Keyfactor
diff --git a/‎AxisIPCamera/AxisIPCamera.csproj‎
Lines changed: 42 additions & 35 deletions b/‎AxisIPCamera/AxisIPCamera.csproj‎
Lines changed: 42 additions & 35 deletions
diff --git a/‎AxisIPCamera/Client/AxisHttpClient.cs‎
Lines changed: 31 additions & 11 deletions b/‎AxisIPCamera/Client/AxisHttpClient.cs‎
Lines changed: 31 additions & 11 deletions
diff --git a/‎AxisIPCamera/Helpers/DeviceCertValidator.cs‎
Lines changed: 14 additions & 2 deletions b/‎AxisIPCamera/Helpers/DeviceCertValidator.cs‎
Lines changed: 14 additions & 2 deletions
diff --git a/‎AxisIPCamera/Helpers/SANBuilder.cs‎
Lines changed: 64 additions & 0 deletions b/‎AxisIPCamera/Helpers/SANBuilder.cs‎
Lines changed: 64 additions & 0 deletions
@@ -2,47 +2,54 @@
 
   <PropertyGroup>
 	<AppendTargetFrameworkToOutputPath>true</AppendTargetFrameworkToOutputPath>
-    <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
+    <TargetFramework>net8.0</TargetFramework>
 	<CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
 	<ImplicitUsings>disable</ImplicitUsings>
 	<RootNamespace>Keyfactor.Extensions.Orchestrator.AxisIPCamera</RootNamespace>
+    <FileVersion>1.1.0</FileVersion>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="BouncyCastle.NetCore" Version="2.2.1" />
-    <PackageReference Include="Keyfactor.Logging" Version="1.1.1" />
-	
-	<None Update="manifest.json">
-		<CopyToOutputDirectory>Always</CopyToOutputDirectory>
-	</None>
-	
-	<PackageReference Include="Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="1.0.0" />
-	
-	<PackageReference Include="RestSharp" Version="112.1.0" />
-	
-	<None Update="Files\SetHttpsBinding.xml">
-	  <CopyToOutputDirectory>Always</CopyToOutputDirectory>
-	</None>
-	
-	<None Update="Files\SetIEEEBinding.xml">
-	  <CopyToOutputDirectory>Always</CopyToOutputDirectory>
-	</None>
-	
-	<None Update="Files\SetMQTTBinding.json">
-	  <CopyToOutputDirectory>Always</CopyToOutputDirectory>
-	</None>
-	
-	<None Update="Files\GetHttpsBinding.xml">
-	  <CopyToOutputDirectory>Always</CopyToOutputDirectory>
-	</None>
-	
-	<None Update="Files\GetIEEEBinding.xml">
-	  <CopyToOutputDirectory>Always</CopyToOutputDirectory>
-	</None>
-	
-	<None Update="Files\GetMQTTBinding.json">
-	  <CopyToOutputDirectory>Always</CopyToOutputDirectory>
-	</None>
+    
+    <PackageReference Include="BouncyCastle.Cryptography" Version="2.6.1" />
+    
+    <PackageReference Include="Keyfactor.Logging" Version="1.3.0" />
+    
+    <PackageReference Include="Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="1.0.0" />
+    
+    <PackageReference Include="Keyfactor.PKI" Version="8.3.1" />
+    
+    <PackageReference Include="RestSharp" Version="112.1.0" />
+    
+    <PackageReference Include="System.Formats.Asn1" Version="8.0.1" />
+    
+    <None Update="manifest.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+
+    <None Update="Files\SetHttpsBinding.xml">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+    
+    <None Update="Files\SetIEEEBinding.xml">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+    
+    <None Update="Files\SetMQTTBinding.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+    
+    <None Update="Files\GetHttpsBinding.xml">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+    
+    <None Update="Files\GetIEEEBinding.xml">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+    
+    <None Update="Files\GetMQTTBinding.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
   </ItemGroup>
 
 </Project>
@@ -1,11 +1,12 @@
-// Copyright 2025 Keyfactor
+// Copyright 2026 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
 // and limitations under the License.
 
 using System;
+using System.Collections.Generic;
 using System.Reflection;
 using System.IO;
 using System.Linq;
@@ -285,8 +286,7 @@ public Constants.Keystore GetDefaultKeystore()
         /// <param name="keyType">Combination of key algorithm and key size</param>
         /// <param name="keystore">Default keystore for the device</param>
         /// <param name="subject">Subject provided for the certificate</param>
-        /// <param name="sans">Subject Alternative Names</param>
-        public void CreateSelfSignedCert(string alias, string keyType, string keystore, string subject, string[] sans)
+        public void CreateSelfSignedCert(string alias, string keyType, string keystore, string subject)
         {
             try
             {
@@ -303,7 +303,7 @@ public void CreateSelfSignedCert(string alias, string keyType, string keystore,
                         KeyType = keyType,
                         Keystore = keystore,
                         Subject = subject,
-                        SANS = sans,
+                        SANS = [],
                         ValidFrom = 0, // Cert validity period will be determined by the template
                         ValidTo = 0 // Cert validity period will be determined by the template
                     }
@@ -347,25 +347,45 @@ public void CreateSelfSignedCert(string alias, string keyType, string keystore,
         }
 
         /// <summary>
-        /// Obtains a CSR for the self-signed certificate with private key on the device.
-        /// Fields from the self-signed certificate will be copied into the CSR. 
+        /// Obtains a CSR for the self-signed or existing certificate with private key on the device.
+        /// Fields from the certificate will be copied into the CSR.
+        /// SANs will be added to the CSR.
         /// </summary>
         /// <param name="alias">Unique identifier for the cert to be generated from the CSR</param>
+        /// <param name="subject">Subject provided for the certificate</param>
+        /// <param name="sans">Subject Alternative Names</param>
         /// <returns>CSR string</returns>
-        public string ObtainCSR(string alias)
+        public string ObtainCSR(string alias, string subject, List<string> sans)
         {
             try
             {
                 Logger.MethodEntry();
 
                 var postCSRResource = $"{Constants.RestApiEntryPoint}/certificates/{alias}/get_csr";
 
-                // Compose the body --- This is required, but leaving the contents blank.
-                // All information obtained in the self-signed cert will be used to create the CSR.
+                // Compose the body --- This is required.
+                // All information obtained in the self-signed or existing cert will be used to create the CSR.
                 // If there are attributes assigned by the CA, those will override the attributes that end up
                 // in the certificate signed by the CA. 
-                string jsonBody = @"{""data"":{}}";
-                var httpResponse = ExecuteHttp(postCSRResource, Method.Post, Constants.ApiType.Rest, jsonBody);
+                // 1. If a field is filled out, that value will be used in the CSR
+                // 2. If a field is NOT filled out, the existing value from the existing certificate will be copied into the CSR
+                // 3. If a field is filled out with a blank value, that field is not copied from the existing certificate nor added to the CSR
+                var jsonBody = new StringBuilder(@"{""data"":{");
+
+                if (sans.Count == 0)
+                {
+                    jsonBody.Append(@"""subject"":""").Append(subject).Append("}}");
+                }
+                else
+                {
+                    jsonBody.Append(@"""subject"":""").Append(subject).Append(@""",""subject_alt_names"": [");
+                    string result = string.Join(",", sans);
+                    jsonBody.Append(result).Append("]}}");
+                }
+                
+                Logger.LogDebug($"POST Request Body: {jsonBody}");
+                
+                var httpResponse = ExecuteHttp(postCSRResource, Method.Post, Constants.ApiType.Rest, jsonBody.ToString());
 
                 // Decode the HTTP response if failed
                 if (httpResponse is {IsSuccessful:false})
 
@@ -73,6 +73,12 @@ public static class DeviceCertValidator
 
                 // Add TLS cert as leaf certificate to the end of the custom chain
                 customChain.Add(parser.ReadCertificate(cert.RawData));
+
+                if (!File.Exists(trustedIntCertPath))
+                {
+                    logger.LogError($"{trustedIntCertPath} does not exist.");
+                    return false;
+                }
 
                 logger.LogTrace($"Loading Trusted Intermediate Certs from {trustedIntCertPath}");
                 var trustedIntCerts = parser.ReadCertificates(File.ReadAllBytes(trustedIntCertPath));
@@ -92,6 +98,12 @@ public static class DeviceCertValidator
 
                 logger.LogTrace($"{trustedIntCerts.Count} Trusted Intermediate Certs found");
 
+                if (!File.Exists(trustedRootCertPath))
+                {
+                    logger.LogError($"{trustedRootCertPath} does not exist.");
+                    return false;
+                }
+                
                 logger.LogTrace($"Loading Trusted Root Cert from {trustedRootCertPath}");
                 var trustedRootCerts = parser.ReadCertificates(File.ReadAllBytes(trustedRootCertPath));
 
@@ -214,8 +226,8 @@ private static bool VerifyAkiSkiChain(List<X509Certificate> customChain, ILogger
         {
             logger.MethodEntry();
 
-            logger.LogTrace("Custom chain being validated includes: (1) Leaf cert from TLS session, (2) n-Intermediate certs from custom trust, &" +
-                            "n-Root certs from custom trust");
+            logger.LogTrace("Custom chain being validated includes: (1) Leaf cert from TLS session, (2) n-Intermediate certs from custom trust, & " +
+                            "(3) n-Root certs from custom trust");
 
             for (int i = 0; i < customChain.Count - 1; i++)
             {
 
@@ -0,0 +1,64 @@
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
+
+using System.Collections.Generic;
+using System.Linq;
+using Microsoft.Extensions.Logging;
+
+namespace Keyfactor.Extensions.Orchestrator.AxisIPCamera.Helpers
+{
+    public static class SANBuilder
+    {
+        public static List<string> BuildSANString(Dictionary<string, string[]> sans, ILogger logger)
+        {
+            var parts = new List<string>();
+            
+            if (sans == null || sans.Count == 0)
+            {
+                logger.LogTrace($"SANs is null or empty");
+                return parts;
+            }
+
+            foreach (var entry in sans)
+            {
+                string key = NormalizeSanKey(entry.Key);
+                
+                // The Axis API only supports the addition of 'dns' and 'ip' SAN type keys
+                if (key is not ("DNS" or "IP"))
+                    continue;
+                
+                if (entry.Value == null || entry.Value.Length == 0)
+                        continue;
+                
+                // NOTE: We are separating the key and value pairs with a colon because this is the format
+                // required to send SANs to the Axis API endpoint
+                parts.AddRange(
+                    entry.Value
+                        .Where(v => !string.IsNullOrWhiteSpace(v))
+                        .Select(v => $@"""{key}:{v.Trim()}""")
+                    );
+            }
+
+            return parts;
+        }
+
+        /// <summary>
+        /// Normalize SAN type keys to RFC-compliant names.
+        /// **NOTE: The Axis API only supports the addition of 'dns' and 'ip' SAN types.
+        /// Courtesy of B.Pokorny.
+        /// </summary>
+        private static string NormalizeSanKey(string key)
+        {
+            return key.Trim().ToLower() switch
+            {
+                "dns" => "DNS",
+                "ip" or "ip4" or "ip6" => "IP",
+                _ => key.ToLower() // default
+            };
+        }
+    }
+}