Merge 89e39ae into 0b2d104

Author: rcpokorny

.github/workflows/keyfactor-starter-workflow.yml

@@ -11,10 +11,17 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2
+    uses: keyfactor/actions/.github/workflows/starter.yml@v4
+    with:
+      command_token_url: ${{ vars.COMMAND_TOKEN_URL }} # Only required for doctool generated screenshots
+      command_hostname: ${{ vars.COMMAND_HOSTNAME }} # Only required for doctool generated screenshots
+      command_base_api_path: ${{ vars.COMMAND_API_PATH }} # Only required for doctool generated screenshots
     secrets:
-      token: ${{ secrets.V2BUILDTOKEN}}
-      APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
-      gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
-      gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
-      scan_token: ${{ secrets.SAST_TOKEN }}
+      token: ${{ secrets.V2BUILDTOKEN}} # REQUIRED
+      gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} # Only required for golang builds
+      gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} # Only required for golang builds
+      scan_token: ${{ secrets.SAST_TOKEN }} # REQUIRED
+      entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }} # Only required for doctool generated screenshots
+      entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }} # Only required for doctool generated screenshots
+      command_client_id: ${{ secrets.COMMAND_CLIENT_ID }} # Only required for doctool generated screenshots
+      command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }} # Only required for doctool generated screenshots

CHANGELOG.md

@@ -1,3 +1,13 @@
+2.6.3
+* Fixed re-enrollment or ODKG job when RDN Components contained escaped commas.
+* Updated renewal job for IIS Certs to delete the old cert if not bound or used by other web sites.
+* Improved Inventory reporting of CSP when cert uses newer CNG Keys.
+* Fixed an issue with complex PFX passwords that contained special characters such as '@' or '$', etc.
+* Fixed an issue when adding certificate to store, sometimes the wrong thumbprint was returned, thus breaking web site binding.
+* Removed the IIS bindings check.  Now bindings are handled similar to IIS - if you bind a cert to a site using the same bindings, you risk the possibility of one of the duplicate sites to stop working and the certificate being bound to either site.  Refer to IIS Documentation pertaining to HTTPS binding.
+* Fixed an issue with (remote) ODKG jobs that caused an error when the CSP was not specified that included bindings.
+* Fixed an issue with (remote) ODKG jobs that caused an error when the CSP was not specified that did not require binding.
+
 2.6.2
 * Fixed error when attempting to connect to remote computer using UO service account
 * Fixed error when connecting to remote computer using HTTPS; was defaulting to HTTP

IISU/ClientPSCertStoreReEnrollment.cs

@@ -208,6 +208,17 @@ public JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submit
                                         FailureMessage = ""
                                     };
 
+                                    break;
+
+                                case CertStoreBindingTypeENUM.None:
+                                    
+                                    jobResult = new JobResult
+                                    {
+                                        Result = OrchestratorJobStatusJobResult.Success,
+                                        JobHistoryId = config.JobHistoryId,
+                                        FailureMessage = ""
+                                    };
+
                                     break;
                             }
                         }

IISU/ImplementedStoreTypes/Win/Inventory.cs

@@ -93,7 +93,7 @@ public JobResult ProcessJob(InventoryJobConfiguration jobConfiguration, SubmitIn
                     {
                         Result = OrchestratorJobStatusJobResult.Success,
                         JobHistoryId = jobConfiguration.JobHistoryId,
-                        FailureMessage = ""
+                        FailureMessage = $"Inventory completed returning {inventoryItems.Count} Items."
                     };
                 }
 

IISU/ImplementedStoreTypes/WinIIS/Inventory.cs

@@ -95,7 +95,7 @@ public JobResult ProcessJob(InventoryJobConfiguration jobConfiguration, SubmitIn
                     {
                         Result = OrchestratorJobStatusJobResult.Success,
                         JobHistoryId = jobConfiguration.JobHistoryId,
-                        FailureMessage = ""
+                        FailureMessage = $"Inventory completed returning {inventoryItems.Count} Items."
                     };
                 }
 

IISU/ImplementedStoreTypes/WinIIS/Management.cs

@@ -16,6 +16,7 @@
 using System;
 using System.Collections.Generic;
 using System.Collections.ObjectModel;
+using System.Linq;
 using System.Management.Automation;
 using Keyfactor.Extensions.Orchestrator.WindowsCertStore.Models;
 using Keyfactor.Logging;
@@ -89,6 +90,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                 string protocol = jobProperties?.WinRmProtocol;
                 string port = jobProperties?.WinRmPort;
                 bool includePortInSPN = (bool)jobProperties?.SpnPortFlag;
+                string alias = config.JobCertificate?.Alias?.Split(':').FirstOrDefault() ?? string.Empty;  // Thumbprint is first part of the alias
 
                 _psHelper = new(protocol, port, includePortInSPN, _clientMachineName, serverUserName, serverPassword);
 
@@ -171,6 +173,14 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                                             psResult = OrchestratorJobStatusJobResult.Unknown;
                                         }
 
+                                        // Only is the binding returns successful, check of original cert is still bound to any site, if not remove it from the store
+                                        if (psResult == OrchestratorJobStatusJobResult.Success && !string.IsNullOrEmpty(alias))
+                                        {
+                                            _logger.LogTrace("Attempting to remove original certificate from store if it is no longer bound to any site.");
+                                            RemoveIISCertificate(alias);
+                                            _logger.LogTrace("Returned from removing cert if not used.");
+                                        }
+
                                         complete = new JobResult
                                         {
                                             Result = psResult,

IISU/ImplementedStoreTypes/WinSQL/Inventory.cs

@@ -93,7 +93,7 @@ public JobResult ProcessJob(InventoryJobConfiguration jobConfiguration, SubmitIn
                     {
                         Result = OrchestratorJobStatusJobResult.Success,
                         JobHistoryId = jobConfiguration.JobHistoryId,
-                        FailureMessage = ""
+                        FailureMessage = $"Inventory completed returning {inventoryItems.Count} Items."
                     };
                 }
 

IISU/PSHelper.cs

@@ -386,7 +386,7 @@ public Collection<PSObject> ExecutePowerShellScript(string script)
                 }
 
                 // Add Parameters if provided
-                if (parameters != null)
+                if (parameters != null && parameters.Count > 0)
                 {
                     if (isLocalMachine || isScript)
                     {
@@ -398,13 +398,18 @@ public Collection<PSObject> ExecutePowerShellScript(string script)
                     else
                     {
                         // Remote execution: Use ArgumentList for parameters
-                        var paramBlock = string.Join(", ", parameters.Select(p => $"[{p.Value.GetType().Name}] ${p.Key}"));
+                        var paramBlock = string.Join(", ", parameters.Select(p =>
+                        {
+                            string typeName = p.Value?.GetType().Name ?? "object";
+                            return $"[{typeName}] ${p.Key}";
+                        }));
+
                         var paramUsage = string.Join(" ", parameters.Select(p => $"-{p.Key} ${p.Key}"));
 
                         string scriptBlockWithParams = $@"
-                    param({paramBlock})
-                    {commandOrScript} {paramUsage}
-                ";
+                            param({paramBlock})
+                            {commandOrScript} {paramUsage}
+                        ";
 
                         PS.Commands.Clear(); // Clear previous commands
                         PS.AddCommand("Invoke-Command")