Updated the readme-source documentation
Bob Pokorny committed Mar 27, 2024
1 parent 316e4ec commit 5384f6d
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions readme_source.md
Expand Up @@ -45,7 +45,7 @@ For customers wishing to use something other than the local administrator accoun
- Read and Write values in the registry (HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server) when performing SQL Server certificate binding.

## Creating New Certificate Store Types
Currently this orchestrator handles two extensions: IISU for IIS servers with bound certificates and WinCert for general Windows Certificates.
Currently this orchestrator handles three types of extensions: IISU for IIS servers with bound certificates, WinCert for general Windows Certificates and WinSql for managing certificates for SQL Server.
Below describes how each of these certificate store types are created and configured.
<details>
<summary>IISU Extension</summary>
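Review bot: The updated sentence on the `Currently this orchestrator handles three types of extensions` line is missing a comma before `and WinSql`, and the unchanged line right after it, `Below describes how each of these certificate store types are created and configured`, should read `is created and configured`. Since this hunk is where WinSql is introduced, it is also worth tying it to the registry read/write requirement on `HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server` two lines above, so a reader of the non-administrator-account section can see which extension needs that right.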
Expand Down Expand Up @@ -134,7 +134,7 @@ CONFIG ELEMENT | VALUE | DESCRIPTION
Name | Windows SQL Server Certificate| Display name for the store type (may be customized)
Short Name| WinSql | Short display name for the store type
Custom Capability | Leave Unchecked | Store type name orchestrator will register with. Check the box to allow entry of value
Supported Job Types | Inventory, Add, Remove | Job types the extension supports
Supported Job Types | Inventory, Add, Remove, Reenrollment | Job types the extension supports
Needs Server | Checked | Determines if a target server name is required when creating store
Blueprint Allowed | Checked | Determines if store type may be included in an Orchestrator blueprint
Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell
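Review bot: Adding `Reenrollment` to `Supported Job Types` for the WinSql store type is not reflected anywhere else in this section: a reenrollment job generates a new key pair on the target SQL Server, so the table should be followed by a sentence saying that the `ProviderName` and `SAN` entry parameters defined later for this store type are what drive that job and which of them is required for it, e.g. `Reenrollment jobs require the SAN entry parameter and use ProviderName to select the key storage provider on the target server.`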
Expand Down Expand Up @@ -185,6 +185,7 @@ Name|Display Name| Type|Default Value|Required When|Description
---|---|---|---|---|---
InstanceName | Instance Name|String||Not required | When enrolling leave blank or use MSSQLServer for the Default Instance, Instance Name for an Instance or MSSQLServer,Instance Name if enrolling to multiple instances plus the default instance.
ProviderName | Crypto Provider Name | String ||| Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server.
SAN | SAN | String || Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of <san_type>=<san_value> entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA.

![](images/SQLServerEntryParams.png)

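Review bot: The new `SAN` row will not render as written: inside a markdown table, `<san_type>=<san_value>` is parsed as an HTML tag and is dropped by the renderer, so wrap it in backticks. Two wording points as well: `Required When` says `Reenrolling` while the `ProviderName` row leaves that column empty, so the latter should say `Not required` like `InstanceName`; and `Can be made optional if RFC 2818 is disabled on the CA` reads as if RFC 2818 were a switch, so name the actual setting (the CA's RFC 2818 compliance enforcement). Consider adding that the SAN is the name TLS clients validate against, so a value that does not match the hostname clients use to reach SQL Server will enroll fine but fail validation.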
Expand Down Expand Up @@ -262,6 +263,8 @@ Click Save to save the Certificate Store Type.

## Creating New Certificate Stores
Once the Certificate Store Types have been created, you need to create the Certificate Stores prior to using the extension.

**Note:** A new naming convention for the Client Machine allows for multiple stores on the same server with different cert store path and cert store types. This convention is \{MachineName\}\|\{[optional]localmachine\}. If the optional value is 'localmachine' (legacy 'localhost' is still supported) is supplied, a local PowerShell runspace executing in the context of the Orchestrator service account will be used to access the certificate store.
Here are the settings required for each Store Type previously configured.

<details>
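Review bot: The added Note has a grammatical slip, `If the optional value is 'localmachine' (...) is supplied`, which should read `If the optional value 'localmachine' (legacy 'localhost' is still supported) is supplied`. More importantly, because the rows below drop the `localhost` explanation from the `Client Machine` descriptions, this Note is now the only place that explains the local-runspace mode, so it should also say that in that mode the Server Username and Server Password are not used and the store is accessed with the Orchestrator service account's own rights, which must therefore include the permissions listed in the non-administrator section earlier in this file. An example value such as `SQLHOST01|localmachine` would make the `\{MachineName\}\|\{[optional]localmachine\}` notation easier to read.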
Expand All @@ -274,7 +277,7 @@ CONFIG ELEMENT |DESCRIPTION
----------------|---------------
Category | Select IIS Bound Certificate or the customized certificate store display name from above.
Container | Optional container to associate certificate store with.
Client Machine | Hostname of the Windows Server containing the certificate store to be managed. If this value is 'localhost', a local PowerShell runspace executing in the context of the Orchestrator service account will be used to access the certificate store and perform IIS binding operations. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields.
Client Machine | Contains the Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields.
Store Path | Windows certificate store to manage. Choose "My" for the Personal Store or "WebHosting" for the Web Hosting Store.
Orchestrator | Select an approved orchestrator capable of managing IIS Bound Certificates (one that has declared the IISU capability)
WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.)
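Review bot: The rewritten `Client Machine` row now opens with `Contains the Hostname of the Windows Server`, which is awkward (`Hostname of the Windows Server`, as in the WinCert table, suffices), and by removing the `localhost` sentence it leaves `If this value is a hostname` with no stated alternative; point to the naming-convention Note above (`{MachineName}|localmachine`) so the reader knows how the local runspace is selected for IIS binding operations. Since the WinRM session carries the credentials from Server Username and Server Password, it would also help to say here or in the `WinRm Protocol` row that an HTTPS listener should be used so those credentials are protected on the wire.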
Expand Down Expand Up @@ -326,7 +329,7 @@ CONFIG ELEMENT |DESCRIPTION
----------------|---------------
Category | Select Windows Certificate or the customized certificate store display name from above.
Container | Optional container to associate certificate store with.
Client Machine | Hostname of the Windows Server containing the certificate store to be managed. If this value is 'localhost', a local PowerShell runspace executing in the context of the Orchestrator service account will be used to access the certificate store. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields.
Client Machine | Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields.
Store Path | Windows certificate store to manage. Store must exist in the Local Machine store on the target server.
Orchestrator | Select an approved orchestrator capable of managing Windows Certificates (one that has declared the WinCert capability)
WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.)
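Review bot: Same issue as in the IISU table: the `Client Machine` row keeps `If this value is a hostname` but no longer states what happens otherwise, so cross-reference the naming-convention Note under Creating New Certificate Stores. The two rows also now diverge in wording (`Contains the Hostname ...` there versus `Hostname ...` here); pick one phrasing for both tables, and if the WinSql store table has the same row it should receive the same edit.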
