Keyfactor
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 1 deletion b/‎.gitignore‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 2 additions & 10 deletions b/‎CHANGELOG.md‎
Lines changed: 2 additions & 10 deletions
diff --git a/‎README.md‎
Lines changed: 59 additions & 2 deletions b/‎README.md‎
Lines changed: 59 additions & 2 deletions
@@ -360,4 +360,4 @@ MigrationBackup/
 .ionide/
 
 # Fody - auto-generated XML schema
-FodyWeavers.xsd
+FodyWeavers.xsd
@@ -1,11 +1,3 @@
-v.1.0.2
-- Warning: enrollment field/template parameter with the name "CN DCV Email (admin@boingy.com)" has been renamed to "CN DCV Email" to make it compatible with the REST gateway. "Aplicant Pgone (+nn.nnnnnnnn)" has also been renamed to "Applicant Phone".
-- Updated dependencies.
-- Added support for default values via enrollment parameters configured in the AnyGateway REST certificate template.
-- Fixed issue with non-ASCII characters breaking the gateway.
-
-v1.0.1 
-- Fixed issue with SANs not being read correctly.
-
 v1.0
-- Initial Release.
+
+- Initial Release.
@@ -76,7 +76,7 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
 
     * **Gateway Registration**
 
-        TODO Gateway Registration is a required section
+        Download the **PCA root certificate** from AWS and have it ready to import into the Gateway **in `.pem` format**.
 
     * **CA Connection**
 
@@ -98,6 +98,7 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
         * **IAMUserAccessKey** - IAM user access key (secret). 
         * **IAMUserAccessSecret** - IAM user access secret (secret). 
         * **ExternalId** - Optional sts:ExternalId to supply on AssumeRole calls. 
+        * **Enabled** - Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available. 
 
 2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The AWSPCA CA  Gateway plugin supports the following product IDs:
 
@@ -107,12 +108,22 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
 
 3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
 
+4. In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the [official documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Configuring%20Template%20Options.htm) to define enrollment fields for each of the following parameters:
+
+    * **LifetimeDays** - OPTIONAL: The number of days of validity to use when requesting certs. If not provided, default is 365 
+    * **SigningAlgorithm** - Required: AWS ACM PCA certificate signature algorithm to use when issuing certificates. Value is an AWS PCA SigningAlgorithm enum name (case-insensitive), e.g. SHA256WITHRSA, SHA384WITHRSA, SHA256WITHECDSA. If omitted, the plugin selects a default compatible with the CA key algorithm. 
+
 
 ## Authentication (Access Key + Secret)
 
 The CAPlugin currently supports **one** authentication method: **AWS Access Key ID + Secret Access Key**.  
 **OAuth** and **Default SDK authentication** will be enabled in later updates. There is functionality present via the **Keyfactor AWS Authentication** library, but these alternate methods are currently ***untested***.
 
+### Known Issues
+
+At present, a fresh install of Keyfactor Command 24.4 used in conjuction with Keyfactor Gateway REST 25.4.0.0 is confirmed as working.  A fresh install of Command 25.3 used with REST 25.4.0.0 is also confirmed as working.
+Latest version of Command 25.4 may run into issues, investigation into compatibility issues is ongoing.
+
 ### What you need ready
 
 Before configuring the CAPlugin, have the following prepared:
@@ -121,7 +132,7 @@ Before configuring the CAPlugin, have the following prepared:
 - **Access Key ID** (example format: `AKIAIOSFODNN7EXAMPLE`)
 - **Secret Access Key** (example format: `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`)
 
-#### 2) A target IAM Role the connector will run as (recommended)
+#### 2) A target IAM Role the Gateway will run as (recommended)
 Example:
 - `arn:aws:iam::123456789012:role/Keyfactor-AnyGateway-AcmPcaRole`
 
@@ -292,6 +303,52 @@ The following examples are intended as **copy/adapt templates**.
 }
 ```
 
+---
+
+## Signing algorithm selection (ACM PCA)
+
+The connector supports an optional **template / product parameter** named `SigningAlgorithm` that controls the **certificate signature algorithm**
+passed to AWS ACM PCA `IssueCertificate`.
+
+- If **not set**, the plugin will **auto-select** a compatible default based on the CA `KeyAlgorithm` returned by
+  `DescribeCertificateAuthority`.
+- If **set**, the plugin validates the value and **rejects incompatible combinations** before calling AWS.
+
+### Where to configure
+
+Set `SigningAlgorithm` on the **AnyGateway template** (product parameters), alongside `LifetimeDays`.
+
+### Valid `SigningAlgorithm` values (AWS PCA)
+
+- RSA family: `SHA256WITHRSA`, `SHA384WITHRSA`, `SHA512WITHRSA`
+- ECDSA family: `SHA256WITHECDSA`, `SHA384WITHECDSA`, `SHA512WITHECDSA`
+- SM2: `SM3WITHSM2`
+- ML-DSA (post-quantum): `ML_DSA_44`, `ML_DSA_65`, `ML_DSA_87`
+
+### Allowed CA key algorithm <-> signing algorithm combinations
+
+The CA key algorithm is the PCA CA **KeyAlgorithm** (not the subject key in the CSR). The signing algorithm must match the CA key family.
+
+| CA KeyAlgorithm | Allowed SigningAlgorithm values |
+|---|---|
+| `RSA_2048`, `RSA_3072`, `RSA_4096` | `SHA256WITHRSA`, `SHA384WITHRSA`, `SHA512WITHRSA` |
+| `EC_prime256v1`, `EC_secp384r1`, `EC_secp521r1` | `SHA256WITHECDSA`, `SHA384WITHECDSA`, `SHA512WITHECDSA` |
+| `SM2` | `SM3WITHSM2` |
+| `ML_DSA_44` | `ML_DSA_44` |
+| `ML_DSA_65` | `ML_DSA_65` |
+| `ML_DSA_87` | `ML_DSA_87` |
+
+### Auto-selection defaults
+
+When `SigningAlgorithm` is omitted, the plugin selects:
+
+- RSA CAs -> `SHA256WITHRSA`
+- EC P-256 -> `SHA256WITHECDSA`
+- EC P-384 -> `SHA384WITHECDSA`
+- EC P-521 -> `SHA512WITHECDSA`
+- SM2 -> `SM3WITHSM2`
+- ML-DSA -> exact-match (`ML_DSA_44/65/87`)
+
 
 ## License