From a0e9c68da50d40db4d629721fc2c21f704061fcd Mon Sep 17 00:00:00 2001 From: Lee Fine Date: Wed, 11 Dec 2024 21:52:39 +0000 Subject: [PATCH] ab#17762 --- docsource/content.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docsource/content.md b/docsource/content.md index 2202336..c93966d 100644 --- a/docsource/content.md +++ b/docsource/content.md 
@@ -17,9 +17,10 @@ The GCP project and account being used to access Secret Manager must have access ## Certificate Encryption Details -For GCP Secret Manager secrets containing encrypted private keys, the GCP Secret Manager Orchestrator Extension provides two ways to manage the encryption password: +For GCP Secret Manager secrets containing private keys, the GCP Secret Manager Orchestrator Extension provides three ways to manage the certificate private key: 1. Using the Keyfactor Command Store Password on the certificate store definition to store the password that will be used to encrypt ALL private keys for the GCP Secret Manager project. 2. Using the Password Secret Location Suffix field on the certificate store definition to store a "suffix" that will be used in conjunction with the secret alias (name) to create a second secret in Secret Manager to store the encryption password. +3. If no Store Password is set and the Password Secret Location Suffix is either missing or blank, the private key will not be encrypted. If the Store Password has a value, this will be used to encrypt the private key during a Management Add job. If no value is set for the Store Password, the one time password that Keyfactor Command generates when triggering a Management-Add job will be used to encrypt the private key and this password will be stored as a secret in GCP Secret Manager with a name of Alias + Password Secret Location Suffix. For example, if the certificate alias is set as "Alias1" and the Password Secret Location Suffix is set as "_Key", the certificate and encrypted private key will be stored in a secret named "Alias1" and the password for the key encryption will be stored in a secret named "Alias1_Key". 
Please note that if using the generated password Keyfactor Command provides and storing the password in Secret Manager, each renewal/replacement of a certificate will encrypt the private key with a new generated password, which will then be stored as a new version of the password secret.
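Review bot: The new item 3 ("If no Store Password is set and the Password Secret Location Suffix is either missing or blank, the private key will not be encrypted") contradicts the unchanged paragraph that follows it, which still says without qualification "If no value is set for the Store Password, the one time password that Keyfactor Command generates ... will be used to encrypt the private key". Reading both together, a blank suffix would be covered by two different rules. Suggest qualifying the later sentence so it matches the new case, for example "If no value is set for the Store Password and a Password Secret Location Suffix is configured, the one time password that Keyfactor Command generates ... will be used", and state explicitly what happens to the suffix-named password secret in the unencrypted case (none is created). Since item 3 turns two empty fields into an unencrypted private key stored in Secret Manager, the doc should also name this as the least protected of the three options and note that the key is then guarded only by the Secret Manager access controls described earlier on the page, so operators do not arrive at it by omission. Separately, the commit subject "ab#17762" carries no description of the behavioural change being documented; a one-line summary in the message would help reviewers and future readers of the history.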