From 0ddfa92dbaeddcf5db3246ec5ed450dd1cca7040 Mon Sep 17 00:00:00 2001
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com>
Date: Mon, 15 Jun 2026 16:36:43 -0700
Subject: [PATCH 1/2] docs: remove SOX audit compliance claim from architecture
docs
We describe what the plugin does (pre-intent logging) without asserting
compliance with any audit standard we are not certified against.
---
README.md | 2 +-
docsource/architecture.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index ff91ab1..260684c 100644
--- a/README.md
+++ b/README.md
@@ -544,7 +544,7 @@ sequenceDiagram
**Idempotency:** If Command retries a revocation request (for example, after a timeout), the plugin detects that the certificate is already revoked and returns success without submitting a duplicate request to CERTInext.
-**Audit trail:** The revocation intent is written to the gateway log *before* the API call is made. This ensures that the intent is captured even if the API call subsequently fails, satisfying SOX audit requirements.
+**Audit trail:** The revocation intent is written to the gateway log *before* the API call is made. This ensures that the intent is captured even if the API call subsequently fails.
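Review bot: "This ensures that the intent is captured even if the API call subsequently fails" still overstates what a log line can guarantee; the intent is only durable if the gateway log write completes (and is flushed) before the call is issued, and nothing in the sentence says whether a failed log write blocks the revocation. Suggest softening to "is intended to capture" or stating the ordering guarantee explicitly, and since the compliance claim is gone, one clause naming what the intent record contains (order number, serial, reason, as the revocation diagram in this repository lists) would give readers the concrete fact that replaces it.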
---
diff --git a/docsource/architecture.md b/docsource/architecture.md
index 93ac459..e0af630 100644
--- a/docsource/architecture.md
+++ b/docsource/architecture.md
@@ -204,7 +204,7 @@ sequenceDiagram
**Idempotency:** If Command retries a revocation request (for example, after a timeout), the plugin detects that the certificate is already revoked and returns success without submitting a duplicate request to CERTInext.
-**Audit trail:** The revocation intent is written to the gateway log *before* the API call is made. This ensures that the intent is captured even if the API call subsequently fails, satisfying SOX audit requirements.
+**Audit trail:** The revocation intent is written to the gateway log *before* the API call is made. This ensures that the intent is captured even if the API call subsequently fails.
---
From d397fedbca6b67d58186ac6ad3a4c671812bc295 Mon Sep 17 00:00:00 2001
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com>
Date: Mon, 15 Jun 2026 16:40:38 -0700
Subject: [PATCH 2/2] =?UTF-8?q?docs:=20fix=20Mermaid=20diagram=20\n=20sequ?=
=?UTF-8?q?ences=20=E2=80=94=20use=20
=20for=20line=20breaks?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Mermaid renders literal \n in diagram labels as text. Replace with
throughout all sequence and flowchart diagrams. Also quote
flowchart node labels that use HTML entities, and collapse edge labels
that had embedded newlines to single-line text.
---
README.md | 58 +++++++++++++++++++--------------------
docsource/architecture.md | 58 +++++++++++++++++++--------------------
2 files changed, 58 insertions(+), 58 deletions(-)
diff --git a/README.md b/README.md
index 260684c..d15656d 100644
--- a/README.md
+++ b/README.md
@@ -406,9 +406,9 @@ sequenceDiagram
participant API as CERTInext API
GW->>Plugin: Load CA connector configuration
- Plugin->>Plugin: Validate required fields\n(API URL, account number, credentials)
- Plugin->>Plugin: Initialize API client\nwith configured auth mode
- Plugin->>Plugin: Record which credential fields are populated\n(values are never logged)
+ Plugin->>Plugin: Validate required fields
(API URL, account number, credentials)
+ Plugin->>Plugin: Initialize API client
with configured auth mode
+ Plugin->>Plugin: Record which credential fields are populated
(values are never logged)
GW->>Plugin: Test connection
Plugin->>API: Verify credentials
API-->>Plugin: Credentials accepted
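Review bot: the second half of each rewrapped label ("(API URL, account number, credentials)", "with configured auth mode", "(values are never logged)") appears here as a separate physical line with no `+` prefix. The stat's 58 insertions against 58 deletions says each message is still a single source line, so this is presumably the inline break tag being rendered rather than a literal newline, but please confirm in the rendered README before merging: a sequenceDiagram message that really spans two source lines fails to parse, and this hunk is the one that documents the "values are never logged" guarantee, so it should not be the diagram that silently disappears.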
@@ -427,11 +427,11 @@ sequenceDiagram
participant Plugin as CERTInext Plugin
participant API as CERTInext API
- CMD->>Plugin: Start synchronization\n(full refresh or incremental since last sync)
- Plugin->>Plugin: Determine date filter\n(none for full sync, last sync date for incremental)
+ CMD->>Plugin: Start synchronization
(full refresh or incremental since last sync)
+ Plugin->>Plugin: Determine date filter
(none for full sync, last sync date for incremental)
loop Retrieve one page at a time
- Plugin->>API: Request next page of orders\n(filtered by date if incremental)
+ Plugin->>API: Request next page of orders
(filtered by date if incremental)
API-->>Plugin: Page of order records
loop For each order on the page
@@ -467,11 +467,11 @@ sequenceDiagram
participant Plugin as CERTInext Plugin
participant API as CERTInext API
- CMD->>Plugin: Request new certificate\n(CSR, subject, SANs, product code, requester details)
+ CMD->>Plugin: Request new certificate
(CSR, subject, SANs, product code, requester details)
Plugin->>Plugin: Validate product code is present
- Plugin->>Plugin: Record enrollment intent in audit log\n(subject, SANs, product, requester — before any API call)
+ Plugin->>Plugin: Record enrollment intent in audit log
(subject, SANs, product, requester — before any API call)
- Plugin->>API: Place certificate order\n(CSR, domain, organization details,\nsubscriber agreement, requestor info)
+ Plugin->>API: Place certificate order
(CSR, domain, organization details,
subscriber agreement, requestor info)
API-->>Plugin: Order accepted — order number assigned
Plugin->>API: Check order status
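Review bot: the same diagram now spells the role two ways, "requester details" in the `CMD->>Plugin: Request new certificate` label and "requestor info" in the `Plugin->>API: Place certificate order` label. Since this hunk already rewrites both lines, pick one spelling (the intent record on the line between them uses "requester") so a reader does not wonder whether two different fields are meant.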
@@ -480,12 +480,12 @@ sequenceDiagram
alt Certificate issued immediately
Plugin-->>CMD: Certificate ready — PEM returned
else Certificate pending approval
- Plugin-->>CMD: Pending — Command will pick it up\nduring the next synchronization
+ Plugin-->>CMD: Pending — Command will pick it up
during the next synchronization
else Order rejected by CERTInext
Plugin-->>CMD: Enrollment failed — see gateway logs
end
- Plugin->>Plugin: Record enrollment outcome in audit log\n(order number, serial number, status)
+ Plugin->>Plugin: Record enrollment outcome in audit log
(order number, serial number, status)
```
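Review bot: "Record enrollment outcome in audit log (order number, serial number, status)" sits after the `end` of the `alt`, so it runs on the pending and rejected branches as well, where no serial number exists yet (the pending branch explicitly defers to the next synchronization). Suggest the label say "serial number if issued", or move the record inside each branch, so the documented audit record matches what the log can actually contain on a failure path.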
### Renewal
@@ -496,15 +496,15 @@ When Command initiates a renewal, the plugin checks whether the existing certifi
```mermaid
flowchart TD
- A([Renewal requested]) --> B{Prior certificate\nserial number\nprovided?}
+ A([Renewal requested]) --> B{"Prior certificate
serial number
provided?"}
B -- No --> C[Issue new certificate]
- B -- Yes --> D[Look up prior order\nin Command database]
- D --> E{Prior order\nfound?}
+ B -- Yes --> D["Look up prior order
in Command database"]
+ D --> E{"Prior order
found?"}
E -- No --> C
- E -- Yes --> F[Check certificate\nexpiry date]
- F --> G{Within renewal\nwindow?}
- G -- Yes\nwithin window --> H[Submit new order\nlinked to prior record]
- G -- No\noutside window --> C
+ E -- Yes --> F["Check certificate
expiry date"]
+ F --> G{"Within renewal
window?"}
+ G -- Yes, within window --> H["Submit new order
linked to prior record"]
+ G -- No, outside window --> C
H --> I([Certificate issued or pending])
C --> I
```
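Review bot: the commit message says node labels are quoted where they "use HTML entities", but this hunk quotes every multi-line node (`B`, `D`, `E`, `F`, `G`, `H`) regardless of content, while the single-line `C[Issue new certificate]` stays unquoted. The quoting is the right call for labels containing a break tag; just adjust the message to say multi-line labels are quoted, so the next person touching these diagrams applies the same rule.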
@@ -521,8 +521,8 @@ sequenceDiagram
participant Plugin as CERTInext Plugin
participant API as CERTInext API
- CMD->>Plugin: Revoke certificate\n(order number, serial number, reason code)
- Plugin->>Plugin: Record revocation intent in audit log\n(order number, serial, reason — before any API call)
+ CMD->>Plugin: Revoke certificate
(order number, serial number, reason code)
+ Plugin->>Plugin: Record revocation intent in audit log
(order number, serial, reason — before any API call)
Plugin->>API: Retrieve current certificate status
API-->>Plugin: Current status and details
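Review bot: the revocation intent record lists "(order number, serial, reason — before any API call)" while the outcome record in the next hunk lists "(order number, serial, subject, reason)". If the point of logging intent first is that it survives a failed API call, the intent entry is the only record an investigator may have, so it should carry at least the same identifying fields as the outcome; either add subject to the intent label or note in the surrounding prose why it is only known afterwards.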
@@ -534,10 +534,10 @@ sequenceDiagram
Plugin->>Plugin: Log error — cannot revoke
Plugin-->>CMD: Error — certificate is not revocable
else Certificate is issued and active
- Plugin->>API: Submit revocation request\n(order number, reason, remarks)
+ Plugin->>API: Submit revocation request
(order number, reason, remarks)
API-->>Plugin: Revocation confirmed
- Plugin->>Plugin: Record revocation outcome in audit log\n(order number, serial, subject, reason)
+ Plugin->>Plugin: Record revocation outcome in audit log
(order number, serial, subject, reason)
Plugin-->>CMD: Certificate revoked
end
```
@@ -554,14 +554,14 @@ When an administrator saves or edits a CERTInext CA connector in the Keyfactor C
```mermaid
flowchart TD
- A([Save connector configuration]) --> B{Connector\nmarked as disabled?}
- B -- Yes --> C([Saved without validation\nConnector will not process requests])
- B -- No --> D{Required fields\npresent and valid?\nAPI URL · Account Number · Credentials}
+ A([Save connector configuration]) --> B{"Connector
marked as disabled?"}
+ B -- Yes --> C(["Saved without validation
Connector will not process requests"])
+ B -- No --> D{"Required fields
present and valid?
API URL · Account Number · Credentials"}
D -- Missing or invalid --> E([Validation error shown to administrator])
- D -- Valid --> F[Build temporary API client\nfrom supplied settings]
- F --> G[Send test request\nto CERTInext]
- G --> H{API accepted\nthe credentials?}
- H -- No --> I([Connection test failed\nCheck credentials and API URL])
+ D -- Valid --> F["Build temporary API client
from supplied settings"]
+ F --> G[Send test request to CERTInext]
+ G --> H{"API accepted
the credentials?"}
+ H -- No --> I(["Connection test failed
Check credentials and API URL"])
H -- Yes --> J([Connector saved and active])
```
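Review bot: the `B -- Yes --> C` path documents that a connector marked disabled is "Saved without validation", but neither this diagram nor the hunk's context says whether the required-field and connection checks run when the connector is later enabled. Suggest a sentence in the prose above the diagram stating that, since an administrator could otherwise enable a connector whose credentials and API URL were never tested. Minor style point in the same hunk: `G[Send test request to CERTInext]` was collapsed to one line while comparable nodes (`F`, `H`, `I`) keep their breaks.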
diff --git a/docsource/architecture.md b/docsource/architecture.md
index e0af630..f051475 100644
--- a/docsource/architecture.md
+++ b/docsource/architecture.md
@@ -66,9 +66,9 @@ sequenceDiagram
participant API as CERTInext API
GW->>Plugin: Load CA connector configuration
- Plugin->>Plugin: Validate required fields\n(API URL, account number, credentials)
- Plugin->>Plugin: Initialize API client\nwith configured auth mode
- Plugin->>Plugin: Record which credential fields are populated\n(values are never logged)
+ Plugin->>Plugin: Validate required fields
(API URL, account number, credentials)
+ Plugin->>Plugin: Initialize API client
with configured auth mode
+ Plugin->>Plugin: Record which credential fields are populated
(values are never logged)
GW->>Plugin: Test connection
Plugin->>API: Verify credentials
API-->>Plugin: Credentials accepted
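Review bot: every hunk in docsource/architecture.md from here on is byte-for-byte identical to the README.md hunk above it (the stat shows 58/58 in both files, and PATCH 1/2 likewise had to edit the same sentence twice), so the comments left on the README hunks apply here unchanged. Consider generating one file from the other, or having the README link to docsource/architecture.md for the diagrams, so the two copies cannot drift on details like the audit record fields.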
@@ -87,11 +87,11 @@ sequenceDiagram
participant Plugin as CERTInext Plugin
participant API as CERTInext API
- CMD->>Plugin: Start synchronization\n(full refresh or incremental since last sync)
- Plugin->>Plugin: Determine date filter\n(none for full sync, last sync date for incremental)
+ CMD->>Plugin: Start synchronization
(full refresh or incremental since last sync)
+ Plugin->>Plugin: Determine date filter
(none for full sync, last sync date for incremental)
loop Retrieve one page at a time
- Plugin->>API: Request next page of orders\n(filtered by date if incremental)
+ Plugin->>API: Request next page of orders
(filtered by date if incremental)
API-->>Plugin: Page of order records
loop For each order on the page
@@ -127,11 +127,11 @@ sequenceDiagram
participant Plugin as CERTInext Plugin
participant API as CERTInext API
- CMD->>Plugin: Request new certificate\n(CSR, subject, SANs, product code, requester details)
+ CMD->>Plugin: Request new certificate
(CSR, subject, SANs, product code, requester details)
Plugin->>Plugin: Validate product code is present
- Plugin->>Plugin: Record enrollment intent in audit log\n(subject, SANs, product, requester — before any API call)
+ Plugin->>Plugin: Record enrollment intent in audit log
(subject, SANs, product, requester — before any API call)
- Plugin->>API: Place certificate order\n(CSR, domain, organization details,\nsubscriber agreement, requestor info)
+ Plugin->>API: Place certificate order
(CSR, domain, organization details,
subscriber agreement, requestor info)
API-->>Plugin: Order accepted — order number assigned
Plugin->>API: Check order status
@@ -140,12 +140,12 @@ sequenceDiagram
alt Certificate issued immediately
Plugin-->>CMD: Certificate ready — PEM returned
else Certificate pending approval
- Plugin-->>CMD: Pending — Command will pick it up\nduring the next synchronization
+ Plugin-->>CMD: Pending — Command will pick it up
during the next synchronization
else Order rejected by CERTInext
Plugin-->>CMD: Enrollment failed — see gateway logs
end
- Plugin->>Plugin: Record enrollment outcome in audit log\n(order number, serial number, status)
+ Plugin->>Plugin: Record enrollment outcome in audit log
(order number, serial number, status)
```
### Renewal
@@ -156,15 +156,15 @@ When Command initiates a renewal, the plugin checks whether the existing certifi
```mermaid
flowchart TD
- A([Renewal requested]) --> B{Prior certificate\nserial number\nprovided?}
+ A([Renewal requested]) --> B{"Prior certificate
serial number
provided?"}
B -- No --> C[Issue new certificate]
- B -- Yes --> D[Look up prior order\nin Command database]
- D --> E{Prior order\nfound?}
+ B -- Yes --> D["Look up prior order
in Command database"]
+ D --> E{"Prior order
found?"}
E -- No --> C
- E -- Yes --> F[Check certificate\nexpiry date]
- F --> G{Within renewal\nwindow?}
- G -- Yes\nwithin window --> H[Submit new order\nlinked to prior record]
- G -- No\noutside window --> C
+ E -- Yes --> F["Check certificate
expiry date"]
+ F --> G{"Within renewal
window?"}
+ G -- Yes, within window --> H["Submit new order
linked to prior record"]
+ G -- No, outside window --> C
H --> I([Certificate issued or pending])
C --> I
```
@@ -181,8 +181,8 @@ sequenceDiagram
participant Plugin as CERTInext Plugin
participant API as CERTInext API
- CMD->>Plugin: Revoke certificate\n(order number, serial number, reason code)
- Plugin->>Plugin: Record revocation intent in audit log\n(order number, serial, reason — before any API call)
+ CMD->>Plugin: Revoke certificate
(order number, serial number, reason code)
+ Plugin->>Plugin: Record revocation intent in audit log
(order number, serial, reason — before any API call)
Plugin->>API: Retrieve current certificate status
API-->>Plugin: Current status and details
@@ -194,10 +194,10 @@ sequenceDiagram
Plugin->>Plugin: Log error — cannot revoke
Plugin-->>CMD: Error — certificate is not revocable
else Certificate is issued and active
- Plugin->>API: Submit revocation request\n(order number, reason, remarks)
+ Plugin->>API: Submit revocation request
(order number, reason, remarks)
API-->>Plugin: Revocation confirmed
- Plugin->>Plugin: Record revocation outcome in audit log\n(order number, serial, subject, reason)
+ Plugin->>Plugin: Record revocation outcome in audit log
(order number, serial, subject, reason)
Plugin-->>CMD: Certificate revoked
end
```
@@ -214,14 +214,14 @@ When an administrator saves or edits a CERTInext CA connector in the Keyfactor C
```mermaid
flowchart TD
- A([Save connector configuration]) --> B{Connector\nmarked as disabled?}
- B -- Yes --> C([Saved without validation\nConnector will not process requests])
- B -- No --> D{Required fields\npresent and valid?\nAPI URL · Account Number · Credentials}
+ A([Save connector configuration]) --> B{"Connector
marked as disabled?"}
+ B -- Yes --> C(["Saved without validation
Connector will not process requests"])
+ B -- No --> D{"Required fields
present and valid?
API URL · Account Number · Credentials"}
D -- Missing or invalid --> E([Validation error shown to administrator])
- D -- Valid --> F[Build temporary API client\nfrom supplied settings]
- F --> G[Send test request\nto CERTInext]
- G --> H{API accepted\nthe credentials?}
- H -- No --> I([Connection test failed\nCheck credentials and API URL])
+ D -- Valid --> F["Build temporary API client
from supplied settings"]
+ F --> G[Send test request to CERTInext]
+ G --> H{"API accepted
the credentials?"}
+ H -- No --> I(["Connection test failed
Check credentials and API URL"])
H -- Yes --> J([Connector saved and active])
```