Completed adding Integration Tests
…r SNI retrieval. - Enhanced `New-KFIISSiteBinding` to robustly handle SSL flags, including checks for managed API range and updating extended flags via `appcmd.exe`. - Improved comments and verbose logging for better clarity and debugging.
…rrectly 76938 sni flag not reporting correctly
…N_Entry_Parameter 76023 eliminate but support san entry parameter
…ocal and remote sessions.
… additional "housekeeping" for ADFS.
…tor/iis-orchestrator into 60764_Adding_ADFS_Support
60764 adding adfs support
Updated SAN handling in integration-manifest.json and clarified support for previous versions. Added new features and improvements.
Updated changelog to reflect changes in version 3.0.0, including SAN handling and new WinADFS Store Type.
Added SSL Flag validation details and improved messaging.
Updated SSL Flag descriptions for clarity and accuracy.
Fixed an issue with SSL flags
…he Windows Server.
…ng_Issues Fixed SSH Formatting issue
…Using_SSH Update generated docs
…e automatically added via Command.
Pull request overview
This PR introduces version 3.0.0 of the Windows Certificate Orchestrator Extension, adding ADFS certificate rotation capabilities and transitioning from entry parameter-based SANs to ODKG enrollment-based SANs. The changes support backward compatibility while preparing for a future major version that will remove legacy SAN handling.
Changes:
- Added WinADFS store type for automated ADFS Service-Communications certificate rotation across primary and secondary farm nodes
- Transitioned SAN handling from entry parameters to ODKG enrollment with backward compatibility
- Enhanced IIS SSL flag handling with validation and extended flag support
- Added comprehensive unit and integration test infrastructure
Reviewed changes
Copilot reviewed 38 out of 51 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| integration-manifest.json | Removed legacy SAN entry parameters and added WinAdfs store type configuration |
| docsource/winadfs.md | Added documentation for WinADFS store type requirements and configuration |
| docsource/content.md | Updated overview to include WinADFS functionality |
| WindowsCertStore.sln | Added unit and integration test projects to solution |
| WindowsCertStore.UnitTests/*.cs | Added unit test files for SANs, PowerShell helpers, certificates, and ADFS |
| WindowsCertStore.IntegrationTests/*.cs | Added integration test infrastructure and end-to-end tests |
| IISU/SANBuilder.cs | New utility class for building SAN strings from dictionary format |
| IISU/PowerShellScripts/WinCertScripts.ps1 | Enhanced PowerShell scripts with ADFS support and improved IIS SSL flag handling |
| IISU/PowerShellScripts/WinADFSScripts.ps1 | New PowerShell script containing ADFS-specific management functions |
| IISU/PSHelper.cs | Enhanced to support ADFS stores, improved script loading, and better error handling |
| IISU/ImplementedStoreTypes/WinAdfs/*.cs | New ADFS store type implementation with rotation manager and inventory |
| IISU/ClientPSCertStoreReEnrollment.cs | Updated to support new SAN resolution with backward compatibility |
| IISU/Certificate.cs | Added utility methods for temporary PFX file handling |
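The SSL-flag handling the overview credits this PR with (the managed API range check, extended flags written through `appcmd.exe`, and the SNI flag being reported correctly) in PowerShell, as an added example that is not code from the iis-orchestrator project or this PR. It decodes an https binding's `sslFlags` bit field, decides whether a desired value fits the WebAdministration cmdlets or must go through `appcmd.exe`, and builds the `appcmd` argument list without touching IIS. The bit values 1/2/4/8 are the documented IIS binding `sslFlags` values; the 0..3 managed-API limit and the `appcmd set config -section:system.applicationHost/sites ... /commit:apphost` path syntax are assumptions, and the function names and sample bindings are made up for the example.

```powershell
# Added example, not code from the iis-orchestrator project.
# Bit values 1/2/4/8 are the documented IIS binding sslFlags values; the 0..3
# managed-API limit and the appcmd path syntax are assumptions.

$script:SslFlagBits = [ordered]@{
    Sni                 = 1   # require Server Name Indication
    CentralCertStore    = 2   # certificate comes from the Central Certificate Store
    DisableHttp2        = 4
    DisableOcspStapling = 8
}
# Assumption: New-WebBinding/Set-WebBinding -SslFlags only accept 0..3.
$script:ManagedApiMaxSslFlags = 3

function ConvertFrom-SslFlags {
    param([Parameter(Mandatory)][int]$SslFlags)
    # Bits that newer Windows Server builds define above 8 are surfaced as
    # UnknownBits rather than dropped, so "not SNI" and "not decoded" differ.
    $knownMask = 0
    foreach ($v in $script:SslFlagBits.Values) { $knownMask = $knownMask -bor $v }
    $names = @(foreach ($e in $script:SslFlagBits.GetEnumerator()) {
        if (($SslFlags -band $e.Value) -ne 0) { $e.Key }
    })
    [pscustomobject]@{
        Value       = $SslFlags
        Flags       = $names
        SniEnabled  = (($SslFlags -band $script:SslFlagBits.Sni) -ne 0)
        UnknownBits = $SslFlags -band (-bnot $knownMask)
    }
}

function Test-SslFlagsInManagedApiRange {
    param([Parameter(Mandatory)][int]$SslFlags)
    if ($SslFlags -lt 0) { throw "sslFlags must be non-negative, got $SslFlags" }
    return ($SslFlags -le $script:ManagedApiMaxSslFlags)
}

function New-SslFlagsAppCmdArgumentList {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$BindingInformation,   # e.g. '*:443:www.example.test'
        [Parameter(Mandatory)][int]$SslFlags
    )
    # Site name and binding information are embedded in an appcmd config path;
    # refuse characters that would change the path structure instead of
    # trusting whatever arrived in the orchestrator job parameters.
    foreach ($s in $SiteName, $BindingInformation) {
        if ($s -match "[\[\]'`"]") { throw "unsafe character in appcmd path component: $s" }
    }
    $path = "/[name='$SiteName'].bindings.[protocol='https',bindingInformation='$BindingInformation'].sslFlags:$SslFlags"
    return @('set', 'config', '-section:system.applicationHost/sites', $path, '/commit:apphost')
}

function Resolve-SslFlagsUpdate {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][psobject]$Binding,   # needs bindingInformation and sslFlags
        [Parameter(Mandatory)][int]$DesiredSslFlags
    )
    # Reports what updating the binding would do, without touching IIS.
    $current    = ConvertFrom-SslFlags -SslFlags $Binding.sslFlags
    $viaManaged = Test-SslFlagsInManagedApiRange -SslFlags $DesiredSslFlags
    $method     = 'WebAdministration'
    $appCmdArgs = $null
    if (-not $viaManaged) {
        $method     = 'appcmd'
        $appCmdArgs = New-SslFlagsAppCmdArgumentList -SiteName $SiteName `
            -BindingInformation $Binding.bindingInformation -SslFlags $DesiredSslFlags
    }
    [pscustomobject]@{
        BindingInformation = $Binding.bindingInformation
        CurrentFlags       = $current.Flags
        SniCurrently       = $current.SniEnabled
        Method             = $method
        AppCmdArguments    = $appCmdArgs
    }
}

# Constructed sample bindings standing in for Get-WebBinding output.
$sampleBindings = @(
    [pscustomobject]@{ bindingInformation = '*:443:www.example.test'; sslFlags = 1 }   # SNI only
    [pscustomobject]@{ bindingInformation = '*:443:api.example.test'; sslFlags = 0 }   # no flags
)
Resolve-SslFlagsUpdate -SiteName 'Example Site' -Binding $sampleBindings[0] -DesiredSslFlags 1 | Format-List
Resolve-SslFlagsUpdate -SiteName 'Example Site' -Binding $sampleBindings[1] -DesiredSslFlags 5 | Format-List
```

On a real host the bindings come from `Get-WebBinding -Name $site -Protocol https`, whose objects carry `bindingInformation` and `sslFlags`, and the returned argument list is passed to `$env:windir\system32\inetsrv\appcmd.exe` as an array rather than joined into one string, so the quoted path reaches appcmd unchanged.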
| using System.Collections.ObjectModel; | ||
| using System.Diagnostics; | ||
| using System.IO; | ||
| using System.IO.Ports; |
The System.IO.Ports namespace is imported but doesn't appear to be used anywhere in the code. This unused import should be removed to keep the code clean.
| using System.IO.Ports; |
| # 11/21/25 Renamed Set-KFCertificateBinding to Set-KFSQLCertificateBinding | ||
| # Fixed the Set-KFSQLCertificateBinding function to correctly bind and set the ACL permissions on the private key when using Windows-to-Windows and SSH-based remote connections. | ||
| # Updated the Set-KFSQLCertificateBinding to handle both CNG (modern) and CAPI (legacy) certificate key storage providers when setting ACLs on private keys. | ||
| # 10/08/25 3.0 Updated the Get-KFIISBoundCertificates function to fixed the SSL flag not returning the correct value when reading IIS bindings |
Corrected spelling of 'fixed' to 'fix'.
| # 10/08/25 3.0 Updated the Get-KFIISBoundCertificates function to fixed the SSL flag not returning the correct value when reading IIS bindings | |
| # 10/08/25 3.0 Updated the Get-KFIISBoundCertificates function to fix the SSL flag not returning the correct value when reading IIS bindings |
| // limitations under the License.using Keyfactor.Logging; | ||
| using Keyfactor.Extensions.Orchestrator.WindowsCertStore.ImplementedStoreTypes.WinAdfs; | ||
| using Keyfactor.Logging; | ||
| using Keyfactor.Orchestrators.Common.Enums; |
Missing newline between the license comment and the using statement. The comment should end, followed by a blank line before the using directive.
| // limitations under the License.using Keyfactor.Logging; | |
| using Keyfactor.Extensions.Orchestrator.WindowsCertStore.ImplementedStoreTypes.WinAdfs; | |
| using Keyfactor.Logging; | |
| using Keyfactor.Orchestrators.Common.Enums; | |
| // limitations under the License. | |
| using Keyfactor.Extensions.Orchestrator.WindowsCertStore.ImplementedStoreTypes.WinAdfs; | |
| using Keyfactor.Logging; |
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License.using Keyfactor.Logging; |
Missing newline between the license comment and the using statement. The comment should end, followed by a blank line before the using directive.
| // limitations under the License.using Keyfactor.Logging; | |
| // limitations under the License. | |
| using Keyfactor.Logging; |
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License.using Keyfactor.Logging; |
Missing newline between the license comment and the using statement. The comment should end, followed by a blank line before the using directive.
| // limitations under the License.using Keyfactor.Logging; | |
| // limitations under the License. | |
| using Keyfactor.Logging; |
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License.using Keyfactor.Logging; |
Missing newline between the license comment and the using statement. The comment should end, followed by a blank line before the using directive.
| // limitations under the License.using Keyfactor.Logging; | |
| // limitations under the License. |
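Review bot: this suggestion replaces the fused line with the license comment alone and drops `using Keyfactor.Logging;`, unlike the sibling suggestions that keep the directive on its own line; if this file references anything from `Keyfactor.Logging` it will stop compiling once the suggestion is applied. Keep the directive after the comment, as in `// limitations under the License.` followed by `using Keyfactor.Logging;`.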
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License.using Keyfactor.Logging; |
Missing newline between the license comment and the using statement. The comment should end, followed by a blank line before the using directive.
| // limitations under the License.using Keyfactor.Logging; | |
| // limitations under the License. |
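Review bot: same omission as the previous suggestion: only the license comment remains and `using Keyfactor.Logging;` is removed rather than moved to its own line, so verify this file does not use the namespace before applying it, or restore the directive on the line after the comment.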
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License.using Keyfactor.Logging; |
Missing newline between the license comment and the using statement. The comment should end, followed by a blank line before the using directive.
| // limitations under the License.using Keyfactor.Logging; | |
| // limitations under the License. | |
| using Keyfactor.Logging; |
| // Define test inputs (machine, username, and password) | ||
| var testCases = new[] | ||
| { | ||
| new { Machine = "192.168.230.137", Username = "ad\\administrator", Password = "C:\\Users\\bpokorny\\.ssh\\my_rsa" }, | ||
| new { Machine = "192.168.230.137", Username = "ad\\administrator", Password = "C:\\Users\\bpokorny\\.ssh\\my_rsa" } |
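Review bot: beyond the internal IP address, domain administrator account and a personal home-directory path being committed, the field named `Password` actually carries the path of an SSH private key (`.ssh\\my_rsa`), and both array entries are identical, so the second case tests nothing new. Rename the field to say what it holds (for example `KeyPath`), drop the duplicate, read the values from outside source control, and confirm the key file itself was never added to the repository.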
Hardcoded credentials and file paths should not be committed to the repository. These should be externalized to configuration files or environment variables that are not checked into source control.
| // Define test inputs (machine, username, and password) | |
| var testCases = new[] | |
| { | |
| new { Machine = "192.168.230.137", Username = "ad\\administrator", Password = "C:\\Users\\bpokorny\\.ssh\\my_rsa" }, | |
| new { Machine = "192.168.230.137", Username = "ad\\administrator", Password = "C:\\Users\\bpokorny\\.ssh\\my_rsa" } | |
| // Define test inputs (machine, username, and password) via environment variables | |
| var machine = Environment.GetEnvironmentVariable("WINDOWS_CERT_STORE_TEST_MACHINE"); | |
| var username = Environment.GetEnvironmentVariable("WINDOWS_CERT_STORE_TEST_USERNAME"); | |
| var password = Environment.GetEnvironmentVariable("WINDOWS_CERT_STORE_TEST_KEYPATH"); | |
| var testCases = new[] | |
| { | |
| new { Machine = machine, Username = username, Password = password }, | |
| new { Machine = machine, Username = username, Password = password } |
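Review bot: the suggested replacement reads the three environment variables but never checks that they are set, so a missing `WINDOWS_CERT_STORE_TEST_KEYPATH` yields nulls and a failure far from its cause; guard with a throw or a test skip when any value is empty. It also keeps the two identical entries and still calls a key path `Password`, so the mislabelling survives the fix.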
Merge 76022-IIS_Orchestrator-3.0.0 to main - Automated PR