76022 iis orchestrator 3.0.0 merged #174
base: release-3.0
Conversation
* As of this version of the extension, SANs will be handled through the ODKG Enrollment page in Command, and will no longer use the SAN Entry Parameter. This version, we are removing the Entry Parameter "SAN" from the integration-manifest.json, but will still support previous versions of Command in the event the SAN Entry Parameter is passed. The next major version (4.0) will remove all support for the SAN Entry Parameter.
* Added WinADFS Store Type for rotating certificates in ADFS environments. Please note, only the service-communications certificate is rotated throughout your farm.
* Internal only: Added Integration Tests to aid in future development and testing.
* Improved messaging in the event an Entry Parameter is missing (or does not meet the casing requirements)
* Fixed the SNI/SSL flag being returned during inventory, now returns extended SSL flags
* Fixed the SNI/SSL flag when binding the certificate to allow for extended SSL flags
* Added SSL Flag validation to make sure the bit flag is correct. These are the current SSL Flags (NOTE: Values greater than 4 are only supported in IIS 10 version 1809 and higher. The default value is 0):
  * 0 No SNI
  * 1 Use SNI
  * 2 Use Centralized SSL certificate store.
  * 4 Disable HTTP/2.
  * 8 Disable OCSP Stapling.
  * 16 Disable QUIC.
  * 32 Disable TLS 1.3 over TCP.
  * 64 Disable Legacy TLS.

---------

Co-authored-by: Bob Pokorny <[email protected]>
Co-authored-by: Keyfactor <[email protected]>
Signed-off-by: Morgan Gangwere <[email protected]>
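The SSL flag validation the 3.0.0 notes describe amounts to checking that a binding's sslFlags value is a bitwise OR of the documented bits and flagging values that need a newer IIS. The PowerShell below is an added example, not code from the orchestrator's WinCertScripts.ps1 or PSHelper.cs; the function name Test-SslFlags, its output fields and the sample values are assumptions made for illustration.

```powershell
# Added example (not from the orchestrator's WinCertScripts.ps1): validate an IIS
# binding's sslFlags value against the flag table published in the 3.0.0 notes.
# Function name, output fields and sample values are hypothetical.

# Plain hashtable (not [ordered]) so that indexing with an integer looks up the key
# rather than a position; keys are sorted where order matters.
$script:KnownSslFlags = @{
    1  = 'Use SNI'
    2  = 'Use Centralized SSL certificate store'
    4  = 'Disable HTTP/2'
    8  = 'Disable OCSP Stapling'
    16 = 'Disable QUIC'
    32 = 'Disable TLS 1.3 over TCP'
    64 = 'Disable Legacy TLS'
}

function Test-SslFlags {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [int]$SslFlags
    )

    # OR every documented bit together; any other bit set means the value is undefined.
    $allowedMask = 0
    foreach ($bit in $script:KnownSslFlags.Keys) { $allowedMask = $allowedMask -bor $bit }

    $isValid = ($SslFlags -ge 0) -and (($SslFlags -band (-bnot $allowedMask)) -eq 0)

    $result = [pscustomobject]@{
        Value           = $SslFlags
        IsValid         = $isValid
        Flags           = @()
        RequiresIis1809 = $false
        Message         = ''
    }

    if (-not $isValid) {
        $result.Message = "sslFlags $SslFlags sets bits outside the documented set (allowed mask $allowedMask)"
        return $result
    }

    if ($SslFlags -eq 0) {
        $result.Flags = @('No SNI')
    } else {
        # Decode each set bit back to its documented meaning, lowest bit first.
        $result.Flags = @($script:KnownSslFlags.Keys |
            Sort-Object |
            Where-Object { ($SslFlags -band $_) -ne 0 } |
            ForEach-Object { $script:KnownSslFlags[$_] })
    }

    # Per the notes, anything above 4 needs IIS 10 version 1809 or higher.
    $result.RequiresIis1809 = $SslFlags -gt 4
    $result.Message = if ($result.RequiresIis1809) { 'Valid; requires IIS 10 version 1809 or higher' } else { 'Valid' }
    return $result
}

# Constructed sample values: default, SNI only, SNI + central store, OCSP + QUIC
# disabled (needs 1809+), an undefined bit (128) and a negative value.
foreach ($v in 0, 1, 3, 24, 128, -1) {
    $r = Test-SslFlags -SslFlags $v
    '{0,4}  valid={1,-5} 1809+={2,-5} {3}  [{4}]' -f $r.Value, $r.IsValid, $r.RequiresIis1809, $r.Message, ($r.Flags -join ', ')
}
```

A store-type handler would run this check before writing a binding and again when reading one back during inventory, so that a value an older IIS cannot express is reported rather than silently truncated to the SNI bit.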
Copilot wasn't able to review any files in this pull request.
…estrator-3.0.0-merged
# Conflicts:
# CHANGELOG.md
# IISU/PSHelper.cs
# IISU/PowerShellScripts/WinCertScripts.ps1
# README.md
# docsource/images/IISU-entry-parameters-store-type-dialog-IPAddress.png
# docsource/images/WinCert-entry-parameters-store-type-dialog-ProviderName.png
# docsource/images/WinCert-entry-parameters-store-type-dialog.png
# integration-manifest.json

force-pushed 57080bd to 9759b08
Pull request overview
Copilot reviewed 39 out of 53 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (3)
docsource/content.md:1 - Corrected spelling of 'AFDS' to 'ADFS'.
WindowsCertStore.UnitTests/AdfsUnitTests.cs:1 - Hardcoded credentials should not be committed to test files. Use environment variables or test configuration to provide these values securely.
WindowsCertStore.UnitTests/AdfsUnitTests.cs:1 - Hardcoded credentials should not be committed to test files. Use environment variables or test configuration to provide these values securely.
| ## Overview | ||
|
|
||
| The Windows Certificate Orchestrator Extension is a multi-purpose integration that can remotely manage certificates on a Windows Server's Local Machine Store. This extension currently manages certificates for the current store types: | ||
| * WinADFS - Rotates the Service-Communications certificate on the primary and secondary AFDS nodes |
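Review bot: In the Overview sentence, "currently manages certificates for the current store types" repeats "current"; "manages certificates for the following store types" reads cleaner. The new bullet also spells the product "AFDS" while the store type on the same line is "WinADFS", so the bullet should read "primary and secondary ADFS nodes".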
Copilot (AI) commented on Jan 6, 2026:
Corrected spelling of 'AFDS' to 'ADFS'.
| * WinADFS - Rotates the Service-Communications certificate on the primary and secondary AFDS nodes | |
| * WinADFS - Rotates the Service-Communications certificate on the primary and secondary ADFS nodes |
| # 11/21/25 Renamed Set-KFCertificateBinding to Set-KFSQLCertificateBinding | ||
| # Fixed the Set-KFSQLCertificateBinding function to correctly bind and set the ACL permissions on the private key when using Windows-to-Windows and SSH-based remote connections. | ||
| # Updated the Set-KFSQLCertificateBinding to handle both CNG (modern) and CAPI (legacy) certificate key storage providers when setting ACLs on private keys. | ||
| # 10/08/25 3.0 Updated the Get-KFIISBoundCertificates function to fixed the SSL flag not returning the correct value when reading IIS bindings |
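Review bot: The three 11/21/25 header comments carry no version tag, while the 10/08/25 line is tagged "3.0"; tag the Set-KFSQLCertificateBinding entries the same way (or state that they ship in 3.0.0) so the script header stays in step with CHANGELOG.md. In the 10/08/25 line, "to fixed the SSL flag" should read "to fix the SSL flag".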
Copilot (AI) commented on Jan 6, 2026:
Incorrect grammar: 'to fixed' should be 'to fix'.
| # 10/08/25 3.0 Updated the Get-KFIISBoundCertificates function to fixed the SSL flag not returning the correct value when reading IIS bindings | |
| # 10/08/25 3.0 Updated the Get-KFIISBoundCertificates function to fix the SSL flag not returning the correct value when reading IIS bindings |
| @@ -1,3 +1,19 @@ | |||
| 3.0.0 | |||
| * As of this version of the extension, SANs will be handled through the ODKG Enrollment page in Command, and will no longer use the SAN Entry Parameter. This version, we are removing the Entry Parameter "SAN" from the integration-manifest.json, but will still support previous versions of Command in the event the SAN Entry Parameter is passed. The next major version (4.0) will remove all support for the SAN Entry Parameter. | |||
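Review bot: The 3.0.0 entry says the SAN Entry Parameter is still honoured for older Command versions but not which source wins when an enrollment request carries both the ODKG Enrollment SANs and a SAN Entry Parameter; one sentence stating the precedence would keep operators from guessing during the 3.x transition.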
Copilot (AI) commented on Jan 6, 2026:
This is a very long sentence that could be split into multiple sentences for better readability. Consider breaking it into: 'As of this version, SANs will be handled through the ODKG Enrollment page in Command and will no longer use the SAN Entry Parameter. We are removing the Entry Parameter "SAN" from the integration-manifest.json. Previous versions of Command will still be supported when the SAN Entry Parameter is passed. The next major version (4.0) will remove all support for the SAN Entry Parameter.'
| * As of this version of the extension, SANs will be handled through the ODKG Enrollment page in Command, and will no longer use the SAN Entry Parameter. This version, we are removing the Entry Parameter "SAN" from the integration-manifest.json, but will still support previous versions of Command in the event the SAN Entry Parameter is passed. The next major version (4.0) will remove all support for the SAN Entry Parameter. | |
| * As of this version of the extension, SANs will be handled through the ODKG Enrollment page in Command and will no longer use the SAN Entry Parameter. We are removing the Entry Parameter "SAN" from the integration-manifest.json. Previous versions of Command will still be supported when the SAN Entry Parameter is passed. The next major version (4.0) will remove all support for the SAN Entry Parameter. |
| // Define test inputs (machine, username, and password) | ||
| var testCases = new[] | ||
| { | ||
| new { Machine = "192.168.230.137", Username = "ad\\administrator", Password = "C:\\Users\\bpokorny\\.ssh\\my_rsa" }, | ||
| new { Machine = "192.168.230.137", Username = "ad\\administrator", Password = "C:\\Users\\bpokorny\\.ssh\\my_rsa" } |
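Review bot: Besides the committed host, account and key path, the Password field holds a path to an SSH private key (my_rsa) rather than a password, and the two array entries are identical, so the loop exercises one case twice. Name the field for what it carries (for example KeyFile) and either drop the duplicate or make the second entry a distinct case, such as a password-based logon, so the test actually covers both remote connection modes mentioned in the script header.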
Copilot (AI) commented on Jan 6, 2026:
Hardcoded credentials and file paths should not be committed to source control. These test configuration values should be externalized to environment variables or a secure configuration source.
| // Define test inputs (machine, username, and password) | |
| var testCases = new[] | |
| { | |
| new { Machine = "192.168.230.137", Username = "ad\\administrator", Password = "C:\\Users\\bpokorny\\.ssh\\my_rsa" }, | |
| new { Machine = "192.168.230.137", Username = "ad\\administrator", Password = "C:\\Users\\bpokorny\\.ssh\\my_rsa" } | |
| // Define test inputs (machine, username, and password) via environment variables | |
| var machine = Environment.GetEnvironmentVariable("INVENTORY_TEST_MACHINE"); | |
| var username = Environment.GetEnvironmentVariable("INVENTORY_TEST_USERNAME"); | |
| var password = Environment.GetEnvironmentVariable("INVENTORY_TEST_PASSWORD"); | |
| var testCases = new[] | |
| { | |
| new { Machine = machine, Username = username, Password = password }, | |
| new { Machine = machine, Username = username, Password = password } |
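Review bot: The suggested replacement keeps two identical entries and passes null straight through when any of INVENTORY_TEST_MACHINE, INVENTORY_TEST_USERNAME or INVENTORY_TEST_PASSWORD is unset, which turns a missing environment variable into an obscure remoting failure. Check the three values up front and skip the test (or fail with the variable name) when one is empty, and reduce the array to one entry unless a second, different case is added.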