(fileContent);
+ }
+ }
+}
diff --git a/A10vThunderTestConsole/RunTest.bat b/A10vThunderTestConsole/RunTest.bat
new file mode 100644
index 0000000..64e0616
--- /dev/null
+++ b/A10vThunderTestConsole/RunTest.bat
@@ -0,0 +1,271 @@
+@echo off
+
+cd C:\Users\bhill\source\repos\a10vthunder-orchestrator\A10vThunderTestConsole\bin\Debug\net8.0
+set ClientMachine=
+set A10ApiUser=admin
+set A10ApiPassword=
+set ScpUserName=ec2-user
+set ScpPassword=
+set ScpPort=22
+set OrchToScpServerIp=
+set A10ToScpServerIp=
+
+set clientmachine=%ClientMachine%
+set password=%A10ApiPassword%
+set user=%A10ApiUser%
+set storepath=shared
+
+
+
+echo ***********************************
+echo Starting Ssl StoreType Test Cases
+echo ***********************************
+
+
+echo ***********************************
+echo Starting Management Test Cases
+echo ***********************************
+set casename=Management
+
+
+set cert=%random%
+set casename=Management
+set mgt=add
+set overwrite=false
+
+
+echo ************************************************************************************************************************
+echo TC1 %mgt%. Should do the %mgt% and add anything in the chain
+echo ************************************************************************************************************************
+echo overwrite: %overwrite%
+echo cert name: %cert%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+set mgt=remove
+set overwrite=false
+
+echo:
+echo *******************************************************************************************************
+echo TC2 %mgt% unbound Cert. Should %mgt% the cert since there are no dependencies
+echo *******************************************************************************************************
+echo overwrite: %overwrite%
+echo cert name: %cert%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+set mgt=add
+set overwrite=false
+set storepath=keyfactor2
+
+echo:
+echo *******************************************************************************************************
+echo TC3 %mgt% unbound Cert to New Different Partition. Should %mgt% the cert to Partition
+echo *******************************************************************************************************
+echo overwrite: %overwrite%
+echo cert name: %cert%
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+set mgt=remove
+
+echo:
+echo *******************************************************************************************************
+echo TC4 %mgt% unbound Cert in Different Partition. Should %mgt% the cert from Partition
+echo *******************************************************************************************************
+echo overwrite: %overwrite%
+echo cert name: %cert%
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+set mgt=add
+set overwrite=false
+set storepath=shared
+set cert=%random%
+
+echo:
+echo *******************************************************************************************************
+echo TC5 Setup Unbound Renew Scenario Unbound Certificate
+echo *******************************************************************************************************
+echo overwrite: %overwrite%
+echo cert name: %cert%
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+set overwrite=false
+set storepath=shared
+
+echo:
+echo *******************************************************************************************************
+echo TC5a Unbound Renew certificate with no overwrite, should warn user that overwrite flag is required
+echo *******************************************************************************************************
+echo overwrite: %overwrite%
+echo cert name: %cert%
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+set mgt=add
+set storepath=shared
+set overwrite=true
+
+echo:
+echo *******************************************************************************************************
+echo TC5b Unbound Renew certificate with overwrite, should overwrite since flag is used
+echo *******************************************************************************************************
+echo overwrite: %overwrite%
+echo cert name: %cert%
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+
+
+set mgt=add
+set storepath=shared
+set overwrite=true
+
+echo:
+echo *******************************************************************************************************
+echo TC5c Bound Renew certificate with overwrite, should re-name cert and rebind it to all locations
+echo *******************************************************************************************************
+echo overwrite: %overwrite%
+set /p cert=Please enter bound cert name:
+echo cert name: %cert%
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+set mgt=add
+set storepath=keyfactor2
+set overwrite=true
+
+echo:
+echo ******************************************************************************************************************
+echo TC6 Bound Renew Different Partition certificate with overwrite, should re-name cert and rebind it to all locations
+echo ******************************************************************************************************************
+echo overwrite: %overwrite%
+set /p cert=Please enter bound cert name:
+echo cert name: %cert%
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+
+set mgt=remove
+set storepath=keyfactor2
+set overwrite=true
+
+echo:
+echo ******************************************************************************************************************
+echo TC7 Remove Bound certificate - This should not be allowed and should error out
+echo ******************************************************************************************************************
+echo overwrite: %overwrite%
+set /p cert=Please enter bound cert name:
+echo cert name: %cert%
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+
+set casename=Inventory
+set storepath=keyfactor2
+
+
+echo:
+echo ******************************************************************************************************************
+echo TC8 Inventory from a Partition
+echo ******************************************************************************************************************
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+:TC8
+
+set casename=Inventory
+set storepath=shared
+
+
+echo:
+echo ******************************************************************************************************************
+echo TC9 Inventory from shared location
+echo ******************************************************************************************************************
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=ssl
+
+echo ***********************************
+echo Starting mgmt StoreType Test Cases
+echo ***********************************
+
+:TC10
+
+echo ***********************************
+echo Starting Management Test Cases
+echo ***********************************
+set casename=Management
+
+set mgt=add
+set storepath=/home/ec2-user
+set overwrite=true
+set cert=%random%
+
+echo:
+echo ******************************************************************************************************************
+echo TC10 Add New Certificate to Location and Bind to Management Port
+echo ******************************************************************************************************************
+echo overwrite: %overwrite%
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=mgmt -orchtoscpserverip=%OrchToScpServerIp% -a10toscpserverip=%A10ToScpServerIp% -scpusername=%ScpUserName% -scppassword=%ScpPassword% -scpport=%ScpPort%
+
+
+echo:
+echo ******************************************************************************************************************
+echo TC11 Renew certificate bound to Management Port should rep and bind to mgmt port
+echo ******************************************************************************************************************
+echo overwrite: %overwrite%
+echo storepath: %storepath%
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=mgmt -orchtoscpserverip=%OrchToScpServerIp% -a10toscpserverip=%A10ToScpServerIp% -scpusername=%ScpUserName% -scppassword=%ScpPassword% -scpport=%ScpPort%
+
+
+echo:
+echo ******************************************************************************************************************
+echo TC12 Renew/Repl certificate bound to Management Port with out overwrite, should fail and warn user
+echo ******************************************************************************************************************
+set overwrite=false
+echo overwrite: %overwrite%
+echo storepath: %storepath%
+
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=mgmt -orchtoscpserverip=%OrchToScpServerIp% -a10toscpserverip=%A10ToScpServerIp% -scpusername=%ScpUserName% -scppassword=%ScpPassword% -scpport=%ScpPort%
+
+
+echo:
+echo ******************************************************************************************************************
+echo TC13 Remove certificate bound to Management Port should remove the cert and leave the binding in place
+echo ******************************************************************************************************************
+echo overwrite: %overwrite%
+echo storepath: %storepath%
+set mgt=remove
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=mgmt -orchtoscpserverip=%OrchToScpServerIp% -a10toscpserverip=%A10ToScpServerIp% -scpusername=%ScpUserName% -scppassword=%ScpPassword% -scpport=%ScpPort%
+
+:TC14
+
+echo:
+echo ******************************************************************************************************************
+echo TC14 Inventory Management Certificates from SCP Location
+echo ******************************************************************************************************************
+echo overwrite: %overwrite%
+set storepath=/home/ec2-user
+echo storepath: %storepath%
+set casename=Inventory
+
+A10vThunderTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -storetype=mgmt -orchtoscpserverip=%OrchToScpServerIp% -a10toscpserverip=%A10ToScpServerIp% -scpusername=%ScpUserName% -scppassword=%ScpPassword% -scpport=%ScpPort%
+
+@pause
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..ddd5211
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,8 @@
+# v3.0.0
+* Support for Partitions
+* Support for Bindings
+* Support for Management Certs
+* Support for A10 V4,V6 and V7 Devices
+
+# v1.0.0
+* Initial Release
diff --git a/Media/Images/AddPubCert.gif b/Media/Images/AddPubCert.gif
deleted file mode 100644
index e6e3db1..0000000
Binary files a/Media/Images/AddPubCert.gif and /dev/null differ
diff --git a/Media/Images/CertStore1.gif b/Media/Images/CertStore1.gif
deleted file mode 100644
index 01f7b69..0000000
Binary files a/Media/Images/CertStore1.gif and /dev/null differ
diff --git a/Media/Images/CertStore2.gif b/Media/Images/CertStore2.gif
deleted file mode 100644
index e52ddbe..0000000
Binary files a/Media/Images/CertStore2.gif and /dev/null differ
diff --git a/Media/Images/CertStoreType-Advanced.gif b/Media/Images/CertStoreType-Advanced.gif
deleted file mode 100644
index 077fa44..0000000
Binary files a/Media/Images/CertStoreType-Advanced.gif and /dev/null differ
diff --git a/Media/Images/CertStoreType-Basic.gif b/Media/Images/CertStoreType-Basic.gif
deleted file mode 100644
index 3a21c8a..0000000
Binary files a/Media/Images/CertStoreType-Basic.gif and /dev/null differ
diff --git a/Media/Images/CertStoreType-CustomFields.gif b/Media/Images/CertStoreType-CustomFields.gif
deleted file mode 100644
index 9e0cd8f..0000000
Binary files a/Media/Images/CertStoreType-CustomFields.gif and /dev/null differ
diff --git a/Media/Images/CertStoreType-EntryParameters.gif b/Media/Images/CertStoreType-EntryParameters.gif
deleted file mode 100644
index 277e052..0000000
Binary files a/Media/Images/CertStoreType-EntryParameters.gif and /dev/null differ
diff --git a/Media/Images/CertificateInventory.gif b/Media/Images/CertificateInventory.gif
deleted file mode 100644
index 6544ffc..0000000
Binary files a/Media/Images/CertificateInventory.gif and /dev/null differ
diff --git a/Media/Images/NewCertNewAlias.gif b/Media/Images/NewCertNewAlias.gif
deleted file mode 100644
index 201db47..0000000
Binary files a/Media/Images/NewCertNewAlias.gif and /dev/null differ
diff --git a/Media/Images/PubCertReplace.gif b/Media/Images/PubCertReplace.gif
deleted file mode 100644
index a10a42d..0000000
Binary files a/Media/Images/PubCertReplace.gif and /dev/null differ
diff --git a/Media/Images/RemoveCertAndKey.gif b/Media/Images/RemoveCertAndKey.gif
deleted file mode 100644
index b8203ba..0000000
Binary files a/Media/Images/RemoveCertAndKey.gif and /dev/null differ
diff --git a/Media/Images/RemovePubCert.gif b/Media/Images/RemovePubCert.gif
deleted file mode 100644
index e50bc45..0000000
Binary files a/Media/Images/RemovePubCert.gif and /dev/null differ
diff --git a/Media/Images/ReplaceCertSameAlias.gif b/Media/Images/ReplaceCertSameAlias.gif
deleted file mode 100644
index 9253a82..0000000
Binary files a/Media/Images/ReplaceCertSameAlias.gif and /dev/null differ
diff --git a/README.md b/README.md
index 784bfcd..7796f14 100644
--- a/README.md
+++ b/README.md
@@ -1,193 +1,1045 @@
-# a10vThunder
+
+ a10vThunder Universal Orchestrator Extension
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Support
+
+ ·
+
+ Installation
+
+ ·
+
+ License
+
+ ·
+
+ Related Integrations
+
+
+
+## Overview
+
+A Keyfactor Universal Orchestrator extension for managing SSL/TLS certificates on A10 Networks vThunder load balancers through direct API integration and SCP-based management interface certificate deployment.
+
+The A10 vThunder Orchestrator provides automated certificate lifecycle management for A10 Networks vThunder appliances. It implements two distinct certificate store types:
+
+1. **ThunderSsl**: Direct API-based management of SSL certificates for load balancing and application delivery
+2. **ThunderMgmt**: SCP-based management of certificates for the A10 management interface (GUI/API access)
+
+### Architecture
+
+The A10 vThunder Orchestrator implements two distinct certificate store types with different architectural approaches:
+```mermaid
+graph TB
+ subgraph "Keyfactor Environment"
+ KF[Keyfactor Command]
+ UO[Universal Orchestrator
with A10 Extension]
+ end
+
+ subgraph "ThunderSsl Store Type - Direct API Management"
+ A10_SSL[A10 vThunder Appliance
API Endpoint]
+ SSL_STORE[(SSL Certificate Store
Certificates & Keys)]
+ SSL_TEMPLATES[SSL Templates
server-ssl / client-ssl]
+ VIRTUAL_SERVICES[Virtual Services
Load Balancer Config]
+ end
+
+ subgraph "ThunderMgmt Store Type - SCP-Based Management"
+ SCP[SCP Server
Intermediate Storage]
+ A10_MGMT[A10 vThunder Appliance
Management Interface]
+ MGMT_STORE[(Management Certs
.crt / .key files)]
+ end
-A10 vThunder AnyAgent allows an organization to inventory and deploy certificates in any domain that the appliance services. The AnyAgent deploys the appropriate files (.cer, .pem) within the defined directories and also performs and Inventory on the Items.
+ KF -->|Certificate Lifecycle Jobs| UO
-#### Integration status: Production - Ready for use in production environments.
+ UO -->|"1. AXAPI REST Calls
(HTTPS - v4/v6)
Auth, Upload, Template Updates"| A10_SSL
+ A10_SSL -->|Manages| SSL_STORE
+ A10_SSL -->|Updates Bindings| SSL_TEMPLATES
+ SSL_TEMPLATES -->|Bound To| VIRTUAL_SERVICES
-## About the Keyfactor Universal Orchestrator Capability
+ UO -->|"2a. SCP Upload
(SSH/SCP)
cert.crt + cert.key"| SCP
+ SCP -->|"2b. A10 Retrieves
(SCP/SSH)"| A10_MGMT
+ UO -->|"2c. AXAPI Install Command
(HTTPS)"| A10_MGMT
+ A10_MGMT -->|Installs| MGMT_STORE
-This repository contains a Universal Orchestrator Capability which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
+ style UO fill:#4CAF50,stroke:#2E7D32,color:#fff
+ style A10_SSL fill:#2196F3,stroke:#1565C0,color:#fff
+ style A10_MGMT fill:#2196F3,stroke:#1565C0,color:#fff
+ style SCP fill:#FF9800,stroke:#E65100,color:#fff
+ style SSL_STORE fill:#9C27B0,stroke:#6A1B9A,color:#fff
+ style MGMT_STORE fill:#9C27B0,stroke:#6A1B9A,color:#fff
+```
-The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Capabilities, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Capability, see below in this readme.
+#### ThunderSsl Store Type (Direct API Management)
-The Universal Orchestrator is the successor to the Windows Orchestrator. This Capability plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
+The ThunderSsl store type provides direct, API-based certificate management:
+- **Single-hop architecture**: Orchestrator connects directly to A10 AXAPI (REST API) via HTTPS
+- **Automatic template management**: Detects and updates SSL template bindings (server-ssl/client-ssl)
+- **Zero-downtime replacements**: Creates timestamped certificates and atomically rebinds templates
+- **Multi-tenant support**: Full partition support for isolated certificate operations
+- **API version flexibility**: Automatically detects and supports both AXAPI v4 and v6
+#### ThunderMgmt Store Type (SCP-Based Management)
-## Support for a10vThunder
+The ThunderMgmt store type uses an intermediate SCP server for management interface certificates:
-a10vThunder is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative.
+- **Three-party architecture**: Orchestrator → SCP Server → A10 Device
+- **Network flexibility**: Supports different network paths between orchestrator and A10 device
+- **File-based deployment**: Uploads .crt and .key files to SCP server for A10 retrieval
+- **Management interface specific**: Used exclusively for A10 GUI/API access certificates
+- **Coordinated installation**: AXAPI commands trigger certificate installation after file transfer
-###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
-___
+Both store types support PAM integration for secure credential management and require appropriate A10 device permissions.
+#### ThunderSsl Store Type
+Uses A10's native REST API (AXAPI) for direct certificate management:
+- Certificates are uploaded directly to the A10 appliance
+- Supports both certificate-only and certificate-with-private-key operations
+- Automatically detects and handles template bindings and virtual service configurations
+- Implements intelligent certificate replacement to avoid service disruption
+#### A10 vThunder Requirements
+- A10 vThunder appliance with AXAPI support
+- API versions 4.x or 6.x supported (automatically detected)
+- Valid user account with certificate management privileges
+- For ThunderMgmt: SSH/SCP access enabled
+
+#### Required A10 Permissions
+The orchestrator requires an A10 user account with permissions to:
+- Access AXAPI (REST API)
+- Manage SSL certificates and private keys
+- Read/write SSL templates (server-ssl and client-ssl)
+- Query and modify virtual services
+- Write configuration to memory
+- Set active partitions
+- For ThunderMgmt: SSH/SCP file operations
+
+### Key Features
+
+- **Direct SSL Certificate Management**: Native A10 API integration for SSL certificate deployment and management
+- **Template-Aware Operations**: Intelligent handling of certificates bound to SSL templates and virtual services
+- **Multi-API Version Support**: Automatic detection and support for A10 API v4 and v6
+- **Partition Support**: Full support for A10 partitions for multi-tenant deployments
+- **Certificate Inventory**: Comprehensive discovery and inventory of existing certificates
+- **Management Interface Certificates**: SCP-based deployment for A10 management interface certificates
+- **PAM Integration**: Support for Privileged Access Management systems
+- **Advanced Certificate Replacement**: Zero-downtime certificate replacement with automatic template rebinding
+
+The a10vThunder Universal Orchestrator extension implements 2 Certificate Store Types. Depending on your use case, you may elect to use one, or both of these Certificate Store Types. Descriptions of each are provided below.
+
+- [A10 Thunder Ssl Certificates](#ThunderSsl)
+
+- [A10 Thunder Management Certificates](#ThunderMgmt)
+
+
+## Compatibility
+
+This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later.
+
+## Support
+The a10vThunder Universal Orchestrator extension is supported by Keyfactor. If you require support for any issues or have feature request, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.
+
+> If you want to contribute bug fixes or additional enhancements, use the **[Pull requests](../../pulls)** tab.
+
+## Requirements & Prerequisites
+
+Before installing the a10vThunder Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.
+
+
+
+## Certificate Store Types
+
+To use the a10vThunder Universal Orchestrator extension, you **must** create the Certificate Store Types required for your use-case. This only needs to happen _once_ per Keyfactor Command instance.
+
+The a10vThunder Universal Orchestrator extension implements 2 Certificate Store Types. Depending on your use case, you may elect to use one, or both of these Certificate Store Types.
+
+### ThunderSsl
+
+Click to expand details
+
+
+#### 🔒 SSL Certificates
+
+**Purpose:**
+Used for securing traffic that passes through the device (i.e., traffic handled by SLB/ADC features).
+
+**Usage Context:**
+- SSL Offloading
+- SSL Intercept (Decryption/Encryption)
+- Reverse proxy configurations
+
+**Configured In:**
+- **GUI:** `ADC → Ssl Management
+
+
+**Example:**
+If the A10 is acting as an SSL offloader for a backend web server, the **SSL Certificate** is used to terminate client HTTPS sessions.
+
+
+
+
+#### A10 Thunder Ssl Certificates Requirements
+
+#### Creating a User for API Access on A10 vThunder
+
+This guide explains how to create a user on A10 vThunder for API (AXAPI) access with appropriate privileges.
+
+##### Step-by-Step Instructions
+
+1. **Enter configuration mode:**
+ ```bash
+ configure terminal
+ ```
+
+2. **Create the user and set a password:**
+ ```bash
+ admin apiuser password yourStrongPassword
+ ```
+
+ Replace `apiuser` with the desired username, and `yourStrongPassword` with a secure password.
+
+3. **Assign necessary privileges:**
+ ```bash
+ privilege read
+ privilege write
+ privilege partition-enable-disable
+ privilege partition-read
+ privilege partition-write
+ ```
+
+ These privileges grant the user:
+ - Global read and write access
+ - Per-partition read and write access
+ - Permission to enable or disable partitions
+
+4. **(Optional) Enable external health monitor privilege (if needed):**
+ ```bash
+ privilege hm
+ ```
+
+5. **Exit user configuration:**
+ ```bash
+ exit
+ ```
+
+##### ThunderSsl Aliases
+
+In the ThunderSsl store type, the **alias** directly corresponds to the certificate and private key names stored on the A10 appliance:
+
+- **Certificate Name**: The alias becomes the SSL certificate identifier in A10's certificate store
+- **Private Key Name**: The same alias is used for the associated private key
+- **Template References**: SSL templates reference certificates by this exact alias name
+- **API Operations**: All A10 API calls use this alias to identify the certificate/key pair
+
+###### Example ThunderSsl Usage
+```
+Alias: "webserver-prod-2025"
+→ A10 Certificate: "webserver-prod-2025"
+→ A10 Private Key: "webserver-prod-2025"
+→ Template Reference: server-ssl template uses cert "webserver-prod-2025"
+```
+
+###### Alias Renaming for Template-Bound Certificates
+
+When replacing a certificate that's bound to SSL templates, the orchestrator uses an intelligent renaming strategy:
+
+1. **Timestamp Generation**: Creates a Unix timestamp (10 digits)
+2. **Alias Pattern Matching**:
+ - If alias contains existing timestamp: `webserver-prod_1640995200` → `webserver-prod_1672531200`
+ - If no timestamp found: `webserver-prod` → `webserver-prod_1672531200`
+3. **Length Validation**: Ensures final alias stays within A10's 240-character limit
+4. **Template Updates**: All SSL templates are updated to reference the new timestamped alias
+5. **Cleanup**: Original certificate is removed after successful template updates
+
+###### Replacement Workflow Example
+```
+Original: "api-gateway-cert"
+Step 1: Generate new alias → "api-gateway-cert_1672531200"
+Step 2: Upload certificate with new alias
+Step 3: Update server-ssl templates: cert "api-gateway-cert" → "api-gateway-cert_1672531200"
+Step 4: Update client-ssl templates: cert "api-gateway-cert" → "api-gateway-cert_1672531200"
+Step 5: Remove old certificate "api-gateway-cert"
+Step 6: Rebind templates to virtual services
+```
+
+###### Alias Best Practices
+- Use descriptive names that indicate purpose: `web-frontend-ssl`, `api-backend-tls`
+- Avoid special characters that might conflict with A10 naming rules
+- Consider including environment indicators: `prod-web-cert`, `stage-api-cert`
+- Remember that renaming will append timestamps for template-bound certificates
+
+###### Character Limitations
+- **Maximum Length**: 240 characters (enforced by orchestrator)
+- **Recommended Characters**: Letters, numbers, hyphens, underscores
+- **Avoid**: Special characters that might cause issues in API calls or file operations
+
+##### Troubleshooting Alias Issues
+
+###### ThunderSsl Common Issues
+- **Template Update Failures**: Verify templates exist and are accessible
+- **Long Alias Names**: Orchestrator will truncate to fit timestamp if needed
+- **Special Characters**: May cause API call failures
+
+##### Notes
+
+- This user will now be able to authenticate and perform actions via A10's AXAPI (v2/v3) interface.
+- Role-Based Access (RBA) and partition assignment can further fine-tune access control.
+
+##### Example Login via AXAPI
+
+Example using `curl` for AXAPI v3 login:
+```bash
+curl -X POST https:///axapi/v3/auth \
+ -d '{"credentials":{"username":"apiuser","password":"yourStrongPassword"}}' \
+ -H "Content-Type: application/json"
+```
+
+
+
+#### Supported Operations
+
+| Operation | Is Supported |
+|--------------|------------------------------------------------------------------------------------------------------------------------|
+| Add | ✅ Checked |
+| Remove | ✅ Checked |
+| Discovery | 🔲 Unchecked |
+| Reenrollment | 🔲 Unchecked |
+| Create | 🔲 Unchecked |
+
+#### Store Type Creation
+
+##### Using kfutil:
+`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
+For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
+ Click to expand ThunderSsl kfutil details
+
+ ##### Using online definition from GitHub:
+ This will reach out to GitHub and pull the latest store-type definition
+ ```shell
+ # A10 Thunder Ssl Certificates
+ kfutil store-types create ThunderSsl
+ ```
+
+ ##### Offline creation using integration-manifest file:
+ If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.
+ You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command
+ in your offline environment.
+ ```shell
+ kfutil store-types create --from-file integration-manifest.json
+ ```
+ Click to expand manual ThunderSsl details
+
+ Create a store type called `ThunderSsl` with the attributes in the tables below:
+
+ ##### Basic Tab
+ | Attribute | Value | Description |
+ | --------- | ----- | ----- |
+ | Name | A10 Thunder Ssl Certificates | Display name for the store type (may be customized) |
+ | Short Name | ThunderSsl | Short display name for the store type |
+ | Capability | ThunderSsl | Store type name orchestrator will register with. Check the box to allow entry of value |
+ | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |
+ | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |
+ | Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery |
+ | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
+ | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation |
+ | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |
+ | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
+ | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
+ | Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |
+ | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |
+
+ The Basic tab should look like this:
+
+ 
+
+ ##### Advanced Tab
+ | Attribute | Value | Description |
+ | --------- | ----- | ----- |
+ | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
+ | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
+ | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
+
+ The Advanced tab should look like this:
+
+ 
+
+ > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
+
+ ##### Custom Fields Tab
+ Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
+
+ | Name | Display Name | Description | Type | Default Value/Options | Required |
+ | ---- | ------------ | ---- | --------------------- | -------- | ----------- |
+ | allowInvalidCert | Allow Invalid Cert on A10 Management API | Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections. | Bool | true | ✅ Checked |
+
+ The Custom Fields tab should look like this:
+
+ 
+
+
+ ###### Allow Invalid Cert on A10 Management API
+ Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections.
+
+ 
+
+
+
+
+
+ Click to expand details
+
+
+#### 🔐 Management Certificates
+
+**Purpose:**
+Used to secure HTTPS access to the A10 management interface (GUI/API).
+
+**Usage Context:**
+- AXAPI (API access over HTTPS)
+- Web GUI login
+- Any administrative HTTPS session
+
+**Configured In:**
+- **GUI:** `System → Settings → Certificate`
+
+**Example:**
+When a user logs into the GUI via `https://`, the certificate presented is the **Management Certificate**.
+
+
+
+
+#### A10 Thunder Management Certificates Requirements
+
+#### A10 Certificate Management Orchestrator Extension
+
+This orchestrator extension automates the process of uploading, inventorying, and deploying SSL certificates from a Linux SCP server to an A10 vThunder device. Due to A10 API limitations, certificates must be pulled from the SCP server directly by the A10 device itself.
+
+---
+
+##### 📌 How It Works
+
+1. **The orchestrator** connects to a Linux server via SCP to inventory available certificates.
+2. It stores relevant metadata and pushes new certificates and keys to the SCP server.
+3. It then instructs the **A10 device** to retrieve the certificate and private key from the Linux server using API calls.
+4. The A10 device loads the certificate and key directly from the SCP server for use on its **management interface**.
+
+---
+
+##### 📡 API Call Example (From A10 Device)
+
+```http
+POST /axapi/v3/web-service/secure/certificate
+```
+
+**Payload:**
+```json
+{
+ "certificate": {
+ "load": 1,
+ "file-url": "scp://ec2-user:dda@172.31.93.107:/home/ec2-user/26125.crt"
+ }
+}
+```
+
+> A similar call is made for loading the private key onto the A10 device using a separate AXAPI endpoint.
+
+- The A10 device **must have access** to the SCP server via the specified IP (`A10ToScpServerIp`).
+- Ensure the certificate and key file paths are correct and accessible to the SCP user.
---
+##### 🔐 Linux Server Requirements
+
+###### User Access
+- The SCP user (`ScpUserName`, e.g., `ec2-user`) must:
+ - Have SSH/SCP access.
+ - Authenticate with a password.
+ - Have **read and write** permissions in the SCP location.
+> New certificates and **private keys** are generated by Keyfactor and uploaded to this location by the orchestrator. Therefore, write access is essential.
+###### SCP Directory Permissions
+- Ensure the directory (e.g., `/home/ec2-user/`) is:
+ - Writable by the orchestrator (to upload new certs/keys).
+ - Readable by both the orchestrator and the A10 device (via SCP).
+
+---
-## Platform Specific Notes
+##### 🔄 Alternate Design Consideration
-The minimum version of the Universal Orchestrator Framework needed to run this version of the extension is
+It may be possible to use the A10 device itself as the SCP target location if it supports read/write SCP operations **outside the CLI context**. However, A10 devices typically restrict file access through CLI or API mechanisms only, and not through standard SCP server operations. This limitation is why a separate Linux SCP server is currently required.
-The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running.
-| Operation | Win | Linux |
-|-----|-----|------|
-|Supports Management Add|✓ |✓ |
-|Supports Management Remove|✓ |✓ |
-|Supports Create Store| | |
-|Supports Discovery| | |
-|Supports Renrollment| | |
-|Supports Inventory|✓ |✓ |
+---
+##### 🔓 Network and Port Requirements
+| Source | Destination | Port | Protocol | Purpose |
+|--------------------|---------------------|------|----------|-------------------------------|
+| Orchestrator | Linux SCP Server | 22 | TCP | Inventory and upload via SCP |
+| A10 Device | Linux SCP Server | 22 | TCP | Cert and key retrieval via SCP|
+| Orchestrator/Admin | A10 Device (API) | 443 | HTTPS | API calls to load certificate |
---
+##### ThunderMgmt Aliases
+
+In the ThunderMgmt store type, the **alias** determines the filename for certificates stored on the SCP server:
+
+- **Certificate File**: `{alias}.crt` on the SCP server
+- **Private Key File**: `{alias}.key` on the SCP server
+- **A10 API Reference**: The A10 management interface loads certificates using SCP URLs pointing to these files
+
+###### Example ThunderMgmt Usage
+```
+Alias: "mgmt-interface-cert"
+→ SCP Server Files:
+ - /home/scpuser/mgmt-interface-cert.crt
+ - /home/scpuser/mgmt-interface-cert.key
+→ A10 API Call:
+ - Certificate URL: scp://scpuser:pass@192.168.1.100:/home/scpuser/mgmt-interface-cert.crt
+ - Key URL: scp://scpuser:pass@192.168.1.100:/home/scpuser/mgmt-interface-cert.key
+```
+
+###### For Alias Names
+- Use names that clearly identify the management purpose: `mgmt-interface-2025`
+- Ensure filenames are valid for both SCP server filesystem and A10 API calls
+- Consider including renewal dates: `mgmt-cert-jan2025`
+
+###### ThunderMgmt File Management
+
+The orchestrator handles file operations as follows:
+
+1. **Add Operation**:
+ - Uploads `{alias}.crt` and `{alias}.key` to SCP server
+ - Calls A10 API to load certificate from SCP URLs
+ - A10 device pulls files directly from SCP server
+
+2. **Remove Operation**:
+ - Deletes `{alias}.crt` and `{alias}.key` from SCP server
+ - Does not modify A10 management interface configuration
+
+3. **Replace Operation** (with Overwrite=true):
+ - Overwrites existing `{alias}.crt` and `{alias}.key` files
+ - Calls A10 API to reload certificate from same SCP URLs
+
+###### Character Limitations
+- **Maximum Length**: 240 characters (enforced by orchestrator)
+- **Recommended Characters**: Letters, numbers, hyphens, underscores
+- **Avoid**: Special characters that might cause issues in API calls or file operations
+
+###### ThunderMgmt Common Issues
+- **File Path Issues**: Ensure SCP user has access to the target directory
+- **Invalid Filenames**: Some characters may not be valid for filesystem operations
+- **URL Encoding**: Special characters in aliases may require URL encoding in SCP URLs
+
+##### ✅ Summary
+
+This extension coordinates certificate and private key delivery by using SCP as a bridge between orchestrator logic and A10's strict API requirements. It ensures secure and automated deployment for the management interface certificates with minimal manual intervention.
+
+
+
+#### Supported Operations
+
+| Operation | Is Supported |
+|--------------|------------------------------------------------------------------------------------------------------------------------|
+| Add | ✅ Checked |
+| Remove | ✅ Checked |
+| Discovery | 🔲 Unchecked |
+| Reenrollment | 🔲 Unchecked |
+| Create | 🔲 Unchecked |
+
+#### Store Type Creation
+
+##### Using kfutil:
+`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
+For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
+ Click to expand ThunderMgmt kfutil details
+
+ ##### Using online definition from GitHub:
+ This will reach out to GitHub and pull the latest store-type definition
+ ```shell
+ # A10 Thunder Management Certificates
+ kfutil store-types create ThunderMgmt
+ ```
+
+ ##### Offline creation using integration-manifest file:
+ If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.
+ You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command
+ in your offline environment.
+ ```shell
+ kfutil store-types create --from-file integration-manifest.json
+ ```
+ Click to expand manual ThunderMgmt details
+
+ Create a store type called `ThunderMgmt` with the attributes in the tables below:
+
+ ##### Basic Tab
+ | Attribute | Value | Description |
+ | --------- | ----- | ----- |
+ | Name | A10 Thunder Management Certificates | Display name for the store type (may be customized) |
+ | Short Name | ThunderMgmt | Short display name for the store type |
+ | Capability | ThunderMgmt | Store type name orchestrator will register with. Check the box to allow entry of value |
+ | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |
+ | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |
+ | Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery |
+ | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
+ | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation |
+ | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |
+ | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
+ | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
+ | Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |
+ | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |
+
+ The Basic tab should look like this:
+
+ 
+
+ ##### Advanced Tab
+ | Attribute | Value | Description |
+ | --------- | ----- | ----- |
+ | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
+ | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
+ | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
+
+ The Advanced tab should look like this:
+
+ 
+
+ > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
+
+ ##### Custom Fields Tab
+ Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
+
+ | Name | Display Name | Description | Type | Default Value/Options | Required |
+ | ---- | ------------ | ---- | --------------------- | -------- | ----------- |
+ | OrchToScpServerIp | Orch To Scp Server Ip | IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates. | String | | ✅ Checked |
+ | ScpPort | Port Used For Scp | TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations. | String | | ✅ Checked |
+ | ScpUserName | UserName Used For Scp | Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval. | Secret | | ✅ Checked |
+ | ScpPassword | Password Used For Scp | Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval. | Secret | | ✅ Checked |
+ | A10ToScpServerIp | A10 Device To Scp Server Ip | IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files. This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths. | String | | ✅ Checked |
+ | allowInvalidCert | Allow Invalid Cert on A10 Management API | Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process. | Bool | true | ✅ Checked |
+
+ The Custom Fields tab should look like this:
+
+ 
+
+
+ ###### Orch To Scp Server Ip
+ IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates.
+
+ 
+
+
+
+ ###### Port Used For Scp
+ TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations.
+
+ 
+
+
+
+ ###### UserName Used For Scp
+ Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval.
+
+ 
+
+
+
+ ###### Password Used For Scp
+ Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval.
+
+ 
+
+
+
+ ###### A10 Device To Scp Server Ip
+ IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files. This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths.
+
+ 
+
+
+
+ ###### Allow Invalid Cert on A10 Management API
+ Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process.
+
+ 
+
+
+
+
+
+ A10 Thunder Ssl Certificates (ThunderSsl)
+
+### ⚙️ Configuration Fields
+
+| Name | Display Name | Description | Type | Required |
+|-------------------|-------------------------------|--------------------------------------------------------------|--------|----------|
+| allowInvalidCert | Allow Invalid Cert on A10 API | If true, allows self-signed/untrusted certs for A10 API access | Bool | ✅ (default: true) |
+
+
+### Store Creation
+
+#### Manually with the Command UI
+
+Click to expand details
+
+1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**
+
+ Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.
+
+2. **Add a Certificate Store.**
+
+ Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.
+
+ | Attribute | Description |
+ | --------- |---------------------------------------------------------|
+ | Category | Select "A10 Thunder Ssl Certificates" or the customized certificate store name from the previous step. |
+ | Container | Optional container to associate certificate store with. |
+ | Client Machine | Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to manage SSL certificates directly on the device. |
+ | Store Path | A10 partition name where certificates will be managed. Use 'shared' for the default shared partition, or specify a custom partition name (e.g., 'tenant-prod') for multi-tenant deployments. The partition must already exist on the A10 device. Leave empty to default to the shared partition. |
+ | Orchestrator | Select an approved orchestrator capable of managing `ThunderSsl` certificates. Specifically, one with the `ThunderSsl` capability. |
+ | allowInvalidCert | Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections. |
+
+Click to expand details
+
+1. **Generate a CSV template for the ThunderSsl certificate store**
+
+ ```shell
+ kfutil stores import generate-template --store-type-name ThunderSsl --outpath ThunderSsl.csv
+ ```
+2. **Populate the generated CSV file**
+
+ Open the CSV file, and reference the table below to populate parameters for each **Attribute**.
+
+ | Attribute | Description |
+ | --------- | ----------- |
+ | Category | Select "A10 Thunder Ssl Certificates" or the customized certificate store name from the previous step. |
+ | Container | Optional container to associate certificate store with. |
+ | Client Machine | Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to manage SSL certificates directly on the device. |
+ | Store Path | A10 partition name where certificates will be managed. Use 'shared' for the default shared partition, or specify a custom partition name (e.g., 'tenant-prod') for multi-tenant deployments. The partition must already exist on the A10 device. Leave empty to default to the shared partition. |
+ | Orchestrator | Select an approved orchestrator capable of managing `ThunderSsl` certificates. Specifically, one with the `ThunderSsl` capability. |
+ | Properties.allowInvalidCert | Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections. |
+
+3. **Import the CSV file to create the certificate stores**
+
+ ```shell
+ kfutil stores import csv --store-type-name ThunderSsl --file ThunderSsl.csv
+ ```
+
+Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
+
+If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.
+
+ | Attribute | Description |
+ | --------- | ----------- |
+ | ServerUsername | Username to use when connecting to server |
+ | ServerPassword | Password to use when connecting to server |
+
+Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
+> Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
+
+A10 Thunder Management Certificates (ThunderMgmt)
+
+
+### Store Creation
+
+#### Manually with the Command UI
+
+Click to expand details
+
+1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**
+
+ Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.
+
+2. **Add a Certificate Store.**
+
+ Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.
+
+ | Attribute | Description |
+ | --------- |---------------------------------------------------------|
+ | Category | Select "A10 Thunder Management Certificates" or the customized certificate store name from the previous step. |
+ | Container | Optional container to associate certificate store with. |
+ | Client Machine | Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to trigger certificate installation on the management interface after uploading files via SCP. |
+ | Store Path | Absolute directory path on the SCP server where certificate files (.crt and .key) will be uploaded. The A10 device will retrieve certificate files from this location. Example: '/home/certuser'. The specified path must exist and the SCP user must have write permissions to this directory. |
+ | Orchestrator | Select an approved orchestrator capable of managing `ThunderMgmt` certificates. Specifically, one with the `ThunderMgmt` capability. |
+ | OrchToScpServerIp | IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates. |
+ | ScpPort | TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations. |
+ | ScpUserName | Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval. |
+ | ScpPassword | Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval. |
+ | A10ToScpServerIp | IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files. This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths. |
+ | allowInvalidCert | Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process. |
+
+Click to expand details
-**A10 Networks vThunder Orchestrator**
+1. **Generate a CSV template for the ThunderMgmt certificate store**
-**Overview**
+ ```shell
+ kfutil stores import generate-template --store-type-name ThunderMgmt --outpath ThunderMgmt.csv
+ ```
+2. **Populate the generated CSV file**
-A10 vThunder AnyAgent allows an organization to inventory and deploy certificates in any domain that the appliance services. The AnyAgent deploys the appropriate files (.cer, .pem) within the defined directories and also performs and Inventory on the Items.
+ Open the CSV file, and reference the table below to populate parameters for each **Attribute**.
-This agent implements three job types – Inventory, Management Add, and Management Remove. Below are the steps necessary to configure this AnyAgent. It supports adding certificates with or without private keys.
+ | Attribute | Description |
+ | --------- | ----------- |
+ | Category | Select "A10 Thunder Management Certificates" or the customized certificate store name from the previous step. |
+ | Container | Optional container to associate certificate store with. |
+ | Client Machine | Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to trigger certificate installation on the management interface after uploading files via SCP. |
+ | Store Path | Absolute directory path on the SCP server where certificate files (.crt and .key) will be uploaded. The A10 device will retrieve certificate files from this location. Example: '/home/certuser'. The specified path must exist and the SCP user must have write permissions to this directory. |
+ | Orchestrator | Select an approved orchestrator capable of managing `ThunderMgmt` certificates. Specifically, one with the `ThunderMgmt` capability. |
+ | Properties.OrchToScpServerIp | IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates. |
+ | Properties.ScpPort | TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations. |
+ | Properties.ScpUserName | Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval. |
+ | Properties.ScpPassword | Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval. |
+ | Properties.A10ToScpServerIp | IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files. This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths. |
+ | Properties.allowInvalidCert | Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process. |
+3. **Import the CSV file to create the certificate stores**
-**A10 vThunder Configuration**
+ ```shell
+ kfutil stores import csv --store-type-name ThunderMgmt --file ThunderMgmt.csv
+ ```
-1. Read up on [A10 Networks ADC](https://a10networks.optrics.com/downloads/datasheets/Thunder-Application-Delivery-Controller-ADC.pdf) and how it works.
-2. A user account is needed with the appropriate permissions on vThunder to manage certificates.
+Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
-#### STORE TYPE CONFIGURATION
-SETTING TAB | CONFIG ELEMENT | DESCRIPTION
-------|-----------|------------------
-Basic |Name |Descriptive name for the Store Type. A10 vThunder can be used.
-Basic |Short Name |The short name that identifies the registered functionality of the orchestrator. Must be vThunderU
-Basic |Custom Capability|Unchecked
-Basic |Job Types |Inventory, Add, and Remove are the supported job types.
-Basic |Needs Server |Must be checked
-Basic |Blueprint Allowed |checked
-Basic |Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked.
-Basic |Supports Entry Password |Determined if an individual entry within a store can have a password. This must be unchecked.
-Advanced |Store Path Type| Determines how the user will enter the store path when setting up the cert store. Freeform
-Advanced |Supports Custom Alias |Determines if an individual entry within a store can have a custom Alias. This must be Required
-Advanced |Private Key Handling |Determines how the orchestrator deals with private keys. Optional
-Advanced |PFX Password Style |Determines password style for the PFX Password. Default
-Custom Fields|protocol|Name:protocol Display Name:Protocol Type:Multiple Choice (http,https) Default Value:https Required:True
-Custom Fields|allowInvalidCert|Name:allowInvalidCert Display Name:Allow Invalid Cert Type:Bool Default Value:false Required:True
-Entry Parameters|N/A| There are no Entry Parameters
+If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.
-**Basic Settings:**
+ | Attribute | Description |
+ | --------- | ----------- |
+ | ServerUsername | Username to use when connecting to server |
+ | ServerPassword | Password to use when connecting to server |
+ | ScpUserName | Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval. |
+ | ScpPassword | Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval. |
-
+Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
+> Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
-**Advanced Settings:**
+
with A10 Extension]
+ end
+
+ subgraph "ThunderSsl Store Type - Direct API Management"
+ A10_SSL[A10 vThunder Appliance
API Endpoint]
+ SSL_STORE[(SSL Certificate Store
Certificates & Keys)]
+ SSL_TEMPLATES[SSL Templates
server-ssl / client-ssl]
+ VIRTUAL_SERVICES[Virtual Services
Load Balancer Config]
+ end
+
+ subgraph "ThunderMgmt Store Type - SCP-Based Management"
+ SCP[SCP Server
Intermediate Storage]
+ A10_MGMT[A10 vThunder Appliance
Management Interface]
+ MGMT_STORE[(Management Certs
.crt / .key files)]
+ end
+
+ KF -->|Certificate Lifecycle Jobs| UO
+
+ UO -->|"1. AXAPI REST Calls
(HTTPS - v4/v6)
Auth, Upload, Template Updates"| A10_SSL
+ A10_SSL -->|Manages| SSL_STORE
+ A10_SSL -->|Updates Bindings| SSL_TEMPLATES
+ SSL_TEMPLATES -->|Bound To| VIRTUAL_SERVICES
+
+ UO -->|"2a. SCP Upload
(SSH/SCP)
cert.crt + cert.key"| SCP
+ SCP -->|"2b. A10 Retrieves
(SCP/SSH)"| A10_MGMT
+ UO -->|"2c. AXAPI Install Command
(HTTPS)"| A10_MGMT
+ A10_MGMT -->|Installs| MGMT_STORE
+
+ style UO fill:#4CAF50,stroke:#2E7D32,color:#fff
+ style A10_SSL fill:#2196F3,stroke:#1565C0,color:#fff
+ style A10_MGMT fill:#2196F3,stroke:#1565C0,color:#fff
+ style SCP fill:#FF9800,stroke:#E65100,color:#fff
+ style SSL_STORE fill:#9C27B0,stroke:#6A1B9A,color:#fff
+ style MGMT_STORE fill:#9C27B0,stroke:#6A1B9A,color:#fff
+```
+
+#### ThunderSsl Store Type (Direct API Management)
+
+The ThunderSsl store type provides direct, API-based certificate management:
+
+- **Single-hop architecture**: Orchestrator connects directly to A10 AXAPI (REST API) via HTTPS
+- **Automatic template management**: Detects and updates SSL template bindings (server-ssl/client-ssl)
+- **Zero-downtime replacements**: Creates timestamped certificates and atomically rebinds templates
+- **Multi-tenant support**: Full partition support for isolated certificate operations
+- **API version flexibility**: Automatically detects and supports both AXAPI v4 and v6
+
+#### ThunderMgmt Store Type (SCP-Based Management)
+
+The ThunderMgmt store type uses an intermediate SCP server for management interface certificates:
+
+- **Three-party architecture**: Orchestrator → SCP Server → A10 Device
+- **Network flexibility**: Supports different network paths between orchestrator and A10 device
+- **File-based deployment**: Uploads .crt and .key files to SCP server for A10 retrieval
+- **Management interface specific**: Used exclusively for A10 GUI/API access certificates
+- **Coordinated installation**: AXAPI commands trigger certificate installation after file transfer
+
+Both store types support PAM integration for secure credential management and require appropriate A10 device permissions.
+
+#### ThunderSsl Store Type
+Uses A10's native REST API (AXAPI) for direct certificate management:
+- Certificates are uploaded directly to the A10 appliance
+- Supports both certificate-only and certificate-with-private-key operations
+- Automatically detects and handles template bindings and virtual service configurations
+- Implements intelligent certificate replacement to avoid service disruption
+
+#### A10 vThunder Requirements
+- A10 vThunder appliance with AXAPI support
+- API versions 4.x or 6.x supported (automatically detected)
+- Valid user account with certificate management privileges
+- For ThunderMgmt: SSH/SCP access enabled
+
+#### Required A10 Permissions
+The orchestrator requires an A10 user account with permissions to:
+- Access AXAPI (REST API)
+- Manage SSL certificates and private keys
+- Read/write SSL templates (server-ssl and client-ssl)
+- Query and modify virtual services
+- Write configuration to memory
+- Set active partitions
+- For ThunderMgmt: SSH/SCP file operations
+
+### Key Features
+
+- **Direct SSL Certificate Management**: Native A10 API integration for SSL certificate deployment and management
+- **Template-Aware Operations**: Intelligent handling of certificates bound to SSL templates and virtual services
+- **Multi-API Version Support**: Automatic detection and support for A10 API v4 and v6
+- **Partition Support**: Full support for A10 partitions for multi-tenant deployments
+- **Certificate Inventory**: Comprehensive discovery and inventory of existing certificates
+- **Management Interface Certificates**: SCP-based deployment for A10 management interface certificates
+- **PAM Integration**: Support for Privileged Access Management systems
+- **Advanced Certificate Replacement**: Zero-downtime certificate replacement with automatic template rebinding
+
+## API Integration Details
+
+### AXAPI Endpoints Used
+
+- **Authentication**: `/axapi/v3/auth` or `/axapi/v4/auth`
+- **SSL Certificates**: `/axapi/v3/slb/ssl-cert` or `/axapi/v4/slb/ssl-cert`
+- **Private Keys**: `/axapi/v3/slb/ssl-key` or `/axapi/v4/slb/ssl-key`
+- **SSL Templates**: `/axapi/v3/slb/template/server-ssl` and `/axapi/v3/slb/template/client-ssl`
+- **Virtual Services**: `/axapi/v3/slb/virtual-server`
+- **Partitions**: `/axapi/v3/active-partition`
+- **Memory Operations**: `/axapi/v3/write/memory`
+
+### Advanced Features
+
+#### Partition Support
+
+The orchestrator fully supports A10 partitions:
+- Set active partition before operations
+- Isolate certificate operations to specific partitions
+- Support multi-tenant deployments
+
+#### Template Management
+
+Intelligent SSL template handling:
+- Detection of server-ssl and client-ssl template usage
+- Atomic template updates during certificate replacement
+- Preservation of template configurations
+
+#### Virtual Service Coordination
+
+Advanced virtual service management:
+- Mapping of templates to virtual service ports
+- Coordinated unbinding and rebinding operations
+- Support for multiple template types on single ports
+
+### TEST CASES
+
+Case Number|Case Name|Case Description|Store Path|Overwrite Flag|Alias Name|Expected Results|Passed
+-----------|---------|----------------|----------|--------------|----------|----------------|--------------
+1|Fresh Add SSL Certificate With Private Key|Will create new SSL certificate and private key on the vThunder appliance in shared partition|shared|true|WebServerSSL|The new WebServerSSL certificate and private key will be created in SSL certificate store on vThunder|True
+1a|Replace SSL Cert with no overwrite flag|Should warn user that a cert cannot be replaced with the same name without overwrite flag|shared|false|WebServerSSL|Error message indicating overwrite flag must be used|True
+1b|Replace SSL Cert with overwrite flag (unbound)|Will replace certificate and private key on vThunder for unbound certificate|shared|true|WebServerSSL|Certificate will be removed and re-added because it's not bound to templates|True
+2|Add SSL Cert Without Private Key|This will create a certificate with no private key on vThunder|shared|false|PublicCertOnly|Only certificate will be added to vThunder SSL store with no private key|True
+2a|Replace SSL Cert Without Private Key|This will replace a certificate with no private key on vThunder|shared|true|PublicCertOnly|Only certificate will be replaced on vThunder with no private key|True
+2b|Replace SSL Cert Without Private Key no overwrite flag|Should warn user that a cert cannot be replaced with the same name without overwrite flag|shared|false|PublicCertOnly|Error message indicating overwrite flag must be used|True
+3|Remove Unbound SSL Certificate and Private Key|Certificate and Private Key will be removed from A10|shared|N/A|WebServerSSL|Certificate and key will be removed from vThunder SSL store|True
+3a|Remove SSL Certificate without Private Key|Certificate will be removed from A10|shared|N/A|PublicCertOnly|Certificate will be removed from vThunder SSL store|True
+
+### Template-Bound Certificate Operations
+
+Case Number|Case Name|Case Description|Store Path|Overwrite Flag|Alias Name|Expected Results|Passed
+-----------|---------|----------------|----------|--------------|----------|----------------|--------------
+4|Replace Server-SSL Template-Bound Certificate|Will create new timestamped certificate and update server-ssl templates|shared|true|APIGatewayCert|New certificate created with timestamp alias (APIGatewayCert_1672531200), server-ssl templates updated, virtual services rebound, old cert removed|True
+4a|Replace Client-SSL Template-Bound Certificate|Will create new timestamped certificate and update client-ssl templates|shared|true|ClientAuthCert|New certificate created with timestamp alias (ClientAuthCert_1672531200), client-ssl templates updated, virtual services rebound, old cert removed|True
+4b|Replace Multi-Template-Bound Certificate|Will create new timestamped certificate and update both server-ssl and client-ssl templates|shared|true|DualPurposeCert|New certificate created with timestamp, both template types updated with consistent alias, all virtual services rebound|True
+4c|Attempt to Remove Template-Bound Certificate|Should fail with informative error about certificate being in use|shared|N/A|BoundServerCert|Error indicating certificate is bound to SSL templates and cannot be removed|True
+
+### Partition Operations
+
+Case Number|Case Name|Case Description|Store Path|Overwrite Flag|Alias Name|Expected Results|Passed
+-----------|---------|----------------|----------|--------------|----------|----------------|--------------
+5|Add SSL Certificate to Custom Partition|Certificate will be added to specified partition instead of shared|tenant-prod|false|TenantWebCert|Certificate added to "tenant-prod" partition, isolated from shared partition|True
+5a|Remove SSL Certificate from Custom Partition|Certificate will be removed from specified partition|tenant-prod|N/A|TenantWebCert|Certificate removed from "tenant-prod" partition, shared partition unaffected|True
+5b|Replace Certificate in Custom Partition with Template Binding|Certificate replacement with template updates in specific partition|tenant-prod|true|TenantAPICert|New timestamped certificate created in partition, partition-specific templates updated|True
+
+### Inventory Operations
+
+Case Number|Case Name|Case Description|Store Path|Overwrite Flag|Alias Name|Expected Results|Passed
+-----------|---------|----------------|----------|--------------|----------|----------------|--------------
+6|Inventory SSL Certificates from Shared Partition|Inventory of SSL certificates will be pulled from shared partition|shared|N/A|N/A|All SSL certificates in shared partition inventoried with private key flags and metadata|True
+6a|Inventory SSL Certificates from Custom Partition|Inventory of SSL certificates will be pulled from specified partition|tenant-prod|N/A|N/A|All SSL certificates in "tenant-prod" partition inventoried, isolated from other partitions|True
+6b|Inventory Mixed Certificate Types|Inventory should handle certificates with and without private keys|shared|N/A|N/A|Certificates with private keys marked as PrivateKeyEntry=true, certificates without marked as false|True
+
+### API Version Compatibility
+
+Case Number|Case Name|Case Description|Store Path|Overwrite Flag|Alias Name|Expected Results|Passed
+-----------|---------|----------------|----------|--------------|----------|----------------|--------------
+7|API v4 Detection and Template Operations|System should detect A10 software version 4.x and use appropriate API format for template updates|shared|true|V4TestCert|API v4 format detected and used for template updates, version info logged showing 4.x software|True
+7a|API v6 Detection and Template Operations|System should detect A10 software version 6.x and use appropriate API format for template updates|shared|true|V6TestCert|API v6 format detected and used for template updates (default), version info logged|True
+
+## ThunderMgmt Store Type Test Cases
+
+### SCP Certificate Operations
+
+Case Number|Case Name|Case Description|Store Path|Overwrite Flag|Alias Name|Expected Results|Passed
+-----------|---------|----------------|----------|--------------|----------|----------------|--------------
+8|Fresh Add Management Certificate via SCP|Will upload certificate files to SCP server and install on A10 management interface|/home/certuser|true|MgmtInterface2025|Files MgmtInterface2025.crt and MgmtInterface2025.key created on SCP server, A10 loads certificate via API|True
+8a|Replace Management Certificate with overwrite flag|Will replace existing certificate files and reload on A10 management interface|/home/certuser|true|MgmtInterface2025|Existing files overwritten, A10 reloads certificate, 60-second delay observed, memory written|True
+8b|Replace Management Certificate without overwrite flag|Should warn user that files cannot be replaced without overwrite flag|/home/certuser|false|MgmtInterface2025|Error indicating files exist and overwrite flag must be used|True
+9|Add Management Cert Without Private Key|This will create certificate file only on SCP server|/home/certuser|false|MgmtCertOnly|Only .crt file will be created on SCP server, no .key file, A10 API called for certificate only|True
+10|Remove Management Certificate Files|Certificate files will be removed from SCP server|/home/certuser|N/A|MgmtInterface2025|Both .crt and .key files deleted from SCP server, A10 management configuration unchanged|True
+
+### SCP Server Connectivity and Error Handling
+
+Case Number|Case Name|Case Description|Store Path|Overwrite Flag|Alias Name|Expected Results|Passed
+-----------|---------|----------------|----------|--------------|----------|----------------|--------------
+11|Inventory Management Certificates from SCP|Inventory of certificate files will be retrieved from SCP server directory|/home/certuser|N/A|N/A|All valid PEM certificates in SCP directory inventoried, invalid files skipped gracefully|True
+11a|SCP Authentication Failure|Should handle SCP authentication errors gracefully|/home/certuser|N/A|TestCert|Clear authentication error message, operation fails safely, security not compromised|True
+11b|SCP Network Connectivity Issues|Should handle network connectivity issues to SCP server|/home/unreachable|N/A|TestCert|Network timeout error captured, distinguishes from authentication errors, provides troubleshooting guidance|True
+11c|Remote File Already Exists Check|Should properly detect existing files on SCP server before upload|/home/certuser|false|ExistingCert|File existence check works correctly, appropriate error when overwrite=false and file exists|True
diff --git a/docsource/images/ThunderMgmt-advanced-store-type-dialog.png b/docsource/images/ThunderMgmt-advanced-store-type-dialog.png
new file mode 100644
index 0000000..7ce7813
Binary files /dev/null and b/docsource/images/ThunderMgmt-advanced-store-type-dialog.png differ
diff --git a/docsource/images/ThunderMgmt-basic-store-type-dialog.png b/docsource/images/ThunderMgmt-basic-store-type-dialog.png
new file mode 100644
index 0000000..fb61d69
Binary files /dev/null and b/docsource/images/ThunderMgmt-basic-store-type-dialog.png differ
diff --git a/docsource/images/ThunderMgmt-custom-field-A10ToScpServerIp-dialog.png b/docsource/images/ThunderMgmt-custom-field-A10ToScpServerIp-dialog.png
new file mode 100644
index 0000000..71903fd
Binary files /dev/null and b/docsource/images/ThunderMgmt-custom-field-A10ToScpServerIp-dialog.png differ
diff --git a/docsource/images/ThunderMgmt-custom-field-OrchToScpServerIp-dialog.png b/docsource/images/ThunderMgmt-custom-field-OrchToScpServerIp-dialog.png
new file mode 100644
index 0000000..46540bd
Binary files /dev/null and b/docsource/images/ThunderMgmt-custom-field-OrchToScpServerIp-dialog.png differ
diff --git a/docsource/images/ThunderMgmt-custom-field-ScpPassword-dialog.png b/docsource/images/ThunderMgmt-custom-field-ScpPassword-dialog.png
new file mode 100644
index 0000000..8fffc7f
Binary files /dev/null and b/docsource/images/ThunderMgmt-custom-field-ScpPassword-dialog.png differ
diff --git a/docsource/images/ThunderMgmt-custom-field-ScpPort-dialog.png b/docsource/images/ThunderMgmt-custom-field-ScpPort-dialog.png
new file mode 100644
index 0000000..0f42859
Binary files /dev/null and b/docsource/images/ThunderMgmt-custom-field-ScpPort-dialog.png differ
diff --git a/docsource/images/ThunderMgmt-custom-field-ScpUserName-dialog.png b/docsource/images/ThunderMgmt-custom-field-ScpUserName-dialog.png
new file mode 100644
index 0000000..578f7c9
Binary files /dev/null and b/docsource/images/ThunderMgmt-custom-field-ScpUserName-dialog.png differ
diff --git a/docsource/images/ThunderMgmt-custom-field-allowInvalidCert-dialog.png b/docsource/images/ThunderMgmt-custom-field-allowInvalidCert-dialog.png
new file mode 100644
index 0000000..74bd63a
Binary files /dev/null and b/docsource/images/ThunderMgmt-custom-field-allowInvalidCert-dialog.png differ
diff --git a/docsource/images/ThunderMgmt-custom-fields-store-type-dialog.png b/docsource/images/ThunderMgmt-custom-fields-store-type-dialog.png
new file mode 100644
index 0000000..9b9976a
Binary files /dev/null and b/docsource/images/ThunderMgmt-custom-fields-store-type-dialog.png differ
diff --git a/docsource/images/ThunderSsl-advanced-store-type-dialog.png b/docsource/images/ThunderSsl-advanced-store-type-dialog.png
new file mode 100644
index 0000000..4827627
Binary files /dev/null and b/docsource/images/ThunderSsl-advanced-store-type-dialog.png differ
diff --git a/docsource/images/ThunderSsl-basic-store-type-dialog.png b/docsource/images/ThunderSsl-basic-store-type-dialog.png
new file mode 100644
index 0000000..73f1e80
Binary files /dev/null and b/docsource/images/ThunderSsl-basic-store-type-dialog.png differ
diff --git a/docsource/images/ThunderSsl-custom-field-allowInvalidCert-dialog.png b/docsource/images/ThunderSsl-custom-field-allowInvalidCert-dialog.png
new file mode 100644
index 0000000..048930a
Binary files /dev/null and b/docsource/images/ThunderSsl-custom-field-allowInvalidCert-dialog.png differ
diff --git a/docsource/images/ThunderSsl-custom-fields-store-type-dialog.png b/docsource/images/ThunderSsl-custom-fields-store-type-dialog.png
new file mode 100644
index 0000000..a1faa77
Binary files /dev/null and b/docsource/images/ThunderSsl-custom-fields-store-type-dialog.png differ
diff --git a/docsource/thundermgmt.md b/docsource/thundermgmt.md
new file mode 100644
index 0000000..2f5b117
--- /dev/null
+++ b/docsource/thundermgmt.md
@@ -0,0 +1,149 @@
+## Overview
+
+### 🔐 Management Certificates
+
+**Purpose:**
+Used to secure HTTPS access to the A10 management interface (GUI/API).
+
+**Usage Context:**
+- AXAPI (API access over HTTPS)
+- Web GUI login
+- Any administrative HTTPS session
+
+**Configured In:**
+- **GUI:** `System → Settings → Certificate`
+
+**Example:**
+When a user logs into the GUI via `https://`, the certificate presented is the **Management Certificate**.
+
+## Requirements
+
+
+### A10 Certificate Management Orchestrator Extension
+
+This orchestrator extension automates the process of uploading, inventorying, and deploying SSL certificates from a Linux SCP server to an A10 vThunder device. Due to A10 API limitations, certificates must be pulled from the SCP server directly by the A10 device itself.
+
+---
+
+#### 📌 How It Works
+
+1. **The orchestrator** connects to a Linux server via SCP to inventory available certificates.
+2. It stores relevant metadata and pushes new certificates and keys to the SCP server.
+3. It then instructs the **A10 device** to retrieve the certificate and private key from the Linux server using API calls.
+4. The A10 device loads the certificate and key directly from the SCP server for use on its **management interface**.
+
+---
+
+#### 📡 API Call Example (From A10 Device)
+
+```http
+POST /axapi/v3/web-service/secure/certificate
+```
+
+**Payload:**
+```json
+{
+ "certificate": {
+ "load": 1,
+ "file-url": "scp://ec2-user:dda@172.31.93.107:/home/ec2-user/26125.crt"
+ }
+}
+```
+
+> A similar call is made for loading the private key onto the A10 device using a separate AXAPI endpoint.
+
+- The A10 device **must have access** to the SCP server via the specified IP (`A10ToScpServerIp`).
+- Ensure the certificate and key file paths are correct and accessible to the SCP user.
+
+---
+
+#### 🔐 Linux Server Requirements
+
+##### User Access
+- The SCP user (`ScpUserName`, e.g., `ec2-user`) must:
+ - Have SSH/SCP access.
+ - Authenticate with a password.
+ - Have **read and write** permissions in the SCP location.
+
+> New certificates and **private keys** are generated by Keyfactor and uploaded to this location by the orchestrator. Therefore, write access is essential.
+
+##### SCP Directory Permissions
+- Ensure the directory (e.g., `/home/ec2-user/`) is:
+ - Writable by the orchestrator (to upload new certs/keys).
+ - Readable by both the orchestrator and the A10 device (via SCP).
+
+---
+
+#### 🔄 Alternate Design Consideration
+
+It may be possible to use the A10 device itself as the SCP target location if it supports read/write SCP operations **outside the CLI context**. However, A10 devices typically restrict file access through CLI or API mechanisms only, and not through standard SCP server operations. This limitation is why a separate Linux SCP server is currently required.
+
+---
+
+#### 🔓 Network and Port Requirements
+
+| Source | Destination | Port | Protocol | Purpose |
+|--------------------|---------------------|------|----------|-------------------------------|
+| Orchestrator | Linux SCP Server | 22 | TCP | Inventory and upload via SCP |
+| A10 Device | Linux SCP Server | 22 | TCP | Cert and key retrieval via SCP|
+| Orchestrator/Admin | A10 Device (API) | 443 | HTTPS | API calls to load certificate |
+
+---
+
+#### ThunderMgmt Aliases
+
+In the ThunderMgmt store type, the **alias** determines the filename for certificates stored on the SCP server:
+
+- **Certificate File**: `{alias}.crt` on the SCP server
+- **Private Key File**: `{alias}.key` on the SCP server
+- **A10 API Reference**: The A10 management interface loads certificates using SCP URLs pointing to these files
+
+##### Example ThunderMgmt Usage
+```
+Alias: "mgmt-interface-cert"
+→ SCP Server Files:
+ - /home/scpuser/mgmt-interface-cert.crt
+ - /home/scpuser/mgmt-interface-cert.key
+→ A10 API Call:
+ - Certificate URL: scp://scpuser:pass@192.168.1.100:/home/scpuser/mgmt-interface-cert.crt
+ - Key URL: scp://scpuser:pass@192.168.1.100:/home/scpuser/mgmt-interface-cert.key
+```
+##### For Alias Names
+- Use names that clearly identify the management purpose: `mgmt-interface-2025`
+- Ensure filenames are valid for both SCP server filesystem and A10 API calls
+- Consider including renewal dates: `mgmt-cert-jan2025`
+
+##### ThunderMgmt File Management
+
+The orchestrator handles file operations as follows:
+
+1. **Add Operation**:
+ - Uploads `{alias}.crt` and `{alias}.key` to SCP server
+ - Calls A10 API to load certificate from SCP URLs
+ - A10 device pulls files directly from SCP server
+
+2. **Remove Operation**:
+ - Deletes `{alias}.crt` and `{alias}.key` from SCP server
+ - Does not modify A10 management interface configuration
+
+3. **Replace Operation** (with Overwrite=true):
+ - Overwrites existing `{alias}.crt` and `{alias}.key` files
+ - Calls A10 API to reload certificate from same SCP URLs
+
+##### Character Limitations
+- **Maximum Length**: 240 characters (enforced by orchestrator)
+- **Recommended Characters**: Letters, numbers, hyphens, underscores
+- **Avoid**: Special characters that might cause issues in API calls or file operations
+
+##### ThunderMgmt Common Issues
+- **File Path Issues**: Ensure SCP user has access to the target directory
+- **Invalid Filenames**: Some characters may not be valid for filesystem operations
+- **URL Encoding**: Special characters in aliases may require URL encoding in SCP URLs
+
+#### ✅ Summary
+
+This extension coordinates certificate and private key delivery by using SCP as a bridge between orchestrator logic and A10's strict API requirements. It ensures secure and automated deployment for the management interface certificates with minimal manual intervention.
+
+
+
+
diff --git a/docsource/thunderssl.md b/docsource/thunderssl.md
new file mode 100644
index 0000000..9701ba2
--- /dev/null
+++ b/docsource/thunderssl.md
@@ -0,0 +1,149 @@
+## Overview
+
+### 🔒 SSL Certificates
+
+**Purpose:**
+Used for securing traffic that passes through the device (i.e., traffic handled by SLB/ADC features).
+
+**Usage Context:**
+- SSL Offloading
+- SSL Intercept (Decryption/Encryption)
+- Reverse proxy configurations
+
+**Configured In:**
+- **GUI:** `ADC → Ssl Management
+
+
+**Example:**
+If the A10 is acting as an SSL offloader for a backend web server, the **SSL Certificate** is used to terminate client HTTPS sessions.
+
+
+## Requirements
+
+### Creating a User for API Access on A10 vThunder
+
+This guide explains how to create a user on A10 vThunder for API (AXAPI) access with appropriate privileges.
+
+#### Step-by-Step Instructions
+
+1. **Enter configuration mode:**
+ ```bash
+ configure terminal
+ ```
+
+2. **Create the user and set a password:**
+ ```bash
+ admin apiuser password yourStrongPassword
+ ```
+
+ Replace `apiuser` with the desired username, and `yourStrongPassword` with a secure password.
+
+3. **Assign necessary privileges:**
+ ```bash
+ privilege read
+ privilege write
+ privilege partition-enable-disable
+ privilege partition-read
+ privilege partition-write
+ ```
+
+ These privileges grant the user:
+ - Global read and write access
+ - Per-partition read and write access
+ - Permission to enable or disable partitions
+
+4. **(Optional) Enable external health monitor privilege (if needed):**
+ ```bash
+ privilege hm
+ ```
+
+5. **Exit user configuration:**
+ ```bash
+ exit
+ ```
+
+#### ThunderSsl Aliases
+
+In the ThunderSsl store type, the **alias** directly corresponds to the certificate and private key names stored on the A10 appliance:
+
+- **Certificate Name**: The alias becomes the SSL certificate identifier in A10's certificate store
+- **Private Key Name**: The same alias is used for the associated private key
+- **Template References**: SSL templates reference certificates by this exact alias name
+- **API Operations**: All A10 API calls use this alias to identify the certificate/key pair
+
+##### Example ThunderSsl Usage
+```
+Alias: "webserver-prod-2025"
+→ A10 Certificate: "webserver-prod-2025"
+→ A10 Private Key: "webserver-prod-2025"
+→ Template Reference: server-ssl template uses cert "webserver-prod-2025"
+```
+
+##### Alias Renaming for Template-Bound Certificates
+
+When replacing a certificate that's bound to SSL templates, the orchestrator uses an intelligent renaming strategy:
+
+1. **Timestamp Generation**: Creates a Unix timestamp (10 digits)
+2. **Alias Pattern Matching**:
+ - If alias contains existing timestamp: `webserver-prod_1640995200` → `webserver-prod_1672531200`
+ - If no timestamp found: `webserver-prod` → `webserver-prod_1672531200`
+3. **Length Validation**: Ensures final alias stays within A10's 240-character limit
+4. **Template Updates**: All SSL templates are updated to reference the new timestamped alias
+5. **Cleanup**: Original certificate is removed after successful template updates
+
+##### Replacement Workflow Example
+```
+Original: "api-gateway-cert"
+Step 1: Generate new alias → "api-gateway-cert_1672531200"
+Step 2: Upload certificate with new alias
+Step 3: Update server-ssl templates: cert "api-gateway-cert" → "api-gateway-cert_1672531200"
+Step 4: Update client-ssl templates: cert "api-gateway-cert" → "api-gateway-cert_1672531200"
+Step 5: Remove old certificate "api-gateway-cert"
+Step 6: Rebind templates to virtual services
+```
+
+
+
+##### Alias Best Practices
+- Use descriptive names that indicate purpose: `web-frontend-ssl`, `api-backend-tls`
+- Avoid special characters that might conflict with A10 naming rules
+- Consider including environment indicators: `prod-web-cert`, `stage-api-cert`
+- Remember that renaming will append timestamps for template-bound certificates
+
+
+
+##### Character Limitations
+- **Maximum Length**: 240 characters (enforced by orchestrator)
+- **Recommended Characters**: Letters, numbers, hyphens, underscores
+- **Avoid**: Special characters that might cause issues in API calls or file operations
+
+#### Troubleshooting Alias Issues
+
+##### ThunderSsl Common Issues
+- **Template Update Failures**: Verify templates exist and are accessible
+- **Long Alias Names**: Orchestrator will truncate to fit timestamp if needed
+- **Special Characters**: May cause API call failures
+
+
+#### Notes
+
+- This user will now be able to authenticate and perform actions via A10's AXAPI (v2/v3) interface.
+- Role-Based Access (RBA) and partition assignment can further fine-tune access control.
+
+#### Example Login via AXAPI
+
+Example using `curl` for AXAPI v3 login:
+```bash
+curl -X POST https:///axapi/v3/auth \
+ -d '{"credentials":{"username":"apiuser","password":"yourStrongPassword"}}' \
+ -H "Content-Type: application/json"
+```
+
+## Certificate Store Configuration
+
+### ⚙️ Configuration Fields
+
+| Name | Display Name | Description | Type | Required |
+|-------------------|-------------------------------|--------------------------------------------------------------|--------|----------|
+| allowInvalidCert | Allow Invalid Cert on A10 API | If true, allows self-signed/untrusted certs for A10 API access | Bool | ✅ (default: true) |
+
diff --git a/images/TC1.gif b/images/TC1.gif
new file mode 100644
index 0000000..1373f5e
Binary files /dev/null and b/images/TC1.gif differ
diff --git a/images/TC10.gif b/images/TC10.gif
new file mode 100644
index 0000000..75dc77a
Binary files /dev/null and b/images/TC10.gif differ
diff --git a/images/TC11.gif b/images/TC11.gif
new file mode 100644
index 0000000..d43c293
Binary files /dev/null and b/images/TC11.gif differ
diff --git a/images/TC13.gif b/images/TC13.gif
new file mode 100644
index 0000000..4ec2b50
Binary files /dev/null and b/images/TC13.gif differ
diff --git a/images/TC14.gif b/images/TC14.gif
new file mode 100644
index 0000000..847a5c2
Binary files /dev/null and b/images/TC14.gif differ
diff --git a/images/TC2.gif b/images/TC2.gif
new file mode 100644
index 0000000..80a12cc
Binary files /dev/null and b/images/TC2.gif differ
diff --git a/images/TC3.gif b/images/TC3.gif
new file mode 100644
index 0000000..a4e2132
Binary files /dev/null and b/images/TC3.gif differ
diff --git a/images/TC4.gif b/images/TC4.gif
new file mode 100644
index 0000000..8c9e271
Binary files /dev/null and b/images/TC4.gif differ
diff --git a/images/TC5.gif b/images/TC5.gif
new file mode 100644
index 0000000..9b8a52e
Binary files /dev/null and b/images/TC5.gif differ
diff --git a/images/TC6.gif b/images/TC6.gif
new file mode 100644
index 0000000..38c498c
Binary files /dev/null and b/images/TC6.gif differ
diff --git a/images/TC7.gif b/images/TC7.gif
new file mode 100644
index 0000000..ce91a87
Binary files /dev/null and b/images/TC7.gif differ
diff --git a/images/TC8.gif b/images/TC8.gif
new file mode 100644
index 0000000..ba84fb4
Binary files /dev/null and b/images/TC8.gif differ
diff --git a/images/TC9.gif b/images/TC9.gif
new file mode 100644
index 0000000..09b657b
Binary files /dev/null and b/images/TC9.gif differ
diff --git a/integration-manifest.json b/integration-manifest.json
index 57cf9cf..d0466f4 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -1,32 +1,142 @@
{
- "$schema": "https://keyfactor.github.io/integration-manifest-schema.json",
- "integration_type": "orchestrator",
- "name": "a10vThunder",
- "status": "production",
- "update_catalog": true,
- "link_github": true,
- "support_level": "kf-supported",
- "description": "A10 vThunder AnyAgent allows an organization to inventory and deploy certificates in any domain that the appliance services. The AnyAgent deploys the appropriate files (.cer, .pem) within the defined directories and also performs and Inventory on the Items.",
- "about": {
- "orchestrator": {
- "win": {
- "supportsCreateStore": false,
- "supportsDiscovery": false,
- "supportsManagementAdd": true,
- "supportsManagementRemove": true,
- "supportsReenrollment": false,
- "supportsInventory": true,
- "platformSupport": "Unused"
- },
- "linux": {
- "supportsCreateStore": false,
- "supportsDiscovery": false,
- "supportsManagementAdd": true,
- "supportsManagementRemove": true,
- "supportsReenrollment": false,
- "supportsInventory": true,
- "platformSupport": "Unused"
- }
- }
- }
+"$schema": "https://keyfactor.github.io/integration-manifest-schema.json",
+"integration_type": "orchestrator",
+"name": "a10vThunder Orchestrator",
+"status": "production",
+"link_github": true,
+"release_project": "a10vthunder-orchestrator/A10vThunder.csproj",
+"release_dir": "a10vthunder-orchestrator/bin/Release",
+"update_catalog": true,
+"support_level": "kf-supported",
+"description": "A10 vThunder AnyAgent allows an organization to inventory and deploy certificates in any domain that the appliance services. The AnyAgent deploys the appropriate files (.cer, .pem) within the defined directories and also performs and Inventory on the Items.",
+"about": {
+"orchestrator": {
+"UOFramework": "10.4",
+"pam_support": true,
+"keyfactor_platform_version": "11.0",
+"store_types": [
+{
+"Name": "A10 Thunder Ssl Certificates",
+"ShortName": "ThunderSsl",
+"Capability": "ThunderSsl",
+"LocalStore": false,
+"SupportedOperations": {
+"Add": true,
+"Create": false,
+"Discovery": false,
+"Enrollment": false,
+"Remove": true
+},
+"Properties": [
+{
+ "Name": "allowInvalidCert",
+ "DisplayName": "Allow Invalid Cert on A10 Management API",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "true",
+ "Required": true,
+ "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections."
+}
+],
+"EntryParameters": [],
+"PasswordOptions": {
+"EntrySupported": false,
+"StoreRequired": false,
+"Style": "Default"
+},
+"StorePathValue": "",
+"ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to manage SSL certificates directly on the device.",
+"StorePathDescription": "A10 partition name where certificates will be managed. Use 'shared' for the default shared partition, or specify a custom partition name (e.g., 'tenant-prod') for multi-tenant deployments. The partition must already exist on the A10 device. Leave empty to default to the shared partition.",
+"PrivateKeyAllowed": "Optional",
+"ServerRequired": true,
+"PowerShell": false,
+"BlueprintAllowed": false,
+"CustomAliasAllowed": "Required"
+},
+{
+"Name": "A10 Thunder Management Certificates",
+"ShortName": "ThunderMgmt",
+"Capability": "ThunderMgmt",
+"LocalStore": false,
+"SupportedOperations": {
+"Add": true,
+"Create": false,
+"Discovery": false,
+"Enrollment": false,
+"Remove": true
+},
+"Properties": [
+{
+ "Name": "OrchToScpServerIp",
+ "DisplayName": "Orch To Scp Server Ip",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates."
+},
+{
+ "Name": "ScpPort",
+ "DisplayName": "Port Used For Scp",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations."
+},
+{
+ "Name": "ScpUserName",
+ "DisplayName": "UserName Used For Scp",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval."
+},
+{
+ "Name": "ScpPassword",
+ "DisplayName": "Password Used For Scp",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval."
+},
+{
+ "Name": "A10ToScpServerIp",
+ "DisplayName": "A10 Device To Scp Server Ip",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files. This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths."
+},
+{
+ "Name": "allowInvalidCert",
+ "DisplayName": "Allow Invalid Cert on A10 Management API",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "true",
+ "Required": true,
+ "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process."
+}
+],
+"EntryParameters": [],
+"PasswordOptions": {
+"EntrySupported": false,
+"StoreRequired": false,
+"Style": "Default"
+},
+"StorePathValue": "",
+"ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to trigger certificate installation on the management interface after uploading files via SCP.",
+"StorePathDescription": "Absolute directory path on the SCP server where certificate files (.crt and .key) will be uploaded. The A10 device will retrieve certificate files from this location. Example: '/home/certuser'. The specified path must exist and the SCP user must have write permissions to this directory.",
+"PrivateKeyAllowed": "Required",
+"ServerRequired": true,
+"PowerShell": false,
+"BlueprintAllowed": false,
+"CustomAliasAllowed": "Required"
+}
+]
+}
+}
}
diff --git a/readme_source.md b/readme_source.md
index bf7b66b..2350458 100644
--- a/readme_source.md
+++ b/readme_source.md
@@ -82,62 +82,4 @@ Use SSL |This should be checked.
User |This is the user name for the vThunder api to access the certficate management functionality.
Password |This is the password for the vThunder api to access the certficate management functionality.
-***
-
-#### Usage
-
-**Adding New Certificate New Alias**
-
-
-
-***
-
-**Replace Cert With Same Alias**
-
-
-
-***
-
-**Add Cert No Private Key**
-
-
-
-***
-
-**Replace Cert No Private Key**
-
-
-
-***
-
-**Remove Cert No Private Key**
-
-
-
-***
-
-**Remove Cert and Private Key**
-
-
-
-***
-
-**Certificate Inventory**
-
-
-
-#### TEST CASES
-Case Number|Case Name|Case Description|Overwrite Flag|Alias Name|Expected Results|Passed
-------------|---------|----------------|--------------|----------|----------------|--------------
-1|Fresh Add With Alias|Will create new certificate and private key on the vThunder appliance|true|KeyAndCertBTest|The new KeyAndCertBTest certificate and private key will be created in the ADC/SSL Cerificates area on vThunder.|True
-1a|Replace Alias with no overwrite flag|Should warn user that a cert cannot be replaced with the same name without overwrite flag|false|KeyAndCertBTest|Error Saying Overwrite Flag Needs To Be Used|True
-1b|Replace Alias with overwrite flag|Will create new certificate and private key on the vThunder appliance|true|KeyAndCertBTest|Cert will be replaced because overwrite flag was used|True
-2|Add Cert Without Private Key|This will create a cert with no private key on vThunder|false|NewCertNoPk|Only Cert will be added to vThunder with no private key|True
-2a|Replace Cert Without Private Key|This will Replace a cert with no private key on vThunder|true|NewCertNoPk|Only Cert will be replaced on vThunder with no private key|True
-2b|Replace Cert Without Private Key no overwrite flag|Should warn user that a cert cannot be replaced with the same name without overwrite flag|false|NewCertNoPk|Error Saying Overwrite Flag Needs To Be Used|True
-3|Remove Certificate and Private Key|Certificate and Private Key Will Be Removed from A10|N/A|KeyAndCertBTest|Cert and Key will be removed from vThunder and Keyfactor Store|True
-3a|Remove Certificate without Private Key|Certificate Will Be Removed from A10|N/A|KeyAndCertBTest|Cert will be removed from vThunder and Keyfactor Store|True
-4|Inventory Certificates with Private Key|Inventory of Certificates with private keys will be pulled from vThunder up to 125 tested|N/A|N/A|125 Certs will be inventoried, more should be supported but there is no paging in the API so limits apply|True
-4a|Inventory Certificates without Private Key|Inventory of Certificates without private keys will be pulled from vThunder up to 125 tested|N/A|N/A|125 Certs will be inventoried, more should be supported but there is no paging in the API so limits apply|True
-