u003e/\u003csecret_name\u003e`\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n | Attribute | Description |\n | --------- |---------------------------------------------------------|\n | Category | Select \"K8SCluster\" or the customized certificate store name from the previous step. |\n | Container | Optional container to associate certificate store with. |\n | Client Machine | This can be anything useful, recommend using the k8s cluster name or identifier. |\n | Store Path | |\n | Orchestrator | Select an approved orchestrator capable of managing `K8SCluster` certificates. Specifically, one with the `K8SCluster` capability. |\n | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |\n | SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. |\n | ServerUsername | This should be no value or `kubeconfig` |\n | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the K8SCluster certificate store**\n\n ```shell\n kfutil stores import generate-template --store-type-name K8SCluster --outpath K8SCluster.csv\n ```\n2. **Populate the generated CSV file**\n\n Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n | Attribute | Description |\n | --------- | ----------- |\n | Category | Select \"K8SCluster\" or the customized certificate store name from the previous step. |\n | Container | Optional container to associate certificate store with. |\n | Client Machine | This can be anything useful, recommend using the k8s cluster name or identifier. |\n | Store Path | |\n | Orchestrator | Select an approved orchestrator capable of managing `K8SCluster` certificates. Specifically, one with the `K8SCluster` capability. |\n | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |\n | Properties.SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. |\n | Properties.ServerUsername | This should be no value or `kubeconfig` |\n | Properties.ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n\n3. **Import the CSV file to create the certificate stores**\n\n ```shell\n kfutil stores import csv --store-type-name K8SCluster --file K8SCluster.csv\n ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n | Attribute | Description |\n | --------- | ----------- |\n | ServerUsername | This should be no value or `kubeconfig` |\n | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eK8SJKS (K8SJKS)\u003c/summary\u003e\n\nIn order for certificates of type `Opaque` to be inventoried as `K8SJKS` store types, they must have specific keys in\nthe Kubernetes secret.\n- Valid Keys: `*.jks`\n\n### Storepath Patterns\n- `\u003cnamespace_name\u003e/\u003csecret_name\u003e`\n- `\u003cnamespace_name\u003e/secrets/\u003csecret_name\u003e`\n- `\u003ccluster_name\u003e/\u003cnamespace_name\u003e/secrets/\u003csecret_name\u003e`\n\n### Alias Patterns\n- `\u003ck8s_secret_field_name\u003e/\u003ckeystore_alias\u003e`\n\nExample: `test.jks/load_balancer` where `test.jks` is the field name on the `Opaque` secret and `load_balancer` is\nthe certificate alias in the `jks` data store.\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n | Attribute | Description |\n | --------- |---------------------------------------------------------|\n | Category | Select \"K8SJKS\" or the customized certificate store name from the previous step. |\n | Container | Optional container to associate certificate store with. |\n | Client Machine | This can be anything useful, recommend using the k8s cluster name or identifier. |\n | Store Path | |\n | Store Password | Password to use when reading/writing to store |\n | Orchestrator | Select an approved orchestrator capable of managing `K8SJKS` certificates. Specifically, one with the `K8SJKS` capability. |\n | KubeNamespace | The K8S namespace to use to manage the K8S secret object. |\n | KubeSecretName | The name of the K8S secret object. |\n | KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`. |\n | CertificateDataFieldName | The field name to use when looking for certificate data in the K8S secret. |\n | PasswordFieldName | The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. |\n | PasswordIsK8SSecret | Indicates whether the password to the JKS keystore is stored in a separate K8S secret. |\n | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |\n | StorePasswordPath | The path to the K8S secret object to use as the password to the JKS keystore. Example: `\u003cnamespace\u003e/\u003csecret_name\u003e` |\n | ServerUsername | This should be no value or `kubeconfig` |\n | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the K8SJKS certificate store**\n\n ```shell\n kfutil stores import generate-template --store-type-name K8SJKS --outpath K8SJKS.csv\n ```\n2. **Populate the generated CSV file**\n\n Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n | Attribute | Description |\n | --------- | ----------- |\n | Category | Select \"K8SJKS\" or the customized certificate store name from the previous step. |\n | Container | Optional container to associate certificate store with. |\n | Client Machine | This can be anything useful, recommend using the k8s cluster name or identifier. |\n | Store Path | |\n | Store Password | Password to use when reading/writing to store |\n | Orchestrator | Select an approved orchestrator capable of managing `K8SJKS` certificates. Specifically, one with the `K8SJKS` capability. |\n | Properties.KubeNamespace | The K8S namespace to use to manage the K8S secret object. |\n | Properties.KubeSecretName | The name of the K8S secret object. |\n | Properties.KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`. |\n | Properties.CertificateDataFieldName | The field name to use when looking for certificate data in the K8S secret. |\n | Properties.PasswordFieldName | The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. |\n | Properties.PasswordIsK8SSecret | Indicates whether the password to the JKS keystore is stored in a separate K8S secret. |\n | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |\n | Properties.StorePasswordPath | The path to the K8S secret object to use as the password to the JKS keystore. Example: `\u003cnamespace\u003e/\u003csecret_name\u003e` |\n | Properties.ServerUsername | This should be no value or `kubeconfig` |\n | Properties.ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n\n3. **Import the CSV file to create the certificate stores**\n\n ```shell\n kfutil stores import csv --store-type-name K8SJKS --file K8SJKS.csv\n ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n | Attribute | Description |\n | --------- | ----------- |\n | ServerUsername | This should be no value or `kubeconfig` |\n | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n | StorePassword | Password to use when reading/writing to store |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n### Supported Key Types\n\nThe K8SJKS store type supports certificates with the following key algorithms:\n\n| Key Type | Supported |\n|----------|-----------|\n| RSA (1024, 2048, 4096, 8192 bit) | Yes |\n| ECDSA (P-256, P-384, P-521) | Yes |\n| DSA (1024, 2048 bit) | Yes |\n| Ed25519 | Yes |\n| Ed448 | Yes |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eK8SNS (K8SNS)\u003c/summary\u003e\n\nIn order for certificates of type `Opaque` and/or `kubernetes.io/tls` to be inventoried in `K8SNS` store types, they must \nhave specific keys in the Kubernetes secret.\n- Required keys: `tls.crt` or `ca.crt`\n- Additional keys: `tls.key`\n\n### Storepath Patterns\n\n- `\u003cnamespace_name\u003e`\n- `\u003ccluster_name\u003e/\u003cnamespace_name\u003e`\n\n### Alias Patterns\n\n- `secrets/\u003ctls|opaque\u003e/\u003csecret_name\u003e`\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n | Attribute | Description |\n | --------- |---------------------------------------------------------|\n | Category | Select \"K8SNS\" or the customized certificate store name from the previous step. |\n | Container | Optional container to associate certificate store with. |\n | Client Machine | This can be anything useful, recommend using the k8s cluster name or identifier. |\n | Store Path | |\n | Orchestrator | Select an approved orchestrator capable of managing `K8SNS` certificates. Specifically, one with the `K8SNS` capability. |\n | KubeNamespace | The K8S namespace to use to manage the K8S secret object. |\n | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |\n | SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. |\n | ServerUsername | This should be no value or `kubeconfig` |\n | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the K8SNS certificate store**\n\n ```shell\n kfutil stores import generate-template --store-type-name K8SNS --outpath K8SNS.csv\n ```\n2. **Populate the generated CSV file**\n\n Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n | Attribute | Description |\n | --------- | ----------- |\n | Category | Select \"K8SNS\" or the customized certificate store name from the previous step. |\n | Container | Optional container to associate certificate store with. |\n | Client Machine | This can be anything useful, recommend using the k8s cluster name or identifier. |\n | Store Path | |\n | Orchestrator | Select an approved orchestrator capable of managing `K8SNS` certificates. Specifically, one with the `K8SNS` capability. |\n | Properties.KubeNamespace | The K8S namespace to use to manage the K8S secret object. |\n | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |\n | Properties.SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. |\n | Properties.ServerUsername | This should be no value or `kubeconfig` |\n | Properties.ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n\n3. **Import the CSV file to create the certificate stores**\n\n ```shell\n kfutil stores import csv --store-type-name K8SNS --file K8SNS.csv\n ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n | Attribute | Description |\n | --------- | ----------- |\n | ServerUsername | This should be no value or `kubeconfig` |\n | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |\n\nPlease refer to the **Universal Orchestra","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Fk8s-orchestrator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeyfactor%2Fk8s-orchestrator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Fk8s-orchestrator/lists"}