Merge pull request #5 from Keyfactor/ab#69420

spbsoluble · web-flow · commit 808415a764f3 · 2025-06-02T07:53:24.000-07:00
Ab#69420
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+v1.2.0
+- Allow for the management (renew/replace) of bound certificates
+
 v1.1.0
 - Modified Fortigate authentication to use Authorization Bearer Token header rather than query string
 - Logging improvements
diff --git a/Fortigate/FortigateStore.cs b/Fortigate/FortigateStore.cs
@@ -14,7 +14,6 @@
 
 using System;
 using System.Collections.Generic;
-using System.Threading.Tasks;
 
 using Newtonsoft.Json;
 
@@ -29,11 +28,7 @@
 using System.Web;
 using System.Text;
 using System.Net.Http.Headers;
-using Keyfactor.Orchestrators.Extensions;
 using Microsoft.Extensions.Logging;
-using Keyfactor.Orchestrators.Common.Enums;
-using System.Reflection.Metadata;
-using System.Linq.Expressions;
 
 namespace Keyfactor.Extensions.Orchestrator.Fortigate
 {
@@ -98,27 +93,6 @@ public void Delete(string alias)
             }
         }
 
-        public bool Exists(string alias)
-        {
-            logger.MethodEntry(LogLevel.Debug);
-
-            try
-            {
-                var result = GetResource(get_certificate_api + alias);
-                var response = JsonConvert.DeserializeObject<FortigateResponse<Certificate[]>>(result);
-
-                return (response.results != null && response.results.Length > 0);
-            } 
-            catch(Exception)
-            {
-                return false;
-            }
-            finally
-            {
-                logger.MethodExit(LogLevel.Debug);
-            }
-        }
-
         public void UpdateUsage(string alias, string path, string name, string attribute)
         {
             logger.MethodEntry(LogLevel.Debug);
@@ -148,15 +122,15 @@ public void UpdateUsage(string alias, string path, string name, string attribute
             }
         }
 
-        public Usage Usage(string alias)
+        public Usage Usage(string alias, int qtype)
         {
             logger.MethodEntry(LogLevel.Debug);
 
             var parameters = new Dictionary<String, String>();
             parameters.Add("vdom", "root");
             parameters.Add("scope", "global");
             parameters.Add("mkey", alias);
-            parameters.Add("qtypes", "[160]");
+            parameters.Add("qtypes", $"[{qtype.ToString()}]");
 
             try
             {
@@ -181,64 +155,66 @@ public void Insert(string alias, string cert, string privateKey, bool overwrite,
 
             try
             {
+                Certificate[] byAlias = List(alias);
+
                 if (overwrite)
                 {
-                    var tmpAlias = alias + "_kftmp";
-                    var existing = Exists(alias);
-                    var tmpExisting = Exists(tmpAlias);
+                    var newAlias = CreateNewAlias(alias);
+                    Certificate[] byNewAlias = List(newAlias);
+                    Usage existingUsage = null;
 
                     //if there is an existing record
-                    if (existing)
+                    if (byAlias.Length > 0)
                     {
+                        Certificate certItem = byAlias[0];
+
                         //check to see if it's in use
-                        var existingUsage = Usage(alias);
+                        existingUsage = Usage(alias, certItem.q_type);
 
                         //if it's currently in use
-                        if (existingUsage.currently_using.Length > 0)
+                        if (existingUsage != null && existingUsage.currently_using != null && existingUsage.currently_using.Length > 0)
                         {
-                            //if we don't have a tmp create a temp
-                            if (!tmpExisting)
+                            //if newAlias exists, end with error
+                            if (byNewAlias.Length > 0)
                             {
-                                //create tmp
-                                Insert(tmpAlias, cert, privateKey);
-
-                                tmpExisting = true;
+                                throw new Exception($"Error inserting certificate {alias}.  New alias {newAlias} already exists, so certificate {alias} that is bound to one or more objects, cannot be replaced and rebound.  Please remove {newAlias}, and try again.");
                             }
 
+                            //create newAlias entry
+                            logger.LogDebug("Inserting alias:" + newAlias);
+                            Insert(newAlias, cert, privateKey, password);
+
                             foreach (var existingUsing in existingUsage.currently_using)
                             {
-                                UpdateUsage(tmpAlias, existingUsing.path, existingUsing.name, existingUsing.attribute);
+                                logger.LogDebug($"Update binding for path/name/attribute {existingUsing.path}/{existingUsing.name}/{existingUsing.attribute} for new alias {newAlias}");
+                                UpdateUsage(newAlias, existingUsing.path, existingUsing.name, existingUsing.attribute);
                             }
+
+                            logger.LogDebug("Deleting alias:" + alias);
+                            Delete(alias);
                         }
+                        else
+                        {
+                            logger.LogDebug("Deleting alias:" + alias);
+                            Delete(alias);
 
-                        logger.LogDebug("Deleting alias:" + alias);
-                        Delete(alias);
+                            logger.LogDebug("Inserting alias:" + alias);
+                            Insert(alias, cert, privateKey, password);
+                        }
                     }
-
-                    logger.LogDebug("Inserting alias:" + alias);
-                    Insert(alias, cert, privateKey, password);
-
-                    //if we have an existing temp record
-                    if (tmpExisting)
+                    else
                     {
-                        //check to see if it has any binds
-                        var tmpUsage = Usage(tmpAlias);
-                        if (tmpUsage.currently_using.Length > 0)
-                        {
-                            //transfer binds back to original
-                            foreach (var tmpUsing in tmpUsage.currently_using)
-                            {
-                                UpdateUsage(alias, tmpUsing.path, tmpUsing.name, tmpUsing.attribute);
-                            }
-                        }
-                        logger.LogDebug("Deleting alias:" + tmpExisting);
-                        Delete(tmpAlias);
+                        logger.LogDebug("Inserting alias:" + alias);
+                        Insert(alias, cert, privateKey, password);
                     }
                 }
                 else
                 {
+                    if (byAlias.Length > 0)
+                        throw new Exception($"Certificate {alias} already exists, but overwrite is set to false.  Try rescheduling job with overwrite set to true if you wish to replace this certificate.");
+
                     //no overwrite so we just try to insert
-                    logger.LogDebug("Inserting certificate with alias: " + alias);
+                    logger.LogDebug("Inserting alias: " + alias);
                     Insert(alias, cert, privateKey, password);
                 }
             }
@@ -284,50 +260,35 @@ private void Insert(string alias, string cert, string privateKey, string passwor
             }
         }
 
-        public List<CurrentInventoryItem> List()
+        public Certificate[] List(string mkey)
         {
             logger.MethodEntry(LogLevel.Debug);
-
-            List<CurrentInventoryItem> items = new List<CurrentInventoryItem>();
+            Certificate[] certificates = new List<Certificate>().ToArray();
 
             try
-            { 
-                var result = GetResource(available_certificates);
-                var response = JsonConvert.DeserializeObject<FortigateResponse<Certificate[]>>(result);
-
-                foreach( var cert in response.results)
-                {
-                    if (cert.type == "local-cer")
-                    {
-                        var certFile = DownloadFileAsString(cert.name, cert.type);
-
-                        var item = new CurrentInventoryItem()
-                        {
-                            Alias = cert.name,
-                            Certificates = new string[] { certFile },
-                            ItemStatus = OrchestratorInventoryItemStatus.Unknown,
-                            PrivateKeyEntry = true,
-                            UseChainLevel = false
-                        };
-
-                        items.Add(item);
-                    }
-                }
-
-                return items;
+            {
+                string endpoint = string.IsNullOrEmpty(mkey) ? available_certificates : available_certificates;
+                Dictionary<String, String> parameters = mkey == null ? null : new Dictionary<string, string> { { "mkey", mkey } };
+                var result = GetResource(endpoint, parameters);
+                certificates = JsonConvert.DeserializeObject<FortigateResponse<Certificate[]>>(result).results;
             }
             catch (Exception ex)
             {
-                logger.LogError(FortigateException.FlattenExceptionMessages(ex, "Error retrieving certificate list: "));
-                throw;
+                if (ex.GetType() != typeof(HttpRequestException) || ((HttpRequestException)ex).StatusCode != System.Net.HttpStatusCode.NotFound)
+                {
+                    logger.LogError(FortigateException.FlattenExceptionMessages(ex, "Error retrieving certificate list: "));
+                    throw;
+                }
             }
             finally
             {
                 logger.MethodExit(LogLevel.Debug);
             }
+
+            return certificates;
         }
 
-        private string DownloadFileAsString(string mkey, string type)
+        public string DownloadFileAsString(string mkey, string type)
         {
             logger.MethodEntry(LogLevel.Debug);
 
@@ -476,5 +437,21 @@ private string GetResource(string endpoint, Dictionary<String, String> additiona
                 logger.MethodExit(LogLevel.Debug);
             }
         }
+
+        private string CreateNewAlias(string alias)
+        {
+            string suffix = $"--{DateTime.Now.Ticks.ToString("X8")}";
+            int suffixIdx = alias.IndexOf("--");
+            string newAlias = suffixIdx == -1 ? alias : alias.Substring(0, suffixIdx);
+
+            int aliasLengthOver = alias.Length + suffix.Length - 25;
+            if (aliasLengthOver > 0)
+            {
+                alias = alias.Substring(0, alias.Length - aliasLengthOver);
+            }
+            string rtnAlias = alias + suffix;
+
+            return rtnAlias;
+        }
     }
 }
diff --git a/Fortigate/Inventory.cs b/Fortigate/Inventory.cs
@@ -44,7 +44,25 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
 
             try
             {
-                inventoryItems = store.List();
+                Api.Certificate[] certificates = store.List(null);
+                foreach (var cert in certificates)
+                {
+                    if (cert.type == "local-cer")
+                    {
+                        var certFile = store.DownloadFileAsString(cert.name, cert.type);
+
+                        var item = new CurrentInventoryItem()
+                        {
+                            Alias = cert.name,
+                            Certificates = new string[] { certFile },
+                            ItemStatus = OrchestratorInventoryItemStatus.Unknown,
+                            PrivateKeyEntry = true,
+                            UseChainLevel = false
+                        };
+
+                        inventoryItems.Add(item);
+                    }
+                }
             }
             catch (Exception ex)
             {
diff --git a/README.md b/README.md
@@ -34,23 +34,25 @@
 The Fortigate Orchestrator Extension supports the following use cases:
 1. Inventory of local user and factory cerificates
 2. Ability to add new local certificates
-3. Ability to renew **unbound** local user certificates
+3. Ability to replace bound* and unbound local user certificates (usually after renewal in Keyfactor Command)
 4. Ability to delete **unbound** local user certificates
 
 The Fortigate Orchestrator Extension DOES NOT support the following use cases:
 1. The renewal or removal of certificates enrolled through the internal Fortigate CA
 2. The renewal or removal of factory certificates
-3. The renewal or removal of ANY certificate bound to a Fortigate object
+3. The removal of ANY certificate bound to a Fortigate object
 4. Certificate enrollment using the internal Fortigate CA (Keyfactor's "reenrollment" or "on device key generation" use case)
 
+\* Because the Fortigate API does not allow for updating certificates in place, and to avoid temporary outages, when replacing local certificates that are bound, it is necessary to create a new name (alias) for the certificate.  The new name is created using the first 8 characters of the previous name (larger names truncated due to Fortigate name length constraints) allong with a suffix comprised of "--" and a 15 character hash of the current date/time.  The replaced certificate with the old name is then removed from the Fortigate instance.  For example, a bound certificate with the name "CertName" would be replaced and the name would then be "CertName--8DD76A97A98E4C1".  The existing bindings would remain in place with the new name.  At no point during the management job would any of the bound objects be left without a valid certificate binding.
+
 
 
 ## Compatibility
 
 This integration is compatible with Keyfactor Universal Orchestrator version 10.1 and later.
 
 ## Support
-The Fortigate Universal Orchestrator extension is open source and community supported, meaning that there is **no SLA** applicable. 
+The Fortigate Universal Orchestrator extension is open source and there is **no SLA**. Keyfactor will address issues as resources become available. Keyfactor customers may request escalation by opening up a support ticket through their Keyfactor representative. 
  
 > To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 
@@ -112,6 +114,8 @@ To use the Fortigate Universal Orchestrator extension, you **must** create the F
 
     ![Fortigate Advanced Tab](docsource/images/Fortigate-advanced-store-type-dialog.png)
 
+    > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
+
     #### Custom Fields Tab
     Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
 
diff --git a/docsource/content.md b/docsource/content.md
@@ -3,15 +3,17 @@
 The Fortigate Orchestrator Extension supports the following use cases:
 1. Inventory of local user and factory cerificates
 2. Ability to add new local certificates
-3. Ability to renew **unbound** local user certificates
+3. Ability to replace bound* and unbound local user certificates (usually after renewal in Keyfactor Command)
 4. Ability to delete **unbound** local user certificates
 
 The Fortigate Orchestrator Extension DOES NOT support the following use cases:
 1. The renewal or removal of certificates enrolled through the internal Fortigate CA
 2. The renewal or removal of factory certificates
-3. The renewal or removal of ANY certificate bound to a Fortigate object
+3. The removal of ANY certificate bound to a Fortigate object
 4. Certificate enrollment using the internal Fortigate CA (Keyfactor's "reenrollment" or "on device key generation" use case)
 
+\* Because the Fortigate API does not allow for updating certificates in place, and to avoid temporary outages, when replacing local certificates that are bound, it is necessary to create a new name (alias) for the certificate.  The new name is created using the first 8 characters of the previous name (larger names truncated due to Fortigate name length constraints) allong with a suffix comprised of "--" and a 15 character hash of the current date/time.  The replaced certificate with the old name is then removed from the Fortigate instance.  For example, a bound certificate with the name "CertName" would be replaced and the name would then be "CertName--8DD76A97A98E4C1".  The existing bindings would remain in place with the new name.  At no point during the management job would any of the bound objects be left without a valid certificate binding.
+
 
 ## Requirements
 
