Template Fixes

.gitignore

@@ -361,3 +361,6 @@ MigrationBackup/
 
 # Fody - auto-generated XML schema
 FodyWeavers.xsd
+/.claude
+/issue.txt
+/README.md

CHANGELOG.md

@@ -1,3 +1,8 @@
+v.1.0.1
+
+- Added support for the AWS Code Signing Template
+- Fixed template passthrough to final certificate
+
 v1.0
 
 - Initial Release.

README.md

@@ -1,5 +1,5 @@
 <h1 align="center" style="border-bottom: none">
-    AWSPCA CA  Gateway AnyCA Gateway REST Plugin
+    AWSPCA CAPlugin AnyCA Gateway REST Plugin
 </h1>
 
 <p align="center">
@@ -38,10 +38,10 @@ This integration allows for the Synchronization, Enrollment, and Revocation of c
 
 ## Compatibility
 
-The AWSPCA CA  Gateway AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 25.4.0 and later.
+The AWSPCA CAPlugin AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 25.4.0 and later.
 
 ## Support
-The AWSPCA CA  Gateway AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. 
+The AWSPCA CAPlugin AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. 
 
 > To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 
@@ -53,7 +53,7 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
 
 1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
 
-2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [AWSPCA CA  Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/aws-pca-caplugin/releases/latest) from GitHub.
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [AWSPCA CAPlugin AnyCA Gateway REST plugin](https://github.com/Keyfactor/aws-pca-caplugin/releases/latest) from GitHub.
 
 3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:
 
@@ -64,11 +64,11 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
     Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
     ```
 
-    > The directory containing the AWSPCA CA  Gateway AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
+    > The directory containing the AWSPCA CAPlugin AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
 
 4. Restart the AnyCA Gateway REST service.
 
-5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the AWSPCA CA  Gateway plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
+5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the AWSPCA CAPlugin plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
 
 ## Configuration
 
@@ -100,11 +100,12 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
         * **ExternalId** - Optional sts:ExternalId to supply on AssumeRole calls. 
         * **Enabled** - Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available. 
 
-2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The AWSPCA CA  Gateway plugin supports the following product IDs:
+2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The AWSPCA CAPlugin plugin supports the following product IDs:
 
     * **EndEntity**
     * **EndEntityClientAuth**
     * **EndEntityServerAuth**
+    * **CodeSigning**
 
 3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
 
@@ -119,11 +120,6 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
 The CAPlugin currently supports **one** authentication method: **AWS Access Key ID + Secret Access Key**.  
 **OAuth** and **Default SDK authentication** will be enabled in later updates. There is functionality present via the **Keyfactor AWS Authentication** library, but these alternate methods are currently ***untested***.
 
-### Known Issues
-
-At present, a fresh install of Keyfactor Command 24.4 used in conjuction with Keyfactor Gateway REST 25.4.0.0 is confirmed as working.  A fresh install of Command 25.3 used with REST 25.4.0.0 is also confirmed as working.
-Latest version of Command 25.4 may run into issues, investigation into compatibility issues is ongoing.
-
 ### What you need ready
 
 Before configuring the CAPlugin, have the following prepared:

aws-pca-caplugin/AWSPCACAPlugin.cs

@@ -28,7 +28,7 @@
     private readonly ILogger Logger;
     private ICertificateDataReader _certificateDataReader;
 
     public AWSPCACAPlugin()
     {
         Logger = LogHandler.GetClassLogger<AWSPCACAPlugin>();
     }
@@ -287,7 +287,7 @@
                 {
                     CARequestID = caRequestId,
                     // For REVOKED: this will now be populated when ARN exists + GetCertificate succeeds; otherwise null (status-only).
                     Certificate = GetEndEntityCertificate(certPayload),
                     Status = newStatus,
                     ProductID = productId
                 };
@@ -415,60 +415,60 @@
             switch (enrollmentType)
             {
                 case EnrollmentType.New:
-                    {
-                        return await IssueAndFetchAsync(
-                                csr,
-                                productInfo.ProductID,
-                                days,
-                                signingAlgorithm,
-                                "Certificate Issued")
-                            .ConfigureAwait(false);
-                    }
+                {
+                    return await IssueAndFetchAsync(
+                            csr,
+                            productInfo.ProductID,
+                            days,
+                            signingAlgorithm,
+                            "Certificate Issued")
+                        .ConfigureAwait(false);
+                }
 
                 case EnrollmentType.RenewOrReissue:
-                    {
-                        if (productInfo.ProductParameters == null ||
-                            !TryGetProductParam(productInfo.ProductParameters, "PriorCertSN", out var priorSn) ||
-                            string.IsNullOrWhiteSpace(priorSn))
-                            return new EnrollmentResult
-                            {
-                                Status = (int)EndEntityStatus.FAILED,
-                                StatusMessage =
-                                    "Renew/Reissue requires ProductParameters['PriorCertSN'] (hex serial number)."
-                            };
-
-                        string priorRequestId;
-                        try
-                        {
-                            priorRequestId = await _certificateDataReader
-                                .GetRequestIDBySerialNumber(priorSn)
-                                .ConfigureAwait(false);
-                        }
-                        catch (Exception ex)
+                {
+                    if (productInfo.ProductParameters == null ||
+                        !TryGetProductParam(productInfo.ProductParameters, "PriorCertSN", out var priorSn) ||
+                        string.IsNullOrWhiteSpace(priorSn))
+                        return new EnrollmentResult
                         {
-                            return new EnrollmentResult
-                            {
-                                Status = (int)EndEntityStatus.FAILED,
-                                StatusMessage = $"Could not resolve PriorCertSN to request id: {ex.Message}"
-                            };
-                        }
-
-                        var expiration = _certificateDataReader.GetExpirationDateByRequestId(priorRequestId);
-                        var isRenewal = expiration.HasValue && expiration.Value.ToUniversalTime() <= DateTime.UtcNow;
+                            Status = (int)EndEntityStatus.FAILED,
+                            StatusMessage =
+                                "Renew/Reissue requires ProductParameters['PriorCertSN'] (hex serial number)."
+                        };
 
-                        var msg = isRenewal ? "Certificate Renewed" : "Certificate Reissued";
-                        var token = BuildIdempotencyToken(isRenewal ? "renew" : "reissue", priorRequestId, csr);
-
-                        // Still "IssueCertificate" under the hood; PCA doesn't have first-class renew/reissue.
-                        return await IssueAndFetchAsync(
-                                csr,
-                                productInfo.ProductID,
-                                days,
-                                msg,
-                                // Optional: stable-ish idempotency (helps avoid duplicates if caller retries quickly)
-                                token)
+                    string priorRequestId;
+                    try
+                    {
+                        priorRequestId = await _certificateDataReader
+                            .GetRequestIDBySerialNumber(priorSn)
                             .ConfigureAwait(false);
                     }
+                    catch (Exception ex)
+                    {
+                        return new EnrollmentResult
+                        {
+                            Status = (int)EndEntityStatus.FAILED,
+                            StatusMessage = $"Could not resolve PriorCertSN to request id: {ex.Message}"
+                        };
+                    }
+
+                    var expiration = _certificateDataReader.GetExpirationDateByRequestId(priorRequestId);
+                    var isRenewal = expiration.HasValue && expiration.Value.ToUniversalTime() <= DateTime.UtcNow;
+
+                    var msg = isRenewal ? "Certificate Renewed" : "Certificate Reissued";
+                    var token = BuildIdempotencyToken(isRenewal ? "renew" : "reissue", priorRequestId, csr);
+
+                    // Still "IssueCertificate" under the hood; PCA doesn't have first-class renew/reissue.
+                    return await IssueAndFetchAsync(
+                            csr,
+                            productInfo.ProductID,
+                            days,
+                            msg,
+                            // Optional: stable-ish idempotency (helps avoid duplicates if caller retries quickly)
+                            token)
+                        .ConfigureAwait(false);
+                }
 
                 default:
                     return new EnrollmentResult
@@ -685,7 +685,7 @@
                 DefaultValue = "",
                 Type = "String"
             },
-            [Constants.Enabled] = new()
+            [Constants.Enabled] = new ()
             {
                 Comments = "Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available.",
                 Hidden = false,

aws-pca-caplugin/AWSPCACAPlugin.csproj

@@ -3,7 +3,7 @@
 
 	<PropertyGroup>
 		<AppendTargetFrameworkToOutputPath>true</AppendTargetFrameworkToOutputPath>
-		<TargetFrameworks>net8.0</TargetFrameworks>
+		<TargetFrameworks>net8.0;net10.0</TargetFrameworks>
 		<RootNamespace>Keyfactor.Extensions.CAPlugin.AWS</RootNamespace>
 		<CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
 		<ImplicitUsings>enable</ImplicitUsings>
@@ -13,16 +13,11 @@
 
 
 	<Target Name="CustomPostBuild" AfterTargets="PostBuildEvent">
-		<Exec Condition="'$(Configuration)'=='DebugAndPush'"
-		      Command="PowerShell -ExecutionPolicy Bypass -File &quot;C:\Users\mkachkaev\source\repos\scripts\SyncScriptAWS_GT.ps1&quot;&#xA;" />
+		<Exec Condition="'$(Configuration)'=='DebugAndPush'" Command="PowerShell -ExecutionPolicy Bypass -File &quot;C:\Users\mkachkaev\source\scripts\SyncScriptAWS_GT.ps1&quot;&#xA;" />
 	</Target>
 
 
-	<ItemGroup Condition="'$(TargetFramework)' == 'net8.0'">
-		<PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.1.0" />
-		<PackageReference Include="Keyfactor.PKI" Version="8.2.2" />
-		<PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
-	</ItemGroup>
+
 
 	<ItemGroup>
 		<None Update="manifest.json">
@@ -31,13 +26,17 @@
 	</ItemGroup>
 
 
+
 	<ItemGroup>
-		<PackageReference Include="AWSSDK.ACMPCA" Version="4.0.3.11" />
-		<PackageReference Include="AWSSDK.Core" Version="4.0.3.12" />
-		<PackageReference Include="AWSSDK.S3" Version="4.0.18.3" />
-		<PackageReference Include="Keyfactor.Common" Version="2.9.0" />
-		<PackageReference Include="Keyfactor.Extensions.Aws.Auth" Version="0.5.1" />
+		<PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.2.0" />
+		<PackageReference Include="Keyfactor.PKI" Version="8.3.1" />
+		<PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
+		<PackageReference Include="AWSSDK.ACMPCA" Version="4.0.4.9" />
+		<PackageReference Include="AWSSDK.S3" Version="4.0.25" />
+		<PackageReference Include="Keyfactor.Common" Version="2.11.0" />
+		<PackageReference Include="Keyfactor.Extensions.Aws.Auth" Version="0.5.2" />
 		<PackageReference Include="Keyfactor.Logging" Version="1.3.0" />
-	</ItemGroup>
+	</ItemGroup>		
+
 
 </Project>

aws-pca-caplugin/Client/ACMPCAClient.cs

@@ -39,6 +39,7 @@
     private const string ENHANCED_KEY_USAGE_OID = "2.5.29.37";
     private const string SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
     private const string CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
+    private const string CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3";
 
     private readonly SemaphoreSlim _caInfoLock = new(1, 1);
     private readonly AWSCredentials AwsCredentials;
@@ -52,7 +53,7 @@
     private string? _caKeyAlgorithmName;
     private IAmazonS3? S3Client;
 
     public AwsPcaClient(IAnyCAPluginConfigProvider configProvider)
     {
         Logger = LogHandler.GetClassLogger<AwsPcaClient>();
 
@@ -60,7 +61,6 @@
             throw new ArgumentNullException(nameof(configProvider),
                 "Config provider and CAConnectionData are required.");
 
-
         var enabled = bool.Parse(GetRequiredString(configProvider, "Enabled"));
         if (!enabled)
         {
@@ -145,12 +145,29 @@
             if (signingAlgoRes.Error != null)
                 return new IssueCertificateResponse { RegistrationError = signingAlgoRes.Error };
 
+            // Map the requested ProductId to its AWS PCA template ARN. Without this,
+            // PCA falls back to EndEntityCertificate/V1 and every cert gets the default
+            // Server+Client Auth EKU combination regardless of the selected product.
+            if (string.IsNullOrWhiteSpace(request.ProductId) ||
+                !Constants.TemplateARNs.TryGetValue(request.ProductId, out var templateArn))
+                return new IssueCertificateResponse
+                {
+                    RegistrationError = new RegistrationError
+                    {
+                        Description = string.IsNullOrWhiteSpace(request.ProductId)
+                            ? "ProductId is required to resolve the AWS PCA template ARN."
+                            : $"Unsupported ProductId '{request.ProductId}'. Supported: {string.Join(", ", Constants.TemplateARNs.Keys)}",
+                        ErrorCode = "InvalidRequest"
+                    }
+                };
+
             var signingAlgorithm = signingAlgoRes.Value!;
             var issueReq = new Amazon.ACMPCA.Model.IssueCertificateRequest
             {
                 CertificateAuthorityArn = CaArn,
                 Csr = new MemoryStream(Encoding.ASCII.GetBytes(csrBytes)),
                 SigningAlgorithm = signingAlgorithm,
+                TemplateArn = templateArn,
                 IdempotencyToken = request.IdempotencyToken ?? Guid.NewGuid().ToString("N"),
                 Validity = new Validity
                 {
@@ -554,14 +571,14 @@
 
     /// <summary>
     ///     Infers one of the supported template type keys:
-    ///     EndEntity, EndEntityClientAuth, EndEntityServerAuth.
+    ///     EndEntity, EndEntityClientAuth, EndEntityServerAuth, CodeSigning.
     ///     Returns "Unknown" if certificate parsing/inspection fails.
     /// </summary>
     public static string InferTemplateTypeKey(X509Certificate2 cert)
     {
         try
         {
-            bool server = false, client = false;
+            bool server = false, client = false, codeSigning = false;
 
             // Find EKU extension (do not rely on indexer throwing)
             var eku = cert.Extensions
@@ -574,8 +591,11 @@
                         server = true;
                     else if (string.Equals(usage.Value, CLIENT_AUTH_OID, StringComparison.Ordinal))
                         client = true;
+                    else if (string.Equals(usage.Value, CODE_SIGNING_OID, StringComparison.Ordinal))
+                        codeSigning = true;
 
             // Map to your known keys
+            if (codeSigning && !server && !client) return "CodeSigning";
             if (server && !client) return "EndEntityServerAuth";
             if (client && !server) return "EndEntityClientAuth";
 
@@ -640,7 +660,7 @@
                 _caKeyAlgorithmName = val.Trim();
                 return (_caKeyAlgorithmName, null);
             }
             catch (Exception ex)
             {
                 return (null,
                     new RegistrationError
@@ -761,4 +781,4 @@
         public const string Region = "Region";
         public const string S3Bucket = "S3Bucket";
     }
-}
+}

aws-pca-caplugin/Constants.cs

@@ -22,6 +22,10 @@ public static class Constants
         {
             "EndEntityServerAuth",
             "arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1"
+        },
+        {
+            "CodeSigning",
+            "arn:aws:acm-pca:::template/CodeSigningCertificate/V1"
         }
     };
 

docsource/configuration.md

@@ -13,11 +13,6 @@ Download the **PCA root certificate** from AWS and have it ready to import into
 The CAPlugin currently supports **one** authentication method: **AWS Access Key ID + Secret Access Key**.  
 **OAuth** and **Default SDK authentication** will be enabled in later updates. There is functionality present via the **Keyfactor AWS Authentication** library, but these alternate methods are currently ***untested***.
 
-### Known Issues
-
-At present, a fresh install of Keyfactor Command 24.4 used in conjuction with Keyfactor Gateway REST 25.4.0.0 is confirmed as working.  A fresh install of Command 25.3 used with REST 25.4.0.0 is also confirmed as working.
-Latest version of Command 25.4 may run into issues, investigation into compatibility issues is ongoing. 
-
 ### What you need ready
 
 Before configuring the CAPlugin, have the following prepared:

integration-manifest.json

@@ -95,7 +95,8 @@
             "product_ids": [
                 "EndEntity",
                 "EndEntityClientAuth",
-                "EndEntityServerAuth"
+                "EndEntityServerAuth",
+                "CodeSigning"
             ]
         }
     }