diff --git a/.github/config/MODULE.MD b/.github/config/MODULE.MD
index b5afcef8..fdca24ad 100644
--- a/.github/config/MODULE.MD
+++ b/.github/config/MODULE.MD
@@ -1,64 +1,36 @@
## Requirements
-| Name | Version |
-|---------------------------------------------------------------------------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0 |
-| [github](#requirement\_github) | >=6.2 |
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [github](#requirement\_github) | >=6.2 |
## Providers
-| Name | Version |
-|------------------------------------------------------------|---------|
-| [github](#provider\_github) | 6.3.1 |
+| Name | Version |
+|------|---------|
+| [github](#provider\_github) | 6.3.1 |
## Modules
-| Name | Source | Version |
-|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|---------|
-| [keyfactor\_github\_test\_environment\_10\_5\_0](#module\_keyfactor\_github\_test\_environment\_10\_5\_0) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_10\_5\_0\_CLEAN](#module\_keyfactor\_github\_test\_environment\_10\_5\_0\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_11\_5\_0](#module\_keyfactor\_github\_test\_environment\_11\_5\_0) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_11\_5\_0\_CLEAN](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH\_CLEAN](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_12\_3\_0\_AD](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_AD) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_12\_3\_0\_AD\_CLEAN](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_AD\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH\_CLEAN](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
+| Name | Source | Version |
+|------|--------|---------|
+| [keyfactor\_github\_test\_environment\_ses\_2541](#module\_keyfactor\_github\_test\_environment\_ses\_2541) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
## Resources
-| Name | Type |
-|---------------------------------------------------------------------------------------------------------------------------|-------------|
+| Name | Type |
+|------|------|
| [github_repository.repo](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
## Inputs
-| Name | Description | Type | Default | Required |
-|---------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------|:--------:|
-| [keyfactor\_auth\_token\_url](#input\_keyfactor\_auth\_token\_url) | The token URL to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | `"https://int-oidc-lab.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no |
-| [keyfactor\_client\_id](#input\_keyfactor\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [keyfactor\_client\_secret](#input\_keyfactor\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [keyfactor\_hostname\_10\_5\_0](#input\_keyfactor\_hostname\_10\_5\_0) | The hostname of the Keyfactor v10.5.x instance | `string` | `"integrations1050-lab.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_10\_5\_0\_CLEAN](#input\_keyfactor\_hostname\_10\_5\_0\_CLEAN) | The hostname of the Keyfactor v10.5.x instance with no stores or orchestrators. This is used for store-type tests. | `string` | `"int1050-test-clean.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_11\_5\_0](#input\_keyfactor\_hostname\_11\_5\_0) | The hostname of the Keyfactor v11.5.x instance | `string` | `"integrations1150-lab.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_11\_5\_0\_CLEAN](#input\_keyfactor\_hostname\_11\_5\_0\_CLEAN) | The hostname of the Keyfactor v11.5.x instance with no stores or orchestrators. This is used for store-type tests. | `string` | `"int1150-test-clean.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_11\_5\_0\_OAUTH](#input\_keyfactor\_hostname\_11\_5\_0\_OAUTH) | The hostname of the Keyfactor instance | `string` | `"int-oidc-lab.eastus2.cloudapp.azure.com"` | no |
-| [keyfactor\_hostname\_11\_5\_0\_OAUTH\_CLEAN](#input\_keyfactor\_hostname\_11\_5\_0\_OAUTH\_CLEAN) | The hostname of the Keyfactor instance | `string` | `"int1150-oauth-test-clean.eastus2.cloudapp.azure.com"` | no |
-| [keyfactor\_hostname\_12\_3\_0](#input\_keyfactor\_hostname\_12\_3\_0) | The hostname of the Keyfactor v12.3.x instance | `string` | `"integrations1230-lab.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_12\_3\_0\_CLEAN](#input\_keyfactor\_hostname\_12\_3\_0\_CLEAN) | The hostname of the Keyfactor v12.3.x instance with no stores or orchestrators. This is used for store-type tests. | `string` | `"int1230-test-clean.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_12\_3\_0\_OAUTH](#input\_keyfactor\_hostname\_12\_3\_0\_OAUTH) | The hostname of the Keyfactor instance | `string` | `"int-oidc-lab.eastus2.cloudapp.azure.com"` | no |
-| [keyfactor\_password\_AD](#input\_keyfactor\_password\_AD) | The password to authenticate with Keyfactor instance that uses AD authentication | `string` | n/a | yes |
-| [keyfactor\_username\_AD](#input\_keyfactor\_username\_AD) | The username to authenticate with a Keyfactor instance that uses AD authentication | `string` | n/a | yes |
-| [kfc1230\_client\_id](#input\_kfc1230\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [kfc1230\_client\_secret](#input\_kfc1230\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [kfc1230\_oauth\_hostname](#input\_kfc1230\_oauth\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-oauth.eastus2.cloudapp.azure.com"` | no |
-| [kfc1230\_oauth\_token\_url](#input\_kfc1230\_oauth\_token\_url) | The hostname of the Keyfactor instance | `string` | `"https://int1230c-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no |
-| [kfc1230c\_ad\_hostname](#input\_kfc1230c\_ad\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-ad.eastus2.cloudapp.azure.com"` | no |
-| [kfc1230c\_client\_id](#input\_kfc1230c\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [kfc1230c\_client\_secret](#input\_kfc1230c\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [kfc1230c\_oauth\_hostname](#input\_kfc1230c\_oauth\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-oauth.eastus2.cloudapp.azure.com"` | no |
-| [kfc1230c\_oauth\_token\_url](#input\_kfc1230c\_oauth\_token\_url) | The hostname of the Keyfactor instance | `string` | `"https://int1230c-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no |
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [ses\_2541\_auth\_token\_url](#input\_ses\_2541\_auth\_token\_url) | The OAuth token URL for the SES 25.4.1 Keyfactor Command instance | `string` | `"https://auth.kftestlab.com/oauth2/token"` | no |
+| [ses\_2541\_client\_id](#input\_ses\_2541\_client\_id) | The OAuth client ID for the SES 25.4.1 Keyfactor Command instance | `string` | n/a | yes |
+| [ses\_2541\_client\_secret](#input\_ses\_2541\_client\_secret) | The OAuth client secret for the SES 25.4.1 Keyfactor Command instance | `string` | n/a | yes |
+| [ses\_2541\_hostname](#input\_ses\_2541\_hostname) | The hostname of the SES 25.4.1 Keyfactor Command instance | `string` | `"int25-4-1.kftestlab.com"` | no |
## Outputs
diff --git a/.github/config/README.md b/.github/config/README.md
index 2149532f..7a993d7c 100644
--- a/.github/config/README.md
+++ b/.github/config/README.md
@@ -1,14 +1,13 @@
# GitHub Test Environment Setup
-This code sets up GitHub environments for testing against Keyfactor Command instances that are configured to use
-Active Directory or Keycloak for authentication.
+This code sets up GitHub environments for testing against the SES 25.4.1 Keyfactor Command lab.
## Requirements
1. Terraform >= 1.0
2. GitHub Provider >= 6.2
-3. Keyfactor Command instance(s) configured to use Active Directory or Keycloak for authentication
-4. AD or Keycloak credentials for authenticating to the Keyfactor Command instance(s)
+3. SES 25.4.1 Keyfactor Command lab access
+4. OAuth credentials for authenticating to the Keyfactor Command instance
5. A GitHub token with access and permissions to the repository where the environments will be created
## Adding a new environment
@@ -16,100 +15,59 @@ Active Directory or Keycloak for authentication.
Modify the `environments.tf` file to include the new environment module. The module should be named appropriately.
Example:
-### Active Directory Environment
+### SES 25.4.1 Environment
```hcl
-module "keyfactor_github_test_environment_ad_10_5_0" {
+module "keyfactor_github_test_environment_ses_2541" {
source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
- gh_environment_name = "KFC_10_5_0" # Keyfactor Command 10.5.0 environment using Active Directory(/Basic Auth)
- gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.keyfactor_hostname_10_5_0
- keyfactor_username = var.keyfactor_username_AD
- keyfactor_password = var.keyfactor_password_AD
-}
-```
-
-### oAuth Client Environment
-
-```hcl
-module "keyfactor_github_test_environment_12_3_0_kc" {
- source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-kc.git?ref=main"
-
- gh_environment_name = "KFC_12_3_0_KC" # Keyfactor Command 12.3.0 environment using Keycloak
+ gh_environment_name = "SES_2541"
gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.keyfactor_hostname_12_3_0_OAUTH
- keyfactor_auth_token_url = var.keyfactor_auth_token_url
- keyfactor_client_id = var.keyfactor_client_id
- keyfactor_client_secret = var.keyfactor_client_secret
+ keyfactor_hostname = var.ses_2541_hostname
+ keyfactor_auth_token_url = var.ses_2541_auth_token_url
+ keyfactor_client_id = var.ses_2541_client_id
+ keyfactor_client_secret = var.ses_2541_client_secret
keyfactor_tls_skip_verify = true
+ keyfactor_config_file = base64encode(file("${path.module}/ses2541_command_config.json"))
}
```
## Requirements
-| Name | Version |
-|---------------------------------------------------------------------------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0 |
-| [github](#requirement\_github) | >=6.2 |
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [github](#requirement\_github) | >=6.2 |
## Providers
-| Name | Version |
-|------------------------------------------------------------|---------|
-| [github](#provider\_github) | 6.3.1 |
+| Name | Version |
+|------|---------|
+| [github](#provider\_github) | 6.3.1 |
## Modules
-| Name | Source | Version |
-|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|---------|
-| [keyfactor\_github\_test\_environment\_10\_5\_0](#module\_keyfactor\_github\_test\_environment\_10\_5\_0) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_10\_5\_0\_CLEAN](#module\_keyfactor\_github\_test\_environment\_10\_5\_0\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_11\_5\_0](#module\_keyfactor\_github\_test\_environment\_11\_5\_0) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_11\_5\_0\_CLEAN](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH\_CLEAN](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_12\_3\_0\_AD](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_AD) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_12\_3\_0\_AD\_CLEAN](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_AD\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| [keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH\_CLEAN](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
+| Name | Source | Version |
+|------|--------|---------|
+| [keyfactor\_github\_test\_environment\_ses\_2541](#module\_keyfactor\_github\_test\_environment\_ses\_2541) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
## Resources
-| Name | Type |
-|---------------------------------------------------------------------------------------------------------------------------|-------------|
+| Name | Type |
+|------|------|
| [github_repository.repo](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
## Inputs
-| Name | Description | Type | Default | Required |
-|---------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------|:--------:|
-| [keyfactor\_auth\_token\_url](#input\_keyfactor\_auth\_token\_url) | The token URL to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | `"https://int-oidc-lab.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no |
-| [keyfactor\_client\_id](#input\_keyfactor\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [keyfactor\_client\_secret](#input\_keyfactor\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [keyfactor\_hostname\_10\_5\_0](#input\_keyfactor\_hostname\_10\_5\_0) | The hostname of the Keyfactor v10.5.x instance | `string` | `"integrations1050-lab.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_10\_5\_0\_CLEAN](#input\_keyfactor\_hostname\_10\_5\_0\_CLEAN) | The hostname of the Keyfactor v10.5.x instance with no stores or orchestrators. This is used for store-type tests. | `string` | `"int1050-test-clean.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_11\_5\_0](#input\_keyfactor\_hostname\_11\_5\_0) | The hostname of the Keyfactor v11.5.x instance | `string` | `"integrations1150-lab.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_11\_5\_0\_CLEAN](#input\_keyfactor\_hostname\_11\_5\_0\_CLEAN) | The hostname of the Keyfactor v11.5.x instance with no stores or orchestrators. This is used for store-type tests. | `string` | `"int1150-test-clean.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_11\_5\_0\_OAUTH](#input\_keyfactor\_hostname\_11\_5\_0\_OAUTH) | The hostname of the Keyfactor instance | `string` | `"int-oidc-lab.eastus2.cloudapp.azure.com"` | no |
-| [keyfactor\_hostname\_11\_5\_0\_OAUTH\_CLEAN](#input\_keyfactor\_hostname\_11\_5\_0\_OAUTH\_CLEAN) | The hostname of the Keyfactor instance | `string` | `"int1150-oauth-test-clean.eastus2.cloudapp.azure.com"` | no |
-| [keyfactor\_hostname\_12\_3\_0](#input\_keyfactor\_hostname\_12\_3\_0) | The hostname of the Keyfactor v12.3.x instance | `string` | `"integrations1230-lab.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_12\_3\_0\_CLEAN](#input\_keyfactor\_hostname\_12\_3\_0\_CLEAN) | The hostname of the Keyfactor v12.3.x instance with no stores or orchestrators. This is used for store-type tests. | `string` | `"int1230-test-clean.kfdelivery.com"` | no |
-| [keyfactor\_hostname\_12\_3\_0\_OAUTH](#input\_keyfactor\_hostname\_12\_3\_0\_OAUTH) | The hostname of the Keyfactor instance | `string` | `"int-oidc-lab.eastus2.cloudapp.azure.com"` | no |
-| [keyfactor\_password\_AD](#input\_keyfactor\_password\_AD) | The password to authenticate with Keyfactor instance that uses AD authentication | `string` | n/a | yes |
-| [keyfactor\_username\_AD](#input\_keyfactor\_username\_AD) | The username to authenticate with a Keyfactor instance that uses AD authentication | `string` | n/a | yes |
-| [kfc1230\_client\_id](#input\_kfc1230\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [kfc1230\_client\_secret](#input\_kfc1230\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [kfc1230\_oauth\_hostname](#input\_kfc1230\_oauth\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-oauth.eastus2.cloudapp.azure.com"` | no |
-| [kfc1230\_oauth\_token\_url](#input\_kfc1230\_oauth\_token\_url) | The hostname of the Keyfactor instance | `string` | `"https://int1230c-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no |
-| [kfc1230c\_ad\_hostname](#input\_kfc1230c\_ad\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-ad.eastus2.cloudapp.azure.com"` | no |
-| [kfc1230c\_client\_id](#input\_kfc1230c\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [kfc1230c\_client\_secret](#input\_kfc1230c\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes |
-| [kfc1230c\_oauth\_hostname](#input\_kfc1230c\_oauth\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-oauth.eastus2.cloudapp.azure.com"` | no |
-| [kfc1230c\_oauth\_token\_url](#input\_kfc1230c\_oauth\_token\_url) | The hostname of the Keyfactor instance | `string` | `"https://int1230c-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no |
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [ses\_2541\_auth\_token\_url](#input\_ses\_2541\_auth\_token\_url) | The OAuth token URL for the SES 25.4.1 Keyfactor Command instance | `string` | `"https://auth.kftestlab.com/oauth2/token"` | no |
+| [ses\_2541\_client\_id](#input\_ses\_2541\_client\_id) | The OAuth client ID for the SES 25.4.1 Keyfactor Command instance | `string` | n/a | yes |
+| [ses\_2541\_client\_secret](#input\_ses\_2541\_client\_secret) | The OAuth client secret for the SES 25.4.1 Keyfactor Command instance | `string` | n/a | yes |
+| [ses\_2541\_hostname](#input\_ses\_2541\_hostname) | The hostname of the SES 25.4.1 Keyfactor Command instance | `string` | `"int25-4-1.kftestlab.com"` | no |
## Outputs
No outputs.
-
\ No newline at end of file
+
diff --git a/.github/config/environments.tf b/.github/config/environments.tf
index fb16940c..40842d98 100644
--- a/.github/config/environments.tf
+++ b/.github/config/environments.tf
@@ -1,83 +1,12 @@
-module "keyfactor_github_test_environment_10_5_0" {
+module "keyfactor_github_test_environment_ses_2541" {
source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
- gh_environment_name = "KFC_10_5_0"
- gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.keyfactor_hostname_10_5_0
- keyfactor_username = var.keyfactor_username_AD
- keyfactor_password = var.keyfactor_password_AD
- keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
-}
-
-module "keyfactor_github_test_environment_10_5_0_CLEAN" {
- source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
-
- gh_environment_name = "KFC_10_5_0_CLEAN"
- gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.keyfactor_hostname_10_5_0_CLEAN
- keyfactor_username = var.keyfactor_username_AD
- keyfactor_password = var.keyfactor_password_AD
- keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
-}
-
-module "keyfactor_github_test_environment_11_5_0" {
- source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
-
- gh_environment_name = "KFC_11_5_0"
- gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.keyfactor_hostname_11_5_0
- keyfactor_username = var.keyfactor_username_AD
- keyfactor_password = var.keyfactor_password_AD
- keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
-}
-
-module "keyfactor_github_test_environment_11_5_0_CLEAN" {
- source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
-
- gh_environment_name = "KFC_11_5_0_CLEAN"
- gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.keyfactor_hostname_11_5_0_CLEAN
- keyfactor_username = var.keyfactor_username_AD
- keyfactor_password = var.keyfactor_password_AD
- keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
-}
-
-module "keyfactor_github_test_environment_11_5_0_OAUTH" {
- source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
-
- gh_environment_name = "KFC_11_5_0_OAUTH"
- gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.keyfactor_hostname_11_5_0_OAUTH
- keyfactor_auth_token_url = var.keyfactor_auth_token_url
- keyfactor_client_id = var.keyfactor_client_id
- keyfactor_client_secret = var.keyfactor_client_secret
- keyfactor_tls_skip_verify = true
- keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
-}
-
-module "keyfactor_github_test_environment_11_5_0_OAUTH_CLEAN" {
- source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
-
- gh_environment_name = "KFC_11_5_0_OAUTH_CLEAN"
+ gh_environment_name = "SES_2541"
gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.keyfactor_hostname_11_5_0_OAUTH_CLEAN
- keyfactor_auth_token_url = var.keyfactor_auth_token_url
- keyfactor_client_id = var.keyfactor_client_id
- keyfactor_client_secret = var.keyfactor_client_secret
+ keyfactor_hostname = var.ses_2541_hostname
+ keyfactor_auth_token_url = var.ses_2541_auth_token_url
+ keyfactor_client_id = var.ses_2541_client_id
+ keyfactor_client_secret = var.ses_2541_client_secret
keyfactor_tls_skip_verify = true
- keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
+ keyfactor_config_file = base64encode(file("${path.module}/ses2541_command_config.json"))
}
-
-module "keyfactor_github_test_environment_12_3_0_AD" {
- source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
- gh_environment_name = "KFC_12_3_0_AD"
- gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.keyfactor_hostname_12_3_0
- keyfactor_username = var.keyfactor_username_AD
- keyfactor_password = var.keyfactor_password_AD
- keyfactor_tls_skip_verify = true
- keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
-}
-
-
-
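Review bot: The new `keyfactor_github_test_environment_ses_2541` module keeps `keyfactor_tls_skip_verify = true` (the context line above the config-file change) while handing `var.ses_2541_client_secret` to an OAuth token endpoint and a Command API over TLS, so a client-credentials exchange with verification disabled leaves the secret open to on-path interception; the old `_OAUTH` modules had the same setting, but the commit rewrites this block and is the place to revisit it. If the new lab endpoints carry a certificate the runner trusts, drop the line; if they use a private CA, passing that CA to the module is preferable to disabling verification, and if it must stay, a comment such as `keyfactor_tls_skip_verify = true # lab CA not in runner trust store; see <tracking-issue placeholder>` records the exception. Separately, the module now reads `ses2541_command_config.json` via `file()`, and no hunk in this chunk adds that file; if it is not committed in the same change, `terraform plan` fails on the missing path, so please confirm it exists (and, as the replacement for `command_config.json`, contains no credentials, since it is base64-encoded into the GitHub environment).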
diff --git a/.github/config/int1230_oauth.tf b/.github/config/int1230_oauth.tf
deleted file mode 100644
index 3d8ff208..00000000
--- a/.github/config/int1230_oauth.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-variable "kfc1230_oauth_hostname" {
- description = "The hostname of the Keyfactor instance"
- type = string
- default = "int1230-oauth.eastus2.cloudapp.azure.com"
-}
-
-variable "kfc1230_oauth_token_url" {
- description = "The hostname of the Keyfactor instance"
- type = string
- default = "https://int1230-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"
-}
-
-
-variable "kfc1230_client_id" {
- description = "The client ID to authenticate with the Keyfactor instance using oauth2 client credentials"
- type = string
-
-}
-variable "kfc1230_client_secret" {
- description = "The client secret to authenticate with the Keyfactor instance using oauth2 client credentials"
- type = string
-}
-
-module "keyfactor_github_test_environment_12_3_0_OAUTH" {
- source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
-
- gh_environment_name = "KFC_12_3_0_OAUTH"
- gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.kfc1230_oauth_hostname
- keyfactor_auth_token_url = var.kfc1230_oauth_token_url
- keyfactor_client_id = var.kfc1230_client_id
- keyfactor_client_secret = var.kfc1230_client_secret
- keyfactor_tls_skip_verify = true
- keyfactor_config_file = base64encode(file("${path.module}/int1230_oauth_command_config.json"))
-}
\ No newline at end of file
diff --git a/.github/config/int1230c_ad.tf b/.github/config/int1230c_ad.tf
deleted file mode 100644
index 63ca3d1d..00000000
--- a/.github/config/int1230c_ad.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-variable "kfc1230c_ad_hostname" {
- description = "The hostname of the Keyfactor instance"
- type = string
- default = "int1230c-ad.eastus2.cloudapp.azure.com"
-}
-
-module "keyfactor_github_test_environment_12_3_0_AD_CLEAN" {
- source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
- gh_environment_name = "KFC_12_3_0_AD_CLEAN"
- gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.kfc1230c_ad_hostname
- keyfactor_username = var.keyfactor_username_AD
- keyfactor_password = var.keyfactor_password_AD
- keyfactor_tls_skip_verify = true
- keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
-}
\ No newline at end of file
diff --git a/.github/config/int1230c_oauth.tf b/.github/config/int1230c_oauth.tf
deleted file mode 100644
index b1a34d13..00000000
--- a/.github/config/int1230c_oauth.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-variable "kfc1230c_oauth_hostname" {
- description = "The hostname of the Keyfactor instance"
- type = string
- default = "int1230c-oauth.eastus2.cloudapp.azure.com"
-}
-
-variable "kfc1230c_oauth_token_url" {
- description = "The hostname of the Keyfactor instance"
- type = string
- default = "https://int1230c-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"
-}
-
-
-variable "kfc1230c_client_id" {
- description = "The client ID to authenticate with the Keyfactor instance using oauth2 client credentials"
- type = string
-
-}
-variable "kfc1230c_client_secret" {
- description = "The client secret to authenticate with the Keyfactor instance using oauth2 client credentials"
- type = string
-}
-module "keyfactor_github_test_environment_12_3_0_OAUTH_CLEAN" {
- source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
- gh_environment_name = "KFC_12_3_0_OAUTH_CLEAN"
- gh_repo_name = data.github_repository.repo.name
- keyfactor_hostname = var.kfc1230c_oauth_hostname
- keyfactor_auth_token_url = var.kfc1230c_oauth_token_url
- keyfactor_client_id = var.kfc1230c_client_id
- keyfactor_client_secret = var.kfc1230c_client_secret
- keyfactor_tls_skip_verify = true
- keyfactor_config_file = base64encode(file("${path.module}/int1230c_oauth_command_config.json"))
-}
\ No newline at end of file
diff --git a/.github/config/variables.tf b/.github/config/variables.tf
index 3d557a24..9cdefb09 100644
--- a/.github/config/variables.tf
+++ b/.github/config/variables.tf
@@ -1,85 +1,22 @@
-// Hosts
-variable "keyfactor_hostname_10_5_0" {
- description = "The hostname of the Keyfactor v10.5.x instance"
+variable "ses_2541_hostname" {
+ description = "The hostname of the SES 25.4.1 Keyfactor Command instance"
type = string
- default = "integrations1050-lab.kfdelivery.com"
+ default = "int25-4-1.kftestlab.com"
}
-variable "keyfactor_hostname_10_5_0_CLEAN" {
- description = "The hostname of the Keyfactor v10.5.x instance with no stores or orchestrators. This is used for store-type tests."
+variable "ses_2541_auth_token_url" {
+ description = "The OAuth token URL for the SES 25.4.1 Keyfactor Command instance"
type = string
- default = "int1050-test-clean.kfdelivery.com"
+ default = "https://auth.kftestlab.com/oauth2/token"
}
-
-variable "keyfactor_hostname_11_5_0" {
- description = "The hostname of the Keyfactor v11.5.x instance"
- type = string
- default = "integrations1150-lab.kfdelivery.com"
-}
-
-variable "keyfactor_hostname_11_5_0_CLEAN" {
- description = "The hostname of the Keyfactor v11.5.x instance with no stores or orchestrators. This is used for store-type tests."
- type = string
- default = "int1150-test-clean.kfdelivery.com"
-}
-
-variable "keyfactor_hostname_11_5_0_OAUTH" {
- description = "The hostname of the Keyfactor instance"
- type = string
- default = "int-oidc-lab.eastus2.cloudapp.azure.com"
-}
-
-variable "keyfactor_hostname_11_5_0_OAUTH_CLEAN" {
- description = "The hostname of the Keyfactor instance"
- type = string
- default = "int1150-oauth-test-clean.eastus2.cloudapp.azure.com"
-}
-
-
-variable "keyfactor_hostname_12_3_0" {
- description = "The hostname of the Keyfactor v12.3.x instance"
- type = string
- default = "integrations1230-lab.kfdelivery.com"
-}
-
-variable "keyfactor_hostname_12_3_0_CLEAN" {
- description = "The hostname of the Keyfactor v12.3.x instance with no stores or orchestrators. This is used for store-type tests."
+variable "ses_2541_client_id" {
+ description = "The OAuth client ID for the SES 25.4.1 Keyfactor Command instance"
type = string
- default = "int1230-test-clean.kfdelivery.com"
}
-variable "keyfactor_hostname_12_3_0_OAUTH" {
- description = "The hostname of the Keyfactor instance"
+variable "ses_2541_client_secret" {
+ description = "The OAuth client secret for the SES 25.4.1 Keyfactor Command instance"
type = string
- default = "int-oidc-lab.eastus2.cloudapp.azure.com"
+ sensitive = true
}
-
-
-// Authentication
-variable "keyfactor_username_AD" {
- description = "The username to authenticate with a Keyfactor instance that uses AD authentication"
- type = string
-}
-
-variable "keyfactor_password_AD" {
- description = "The password to authenticate with Keyfactor instance that uses AD authentication"
- type = string
-}
-
-variable "keyfactor_client_id" {
- description = "The client ID to authenticate with the Keyfactor instance using oauth2 client credentials"
- type = string
-}
-
-variable "keyfactor_client_secret" {
- description = "The client secret to authenticate with the Keyfactor instance using oauth2 client credentials"
- type = string
-}
-
-variable "keyfactor_auth_token_url" {
- description = "The token URL to authenticate with the Keyfactor instance using oauth2 client credentials"
- type = string
- default = "https://int-oidc-lab.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"
-}
-
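Review bot: `ses_2541_auth_token_url` accepts any string, so a misconfigured plaintext `http://` token endpoint would send the client secret in the clear; a `validation` block with `condition = can(regex("^https://", var.ses_2541_auth_token_url))` and an `error_message` would reject that at plan time. `ses_2541_client_secret` is correctly marked `sensitive = true`. Dropping the AD username/password and `keyfactor_client_*` variables is only safe if no remaining `module` block still references them, which this hunk cannot show.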
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6452765e..1897501b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,26 @@
+# v1.9.2
+
+## Fixes
+
+### CLI
+
+- `stores import csv`: Support create and sync workflows for certificate stores that use PAM provider-backed
+ `ServerUsername`, `ServerPassword`, and store password values.
+- `stores import csv`: Preserve JSON-shaped secret values as secret strings instead of parsing them into nested
+ request objects.
+- `login`: Add `--skip-validate` to save login configuration without validating credentials against Keyfactor Command.
+
+### Docs
+
+- Add top-level README link to the use-case documentation index.
+- Add use-case documentation for bulk certificate store creation.
+- Add use-case documentation for bulk certificate store updates.
+- Add use-case documentation for migrating certificate store credentials from static values to a PAM provider.
+- Add generated per-store-type bulk create and update use-case guides.
+- Add generated PAM Operations use-case documentation for PAM type and provider creation.
+- `makedocs` now regenerates command docs, store-type use cases, and PAM operation use cases without date-based
+ generated footers.
+
# v1.9.1
## Fixes
diff --git a/GNUmakefile b/GNUmakefile
index 3ec82577..08c2b368 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -83,5 +83,10 @@ generate_toc:
@command -v markdown-toc >/dev/null 2>&1 || (echo "markdown-toc is not installed. Installing..." && npm install -g markdown-toc)
markdown-toc -i $(MARKDOWN_FILE) --skip 'Table of Contents'
+store-type-docs:
+ GOWORK=off GOCACHE=/tmp/kfutil-gocache go run ./tools/storetypedocs
-.PHONY: build prerelease release install test fmt vendor version setversion
\ No newline at end of file
+pam-operation-docs:
+ GOWORK=off GOCACHE=/tmp/kfutil-gocache go run ./tools/pamdocs
+
+.PHONY: build prerelease release install test fmt vendor version setversion store-type-docs pam-operation-docs
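Review bot: Both new targets pin `GOCACHE=/tmp/kfutil-gocache`, a fixed, predictable path in a world-shared directory; on a multi-user or shared CI host another account can pre-create it, and `go run` would then use a cache it does not own. Prefer a per-checkout location such as `GOCACHE=$(CURDIR)/.gocache` (added to `.gitignore`) or leave `GOCACHE` unset so Go uses its per-user default. The diff rendering has dropped leading whitespace, so confirm the recipe lines are tab-indented.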
diff --git a/README.md b/README.md
index 28efd8da..a38f019b 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,11 @@ at https://support.keyfactor.com/
To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual
bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
+## Documentation
+
+- [Command Reference](docs/kfutil.md)
+- [Use Cases](docs/use-cases/README.md)
+
## Quickstart
### Linux/MacOS
@@ -229,13 +234,14 @@ kfutil logout
#### Bulk create cert stores
-For full documentation, see [stores import](docs/kfutil_stores_import.md).
+For command documentation, see [stores import](docs/kfutil_stores_import.md). For a task-oriented walkthrough, see
+[Bulk Certificate Store Creation](docs/use-cases/Certificate%20Store%20Operations/bulk-certificate-store-creation.md).
This will attempt to process a CSV input file of certificate stores to create. The template can be generated by
running: `kfutil stores import generate-template` command.
```bash
-kfutil stores import create --file --store-type-id --store-type-name --results-path --dry-run [flags]
+kfutil stores import csv --file --store-type-id --store-type-name --results-path --dry-run [flags]
```
```bash
@@ -246,7 +252,7 @@ Usage:
kfutil stores import [command]
Available Commands:
- create Create certificate stores
+ csv Create certificate stores from CSV file.
generate-template For generating a CSV template with headers for bulk store creation.
Flags:
@@ -255,6 +261,18 @@ Flags:
Use "kfutil stores import [command] --help" for more information about a command.
```
+#### Bulk update cert stores
+
+For a task-oriented walkthrough, see [Bulk Certificate Store Updates](docs/use-cases/Certificate%20Store%20Operations/bulk-certificate-store-updates.md).
+
+Bulk updates use the CSV import command with `--sync`. Export the target stores, edit the exported CSV, preserve the
+`Id` column, then sync the changes back to Keyfactor Command.
+
+```bash
+kfutil stores export --store-type-name
+kfutil stores import csv --file --store-type-name --sync --no-prompt
+```
+
#### Bulk create cert store types
For full documentation, see [store-types](docs/kfutil_store-types.md).
@@ -514,6 +532,24 @@ kfutil stores inventory remove \
## Development
+### Regenerating documentation
+
+The command reference and generated use-case docs are checked into this repository. Regenerate them after changing CLI
+commands, flags, embedded store type metadata, or embedded PAM type metadata:
+
+```bash
+go run . makedocs
+```
+
+This updates:
+
+- `docs/kfutil*.md` command reference pages
+- `docs/use-cases/Certificate Store Operations/Store Types/*.md`
+- `docs/use-cases/PAM Operations/*.md`
+
+The store type and PAM operation docs are generated from `cmd/store_types.json` and `cmd/pam_types.json`. The generated
+command docs intentionally omit date-based generator footers to avoid unrelated documentation churn.
+
This CLI developed using [cobra](https://umarcor.github.io/cobra/)
### Adding a new command
diff --git a/artifacts/pam/pam-create-template.json b/artifacts/pam/pam-create-template.json
index 80a516c1..91a39981 100644
--- a/artifacts/pam/pam-create-template.json
+++ b/artifacts/pam/pam-create-template.json
@@ -26,6 +26,27 @@
"DataType": 2,
"InstanceLevel": false
},
+ {
+ "Id": -1,
+ "Name": "ClientId",
+ "DisplayName": "Client ID",
+ "DataType": 2,
+ "InstanceLevel": false
+ },
+ {
+ "Id": -1,
+ "Name": "ClientSecret",
+ "DisplayName": "ClientSecret",
+ "DataType": 2,
+ "InstanceLevel": false
+ },
+ {
+ "Id": -1,
+ "Name": "GrantType",
+ "DisplayName": "Grant Type",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
{
"Id": -1,
"Name": "SecretId",
@@ -72,6 +93,36 @@
"DataType": 1,
"InstanceLevel": false
}
+ },
+ {
+ "Value": "N/A",
+ "ProviderTypeParam": {
+ "Id": -1,
+ "Name": "ClientId",
+ "DisplayName": "Client ID",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "N/A",
+ "ProviderTypeParam": {
+ "Id": -1,
+ "Name": "ClientSecret",
+ "DisplayName": "ClientSecret",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "password",
+ "ProviderTypeParam": {
+ "Id": -1,
+ "Name": "GrantType",
+ "DisplayName": "Grant Type",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
}
]
-}
\ No newline at end of file
+}
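Review bot: The new `ClientSecret` parameter uses `"DisplayName": "ClientSecret"` in both places where it is added, while its sibling uses `"Client ID"`; `"DisplayName": "Client Secret"` would match the existing naming. The `"N/A"` placeholder value for a `DataType: 2` secret parameter reads as intentional for a template, but a note in the accompanying docs that it must be replaced before use would help callers.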
diff --git a/cmd/helpers.go b/cmd/helpers.go
index 6195c8e0..1306dfdc 100644
--- a/cmd/helpers.go
+++ b/cmd/helpers.go
@@ -358,7 +358,14 @@ func outputResult(result interface{}, format string) {
Str("format", format).
Msg(fmt.Sprintf("%s outputResult", DebugFuncEnter))
if format == "json" {
- fmt.Println(result)
+ switch value := result.(type) {
+ case []byte:
+ fmt.Println(string(value))
+ case string:
+ fmt.Println(value)
+ default:
+ fmt.Println(result)
+ }
} else {
fmt.Println(fmt.Sprintf("%s", result))
}
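Review bot: The `default` branch of the new type switch still prints with `fmt.Println(result)`, so when `format == "json"` a struct or map result is emitted as Go `%v` text rather than JSON. If callers can pass unserialized values, `json.NewEncoder(os.Stdout).Encode(result)` in that branch (with its error handled, and `encoding/json` imported if it is not already) would make the format name truthful; if every caller already passes pre-marshalled `[]byte`/`string`, a comment on the `default` case saying so would stop the next reader from wondering. `outputResult` begins outside the hunk.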
diff --git a/cmd/login.go b/cmd/login.go
index 3d64dfdc..97fa8ff7 100644
--- a/cmd/login.go
+++ b/cmd/login.go
@@ -19,6 +19,7 @@ import (
"fmt"
"os"
"path"
+ "strconv"
"strings"
"github.com/Keyfactor/keyfactor-auth-client-go/auth_providers"
@@ -28,6 +29,8 @@ import (
"golang.org/x/term"
)
+var loginSkipValidate bool
+
var loginCmd = &cobra.Command{
Use: "login",
Aliases: nil,
@@ -78,16 +81,27 @@ WARNING: This will write the environmental credentials to disk and will be store
kfcOAuth *auth_providers.CommandConfigOauth
kfcBasicAuth *auth_providers.CommandAuthConfigBasic
)
+ skipValidate := loginSkipValidate
log.Debug().Msg("calling getEnvConfig()")
- envConfig, envErr := getServerConfigFromEnv()
+ var envConfig *auth_providers.Server
+ var envErr error
+ if skipValidate {
+ envConfig, envErr = getServerConfigFromEnvNoValidate()
+ } else {
+ envConfig, envErr = getServerConfigFromEnv()
+ }
if envErr == nil {
log.Debug().Msg("getEnvConfig() returned")
+ message := fmt.Sprintf("Login successful via environment variables to %s", envConfig.Host)
+ if skipValidate {
+ message = fmt.Sprintf("Login configuration saved from environment variables to %s; credential validation skipped", envConfig.Host)
+ }
log.Info().
Str("host", envConfig.Host).
Str("authType", envConfig.AuthType).
Msg("Login successful via environment variables")
- outputResult(fmt.Sprintf("Login successful via environment variables to %s", envConfig.Host), outputFormat)
+ outputResult(message, outputFormat)
if profile == "" {
profile = "default"
}
@@ -227,6 +241,9 @@ WARNING: This will write the environmental credentials to disk and will be store
log.Error().Msg("unable to determine auth type from interactive configuration")
}
}
+ if !skipValidate {
+ skipValidate = !promptForInteractiveYesNo("Validate credentials with Keyfactor Command now?")
+ }
}
if !isValidConfig {
@@ -234,6 +251,17 @@ WARNING: This will write the environmental credentials to disk and will be store
return fmt.Errorf("unable to determine valid configuration")
}
+ if skipValidate {
+ log.Info().
+ Str("profile", profile).
+ Str("configFile", configFile).
+ Str("host", outputServer.Host).
+ Str("authType", authType).
+ Msg("Login configuration saved; credential validation skipped")
+ outputResult(fmt.Sprintf("Login configuration saved to %s; credential validation skipped", outputServer.Host), outputFormat)
+ return nil
+ }
+
if authType == "oauth" {
log.Debug().
Str("profile", profile).
@@ -297,6 +325,98 @@ WARNING: This will write the environmental credentials to disk and will be store
func init() {
RootCmd.AddCommand(loginCmd)
+ loginCmd.Flags().BoolVar(
+ &loginSkipValidate,
+ "skip-validate",
+ false,
+ "Save the login configuration without validating credentials against Keyfactor Command.",
+ )
+}
+
+func getServerConfigFromEnvNoValidate() (*auth_providers.Server, error) {
+ hostname, hOk := os.LookupEnv(auth_providers.EnvKeyfactorHostName)
+ if !hOk || hostname == "" {
+ return nil, fmt.Errorf("environment variable %s is required", auth_providers.EnvKeyfactorHostName)
+ }
+
+ apiPath := os.Getenv(auth_providers.EnvKeyfactorAPIPath)
+ if apiPath == "" {
+ apiPath = auth_providers.DefaultCommandAPIPath
+ }
+ skipVerify := skipVerifyFromEnv()
+
+ username, uOk := os.LookupEnv(auth_providers.EnvKeyfactorUsername)
+ password, pOk := os.LookupEnv(auth_providers.EnvKeyfactorPassword)
+ if uOk && pOk {
+ serverConfig := &auth_providers.Server{
+ Host: hostname,
+ APIPath: apiPath,
+ Username: username,
+ Password: password,
+ Domain: os.Getenv(auth_providers.EnvKeyfactorDomain),
+ SkipTLSVerify: skipVerify,
+ AuthType: "basic",
+ }
+ if _, err := serverConfig.GetBasicAuthClientConfig(); err != nil {
+ return nil, err
+ }
+ return serverConfig, nil
+ }
+
+ clientID, cOk := os.LookupEnv(auth_providers.EnvKeyfactorClientID)
+ clientSecret, csOk := os.LookupEnv(auth_providers.EnvKeyfactorClientSecret)
+ tokenURL, tOk := os.LookupEnv(auth_providers.EnvKeyfactorAuthTokenURL)
+ if cOk && csOk && tOk {
+ serverConfig := &auth_providers.Server{
+ Host: hostname,
+ APIPath: apiPath,
+ ClientID: clientID,
+ ClientSecret: clientSecret,
+ OAuthTokenUrl: tokenURL,
+ Scopes: authScopesFromCSV(os.Getenv(auth_providers.EnvKeyfactorAuthScopes)),
+ Audience: os.Getenv(auth_providers.EnvKeyfactorAuthAudience),
+ SkipTLSVerify: skipVerify,
+ AuthType: "oauth",
+ }
+ if _, err := serverConfig.GetOAuthClientConfig(); err != nil {
+ return nil, err
+ }
+ return serverConfig, nil
+ }
+
+ return nil, fmt.Errorf(
+ "incomplete environment variable configuration, " +
+ "please provide basic auth credentials or oAuth credentials",
+ )
+}
+
+func skipVerifyFromEnv() bool {
+ if skipVerifyFlag {
+ return true
+ }
+ value := strings.ToLower(os.Getenv(auth_providers.EnvKeyfactorSkipVerify))
+ parsed, err := strconv.ParseBool(value)
+ if err == nil {
+ return parsed
+ }
+ return value == "yes" || value == "y"
+}
+
+func authScopesFromCSV(scopesCSV string) []string {
+ if scopesCSV == "" {
+ return auth_providers.DefaultScopes
+ }
+ var scopes []string
+ for _, scope := range strings.Split(scopesCSV, ",") {
+ scope = strings.TrimSpace(scope)
+ if scope != "" {
+ scopes = append(scopes, scope)
+ }
+ }
+ if len(scopes) == 0 {
+ return auth_providers.DefaultScopes
+ }
+ return scopes
}
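Review bot: In `getServerConfigFromEnvNoValidate` the branch selection tests only presence (`uOk && pOk`, `cOk && csOk && tOk`), so a variable that is exported but empty selects the basic-auth branch with an empty username/password and, because validation is skipped, that configuration is persisted to disk; mirror the hostname check with `if uOk && pOk && username != "" && password != ""` and do the same for the OAuth triple. Whether `GetBasicAuthClientConfig`/`GetOAuthClientConfig` perform only local field checks is not visible here; if either contacts the server, the `NoValidate` name is misleading and deserves a comment either way. When both credential sets are present the basic-auth branch silently wins, which is worth stating in a doc comment on the function. Separately, in the earlier hunk the structured log line `Msg("Login successful via environment variables")` is unchanged while the user-facing `message` now says validation was skipped; the log should carry the same distinction.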
func writeConfigFile(configFile *auth_providers.Config, configPath string) error {
diff --git a/cmd/login_test.go b/cmd/login_test.go
index ff1c60f4..815eafbc 100644
--- a/cmd/login_test.go
+++ b/cmd/login_test.go
@@ -29,6 +29,8 @@ import (
)
func Test_LoginHelpCmd(t *testing.T) {
+ defer resetRootCommandState()
+
// Test root help
testCmd := RootCmd
testCmd.SetArgs([]string{"login", "--help"})
@@ -96,7 +98,9 @@ func Test_LoginFileNoPrompt(t *testing.T) {
defer setBasicEnvVariables(username, password, domain)
npfCmd := RootCmd
- npfCmd.SetArgs([]string{"login", "--no-prompt"})
+ npfCmd.SetArgs(
+ []string{"login", "--no-prompt", "--skip-validate", "--config", configFilePath, "--profile", "default"},
+ )
output := captureOutput(
func() {
@@ -108,7 +112,7 @@ func Test_LoginFileNoPrompt(t *testing.T) {
},
)
t.Logf("output: %s", output)
- assert.Contains(t, output, "Login successful to")
+ assert.Contains(t, output, "Login configuration saved")
testConfigExists(t, configFilePath, true)
testConfigValid(t)
//testLogout(t)
@@ -165,7 +169,7 @@ func testLogout(t *testing.T, configFilePath string, restoreConfig bool) {
t.FailNow()
}
}
- testCmd.SetArgs([]string{"logout"})
+ testCmd.SetArgs([]string{"logout", "--no-prompt"})
output := captureOutput(
func() {
err := testCmd.Execute()
@@ -174,7 +178,7 @@ func testLogout(t *testing.T, configFilePath string, restoreConfig bool) {
)
t.Logf("output: %s", output)
- assert.Contains(t, output, "Logged out successfully!")
+ assert.Contains(t, output, "Logged out successfully")
// Test that the config file does not exist
if _, fErr := os.Stat(configFile); !os.IsNotExist(fErr) {
diff --git a/cmd/pam.go b/cmd/pam.go
index a6b72273..cfe12e39 100644
--- a/cmd/pam.go
+++ b/cmd/pam.go
@@ -328,6 +328,7 @@ var pamProvidersUpdateCmd = &cobra.Command{
log.Debug().Msg("call: PAMProviderUpdatePamProvider()")
updateRequest := keyfactor.ProviderUpdateRequestLegacy{
+ Id: pamProvider.Id,
Name: pamProvider.Name,
Remote: pamProvider.Remote,
Area: pamProvider.Area,
@@ -339,8 +340,8 @@ var pamProvidersUpdateCmd = &cobra.Command{
updatedPamProvider, cErr := kfClient.UpdatePAMProvider(&updateRequest)
log.Debug().Msg("returned: PAMProviderUpdatePamProvider()")
- if err != nil {
- return err
+ if cErr != nil {
+ return cErr
}
log.Debug().Msg(convertResponseMsg)
diff --git a/cmd/pamTypes_test.go b/cmd/pamTypes_test.go
index 3b9815f0..e8565585 100644
--- a/cmd/pamTypes_test.go
+++ b/cmd/pamTypes_test.go
@@ -74,6 +74,8 @@ func hasIntegrationTestEnvironment() bool {
// Test_PAMTypesHelpCmd tests the help command for pam-types
func Test_PAMTypesHelpCmd(t *testing.T) {
+ defer resetRootCommandState()
+
tests := []struct {
name string
args []string
diff --git a/cmd/pam_test.go b/cmd/pam_test.go
index 322ac4ff..076f1fed 100644
--- a/cmd/pam_test.go
+++ b/cmd/pam_test.go
@@ -249,6 +249,8 @@ func NewPAMProviderTestServer(t *testing.T) *PAMProviderTestServer {
}
func Test_PAMHelpCmd(t *testing.T) {
+ defer resetRootCommandState()
+
// Test root help
testCmd := RootCmd
testCmd.SetArgs([]string{"pam", "--help"})
@@ -394,8 +396,7 @@ func Test_PAMGetCmd(t *testing.T) {
assert.NotEmpty(t, providerConfig["Id"])
assert.NotEmpty(t, providerConfig["ProviderType"])
- pTypeParams := providerConfig["ProviderType"].(map[string]any)["ProviderTypeParams"].([]any)
- assert.NotEmpty(t, pTypeParams)
+ pTypeParams, _ := providerConfig["ProviderType"].(map[string]any)["ProviderTypeParams"].([]any)
assert.GreaterOrEqual(t, len(pTypeParams), 0)
if len(pTypeParams) > 0 {
for _, param := range pTypeParams {
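Review bot: Dropping the type-assertion `ok` together with `assert.NotEmpty` leaves `assert.GreaterOrEqual(t, len(pTypeParams), 0)`, which can never fail, so this check no longer verifies that the provider type carries any parameters; the same weakening appears in the `testListPamProviders` hunk below. If some API versions return the parameters under a different key (the later `testFormatPamCreateConfig` hunk falls back to `"Parameters"`), apply the same fallback here and keep a real assertion, e.g. `pTypeParams, ok := ...["ProviderTypeParams"].([]any); if !ok { pTypeParams, _ = ...["Parameters"].([]any) }`, rather than making the assertion vacuous. The enclosing test function starts outside the hunk.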
@@ -993,8 +994,7 @@ func testListPamProviders(t *testing.T) ([]any, error) {
assert.NotEmpty(t, providerConfig["Id"])
assert.NotEmpty(t, providerConfig["ProviderType"])
- pTypeParams := providerConfig["ProviderType"].(map[string]any)["ProviderTypeParams"].([]any)
- assert.NotEmpty(t, pTypeParams)
+ pTypeParams, _ := providerConfig["ProviderType"].(map[string]any)["ProviderTypeParams"].([]any)
assert.GreaterOrEqual(t, len(pTypeParams), 0)
if len(pTypeParams) > 0 {
for _, param := range pTypeParams {
@@ -1194,10 +1194,14 @@ func testFormatPamCreateConfig(t *testing.T, inputFileName string, providerName
case map[string]any:
aProviderType := apiProviderType.(map[string]any)
cProviderType["Id"] = aProviderType["Id"]
- cProviderType["ProviderTypeParams"] = aProviderType["ProviderTypeParams"]
+ apiProviderTypeParams, ok := aProviderType["ProviderTypeParams"]
+ if !ok || apiProviderTypeParams == nil {
+ apiProviderTypeParams = aProviderType["Parameters"]
+ }
+ cProviderType["ProviderTypeParams"] = apiProviderTypeParams
nameToIdMap := make(map[string]int)
paramsFieldName := "ProviderTypeParams"
- _, ok := cProviderType[paramsFieldName]
+ _, ok = cProviderType[paramsFieldName]
if ok && cProviderType[paramsFieldName] != nil {
t.Logf("PAM definition is v10 or earlier")
for _, cParam := range cProviderType[paramsFieldName].([]any) {
diff --git a/cmd/root.go b/cmd/root.go
index e55e724b..960fdfeb 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -17,8 +17,10 @@ package cmd
import (
_ "embed"
"fmt"
+ "io/fs"
stdlog "log"
"os"
+ "path/filepath"
"strings"
"github.com/Keyfactor/keyfactor-auth-client-go/auth_providers"
@@ -28,6 +30,8 @@ import (
"github.com/spf13/cobra"
"github.com/spf13/cobra/doc"
"golang.org/x/crypto/bcrypt"
+ "kfutil/internal/docgen/pamdocs"
+ "kfutil/internal/docgen/storetypedocs"
)
var (
@@ -839,13 +843,71 @@ var makeDocsCmd = &cobra.Command{
Short: "Generate markdown documentation for kfutil",
Long: `Generate markdown documentation for kfutil.`,
Hidden: true,
- Run: func(cmd *cobra.Command, args []string) {
+ RunE: func(cmd *cobra.Command, args []string) error {
log.Debug().Msg("Enter makeDocsCmd.Run()")
- doc.GenMarkdownTree(RootCmd, "./docs")
+ disableGeneratedDocFooters(RootCmd)
+ if err := doc.GenMarkdownTree(RootCmd, "./docs"); err != nil {
+ return err
+ }
+ if err := storetypedocs.Generate("", "", ""); err != nil {
+ return err
+ }
+ if err := pamdocs.Generate("", ""); err != nil {
+ return err
+ }
+ if err := normalizeGeneratedMarkdownDocs("./docs"); err != nil {
+ return err
+ }
log.Debug().Msg("complete: makeDocsCmd.Run()")
+ return nil
},
}
+func disableGeneratedDocFooters(cmd *cobra.Command) {
+ cmd.DisableAutoGenTag = true
+ for _, child := range cmd.Commands() {
+ disableGeneratedDocFooters(child)
+ }
+}
+
+func normalizeGeneratedMarkdownDocs(root string) error {
+ return filepath.WalkDir(root, func(path string, entry fs.DirEntry, err error) error {
+ if err != nil {
+ return err
+ }
+ if entry.IsDir() || filepath.Ext(path) != ".md" {
+ return nil
+ }
+
+ data, err := os.ReadFile(path)
+ if err != nil {
+ return err
+ }
+ normalized := normalizeMarkdown(string(data))
+ if normalized == string(data) {
+ return nil
+ }
+ return os.WriteFile(path, []byte(normalized), 0o644)
+ })
+}
+
+func normalizeMarkdown(content string) string {
+ content = strings.ReplaceAll(content, "\r\n", "\n")
+ content = strings.ReplaceAll(content, "\r", "\n")
+
+ lines := strings.Split(content, "\n")
+ for i := range lines {
+ lines[i] = strings.TrimRight(lines[i], " \t")
+ }
+ for len(lines) > 0 && lines[len(lines)-1] == "" {
+ lines = lines[:len(lines)-1]
+ }
+ if len(lines) == 0 {
+ return ""
+ }
+ return strings.Join(lines, "\n") + "\n"
+}
+
// RootCmd represents the base command when called without any subcommands
var RootCmd = &cobra.Command{
Use: "kfutil",
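Review bot: `normalizeMarkdown` trims every trailing space and tab from every line, and `normalizeGeneratedMarkdownDocs("./docs")` applies it to every `.md` under `docs/`, including the hand-written use-case pages the README in this diff links to; Markdown treats two trailing spaces as a hard line break, so those are silently removed. Either restrict the walk to the generated outputs (the command reference pages and the store-type and PAM use-case directories) or preserve an exact two-space suffix when trimming. `storetypedocs.Generate("", "", "")` and `pamdocs.Generate("", "")` take empty-string positional arguments whose meaning is not visible here; a one-line comment naming what each empty argument defaults to would help the next maintainer.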
diff --git a/cmd/root_test.go b/cmd/root_test.go
index e3e7e2d0..b48d5f76 100644
--- a/cmd/root_test.go
+++ b/cmd/root_test.go
@@ -19,6 +19,8 @@ import (
)
func Test_RootCmd(t *testing.T) {
+ defer resetRootCommandState()
+
// Test root help
testCmd := RootCmd
testCmd.SetArgs([]string{"--help"})
diff --git a/cmd/storeTypes_get_test.go b/cmd/storeTypes_get_test.go
index 1f252cf0..4f576199 100644
--- a/cmd/storeTypes_get_test.go
+++ b/cmd/storeTypes_get_test.go
@@ -17,27 +17,44 @@ limitations under the License.
package cmd
import (
+ "bytes"
"encoding/json"
+ "io"
"os"
"testing"
"kfutil/pkg/cmdtest"
manifestv1 "kfutil/pkg/keyfactor/v1"
+ "github.com/spf13/cobra"
"github.com/stretchr/testify/assert"
)
+func executeRootCommandCaptureCobraOutput(args ...string) ([]byte, error) {
+ buf := new(bytes.Buffer)
+ setCommandOutput(RootCmd, buf)
+ RootCmd.SetArgs(args)
+ err := RootCmd.Execute()
+ return buf.Bytes(), err
+}
+
+func setCommandOutput(cmd *cobra.Command, out io.Writer) {
+ cmd.SetOut(out)
+ for _, child := range cmd.Commands() {
+ setCommandOutput(child, out)
+ }
+}
+
func Test_StoreTypesGet(t *testing.T) {
t.Run(
"WithName", func(t *testing.T) {
- testCmd := RootCmd
-
- output, err := cmdtest.TestExecuteCommand(t, testCmd, []string{"store-types", "get", "--name", "PEM"}...)
+ resetRootCommandState()
+ output, err := executeRootCommandCaptureCobraOutput("store-types", "get", "--name", "PEM")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
var storeType map[string]interface{}
- if err := json.Unmarshal([]byte(output), &storeType); err != nil {
+ if err := json.Unmarshal(output, &storeType); err != nil {
t.Fatalf("Error unmarshalling JSON: %v", err)
}
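Review bot: `executeRootCommandCaptureCobraOutput` captures only what commands write through `cmd.OutOrStdout()`, but `outputResult` in `cmd/helpers.go` (earlier in this diff) prints with `fmt.Println` straight to process stdout, so whether the buffer sees the JSON depends on `store-types get` routing its output through cobra, which is not visible here; if it does not, `json.Unmarshal(output, ...)` below is fed an empty buffer. `setCommandOutput` also sets only `SetOut`; adding `cmd.SetErr(out)` would capture usage and error text as well. Nothing restores the writers afterwards, so this relies on `resetRootCommandState` (defined elsewhere) undoing `SetOut` on every subcommand — a comment on the helper saying so would make that dependency explicit.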
@@ -61,12 +78,8 @@ func Test_StoreTypesGet(t *testing.T) {
t.Run(
"GenericOutput", func(t *testing.T) {
- testCmd := RootCmd
- output, err := cmdtest.TestExecuteCommand(
- t,
- testCmd,
- []string{"store-types", "get", "--name", "PEM", "-g"}...,
- )
+ resetRootCommandState()
+ output, err := executeRootCommandCaptureCobraOutput("store-types", "get", "--name", "PEM", "-g")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
@@ -99,6 +112,7 @@ func Test_StoreTypesGet(t *testing.T) {
t.Run(
"OutputToManifest", func(t *testing.T) {
+ resetRootCommandState()
testCmd := RootCmd
_, err := cmdtest.TestExecuteCommand(
t,
diff --git a/cmd/storeTypes_pagination_test.go b/cmd/storeTypes_pagination_test.go
new file mode 100644
index 00000000..d58c2a86
--- /dev/null
+++ b/cmd/storeTypes_pagination_test.go
@@ -0,0 +1,24 @@
+package cmd
+
+import (
+ "encoding/json"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func Test_StoreTypesListCLI_ReturnsMoreThanOnePage(t *testing.T) {
+ if testing.Short() || !hasIntegrationTestEnvironment() {
+ t.Skip("requires Keyfactor Command integration environment")
+ }
+ defer resetRootCommandState()
+
+ RootCmd.SetArgs([]string{"store-types", "list", "--no-prompt", "--format", "json"})
+ output := captureOutput(func() {
+ require.NoError(t, RootCmd.Execute())
+ })
+
+ var storeTypes []map[string]any
+ require.NoError(t, json.Unmarshal([]byte(output), &storeTypes))
+ require.Greater(t, len(storeTypes), 50, "store-types list should include results beyond the first default page")
+}
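Review bot: The threshold `50` in `require.Greater(t, len(storeTypes), 50, ...)` encodes the API's default page size without saying so; declare it as `const defaultStoreTypesPageSize = 50 // Command API default page size` so the test reads as "more than one page" rather than a magic number. The test also presumes the integration environment holds more than one page of store types, which is an environment precondition worth stating in the skip message.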
diff --git a/cmd/storeTypes_test.go b/cmd/storeTypes_test.go
index 55b88e50..ae7ca985 100644
--- a/cmd/storeTypes_test.go
+++ b/cmd/storeTypes_test.go
@@ -93,8 +93,46 @@ func loadStoreTypesFromJSON(t *testing.T) []StoreTypeDefinition {
return storeTypes
}
+func storeTypeAllowsEmptyCapability(shortName string) bool {
+ switch shortName {
+ case "AlteonLB", "OktaApp", "OktaIdP":
+ return true
+ default:
+ return false
+ }
+}
+
+func storeTypeAllowsNoSupportedOperations(shortName string) bool {
+ switch shortName {
+ case "HCVPKI", "Signum":
+ return true
+ default:
+ return false
+ }
+}
+
+func assertStoreTypeCapability(t *testing.T, storeType StoreTypeDefinition, message string) {
+ t.Helper()
+ if storeTypeAllowsEmptyCapability(storeType.ShortName) {
+ return
+ }
+ assert.NotEmpty(t, storeType.Capability, message, storeType.ShortName)
+}
+
+func assertStoreTypeHasSupportedOperation(t *testing.T, storeType StoreTypeDefinition) {
+ t.Helper()
+ if storeTypeAllowsNoSupportedOperations(storeType.ShortName) {
+ return
+ }
+ ops := storeType.SupportedOperations
+ hasOperation := ops.Add || ops.Inventory || ops.Create || ops.Discovery || ops.Enrollment || ops.Remove
+ assert.True(t, hasOperation, "Store type %s should support at least one operation", storeType.ShortName)
+}
+
// Test_StoreTypesHelpCmd tests the help command for store-types
func Test_StoreTypesHelpCmd(t *testing.T) {
+ defer resetRootCommandState()
+
tests := []struct {
name string
args []string
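Review bot: `storeTypeAllowsEmptyCapability` and `storeTypeAllowsNoSupportedOperations` hard-code exemptions with no explanation of why those store types may lack a `Capability` or any supported operation; a comment such as `// Store types whose shipped definitions legitimately omit Capability; keep in sync with store_types.json.` above each switch, with the reason per type where known, would keep the lists from growing unreviewed. The `AlteonLB` exemption matches the `store_types.json` hunk in this diff that drops its `Capability`, but the reason for `OktaApp`/`OktaIdP`, `HCVPKI` and `Signum` is not visible here.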
@@ -148,7 +186,7 @@ func Test_StoreTypesJSON_Structure(t *testing.T) {
assert.NotEmpty(t, storeType.Name, "Store type %s should have a Name", storeType.ShortName)
// Test that Capability is not empty
- assert.NotEmpty(t, storeType.Capability, "Store type %s should have a Capability", storeType.ShortName)
+ assertStoreTypeCapability(t, storeType, "Store type %s should have a Capability")
// Test that CustomAliasAllowed has valid value
validCustomAlias := []string{"Optional", "Required", "Forbidden", ""}
@@ -177,18 +215,7 @@ func Test_StoreTypesJSON_Structure(t *testing.T) {
// Validate SupportedOperations
t.Run(
"SupportedOperations", func(t *testing.T) {
- // At least one operation should be supported
- hasOperation := storeType.SupportedOperations.Add ||
- storeType.SupportedOperations.Inventory ||
- storeType.SupportedOperations.Create ||
- storeType.SupportedOperations.Discovery ||
- storeType.SupportedOperations.Enrollment ||
- storeType.SupportedOperations.Remove
-
- assert.True(
- t, hasOperation,
- "Store type %s should support at least one operation", storeType.ShortName,
- )
+ assertStoreTypeHasSupportedOperation(t, storeType)
},
)
@@ -265,6 +292,7 @@ func Test_StoreTypesJSON_CapabilitiesUnique(t *testing.T) {
capability, func(t *testing.T) {
if capability == "" {
t.Logf("Skipping empty capability check")
+ return
}
t.Logf("Capability %s appears %d times", capability, count)
assert.Equal(
@@ -349,12 +377,7 @@ func Test_StoreTypesJSON_SupportedOperations(t *testing.T) {
storeType.ShortName, func(t *testing.T) {
ops := storeType.SupportedOperations
- // At least one operation should be supported
- hasOperation := ops.Add || ops.Inventory || ops.Create || ops.Discovery || ops.Enrollment || ops.Remove
- assert.True(
- t, hasOperation,
- "Store type %s should support at least one operation", storeType.ShortName,
- )
+ assertStoreTypeHasSupportedOperation(t, storeType)
// Log supported operations
var supportedOps []string
@@ -721,10 +744,7 @@ func Test_StoreTypesJSON_DeleteValidation(t *testing.T) {
t, storeType.ShortName,
"Store type must have ShortName for deletion by name",
)
- assert.NotEmpty(
- t, storeType.Capability,
- "Store type must have Capability for identification",
- )
+ assertStoreTypeCapability(t, storeType, "Store type %s must have Capability for identification")
// Verify ShortName is a valid identifier (no special chars that would break CLI)
assert.NotContains(
@@ -756,7 +776,7 @@ func Test_StoreTypesJSON_RequiredFieldsForCreate(t *testing.T) {
// Core identification fields
assert.NotEmpty(t, storeType.ShortName, "ShortName is required")
assert.NotEmpty(t, storeType.Name, "Name is required")
- assert.NotEmpty(t, storeType.Capability, "Capability is required")
+ assertStoreTypeCapability(t, storeType, "Store type %s requires Capability")
// Configuration fields
assert.NotEmpty(t, storeType.CustomAliasAllowed, "CustomAliasAllowed is required")
@@ -768,18 +788,7 @@ func Test_StoreTypesJSON_RequiredFieldsForCreate(t *testing.T) {
"PasswordOptions.Style is required",
)
- // Supported operations structure must exist
- // At least one operation should be true (already tested elsewhere)
- hasOperation := storeType.SupportedOperations.Add ||
- storeType.SupportedOperations.Inventory ||
- storeType.SupportedOperations.Create ||
- storeType.SupportedOperations.Discovery ||
- storeType.SupportedOperations.Enrollment ||
- storeType.SupportedOperations.Remove
- assert.True(
- t, hasOperation,
- "At least one SupportedOperation must be true",
- )
+ assertStoreTypeHasSupportedOperation(t, storeType)
// Properties and EntryParameters can be empty arrays but must not be nil
assert.NotNil(t, storeType.Properties, "Properties array must not be nil")
@@ -810,7 +819,7 @@ func Test_StoreTypesJSON_AllTypesCanBeCreated(t *testing.T) {
assert.NotEmpty(t, storeType.Name, "Must have Name")
// Test 3: Has capability
- assert.NotEmpty(t, storeType.Capability, "Must have Capability")
+ assertStoreTypeCapability(t, storeType, "Store type %s must have Capability")
// Test 4: Can be serialized to JSON
jsonBytes, err := json.Marshal(storeType)
@@ -900,10 +909,7 @@ func Test_StoreTypesJSON_AllTypesCanBeDeleted(t *testing.T) {
assert.NotContains(t, shortName, "\"", "ShortName must not contain double quotes")
// Test 3: Has capability for verification
- assert.NotEmpty(
- t, storeType.Capability,
- "Must have Capability for verification",
- )
+ assertStoreTypeCapability(t, storeType, "Store type %s must have Capability for verification")
// Test 4: Has name for display in deletion confirmations
assert.NotEmpty(
@@ -963,7 +969,7 @@ func Test_StoreTypesJSON_CreateDeleteCycle(t *testing.T) {
// Has required fields
assert.NotEmpty(t, storeType.ShortName, "Creation requires ShortName")
assert.NotEmpty(t, storeType.Name, "Creation requires Name")
- assert.NotEmpty(t, storeType.Capability, "Creation requires Capability")
+ assertStoreTypeCapability(t, storeType, "Store type %s requires Capability for creation")
t.Logf("✓ Create: %s is ready", storeType.ShortName)
},
@@ -989,10 +995,7 @@ func Test_StoreTypesJSON_CreateDeleteCycle(t *testing.T) {
t.Run(
"VerificationReadiness", func(t *testing.T) {
// Has fields to verify creation succeeded
- assert.NotEmpty(
- t, storeType.Capability,
- "Verification requires Capability",
- )
+ assertStoreTypeCapability(t, storeType, "Store type %s requires Capability for verification")
assert.NotEmpty(
t, storeType.Name,
"Verification requires Name",
diff --git a/cmd/store_types.json b/cmd/store_types.json
index a3fd01f6..24e67854 100644
--- a/cmd/store_types.json
+++ b/cmd/store_types.json
@@ -30,6 +30,19 @@
"OnRemove": false,
"OnReenrollment": false
}
+ },
+ {
+ "Name": "NonExportable",
+ "DisplayName": "Non Exportable Private Key",
+ "Description": "If true, this will mark the certificate as having a non-exportable private key when importing into Azure KeyVault",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ }
}
],
"JobProperties": [],
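Review bot: The new NonExportable property uses `"DefaultValue": "False"` while the other Bool properties added in this commit (ServerUseSsl, allowInvalidCert, spnwithport) use lowercase `"true"`/`"false"`. Unless the consumer is known to parse Bool defaults case-insensitively, normalizing to `"DefaultValue": "false"` avoids a default that may not parse as false. The enclosing store type object starts outside the hunk.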
@@ -928,6 +941,20 @@
},
"DefaultValue": "SET-DEFAULT",
"Description": "Required field for Akamai Tech contact."
+ },
+ {
+ "Name": "deployment-network",
+ "DisplayName": "Deployment Network",
+ "Type": "MultipleChoice",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": true
+ },
+ "Options": "Standard TLS,Enhanced TLS",
+ "DefaultValue": "Standard TLS",
+ "Description": "Required field for Deployment Network."
}
],
"PasswordOptions": {
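Review bot: The deployment-network property lists its choices in `"Options": "Standard TLS,Enhanced TLS"` with a single value in DefaultValue, whereas every other MultipleChoice property added in this commit (DigestAlgorithm, PostJobApplicationRestart, WinRM Protocol) puts the choice list in DefaultValue and has no Options key. Only one of these conventions is likely to be honoured by the consumer, so either this entry or the others should be aligned, and the intended form deserves a line in the project's documentation since the JSON file cannot carry a comment. The enclosing store type starts outside the hunk.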
@@ -948,42 +975,31 @@
{
"Name": "Alteon Load Balancer",
"ShortName": "AlteonLB",
- "Capability": "AlteonLB",
- "ClientMachineDescription": "The Alteon Load Balancer Server and port",
- "StorePathDescription": "This value isn't used for this integration (other than to uniquely identify the cert store in certificate searches).",
+ "LocalStore": false,
+ "BlueprintAllowed": false,
+ "PowerShell": false,
+ "ServerRequired": true,
+ "ClientMachineDescription": "The hostname or IP address of the Alteon Load Balancer device (example: https://alteonlb.test.com).",
+ "StorePathType": "",
+ "StorePathValue": "",
+ "StorePathDescription": "",
"SupportedOperations": {
"Add": true,
"Remove": true,
"Enrollment": false,
"Discovery": false,
- "Inventory": true
+ "Create": false
},
- "Properties": [
- {
- "Name": "ServerUsername",
- "DisplayName": "Server Username",
- "Type": "Secret",
- "Description": "Alteon user ID with sufficient permissions to manage certs in the Alteon Load Balancer.",
- "Required": true
- },
- {
- "Name": "ServerPassword",
- "DisplayName": "Server Password",
- "Type": "Secret",
- "Description": "Password associated with Alteon user ID entered above.",
- "Required": true
- }
- ],
"PasswordOptions": {
"EntrySupported": false,
"StoreRequired": false,
"Style": "Default"
},
+ "CustomAliasAllowed": "Optional",
"PrivateKeyAllowed": "Optional",
- "ServerRequired": true,
- "PowerShell": false,
- "BlueprintAllowed": false,
- "CustomAliasAllowed": "Optional"
+ "JobProperties": [],
+ "Properties": [],
+ "EntryParameters": []
},
{
"Name": "Azure Application Gateway Certificate Binding",
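Review bot: The rewritten AlteonLB entry drops the `"Capability": "AlteonLB"` key that every other store type in this file carries and that the test hunks in this commit still check via assertStoreTypeCapability; unless that helper tolerates a missing key, this entry will fail the suite. The rewrite also removes `"Inventory": true` from SupportedOperations without adding it back, and empties Properties of ServerUsername/ServerPassword; if credentials are now expected from the built-in server fields implied by `"ServerRequired": true` that may be intended, but the loss of Inventory looks unintended for a load balancer integration and should be confirmed. Restoring `"Capability": "AlteonLB",` after ShortName is the minimal fix for the first point.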
@@ -1049,6 +1065,98 @@
"BlueprintAllowed": false,
"CustomAliasAllowed": "Required"
},
+ {
+ "Name": "Aruba",
+ "ShortName": "Aruba",
+ "Capability": "Aruba",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": false,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": true,
+ "Remove": false
+ },
+ "EntryParameters": [
+ {
+ "Name": "SAN",
+ "DisplayName": "SAN",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": true
+ },
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of : entries separated by comma; Example: 'DNS:www.example.com,DNS:www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. Allowed SAN types are email, URI, DNS, RID or IP."
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "StorePathType": "",
+ "StorePathValue": "",
+ "PrivateKeyAllowed": "Forbidden",
+ "ClientMachineDescription": "The base URL / IP address of the Aruba instance without the scheme. (i.e. my-server-name.com if the Aruba URL is https://my-server-name.com)",
+ "StorePathDescription": "A semicolon-delimited string that in the format `;` (i.e. clearpass.localhost;HTTP(RSA)). Please see orchestrator documentation for more information.",
+ "JobProperties": [],
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Forbidden",
+ "Properties": [
+ {
+ "Name": "FileServerType",
+ "DisplayName": "File Server Type",
+ "Type": "MultipleChoice",
+ "DependsOn": "",
+ "DefaultValue": "Amazon S3",
+ "Required": true,
+ "Description": "The type of file server that the certificate will be uploaded to. The file server must be able to serve the file via HTTPS."
+ },
+ {
+ "Name": "FileServerHost",
+ "DisplayName": "File Server Host",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "Required. The base URL for the file server host without the scheme. (i.e. my-server-name.com if the file server URL is https://my-server-name.com). See File Server Configuration section in the orchestrator documentation for more details."
+ },
+ {
+ "Name": "FileServerUsername",
+ "DisplayName": "File Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Optional. The username used to access the file server. See File Server Configuration section in the orchestrator documentation for more details."
+ },
+ {
+ "Name": "FileServerPassword",
+ "DisplayName": "File Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Optional. The password used to access the file server. See File Server Configuration section in the orchestrator documentation for more details."
+ },
+ {
+ "Name": "DigestAlgorithm",
+ "DisplayName": "Digest Algorithm",
+ "Type": "MultipleChoice",
+ "DependsOn": "",
+ "DefaultValue": "SHA-256,SHA-1,SHA-224,SHA-384,SHA-512",
+ "Required": true,
+ "Description": "The hash digest algorithm used for the certificate signing request (CSR)."
+ }
+ ]
+ },
{
"Name": "Axis IP Camera",
"ShortName": "AxisIPCamera",
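Review bot: Two description strings in the Aruba entry have lost their placeholders, most likely to angle-bracket stripping: the SAN parameter reads "Format as a list of : entries separated by comma" and StorePathDescription reads "in the format `;`", neither of which tells a user what to enter. They should be restored with bracket-free wording, e.g. "a list of type:value entries" and "hostname;service-name (i.e. clearpass.localhost;HTTP(RSA))". Separately, the DigestAlgorithm choice list `"SHA-256,SHA-1,SHA-224,SHA-384,SHA-512"` offers SHA-1 as a CSR digest, which CAs commonly refuse; consider dropping it or stating in the description that SHA-256 is the expected choice. FileServerType is a MultipleChoice with the single entry `Amazon S3`, which may be intended or may be missing entries.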
@@ -1444,6 +1552,232 @@
"BlueprintAllowed": false,
"CustomAliasAllowed": "Required"
},
+ {
+ "Name": "BMC Orchestrator Solution",
+ "ShortName": "BMC",
+ "Capability": "BMC",
+ "LocalStore": false,
+ "StorePathDescription": "Path points to a BMC Keyring.",
+ "ClientMachineDescription": "Runs on a Windows or Linux based machine.",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": true,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": false
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": false
+ },
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DependsOn": null,
+ "DefaultValue": "true",
+ "Required": true
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "CertLabel",
+ "DisplayName": "CertLabel",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": true,
+ "OnRemove": true,
+ "OnReenrollment": true
+ },
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "Cert label as it appears in the BMC API (without the suffix)."
+ },
+ {
+ "Name": "CertOwner",
+ "DisplayName": "CertOwner",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": true,
+ "OnRemove": true,
+ "OnReenrollment": true
+ },
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "Cert owner as it appears in the BMC API."
+ },
+ {
+ "Name": "CertUse",
+ "DisplayName": "CertUse",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "Cert use as returned by the BMC API."
+ },
+ {
+ "Name": "ImplementCert",
+ "DisplayName": "ImplementCert",
+ "Type": "Bool",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": true,
+ "OnRemove": false,
+ "OnReenrollment": true
+ },
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "Is used to pass an implement cert command to BMC."
+ },
+ {
+ "Name": "IsCertDefault",
+ "DisplayName": "IsCertDefault",
+ "Type": "Bool",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": true,
+ "OnRemove": false,
+ "OnReenrollment": true
+ },
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "Indicates whether a given cert is set as default in a keyring."
+ },
+ {
+ "StoreTypeId": 104,
+ "Name": "RemoveFromAllKeyrings",
+ "DisplayName": "RemoveFromAllKeyrings",
+ "Type": "Bool",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": true,
+ "OnReenrollment": false
+ },
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Options": "",
+ "Description": "A bool to indicate whether a given cert is to be removed from all keyrings."
+ },
+ {
+ "StoreTypeId": 104,
+ "Name": "RollbackCert",
+ "DisplayName": "RollbackCert",
+ "Type": "Bool",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": true,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Options": "",
+ "Description": "A bool to indicate whether a given cert is to be rolled back."
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Optional",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Forbidden"
+ },
+ {
+ "Name": "Barracuda WAF",
+ "ShortName": "BarracudaWaf",
+ "Capability": "BarracudaWaf",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "true",
+ "Required": false,
+ "Description": "Determines whether to connect to the Barracuda WAF management interface over HTTPS (port 8443) or HTTP (port 8000). Default is true (HTTPS)."
+ },
+ {
+ "Name": "ApiVersion",
+ "DisplayName": "API Version",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "v3.2",
+ "Required": false,
+ "Description": "The Barracuda WAF REST API version to use for all requests. Defaults to 'v3.2'. Only change this if your WAF firmware requires a different API version."
+ },
+ {
+ "Name": "InventorySelfSignedCerts",
+ "DisplayName": "Inventory Self-Signed Certificates",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "true",
+ "Required": false,
+ "Description": "When enabled, the inventory job will include self-signed certificates from the WAF in addition to signed certificates. Default is true."
+ },
+ {
+ "Name": "InventoryTrustedCerts",
+ "DisplayName": "Inventory Trusted Certificates",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": false,
+ "Description": "When enabled, the inventory job will include trusted CA certificates and trusted server certificates from the WAF. Default is false."
+ }
+ ],
+ "EntryParameters": [],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "StorePathType": "",
+ "StorePathValue": "/",
+ "PrivateKeyAllowed": "Optional",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "ClientMachineDescription": "The hostname or IP address of the Barracuda WAF appliance. This is used to connect to the REST API on port 8443 (HTTPS) or 8000 (HTTP).",
+ "StorePathDescription": "Not used for this integration. Set to '/' or leave at the default value."
+ },
{
"Name": "Bosch IP Camera",
"ShortName": "BoschIPCamera",
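Review bot: Two BMC entry parameters (RemoveFromAllKeyrings, RollbackCert) carry `"StoreTypeId": 104`, an instance-specific identifier apparently leaked from an export; no other entry in this file has it and the id will not correspond to a target instance. Remove the two `"StoreTypeId": 104,` lines. The BMC ServerUsername/ServerPassword/ServerUseSsl properties also use `null` for DependsOn and DefaultValue while the K8SCert hunk in this same commit normalizes a `null` DefaultValue to `""`, so new entries should follow the normalized form.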
@@ -1635,9 +1969,13 @@
"Remove": true
},
"PasswordOptions": {
+ "Style": "Default",
"EntrySupported": false,
- "StoreRequired": false,
- "Style": "Default"
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Enter a password that matches your Citrix validation rules to encrypt private keys when adding/replacing certificates. Select 'No Value' if you desire an unencrypted private key to be uploaded.",
+ "IsPAMEligible": true
+ }
},
"Properties": [
{
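Review bot: StoreRequired flips from false to true here, but the new StorePassword description tells the user they may select 'No Value' to upload an unencrypted private key; if the consumer enforces StoreRequired that option is unavailable and the text misleads, and if it does not, StoreRequired should stay false. One of the two should change. Existing Citrix stores created without a store password may also stop validating after this change, which is worth a changelog line; the enclosing store type starts outside the hunk.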
@@ -1668,6 +2006,15 @@
"DefaultValue": "false",
"Required": false,
"Description": "Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate."
+ },
+ {
+ "Name": "timeout",
+ "DisplayName": "Login Timeout in seconds",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "3600",
+ "Required": false,
+ "Description": "Determines timeout in seconds for all Citrix ADC API calls."
}
],
"EntryParameters": [
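Review bot: The new property is named `timeout` with DisplayName `Login Timeout in seconds`, but its description says it governs all Citrix ADC API calls; the display name and description disagree about scope, and the lowercase name departs from the PascalCase used by the sibling properties. Align the display name with the description, e.g. `"DisplayName": "API Timeout in seconds"`, or narrow the description to login. Since the value is typed String, the description should also say what happens on a non-numeric value, if that is known.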
@@ -2420,7 +2767,20 @@
"Description": "Determines whether to include the certificate chain when adding a certificate as a secret."
}
],
- "EntryParameters": [],
+ "EntryParameters": [
+ {
+ "Name": "tags",
+ "DisplayName": "Tags",
+ "Type": "String",
+ "Description": "One-to-many Organization level tag Key:Value combinations, comma delimited - i.e. tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ }
+ }
+ ],
"ClientMachineDescription": "Not used",
"StorePathDescription": "The Project ID of the Google Secret Manager being managed."
},
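Review bot: The tags entry parameter omits the `DependsOn`, `DefaultValue` and `Options` keys that the other EntryParameters added in this commit (Aruba SAN, BMC CertLabel) include, and it places Description before RequiredWhen, which no other entry does. If the consumer treats absent keys as empty strings this is harmless, but adding `"DependsOn": "", "DefaultValue": "", "Options": ""` keeps the schema uniform across the file. The enclosing store type starts outside the hunk.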
@@ -2597,7 +2957,7 @@
"StorePathDescription": "This is the path to the secret containing the store.",
"LocalStore": false,
"StorePathType": "",
- "StorePathValue": "",
+ "StorePathValue": "example: '/mycerts/certstore.jks?b64cert'",
"PrivateKeyAllowed": "Optional",
"JobProperties": [],
"ServerRequired": true,
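Review bot: `"StorePathValue": "example: '/mycerts/certstore.jks?b64cert'"` puts descriptive text into what the rest of the file treats as a value field (every other StorePathValue is `""` or `/`); if the consumer prepopulates new stores from StorePathValue, users will get the literal string `example: '...'` as a path. The example belongs in StorePathDescription, which is already present two lines above in this hunk. The same applies to the two later hunks that change the `.p12` and `.pfx` variants.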
@@ -2649,6 +3009,15 @@
"DependsOn": "",
"DefaultValue": "",
"Required": false
+ },
+ {
+ "Name": "PassphrasePath",
+ "DisplayName": "Passphrase Path",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret."
}
],
"EntryParameters": [],
@@ -2670,7 +3039,7 @@
"StorePathDescription": "This is the path to the secret containing the store.",
"LocalStore": false,
"StorePathType": "",
- "StorePathValue": "",
+ "StorePathValue": "example: '/mycerts/certstore.p12?b64cert'",
"PrivateKeyAllowed": "Optional",
"JobProperties": [],
"ServerRequired": true,
@@ -2722,6 +3091,15 @@
"DependsOn": "",
"DefaultValue": "",
"Required": false
+ },
+ {
+ "Name": "PassphrasePath",
+ "DisplayName": "Passphrase Path",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret."
}
],
"EntryParameters": [],
@@ -2823,7 +3201,7 @@
"StorePathDescription": "This is the path to the secret containing the store.",
"LocalStore": false,
"StorePathType": "",
- "StorePathValue": "",
+ "StorePathValue": "example: '/mycerts/certstore.pfx?b64cert'",
"PrivateKeyAllowed": "Optional",
"JobProperties": [],
"ServerRequired": true,
@@ -2875,6 +3253,15 @@
"DependsOn": "",
"DefaultValue": "",
"Required": false
+ },
+ {
+ "Name": "PassphrasePath",
+ "DisplayName": "Passphrase Path",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret."
}
],
"EntryParameters": [],
@@ -2939,6 +3326,15 @@
"DependsOn": "",
"DefaultValue": "",
"Required": true
+ },
+ {
+ "Name": "PassphrasePath",
+ "DisplayName": "Passphrase Path",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret."
}
],
"EntryParameters": [],
@@ -2957,8 +3353,8 @@
"ShortName": "HPiLO",
"Capability": "HPiLO",
"LocalStore": false,
- "StorePathDescription": "This should contain the path pointing to the HPiLO instance address, IP or domain name.",
- "ClientMachineDescription": "Should contain a copy of the store path for compatibility reasons but is currently unused.",
+ "StorePathDescription": "This should contain the full URI pointing to the HPiLO instance, using IP (e.g. `https://10.1.1.1/`) or domain name (e.g. `https://hpilo.test.local/`). The orchestrator will connect to the iLO instance using the iLO API.",
+ "ClientMachineDescription": "Currently unused.",
"SupportedOperations": {
"Add": true,
"Create": false,
@@ -3016,11 +3412,11 @@
"StoreRequired": false,
"Style": "Default"
},
- "PrivateKeyAllowed": "Optional",
+ "PrivateKeyAllowed": "Required",
"ServerRequired": true,
"PowerShell": false,
"BlueprintAllowed": false,
- "CustomAliasAllowed": "Optional"
+ "CustomAliasAllowed": "Required"
},
{
"Name": "IIS Bound Certificate",
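Review bot: PrivateKeyAllowed and CustomAliasAllowed are both tightened from Optional to Required in a store type whose Name and ShortName lie outside this hunk; certificates already added to existing stores of this type without a private key or alias will presumably fail validation on the next job. A migration note or changelog entry should accompany the change, and the same concern applies to the SOS hunk further down that flips StoreRequired to true and CustomAliasAllowed to Forbidden.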
@@ -3195,21 +3591,6 @@
"DefaultValue": "",
"Options": "",
"Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'"
- },
- {
- "Name": "SAN",
- "DisplayName": "SAN",
- "Type": "String",
- "RequiredWhen": {
- "HasPrivateKey": false,
- "OnAdd": false,
- "OnRemove": false,
- "OnReenrollment": true
- },
- "DependsOn": "",
- "DefaultValue": "",
- "Options": "",
- "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA."
}
],
"PasswordOptions": {
@@ -3260,7 +3641,7 @@
"Name": "K8SCert",
"ShortName": "K8SCert",
"Capability": "K8SCert",
- "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.",
+ "ClientMachineDescription": "The Kubernetes cluster name or identifier.",
"LocalStore": false,
"SupportedOperations": {
"Add": false,
@@ -3276,7 +3657,7 @@
"Description": "This should be no value or `kubeconfig`",
"Type": "Secret",
"DependsOn": "",
- "DefaultValue": null,
+ "DefaultValue": "",
"Required": false
},
{
@@ -3288,32 +3669,14 @@
"DefaultValue": null,
"Required": true
},
- {
- "Name": "KubeNamespace",
- "DisplayName": "KubeNamespace",
- "Description": "The K8S namespace to use to manage the K8S secret object.",
- "Type": "String",
- "DependsOn": "",
- "DefaultValue": "default",
- "Required": false
- },
{
"Name": "KubeSecretName",
"DisplayName": "KubeSecretName",
- "Description": "The name of the K8S secret object.",
+ "Description": "The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster.",
"Type": "String",
"DependsOn": "",
"DefaultValue": "",
"Required": false
- },
- {
- "Name": "KubeSecretType",
- "DisplayName": "KubeSecretType",
- "Description": "This defaults to and must be `csr`",
- "Type": "String",
- "DependsOn": "",
- "DefaultValue": "cert",
- "Required": true
}
],
"EntryParameters": [],
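Review bot: KubeSecretName keeps its name while its description now says it holds the name of a CSR to inventory, with '*' meaning all CSRs; a property whose name says secret but whose value is a CSR name will confuse operators, and the removal of KubeNamespace and KubeSecretType means existing K8SCert stores that carry those properties will presumably have them ignored or rejected. If renaming is off the table for compatibility, the description should say so, e.g. `"Description": "Name of the CSR to inventory (property name retained for compatibility). Leave empty or '*' to inventory all issued CSRs."`. Whether `*` is a literal wildcard only or a glob pattern is also worth stating.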
@@ -3352,7 +3715,7 @@
"DependsOn": null,
"DefaultValue": "true",
"Required": false,
- "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed."
+ "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting."
},
{
"Name": "SeparateChain",
@@ -3432,11 +3795,11 @@
{
"Name": "KubeSecretType",
"DisplayName": "KubeSecretType",
- "Description": "This defaults to and must be `jks`",
+ "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`.",
"Type": "String",
"DependsOn": "",
"DefaultValue": "jks",
- "Required": true
+ "Required": false
},
{
"Name": "CertificateDataFieldName",
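Review bot: The new description says the property is deprecated and automatically derived, yet the same text still ends with "This defaults to and must be `jks`." and the entry keeps `"DefaultValue": "jks"`, so a reader cannot tell whether setting it does anything. Drop the "must be" clause, or state explicitly that any supplied value is ignored. The same wording is repeated in the three later KubeSecretType hunks (`pkcs12`, `secret`, `tls_secret`).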
@@ -3472,7 +3835,7 @@
"DependsOn": null,
"DefaultValue": "true",
"Required": false,
- "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed."
+ "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting."
},
{
"Name": "StorePasswordPath",
@@ -3547,7 +3910,7 @@
"DependsOn": null,
"DefaultValue": "true",
"Required": false,
- "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed."
+ "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting."
},
{
"Name": "SeparateChain",
@@ -3613,7 +3976,7 @@
"DependsOn": null,
"DefaultValue": "true",
"Required": false,
- "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed."
+ "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting."
},
{
"Name": "CertificateDataFieldName",
@@ -3680,11 +4043,11 @@
{
"Name": "KubeSecretType",
"DisplayName": "Kube Secret Type",
- "Description": "This defaults to and must be `pkcs12`",
+ "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`.",
"Type": "String",
"DependsOn": "",
"DefaultValue": "pkcs12",
- "Required": true
+ "Required": false
},
{
"Name": "StorePasswordPath",
@@ -3746,11 +4109,11 @@
{
"Name": "KubeSecretType",
"DisplayName": "KubeSecretType",
- "Description": "This defaults to and must be `secret`",
+ "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`.",
"Type": "String",
"DependsOn": "",
"DefaultValue": "secret",
- "Required": true
+ "Required": false
},
{
"Name": "IncludeCertChain",
@@ -3759,7 +4122,7 @@
"DependsOn": null,
"DefaultValue": "true",
"Required": false,
- "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed."
+ "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting."
},
{
"Name": "SeparateChain",
@@ -3839,11 +4202,11 @@
{
"Name": "KubeSecretType",
"DisplayName": "KubeSecretType",
- "Description": "This defaults to and must be `tls_secret`",
+ "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`.",
"Type": "String",
"DependsOn": "",
"DefaultValue": "tls_secret",
- "Required": true
+ "Required": false
},
{
"Name": "IncludeCertChain",
@@ -3852,7 +4215,7 @@
"DependsOn": null,
"DefaultValue": "true",
"Required": false,
- "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed."
+ "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting."
},
{
"Name": "SeparateChain",
@@ -4479,6 +4842,15 @@
"Type": "Bool",
"DefaultValue": "True",
"Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "Apache Tomcat Restart,Jetty Restart",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired."
}
],
"EntryParameters": [],
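Review bot: The description says to leave the choice unselected if no command should run, but the MultipleChoice lists its choices in DefaultValue (`Apache Tomcat Restart,Jetty Restart`); if the consumer selects the first listed entry by default, every new store will restart Tomcat after each Management Add or ODKG job unless the operator opts out. Since this property causes a command to be executed on the host, an explicit no-op first entry such as `None`, or a statement in the description that no selection is the default, would make the safe behaviour unambiguous. The same applies to the second PostJobApplicationRestart hunk below.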
@@ -4866,6 +5238,15 @@
"Type": "Bool",
"DefaultValue": "True",
"Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired."
}
],
"EntryParameters": [],
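Review bot: The DefaultValue list contains `NGNIX Restart`, a misspelling of NGINX; because the choice string is what gets persisted in store configurations and presumably matched when the orchestrator picks the restart command, fixing it later means a migration for every store that selected it. Correct it now: `"DefaultValue": "Apache HTTPD Restart,NGINX Restart,HAProxy Restart,Envoy Proxy Restart"`.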
@@ -4991,8 +5372,8 @@
"ShortName": "SOS",
"Capability": "SOS",
"LocalStore": false,
- "StorePathDescription": "Path points to a local .json file. Orchestrator and its account should have read/write access.",
- "ClientMachineDescription": "Runs on a Windows based machine.",
+ "StorePathDescription": "The name of the store as defined in the SOS system (i.e. SampleKeyStore2).",
+ "ClientMachineDescription": "The base URL of the SOS API (i.e. http://localhost:8080)",
"SupportedOperations": {
"Add": true,
"Create": true,
@@ -5043,7 +5424,7 @@
"HasPrivateKey": false,
"OnAdd": false,
"OnRemove": false,
- "OnReenrollment": false
+ "OnReenrollment": true
},
"Description": "SAN string."
},
@@ -5090,14 +5471,14 @@
],
"PasswordOptions": {
"EntrySupported": true,
- "StoreRequired": false,
+ "StoreRequired": true,
"Style": "Default"
},
"PrivateKeyAllowed": "Optional",
"ServerRequired": true,
"PowerShell": false,
"BlueprintAllowed": true,
- "CustomAliasAllowed": "Optional"
+ "CustomAliasAllowed": "Forbidden"
},
{
"Name": "Signum",
@@ -5146,6 +5527,127 @@
"Style": "Default"
}
},
+ {
+ "Name": "A10 Thunder Management Certificates",
+ "ShortName": "ThunderMgmt",
+ "Capability": "ThunderMgmt",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "OrchToScpServerIp",
+ "DisplayName": "Orch To Scp Server Ip",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates."
+ },
+ {
+ "Name": "ScpPort",
+ "DisplayName": "Port Used For Scp",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations."
+ },
+ {
+ "Name": "ScpUserName",
+ "DisplayName": "UserName Used For Scp",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval."
+ },
+ {
+ "Name": "ScpPassword",
+ "DisplayName": "Password Used For Scp",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval."
+ },
+ {
+ "Name": "A10ToScpServerIp",
+ "DisplayName": "A10 Device To Scp Server Ip",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files. This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths."
+ },
+ {
+ "Name": "allowInvalidCert",
+ "DisplayName": "Allow Invalid Cert on A10 Management API",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "true",
+ "Required": true,
+ "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process."
+ }
+ ],
+ "EntryParameters": [],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "StorePathValue": "",
+ "ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to trigger certificate installation on the management interface after uploading files via SCP.",
+ "StorePathDescription": "Absolute directory path on the SCP server where certificate files (.crt and .key) will be uploaded. The A10 device will retrieve certificate files from this location. Example: '/home/certuser'. The specified path must exist and the SCP user must have write permissions to this directory.",
+ "PrivateKeyAllowed": "Required",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+ },
+ {
+ "Name": "A10 Thunder Ssl Certificates",
+ "ShortName": "ThunderSsl",
+ "Capability": "ThunderSsl",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "allowInvalidCert",
+ "DisplayName": "Allow Invalid Cert on A10 Management API",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "true",
+ "Required": true,
+ "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections."
+ }
+ ],
+ "EntryParameters": [],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "StorePathValue": "",
+ "ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to manage SSL certificates directly on the device.",
+ "StorePathDescription": "A10 partition name where certificates will be managed. Use 'shared' for the default shared partition, or specify a custom partition name (e.g., 'tenant-prod') for multi-tenant deployments. The partition must already exist on the A10 device. Leave empty to default to the shared partition.",
+ "PrivateKeyAllowed": "Optional",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+ },
{
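Review bot: Both new A10 store types ship `allowInvalidCert` with `"DefaultValue": "true"` and `"Required": true`, so the default posture is to skip TLS certificate validation on the AXAPI management connection that carries the device credentials and the certificate material; the secure default is `"DefaultValue": "false"`, with the description telling operators to enable it only for devices that genuinely present self-signed certificates. ScpPort is a Required String with an empty default while its description says port 22 is typical, so `"DefaultValue": "22"` would match the text. The SCP credentials are typed Secret, which is correct.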
"Name": "VMware-NSX",
"ShortName": "VMware-NSX",
@@ -5207,6 +5709,105 @@
"ClientMachineDescription": "This is the URL for the VMware NSX instance. It also includes an optional tenant in square brackets before the URL. A tenant value is required when the certificates being managed are in a different tenant from the default tenant set for the NSX User specified for the store. This should look like either: [optional-tenant-name]https://my.nsx.url/ OR https://my.nsx.url/ ",
"StorePathDescription": "A selection from the different certificate types supported: Application, Controller, or CA."
},
+ {
+ "Name": "ADFS Rotation Manager",
+ "ShortName": "WinAdfs",
+ "Capability": "WinAdfs",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": false
+ },
+ "Properties": [
+ {
+ "Name": "spnwithport",
+ "DisplayName": "SPN With Port",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": false,
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "WinRM Protocol",
+ "DisplayName": "WinRM Protocol",
+ "Type": "MultipleChoice",
+ "DependsOn": "",
+ "DefaultValue": "https,http,ssh",
+ "Required": true,
+ "Description": "Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment."
+ },
+ {
+ "Name": "WinRM Port",
+ "DisplayName": "WinRM Port",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "5986",
+ "Required": true,
+ "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22."
+ },
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)"
+ },
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "true",
+ "Required": true,
+ "Description": "Determine whether the server uses SSL or not (This field is automatically created)"
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "ProviderName",
+ "DisplayName": "Crypto Provider Name",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'"
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "StorePathValue": "My",
+ "PrivateKeyAllowed": "Required",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Forbidden",
+ "ClientMachineDescription": "Since this extension type must run as an agent (The UO Must be installed on the PRIMARY ADFS Server), the ClientMachine must follow the naming convention as outlined in the Client Machine Instructions. Secondary ADFS Nodes will be automatically be updated with the same certificate added on the PRIMARY ADFS server.",
+ "StorePathDescription": "Fixed string value of 'My' indicating the Personal store on the Local Machine. All ADFS Service-Communications certificates are located in the 'My' personal store by default."
+ },
{
"Name": "WinCerMgmt",
"ShortName": "WinCerMgmt",
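Review bot: The ClientMachineDescription of the new ADFS Rotation Manager entry contains a doubled word — `Secondary ADFS Nodes will be automatically be updated` — and that text is shown verbatim to operators when they configure a store; `Secondary ADFS nodes will automatically be updated` reads correctly. The same string refers to "the Client Machine Instructions" without saying where they live, so a pointer to the relevant doc section would help here too. The object is one element of a JSON array that continues outside the hunk.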
@@ -5326,21 +5927,6 @@
"DefaultValue": "",
"Options": "",
"Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'"
- },
- {
- "Name": "SAN",
- "DisplayName": "SAN",
- "Type": "String",
- "RequiredWhen": {
- "HasPrivateKey": false,
- "OnAdd": false,
- "OnRemove": false,
- "OnReenrollment": true
- },
- "DependsOn": "",
- "DefaultValue": "",
- "Options": "",
- "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA."
}
],
"PasswordOptions": {
@@ -5461,21 +6047,6 @@
"DefaultValue": "",
"Options": "",
"Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'"
- },
- {
- "Name": "SAN",
- "DisplayName": "SAN",
- "Type": "String",
- "RequiredWhen": {
- "HasPrivateKey": false,
- "OnAdd": false,
- "OnRemove": false,
- "OnReenrollment": true
- },
- "DependsOn": "",
- "DefaultValue": "",
- "Options": "",
- "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs."
}
],
"PasswordOptions": {
diff --git a/cmd/storesBulkOperations.go b/cmd/storesBulkOperations.go
index c58faea6..c4407eb1 100644
--- a/cmd/storesBulkOperations.go
+++ b/cmd/storesBulkOperations.go
@@ -82,6 +82,16 @@ func formatProperties(propsJson *gabs.Container, reqPropertiesForStoreType []str
if name == "ServerUsername" || name == "ServerPassword" {
reformatted := reformatPamSecretForPost(prop.Data().(map[string]interface{}))
if reformatted != nil {
+ if provider, ok := reformatted["Provider"]; ok && provider != nil {
+ managedValue := map[string]interface{}{
+ "Provider": provider,
+ }
+ if params, paramsOk := reformatted["Parameters"]; paramsOk && params != nil {
+ managedValue["Parameters"] = params
+ }
+ propsJson.Set(map[string]interface{}{"value": managedValue}, "Properties", name)
+ break
+ }
if _, ok := reformatted["value"].(string); ok {
propsJson.Set(reformatted["value"], "Properties", name)
} else {
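Review bot: The `break` after the new `propsJson.Set(map[string]interface{}{"value": managedValue}, "Properties", name)` call exits the enclosing construct rather than moving on to the next property; if, as the `name`/`prop` bindings suggest, this code sits inside a loop over the store's properties, a row whose ServerUsername is PAM-managed will never have its ServerPassword reformatted (and vice versa). `continue` is the likely intent: replace `break` with `continue`. The enclosing loop header and the rest of formatProperties are outside the hunk, so confirm against it; the new test only exercises a lone ServerPassword and would not catch this.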
@@ -383,29 +393,11 @@ If you do not wish to include credentials in your CSV file they can be provided
reqJson.Delete("Properties") // todo: why is this deleting the properties from the request json?
rowStorePassword := reqJson.S("Password").Data()
- passwdParams := api.UpdateStorePasswordConfig{
- SecretValue: nil,
- }
+ passwdParams := buildUpdateStorePasswordConfig(rowStorePassword)
switch rowStorePassword.(type) {
case string:
if rowStorePassword != "" {
reqJson.Delete("Password")
- passwdValue := rowStorePassword.(string)
- passwdParams.SecretValue = &passwdValue
- }
- case map[string]interface{}:
- // try to convert it to api.UpdateStorePasswordConfig
- rowPasswordMap := rowStorePassword.(map[string]interface{})
- if providerId, ok := rowPasswordMap["ProviderId"].(int); ok {
- passwdParams.Provider = providerId
- }
- if params, ok := rowPasswordMap["Parameters"].(map[string]interface{}); ok {
- for k, v := range params {
- if passwdParams.Parameters == nil {
- passwdParams.Parameters = make(map[string]string)
- }
- passwdParams.Parameters[k] = fmt.Sprintf("%v", v)
- }
}
}
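Review bot: With the password parsing moved into buildUpdateStorePasswordConfig, the remaining type switch has a single `case string` whose only job is to delete the Password key, so a guarded assertion reads more directly: `if pw, ok := rowStorePassword.(string); ok && pw != "" {` / `reqJson.Delete("Password")` / `}`. In the map case the raw Password object (provider id plus parameters) is still left in reqJson, as before; if that container is later serialised or logged anywhere, a one-line comment stating that this is intended would save the next reader a trip through the code. The enclosing function starts before the hunk.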
@@ -424,7 +416,7 @@ If you do not wish to include credentials in your CSV file they can be provided
updateReqParameters.Password = &api.UpdateStorePasswordConfig{
Provider: passwdParams.Provider,
- Parameters: nil,
+ Parameters: passwdParams.Parameters,
SecretValue: passwdParams.SecretValue,
}
updateReqParameters.Properties = props
@@ -846,6 +838,11 @@ var storesExportCmd = &cobra.Command{
"CreateIfMissing": store.CreateIfMissing,
"AgentId": store.AgentId,
}
+ for _, header := range bulkStoreImportCSVHeader {
+ if strings.HasPrefix(header, "InventorySchedule.") {
+ csvData[store.Id][header] = ""
+ }
+ }
log.Debug().Msg("checking for InventorySchedule")
if store.InventorySchedule.Immediate != nil {
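Review bot: The new loop that blanks every `InventorySchedule.*` column carries no comment saying why, and the reason is not obvious from the export code around it; presumably it guarantees each exported row has the full schedule column set so the CSV stays rectangular and round-trips through the import template. Suggest `// pre-fill every InventorySchedule.* column so each row has the same columns; the schedule actually set on the store is filled in below`. `bulkStoreImportCSVHeader` is defined outside the hunk, so confirm there that it is the authoritative column list.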
@@ -1144,7 +1141,9 @@ func getJsonForRequest(headerRow []string, row []string) *gabs.Container {
reqJson := gabs.New()
for hIdx, header := range headerRow {
log.Debug().Msgf("Processing header '%s'", header)
- if strings.ToUpper(row[hIdx]) == "TRUE" {
+ if shouldTreatCSVValueAsSecretString(header) && row[hIdx] != "" {
+ reqJson.Set(row[hIdx], strings.Split(header, ".")...)
+ } else if strings.ToUpper(row[hIdx]) == "TRUE" {
reqJson.Set(true, strings.Split(header, ".")...)
} else if strings.ToUpper(row[hIdx]) == "FALSE" {
reqJson.Set(false, strings.Split(header, ".")...)
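Review bot: The new secret-string branch is deliberately placed ahead of the TRUE/FALSE coercion — a secret whose literal value is `TRUE`, a number or a JSON document must reach the API unchanged — but nothing in the code says so; suggest `// secrets are stored verbatim: never coerce a secret cell to bool/number/JSON` above the `if`. An empty secret cell still falls through to the generic branches below, which the hunk does not show; confirm that path leaves the key unset rather than writing `""`. `row[hIdx]` is indexed without checking `len(row)`, exactly as on the original line, so a short CSV row still panics here; that predates the change but is worth a bounds check while the line is being touched.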
@@ -1166,6 +1165,44 @@ func getJsonForRequest(headerRow []string, row []string) *gabs.Container {
return reqJson
}
+func shouldTreatCSVValueAsSecretString(header string) bool {
+ switch header {
+ case "Properties.ServerUsername", "Properties.ServerPassword", "Password":
+ return true
+ default:
+ return strings.HasSuffix(header, ".SecretValue")
+ }
+}
+
+func buildUpdateStorePasswordConfig(rowStorePassword interface{}) api.UpdateStorePasswordConfig {
+ passwdParams := api.UpdateStorePasswordConfig{
+ SecretValue: nil,
+ }
+
+ switch typedPassword := rowStorePassword.(type) {
+ case string:
+ if typedPassword != "" {
+ passwdParams.SecretValue = &typedPassword
+ }
+ case map[string]interface{}:
+ if providerId, ok := typedPassword["ProviderId"].(int); ok {
+ passwdParams.Provider = providerId
+ } else if providerId, ok := typedPassword["Provider"].(int); ok {
+ passwdParams.Provider = providerId
+ }
+ if params, ok := typedPassword["Parameters"].(map[string]interface{}); ok {
+ for k, v := range params {
+ if passwdParams.Parameters == nil {
+ passwdParams.Parameters = make(map[string]string)
+ }
+ passwdParams.Parameters[k] = fmt.Sprintf("%v", v)
+ }
+ }
+ }
+
+ return passwdParams
+}
+
func writeCsvFile(outpath string, rows [][]string) error {
log.Debug().Msgf("Writing CSV file '%s'", outpath)
csvFile, err := os.Create(outpath)
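Review bot: Neither new helper has a doc comment, and buildUpdateStorePasswordConfig silently ignores a `ProviderId`/`Provider` that is not a Go `int`: a value that arrived via JSON decoding would be a `float64` and leave `Provider` at 0 with no error. Whether such a caller exists depends on code outside the hunk; if it does, a `float64` case belongs in the switch, otherwise a comment saying that only CSV-parsed ints are expected. Suggested doc comments: `// shouldTreatCSVValueAsSecretString reports whether the CSV column named by header holds a secret that must be stored verbatim rather than parsed.` and `// buildUpdateStorePasswordConfig converts an import row's Password cell — a plain secret string or a PAM-managed map with Provider/ProviderId and Parameters — into an api.UpdateStorePasswordConfig; parameter values are stringified with %v.`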
diff --git a/cmd/stores_test.go b/cmd/stores_test.go
index b5a792c9..c9d9f82d 100644
--- a/cmd/stores_test.go
+++ b/cmd/stores_test.go
@@ -26,6 +26,8 @@ import (
)
func Test_Stores_HelpCmd(t *testing.T) {
+ defer resetRootCommandState()
+
// Test root help
testCmd := RootCmd
testCmd.SetArgs([]string{"stores", "--help"})
@@ -328,6 +330,72 @@ func Test_Stores_GenerateImportTemplateCmd(t *testing.T) {
}
+func Test_FormatProperties_FormatsManagedPamSecretPropertiesForPost(t *testing.T) {
+ header := []string{
+ "Properties.ServerPassword.Provider",
+ "Properties.ServerPassword.Parameters.SecretName",
+ "Properties.ServerPassword.Parameters.SecretType",
+ "Properties.ServerPassword.Parameters.StaticSecretFieldName",
+ }
+ row := []string{"30", "dev/aks/kf-integrations", "static_json", " "}
+
+ reqJson := getJsonForRequest(header, row)
+ reqJson = formatProperties(reqJson, nil)
+
+ serverPassword := reqJson.S("Properties", "ServerPassword").Data()
+ serverPasswordMap, ok := serverPassword.(map[string]interface{})
+ assert.True(t, ok)
+ valueMap, ok := serverPasswordMap["value"].(map[string]interface{})
+ assert.True(t, ok)
+ assert.Equal(t, 30, valueMap["Provider"])
+ assert.NotContains(t, serverPasswordMap, "Provider")
+ assert.NotContains(t, serverPasswordMap, "ProviderId")
+
+ params, ok := valueMap["Parameters"].(map[string]string)
+ assert.True(t, ok)
+ assert.Equal(t, "dev/aks/kf-integrations", params["SecretName"])
+ assert.Equal(t, "static_json", params["SecretType"])
+ assert.Equal(t, " ", params["StaticSecretFieldName"])
+}
+
+func Test_GetJsonForRequest_TreatsJsonSecretValuesAsStrings(t *testing.T) {
+ header := []string{"Properties.ServerPassword", "Properties.ServerUsername.SecretValue"}
+ row := []string{
+ `{"kind":"Config","apiVersion":"v1"}`,
+ `{"username":"kubeconfig"}`,
+ }
+
+ reqJson := getJsonForRequest(header, row)
+
+ assert.Equal(t, row[0], reqJson.S("Properties", "ServerPassword").Data())
+ assert.Equal(t, row[1], reqJson.S("Properties", "ServerUsername", "SecretValue").Data())
+}
+
+func Test_BuildUpdateStorePasswordConfig_FormatsManagedPamStorePassword(t *testing.T) {
+ header := []string{
+ "Password.ProviderId",
+ "Password.Parameters.SecretName",
+ "Password.Parameters.SecretType",
+ "Password.Parameters.StaticSecretFieldName",
+ }
+ row := []string{"30", "dev/aks/kf-integrations", "static_json", " "}
+
+ reqJson := getJsonForRequest(header, row)
+ storePassword := buildUpdateStorePasswordConfig(reqJson.S("Password").Data())
+
+ assert.Equal(t, 30, storePassword.Provider)
+ assert.Nil(t, storePassword.SecretValue)
+ assert.Equal(
+ t,
+ map[string]string{
+ "SecretName": "dev/aks/kf-integrations",
+ "SecretType": "static_json",
+ "StaticSecretFieldName": " ",
+ },
+ storePassword.Parameters,
+ )
+}
+
func testExportStore(t *testing.T, storeTypeName string) (string, []string) {
var (
output string
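Review bot: Test_FormatProperties_FormatsManagedPamSecretPropertiesForPost covers only a managed ServerPassword, so it cannot detect whether formatProperties keeps processing the remaining properties once one managed secret has been rewritten; add a second case with both `Properties.ServerUsername.Provider` and `Properties.ServerPassword.Provider` columns and assert that both end up under `value`. The `assert.True(t, ok)` checks let the test run on into lookups on a nil map when a type assertion fails, which yields confusing follow-on failures; `if !ok { t.Fatalf("unexpected type %T", serverPassword) }` (or `require`, if the package already imports it) stops at the first one. Both points are confined to the new tests; the rest of the file is outside the hunk.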
diff --git a/cmd/test.go b/cmd/test.go
index 25ca5754..70b5cb52 100644
--- a/cmd/test.go
+++ b/cmd/test.go
@@ -21,6 +21,9 @@ import (
"io"
"os"
"regexp"
+
+ "github.com/spf13/cobra"
+ "github.com/spf13/pflag"
)
func captureOutput(f func()) string {
@@ -60,6 +63,36 @@ func captureOutput(f func()) string {
return buf.String()
}
+func resetRootCommandState() {
+ resetCommandState(RootCmd)
+}
+
+func resetCommandState(cmd *cobra.Command) {
+ cmd.SetArgs(nil)
+ cmd.SetOut(os.Stdout)
+ cmd.SetErr(os.Stderr)
+ cmd.SilenceUsage = false
+ cmd.SilenceErrors = false
+
+ resetFlagSet(cmd.Flags())
+ resetFlagSet(cmd.PersistentFlags())
+ resetFlagSet(cmd.LocalFlags())
+
+ for _, child := range cmd.Commands() {
+ resetCommandState(child)
+ }
+}
+
+func resetFlagSet(flags *pflag.FlagSet) {
+ if flags == nil {
+ return
+ }
+ flags.VisitAll(func(flag *pflag.Flag) {
+ _ = flag.Value.Set(flag.DefValue)
+ flag.Changed = false
+ })
+}
+
type testEnv struct {
CommandHostname string
CommandUsername string
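Review bot: `_ = flag.Value.Set(flag.DefValue)` in resetFlagSet discards the error without justification; a `Value` implementation that rejects its own default would keep the previous test's value while `Changed` is cleared, so either log the error or say why it is acceptable, e.g. `// best-effort: a Value that rejects its own DefValue keeps the prior value`. Resetting `cmd.LocalFlags()` is presumably redundant, since cobra assembles that set from the same `*pflag.Flag` objects as `Flags()` and `PersistentFlags()`; confirm and drop it if so. Setting `SilenceUsage`/`SilenceErrors` back to `false` assumes those are the production defaults for every command in the tree — any command that sets them in its constructor would behave differently in later tests.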
diff --git a/cmd/test_auth_config_test.go b/cmd/test_auth_config_test.go
new file mode 100644
index 00000000..41043e39
--- /dev/null
+++ b/cmd/test_auth_config_test.go
@@ -0,0 +1,172 @@
+// Copyright 2025 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+ "os"
+ "path/filepath"
+ "strings"
+ "testing"
+
+ "github.com/Keyfactor/keyfactor-auth-client-go/auth_providers"
+)
+
+func TestMain(m *testing.M) {
+ cleanups := ensureTestAuthConfigs()
+ code := m.Run()
+ for i := len(cleanups) - 1; i >= 0; i-- {
+ cleanups[i]()
+ }
+ os.Exit(code)
+}
+
+func ensureTestAuthConfigs() []func() {
+ if os.Getenv(auth_providers.EnvKeyfactorHostName) == "" {
+ return nil
+ }
+
+ config := buildTestAuthConfig()
+ if len(config.Servers) == 0 {
+ return nil
+ }
+
+ type authConfigPath struct {
+ path string
+ overwrite bool
+ }
+
+ var paths []authConfigPath
+ homeDir, err := os.UserHomeDir()
+ if err == nil {
+ paths = append(paths, authConfigPath{path: filepath.Join(homeDir, auth_providers.DefaultConfigFilePath)})
+ }
+ paths = append(paths, authConfigPath{
+ path: filepath.Join("$HOME", ".keyfactor", "extra_config.json"),
+ overwrite: true,
+ })
+
+ var cleanups []func()
+ for _, configPath := range paths {
+ if configPath.path == "" {
+ continue
+ }
+ previousConfig, readErr := auth_providers.ReadConfigFromJSON(configPath.path)
+ existed := readErr == nil
+ if existed && !configPath.overwrite {
+ if _, ok := previousConfig.Servers[auth_providers.DefaultConfigProfile]; ok {
+ continue
+ }
+ merged := &auth_providers.Config{Servers: map[string]auth_providers.Server{}}
+ for name, server := range previousConfig.Servers {
+ merged.Servers[name] = server
+ }
+ for name, server := range config.Servers {
+ if _, ok := merged.Servers[name]; !ok || name == auth_providers.DefaultConfigProfile {
+ merged.Servers[name] = server
+ }
+ }
+ if err := auth_providers.WriteConfigToJSON(configPath.path, merged); err == nil {
+ pathToRestore := configPath.path
+ configToRestore := previousConfig
+ cleanups = append(cleanups, func() {
+ _ = auth_providers.WriteConfigToJSON(pathToRestore, configToRestore)
+ })
+ }
+ continue
+ }
+ if err := os.MkdirAll(filepath.Dir(configPath.path), 0700); err != nil {
+ continue
+ }
+ if err := auth_providers.WriteConfigToJSON(configPath.path, config); err == nil {
+ pathToCleanup := configPath.path
+ if existed {
+ configToRestore := previousConfig
+ cleanups = append(cleanups, func() {
+ _ = auth_providers.WriteConfigToJSON(pathToCleanup, configToRestore)
+ })
+ } else {
+ cleanups = append(cleanups, func() {
+ _ = os.Remove(pathToCleanup)
+ })
+ }
+ }
+ }
+ return cleanups
+}
+
+func buildTestAuthConfig() *auth_providers.Config {
+ config := &auth_providers.Config{
+ Servers: map[string]auth_providers.Server{},
+ }
+
+ host := os.Getenv(auth_providers.EnvKeyfactorHostName)
+ apiPath := os.Getenv(auth_providers.EnvKeyfactorAPIPath)
+ if apiPath == "" {
+ apiPath = auth_providers.DefaultCommandAPIPath
+ }
+
+ username := os.Getenv(auth_providers.EnvKeyfactorUsername)
+ password := os.Getenv(auth_providers.EnvKeyfactorPassword)
+ domain := os.Getenv(auth_providers.EnvKeyfactorDomain)
+ if username != "" && password != "" {
+ config.Servers[auth_providers.DefaultConfigProfile] = auth_providers.Server{
+ Host: host,
+ APIPath: apiPath,
+ Username: username,
+ Password: password,
+ Domain: domain,
+ SkipTLSVerify: true,
+ AuthType: "basic",
+ }
+ }
+
+ clientID := os.Getenv(auth_providers.EnvKeyfactorClientID)
+ clientSecret := os.Getenv(auth_providers.EnvKeyfactorClientSecret)
+ tokenURL := os.Getenv(auth_providers.EnvKeyfactorAuthTokenURL)
+ if clientID != "" && clientSecret != "" && tokenURL != "" {
+ oauthServer := auth_providers.Server{
+ Host: host,
+ APIPath: apiPath,
+ ClientID: clientID,
+ ClientSecret: clientSecret,
+ OAuthTokenUrl: tokenURL,
+ Scopes: testAuthScopes(),
+ Audience: os.Getenv(auth_providers.EnvKeyfactorAuthAudience),
+ SkipTLSVerify: true,
+ AuthType: "oauth",
+ }
+ config.Servers["oauth"] = oauthServer
+ if _, ok := config.Servers[auth_providers.DefaultConfigProfile]; !ok {
+ config.Servers[auth_providers.DefaultConfigProfile] = oauthServer
+ }
+ }
+
+ return config
+}
+
+func testAuthScopes() []string {
+ scopesCSV := os.Getenv(auth_providers.EnvKeyfactorAuthScopes)
+ if scopesCSV == "" {
+ return []string{"openid"}
+ }
+ var scopes []string
+ for _, scope := range strings.Split(scopesCSV, ",") {
+ scope = strings.TrimSpace(scope)
+ if scope != "" {
+ scopes = append(scopes, scope)
+ }
+ }
+ return scopes
+}
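Review bot: `filepath.Join("$HOME", ".keyfactor", "extra_config.json")` is not expanded — `filepath.Join` does no variable substitution — so the second config is written to a directory literally named `$HOME` under the test's working directory, unless that is the intent; `filepath.Join(homeDir, ".keyfactor", "extra_config.json")` is the likely fix. More importantly, ensureTestAuthConfigs writes the plaintext username/password or client secret taken from the environment, with `SkipTLSVerify: true`, into the user's real default config file, and the restore runs only if m.Run returns normally — a panic, a killed CI job or a SIGKILL leaves those credentials merged into a developer's or runner's config. Pointing the test at an isolated directory (for example by overriding HOME for the duration of TestMain, if the config loader honours it) avoids touching the real file at all. Also, `existed := readErr == nil` treats an existing but unparsable config as absent, so that branch overwrites it and the cleanup then deletes it; checking `os.Stat` separately from the parse error preserves the user's file. The permissions of the written file depend on WriteConfigToJSON, which is outside this diff and worth confirming is 0600.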
diff --git a/docs/auth_providers.md b/docs/auth_providers.md
index ee0070f8..a99c9d17 100644
--- a/docs/auth_providers.md
+++ b/docs/auth_providers.md
@@ -16,7 +16,7 @@ Command API from a secure location rather than a file on disk or environment var
## Azure Key Vault
The Azure Key Vault auth provider allows you to source credentials from an Azure Key Vault instance using Azure Managed
-Identity.
+Identity.
### Configuration
Below is an example configuration for the Azure Key Vault auth provider. This can be placed in the `$HOME/.keyfactor/command_config.json`
@@ -39,7 +39,7 @@ file and will be used by `kfutil` to source credentials for the Keyfactor produc
```
### Azure Key Vault Secret Format
-The format of the Azure Key Vault secret should be the same as if you were to run `kfutil login` and go through the
+The format of the Azure Key Vault secret should be the same as if you were to run `kfutil login` and go through the
interactive auth flow. Here's an example of what that would look like:
#### Basic Auth Example
@@ -76,7 +76,7 @@ interactive auth flow. Here's an example of what that would look like:
#### Usage
##### Default
-With the above configuration in placed in the default path `$HOME/.keyfactor/command_config.json` the utility will
+With the above configuration in placed in the default path `$HOME/.keyfactor/command_config.json` the utility will
implicitly attempt to source credentials from the Azure Key Vault instance.
```bash
kfutil stores list
@@ -94,4 +94,4 @@ kfutil \
```
The above explicitly tells the utility to only attempt to use the Azure Key Vault auth provider. This mode will not fail
to user interactive or environmental variable auth if provided. The example also shows how to specify a custom path to
-the auth provider configuration file and what profile to look for in the configuration file stored in Azure.
\ No newline at end of file
+the auth provider configuration file and what profile to look for in the configuration file stored in Azure.
diff --git a/docs/kfutil.md b/docs/kfutil.md
index eb42ad04..a775de3f 100644
--- a/docs/kfutil.md
+++ b/docs/kfutil.md
@@ -38,14 +38,12 @@ A CLI wrapper around the Keyfactor Platform API.
* [kfutil helm](kfutil_helm.md) - Helm utilities for configuring Keyfactor Helm charts
* [kfutil import](kfutil_import.md) - Keyfactor instance import utilities.
* [kfutil login](kfutil_login.md) - User interactive login to Keyfactor. Stores the credentials in the config file '$HOME/.keyfactor/command_config.json'.
-* [kfutil logout](kfutil_logout.md) - Unsets environment variables and removes the stored credentials file.
-* [kfutil migrate](kfutil_migrate.md) - Keyfactor Migration Tools.
+* [kfutil logout](kfutil_logout.md) - Unsets environment variables and removes the stored credentials file.
+* [kfutil migrate](kfutil_migrate.md) - Keyfactor Migration Tools.
* [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities.
* [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs.
-* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities.
+* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities.
* [kfutil status](kfutil_status.md) - List the status of Keyfactor services.
* [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities.
* [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities.
* [kfutil version](kfutil_version.md) - Shows version of kfutil
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_completion.md b/docs/kfutil_completion.md
index df1bd2ab..eef9b0e4 100644
--- a/docs/kfutil_completion.md
+++ b/docs/kfutil_completion.md
@@ -44,5 +44,3 @@ See each sub-command's help for details on how to use the generated script.
* [kfutil completion fish](kfutil_completion_fish.md) - Generate the autocompletion script for fish
* [kfutil completion powershell](kfutil_completion_powershell.md) - Generate the autocompletion script for powershell
* [kfutil completion zsh](kfutil_completion_zsh.md) - Generate the autocompletion script for zsh
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_completion_bash.md b/docs/kfutil_completion_bash.md
index c2f3f95c..d61f49ac 100644
--- a/docs/kfutil_completion_bash.md
+++ b/docs/kfutil_completion_bash.md
@@ -63,5 +63,3 @@ kfutil completion bash
### SEE ALSO
* [kfutil completion](kfutil_completion.md) - Generate the autocompletion script for the specified shell
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_completion_fish.md b/docs/kfutil_completion_fish.md
index 7d6f7cca..04aed08c 100644
--- a/docs/kfutil_completion_fish.md
+++ b/docs/kfutil_completion_fish.md
@@ -54,5 +54,3 @@ kfutil completion fish [flags]
### SEE ALSO
* [kfutil completion](kfutil_completion.md) - Generate the autocompletion script for the specified shell
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_completion_powershell.md b/docs/kfutil_completion_powershell.md
index 3b6c4947..1bf3f34e 100644
--- a/docs/kfutil_completion_powershell.md
+++ b/docs/kfutil_completion_powershell.md
@@ -51,5 +51,3 @@ kfutil completion powershell [flags]
### SEE ALSO
* [kfutil completion](kfutil_completion.md) - Generate the autocompletion script for the specified shell
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_completion_zsh.md b/docs/kfutil_completion_zsh.md
index 585624d2..f00c9778 100644
--- a/docs/kfutil_completion_zsh.md
+++ b/docs/kfutil_completion_zsh.md
@@ -65,5 +65,3 @@ kfutil completion zsh [flags]
### SEE ALSO
* [kfutil completion](kfutil_completion.md) - Generate the autocompletion script for the specified shell
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_containers.md b/docs/kfutil_containers.md
index f0725128..cffb1b58 100644
--- a/docs/kfutil_containers.md
+++ b/docs/kfutil_containers.md
@@ -40,5 +40,3 @@ A collections of APIs and utilities for interacting with Keyfactor certificate s
* [kfutil](kfutil.md) - Keyfactor CLI utilities
* [kfutil containers get](kfutil_containers_get.md) - Get certificate store container by ID or name.
* [kfutil containers list](kfutil_containers_list.md) - List certificate store containers.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_containers_get.md b/docs/kfutil_containers_get.md
index 42492dfc..7b305247 100644
--- a/docs/kfutil_containers_get.md
+++ b/docs/kfutil_containers_get.md
@@ -43,5 +43,3 @@ kfutil containers get [flags]
### SEE ALSO
* [kfutil containers](kfutil_containers.md) - Keyfactor certificate store container API and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_containers_list.md b/docs/kfutil_containers_list.md
index cc6f6399..67e820fc 100644
--- a/docs/kfutil_containers_list.md
+++ b/docs/kfutil_containers_list.md
@@ -42,5 +42,3 @@ kfutil containers list [flags]
### SEE ALSO
* [kfutil containers](kfutil_containers.md) - Keyfactor certificate store container API and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_export.md b/docs/kfutil_export.md
index ab76ecf6..954c719b 100644
--- a/docs/kfutil_export.md
+++ b/docs/kfutil_export.md
@@ -54,5 +54,3 @@ kfutil export [flags]
### SEE ALSO
* [kfutil](kfutil.md) - Keyfactor CLI utilities
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_helm.md b/docs/kfutil_helm.md
index 10e798e5..95a0a5e4 100644
--- a/docs/kfutil_helm.md
+++ b/docs/kfutil_helm.md
@@ -45,5 +45,3 @@ kubectl helm uo | helm install -f - keyfactor-universal-orchestrator keyfactor/k
* [kfutil](kfutil.md) - Keyfactor CLI utilities
* [kfutil helm uo](kfutil_helm_uo.md) - Configure the Keyfactor Universal Orchestrator Helm Chart
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_helm_uo.md b/docs/kfutil_helm_uo.md
index bb390917..4f611e2f 100644
--- a/docs/kfutil_helm_uo.md
+++ b/docs/kfutil_helm_uo.md
@@ -49,5 +49,3 @@ kfutil helm uo [-t ] [-o ] [-f ] [-e -e @,@ -o ./app/extension
### SEE ALSO
* [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_orchs_get.md b/docs/kfutil_orchs_get.md
index 8c3566c2..de6827a8 100644
--- a/docs/kfutil_orchs_get.md
+++ b/docs/kfutil_orchs_get.md
@@ -43,5 +43,3 @@ kfutil orchs get [flags]
### SEE ALSO
* [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_orchs_list.md b/docs/kfutil_orchs_list.md
index 790d5b77..a013ce3b 100644
--- a/docs/kfutil_orchs_list.md
+++ b/docs/kfutil_orchs_list.md
@@ -42,5 +42,3 @@ kfutil orchs list [flags]
### SEE ALSO
* [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_orchs_logs.md b/docs/kfutil_orchs_logs.md
index 8d259fcb..f3fcb0f6 100644
--- a/docs/kfutil_orchs_logs.md
+++ b/docs/kfutil_orchs_logs.md
@@ -43,5 +43,3 @@ kfutil orchs logs [flags]
### SEE ALSO
* [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_orchs_reset.md b/docs/kfutil_orchs_reset.md
index 385743c4..f1eb4875 100644
--- a/docs/kfutil_orchs_reset.md
+++ b/docs/kfutil_orchs_reset.md
@@ -43,5 +43,3 @@ kfutil orchs reset [flags]
### SEE ALSO
* [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_pam-types.md b/docs/kfutil_pam-types.md
index 407b7246..fda896b5 100644
--- a/docs/kfutil_pam-types.md
+++ b/docs/kfutil_pam-types.md
@@ -37,10 +37,8 @@ A collections of APIs and utilities for interacting with Keyfactor PAM types.
### SEE ALSO
-* [kfutil](kfutil.md) - Keyfactor CLI utilities
-* [kfutil pam-types create](kfutil_pam-types_create.md) - Creates a new PAM provider type.
-* [kfutil pam-types delete](kfutil_pam-types_delete.md) - Deletes a defined PAM Provider type by ID or Name.
-* [kfutil pam-types get](kfutil_pam-types_get.md) - Get a specific defined PAM Provider type by ID or Name.
-* [kfutil pam-types list](kfutil_pam-types_list.md) - Returns a list of all available PAM provider types.
-
-###### Auto generated on 26-Jan-2026
+* [kfutil](kfutil.md) - Keyfactor CLI utilities
+* [kfutil pam-types create](kfutil_pam-types_create.md) - Creates a new PAM provider type.
+* [kfutil pam-types delete](kfutil_pam-types_delete.md) - Deletes a defined PAM Provider type by ID or Name.
+* [kfutil pam-types get](kfutil_pam-types_get.md) - Get a specific defined PAM Provider type by ID or Name.
+* [kfutil pam-types list](kfutil_pam-types_list.md) - Returns a list of all available PAM provider types.
diff --git a/docs/kfutil_pam-types_create.md b/docs/kfutil_pam-types_create.md
index 5e251062..624a4f8f 100644
--- a/docs/kfutil_pam-types_create.md
+++ b/docs/kfutil_pam-types_create.md
@@ -4,9 +4,9 @@ Creates a new PAM provider type.
### Synopsis
-Creates a new PAM Provider type, currently only supported from JSON file and from GitHub. To install from
-Github. To install from GitHub, use the --repo flag to specify the GitHub repository and optionally the branch to use.
-NOTE: the file from Github must be named integration-manifest.json and must use the same schema as
+Creates a new PAM Provider type, currently only supported from JSON file and from GitHub. To install from
+Github. To install from GitHub, use the --repo flag to specify the GitHub repository and optionally the branch to use.
+NOTE: the file from Github must be named integration-manifest.json and must use the same schema as
https://github.com/Keyfactor/hashicorp-vault-pam/blob/main/integration-manifest.json. To install from a local file, use
--from-file to specify the path to the JSON file.
@@ -50,6 +50,4 @@ kfutil pam-types create [flags]
### SEE ALSO
-* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
+* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities.
diff --git a/docs/kfutil_pam-types_delete.md b/docs/kfutil_pam-types_delete.md
index 33a38850..1545e376 100644
--- a/docs/kfutil_pam-types_delete.md
+++ b/docs/kfutil_pam-types_delete.md
@@ -44,6 +44,4 @@ kfutil pam-types delete [flags]
### SEE ALSO
-* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
+* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities.
diff --git a/docs/kfutil_pam-types_get.md b/docs/kfutil_pam-types_get.md
index cfb4cd4a..2c2a8894 100644
--- a/docs/kfutil_pam-types_get.md
+++ b/docs/kfutil_pam-types_get.md
@@ -43,6 +43,4 @@ kfutil pam-types get [flags]
### SEE ALSO
-* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
+* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities.
diff --git a/docs/kfutil_pam-types_list.md b/docs/kfutil_pam-types_list.md
index c1a82c89..928ae938 100644
--- a/docs/kfutil_pam-types_list.md
+++ b/docs/kfutil_pam-types_list.md
@@ -41,6 +41,4 @@ kfutil pam-types list [flags]
### SEE ALSO
-* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
+* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities.
diff --git a/docs/kfutil_pam.md b/docs/kfutil_pam.md
index c81bb8ae..799af94d 100644
--- a/docs/kfutil_pam.md
+++ b/docs/kfutil_pam.md
@@ -4,8 +4,8 @@ Keyfactor PAM Provider APIs.
### Synopsis
-Privileged Access Management (PAM) functionality in Keyfactor Web APIs allows for configuration of third
-party PAM providers to secure certificate stores. The PAM component of the Keyfactor API includes methods necessary to
+Privileged Access Management (PAM) functionality in Keyfactor Web APIs allows for configuration of third
+party PAM providers to secure certificate stores. The PAM component of the Keyfactor API includes methods necessary to
programmatically create, delete, edit, and list PAM Providers.
### Options
@@ -45,5 +45,3 @@ programmatically create, delete, edit, and list PAM Providers.
* [kfutil pam get](kfutil_pam_get.md) - Get a specific defined PAM Provider by ID.
* [kfutil pam list](kfutil_pam_list.md) - Returns a list of all the configured PAM providers.
* [kfutil pam update](kfutil_pam_update.md) - Updates an existing PAM Provider, currently only supported from file.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_pam_create.md b/docs/kfutil_pam_create.md
index 9e705305..4200a70b 100644
--- a/docs/kfutil_pam_create.md
+++ b/docs/kfutil_pam_create.md
@@ -43,5 +43,3 @@ kfutil pam create [flags]
### SEE ALSO
* [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_pam_delete.md b/docs/kfutil_pam_delete.md
index 97011087..59b556f5 100644
--- a/docs/kfutil_pam_delete.md
+++ b/docs/kfutil_pam_delete.md
@@ -44,5 +44,3 @@ kfutil pam delete [flags]
### SEE ALSO
* [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_pam_get.md b/docs/kfutil_pam_get.md
index c5781c84..373d5fcd 100644
--- a/docs/kfutil_pam_get.md
+++ b/docs/kfutil_pam_get.md
@@ -44,5 +44,3 @@ kfutil pam get [flags]
### SEE ALSO
* [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_pam_list.md b/docs/kfutil_pam_list.md
index c876e565..a06f1b36 100644
--- a/docs/kfutil_pam_list.md
+++ b/docs/kfutil_pam_list.md
@@ -42,5 +42,3 @@ kfutil pam list [flags]
### SEE ALSO
* [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_pam_update.md b/docs/kfutil_pam_update.md
index 59dd1f4f..67fdd309 100644
--- a/docs/kfutil_pam_update.md
+++ b/docs/kfutil_pam_update.md
@@ -43,5 +43,3 @@ kfutil pam update [flags]
### SEE ALSO
* [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_status.md b/docs/kfutil_status.md
index 86a239d5..cd437eed 100644
--- a/docs/kfutil_status.md
+++ b/docs/kfutil_status.md
@@ -42,5 +42,3 @@ kfutil status [flags]
### SEE ALSO
* [kfutil](kfutil.md) - Keyfactor CLI utilities
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_store-types.md b/docs/kfutil_store-types.md
index a30e94e3..bbe92554 100644
--- a/docs/kfutil_store-types.md
+++ b/docs/kfutil_store-types.md
@@ -43,5 +43,3 @@ A collections of APIs and utilities for interacting with Keyfactor certificate s
* [kfutil store-types get](kfutil_store-types_get.md) - Get a specific store type by either name or ID.
* [kfutil store-types list](kfutil_store-types_list.md) - List certificate store types.
* [kfutil store-types templates-fetch](kfutil_store-types_templates-fetch.md) - Fetches store type templates from Keyfactor's Github.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_store-types_create.md b/docs/kfutil_store-types_create.md
index 2eef609b..bdb606fd 100644
--- a/docs/kfutil_store-types_create.md
+++ b/docs/kfutil_store-types_create.md
@@ -18,7 +18,7 @@ kfutil store-types create [flags]
-b, --git-ref string The git branch or tag to reference when pulling store-types from the internet. (default "main")
-h, --help help for create
-l, --list List valid store types.
- -n, --name string Short name of the certificate store type to get. Valid choices are: Akamai, AKV, AlteonLB, AppGwBin, AWS-ACM, AWS-ACM-v3, AxisIPCamera, AzureApp, AzureApp2, AzureAppGw, AzureSP, AzureSP2, BoschIPCamera, CiscoAsa, CitrixAdc, DataPower, F5-BigIQ, F5-CA-REST, F5-SL-REST, F5-WS-REST, f5WafCa, f5WafTls, Fortigate, FortiWeb, GcpApigee, GcpCertMgr, GCPLoadBal, HCVKV, HCVKVJKS, HCVKVP12, HCVKVPEM, HCVKVPFX, HCVPKI, HPiLO, iDRAC, IISU, Imperva, K8SCert, K8SCluster, K8SJKS, K8SNS, K8SPKCS12, K8SSecret, K8STLSSecr, Kemp, Nmap, OktaApp, OktaIdP, PaloAlto, RFDER, RFJKS, RFKDB, RFORA, RFPEM, RFPkcs12, Signum, SOS, vCenter, VMware-NSX, WinCerMgmt, WinCert, WinSql
+ -n, --name string Short name of the certificate store type to get. Valid choices are: Akamai, AKV, AlteonLB, AppGwBin, Aruba, AWS-ACM, AWS-ACM-v3, AxisIPCamera, AzureApp, AzureApp2, AzureAppGw, AzureSP, AzureSP2, BarracudaWaf, BMC, BoschIPCamera, CiscoAsa, CitrixAdc, DataPower, F5-BigIQ, F5-CA-REST, F5-SL-REST, F5-WS-REST, f5WafCa, f5WafTls, Fortigate, FortiWeb, GcpApigee, GcpCertMgr, GCPLoadBal, GCPScrtMgr, HCVKV, HCVKVJKS, HCVKVP12, HCVKVPEM, HCVKVPFX, HCVPKI, HPiLO, iDRAC, IISU, Imperva, K8SCert, K8SCluster, K8SJKS, K8SNS, K8SPKCS12, K8SSecret, K8STLSSecr, Kemp, MOST, Nmap, OktaApp, OktaIdP, PaloAlto, RFDER, RFJKS, RFKDB, RFORA, RFPEM, RFPkcs12, Signum, SOS, ThunderMgmt, ThunderSsl, vCenter, VMware-NSX, WinAdfs, WinCerMgmt, WinCert, WinSql
-r, --repo string The repository to pull store-types definitions from. (default "kfutil")
```
@@ -48,5 +48,3 @@ kfutil store-types create [flags]
### SEE ALSO
* [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_store-types_delete.md b/docs/kfutil_store-types_delete.md
index b83c9728..ceccd963 100644
--- a/docs/kfutil_store-types_delete.md
+++ b/docs/kfutil_store-types_delete.md
@@ -46,5 +46,3 @@ kfutil store-types delete [flags]
### SEE ALSO
* [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_store-types_get.md b/docs/kfutil_store-types_get.md
index b3e52b50..32a15c1c 100644
--- a/docs/kfutil_store-types_get.md
+++ b/docs/kfutil_store-types_get.md
@@ -47,5 +47,3 @@ kfutil store-types get [-i | -n ] [-b
### SEE ALSO
* [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_store-types_list.md b/docs/kfutil_store-types_list.md
index 3dc0242d..121b13f0 100644
--- a/docs/kfutil_store-types_list.md
+++ b/docs/kfutil_store-types_list.md
@@ -42,5 +42,3 @@ kfutil store-types list [flags]
### SEE ALSO
* [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_store-types_templates-fetch.md b/docs/kfutil_store-types_templates-fetch.md
index d8d00f4d..a42307fe 100644
--- a/docs/kfutil_store-types_templates-fetch.md
+++ b/docs/kfutil_store-types_templates-fetch.md
@@ -44,5 +44,3 @@ kfutil store-types templates-fetch [flags]
### SEE ALSO
* [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores.md b/docs/kfutil_stores.md
index 8b512215..92471fe3 100644
--- a/docs/kfutil_stores.md
+++ b/docs/kfutil_stores.md
@@ -41,10 +41,7 @@ A collections of APIs and utilities for interacting with Keyfactor certificate s
* [kfutil stores delete](kfutil_stores_delete.md) - Delete a certificate store by ID.
* [kfutil stores export](kfutil_stores_export.md) - Export existing defined certificate stores by type or store Id.
* [kfutil stores get](kfutil_stores_get.md) - Get a certificate store by ID.
-* [kfutil stores import](kfutil_stores_import.md) - Import a file with certificate store definitions and create them
- in Keyfactor Command.
+* [kfutil stores import](kfutil_stores_import.md) - Import a file with certificate store definitions and create them in Keyfactor Command.
* [kfutil stores inventory](kfutil_stores_inventory.md) - Commands related to certificate store inventory management
* [kfutil stores list](kfutil_stores_list.md) - List certificate stores.
-* [kfutil stores rot](kfutil_stores_rot.md) - Root of trust utility
-
-###### Auto generated on 26-Jan-2026
+* [kfutil stores rot](kfutil_stores_rot.md) - Root of trust utility
diff --git a/docs/kfutil_stores_delete.md b/docs/kfutil_stores_delete.md
index 733dfce1..3761d475 100644
--- a/docs/kfutil_stores_delete.md
+++ b/docs/kfutil_stores_delete.md
@@ -45,5 +45,3 @@ kfutil stores delete [flags]
### SEE ALSO
* [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_export.md b/docs/kfutil_stores_export.md
index 9cd56c48..e244ff91 100644
--- a/docs/kfutil_stores_export.md
+++ b/docs/kfutil_stores_export.md
@@ -46,5 +46,3 @@ kfutil stores export [flags]
### SEE ALSO
* [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_get.md b/docs/kfutil_stores_get.md
index 1c50c23d..f1d45038 100644
--- a/docs/kfutil_stores_get.md
+++ b/docs/kfutil_stores_get.md
@@ -43,5 +43,3 @@ kfutil stores get [flags]
### SEE ALSO
* [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_import.md b/docs/kfutil_stores_import.md
index a151a3f6..0203cedc 100644
--- a/docs/kfutil_stores_import.md
+++ b/docs/kfutil_stores_import.md
@@ -40,5 +40,3 @@ Tools for generating import templates and importing certificate stores
* [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities.
* [kfutil stores import csv](kfutil_stores_import_csv.md) - Create certificate stores from CSV file.
* [kfutil stores import generate-template](kfutil_stores_import_generate-template.md) - For generating a CSV template with headers for bulk store creation.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_import_csv.md b/docs/kfutil_stores_import_csv.md
index c7683ab9..2215f41a 100644
--- a/docs/kfutil_stores_import_csv.md
+++ b/docs/kfutil_stores_import_csv.md
@@ -17,29 +17,27 @@ Required Flags:
###### Credential Fields
-| Header | Description |
-|---------------------------|---------------------------------------------------------------------------------------|
+| Header | Description |
+| --- | --- |
| Properties.ServerUsername | This is equivalent to the 'ServerUsername' field in the Command Certificate Store UI. |
| Properties.ServerPassword | This is equivalent to the 'ServerPassword' field in the Command Certificate Store UI. |
-| Password | This is equivalent to the 'StorePassword' field in the Command Certificate Store UI. |
+| Password | This is equivalent to the 'StorePassword' field in the Command Certificate Store UI. |
###### Inventory Schedule Fields
-
-For full information on certificate store schedules
-visit: https://software.keyfactor.com/Core-OnPrem/v25.1.1/Content/WebAPI/KeyfactorAPI/CertificateStoresPostSchedule.htm#API-Table-Schedule
+For full information on certificate store schedules visit: https://software.keyfactor.com/Core-OnPrem/v25.1.1/Content/WebAPI/KeyfactorAPI/CertificateStoresPostSchedule.htm#API-Table-Schedule
> [!NOTE]
> Only one type of schedule can be specified in the CSV file. If multiple are specified,
> the last one will be used. For example you can't schedule both "InventorySchedule.Immediate" and "InventorySchedule.
> Interval.Minutes", in which case the value of "InventorySchedule.Interval.Minutes" would be used.
-| Header | Description |
-|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| InventorySchedule.Immediate | A Boolean that indicates a job scheduled to run immediately (TRUE) or not (FALSE). |
-| InventorySchedule.Interval.Minutes | An integer indicating the number of minutes between each interval. |
-| InventorySchedule.Daily.Time | The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format "YYYY-MM-DDTHH:mm:ss.000Z"" (e.g. 2023-11-19T16:23:01Z). |
-| InventorySchedule.Weekly.Days | An array of values representing the days of the week on which to run the job. These can either be entered as integers (0 for Sunday, 1 for Monday, etc.) or as days of the week (e.g. "Sunday"). |
-| InventorySchedule.Weekly.Time | The time of day to inventory daily, RFC3339 format. Ex. "2023-10-01T12:00:00Z" for noon UTC. |
+| Header | Description |
+| --- | --- |
+| InventorySchedule.Immediate | A Boolean that indicates a job scheduled to run immediately (TRUE) or not (FALSE). |
+| InventorySchedule.Interval.Minutes | An integer indicating the number of minutes between each interval. |
+| InventorySchedule.Daily.Time | The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format "YYYY-MM-DDTHH:mm:ss.000Z"" (e.g. 2023-11-19T16:23:01Z). |
+| InventorySchedule.Weekly.Days | An array of values representing the days of the week on which to run the job. These can either be entered as integers (0 for Sunday, 1 for Monday, etc.) or as days of the week (e.g. "Sunday"). |
+| InventorySchedule.Weekly.Time | The time of day to inventory daily, RFC3339 format. Ex. "2023-10-01T12:00:00Z" for noon UTC. |
##### Outside CSV file:
If you do not wish to include credentials in your CSV file they can be provided one of three ways:
@@ -92,7 +90,4 @@ kfutil stores import csv --file --store-type-id --store-t
### SEE ALSO
-* [kfutil stores import](kfutil_stores_import.md) - Import a file with certificate store definitions and create them
- in Keyfactor Command.
-
-###### Auto generated on 26-Jan-2026
+* [kfutil stores import](kfutil_stores_import.md) - Import a file with certificate store definitions and create them in Keyfactor Command.
diff --git a/docs/kfutil_stores_inventory.md b/docs/kfutil_stores_inventory.md
index ade5aae5..db7481f2 100644
--- a/docs/kfutil_stores_inventory.md
+++ b/docs/kfutil_stores_inventory.md
@@ -41,5 +41,3 @@ Commands related to certificate store inventory management
* [kfutil stores inventory add](kfutil_stores_inventory_add.md) - Adds one or more certificates to one or more certificate store inventories.
* [kfutil stores inventory remove](kfutil_stores_inventory_remove.md) - Removes a certificate from the certificate store inventory.
* [kfutil stores inventory show](kfutil_stores_inventory_show.md) - Show the inventory of a certificate store.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_inventory_add.md b/docs/kfutil_stores_inventory_add.md
index b4f15262..ad150411 100644
--- a/docs/kfutil_stores_inventory_add.md
+++ b/docs/kfutil_stores_inventory_add.md
@@ -56,5 +56,3 @@ kfutil stores inventory add [flags]
### SEE ALSO
* [kfutil stores inventory](kfutil_stores_inventory.md) - Commands related to certificate store inventory management
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_inventory_remove.md b/docs/kfutil_stores_inventory_remove.md
index ff071c0c..fa9a7069 100644
--- a/docs/kfutil_stores_inventory_remove.md
+++ b/docs/kfutil_stores_inventory_remove.md
@@ -52,5 +52,3 @@ kfutil stores inventory remove [flags]
### SEE ALSO
* [kfutil stores inventory](kfutil_stores_inventory.md) - Commands related to certificate store inventory management
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_inventory_show.md b/docs/kfutil_stores_inventory_show.md
index 08ecf61b..823f899b 100644
--- a/docs/kfutil_stores_inventory_show.md
+++ b/docs/kfutil_stores_inventory_show.md
@@ -46,5 +46,3 @@ kfutil stores inventory show [flags]
### SEE ALSO
* [kfutil stores inventory](kfutil_stores_inventory.md) - Commands related to certificate store inventory management
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_list.md b/docs/kfutil_stores_list.md
index 5b79ff9a..d7d9a205 100644
--- a/docs/kfutil_stores_list.md
+++ b/docs/kfutil_stores_list.md
@@ -42,5 +42,3 @@ kfutil stores list [flags]
### SEE ALSO
* [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_rot.md b/docs/kfutil_stores_rot.md
index 0a62c7ac..61159e03 100644
--- a/docs/kfutil_stores_rot.md
+++ b/docs/kfutil_stores_rot.md
@@ -53,5 +53,3 @@ kfutil stores rot reconcile --import-csv
* [kfutil stores rot audit](kfutil_stores_rot_audit.md) - Audit generates a CSV report of what actions will be taken based on input CSV files.
* [kfutil stores rot generate-template](kfutil_stores_rot_generate-template.md) - For generating Root Of Trust template(s)
* [kfutil stores rot reconcile](kfutil_stores_rot_reconcile.md) - Reconcile either takes in or will generate an audit report and then add/remove certs as needed.
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_rot_audit.md b/docs/kfutil_stores_rot_audit.md
index e2612432..1f3a83cb 100644
--- a/docs/kfutil_stores_rot_audit.md
+++ b/docs/kfutil_stores_rot_audit.md
@@ -50,5 +50,3 @@ kfutil stores rot audit [flags]
### SEE ALSO
* [kfutil stores rot](kfutil_stores_rot.md) - Root of trust utility
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_rot_generate-template.md b/docs/kfutil_stores_rot_generate-template.md
index 6c3f46b0..eb5ff54f 100644
--- a/docs/kfutil_stores_rot_generate-template.md
+++ b/docs/kfutil_stores_rot_generate-template.md
@@ -48,5 +48,3 @@ kfutil stores rot generate-template [flags]
### SEE ALSO
* [kfutil stores rot](kfutil_stores_rot.md) - Root of trust utility
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_stores_rot_reconcile.md b/docs/kfutil_stores_rot_reconcile.md
index 9e85606a..7b6ed7b8 100644
--- a/docs/kfutil_stores_rot_reconcile.md
+++ b/docs/kfutil_stores_rot_reconcile.md
@@ -55,5 +55,3 @@ kfutil stores rot reconcile [flags]
### SEE ALSO
* [kfutil stores rot](kfutil_stores_rot.md) - Root of trust utility
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/kfutil_version.md b/docs/kfutil_version.md
index 73c7df04..27bef179 100644
--- a/docs/kfutil_version.md
+++ b/docs/kfutil_version.md
@@ -42,5 +42,3 @@ kfutil version [flags]
### SEE ALSO
* [kfutil](kfutil.md) - Keyfactor CLI utilities
-
-###### Auto generated on 26-Jan-2026
diff --git a/docs/use-cases/Certificate Store Operations/README.md b/docs/use-cases/Certificate Store Operations/README.md
new file mode 100644
index 00000000..3526c78b
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/README.md
@@ -0,0 +1,8 @@
+# Certificate Store Operations
+
+Use cases for bulk certificate store workflows.
+
+- [Bulk Certificate Store Creation](bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](migrate-static-store-credentials-to-pam.md)
+- [Store Type Bulk Create And Update Guides](Store%20Types/README.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/README.md b/docs/use-cases/Certificate Store Operations/Store Types/README.md
new file mode 100644
index 00000000..06f214dd
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/README.md
@@ -0,0 +1,103 @@
+
+# Store Type Bulk Create And Update Guides
+
+These docs are generated from `cmd/store_types.json` and `cmd/pam_types.json` and describe the CSV columns used by `kfutil stores import csv` for each embedded certificate store type.
+
+Regenerate after store type metadata changes:
+
+```bash
+kfutil makedocs
+```
+
+Use `kfutil stores import generate-template` against a live Command environment when you need a template that reflects deployed customizations.
+
+## PAM Provider Parameter Columns
+
+PAM-backed secret columns vary by PAM provider type. Certificate store CSV rows can only set the instance-level parameter names exposed to certificate stores, with the secret column prefix. For example, use `Properties.ServerPassword.Parameters.SecretId` or `Password.Parameters.SecretId`.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## Store Types
+
+| Store Type | Name | Store Password | Secret/PAM Columns |
+| --- | --- | --- | --- |
+| [`Akamai`](akamai.md) | Akamai Certificate Provisioning Service | Not required | 3 secret properties |
+| [`AKV`](akv.md) | Azure Keyvault | Not required | None |
+| [`AlteonLB`](alteonlb.md) | Alteon Load Balancer | Not required | None |
+| [`AppGwBin`](appgwbin.md) | Azure Application Gateway Certificate Binding | Not required | 3 secret properties |
+| [`Aruba`](aruba.md) | Aruba | Not required | 2 secret properties |
+| [`AWS-ACM`](aws-acm.md) | AWS Certificate Manager | Not required | 2 secret properties |
+| [`AWS-ACM-v3`](aws-acm-v3.md) | AWS Certificate Manager v3 | Not required | 4 secret properties |
+| [`AxisIPCamera`](axisipcamera.md) | Axis IP Camera | Not required | 2 secret properties |
+| [`AzureApp`](azureapp.md) | Azure App Registration (Application) | Not required | 3 secret properties |
+| [`AzureApp2`](azureapp2.md) | Azure App Registration 2 (Application) | Not required | 4 secret properties |
+| [`AzureAppGw`](azureappgw.md) | Azure Application Gateway Certificate | Not required | 3 secret properties |
+| [`AzureSP`](azuresp.md) | Azure Enterprise Application (Service Principal) | Not required | 3 secret properties |
+| [`AzureSP2`](azuresp2.md) | Azure Enterprise Application 2 (Service Principal) | Not required | 4 secret properties |
+| [`BarracudaWaf`](barracudawaf.md) | Barracuda WAF | Not required | None |
+| [`BMC`](bmc.md) | BMC Orchestrator Solution | Required | 2 secret properties |
+| [`BoschIPCamera`](boschipcamera.md) | Bosch IP Camera | Not required | 2 secret properties |
+| [`CiscoAsa`](ciscoasa.md) | CiscoAsa | Not required | 2 secret properties |
+| [`CitrixAdc`](citrixadc.md) | CitrixAdc | Required; PAM eligible | 2 secret properties |
+| [`DataPower`](datapower.md) | IBM Data Power | Not required | 2 secret properties |
+| [`F5-BigIQ`](f5-bigiq.md) | F5 Big IQ | Not required | 2 secret properties |
+| [`F5-CA-REST`](f5-ca-rest.md) | F5 CA Profiles REST | Not required | 2 secret properties |
+| [`F5-SL-REST`](f5-sl-rest.md) | F5 SSL Profiles REST | Required; PAM eligible | 2 secret properties |
+| [`F5-WS-REST`](f5-ws-rest.md) | F5 WS Profiles REST | Not required | 2 secret properties |
+| [`f5WafCa`](f5wafca.md) | F5 WAF CA | Not required | 2 secret properties |
+| [`f5WafTls`](f5waftls.md) | F5 WAF TLS | Not required | 2 secret properties |
+| [`Fortigate`](fortigate.md) | Fortigate | Required; PAM eligible | None |
+| [`FortiWeb`](fortiweb.md) | FortiWeb | Not required | 2 secret properties |
+| [`GcpApigee`](gcpapigee.md) | Google Cloud Provider Apigee | Not required | 1 secret property |
+| [`GcpCertMgr`](gcpcertmgr.md) | GCP Certificate Manager | Not required | None |
+| [`GCPLoadBal`](gcploadbal.md) | GCP Load Balancer | Not required | 1 secret property |
+| [`GCPScrtMgr`](gcpscrtmgr.md) | GCPScrtMgr | Required; PAM eligible | None |
+| [`HCVKV`](hcvkv.md) | Hashicorp Vault Key-Value | Not required | None |
+| [`HCVKVJKS`](hcvkvjks.md) | Hashicorp Vault Key-Value JKS | Optional; PAM eligible | 2 secret properties |
+| [`HCVKVP12`](hcvkvp12.md) | Hashicorp Vault Key-Value PKCS12 | Optional; PAM eligible | 2 secret properties |
+| [`HCVKVPEM`](hcvkvpem.md) | Hashicorp Vault Key-Value PEM | Optional; PAM eligible | 2 secret properties |
+| [`HCVKVPFX`](hcvkvpfx.md) | Hashicorp Vault Key-Value PFX | Optional; PAM eligible | 2 secret properties |
+| [`HCVPKI`](hcvpki.md) | Hashicorp Vault PKI | Optional; PAM eligible | 2 secret properties |
+| [`HPiLO`](hpilo.md) | HP iLO Cert Store | Not required | None |
+| [`iDRAC`](idrac.md) | iDRAC | Not required | 2 secret properties |
+| [`IISU`](iisu.md) | IIS Bound Certificate | Not required | 2 secret properties |
+| [`Imperva`](imperva.md) | Imperva | Required; PAM eligible | None |
+| [`K8SCert`](k8scert.md) | K8SCert | Not required | 2 secret properties |
+| [`K8SCluster`](k8scluster.md) | K8SCluster | Not required | 2 secret properties |
+| [`K8SJKS`](k8sjks.md) | K8SJKS | Required | 2 secret properties |
+| [`K8SNS`](k8sns.md) | K8SNS | Not required | 2 secret properties |
+| [`K8SPKCS12`](k8spkcs12.md) | K8SPKCS12 | Required | 2 secret properties |
+| [`K8SSecret`](k8ssecret.md) | K8SSecret | Not required | 2 secret properties |
+| [`K8STLSSecr`](k8stlssecr.md) | K8STLSSecr | Not required | 2 secret properties |
+| [`Kemp`](kemp.md) | Kemp | Not required | 2 secret properties |
+| [`MOST`](most.md) | MyOrchestratorStoreType | Not required | None |
+| [`Nmap`](nmap.md) | Nmap Orchestrator | Not required | None |
+| [`OktaApp`](oktaapp.md) | OktaApp | Not required | None |
+| [`OktaIdP`](oktaidp.md) | OktaIdP | Not required | None |
+| [`PaloAlto`](paloalto.md) | PaloAlto | Not required | 2 secret properties |
+| [`RFDER`](rfder.md) | RFDER | Required; PAM eligible | 2 secret properties |
+| [`RFJKS`](rfjks.md) | RFJKS | Required; PAM eligible | 2 secret properties |
+| [`RFKDB`](rfkdb.md) | RFKDB | Required; PAM eligible | 2 secret properties |
+| [`RFORA`](rfora.md) | RFORA | Required; PAM eligible | 2 secret properties |
+| [`RFPEM`](rfpem.md) | RFPEM | Required; PAM eligible | 2 secret properties |
+| [`RFPkcs12`](rfpkcs12.md) | RFPkcs12 | Required; PAM eligible | 2 secret properties |
+| [`Signum`](signum.md) | Signum | Not required | 2 secret properties |
+| [`SOS`](sos.md) | Sample Orchestrator Solution | Required | 1 secret property |
+| [`ThunderMgmt`](thundermgmt.md) | A10 Thunder Management Certificates | Not required | 2 secret properties |
+| [`ThunderSsl`](thunderssl.md) | A10 Thunder Ssl Certificates | Not required | None |
+| [`vCenter`](vcenter.md) | VMware vCenter | Not required | 2 secret properties |
+| [`VMware-NSX`](vmware-nsx.md) | VMware-NSX | Not required | 2 secret properties |
+| [`WinAdfs`](winadfs.md) | ADFS Rotation Manager | Not required | 2 secret properties |
+| [`WinCerMgmt`](wincermgmt.md) | WinCerMgmt | Not required | None |
+| [`WinCert`](wincert.md) | Windows Certificate | Not required | 2 secret properties |
+| [`WinSql`](winsql.md) | WinSql | Not required | 2 secret properties |
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/akamai.md b/docs/use-cases/Certificate Store Operations/Store Types/akamai.md
new file mode 100644
index 00000000..739112fb
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/akamai.md
@@ -0,0 +1,171 @@
+
+# Akamai - Akamai Certificate Provisioning Service
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `Akamai` |
+| Name | Akamai Certificate Provisioning Service |
+| Capability | Akamai |
+| Server required | No |
+| Store path type | MultipleChoice |
+| Store path value | ["Production","Staging"] |
+| Custom alias | Forbidden |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Enrollment |
+
+**ClientMachine:** The Client Machine field is the Akamai REST API URL. This should be equal to the "host" value from the API credentials file.
+
+**StorePath:** The Akamai network the certificate will be managed from. Value can be either "Production" or "Staging".
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.access_token,Properties.client_token,Properties.client_secret,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file akamai_bulk_create.csv \
+ --store-type-name Akamai \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name Akamai \
+ --outpath akamai_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name Akamai \
+ --outpath akamai_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file akamai_export.csv \
+ --store-type-name Akamai \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.access_token,Properties.client_token,Properties.client_secret,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.access_token` | Access Token | Secret | Yes | - | - | Secret | The Akamai access_token for authentication. |
+| `Properties.client_token` | Client Token | Secret | Yes | - | - | Secret | The Akamai client_token for authentication. |
+| `Properties.client_secret` | Client Secret | Secret | Yes | - | - | Secret | The Akamai client_secret for authentication. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `EnrollmentId` | Enrollment ID | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Enrollment ID of a certificate enrollment in Akamai. This should only be supplied for ODKG when replacing an existing certificate. |
+| `ContractId` | Contract ID | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | The Contract ID of your account in Akamai. |
+| `Sans` | SANs | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | SANs for the new certificate. If multiple are supplied, they should be split with an ampersand character '&' |
+| `admin-addressLineOne` | Admin - Address Line 1 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. |
+| `admin-addressLineTwo` | Admin - Address Line 2 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Optional field for Administrator contact. |
+| `admin-city` | Admin - City | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. |
+| `admin-country` | Admin - Country | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. |
+| `admin-email` | Admin - Email | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. |
+| `admin-firstName` | Admin - First Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. |
+| `admin-lastName` | Admin - Last Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. |
+| `admin-organizationName` | Admin - Organization Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. |
+| `admin-phone` | Admin - Phone | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. |
+| `admin-postalCode` | Admin - Postal Code | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. |
+| `admin-region` | Admin - Region | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. |
+| `admin-title` | Admin - Title | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. |
+| `org-addressLineOne` | Org - Address Line 1 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. |
+| `org-addressLineTwo` | Org - Address Line 2 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Optional field for Organization contact. |
+| `org-city` | Org - City | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. |
+| `org-country` | Org - Country | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. |
+| `org-organizationName` | Org - Organization Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. |
+| `org-phone` | Org - Phone | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. |
+| `org-postalCode` | Org - Postal Code | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. |
+| `org-region` | Org - Region | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. |
+| `tech-addressLineOne` | Tech - Address Line 1 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. |
+| `tech-addressLineTwo` | Tech - Address Line 2 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Optional field for Akamai Tech contact. |
+| `tech-city` | Tech - City | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. |
+| `tech-country` | Tech - Country | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. |
+| `tech-email` | Tech - Email | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. Must be an akamai.com email address. |
+| `tech-firstName` | Tech - First Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. |
+| `tech-lastName` | Tech - Last Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. |
+| `tech-organizationName` | Tech - Organization Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | Akamai | - | Required field for Akamai Tech contact. |
+| `tech-phone` | Tech - Phone | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. |
+| `tech-postalCode` | Tech - Postal Code | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. |
+| `tech-region` | Tech - Region | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. |
+| `tech-title` | Tech - Title | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. |
+| `deployment-network` | Deployment Network | MultipleChoice | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | Standard TLS | - | Required field for Deployment Network. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.access_token
+Properties.client_token
+Properties.client_secret
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.access_token.Provider,Properties.access_token.Parameters.
+Properties.client_token.Provider,Properties.client_token.Parameters.
+Properties.client_secret.Provider,Properties.client_secret.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/akv.md b/docs/use-cases/Certificate Store Operations/Store Types/akv.md
new file mode 100644
index 00000000..7a6b719b
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/akv.md
@@ -0,0 +1,108 @@
+
+# AKV - Azure Keyvault
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `AKV` |
+| Name | Azure Keyvault |
+| Capability | AKV |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Optional |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** The GUID of the tenant ID of the Azure Keyvault instance; for example, '12345678-1234-1234-1234-123456789abc'.
+
+**StorePath:** A string formatted as '{subscription id}:{resource group name}:{vault name}'; for example, '12345678-1234-1234-1234-123456789abc:myResourceGroup:myVault'.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.TenantId,Properties.SkuType,Properties.VaultRegion,Properties.AzureCloud,Properties.PrivateEndpoint,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file akv_bulk_create.csv \
+ --store-type-name AKV \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name AKV \
+ --outpath akv_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name AKV \
+ --outpath akv_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file akv_export.csv \
+ --store-type-name AKV \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.TenantId,Properties.SkuType,Properties.VaultRegion,Properties.AzureCloud,Properties.PrivateEndpoint,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.TenantId` | Tenant Id | String | No | - | - | No | The ID of the primary Azure Tenant where the KeyVaults are hosted |
+| `Properties.SkuType` | SKU Type | MultipleChoice | No | standard,premium | - | No | The SKU type for newly created KeyVaults (only needed if needing to create new KeyVaults in your Azure subscription via Command) |
+| `Properties.VaultRegion` | Vault Region | MultipleChoice | No | eastus,eastus2,westus2,westus3,westus | - | No | The Azure Region to put newly created KeyVaults (only needed if needing to create new KeyVaults in your Azure subscription via Command) |
+| `Properties.AzureCloud` | Azure Cloud | MultipleChoice | No | public,china,government | - | No | The Azure Cloud where the KeyVaults are located (only necessary if not using the standard Azure Public cloud) |
+| `Properties.PrivateEndpoint` | Private KeyVault Endpoint | String | No | - | - | No | The private endpoint of your vault instance (if a private endpoint is configured in Azure) |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `CertificateTags` | Certificate Tags | string | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | If desired, tags can be applied to the KeyVault entries. Provide them as a JSON string of key-value pairs ie: '{'tag-name': 'tag-content', 'other-tag-name': 'other-tag-content'}' |
+| `PreserveExistingTags` | Preserve Existing Tags | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | False | - | If true, this will perform a union of any tags provided with enrollment with the tags on the existing cert with the same alias and apply the result to the new certificate. |
+| `NonExportable` | Non Exportable Private Key | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | False | - | If true, this will mark the certificate as having a non-exportable private key when importing into Azure KeyVault |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/alteonlb.md b/docs/use-cases/Certificate Store Operations/Store Types/alteonlb.md
new file mode 100644
index 00000000..46305676
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/alteonlb.md
@@ -0,0 +1,90 @@
+
+# AlteonLB - Alteon Load Balancer
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `AlteonLB` |
+| Name | Alteon Load Balancer |
+| Capability | - |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Optional |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** The hostname or IP address of the Alteon Load Balancer device (example: https://alteonlb.test.com).
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file alteonlb_bulk_create.csv \
+ --store-type-name AlteonLB \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name AlteonLB \
+ --outpath alteonlb_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name AlteonLB \
+ --outpath alteonlb_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file alteonlb_export.csv \
+ --store-type-name AlteonLB \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+This store type does not define additional `Properties.*` CSV columns.
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md b/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md
new file mode 100644
index 00000000..d91fb014
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md
@@ -0,0 +1,130 @@
+
+# AppGwBin - Azure Application Gateway Certificate Binding
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `AppGwBin` |
+| Name | Azure Application Gateway Certificate Binding |
+| Capability | AzureAppGwBin |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Discovery |
+
+**ClientMachine:** The Azure Tenant (directory) ID that owns the Service Principal.
+
+**StorePath:** Azure resource ID of the application gateway, following the format: /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/applicationGateways/<application-gateway-name>.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file appgwbin_bulk_create.csv \
+ --store-type-name AppGwBin \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name AppGwBin \
+ --outpath appgwbin_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name AppGwBin \
+ --outpath appgwbin_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file appgwbin_export.csv \
+ --store-type-name AppGwBin \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Application ID of the service principal, representing the identity used for managing the Application Gateway. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate |
+| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | - | Secret | The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. |
+| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+Properties.ClientCertificate
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aruba.md b/docs/use-cases/Certificate Store Operations/Store Types/aruba.md
new file mode 100644
index 00000000..cab0254e
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/aruba.md
@@ -0,0 +1,136 @@
+
+# Aruba - Aruba
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `Aruba` |
+| Name | Aruba |
+| Capability | Aruba |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Enrollment |
+
+**ClientMachine:** The base URL / IP address of the Aruba instance without the scheme. (i.e. my-server-name.com if the Aruba URL is https://my-server-name.com)
+
+**StorePath:** A semicolon-delimited string that in the format `<server-hostname>;<service>` (i.e. clearpass.localhost;HTTP(RSA)). Please see orchestrator documentation for more information.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.FileServerType,Properties.FileServerHost,Properties.FileServerUsername,Properties.FileServerPassword,Properties.DigestAlgorithm,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file aruba_bulk_create.csv \
+ --store-type-name Aruba \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name Aruba \
+ --outpath aruba_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name Aruba \
+ --outpath aruba_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file aruba_export.csv \
+ --store-type-name Aruba \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.FileServerType,Properties.FileServerHost,Properties.FileServerUsername,Properties.FileServerPassword,Properties.DigestAlgorithm,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.FileServerType` | File Server Type | MultipleChoice | Yes | Amazon S3 | - | No | The type of file server that the certificate will be uploaded to. The file server must be able to serve the file via HTTPS. |
+| `Properties.FileServerHost` | File Server Host | String | Yes | - | - | No | Required. The base URL for the file server host without the scheme. (i.e. my-server-name.com if the file server URL is https://my-server-name.com). See File Server Configuration section in the orchestrator documentation for more details. |
+| `Properties.FileServerUsername` | File Server Username | Secret | No | - | - | Secret | Optional. The username used to access the file server. See File Server Configuration section in the orchestrator documentation for more details. |
+| `Properties.FileServerPassword` | File Server Password | Secret | No | - | - | Secret | Optional. The password used to access the file server. See File Server Configuration section in the orchestrator documentation for more details. |
+| `Properties.DigestAlgorithm` | Digest Algorithm | MultipleChoice | Yes | SHA-256,SHA-1,SHA-224,SHA-384,SHA-512 | - | No | The hash digest algorithm used for the certificate signing request (CSR). |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `SAN` | SAN | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of <san_type>:<san_value> entries separated by comma; Example: 'DNS:www.example.com,DNS:www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. Allowed SAN types are email, URI, DNS, RID or IP. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.FileServerUsername
+Properties.FileServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.FileServerUsername.Provider,Properties.FileServerUsername.Parameters.
+Properties.FileServerPassword.Provider,Properties.FileServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md
new file mode 100644
index 00000000..5f410220
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md
@@ -0,0 +1,147 @@
+
+# AWS-ACM-v3 - AWS Certificate Manager v3
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `AWS-ACM-v3` |
+| Name | AWS Certificate Manager v3 |
+| Capability | AWS-ACM-v3 |
+| Server required | No |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Optional |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** This is a full AWS ARN specifying a Role. This is the Role that will be assumed in any Auth scenario performing Assume Role. This will dictate what certificates are usable by the orchestrator. A preceding [profile] name should be included if a Credential Profile is to be used in Default Sdk Auth.
+
+**StorePath:** A single specified AWS Region the store will operate in. Additional regions should get their own store defined.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.UseDefaultSdkAuth,Properties.DefaultSdkAssumeRole,Properties.UseOAuth,Properties.OAuthScope,Properties.OAuthGrantType,Properties.OAuthUrl,Properties.OAuthClientId,Properties.OAuthClientSecret,Properties.UseIAM,Properties.IAMUserAccessKey,Properties.IAMUserAccessSecret,Properties.ExternalId,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file aws-acm-v3_bulk_create.csv \
+ --store-type-name AWS-ACM-v3 \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name AWS-ACM-v3 \
+ --outpath aws-acm-v3_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name AWS-ACM-v3 \
+ --outpath aws-acm-v3_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file aws-acm-v3_export.csv \
+ --store-type-name AWS-ACM-v3 \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.UseDefaultSdkAuth,Properties.DefaultSdkAssumeRole,Properties.UseOAuth,Properties.OAuthScope,Properties.OAuthGrantType,Properties.OAuthUrl,Properties.OAuthClientId,Properties.OAuthClientSecret,Properties.UseIAM,Properties.IAMUserAccessKey,Properties.IAMUserAccessSecret,Properties.ExternalId,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.UseDefaultSdkAuth` | Use Default SDK Auth | Bool | Yes | false | - | No | A switch to enable the store to use Default SDK credentials |
+| `Properties.DefaultSdkAssumeRole` | Assume new Role using Default SDK Auth | Bool | No | false | UseDefaultSdkAuth | No | A switch to enable the store to assume a new Role when using Default SDK credentials |
+| `Properties.UseOAuth` | Use OAuth 2.0 Provider | Bool | Yes | false | - | No | A switch to enable the store to use an OAuth provider workflow to authenticate with AWS |
+| `Properties.OAuthScope` | OAuth Scope | String | No | - | UseOAuth | No | This is the OAuth Scope needed for Okta OAuth, defined in Okta |
+| `Properties.OAuthGrantType` | OAuth Grant Type | String | No | client_credentials | UseOAuth | No | In OAuth 2.0, the term 'grant type' refers to the way an application gets an access token. In Okta this is `client_credentials` |
+| `Properties.OAuthUrl` | OAuth Url | String | No | https://***/oauth2/default/v1/token | UseOAuth | No | An optional parameter sts:ExternalId to pass with Assume Role calls |
+| `Properties.OAuthClientId` | OAuth Client ID | Secret | No | - | - | Secret; PAM eligible | The Client ID for OAuth. |
+| `Properties.OAuthClientSecret` | OAuth Client Secret | Secret | No | - | - | Secret; PAM eligible | The Client Secret for OAuth. |
+| `Properties.UseIAM` | Use IAM User Auth | Bool | Yes | false | - | No | A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS |
+| `Properties.IAMUserAccessKey` | IAM User Access Key | Secret | No | - | - | Secret; PAM eligible | The AWS Access Key for an IAM User |
+| `Properties.IAMUserAccessSecret` | IAM User Access Secret | Secret | No | - | - | Secret; PAM eligible | The AWS Access Secret for an IAM User. |
+| `Properties.ExternalId` | sts:ExternalId | String | No | - | - | No | An optional parameter sts:ExternalId to pass with Assume Role calls |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `ACM Tags` | ACM Tags | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | The optional ACM tags that should be assigned to the certificate. Multiple name/value pairs may be entered in the format of `Name1=Value1,Name2=Value2,...,NameN=ValueN` |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.OAuthClientId
+Properties.OAuthClientSecret
+Properties.IAMUserAccessKey
+Properties.IAMUserAccessSecret
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.OAuthClientId.Provider,Properties.OAuthClientId.Parameters.
+Properties.OAuthClientSecret.Provider,Properties.OAuthClientSecret.Parameters.
+Properties.IAMUserAccessKey.Provider,Properties.IAMUserAccessKey.Parameters.
+Properties.IAMUserAccessSecret.Provider,Properties.IAMUserAccessSecret.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md
new file mode 100644
index 00000000..7285bfbc
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md
@@ -0,0 +1,144 @@
+
+# AWS-ACM - AWS Certificate Manager
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `AWS-ACM` |
+| Name | AWS Certificate Manager |
+| Capability | AWS-ACM |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Optional |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** This is the AWS Account ID that will be used for access. This will dictate what certificates are usable by the orchestrator. Note: this does not have any effect on EC2 inferred credentials, which are limited to a specific role/account.
+
+**StorePath:** The AWS Region, or a comma-separated list of multiple regions, the store will operate in.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.UseEC2AssumeRole,Properties.UseOAuth,Properties.UseIAM,Properties.EC2AssumeRole,Properties.OAuthScope,Properties.OAuthGrantType,Properties.OAuthUrl,Properties.IAMAssumeRole,Properties.OAuthAssumeRole,Properties.ExternalId,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file aws-acm_bulk_create.csv \
+ --store-type-name AWS-ACM \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name AWS-ACM \
+ --outpath aws-acm_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name AWS-ACM \
+ --outpath aws-acm_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file aws-acm_export.csv \
+ --store-type-name AWS-ACM \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.UseEC2AssumeRole,Properties.UseOAuth,Properties.UseIAM,Properties.EC2AssumeRole,Properties.OAuthScope,Properties.OAuthGrantType,Properties.OAuthUrl,Properties.IAMAssumeRole,Properties.OAuthAssumeRole,Properties.ExternalId,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.UseEC2AssumeRole` | Assume new Account / Role in EC2 | Bool | Yes | false | - | No | A switch to enable the store to assume a new Account ID and Role when using EC2 credentials |
+| `Properties.UseOAuth` | Use OAuth 2.0 Provider | Bool | Yes | false | - | No | A switch to enable the store to use an OAuth provider workflow to authenticate with AWS ACM |
+| `Properties.UseIAM` | Use IAM User Auth | Bool | Yes | false | - | No | A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS ACM |
+| `Properties.EC2AssumeRole` | AWS Role to Assume (EC2) | String | No | - | UseEC2AssumeRole | No | The AWS Role to assume using the EC2 instance credentials |
+| `Properties.OAuthScope` | OAuth Scope | String | No | - | UseOAuth | No | This is the OAuth Scope needed for Okta OAuth, defined in Okta |
+| `Properties.OAuthGrantType` | OAuth Grant Type | String | No | client_credentials | UseOAuth | No | In OAuth 2.0, the term �grant type� refers to the way an application gets an access token. In Okta this is `client_credentials` |
+| `Properties.OAuthUrl` | OAuth Url | String | No | https://***/oauth2/default/v1/token | UseOAuth | No | An optional parameter sts:ExternalId to pass with Assume Role calls |
+| `Properties.IAMAssumeRole` | AWS Role to Assume (IAM) | String | No | - | UseIAM | No | The AWS Role to assume as the IAM User. |
+| `Properties.OAuthAssumeRole` | AWS Role to Assume (OAuth) | String | No | - | UseOAuth | No | The AWS Role to assume after getting an OAuth token. |
+| `Properties.ExternalId` | sts:ExternalId | String | No | - | - | No | An optional parameter sts:ExternalId to pass with Assume Role calls |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | The AWS Access Key for an IAM User or Client ID for OAuth. Depends on Auth method in use. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | The AWS Access Secret for an IAM User or Client Secret for OAuth. Depends on Auth method in use. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `AWS Region` | AWS Region | String | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":false,"OnRemove":false} | - | - | When adding, this is the Region that the Certificate will be added to |
+| `ACM Tags` | ACM Tags | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | The optional ACM tags that should be assigned to the certificate. Multiple name/value pairs may be entered in the format of `Name1=Value1,Name2=Value2,...,NameN=ValueN` |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md b/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md
new file mode 100644
index 00000000..f5d0b38b
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md
@@ -0,0 +1,134 @@
+
+# AxisIPCamera - Axis IP Camera
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `AxisIPCamera` |
+| Name | Axis IP Camera |
+| Capability | AxisIPCamera |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Add, Enrollment, Remove |
+
+**ClientMachine:** The IP address of the Camera. Sample is "192.167.231.174:44444". Include the port if necessary.
+
+**StorePath:** Enter the Serial Number of the camera e.g. `0b7c3d2f9e8a`
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file axisipcamera_bulk_create.csv \
+ --store-type-name AxisIPCamera \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name AxisIPCamera \
+ --outpath axisipcamera_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name AxisIPCamera \
+ --outpath axisipcamera_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file axisipcamera_export.csv \
+ --store-type-name AxisIPCamera \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret | Enter the username of the configured "service" user on the camera |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret | Enter the password of the configured "service" user on the camera |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera. This should always be "True" |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `CertUsage` | Certificate Usage | MultipleChoice | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":false} | - | - | The Certificate Usage to assign to the cert after enrollment. Can be left 'Other' to be assigned later. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md b/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md
new file mode 100644
index 00000000..e3bddde7
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md
@@ -0,0 +1,130 @@
+
+# AzureApp - Azure App Registration (Application)
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `AzureApp` |
+| Name | Azure App Registration (Application) |
+| Capability | AzureApp |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Add, Discovery, Inventory, Remove |
+
+**ClientMachine:** The Azure Tenant (directory) ID that owns the Service Principal.
+
+**StorePath:** The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file azureapp_bulk_create.csv \
+ --store-type-name AzureApp \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name AzureApp \
+ --outpath azureapp_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name AzureApp \
+ --outpath azureapp_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file azureapp_export.csv \
+ --store-type-name AzureApp \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. |
+| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | - | Secret | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. |
+| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+Properties.ClientCertificate
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md b/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md
new file mode 100644
index 00000000..6b21a08a
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md
@@ -0,0 +1,132 @@
+
+# AzureApp2 - Azure App Registration 2 (Application)
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `AzureApp2` |
+| Name | Azure App Registration 2 (Application) |
+| Capability | AzureApp2 |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Add, Discovery, Inventory, Remove |
+
+**ClientMachine:** The Azure Tenant (directory) ID where the Application is instantiated
+
+**StorePath:** The Object ID of the target Application/App Registration that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.ClientCertificatePassword,Properties.AzureCloud,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file azureapp2_bulk_create.csv \
+ --store-type-name AzureApp2 \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name AzureApp2 \
+ --outpath azureapp2_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name AzureApp2 \
+ --outpath azureapp2_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file azureapp2_export.csv \
+ --store-type-name AzureApp2 \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.ClientCertificatePassword,Properties.AzureCloud,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/App Registration certificates. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | ServerUsername | Secret | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/App Registration certificates. If Client Certificate Auth is used, you **must** select 'No Value'. |
+| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | ServerUsername | Secret | The client certificate used to authenticate with Microsoft Graph for managing Application/App Registrations certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. |
+| `Properties.ClientCertificatePassword` | Client Certificate Password | Secret | No | - | ClientCertificate | Secret | The (optional) password that encrypts the private key in ClientCertificate. If Client Certificate Auth is not used, you **must** check 'No Value'. |
+| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+Properties.ClientCertificate
+Properties.ClientCertificatePassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.
+Properties.ClientCertificatePassword.Provider,Properties.ClientCertificatePassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md b/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md
new file mode 100644
index 00000000..8aa45677
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md
@@ -0,0 +1,130 @@
+
+# AzureAppGw - Azure Application Gateway Certificate
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `AzureAppGw` |
+| Name | Azure Application Gateway Certificate |
+| Capability | AzureAppGw |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Discovery, Inventory, Remove |
+
+**ClientMachine:** The Azure Tenant (directory) ID that owns the Service Principal.
+
+**StorePath:** Azure resource ID of the application gateway, following the format: /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/applicationGateways/<application-gateway-name>.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file azureappgw_bulk_create.csv \
+ --store-type-name AzureAppGw \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name AzureAppGw \
+ --outpath azureappgw_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name AzureAppGw \
+ --outpath azureappgw_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file azureappgw_export.csv \
+ --store-type-name AzureAppGw \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Application ID of the service principal, representing the identity used for managing the Application Gateway. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate |
+| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | - | Secret | The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. |
+| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+Properties.ClientCertificate
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md b/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md
new file mode 100644
index 00000000..80a3044b
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md
@@ -0,0 +1,130 @@
+
+# AzureSP - Azure Enterprise Application (Service Principal)
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `AzureSP` |
+| Name | Azure Enterprise Application (Service Principal) |
+| Capability | AzureSP |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Discovery, Inventory, Remove |
+
+**ClientMachine:** The Azure Tenant (directory) ID that owns the Service Principal.
+
+**StorePath:** The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file azuresp_bulk_create.csv \
+ --store-type-name AzureSP \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name AzureSP \
+ --outpath azuresp_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name AzureSP \
+ --outpath azuresp_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file azuresp_export.csv \
+ --store-type-name AzureSP \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. |
+| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | - | Secret | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. |
+| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+Properties.ClientCertificate
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md b/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md
new file mode 100644
index 00000000..f8377c6a
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md
@@ -0,0 +1,132 @@
+
+# AzureSP2 - Azure Enterprise Application 2 (Service Principal)
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `AzureSP2` |
+| Name | Azure Enterprise Application 2 (Service Principal) |
+| Capability | AzureSP2 |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Discovery, Inventory, Remove |
+
+**ClientMachine:** The Azure Tenant (directory) ID where the Service Principal is instantiated
+
+**StorePath:** The Object ID of the target Service Principal/Enterprise Application that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.ClientCertificatePassword,Properties.AzureCloud,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file azuresp2_bulk_create.csv \
+ --store-type-name AzureSP2 \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name AzureSP2 \
+ --outpath azuresp2_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name AzureSP2 \
+ --outpath azuresp2_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file azuresp2_export.csv \
+ --store-type-name AzureSP2 \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.ClientCertificatePassword,Properties.AzureCloud,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | ServerUsername | Secret | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. If Client Certificate Auth is used, you **must** check 'No Value'. |
+| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | ServerUsername | Secret | The client certificate used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. |
+| `Properties.ClientCertificatePassword` | Client Certificate Password | Secret | No | - | ClientCertificate | Secret | The (optional) password that encrypts the private key in ClientCertificate. If Client Certificate Auth is not used or the certificate's private key is not encrypted, you **must** check 'No Value'. |
+| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+Properties.ClientCertificate
+Properties.ClientCertificatePassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.
+Properties.ClientCertificatePassword.Provider,Properties.ClientCertificatePassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/barracudawaf.md b/docs/use-cases/Certificate Store Operations/Store Types/barracudawaf.md
new file mode 100644
index 00000000..94bd5470
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/barracudawaf.md
@@ -0,0 +1,97 @@
+
+# BarracudaWaf - Barracuda WAF
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `BarracudaWaf` |
+| Name | Barracuda WAF |
+| Capability | BarracudaWaf |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | / |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** The hostname or IP address of the Barracuda WAF appliance. This is used to connect to the REST API on port 8443 (HTTPS) or 8000 (HTTP).
+
+**StorePath:** Not used for this integration. Set to '/' or leave at the default value.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUseSsl,Properties.ApiVersion,Properties.InventorySelfSignedCerts,Properties.InventoryTrustedCerts,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file barracudawaf_bulk_create.csv \
+ --store-type-name BarracudaWaf \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name BarracudaWaf \
+ --outpath barracudawaf_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name BarracudaWaf \
+ --outpath barracudawaf_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file barracudawaf_export.csv \
+ --store-type-name BarracudaWaf \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUseSsl,Properties.ApiVersion,Properties.InventorySelfSignedCerts,Properties.InventoryTrustedCerts,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUseSsl` | Use SSL | Bool | No | true | - | No | Determines whether to connect to the Barracuda WAF management interface over HTTPS (port 8443) or HTTP (port 8000). Default is true (HTTPS). |
+| `Properties.ApiVersion` | API Version | String | No | v3.2 | - | No | The Barracuda WAF REST API version to use for all requests. Defaults to 'v3.2'. Only change this if your WAF firmware requires a different API version. |
+| `Properties.InventorySelfSignedCerts` | Inventory Self-Signed Certificates | Bool | No | true | - | No | When enabled, the inventory job will include self-signed certificates from the WAF in addition to signed certificates. Default is true. |
+| `Properties.InventoryTrustedCerts` | Inventory Trusted Certificates | Bool | No | false | - | No | When enabled, the inventory job will include trusted CA certificates and trusted server certificates from the WAF. Default is false. |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/bmc.md b/docs/use-cases/Certificate Store Operations/Store Types/bmc.md
new file mode 100644
index 00000000..7ebc5ff9
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/bmc.md
@@ -0,0 +1,140 @@
+
+# BMC - BMC Orchestrator Solution
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `BMC` |
+| Name | BMC Orchestrator Solution |
+| Capability | BMC |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Optional |
+| Store password | Required |
+| Supported operations | Add, Create, Discovery, Enrollment, Remove |
+
+**ClientMachine:** Runs on a Windows or Linux based machine.
+
+**StorePath:** Path points to a BMC Keyring.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file bmc_bulk_create.csv \
+ --store-type-name BMC \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name BMC \
+ --outpath bmc_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name BMC \
+ --outpath bmc_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file bmc_export.csv \
+ --store-type-name BMC \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | - |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | - |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | - |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `CertLabel` | CertLabel | String | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":true} | - | - | Cert label as it appears in the BMC API (without the suffix). |
+| `CertOwner` | CertOwner | String | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":true} | - | - | Cert owner as it appears in the BMC API. |
+| `CertUse` | CertUse | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Cert use as returned by the BMC API. |
+| `ImplementCert` | ImplementCert | Bool | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":false} | - | - | Is used to pass an implement cert command to BMC. |
+| `IsCertDefault` | IsCertDefault | Bool | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":false} | - | - | Indicates whether a given cert is set as default in a keyring. |
+| `RemoveFromAllKeyrings` | RemoveFromAllKeyrings | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":true} | false | - | A bool to indicate whether a given cert is to be removed from all keyrings. |
+| `RollbackCert` | RollbackCert | Bool | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":false,"OnRemove":false} | false | - | A bool to indicate whether a given cert is to be rolled back. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md b/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md
new file mode 100644
index 00000000..150b6db6
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md
@@ -0,0 +1,136 @@
+
+# BoschIPCamera - Bosch IP Camera
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `BoschIPCamera` |
+| Name | Bosch IP Camera |
+| Capability | BoschIPCamera |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Enrollment |
+
+**ClientMachine:** The IP address of the Camera. Sample is "192.167.231.174:44444". Include the port if necessary.
+
+**StorePath:** Enter the Serial Number of the camera e.g. `068745431065110085`
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file boschipcamera_bulk_create.csv \
+ --store-type-name BoschIPCamera \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name BoschIPCamera \
+ --outpath boschipcamera_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name BoschIPCamera \
+ --outpath boschipcamera_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file boschipcamera_export.csv \
+ --store-type-name BoschIPCamera \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Enter the username of the configured "service" user on the camera |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | Enter the password of the configured "service" user on the camera |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `CertificateUsage` | Certificate Usage | MultipleChoice | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | The Certificate Usage to assign to the cert after upload. Can be left blank to be assigned later. |
+| `Name` | Name (Alias) | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | The certificate Alias, entered again. |
+| `Overwrite` | Overwrite | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | false | - | Select `True` if using an existing Alias name to remove and replace an existing certificate. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md b/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md
new file mode 100644
index 00000000..63ad619f
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md
@@ -0,0 +1,135 @@
+
+# CiscoAsa - CiscoAsa
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `CiscoAsa` |
+| Name | CiscoAsa |
+| Capability | CiscoAsa |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** Hostname or IP of the Cisco Asa Device without the http:// or https:// prefix same sample would be 10.5.0.4.
+
+**StorePath:** Cisco Asa Certificate Types to manage for Now all that is supported is /Identity.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.CommitToDisk,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file ciscoasa_bulk_create.csv \
+ --store-type-name CiscoAsa \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name CiscoAsa \
+ --outpath ciscoasa_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name CiscoAsa \
+ --outpath ciscoasa_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file ciscoasa_export.csv \
+ --store-type-name CiscoAsa \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.CommitToDisk,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.CommitToDisk` | Commit To Disk | Bool | Yes | false | - | No | This controls if you will write to the disk or memory on the device when adding or removing certificates. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | The username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | The password that matches the username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Determines whether the server uses SSL or not (This field is automatically created). |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `interfaces` | Interfaces Comma Separated | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Comma separated list of Interfaces to bind to. One can be the primary certificate and the other can be the load balancing certificate. For inside here is a sample of binding to both primary and load balancing inside,inside vpnlb-ip. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md b/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md
new file mode 100644
index 00000000..60960e51
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md
@@ -0,0 +1,138 @@
+
+# CitrixAdc - CitrixAdc
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `CitrixAdc` |
+| Name | CitrixAdc |
+| Capability | CitrixAdc |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** The DNS or IP Address of the Citrix ADC Appliance.
+
+**StorePath:** The path where certificate files are located on the Citrix ADC appliance. This value will likely be /nsconfig/ssl/
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.linkToIssuer,Properties.timeout,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file citrixadc_bulk_create.csv \
+ --store-type-name CitrixAdc \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name CitrixAdc \
+ --outpath citrixadc_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name CitrixAdc \
+ --outpath citrixadc_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file citrixadc_export.csv \
+ --store-type-name CitrixAdc \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.linkToIssuer,Properties.timeout,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | The Citrix username (or valid PAM key if the username is stored in a KF Command configured PAM integration) to be used to log into the Citrix device. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | The Citrix password (or valid PAM key if the password is stored in a KF Command configured PAM integration) to be used to log into the Citrix device. |
+| `Properties.linkToIssuer` | Link To Issuer | Bool | No | false | - | No | Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate. |
+| `Properties.timeout` | Login Timeout in seconds | String | No | 3600 | - | No | Determines timeout in seconds for all Citrix ADC API calls. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `virtualServerName` | Virtual Server Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | When adding a certificate, this can be a single VServer name or a comma separated list of VServers to bind to Note: must match the number of Virtual SNI Cert values. |
+| `sniCert` | SNI Cert | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | When adding a certificate, this can be a single boolean value (true/false) or a comma separated list of boolean values to determine whether the binding should use server name indication. Note: must match the number of Virtual Server Name values. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/datapower.md b/docs/use-cases/Certificate Store Operations/Store Types/datapower.md
new file mode 100644
index 00000000..213c3d2f
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/datapower.md
@@ -0,0 +1,130 @@
+
+# DataPower - IBM Data Power
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `DataPower` |
+| Name | IBM Data Power |
+| Capability | DataPower |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add |
+
+**ClientMachine:** The Client Machine field should contain the IP or Domain name and Port Needed for REST API Access. For SSH Access, Port 22 will be used.
+
+**StorePath:** The Store Path field should always be / unless we later determine there are alternate locations needed.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.InventoryBlackList,Properties.Protocol,Properties.PublicCertStoreName,Properties.InventoryPageSize,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file datapower_bulk_create.csv \
+ --store-type-name DataPower \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name DataPower \
+ --outpath datapower_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name DataPower \
+ --outpath datapower_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file datapower_export.csv \
+ --store-type-name DataPower \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.InventoryBlackList,Properties.Protocol,Properties.PublicCertStoreName,Properties.InventoryPageSize,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Api UserName for DataPower. (or valid PAM key if the username is stored in a KF Command configured PAM integration). |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password for DataPower API access. Used for inventory.(or valid PAM key if the password is stored in a KF Command configured PAM integration). |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Should be true, http is not supported. |
+| `Properties.InventoryBlackList` | Inventory Black List | String | No | - | - | No | Comma seperated list of alias values you do not want to inventory from DataPower. |
+| `Properties.Protocol` | Protocol Name | String | Yes | https | - | No | Comma seperated list of alias values you do not want to inventory from DataPower. |
+| `Properties.PublicCertStoreName` | Public Cert Store Name | String | Yes | pubcert | - | No | This probably will remain pubcert unless someone changed the default name in DataPower. |
+| `Properties.InventoryPageSize` | Inventory Page Size | String | Yes | 100 | - | No | This determines the page size during the inventory calls. (100 should be fine). |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md
new file mode 100644
index 00000000..9ae5453b
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md
@@ -0,0 +1,125 @@
+
+# F5-BigIQ - F5 Big IQ
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `F5-BigIQ` |
+| Name | F5 Big IQ |
+| Capability | F5-BigIQ |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Enrollment, Remove |
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DeployCertificateOnRenewal,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.LoginProviderName,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file f5-bigiq_bulk_create.csv \
+ --store-type-name F5-BigIQ \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name F5-BigIQ \
+ --outpath f5-bigiq_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name F5-BigIQ \
+ --outpath f5-bigiq_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file f5-bigiq_export.csv \
+ --store-type-name F5-BigIQ \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DeployCertificateOnRenewal,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.LoginProviderName,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.DeployCertificateOnRenewal` | Deploy Certificate to Linked Big IP on Renewal | Bool | No | false | - | No | This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device. |
+| `Properties.IgnoreSSLWarning` | Ignore SSL Warning | Bool | No | false | - | No | If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store. |
+| `Properties.UseTokenAuth` | Use Token Authentication | Bool | No | false | - | No | If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls. |
+| `Properties.LoginProviderName` | Authentication Provider Name | String | No | - | UseTokenAuth | No | If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Login credential for the F5 Big IQ device. MUST be an Admin account. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Login password for the F5 Big IQ device. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md
new file mode 100644
index 00000000..d5c295fa
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md
@@ -0,0 +1,132 @@
+
+# F5-CA-REST - F5 CA Profiles REST
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `F5-CA-REST` |
+| Name | F5 CA Profiles REST |
+| Capability | F5-CA-REST |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Add, Discovery, Remove |
+
+**ClientMachine:** The server name or IP Address for the F5 device.
+
+**StorePath:** Enter the name of the partition followed by the name of the bundle separated by a / (i.e. Common/BundleName). This value is case sensitive, so if the partition name is "Common/BundleName", it must be entered as "Common/BundleName" and not "common/bundlename",
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file f5-ca-rest_bulk_create.csv \
+ --store-type-name F5-CA-REST \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name F5-CA-REST \
+ --outpath f5-ca-rest_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name F5-CA-REST \
+ --outpath f5-ca-rest_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file f5-ca-rest_export.csv \
+ --store-type-name F5-CA-REST \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.PrimaryNode` | Primary Node | String | Yes | - | PrimaryNodeOnlineRequired | No | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
+| `Properties.PrimaryNodeCheckRetryWaitSecs` | Primary Node Check Retry Wait Seconds | String | Yes | 120 | PrimaryNodeOnlineRequired | No | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
+| `Properties.PrimaryNodeCheckRetryMax` | Primary Node Check Retry Maximum | String | Yes | 3 | PrimaryNodeOnlineRequired | No | Enter the number of times a Management-Add job will attempt to add/replace/renew a certificate if the node is inactive before failing. |
+| `Properties.PrimaryNodeOnlineRequired` | Primary Node Online Required | Bool | Yes | - | - | No | Select this if you wish to stop the orchestrator from adding, replacing or renewing certificates on nodes that are inactive. If this is not selected, adding, replacing and renewing certificates on inactive nodes will be allowed. If you choose not to add this custom field, the default value of False will be assumed. |
+| `Properties.IgnoreSSLWarning` | Ignore SSL Warning | Bool | Yes | False | - | No | Select this if you wish to ignore SSL warnings from F5 that occur during API calls when the site does not have a trusted certificate with the proper SAN bound to it. If you choose not to add this custom field, the default value of False will be assumed and SSL warnings will cause errors during orchestrator extension jobs. |
+| `Properties.UseTokenAuth` | Use Token Authentication | Bool | Yes | false | - | No | Select this if you wish to use F5's token authentiation instead of basic authentication for all API requests. If you choose not to add this custom field, the default value of False will be assumed and basic authentication will be used for all API requests for all jobs. Setting this value to True will enable an initial basic authenticated request to acquire an authentication token, which will then be used for all subsequent API requests. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Login credential for the F5 device. MUST be an Admin account. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Login password for the F5 device. |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | True if using https to access the F5 device. False if using http. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md
new file mode 100644
index 00000000..a1bbcb44
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md
@@ -0,0 +1,143 @@
+
+# F5-SL-REST - F5 SSL Profiles REST
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `F5-SL-REST` |
+| Name | F5 SSL Profiles REST |
+| Capability | F5-SL-REST |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Discovery, Remove |
+
+**ClientMachine:** The server name or IP Address for the F5 device.
+
+**StorePath:** Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common",
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.RemoveChain,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file f5-sl-rest_bulk_create.csv \
+ --store-type-name F5-SL-REST \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name F5-SL-REST \
+ --outpath f5-sl-rest_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name F5-SL-REST \
+ --outpath f5-sl-rest_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file f5-sl-rest_export.csv \
+ --store-type-name F5-SL-REST \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.RemoveChain,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.PrimaryNode` | Primary Node | String | Yes | - | PrimaryNodeOnlineRequired | No | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
+| `Properties.PrimaryNodeCheckRetryWaitSecs` | Primary Node Check Retry Wait Seconds | String | Yes | 120 | PrimaryNodeOnlineRequired | No | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
+| `Properties.PrimaryNodeCheckRetryMax` | Primary Node Check Retry Maximum | String | Yes | 3 | PrimaryNodeOnlineRequired | No | Enter the number of times a Management-Add job will attempt to add/replace/renew a certificate if the node is inactive before failing. |
+| `Properties.PrimaryNodeOnlineRequired` | Primary Node Online Required | Bool | Yes | - | - | No | Select this if you wish to stop the orchestrator from adding, replacing or renewing certificates on nodes that are inactive. If this is not selected, adding, replacing and renewing certificates on inactive nodes will be allowed. If you choose not to add this custom field, the default value of False will be assumed. |
+| `Properties.RemoveChain` | Remove Chain on Add | Bool | No | False | - | No | Optional setting. Set this to true if you would like to remove the certificate chain before adding or replacing a certificate on your F5 device. |
+| `Properties.IgnoreSSLWarning` | Ignore SSL Warning | Bool | Yes | False | - | No | Select this if you wish to ignore SSL warnings from F5 that occur during API calls when the site does not have a trusted certificate with the proper SAN bound to it. If you choose not to add this custom field, the default value of False will be assumed and SSL warnings will cause errors during orchestrator extension jobs. |
+| `Properties.UseTokenAuth` | Use Token Authentication | Bool | Yes | false | - | No | Select this if you wish to use F5's token authentication instead of basic authentication for all API requests. If you choose not to add this custom field, the default value of False will be assumed and basic authentication will be used for all API requests for all jobs. Setting this value to True will enable an initial basic authenticated request to acquire an authentication token, which will then be used for all subsequent API requests. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Login credential for the F5 device. MUST be an Admin account. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Login password for the F5 device. |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | True if using https to access the F5 device. False if using http. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `SSLProfiles` | SSL Profiles | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | One to many comma delimited F5 SSL Profiles to bind the certificate to (new certificates ONLY) |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md
new file mode 100644
index 00000000..c0a6f4da
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md
@@ -0,0 +1,132 @@
+
+# F5-WS-REST - F5 WS Profiles REST
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `F5-WS-REST` |
+| Name | F5 WS Profiles REST |
+| Capability | F5-WS-REST |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add |
+
+**ClientMachine:** The server name or IP Address for the F5 device.
+
+**StorePath:** Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common",
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file f5-ws-rest_bulk_create.csv \
+ --store-type-name F5-WS-REST \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name F5-WS-REST \
+ --outpath f5-ws-rest_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name F5-WS-REST \
+ --outpath f5-ws-rest_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file f5-ws-rest_export.csv \
+ --store-type-name F5-WS-REST \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.PrimaryNode` | Primary Node | String | Yes | - | PrimaryNodeOnlineRequired | No | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
+| `Properties.PrimaryNodeCheckRetryWaitSecs` | Primary Node Check Retry Wait Seconds | String | Yes | 120 | PrimaryNodeOnlineRequired | No | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
+| `Properties.PrimaryNodeCheckRetryMax` | Primary Node Check Retry Maximum | String | Yes | 3 | PrimaryNodeOnlineRequired | No | Enter the number of times a Management-Add job will attempt to add/replace/renew a certificate if the node is inactive before failing. |
+| `Properties.PrimaryNodeOnlineRequired` | Primary Node Online Required | Bool | Yes | - | - | No | Select this if you wish to stop the orchestrator from adding, replacing or renewing certificates on nodes that are inactive. If this is not selected, adding, replacing and renewing certificates on inactive nodes will be allowed. If you choose not to add this custom field, the default value of False will be assumed. |
+| `Properties.IgnoreSSLWarning` | Ignore SSL Warning | Bool | Yes | False | - | No | Select this if you wish to ignore SSL warnings from F5 that occur during API calls when the site does not have a trusted certificate with the proper SAN bound to it. If you choose not to add this custom field, the default value of False will be assumed and SSL warnings will cause errors during orchestrator extension jobs. |
+| `Properties.UseTokenAuth` | Use Token Authentication | Bool | Yes | false | - | No | Select this if you wish to use F5's token authentiation instead of basic authentication for all API requests. If you choose not to add this custom field, the default value of False will be assumed and basic authentication will be used for all API requests for all jobs. Setting this value to True will enable an initial basic authenticated request to acquire an authentication token, which will then be used for all subsequent API requests. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Login credential for the F5 device. MUST be an Admin account. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Login password for the F5 device. |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | True if using https to access the F5 device. False if using http. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md b/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md
new file mode 100644
index 00000000..ded638df
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md
@@ -0,0 +1,125 @@
+
+# f5WafCa - F5 WAF CA
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `f5WafCa` |
+| Name | F5 WAF CA |
+| Capability | f5WafCa |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Add, Discovery, Remove |
+
+**ClientMachine:** The URL for the F5 Distributed Cloud instance (typically ending in '.console.ves.volterra.io').
+
+**StorePath:** The Multi-Cloud App Connect namespace containing the certificates you wish to manage.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file f5wafca_bulk_create.csv \
+ --store-type-name f5WafCa \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name f5WafCa \
+ --outpath f5wafca_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name f5WafCa \
+ --outpath f5wafca_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file f5wafca_export.csv \
+ --store-type-name f5WafCa \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Not used. Set to No Value. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | The API Token configured in the F5 Distributed Cloud instance's Account Settings. Please review the Requirements & Prerequisites section in this README for more information on creating this API token. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md b/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md
new file mode 100644
index 00000000..73cdbe1a
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md
@@ -0,0 +1,125 @@
+
+# f5WafTls - F5 WAF TLS
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `f5WafTls` |
+| Name | F5 WAF TLS |
+| Capability | f5WafTls |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Discovery, Remove |
+
+**ClientMachine:** The URL for the F5 Distributed Cloud instance (typically ending in '.console.ves.volterra.io').
+
+**StorePath:** The Multi-Cloud App Connect namespace containing the certificates you wish to manage.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file f5waftls_bulk_create.csv \
+ --store-type-name f5WafTls \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name f5WafTls \
+ --outpath f5waftls_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name f5WafTls \
+ --outpath f5waftls_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file f5waftls_export.csv \
+ --store-type-name f5WafTls \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Not used. Set to No Value. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The API Token configured in the F5 Distributed Cloud instance's Account Settings. Please review the Requirements & Prerequisites section in this README for more information on creating this API token. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md b/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md
new file mode 100644
index 00000000..f8c06e2a
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md
@@ -0,0 +1,108 @@
+
+# Fortigate - Fortigate
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `Fortigate` |
+| Name | Fortigate |
+| Capability | Fortigate |
+| Server required | No |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** The IP address or DNS of the Fortigate server
+
+**StorePath:** Value must contain the VDOM this certificate store will be managing. `root` must be entered to manage the default 'root' VDOM.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file fortigate_bulk_create.csv \
+ --store-type-name Fortigate \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name Fortigate \
+ --outpath fortigate_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name Fortigate \
+ --outpath fortigate_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file fortigate_export.csv \
+ --store-type-name Fortigate \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+This store type does not define additional `Properties.*` CSV columns.
+
+## Secret And PAM Formatting
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md b/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md
new file mode 100644
index 00000000..518b9af0
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md
@@ -0,0 +1,127 @@
+
+# FortiWeb - FortiWeb
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `FortiWeb` |
+| Name | FortiWeb |
+| Capability | FortiWeb |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add |
+
+**ClientMachine:** The Client Machine field should contain the IP or Domain name and Port Needed for REST API Access. For SSH Access, Port 22 will be used.
+
+**StorePath:** The Store Path field should always be / unless we later determine there are alternate locations needed.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.ADom,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file fortiweb_bulk_create.csv \
+ --store-type-name FortiWeb \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name FortiWeb \
+ --outpath fortiweb_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name FortiWeb \
+ --outpath fortiweb_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file fortiweb_export.csv \
+ --store-type-name FortiWeb \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.ADom,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username for CLI/SSH and REST API access. Used for inventory. (or valid PAM key if the username is stored in a KF Command configured PAM integration). |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password for CLI/SSH and REST API access. Used for inventory.(or valid PAM key if the password is stored in a KF Command configured PAM integration). |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Should be true, http is not supported. |
+| `Properties.ADom` | Administrative Domain | String | Yes | root | - | No | Specifies the administrative or virtual domain within the FortiWeb system that the API user is targeting. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md
new file mode 100644
index 00000000..0c6db912
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md
@@ -0,0 +1,123 @@
+
+# GcpApigee - Google Cloud Provider Apigee
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `GcpApigee` |
+| Name | Google Cloud Provider Apigee |
+| Capability | GcpApigee |
+| Server required | No |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Create, Remove |
+
+**ClientMachine:** The Base URL for the GCP Apigee REST Api. Should be *apigee.googleapis.com*
+
+**StorePath:** The Apigee keystore being managed. Must be provided in the following format: organizations/{org}/environments/{env}/keystores/{keystore}, where {org}, {env}, and {keystore} will be replaced with your environment-specific values.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.isTrustStore,Properties.jsonKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file gcpapigee_bulk_create.csv \
+ --store-type-name GcpApigee \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name GcpApigee \
+ --outpath gcpapigee_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name GcpApigee \
+ --outpath gcpapigee_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file gcpapigee_export.csv \
+ --store-type-name GcpApigee \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.isTrustStore,Properties.jsonKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.isTrustStore` | Is Trust Store? | Bool | Yes | false | - | No | Should be checked if the Apigee keystore being managed is a truststore. |
+| `Properties.jsonKey` | Google Json Key File | Secret | Yes | - | - | Secret | The JSON key tied to the Apigee service account. You can copy and paste the entire Json key in the textbox when creating a certificate store in the Keyfactor Command UI. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.jsonKey
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.jsonKey.Provider,Properties.jsonKey.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpcertmgr.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpcertmgr.md
new file mode 100644
index 00000000..97d0d3cb
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpcertmgr.md
@@ -0,0 +1,95 @@
+
+# GcpCertMgr - GCP Certificate Manager
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `GcpCertMgr` |
+| Name | GCP Certificate Manager |
+| Capability | GcpCertMgr |
+| Server required | No |
+| Store path type | - |
+| Store path value | n/a |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** GCP Project ID for your account.
+
+**StorePath:** This is not used and should be defaulted to n/a per the certificate store type set up.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.Location,Properties.ServiceAccountKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file gcpcertmgr_bulk_create.csv \
+ --store-type-name GcpCertMgr \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name GcpCertMgr \
+ --outpath gcpcertmgr_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name GcpCertMgr \
+ --outpath gcpcertmgr_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file gcpcertmgr_export.csv \
+ --store-type-name GcpCertMgr \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.Location,Properties.ServiceAccountKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.Location` | Location | String | Yes | global | - | No | The GCP region used for this Certificate Manager instance. **global** is the default but could be another region based on the project. |
+| `Properties.ServiceAccountKey` | Service Account Key File Path | String | No | - | - | No | The file name of the Google Cloud Service Account Key File installed in the same folder as the orchestrator extension. Empty if the orchestrator server resides in GCP and you are not using a service account key. |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md b/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md
new file mode 100644
index 00000000..4336ec26
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md
@@ -0,0 +1,122 @@
+
+# GCPLoadBal - GCP Load Balancer
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `GCPLoadBal` |
+| Name | GCP Load Balancer |
+| Capability | GCPLoadBal |
+| Server required | No |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Optional |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** Not used, but required when creating a store. Just enter any value.
+
+**StorePath:** Your Google Cloud Project ID only if you choose to use global resources. Append a forward slash '/' and valid GCP region to process against a specific [GCP region](https://gist.github.com/rpkim/084046e02fd8c452ba6ddef3a61d5d59).
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.jsonKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file gcploadbal_bulk_create.csv \
+ --store-type-name GCPLoadBal \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name GCPLoadBal \
+ --outpath gcploadbal_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name GCPLoadBal \
+ --outpath gcploadbal_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file gcploadbal_export.csv \
+ --store-type-name GCPLoadBal \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.jsonKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.jsonKey` | Service Account Key | Secret | Yes | - | - | Secret | If authenticating by passing credentials from Keyfactor Command, this is the JSON-based service account key created from within Google Cloud. If authenticating via Application Default Credentials (ADC), select No Value |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.jsonKey
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.jsonKey.Provider,Properties.jsonKey.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md
new file mode 100644
index 00000000..de1ddf84
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md
@@ -0,0 +1,119 @@
+
+# GCPScrtMgr - GCPScrtMgr
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `GCPScrtMgr` |
+| Name | GCPScrtMgr |
+| Capability | GCPScrtMgr |
+| Server required | No |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** Not used
+
+**StorePath:** The Project ID of the Google Secret Manager being managed.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PasswordSecretSuffix,Properties.IncludeChain,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file gcpscrtmgr_bulk_create.csv \
+ --store-type-name GCPScrtMgr \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name GCPScrtMgr \
+ --outpath gcpscrtmgr_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name GCPScrtMgr \
+ --outpath gcpscrtmgr_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file gcpscrtmgr_export.csv \
+ --store-type-name GCPScrtMgr \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PasswordSecretSuffix,Properties.IncludeChain,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.PasswordSecretSuffix` | Password Secret Location Suffix | String | No | - | - | No | If storing a certificate with an encrypted private key, this is the suffix to add to the certificate (secret) alias name where the encrypted private key password will be stored. Please see [Certificate Encryption Details](#certificate-encryption-details) for more information |
+| `Properties.IncludeChain` | Include Chain | Bool | No | True | - | No | Determines whether to include the certificate chain when adding a certificate as a secret. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `tags` | Tags | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | One-to-many Organization level tag Key:Value combinations, comma delimited - i.e. tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN |
+
+## Secret And PAM Formatting
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkv.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkv.md
new file mode 100644
index 00000000..d5928929
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkv.md
@@ -0,0 +1,94 @@
+
+# HCVKV - Hashicorp Vault Key-Value
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `HCVKV` |
+| Name | Hashicorp Vault Key-Value |
+| Capability | HCVKV |
+| Server required | No |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Optional |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Create, Discovery, Remove |
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.MountPoint,Properties.VaultToken,Properties.VaultServerUrl,Properties.SubfolderInventory,Properties.IncludeCertChain,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file hcvkv_bulk_create.csv \
+ --store-type-name HCVKV \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name HCVKV \
+ --outpath hcvkv_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name HCVKV \
+ --outpath hcvkv_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file hcvkv_export.csv \
+ --store-type-name HCVKV \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.MountPoint,Properties.VaultToken,Properties.VaultServerUrl,Properties.SubfolderInventory,Properties.IncludeCertChain,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.MountPoint` | Mount Point | String | No | - | - | No | - |
+| `Properties.VaultToken` | Vault Token | String | No | - | - | No | - |
+| `Properties.VaultServerUrl` | Vault Server URL | String | No | - | - | No | - |
+| `Properties.SubfolderInventory` | Subfolder Inventory | Bool | No | false | - | No | - |
+| `Properties.IncludeCertChain` | Include Cert Chain | Bool | No | true | - | No | - |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md
new file mode 100644
index 00000000..ca388f4c
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md
@@ -0,0 +1,130 @@
+
+# HCVKVJKS - Hashicorp Vault Key-Value JKS
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `HCVKVJKS` |
+| Name | Hashicorp Vault Key-Value JKS |
+| Capability | HCVKVJKS |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | example: '/mycerts/certstore.jks?b64cert' |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Optional; PAM eligible |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** This can be any value to help uniquely identify the store. It is not used by this integration.
+
+**StorePath:** This is the path to the secret containing the store.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file hcvkvjks_bulk_create.csv \
+ --store-type-name HCVKVJKS \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name HCVKVJKS \
+ --outpath hcvkvjks_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name HCVKVJKS \
+ --outpath hcvkvjks_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file hcvkvjks_export.csv \
+ --store-type-name HCVKVJKS \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance |
+| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | false | - | No | Should the certificate chain be included when performing an enrollment? |
+| `Properties.MountPoint` | Mount Point | String | No | - | - | No | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. <namespace>/<mount point> |
+| `Properties.PassphrasePath` | Passphrase Path | String | No | - | - | No | This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md
new file mode 100644
index 00000000..7aeb5d61
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md
@@ -0,0 +1,130 @@
+
+# HCVKVP12 - Hashicorp Vault Key-Value PKCS12
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `HCVKVP12` |
+| Name | Hashicorp Vault Key-Value PKCS12 |
+| Capability | HCVKVP12 |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | example: '/mycerts/certstore.p12?b64cert' |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Optional; PAM eligible |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** This can be any value to help uniquely identify the store. It is not used by this integration.
+
+**StorePath:** This is the path to the secret containing the store.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file hcvkvp12_bulk_create.csv \
+ --store-type-name HCVKVP12 \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name HCVKVP12 \
+ --outpath hcvkvp12_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name HCVKVP12 \
+ --outpath hcvkvp12_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file hcvkvp12_export.csv \
+ --store-type-name HCVKVP12 \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance |
+| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | false | - | No | Should the certificate chain be included when performing an enrollment? |
+| `Properties.MountPoint` | Mount Point | String | No | - | - | No | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. <namespace>/<mount point> |
+| `Properties.PassphrasePath` | Passphrase Path | String | No | - | - | No | This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md
new file mode 100644
index 00000000..9161afc8
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md
@@ -0,0 +1,130 @@
+
+# HCVKVPEM - Hashicorp Vault Key-Value PEM
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `HCVKVPEM` |
+| Name | Hashicorp Vault Key-Value PEM |
+| Capability | HCVKVPEM |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Optional; PAM eligible |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** This can be any value to help uniquely identify the store. It is not used by this integration.
+
+**StorePath:** This is the path after mount point where the certificates will be stored.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.SubfolderInventory,Properties.IncludeCertChain,Properties.MountPoint,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file hcvkvpem_bulk_create.csv \
+ --store-type-name HCVKVPEM \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name HCVKVPEM \
+ --outpath hcvkvpem_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name HCVKVPEM \
+ --outpath hcvkvpem_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file hcvkvpem_export.csv \
+ --store-type-name HCVKVPEM \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.SubfolderInventory,Properties.IncludeCertChain,Properties.MountPoint,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance |
+| `Properties.SubfolderInventory` | Subfolder Inventory | Bool | No | false | - | No | Should certificates found in sub-paths be included when performing an inventory? |
+| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | false | - | No | Should the certificate chain be included when performing an enrollment? |
+| `Properties.MountPoint` | Mount Point | String | No | - | - | No | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. <namespace>/<mount point> |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md
new file mode 100644
index 00000000..0017503a
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md
@@ -0,0 +1,130 @@
+
+# HCVKVPFX - Hashicorp Vault Key-Value PFX
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `HCVKVPFX` |
+| Name | Hashicorp Vault Key-Value PFX |
+| Capability | HCVKVPFX |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | example: '/mycerts/certstore.pfx?b64cert' |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Optional; PAM eligible |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** This can be any value to help uniquely identify the store. It is not used by this integration.
+
+**StorePath:** This is the path to the secret containing the store.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file hcvkvpfx_bulk_create.csv \
+ --store-type-name HCVKVPFX \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name HCVKVPFX \
+ --outpath hcvkvpfx_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name HCVKVPFX \
+ --outpath hcvkvpfx_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file hcvkvpfx_export.csv \
+ --store-type-name HCVKVPFX \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance |
+| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | false | - | No | Should the certificate chain be included when performing an enrollment? |
+| `Properties.MountPoint` | Mount Point | String | No | - | - | No | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. <namespace>/<mount point> |
+| `Properties.PassphrasePath` | Passphrase Path | String | No | - | - | No | This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md
new file mode 100644
index 00000000..3f50c623
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md
@@ -0,0 +1,129 @@
+
+# HCVPKI - Hashicorp Vault PKI
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `HCVPKI` |
+| Name | Hashicorp Vault PKI |
+| Capability | HCVPKI |
+| Server required | Yes |
+| Store path type | Fixed |
+| Store path value | / |
+| Custom alias | Forbidden |
+| Private key | Forbidden |
+| Store password | Optional; PAM eligible |
+| Supported operations | None |
+
+**ClientMachine:** This can be any value to help uniquely identify the store. It is not used by this integration.
+
+**StorePath:** For HCVPKI, this will be '/'
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file hcvpki_bulk_create.csv \
+ --store-type-name HCVPKI \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name HCVPKI \
+ --outpath hcvpki_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name HCVPKI \
+ --outpath hcvpki_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file hcvpki_export.csv \
+ --store-type-name HCVPKI \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance |
+| `Properties.MountPoint` | Mount Point | String | Yes | - | - | No | This is the mount point of the instance of the PKI or Keyfactor secrets engine plugin. If using enterprise namespaces: <namespace>/<mount point> |
+| `Properties.PassphrasePath` | Passphrase Path | String | No | - | - | No | This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hpilo.md b/docs/use-cases/Certificate Store Operations/Store Types/hpilo.md
new file mode 100644
index 00000000..0f32ec73
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/hpilo.md
@@ -0,0 +1,104 @@
+
+# HPiLO - HP iLO Cert Store
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `HPiLO` |
+| Name | HP iLO Cert Store |
+| Capability | HPiLO |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Enrollment, Remove |
+
+**ClientMachine:** Currently unused.
+
+**StorePath:** This should contain the full URI pointing to the HPiLO instance, using IP (e.g. `https://10.1.1.1/`) or domain name (e.g. `https://hpilo.test.local/`). The orchestrator will connect to the iLO instance using the iLO API.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.InventoryAll,Properties.IgnoreValidation,Properties.HTTPSCertWaitTime,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file hpilo_bulk_create.csv \
+ --store-type-name HPiLO \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name HPiLO \
+ --outpath hpilo_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name HPiLO \
+ --outpath hpilo_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file hpilo_export.csv \
+ --store-type-name HPiLO \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.InventoryAll,Properties.IgnoreValidation,Properties.HTTPSCertWaitTime,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.InventoryAll` | InventoryAll | Bool | Yes | false | - | No | If true, allows for inventory of additional factory-installed certificates and their chains: `Platform Cert`,`SystemIAK`,`SystemIDevID`, `iLOIDevID/BMCIDevIDPCA` |
+| `Properties.IgnoreValidation` | IgnoreValidation | Bool | Yes | false | - | No | WARNING: Only enable if testing. Used to disable certificate validation checks at the API endpoint. Should be set to false in any production scenario. |
+| `Properties.HTTPSCertWaitTime` | HTTPS Cert Wait Time | String | Yes | 60 | - | No | The HPiLO API requires the user to wait while the HTTPS Cert CSR is generated. HP suggests a time of 60 seconds, as is the default setting, but it can be adjusted. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `IncludeIP` | IncludeIP | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | false | - | Enables the addition of the device IP as a SAN to the CSR during reenrollment. Used particularly during HTTPSCert reenrollment, where it can be set as desired, and should be set to false during all other operations. |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/idrac.md b/docs/use-cases/Certificate Store Operations/Store Types/idrac.md
new file mode 100644
index 00000000..39de5707
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/idrac.md
@@ -0,0 +1,125 @@
+
+# iDRAC - iDRAC
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `iDRAC` |
+| Name | iDRAC |
+| Capability | iDRAC |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add |
+
+**ClientMachine:** The IP address of the iDRAC instance being managed.
+
+**StorePath:** Enter the full path where the Racadm executable is installed on the orchestrator server. See [Requirements & Prerequisites](#requirements--prerequisites) above for more details.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file idrac_bulk_create.csv \
+ --store-type-name iDRAC \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name iDRAC \
+ --outpath idrac_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name iDRAC \
+ --outpath idrac_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file idrac_export.csv \
+ --store-type-name iDRAC \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The user ID (or, if using a PAM provider, the key pointing to the user ID) to log into the iDRAC instance being managed. |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | The password (or, if using a PAM provider, the key pointing to the password) for the user ID above. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/iisu.md b/docs/use-cases/Certificate Store Operations/Store Types/iisu.md
new file mode 100644
index 00000000..f2167bb7
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/iisu.md
@@ -0,0 +1,143 @@
+
+# IISU - IIS Bound Certificate
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `IISU` |
+| Name | IIS Bound Certificate |
+| Capability | IISU |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | ["My","WebHosting"] |
+| Custom alias | Forbidden |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Enrollment, Remove |
+
+**ClientMachine:** Hostname of the Windows Server containing the IIS certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine).
+
+**StorePath:** Windows certificate store path to manage. Choose 'My' for the Personal store or 'WebHosting' for the Web Hosting store.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file iisu_bulk_create.csv \
+ --store-type-name IISU \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name IISU \
+ --outpath iisu_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name IISU \
+ --outpath iisu_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file iisu_export.csv \
+ --store-type-name IISU \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.spnwithport` | SPN With Port | Bool | No | false | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
+| `Properties.WinRM Protocol` | WinRM Protocol | MultipleChoice | Yes | https,http,ssh | - | No | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. |
+| `Properties.WinRM Port` | WinRM Port | String | Yes | 5986 | - | No | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. (This field is automatically created) |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created) |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Determine whether the server uses SSL or not (This field is automatically created) |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `Port` | Port | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | 443 | - | String value specifying the IP port to bind the certificate to for the IIS site. Example: '443' for HTTPS. |
+| `IPAddress` | IP Address | String | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":true} | * | - | String value specifying the IP address to bind the certificate to for the IIS site. Example: '*' for all IP addresses or '192.168.1.1' for a specific IP address. |
+| `HostName` | Host Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | String value specifying the host name (host header) to bind the certificate to for the IIS site. Leave blank for all host names or enter a specific hostname such as 'www.example.com'. |
+| `SiteName` | IIS Site Name | String | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":true} | Default Web Site | - | String value specifying the name of the IIS web site to bind the certificate to. Example: 'Default Web Site' or any custom site name such as 'MyWebsite'. |
+| `SniFlag` | SSL Flags | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | 0 | - | A 128-Bit Flag that determines what type of SSL settings you wish to use. The default is 0, meaning No SNI. For more information, check IIS documentation for the appropriate bit setting.) |
+| `Protocol` | Protocol | MultipleChoice | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":true} | https | - | Multiple choice value specifying the protocol to bind to. Example: 'https' for secure communication. |
+| `ProviderName` | Crypto Provider Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers' |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/imperva.md b/docs/use-cases/Certificate Store Operations/Store Types/imperva.md
new file mode 100644
index 00000000..badf5089
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/imperva.md
@@ -0,0 +1,108 @@
+
+# Imperva - Imperva
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `Imperva` |
+| Name | Imperva |
+| Capability | Imperva |
+| Server required | No |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** The URL that will be used as the base URL for Imperva endpoint calls. Should be https://my.imperva.com
+
+**StorePath:** Your Imperva account id. Please refer to the [Imperva documentation](https://docs.imperva.com/howto/bd68301b) as to how to find your Imperva account id.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file imperva_bulk_create.csv \
+ --store-type-name Imperva \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name Imperva \
+ --outpath imperva_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name Imperva \
+ --outpath imperva_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file imperva_export.csv \
+ --store-type-name Imperva \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+This store type does not define additional `Properties.*` CSV columns.
+
+## Secret And PAM Formatting
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md b/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md
new file mode 100644
index 00000000..79142ce1
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md
@@ -0,0 +1,124 @@
+
+# K8SCert - K8SCert
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `K8SCert` |
+| Name | K8SCert |
+| Capability | K8SCert |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Discovery |
+
+**ClientMachine:** The Kubernetes cluster name or identifier.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.KubeSecretName,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file k8scert_bulk_create.csv \
+ --store-type-name K8SCert \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name K8SCert \
+ --outpath k8scert_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name K8SCert \
+ --outpath k8scert_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file k8scert_export.csv \
+ --store-type-name K8SCert \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.KubeSecretName,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |
+| `Properties.KubeSecretName` | KubeSecretName | String | No | - | - | No | The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md b/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md
new file mode 100644
index 00000000..8a146ca2
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md
@@ -0,0 +1,125 @@
+
+# K8SCluster - K8SCluster
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `K8SCluster` |
+| Name | K8SCluster |
+| Capability | K8SCluster |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Create, Remove |
+
+**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file k8scluster_bulk_create.csv \
+ --store-type-name K8SCluster \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name K8SCluster \
+ --outpath k8scluster_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name K8SCluster \
+ --outpath k8scluster_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file k8scluster_export.csv \
+ --store-type-name K8SCluster \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |
+| `Properties.SeparateChain` | Separate Chain | Bool | No | false | - | No | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md b/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md
new file mode 100644
index 00000000..a8b9ab8a
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md
@@ -0,0 +1,131 @@
+
+# K8SJKS - K8SJKS
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `K8SJKS` |
+| Name | K8SJKS |
+| Capability | K8SJKS |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Required |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.CertificateDataFieldName,Properties.PasswordFieldName,Properties.PasswordIsK8SSecret,Properties.IncludeCertChain,Properties.StorePasswordPath,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file k8sjks_bulk_create.csv \
+ --store-type-name K8SJKS \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name K8SJKS \
+ --outpath k8sjks_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name K8SJKS \
+ --outpath k8sjks_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file k8sjks_export.csv \
+ --store-type-name K8SJKS \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.CertificateDataFieldName,Properties.PasswordFieldName,Properties.PasswordIsK8SSecret,Properties.IncludeCertChain,Properties.StorePasswordPath,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.KubeNamespace` | KubeNamespace | String | No | default | - | No | The K8S namespace to use to manage the K8S secret object. |
+| `Properties.KubeSecretName` | KubeSecretName | String | No | - | - | No | The name of the K8S secret object. |
+| `Properties.KubeSecretType` | KubeSecretType | String | No | jks | - | No | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`. |
+| `Properties.CertificateDataFieldName` | CertificateDataFieldName | String | No | - | - | No | The field name to use when looking for certificate data in the K8S secret. |
+| `Properties.PasswordFieldName` | PasswordFieldName | String | No | password | - | No | The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. |
+| `Properties.PasswordIsK8SSecret` | PasswordIsK8SSecret | Bool | No | false | - | No | Indicates whether the password to the JKS keystore is stored in a separate K8S secret. |
+| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |
+| `Properties.StorePasswordPath` | StorePasswordPath | String | No | - | - | No | The path to the K8S secret object to use as the password to the JKS keystore. Example: `<namespace>/<secret_name>` |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md b/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md
new file mode 100644
index 00000000..1013d740
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md
@@ -0,0 +1,126 @@
+
+# K8SNS - K8SNS
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `K8SNS` |
+| Name | K8SNS |
+| Capability | K8SNS |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file k8sns_bulk_create.csv \
+ --store-type-name K8SNS \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name K8SNS \
+ --outpath k8sns_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name K8SNS \
+ --outpath k8sns_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file k8sns_export.csv \
+ --store-type-name K8SNS \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.KubeNamespace` | Kube Namespace | String | No | default | - | No | The K8S namespace to use to manage the K8S secret object. |
+| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |
+| `Properties.SeparateChain` | Separate Chain | Bool | No | false | - | No | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md b/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md
new file mode 100644
index 00000000..79dedf55
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md
@@ -0,0 +1,131 @@
+
+# K8SPKCS12 - K8SPKCS12
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `K8SPKCS12` |
+| Name | K8SPKCS12 |
+| Capability | K8SPKCS12 |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Required |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.IncludeCertChain,Properties.CertificateDataFieldName,Properties.PasswordFieldName,Properties.PasswordIsK8SSecret,Properties.KubeNamespace,Properties.KubeSecretName,Properties.ServerUsername,Properties.ServerPassword,Properties.KubeSecretType,Properties.StorePasswordPath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file k8spkcs12_bulk_create.csv \
+ --store-type-name K8SPKCS12 \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name K8SPKCS12 \
+ --outpath k8spkcs12_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name K8SPKCS12 \
+ --outpath k8spkcs12_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file k8spkcs12_export.csv \
+ --store-type-name K8SPKCS12 \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.IncludeCertChain,Properties.CertificateDataFieldName,Properties.PasswordFieldName,Properties.PasswordIsK8SSecret,Properties.KubeNamespace,Properties.KubeSecretName,Properties.ServerUsername,Properties.ServerPassword,Properties.KubeSecretType,Properties.StorePasswordPath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |
+| `Properties.CertificateDataFieldName` | CertificateDataFieldName | String | Yes | .p12 | - | No | - |
+| `Properties.PasswordFieldName` | Password Field Name | String | No | password | - | No | The field name to use when looking for the PKCS12 keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. |
+| `Properties.PasswordIsK8SSecret` | Password Is K8S Secret | Bool | No | false | - | No | Indicates whether the password to the PKCS12 keystore is stored in a separate K8S secret object. |
+| `Properties.KubeNamespace` | Kube Namespace | String | No | default | - | No | The K8S namespace to use to manage the K8S secret object. |
+| `Properties.KubeSecretName` | Kube Secret Name | String | No | - | - | No | The name of the K8S secret object. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |
+| `Properties.KubeSecretType` | Kube Secret Type | String | No | pkcs12 | - | No | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`. |
+| `Properties.StorePasswordPath` | StorePasswordPath | String | No | - | - | No | The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: `<namespace>/<secret_name>` |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md b/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md
new file mode 100644
index 00000000..7612eb54
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md
@@ -0,0 +1,128 @@
+
+# K8SSecret - K8SSecret
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `K8SSecret` |
+| Name | K8SSecret |
+| Capability | K8SSecret |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file k8ssecret_bulk_create.csv \
+ --store-type-name K8SSecret \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name K8SSecret \
+ --outpath k8ssecret_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name K8SSecret \
+ --outpath k8ssecret_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file k8ssecret_export.csv \
+ --store-type-name K8SSecret \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.KubeNamespace` | KubeNamespace | String | No | - | - | No | The K8S namespace to use to manage the K8S secret object. |
+| `Properties.KubeSecretName` | KubeSecretName | String | No | - | - | No | The name of the K8S secret object. |
+| `Properties.KubeSecretType` | KubeSecretType | String | No | secret | - | No | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`. |
+| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |
+| `Properties.SeparateChain` | Separate Chain | Bool | No | false | - | No | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md b/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md
new file mode 100644
index 00000000..d90fa13e
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md
@@ -0,0 +1,128 @@
+
+# K8STLSSecr - K8STLSSecr
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `K8STLSSecr` |
+| Name | K8STLSSecr |
+| Capability | K8STLSSecr |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file k8stlssecr_bulk_create.csv \
+ --store-type-name K8STLSSecr \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name K8STLSSecr \
+ --outpath k8stlssecr_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name K8STLSSecr \
+ --outpath k8stlssecr_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file k8stlssecr_export.csv \
+ --store-type-name K8STLSSecr \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.KubeNamespace` | KubeNamespace | String | No | - | - | No | The K8S namespace to use to manage the K8S secret object. |
+| `Properties.KubeSecretName` | KubeSecretName | String | No | - | - | No | The name of the K8S secret object. |
+| `Properties.KubeSecretType` | KubeSecretType | String | No | tls_secret | - | No | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`. |
+| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. |
+| `Properties.SeparateChain` | Separate Chain | Bool | No | false | - | No | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/kemp.md b/docs/use-cases/Certificate Store Operations/Store Types/kemp.md
new file mode 100644
index 00000000..e5dec4d8
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/kemp.md
@@ -0,0 +1,126 @@
+
+# Kemp - Kemp
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `Kemp` |
+| Name | Kemp |
+| Capability | Kemp |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** Kemp Load Balancer Client Machine and port example TestKemp:8443.
+
+**StorePath:** Not used just put a /
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file kemp_bulk_create.csv \
+ --store-type-name Kemp \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name Kemp \
+ --outpath kemp_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name Kemp \
+ --outpath kemp_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file kemp_export.csv \
+ --store-type-name Kemp \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Not used. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Kemp Api Password. (or valid PAM key if the username is stored in a KF Command configured PAM integration). |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Should be true, http is not supported. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/most.md b/docs/use-cases/Certificate Store Operations/Store Types/most.md
new file mode 100644
index 00000000..5f83ed7d
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/most.md
@@ -0,0 +1,91 @@
+
+# MOST - MyOrchestratorStoreType
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `MOST` |
+| Name | MyOrchestratorStoreType |
+| Capability | MOST |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Discovery |
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.CustomField1,Properties.CustomField2,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file most_bulk_create.csv \
+ --store-type-name MOST \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name MOST \
+ --outpath most_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name MOST \
+ --outpath most_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file most_export.csv \
+ --store-type-name MOST \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.CustomField1,Properties.CustomField2,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.CustomField1` | CustomField1 | String | Yes | default | - | No | - |
+| `Properties.CustomField2` | CustomField2 | String | Yes | - | - | No | - |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/nmap.md b/docs/use-cases/Certificate Store Operations/Store Types/nmap.md
new file mode 100644
index 00000000..604a96b5
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/nmap.md
@@ -0,0 +1,88 @@
+
+# Nmap - Nmap Orchestrator
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `Nmap` |
+| Name | Nmap Orchestrator |
+| Capability | Nmap |
+| Server required | No |
+| Store path type | Freeform |
+| Store path value | - |
+| Custom alias | Optional |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Inventory, Remove |
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file nmap_bulk_create.csv \
+ --store-type-name Nmap \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name Nmap \
+ --outpath nmap_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name Nmap \
+ --outpath nmap_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file nmap_export.csv \
+ --store-type-name Nmap \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+This store type does not define additional `Properties.*` CSV columns.
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/oktaapp.md b/docs/use-cases/Certificate Store Operations/Store Types/oktaapp.md
new file mode 100644
index 00000000..f309fb19
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/oktaapp.md
@@ -0,0 +1,103 @@
+
+# OktaApp - OktaApp
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `OktaApp` |
+| Name | OktaApp |
+| Capability | - |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Discovery, Enrollment |
+
+**ClientMachine:** This should contain your Okta URL (e.g. https://trial-1111.okta.com).
+
+**StorePath:** This should contain the Okta App ID (please see overview for description).
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DefaultValidityYears,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file oktaapp_bulk_create.csv \
+ --store-type-name OktaApp \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name OktaApp \
+ --outpath oktaapp_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name OktaApp \
+ --outpath oktaapp_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file oktaapp_export.csv \
+ --store-type-name OktaApp \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DefaultValidityYears,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.DefaultValidityYears` | DefaultValidityYears | String | Yes | 1 | - | No | Number of years the certificate will be valid for by default. Required by Okta. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `SANList` | SANList | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | This is a comma-separated list of Subject Alternative Names (SANs) to be included in the certificate. Required by Okta. Must contain at least one SAN. |
+| `ActivateCredential` | ActivateCredential | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | false | - | This is a boolean indicating whether to activate the certificate in Okta after reenrollment/ODKG. |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/oktaidp.md b/docs/use-cases/Certificate Store Operations/Store Types/oktaidp.md
new file mode 100644
index 00000000..d0c9f58e
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/oktaidp.md
@@ -0,0 +1,103 @@
+
+# OktaIdP - OktaIdP
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `OktaIdP` |
+| Name | OktaIdP |
+| Capability | - |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Discovery, Enrollment |
+
+**ClientMachine:** This should contain your Okta URL (e.g. https://trial-1111.okta.com).
+
+**StorePath:** This should contain the Okta IdP ID (please see overview for description).
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DefaultValidityYears,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file oktaidp_bulk_create.csv \
+ --store-type-name OktaIdP \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name OktaIdP \
+ --outpath oktaidp_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name OktaIdP \
+ --outpath oktaidp_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file oktaidp_export.csv \
+ --store-type-name OktaIdP \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DefaultValidityYears,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.DefaultValidityYears` | DefaultValidityYears | String | Yes | 1 | - | No | Number of years the certificate will be valid for by default. Required by Okta. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `SANList` | SANList | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | This is a comma-separated list of Subject Alternative Names (SANs) to be included in the certificate. Required by Okta. Must contain at least one SAN. |
+| `ActivateCredential` | ActivateCredential | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | true | - | This is a boolean indicating whether to activate the certificate in Okta after reenrollment/ODKG. |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md b/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md
new file mode 100644
index 00000000..18fdbf00
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md
@@ -0,0 +1,129 @@
+
+# PaloAlto - PaloAlto
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `PaloAlto` |
+| Name | PaloAlto |
+| Capability | PaloAlto |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** Either the Panorama or Palo Alto Firewall URI or IP address.
+
+**StorePath:** The Store Path field should be reviewed in the store path explanation section. It varies depending on configuration.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.DeviceGroup,Properties.InventoryTrustedCerts,Properties.TemplateStack,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file paloalto_bulk_create.csv \
+ --store-type-name PaloAlto \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name PaloAlto \
+ --outpath paloalto_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name PaloAlto \
+ --outpath paloalto_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file paloalto_export.csv \
+ --store-type-name PaloAlto \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.DeviceGroup,Properties.InventoryTrustedCerts,Properties.TemplateStack,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Palo Alto or Panorama Api User. (or valid PAM key if the username is stored in a KF Command configured PAM integration). |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Palo Alto or Panorama Api Password. (or valid PAM key if the username is stored in a KF Command configured PAM integration). |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Should be true, http is not supported. |
+| `Properties.DeviceGroup` | Device Group | String | No | - | - | No | A semicolon delimited list of Device Groups that Panorama will push changes to (i.e. 'Group 1', 'Group 1;Group 2', or 'Group 1; Group 2', etc.). |
+| `Properties.InventoryTrustedCerts` | Inventory Trusted Certs | Bool | Yes | false | - | No | If false, will not inventory default trusted certs, saves time. |
+| `Properties.TemplateStack` | Template Stack | String | No | - | - | No | Template stack used for device push of certificates via Template. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfder.md b/docs/use-cases/Certificate Store Operations/Store Types/rfder.md
new file mode 100644
index 00000000..6d0b6dc8
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/rfder.md
@@ -0,0 +1,135 @@
+
+# RFDER - RFDER
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `RFDER` |
+| Name | RFDER |
+| Capability | RFDER |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Optional |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Create, Discovery, Enrollment, Remove |
+
+**ClientMachine:** The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access.
+
+**StorePath:** The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\folder\path\storename.der) for Windows orchestrated servers. Example: '/folder/path/storename.der' or 'c:\folder\path\storename.der'.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.SeparatePrivateKeyFilePath,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file rfder_bulk_create.csv \
+ --store-type-name RFDER \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name RFDER \
+ --outpath rfder_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name RFDER \
+ --outpath rfder_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file rfder_export.csv \
+ --store-type-name RFDER \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.SeparatePrivateKeyFilePath,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. |
+| `Properties.SeparatePrivateKeyFilePath` | Separate Private Key File Location | String | No | - | - | No | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.der'. |
+| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. |
+| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
+| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
+| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md
new file mode 100644
index 00000000..f7769265
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md
@@ -0,0 +1,135 @@
+
+# RFJKS - RFJKS
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `RFJKS` |
+| Name | RFJKS |
+| Capability | RFJKS |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Create, Discovery, Enrollment, Remove |
+
+**ClientMachine:** The IP address or DNS of the server hosting the certificate store. For more information, see [Client Machine ](#client-machine-instructions)
+
+**StorePath:** The full path and file name, including file extension if one exists where the certificate store file is located. For Linux orchestrated servers, StorePath will begin with a forward slash (i.e. /folder/path/storename.ext). For Windows orchestrated servers, it should begin with a drive letter (i.e. c:\folder\path\storename.ext).
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,Properties.PostJobApplicationRestart,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file rfjks_bulk_create.csv \
+ --store-type-name RFJKS \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name RFJKS \
+ --outpath rfjks_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name RFJKS \
+ --outpath rfjks_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file rfjks_export.csv \
+ --store-type-name RFJKS \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,Properties.PostJobApplicationRestart,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting. |
+| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. |
+| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
+| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
+| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+| `Properties.PostJobApplicationRestart` | Post Job Application Restart | MultipleChoice | No | Apache Tomcat Restart,Jetty Restart | - | No | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md
new file mode 100644
index 00000000..69b9fe55
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md
@@ -0,0 +1,134 @@
+
+# RFKDB - RFKDB
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `RFKDB` |
+| Name | RFKDB |
+| Capability | RFKDB |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access.
+
+**StorePath:** The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\folder\path\storename.kdb) for Windows orchestrated servers. Example: '/folder/path/storename.kdb' or 'c:\folder\path\storename.kdb'.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file rfkdb_bulk_create.csv \
+ --store-type-name RFKDB \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name RFKDB \
+ --outpath rfkdb_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name RFKDB \
+ --outpath rfkdb_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file rfkdb_export.csv \
+ --store-type-name RFKDB \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. |
+| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. |
+| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
+| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
+| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfora.md b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md
new file mode 100644
index 00000000..0f21dd32
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md
@@ -0,0 +1,135 @@
+
+# RFORA - RFORA
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `RFORA` |
+| Name | RFORA |
+| Capability | RFORA |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Create, Discovery, Remove |
+
+**ClientMachine:** The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access.
+
+**StorePath:** The Store Path field should contain the full path and file name of the Oracle Wallet, including the 'eWallet.p12' file name by convention. Example: '/path/to/eWallet.p12' or 'c:\path\to\eWallet.p12'.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.WorkFolder,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file rfora_bulk_create.csv \
+ --store-type-name RFORA \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name RFORA \
+ --outpath rfora_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name RFORA \
+ --outpath rfora_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file rfora_export.csv \
+ --store-type-name RFORA \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.WorkFolder,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. |
+| `Properties.WorkFolder` | Location to use for creation/removal of work files | String | Yes | - | - | No | The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'. |
+| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. |
+| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
+| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
+| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md
new file mode 100644
index 00000000..27a70024
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md
@@ -0,0 +1,139 @@
+
+# RFPEM - RFPEM
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `RFPEM` |
+| Name | RFPEM |
+| Capability | RFPEM |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Optional |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Create, Discovery, Enrollment, Remove |
+
+**ClientMachine:** The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access.
+
+**StorePath:** The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\folder\path\storename.ext) for Windows orchestrated servers. Example: '/folder/path/storename.pem' or 'c:\folder\path\storename.pem'.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.IsTrustStore,Properties.IncludesChain,Properties.SeparatePrivateKeyFilePath,Properties.IgnorePrivateKeyOnInventory,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,Properties.PostJobApplicationRestart,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file rfpem_bulk_create.csv \
+ --store-type-name RFPEM \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name RFPEM \
+ --outpath rfpem_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name RFPEM \
+ --outpath rfpem_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file rfpem_export.csv \
+ --store-type-name RFPEM \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.IsTrustStore,Properties.IncludesChain,Properties.SeparatePrivateKeyFilePath,Properties.IgnorePrivateKeyOnInventory,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,Properties.PostJobApplicationRestart,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.. |
+| `Properties.IsTrustStore` | Trust Store | Bool | No | false | - | No | The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key. |
+| `Properties.IncludesChain` | Store Includes Chain | Bool | No | false | - | No | The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it. |
+| `Properties.SeparatePrivateKeyFilePath` | Separate Private Key File Location | String | No | - | - | No | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'. |
+| `Properties.IgnorePrivateKeyOnInventory` | Ignore Private Key On Inventory | Bool | No | false | - | No | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it. |
+| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. |
+| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
+| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
+| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+| `Properties.PostJobApplicationRestart` | Post Job Application Restart | MultipleChoice | No | Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart | - | No | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md
new file mode 100644
index 00000000..e6bb4161
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md
@@ -0,0 +1,134 @@
+
+# RFPkcs12 - RFPkcs12
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `RFPkcs12` |
+| Name | RFPkcs12 |
+| Capability | RFPkcs12 |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Create, Discovery, Enrollment, Remove |
+
+**ClientMachine:** The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access.
+
+**StorePath:** The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\folder\path\storename.p12) for Windows orchestrated servers. Example: '/folder/path/storename.p12' or 'c:\folder\path\storename.p12'.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file rfpkcs12_bulk_create.csv \
+ --store-type-name RFPkcs12 \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name RFPkcs12 \
+ --outpath rfpkcs12_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name RFPkcs12 \
+ --outpath rfpkcs12_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file rfpkcs12_export.csv \
+ --store-type-name RFPkcs12 \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
+| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |
+| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting. |
+| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. |
+| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
+| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
+| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/signum.md b/docs/use-cases/Certificate Store Operations/Store Types/signum.md
new file mode 100644
index 00000000..ba8f21cb
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/signum.md
@@ -0,0 +1,125 @@
+
+# Signum - Signum
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `Signum` |
+| Name | Signum |
+| Capability | Signum |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | None |
+
+**ClientMachine:** The URL that will be used as the base URL for Signum endpoint calls. Should be something like https://{base url for your signum install}/rtadminservice.svc/basic. The API service port can be configured so yours may use something other than default https/443. The '/basic' at the end is required, as this integration makes use of Basic Authentication only when consuming the Signum SOAP API library.
+
+**StorePath:** Not used and hardcoded to NA for 'not applicable'
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file signum_bulk_create.csv \
+ --store-type-name Signum \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name Signum \
+ --outpath signum_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name Signum \
+ --outpath signum_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file signum_export.csv \
+ --store-type-name Signum \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The user ID (or PAM key pointing to the user ID) to use with authorization to execute Signum SOAP endpoints in your Signum environment. |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | The password (or PAM key pointing to the password) for the user ID you entered for Server User Name. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/sos.md b/docs/use-cases/Certificate Store Operations/Store Types/sos.md
new file mode 100644
index 00000000..b9e9cb17
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/sos.md
@@ -0,0 +1,136 @@
+
+# SOS - Sample Orchestrator Solution
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `SOS` |
+| Name | Sample Orchestrator Solution |
+| Capability | SOS |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Optional |
+| Store password | Required |
+| Supported operations | Add, Create, Discovery, Enrollment, Remove |
+
+**ClientMachine:** The base URL of the SOS API (i.e. http://localhost:8080)
+
+**StorePath:** The name of the store as defined in the SOS system (i.e. SampleKeyStore2).
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.StoreNameString,Properties.ForTestingOnlyBool,Properties.CollectionNameMultipleChoice,Properties.PrivateDetailsSecret,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file sos_bulk_create.csv \
+ --store-type-name SOS \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name SOS \
+ --outpath sos_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name SOS \
+ --outpath sos_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file sos_export.csv \
+ --store-type-name SOS \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.StoreNameString,Properties.ForTestingOnlyBool,Properties.CollectionNameMultipleChoice,Properties.PrivateDetailsSecret,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.StoreNameString` | Store Name | String | No | - | - | No | The Store name for the particular SOS store. |
+| `Properties.ForTestingOnlyBool` | For Testing Only | Bool | No | true | - | No | Test bool variable. |
+| `Properties.CollectionNameMultipleChoice` | Collection Name | MultipleChoice | Yes | internal | - | No | A test collection. |
+| `Properties.PrivateDetailsSecret` | Private Details | Secret | No | test | - | Secret | A test secret. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `CommaSeparatedSansString` | SANs | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | SAN string. |
+| `CertColorMultipleChoice` | Certificate Color | MultipleChoice | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | red | - | A test variable with multiple choice. |
+| `ForTestingOnlyBool` | For Testing Only | Bool | {"HasPrivateKey":true,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | true | - | Another test boolean. |
+| `PrivateCertDetailsSecret` | Private Cert Details | Secret | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | test | - | A per cert secret. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.PrivateDetailsSecret
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.PrivateDetailsSecret.Provider,Properties.PrivateDetailsSecret.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md b/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md
new file mode 100644
index 00000000..5cdf8088
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md
@@ -0,0 +1,129 @@
+
+# ThunderMgmt - A10 Thunder Management Certificates
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `ThunderMgmt` |
+| Name | A10 Thunder Management Certificates |
+| Capability | ThunderMgmt |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to trigger certificate installation on the management interface after uploading files via SCP.
+
+**StorePath:** Absolute directory path on the SCP server where certificate files (.crt and .key) will be uploaded. The A10 device will retrieve certificate files from this location. Example: '/home/certuser'. The specified path must exist and the SCP user must have write permissions to this directory.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.OrchToScpServerIp,Properties.ScpPort,Properties.ScpUserName,Properties.ScpPassword,Properties.A10ToScpServerIp,Properties.allowInvalidCert,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file thundermgmt_bulk_create.csv \
+ --store-type-name ThunderMgmt \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name ThunderMgmt \
+ --outpath thundermgmt_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name ThunderMgmt \
+ --outpath thundermgmt_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file thundermgmt_export.csv \
+ --store-type-name ThunderMgmt \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.OrchToScpServerIp,Properties.ScpPort,Properties.ScpUserName,Properties.ScpPassword,Properties.A10ToScpServerIp,Properties.allowInvalidCert,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.OrchToScpServerIp` | Orch To Scp Server Ip | String | Yes | - | - | No | IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates. |
+| `Properties.ScpPort` | Port Used For Scp | String | Yes | - | - | No | TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations. |
+| `Properties.ScpUserName` | UserName Used For Scp | Secret | Yes | - | - | Secret | Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval. |
+| `Properties.ScpPassword` | Password Used For Scp | Secret | Yes | - | - | Secret | Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval. |
+| `Properties.A10ToScpServerIp` | A10 Device To Scp Server Ip | String | Yes | - | - | No | IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files. This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths. |
+| `Properties.allowInvalidCert` | Allow Invalid Cert on A10 Management API | Bool | Yes | true | - | No | Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ScpUserName
+Properties.ScpPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ScpUserName.Provider,Properties.ScpUserName.Parameters.
+Properties.ScpPassword.Provider,Properties.ScpPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/thunderssl.md b/docs/use-cases/Certificate Store Operations/Store Types/thunderssl.md
new file mode 100644
index 00000000..08451210
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/thunderssl.md
@@ -0,0 +1,94 @@
+
+# ThunderSsl - A10 Thunder Ssl Certificates
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `ThunderSsl` |
+| Name | A10 Thunder Ssl Certificates |
+| Capability | ThunderSsl |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to manage SSL certificates directly on the device.
+
+**StorePath:** A10 partition name where certificates will be managed. Use 'shared' for the default shared partition, or specify a custom partition name (e.g., 'tenant-prod') for multi-tenant deployments. The partition must already exist on the A10 device. Leave empty to default to the shared partition.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.allowInvalidCert,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file thunderssl_bulk_create.csv \
+ --store-type-name ThunderSsl \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name ThunderSsl \
+ --outpath thunderssl_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name ThunderSsl \
+ --outpath thunderssl_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file thunderssl_export.csv \
+ --store-type-name ThunderSsl \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.allowInvalidCert,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.allowInvalidCert` | Allow Invalid Cert on A10 Management API | Bool | Yes | true | - | No | Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections. |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md b/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md
new file mode 100644
index 00000000..7308460b
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md
@@ -0,0 +1,125 @@
+
+# vCenter - VMware vCenter
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `vCenter` |
+| Name | VMware vCenter |
+| Capability | vCenter |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Optional |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** The domain name of the vSphere client managing vCenter (url to vCenter host without the 'https://'.
+
+**StorePath:** A unique identifier for this store. The actual value is unused by the orchestrator extension
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file vcenter_bulk_create.csv \
+ --store-type-name vCenter \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name vCenter \
+ --outpath vcenter_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name vCenter \
+ --outpath vcenter_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file vcenter_export.csv \
+ --store-type-name vCenter \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The vCenter username used to manage the vCenter connection |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | The secret vCenter password used to manage the vCenter connection |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md b/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md
new file mode 100644
index 00000000..d8eadc52
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md
@@ -0,0 +1,126 @@
+
+# VMware-NSX - VMware-NSX
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `VMware-NSX` |
+| Name | VMware-NSX |
+| Capability | VMware-NSX |
+| Server required | Yes |
+| Store path type | MultipleChoice |
+| Store path value | ["Application","Controller","CA"] |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** This is the URL for the VMware NSX instance. It also includes an optional tenant in square brackets before the URL. A tenant value is required when the certificates being managed are in a different tenant from the default tenant set for the NSX User specified for the store. This should look like either: [optional-tenant-name]https://my.nsx.url/ OR https://my.nsx.url/
+
+**StorePath:** A selection from the different certificate types supported: Application, Controller, or CA.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ApiVersion,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file vmware-nsx_bulk_create.csv \
+ --store-type-name VMware-NSX \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name VMware-NSX \
+ --outpath vmware-nsx_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name VMware-NSX \
+ --outpath vmware-nsx_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file vmware-nsx_export.csv \
+ --store-type-name VMware-NSX \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ApiVersion,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The username of the user to log on as in VMware NSX ALB. |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | The password of the user to log on as in VMware NSX ALB. |
+| `Properties.ApiVersion` | X-Avi-Version | String | Yes | 20.1.1 | - | No | The API Version of Avi / NSX to target. A default is set for the version this was originally developed and tested against. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md b/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md
new file mode 100644
index 00000000..a4579eb0
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md
@@ -0,0 +1,137 @@
+
+# WinAdfs - ADFS Rotation Manager
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `WinAdfs` |
+| Name | ADFS Rotation Manager |
+| Capability | WinAdfs |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | My |
+| Custom alias | Forbidden |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add |
+
+**ClientMachine:** Since this extension type must run as an agent (The UO Must be installed on the PRIMARY ADFS Server), the ClientMachine must follow the naming convention as outlined in the Client Machine Instructions. Secondary ADFS Nodes will be automatically be updated with the same certificate added on the PRIMARY ADFS server.
+
+**StorePath:** Fixed string value of 'My' indicating the Personal store on the Local Machine. All ADFS Service-Communications certificates are located in the 'My' personal store by default.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file winadfs_bulk_create.csv \
+ --store-type-name WinAdfs \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name WinAdfs \
+ --outpath winadfs_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name WinAdfs \
+ --outpath winadfs_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file winadfs_export.csv \
+ --store-type-name WinAdfs \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.spnwithport` | SPN With Port | Bool | No | false | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
+| `Properties.WinRM Protocol` | WinRM Protocol | MultipleChoice | Yes | https,http,ssh | - | No | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. |
+| `Properties.WinRM Port` | WinRM Port | String | Yes | 5986 | - | No | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. (This field is automatically created) |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created) |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Determine whether the server uses SSL or not (This field is automatically created) |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `ProviderName` | Crypto Provider Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers' |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/wincermgmt.md b/docs/use-cases/Certificate Store Operations/Store Types/wincermgmt.md
new file mode 100644
index 00000000..f8afa297
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/wincermgmt.md
@@ -0,0 +1,90 @@
+
+# WinCerMgmt - WinCerMgmt
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `WinCerMgmt` |
+| Name | WinCerMgmt |
+| Capability | WinCerMgmt |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file wincermgmt_bulk_create.csv \
+ --store-type-name WinCerMgmt \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name WinCerMgmt \
+ --outpath wincermgmt_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name WinCerMgmt \
+ --outpath wincermgmt_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file wincermgmt_export.csv \
+ --store-type-name WinCerMgmt \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.spnwithport` | spnwithport | Bool | No | false | - | No | - |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/wincert.md b/docs/use-cases/Certificate Store Operations/Store Types/wincert.md
new file mode 100644
index 00000000..f19e4964
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/wincert.md
@@ -0,0 +1,137 @@
+
+# WinCert - Windows Certificate
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `WinCert` |
+| Name | Windows Certificate |
+| Capability | WinCert |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Enrollment, Remove |
+
+**ClientMachine:** Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine).
+
+**StorePath:** Windows certificate store path to manage. The store must exist in the Local Machine store on the target server, e.g., 'My' for the Personal Store or 'Root' for the Trusted Root Certification Authorities Store.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file wincert_bulk_create.csv \
+ --store-type-name WinCert \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name WinCert \
+ --outpath wincert_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name WinCert \
+ --outpath wincert_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file wincert_export.csv \
+ --store-type-name WinCert \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.spnwithport` | SPN With Port | Bool | No | false | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
+| `Properties.WinRM Protocol` | WinRM Protocol | MultipleChoice | Yes | https,http,ssh | - | No | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. |
+| `Properties.WinRM Port` | WinRM Port | String | Yes | 5986 | - | No | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. (This field is automatically created) |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created) |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Determine whether the server uses SSL or not (This field is automatically created) |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `ProviderName` | Crypto Provider Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers' |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/winsql.md b/docs/use-cases/Certificate Store Operations/Store Types/winsql.md
new file mode 100644
index 00000000..3ade021b
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/winsql.md
@@ -0,0 +1,139 @@
+
+# WinSql - WinSql
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+kfutil makedocs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `WinSql` |
+| Name | WinSql |
+| Capability | WinSql |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | My |
+| Custom alias | Forbidden |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** Hostname of the Windows Server containing the SQL Server Certificate Store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine).
+
+**StorePath:** Fixed string value 'My' indicating the Personal store on the Local Machine. This denotes the Windows certificate store to be managed for SQL Server.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.RestartService,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file winsql_bulk_create.csv \
+ --store-type-name WinSql \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name WinSql \
+ --outpath winsql_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name WinSql \
+ --outpath winsql_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file winsql_export.csv \
+ --store-type-name WinSql \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.RestartService,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.spnwithport` | SPN With Port | Bool | No | false | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
+| `Properties.WinRM Protocol` | WinRM Protocol | MultipleChoice | Yes | https,http,ssh | - | No | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. |
+| `Properties.WinRM Port` | WinRM Port | String | Yes | 5986 | - | No | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. (This field is automatically created) |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created) |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Determine whether the server uses SSL or not (This field is automatically created) |
+| `Properties.RestartService` | Restart SQL Service After Cert Installed | Bool | Yes | false | - | No | Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `InstanceName` | Instance Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | String value specifying the SQL Server instance name to bind the certificate to. Example: 'MSSQLServer' for the default instance or 'Instance1' for a named instance. |
+| `ProviderName` | Crypto Provider Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers' |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Store CSV parameter names |
+| --- | --- |
+| `1Password-CLI` | Item, Field |
+| `Azure-KeyVault` | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | SecretId |
+| `BeyondTrust-PasswordSafe` | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object |
+| `Delinea-SecretServer` | SecretId, SecretFieldName |
+| `GCP-SecretManager` | secretId |
+| `Hashicorp-Vault` | Secret, Key |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/bulk-certificate-store-creation.md b/docs/use-cases/Certificate Store Operations/bulk-certificate-store-creation.md
new file mode 100644
index 00000000..d34f2aa3
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/bulk-certificate-store-creation.md
@@ -0,0 +1,187 @@
+# Bulk Certificate Store Creation
+
+Use this workflow when you need to create many certificate stores of the same type from a CSV file.
+
+This example creates ten Kubernetes certificate stores:
+
+- Five `K8SSecret` stores.
+- Five `K8STLSSecr` stores.
+- Three stores of each type use static Keyfactor-encrypted credentials.
+- Two stores of each type use a PAM provider-backed `ServerPassword`.
+
+## Contents
+
+- [Before You Begin](#before-you-begin)
+- [Step 1: Choose The Store Types](#step-1-choose-the-store-types)
+- [Step 2: Prepare Static Credential Rows](#step-2-prepare-static-credential-rows)
+- [Step 3: Prepare PAM Provider Rows](#step-3-prepare-pam-provider-rows)
+- [Formatting Secret Values In CSV](#formatting-secret-values-in-csv)
+- [Step 4: Create K8SSecret Stores](#step-4-create-k8ssecret-stores)
+- [Step 5: Create K8STLSSecr Stores](#step-5-create-k8stlssecr-stores)
+- [Step 6: Verify The Created Stores](#step-6-verify-the-created-stores)
+- [Notes](#notes)
+- [Related Commands](#related-commands)
+
+## Before You Begin
+
+You need:
+
+- `kfutil` configured to authenticate to Keyfactor Command.
+- Permission to create certificate stores.
+- The target certificate store types already created in Command.
+- A registered orchestrator agent ID.
+- Static credential values or a configured PAM provider.
+
+For Kubernetes stores, `ClientMachine` should match the orchestrator target expected by the extension, and `StorePath` should identify the Kubernetes namespace and secret name.
+
+## Step 1: Choose The Store Types
+
+This demo uses:
+
+```text
+K8SSecret
+K8STLSSecr
+```
+
+Each type gets its own CSV because `kfutil stores import csv` accepts one store type per command.
+
+## Step 2: Prepare Static Credential Rows
+
+Static credential rows use direct credential columns:
+
+```text
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+Example `K8SSecret` static row:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUseSsl,AgentId,Properties.ServerUsername,Properties.ServerPassword
+0,kf-integrations,default/kfutil-demo-k8ssecret-1,true,kfutil-demo-k8ssecret-1,secret,true,true,true,275bcd31-9e7b-4c4a-bce9-1719e0c2168d,kubeconfig,""
+```
+
+If the credential value is JSON, keep it as a CSV string. `kfutil` treats credential fields as secret strings even when the cell value looks like JSON.
+
+## Step 3: Prepare PAM Provider Rows
+
+PAM-backed rows use provider columns instead of a direct `Properties.ServerPassword` value:
+
+```text
+Properties.ServerPassword.Provider
+Properties.ServerPassword.Parameters.SecretName
+Properties.ServerPassword.Parameters.SecretType
+Properties.ServerPassword.Parameters.StaticSecretFieldName
+```
+
+Example `K8SSecret` PAM row:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUseSsl,AgentId,Properties.ServerUsername,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretName,Properties.ServerPassword.Parameters.SecretType,Properties.ServerPassword.Parameters.StaticSecretFieldName
+0,kf-integrations,default/kfutil-demo-k8ssecret-4,true,kfutil-demo-k8ssecret-4,secret,true,true,true,275bcd31-9e7b-4c4a-bce9-1719e0c2168d,kubeconfig,30,dev/aks/kf-integrations,static_json," "
+```
+
+The provider ID and parameter names depend on your PAM provider type.
+
+## Formatting Secret Values In CSV
+
+Use normal CSV quoting rules for static credential values.
+
+For non-JSON secrets, put the value directly in the credential column. Quote the value if it contains commas, quotes, or line breaks:
+
+```csv
+Properties.ServerUsername,Properties.ServerPassword
+kubeconfig,"plain,password,with,commas"
+```
+
+For JSON secrets, put the complete JSON document in one CSV cell and escape inner quotes by doubling them:
+
+```csv
+Properties.ServerUsername,Properties.ServerPassword
+kubeconfig,"{""kind"":""Config"",""apiVersion"":""v1"",""clusters"":[]}"
+```
+
+Do not split JSON secrets across multiple property columns. The entire JSON value belongs in `Properties.ServerPassword`, `Properties.ServerUsername`, `Password`, or a `*.SecretValue` column.
+
+For PAM-backed credentials, do not put JSON in the direct secret column. Use the provider and parameter columns instead:
+
+```csv
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretName,Properties.ServerPassword.Parameters.SecretType
+30,dev/aks/kf-integrations,static_json
+```
+
+## Step 4: Create K8SSecret Stores
+
+Create a CSV named `k8ssecret_bulk_create.csv` with five rows:
+
+- Rows 1-3 use `Properties.ServerPassword`.
+- Rows 4-5 use `Properties.ServerPassword.Provider` and `Properties.ServerPassword.Parameters.*`.
+
+Run:
+
+```bash
+kfutil stores import csv \
+ --file k8ssecret_bulk_create.csv \
+ --store-type-name K8SSecret \
+ --no-prompt \
+ --results-path k8ssecret_bulk_create_results.csv
+```
+
+Expected output:
+
+```text
+5 records processed.
+5 certificate stores successfully created.
+Import results written to k8ssecret_bulk_create_results.csv
+```
+
+## Step 5: Create K8STLSSecr Stores
+
+Create a CSV named `k8stlssecr_bulk_create.csv` with five rows. Use the same credential pattern, but set the Kubernetes secret type values for TLS secret stores.
+
+Run:
+
+```bash
+kfutil stores import csv \
+ --file k8stlssecr_bulk_create.csv \
+ --store-type-name K8STLSSecr \
+ --no-prompt \
+ --results-path k8stlssecr_bulk_create_results.csv
+```
+
+Expected output:
+
+```text
+5 records processed.
+5 certificate stores successfully created.
+Import results written to k8stlssecr_bulk_create_results.csv
+```
+
+## Step 6: Verify The Created Stores
+
+Export each store type:
+
+```bash
+kfutil stores export --store-type-name K8SSecret
+kfutil stores export --store-type-name K8STLSSecr
+```
+
+Verify that the five new rows for each store type are present.
+
+For the static rows, confirm that `Properties.ServerPassword.SecretValue` is present in the export.
+
+For the PAM-backed rows, confirm that `Properties.ServerPassword.Provider` and the expected `Properties.ServerPassword.Parameters.*` columns are present.
+
+## Notes
+
+- Use unique `StorePath` and `Properties.KubeSecretName` values for each row.
+- Keep one CSV per store type.
+- Check the `Errors` column in the results CSV after every import.
+- CSV files may contain sensitive credentials. Protect the input and results files according to your operating procedures.
+
+## Related Commands
+
+- [kfutil stores import csv](../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../kfutil_stores_import_generate-template.md)
+- [kfutil stores export](../../kfutil_stores_export.md)
+- [Bulk Certificate Store Updates](bulk-certificate-store-updates.md)
diff --git a/docs/use-cases/Certificate Store Operations/bulk-certificate-store-updates.md b/docs/use-cases/Certificate Store Operations/bulk-certificate-store-updates.md
new file mode 100644
index 00000000..4d20fec7
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/bulk-certificate-store-updates.md
@@ -0,0 +1,309 @@
+# Bulk Certificate Store Updates
+
+Use this workflow when you need to update many existing Keyfactor Command certificate stores from a CSV file instead of editing each store in the Command UI.
+
+Common examples include:
+
+- Moving stores to a different orchestrator agent.
+- Updating inventory schedules.
+- Changing store metadata such as client machine, store path, container, or store-type properties.
+- Correcting repeated configuration values after onboarding, migration, or environment changes.
+
+`kfutil` performs bulk certificate store updates through the CSV import command with the `--sync` flag. The usual flow is:
+
+```text
+export stores -> edit CSV -> sync import -> review results -> verify changes
+```
+
+## Contents
+
+- [Before You Begin](#before-you-begin)
+- [Step 1: Export Stores](#step-1-export-stores)
+- [Step 2: Edit The CSV](#step-2-edit-the-csv)
+- [Step 3: Sync The Updates](#step-3-sync-the-updates)
+- [Step 4: Review Results](#step-4-review-results)
+- [Step 5: Verify Changes](#step-5-verify-changes)
+- [Credentials](#credentials)
+- [Formatting Secret Values In CSV](#formatting-secret-values-in-csv)
+- [PAM Provider Credentials](#pam-provider-credentials)
+- [Template Option](#template-option)
+- [Operational Guidance](#operational-guidance)
+- [Related Commands](#related-commands)
+
+## Before You Begin
+
+You need:
+
+- `kfutil` configured to authenticate to Keyfactor Command.
+- Permission to list, export, and update certificate stores.
+- The certificate store type already created in Command.
+- The store type short name, or the store type ID.
+
+Keep one CSV file per certificate store type. The import command accepts one `--store-type-name` or `--store-type-id` per run, and store-type-specific properties differ by type.
+
+## Step 1: Export Stores
+
+Export the stores you want to update. For a single store type, use the store type short name:
+
+```bash
+kfutil stores export --store-type-name K8SSecret
+```
+
+Or use the store type ID:
+
+```bash
+kfutil stores export --store-type-id 154
+```
+
+To export all stores, grouped into separate CSV files by store type:
+
+```bash
+kfutil stores export --all
+```
+
+The export command writes files named like:
+
+```text
+K8SSecret_stores_export_1765743627.csv
+```
+
+The exported CSV includes an `Id` column. Preserve this column for every row you want to update.
+
+## Step 2: Edit The CSV
+
+Open the exported CSV and edit only the fields you intend to change.
+
+For example, to move stores to another orchestrator, update the `AgentId` column:
+
+```csv
+Id,ClientMachine,StorePath,AgentId
+6d1c7e86-0000-0000-0000-000000000000,k8s-worker-01,default/web-tls,275bcd31-0000-0000-0000-000000000000
+```
+
+For store-type properties, edit the `Properties.` columns exported for that store type, such as:
+
+```text
+Properties.KubeNamespace
+Properties.KubeSecretName
+Properties.KubeSecretType
+Properties.IncludeCertChain
+```
+
+For schedules, use one schedule shape per row:
+
+```text
+InventorySchedule.Immediate
+InventorySchedule.Interval.Minutes
+InventorySchedule.Daily.Time
+InventorySchedule.Weekly.Days
+InventorySchedule.Weekly.Time
+```
+
+Do not remove `Id` for update rows. When `--sync` is used, rows with an `Id` are updated. Rows without an `Id` are treated as create requests.
+
+## Step 3: Sync The Updates
+
+Run the CSV import command with `--sync`:
+
+```bash
+kfutil stores import csv \
+ --file K8SSecret_stores_export_1765743627.csv \
+ --store-type-name K8SSecret \
+ --sync \
+ --no-prompt
+```
+
+The equivalent command using a store type ID is:
+
+```bash
+kfutil stores import csv \
+ --file K8SSecret_stores_export_1765743627.csv \
+ --store-type-id 154 \
+ --sync \
+ --no-prompt
+```
+
+Use `--results-path` to choose where the results CSV is written:
+
+```bash
+kfutil stores import csv \
+ --file K8SSecret_stores_export_1765743627.csv \
+ --store-type-name K8SSecret \
+ --sync \
+ --no-prompt \
+ --results-path K8SSecret_update_results.csv
+```
+
+## Step 4: Review Results
+
+The command prints a summary:
+
+```text
+1 records processed.
+1 certificate stores successfully updated.
+Import results written to K8SSecret_update_results.csv
+```
+
+By default, the results file is named from the input file:
+
+```text
+_results.csv
+```
+
+The results CSV contains the original row data and an `Errors` column. Successful rows have an empty `Errors` value. Failed rows include the API error message and should be corrected before rerunning.
+
+Bulk sync is row-based, not all-or-nothing. One failed row does not mean every row failed.
+
+## Step 5: Verify Changes
+
+Verify the update by exporting the store type again:
+
+```bash
+kfutil stores export --store-type-name K8SSecret
+```
+
+Compare the updated columns against the original export and results file. For spot checks, fetch an individual store by ID:
+
+```bash
+kfutil stores get --id 6d1c7e86-0000-0000-0000-000000000000
+```
+
+## Credentials
+
+Credential values can be supplied in the CSV, by flags, by environment variables, or by interactive prompts.
+
+CSV columns:
+
+```text
+Properties.ServerUsername
+Properties.ServerPassword
+Password
+```
+
+Flags:
+
+```bash
+--server-username
+--server-password
+--store-password
+```
+
+Environment variables:
+
+```text
+KFUTIL_CSV_SERVER_USERNAME
+KFUTIL_CSV_SERVER_PASSWORD
+KFUTIL_CSV_STORE_PASSWORD
+```
+
+Values in the CSV take precedence over flags, environment variables, and prompts.
+
+Avoid putting secrets in CSV files unless your operating procedures allow it. If you do use CSV-based secrets, protect the file, results file, and shell history accordingly.
+
+## Formatting Secret Values In CSV
+
+Static credential values use normal CSV quoting rules.
+
+For non-JSON secrets, put the value directly in the credential column. Quote the value if it contains commas, quotes, or line breaks:
+
+```csv
+Properties.ServerUsername,Properties.ServerPassword
+kubeconfig,"plain,password,with,commas"
+```
+
+For JSON secrets such as kubeconfig content, put the complete JSON document in one CSV cell and escape inner quotes by doubling them:
+
+```csv
+Properties.ServerUsername,Properties.ServerPassword
+kubeconfig,"{""kind"":""Config"",""apiVersion"":""v1"",""clusters"":[]}"
+```
+
+`kfutil` treats credential fields as secret strings even when they look like JSON. This applies to:
+
+```text
+Properties.ServerUsername
+Properties.ServerPassword
+Password
+*.SecretValue
+```
+
+For PAM-backed credentials, use provider and parameter columns instead of a direct secret value.
+
+## PAM Provider Credentials
+
+Certificate store credentials can also reference a Keyfactor PAM provider instead of carrying a direct secret value. This is supported for CSV create and sync workflows when the CSV uses the provider columns exported by `kfutil`.
+
+For an existing PAM-backed store, export the store type and use the exported credential columns as the pattern:
+
+```bash
+kfutil stores export --store-type-name K8SCluster
+```
+
+A PAM-backed `ServerPassword` uses columns like:
+
+```text
+Properties.ServerPassword.Provider
+Properties.ServerPassword.Parameters.SecretName
+Properties.ServerPassword.Parameters.SecretType
+Properties.ServerPassword.Parameters.StaticSecretFieldName
+```
+
+Example:
+
+```csv
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretName,Properties.ServerPassword.Parameters.SecretType,Properties.ServerPassword.Parameters.StaticSecretFieldName
+13b0b2c5-eb27-4885-91ec-fad35d0268df,kf-integrations,fresh,30,dev/aks/kf-integrations,static_json," "
+```
+
+To convert direct `ServerPassword` values to the same PAM provider, add the provider columns if they are not already present, fill in the provider ID and parameters, and leave any direct `Properties.ServerPassword.SecretValue` column empty.
+
+Then run the normal sync command:
+
+```bash
+kfutil stores import csv \
+ --file K8SCluster_pam_sync.csv \
+ --store-type-name K8SCluster \
+ --sync \
+ --no-prompt
+```
+
+For a new store, leave the `Id` column empty or omit it and provide the same provider-backed credential columns:
+
+```bash
+kfutil stores import csv \
+ --file K8SCluster_create_with_pam.csv \
+ --store-type-name K8SCluster \
+ --no-prompt
+```
+
+If the exported CSV contains masked direct credential values such as `********************`, prefer changing only the PAM-backed credential columns you intend to update. Do not copy masked values into new rows as real secrets.
+
+## Template Option
+
+If you need a blank CSV for a store type instead of exporting existing stores, generate a template:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name K8SSecret \
+ --outpath K8SSecret_bulk_import_template.csv
+```
+
+The template includes the common certificate store columns and the properties required for the selected store type. For updates, exporting existing stores is usually safer because it includes the `Id` values needed by `--sync`.
+
+## Operational Guidance
+
+- Start with a small CSV containing one or two stores.
+- Keep the original export unchanged as a rollback/reference artifact.
+- Preserve the `Id` column for update rows.
+- Keep separate CSV files per store type.
+- Edit only the columns needed for the change.
+- Review the results CSV before rerunning failed rows.
+- Rerun only corrected failed rows when possible.
+
+## Related Commands
+
+- [kfutil stores export](../kfutil_stores_export.md)
+- [kfutil stores import csv](../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../kfutil_stores_import_generate-template.md)
+- [kfutil stores get](../kfutil_stores_get.md)
+- [Migrate Static Store Credentials To A PAM Provider](migrate-static-store-credentials-to-pam.md)
diff --git a/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md b/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md
new file mode 100644
index 00000000..d47b620c
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md
@@ -0,0 +1,208 @@
+# Migrate Static Store Credentials To A PAM Provider
+
+Use this workflow when existing certificate stores have static Keyfactor-encrypted credential values and you want those stores to reference a Keyfactor PAM provider instead.
+
+This is a specialized bulk certificate store update. The workflow uses exported CSV files, edits the `Properties.ServerPassword` credential columns, then syncs the changes back to Keyfactor Command.
+
+## Contents
+
+- [Before You Begin](#before-you-begin)
+- [Step 1: Export Stores](#step-1-export-stores)
+- [Step 2: Identify The PAM Provider Columns](#step-2-identify-the-pam-provider-columns)
+- [Step 3: Build The Sync CSV](#step-3-build-the-sync-csv)
+- [RFPKCS12 Examples By PAM Type](#rfpkcs12-examples-by-pam-type)
+- [Step 4: Sync The Migration](#step-4-sync-the-migration)
+- [Step 5: Verify The Migration](#step-5-verify-the-migration)
+- [Notes](#notes)
+- [Related Commands](#related-commands)
+
+## Before You Begin
+
+You need:
+
+- `kfutil` configured to authenticate to Keyfactor Command.
+- Permission to export and update certificate stores.
+- A configured PAM provider in Keyfactor Command.
+- The PAM provider ID and any provider parameter names and values required by that provider.
+- The target store type short name or store type ID.
+
+Keep each CSV scoped to one certificate store type. The import command accepts one `--store-type-name` or `--store-type-id` per run.
+
+## Step 1: Export Stores
+
+Export the stores you want to migrate:
+
+```bash
+kfutil stores export --store-type-name K8SCluster
+```
+
+For all store types:
+
+```bash
+kfutil stores export --all
+```
+
+The export includes the `Id` column required for sync updates.
+
+## Step 2: Identify The PAM Provider Columns
+
+If you already have a store using the target PAM provider, export that store type and use its columns as the pattern.
+
+For a PAM-backed `ServerPassword`, the CSV uses columns like:
+
+```text
+Properties.ServerPassword.Provider
+Properties.ServerPassword.Parameters.SecretName
+Properties.ServerPassword.Parameters.SecretType
+Properties.ServerPassword.Parameters.StaticSecretFieldName
+```
+
+Example values:
+
+```text
+Properties.ServerPassword.Provider=30
+Properties.ServerPassword.Parameters.SecretName=dev/aks/kf-integrations
+Properties.ServerPassword.Parameters.SecretType=static_json
+Properties.ServerPassword.Parameters.StaticSecretFieldName=" "
+```
+
+The parameter names depend on the PAM provider type. Use the names exported from a known-good store or from the PAM provider type definition.
+
+## Step 3: Build The Sync CSV
+
+For each row you want to migrate:
+
+- Preserve `Id`.
+- Preserve `ClientMachine`, `StorePath`, `AgentId`, and other store configuration values.
+- Add the PAM provider columns if they are not already present.
+- Set `Properties.ServerPassword.Provider` to the PAM provider ID.
+- Set the `Properties.ServerPassword.Parameters.*` columns to the provider parameter values.
+- Leave `Properties.ServerPassword.SecretValue` empty if that column exists.
+
+Example:
+
+```csv
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretName,Properties.ServerPassword.Parameters.SecretType,Properties.ServerPassword.Parameters.StaticSecretFieldName,Properties.ServerPassword.SecretValue
+13b0b2c5-eb27-4885-91ec-fad35d0268df,kf-integrations,fresh,30,dev/aks/kf-integrations,static_json," ",
+```
+
+Do not put the masked export value `********************` into a new direct secret value column. That is a placeholder, not the original secret.
+
+## RFPKCS12 Examples By PAM Type
+
+The embedded store type short name is `RFPkcs12`; use that exact value with `--store-type-name`.
+
+These examples show the columns to migrate an `RFPkcs12` row from static values to PAM-backed `Properties.ServerPassword` and PAM-backed store `Password`. Replace provider IDs, store IDs, paths, and PAM parameter values with values from your environment.
+
+If you are migrating `Properties.ServerUsername` instead of `Properties.ServerPassword`, use the same provider and parameter pattern with the `Properties.ServerUsername.*` prefix.
+
+### 1Password-CLI
+
+```csv
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.Item,Properties.ServerPassword.Parameters.Field,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.Item,Password.Parameters.Field,Password.SecretValue
+00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,101,linux-service-account,password,,101,rfpkcs12-store,password,
+```
+
+### Azure-KeyVault
+
+```csv
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretId,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.SecretId,Password.SecretValue
+00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,102,linux-service-account-password,,102,rfpkcs12-store-password,
+```
+
+### Azure-KeyVault-ServicePrincipal
+
+```csv
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretId,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.SecretId,Password.SecretValue
+00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,103,linux-service-account-password,,103,rfpkcs12-store-password,
+```
+
+### BeyondTrust-PasswordSafe
+
+```csv
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SystemId,Properties.ServerPassword.Parameters.AccountId,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.SystemId,Password.Parameters.AccountId,Password.SecretValue
+00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,104,bt-system-123,bt-account-456,,104,bt-system-123,bt-account-789,
+```
+
+### CyberArk-CentralCredentialProvider
+
+```csv
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.Safe,Properties.ServerPassword.Parameters.Folder,Properties.ServerPassword.Parameters.Object,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.Safe,Password.Parameters.Folder,Password.Parameters.Object,Password.SecretValue
+00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,105,Certificates,Root,linux-service-account,,105,Certificates,Root,rfpkcs12-store-password,
+```
+
+### CyberArk-SdkCredentialProvider
+
+```csv
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.Safe,Properties.ServerPassword.Parameters.Folder,Properties.ServerPassword.Parameters.Object,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.Safe,Password.Parameters.Folder,Password.Parameters.Object,Password.SecretValue
+00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,106,Certificates,Root,linux-service-account,,106,Certificates,Root,rfpkcs12-store-password,
+```
+
+### Delinea-SecretServer
+
+```csv
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretId,Properties.ServerPassword.Parameters.SecretFieldName,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.SecretId,Password.Parameters.SecretFieldName,Password.SecretValue
+00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,107,12001,password,,107,12002,password,
+```
+
+### GCP-SecretManager
+
+```csv
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.secretId,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.secretId,Password.SecretValue
+00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,108,linux-service-account-password,,108,rfpkcs12-store-password,
+```
+
+### Hashicorp-Vault
+
+```csv
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.Secret,Properties.ServerPassword.Parameters.Key,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.Secret,Password.Parameters.Key,Password.SecretValue
+00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,109,certstores/linux01,serverPassword,,109,certstores/linux01,storePassword,
+```
+
+## Step 4: Sync The Migration
+
+Run the import command with `--sync`:
+
+```bash
+kfutil stores import csv \
+ --file K8SCluster_pam_sync.csv \
+ --store-type-name K8SCluster \
+ --sync \
+ --no-prompt
+```
+
+Use one command per store type CSV.
+
+## Step 5: Verify The Migration
+
+Export the store type again:
+
+```bash
+kfutil stores export --store-type-name K8SCluster
+```
+
+Confirm the migrated rows include:
+
+```text
+Properties.ServerPassword.Provider
+Properties.ServerPassword.Parameters.
+```
+
+Confirm `Properties.ServerPassword.SecretValue` is empty or absent for migrated rows.
+
+Review the sync results file and confirm the `Errors` column is empty for each migrated row.
+
+## Notes
+
+- This workflow changes where Keyfactor retrieves the store credential. It does not rotate the credential in the target system.
+- When moving the other direction, from PAM-backed credentials to static credentials, put JSON secrets in one CSV cell and escape inner quotes by doubling them, for example `"{""kind"":""Config""}"`.
+- Non-JSON static secrets can be written directly in the credential column, with normal CSV quoting when the value contains commas, quotes, or line breaks.
+- For provider-backed `ServerUsername`, use the same pattern with `Properties.ServerUsername.Provider` and `Properties.ServerUsername.Parameters.*`.
+- For store-level passwords, use `Password.ProviderId` and `Password.Parameters.*`.
+- Test with one store before applying the same provider values to many stores.
+
+## Related Commands
+
+- [kfutil stores export](../kfutil_stores_export.md)
+- [kfutil stores import csv](../kfutil_stores_import_csv.md)
+- [Bulk Certificate Store Updates](bulk-certificate-store-updates.md)
diff --git a/docs/use-cases/PAM Operations/README.md b/docs/use-cases/PAM Operations/README.md
new file mode 100644
index 00000000..31a018b9
--- /dev/null
+++ b/docs/use-cases/PAM Operations/README.md
@@ -0,0 +1,27 @@
+
+# PAM Operations
+
+Use cases for creating PAM provider types and PAM providers with `kfutil`.
+
+These docs are generated from `cmd/pam_types.json`. Regenerate after PAM type metadata changes:
+
+```bash
+kfutil makedocs
+```
+
+- [Create PAM Types](create-pam-types.md)
+- [Create PAM Providers](create-pam-providers.md)
+
+## Embedded PAM Types
+
+| PAM type | Provider configuration parameters | Certificate store instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
diff --git a/docs/use-cases/PAM Operations/create-pam-providers.md b/docs/use-cases/PAM Operations/create-pam-providers.md
new file mode 100644
index 00000000..74b88f03
--- /dev/null
+++ b/docs/use-cases/PAM Operations/create-pam-providers.md
@@ -0,0 +1,746 @@
+
+# Create PAM Providers
+
+[PAM Operations](README.md) | [Use Cases](../README.md)
+
+This use case creates PAM providers from JSON files. `kfutil pam create` currently accepts provider configuration with `--from-file`.
+
+Create the PAM provider type first, then create the provider that uses it:
+
+```bash
+kfutil pam-types create --name Hashicorp-Vault --no-prompt
+kfutil pam create --from-file hashicorp-vault-provider.json --no-prompt
+```
+
+Provider JSON contains provider-level connection settings only. Certificate-store instance parameters are not set on the provider; they are supplied later on certificate store CSV columns such as `Properties.ServerPassword.Parameters.SecretId`.
+
+Provider type IDs and provider parameter IDs are assigned by Command when PAM types are created. Get the live provider type first and replace the `Id` placeholders in the generated template before running `kfutil pam create`:
+
+```bash
+kfutil pam-types get --name Hashicorp-Vault --no-prompt
+```
+
+## Embedded PAM Types
+
+| PAM type | Provider configuration parameters | Certificate store instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
+## Provider Examples
+
+### 1Password-CLI
+
+Write a provider config file:
+
+```json
+{
+ "Area": 1,
+ "Name": "example-1password-cli",
+ "Remote": false,
+ "ProviderType": {
+ "Id": "",
+ "Name": "1Password-CLI",
+ "ProviderTypeParams": [
+ {
+ "Id": "",
+ "Name": "Vault",
+ "DisplayName": "1Password Secret Vault",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "Token",
+ "DisplayName": "1Password Service Account Token",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ ]
+ },
+ "ProviderTypeParamValues": [
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Vault",
+ "DisplayName": "1Password Secret Vault",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Token",
+ "DisplayName": "1Password Service Account Token",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ }
+ ],
+ "SecuredAreaId": null
+}
+```
+
+Create the provider:
+
+```bash
+kfutil pam create --from-file 1password-cli-provider.json --no-prompt
+```
+
+### Azure-KeyVault
+
+Write a provider config file:
+
+```json
+{
+ "Area": 1,
+ "Name": "example-azure-keyvault",
+ "Remote": false,
+ "ProviderType": {
+ "Id": "",
+ "Name": "Azure-KeyVault",
+ "ProviderTypeParams": [
+ {
+ "Id": "",
+ "Name": "KeyVaultUri",
+ "DisplayName": "Key Vault URI",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "AuthorityHost",
+ "DisplayName": "Authority Host",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ ]
+ },
+ "ProviderTypeParamValues": [
+ {
+ "Value": "https://example.invalid",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "KeyVaultUri",
+ "DisplayName": "Key Vault URI",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "https://example.invalid",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "AuthorityHost",
+ "DisplayName": "Authority Host",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ }
+ ],
+ "SecuredAreaId": null
+}
+```
+
+Create the provider:
+
+```bash
+kfutil pam create --from-file azure-keyvault-provider.json --no-prompt
+```
+
+### Azure-KeyVault-ServicePrincipal
+
+Write a provider config file:
+
+```json
+{
+ "Area": 1,
+ "Name": "example-azure-keyvault-serviceprincipal",
+ "Remote": false,
+ "ProviderType": {
+ "Id": "",
+ "Name": "Azure-KeyVault-ServicePrincipal",
+ "ProviderTypeParams": [
+ {
+ "Id": "",
+ "Name": "KeyVaultUri",
+ "DisplayName": "Key Vault URI",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "AuthorityHost",
+ "DisplayName": "Authority Host",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "TenantId",
+ "DisplayName": "Tenant ID",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "ClientId",
+ "DisplayName": "Client ID",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "ClientSecret",
+ "DisplayName": "ClientSecret",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ ]
+ },
+ "ProviderTypeParamValues": [
+ {
+ "Value": "https://example.invalid",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "KeyVaultUri",
+ "DisplayName": "Key Vault URI",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "https://example.invalid",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "AuthorityHost",
+ "DisplayName": "Authority Host",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "TenantId",
+ "DisplayName": "Tenant ID",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "N/A",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "ClientId",
+ "DisplayName": "Client ID",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "N/A",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "ClientSecret",
+ "DisplayName": "ClientSecret",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ }
+ ],
+ "SecuredAreaId": null
+}
+```
+
+Create the provider:
+
+```bash
+kfutil pam create --from-file azure-keyvault-serviceprincipal-provider.json --no-prompt
+```
+
+### BeyondTrust-PasswordSafe
+
+Write a provider config file:
+
+```json
+{
+ "Area": 1,
+ "Name": "example-beyondtrust-passwordsafe",
+ "Remote": false,
+ "ProviderType": {
+ "Id": "",
+ "Name": "BeyondTrust-PasswordSafe",
+ "ProviderTypeParams": [
+ {
+ "Id": "",
+ "Name": "Host",
+ "DisplayName": "BeyondTrust Host",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "APIKey",
+ "DisplayName": "BeyondTrust API Key",
+ "DataType": 2,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "Username",
+ "DisplayName": "BeyondTrust Username",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "ClientCertificate",
+ "DisplayName": "BeyondTrust Client Certificate Thumbprint",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ ]
+ },
+ "ProviderTypeParamValues": [
+ {
+ "Value": "https://example.invalid",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Host",
+ "DisplayName": "BeyondTrust Host",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "APIKey",
+ "DisplayName": "BeyondTrust API Key",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Username",
+ "DisplayName": "BeyondTrust Username",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "ClientCertificate",
+ "DisplayName": "BeyondTrust Client Certificate Thumbprint",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ }
+ ],
+ "SecuredAreaId": null
+}
+```
+
+Create the provider:
+
+```bash
+kfutil pam create --from-file beyondtrust-passwordsafe-provider.json --no-prompt
+```
+
+### CyberArk-CentralCredentialProvider
+
+Write a provider config file:
+
+```json
+{
+ "Area": 1,
+ "Name": "example-cyberark-centralcredentialprovider",
+ "Remote": false,
+ "ProviderType": {
+ "Id": "",
+ "Name": "CyberArk-CentralCredentialProvider",
+ "ProviderTypeParams": [
+ {
+ "Id": "",
+ "Name": "AppId",
+ "DisplayName": "Application ID",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "Host",
+ "DisplayName": "CyberArk Host and Port",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "Site",
+ "DisplayName": "CyberArk API Site",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ ]
+ },
+ "ProviderTypeParamValues": [
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "AppId",
+ "DisplayName": "Application ID",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "https://example.invalid",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Host",
+ "DisplayName": "CyberArk Host and Port",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Site",
+ "DisplayName": "CyberArk API Site",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ }
+ ],
+ "SecuredAreaId": null
+}
+```
+
+Create the provider:
+
+```bash
+kfutil pam create --from-file cyberark-centralcredentialprovider-provider.json --no-prompt
+```
+
+### CyberArk-SdkCredentialProvider
+
+Write a provider config file:
+
+```json
+{
+ "Area": 1,
+ "Name": "example-cyberark-sdkcredentialprovider",
+ "Remote": false,
+ "ProviderType": {
+ "Id": "",
+ "Name": "CyberArk-SdkCredentialProvider",
+ "ProviderTypeParams": [
+ {
+ "Id": "",
+ "Name": "AppId",
+ "DisplayName": "Application ID",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ ]
+ },
+ "ProviderTypeParamValues": [
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "AppId",
+ "DisplayName": "Application ID",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ }
+ ],
+ "SecuredAreaId": null
+}
+```
+
+Create the provider:
+
+```bash
+kfutil pam create --from-file cyberark-sdkcredentialprovider-provider.json --no-prompt
+```
+
+### Delinea-SecretServer
+
+Write a provider config file:
+
+```json
+{
+ "Area": 1,
+ "Name": "example-delinea-secretserver",
+ "Remote": false,
+ "ProviderType": {
+ "Id": "",
+ "Name": "Delinea-SecretServer",
+ "ProviderTypeParams": [
+ {
+ "Id": "",
+ "Name": "Host",
+ "DisplayName": "Secret Server URL",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "Username",
+ "DisplayName": "Secret Server Username",
+ "DataType": 2,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "Password",
+ "DisplayName": "Secret Server Password",
+ "DataType": 2,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "ClientId",
+ "DisplayName": "Secret Server Client ID",
+ "DataType": 2,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "ClientSecret",
+ "DisplayName": "Secret Server Client Secret",
+ "DataType": 2,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "GrantType",
+ "DisplayName": "Grant Type",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ ]
+ },
+ "ProviderTypeParamValues": [
+ {
+ "Value": "https://example.invalid",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Host",
+ "DisplayName": "Secret Server URL",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Username",
+ "DisplayName": "Secret Server Username",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Password",
+ "DisplayName": "Secret Server Password",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "N/A",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "ClientId",
+ "DisplayName": "Secret Server Client ID",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "N/A",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "ClientSecret",
+ "DisplayName": "Secret Server Client Secret",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "password",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "GrantType",
+ "DisplayName": "Grant Type",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ }
+ ],
+ "SecuredAreaId": null
+}
+```
+
+Create the provider:
+
+```bash
+kfutil pam create --from-file delinea-secretserver-provider.json --no-prompt
+```
+
+### GCP-SecretManager
+
+Write a provider config file:
+
+```json
+{
+ "Area": 1,
+ "Name": "example-gcp-secretmanager",
+ "Remote": false,
+ "ProviderType": {
+ "Id": "",
+ "Name": "GCP-SecretManager",
+ "ProviderTypeParams": [
+ {
+ "Id": "",
+ "Name": "projectId",
+ "DisplayName": "Unique Google Cloud Project ID",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ ]
+ },
+ "ProviderTypeParamValues": [
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "projectId",
+ "DisplayName": "Unique Google Cloud Project ID",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ }
+ ],
+ "SecuredAreaId": null
+}
+```
+
+Create the provider:
+
+```bash
+kfutil pam create --from-file gcp-secretmanager-provider.json --no-prompt
+```
+
+### Hashicorp-Vault
+
+Write a provider config file:
+
+```json
+{
+ "Area": 1,
+ "Name": "example-hashicorp-vault",
+ "Remote": false,
+ "ProviderType": {
+ "Id": "",
+ "Name": "Hashicorp-Vault",
+ "ProviderTypeParams": [
+ {
+ "Id": "",
+ "Name": "Host",
+ "DisplayName": "Vault Host",
+ "DataType": 1,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "Token",
+ "DisplayName": "Vault Token",
+ "DataType": 2,
+ "InstanceLevel": false
+ },
+ {
+ "Id": "",
+ "Name": "Path",
+ "DisplayName": "KV Engine Path",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ ]
+ },
+ "ProviderTypeParamValues": [
+ {
+ "Value": "https://example.invalid",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Host",
+ "DisplayName": "Vault Host",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Token",
+ "DisplayName": "Vault Token",
+ "DataType": 2,
+ "InstanceLevel": false
+ }
+ },
+ {
+ "Value": "",
+ "ProviderTypeParam": {
+ "Id": "",
+ "Name": "Path",
+ "DisplayName": "KV Engine Path",
+ "DataType": 1,
+ "InstanceLevel": false
+ }
+ }
+ ],
+ "SecuredAreaId": null
+}
+```
+
+Create the provider:
+
+```bash
+kfutil pam create --from-file hashicorp-vault-provider.json --no-prompt
+```
+
+## References
+
+- [kfutil pam create](../../kfutil_pam_create.md)
+- [kfutil pam list](../../kfutil_pam_list.md)
+- [kfutil pam-types create](../../kfutil_pam-types_create.md)
+- [kfutil pam-types list](../../kfutil_pam-types_list.md)
diff --git a/docs/use-cases/PAM Operations/create-pam-types.md b/docs/use-cases/PAM Operations/create-pam-types.md
new file mode 100644
index 00000000..312c3447
--- /dev/null
+++ b/docs/use-cases/PAM Operations/create-pam-types.md
@@ -0,0 +1,89 @@
+
+# Create PAM Types
+
+[PAM Operations](README.md) | [Use Cases](../README.md)
+
+This use case installs the PAM provider type definitions embedded in `cmd/pam_types.json`.
+
+## Create All Embedded PAM Types
+
+```bash
+kfutil pam-types create --all --no-prompt
+```
+
+## Create One PAM Type
+
+Use `--name` when you only want one provider type:
+
+```bash
+kfutil pam-types create --name Hashicorp-Vault --no-prompt
+```
+
+## Commands For Each Embedded PAM Type
+
+### 1Password-CLI
+
+```bash
+kfutil pam-types create --name 1Password-CLI --no-prompt
+```
+
+### Azure-KeyVault
+
+```bash
+kfutil pam-types create --name Azure-KeyVault --no-prompt
+```
+
+### Azure-KeyVault-ServicePrincipal
+
+```bash
+kfutil pam-types create --name Azure-KeyVault-ServicePrincipal --no-prompt
+```
+
+### BeyondTrust-PasswordSafe
+
+```bash
+kfutil pam-types create --name BeyondTrust-PasswordSafe --no-prompt
+```
+
+### CyberArk-CentralCredentialProvider
+
+```bash
+kfutil pam-types create --name CyberArk-CentralCredentialProvider --no-prompt
+```
+
+### CyberArk-SdkCredentialProvider
+
+```bash
+kfutil pam-types create --name CyberArk-SdkCredentialProvider --no-prompt
+```
+
+### Delinea-SecretServer
+
+```bash
+kfutil pam-types create --name Delinea-SecretServer --no-prompt
+```
+
+### GCP-SecretManager
+
+```bash
+kfutil pam-types create --name GCP-SecretManager --no-prompt
+```
+
+### Hashicorp-Vault
+
+```bash
+kfutil pam-types create --name Hashicorp-Vault --no-prompt
+```
+
+## Verify
+
+```bash
+kfutil pam-types list --no-prompt
+```
+
+## References
+
+- [kfutil pam create](../../kfutil_pam_create.md)
+- [kfutil pam list](../../kfutil_pam_list.md)
+- [kfutil pam-types create](../../kfutil_pam-types_create.md)
+- [kfutil pam-types list](../../kfutil_pam-types_list.md)
diff --git a/docs/use-cases/README.md b/docs/use-cases/README.md
new file mode 100644
index 00000000..40799303
--- /dev/null
+++ b/docs/use-cases/README.md
@@ -0,0 +1,6 @@
+# Use Cases
+
+Task-oriented guides for common `kfutil` workflows.
+
+- [Certificate Store Operations](Certificate%20Store%20Operations/README.md)
+- [PAM Operations](PAM%20Operations/README.md)
diff --git a/internal/docgen/pamdocs/pamdocs.go b/internal/docgen/pamdocs/pamdocs.go
new file mode 100644
index 00000000..35547ffa
--- /dev/null
+++ b/internal/docgen/pamdocs/pamdocs.go
@@ -0,0 +1,347 @@
+// Copyright 2026 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pamdocs
+
+import (
+ "bytes"
+ "encoding/json"
+ "fmt"
+ "html"
+ "os"
+ "path/filepath"
+ "regexp"
+ "sort"
+ "strings"
+)
+
+const generatedMarker = ""
+
+const (
+ DefaultSourcePath = "cmd/pam_types.json"
+ DefaultOutputDir = "docs/use-cases/PAM Operations"
+)
+
+type pamType struct {
+ Name string `json:"Name"`
+ Parameters []pamParameter `json:"Parameters"`
+}
+
+type pamParameter struct {
+ Name string `json:"Name"`
+ DisplayName string `json:"DisplayName"`
+ Description string `json:"Description"`
+ DataType int `json:"DataType"`
+ InstanceLevel bool `json:"InstanceLevel"`
+}
+
+type providerTemplate struct {
+ Area int `json:"Area"`
+ Name string `json:"Name"`
+ Remote bool `json:"Remote"`
+ ProviderType providerTemplateType `json:"ProviderType"`
+ ProviderTypeParamValues []providerTemplateParamValue `json:"ProviderTypeParamValues"`
+ SecuredAreaId *int `json:"SecuredAreaId"`
+}
+
+type providerTemplateType struct {
+ Id string `json:"Id"`
+ Name string `json:"Name"`
+ ProviderTypeParams []providerTemplateParameter `json:"ProviderTypeParams"`
+}
+
+type providerTemplateParamValue struct {
+ Value string `json:"Value"`
+ ProviderTypeParam providerTemplateParameter `json:"ProviderTypeParam"`
+}
+
+type providerTemplateParameter struct {
+ Id string `json:"Id"`
+ Name string `json:"Name"`
+ DisplayName string `json:"DisplayName,omitempty"`
+ DataType int `json:"DataType"`
+ InstanceLevel bool `json:"InstanceLevel"`
+}
+
+func Generate(sourcePath, outputDir string) error {
+ if sourcePath == "" {
+ sourcePath = DefaultSourcePath
+ }
+ if outputDir == "" {
+ outputDir = DefaultOutputDir
+ }
+
+ pamTypes, err := readPAMTypes(sourcePath)
+ if err != nil {
+ return err
+ }
+ sort.Slice(pamTypes, func(i, j int) bool {
+ return strings.ToLower(pamTypes[i].Name) < strings.ToLower(pamTypes[j].Name)
+ })
+
+ if err := os.MkdirAll(outputDir, 0o755); err != nil {
+ return err
+ }
+
+ files := map[string]string{
+ "README.md": renderIndex(pamTypes),
+ "create-pam-types.md": renderCreatePAMTypes(pamTypes),
+ "create-pam-providers.md": renderCreatePAMProviders(pamTypes),
+ }
+
+ for name, content := range files {
+ path := filepath.Join(outputDir, name)
+ if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
+ return fmt.Errorf("write %s: %w", path, err)
+ }
+ }
+
+ fmt.Printf("Generated PAM operation docs for %d PAM types in %s\n", len(pamTypes), outputDir)
+ return nil
+}
+
+func readPAMTypes(path string) ([]pamType, error) {
+ data, err := os.ReadFile(path)
+ if err != nil {
+ return nil, fmt.Errorf("read %s: %w", path, err)
+ }
+
+ var pamTypes []pamType
+ if err := json.Unmarshal(data, &pamTypes); err != nil {
+ return nil, fmt.Errorf("parse %s: %w", path, err)
+ }
+ if len(pamTypes) == 0 {
+ return nil, fmt.Errorf("%s did not contain any PAM types", path)
+ }
+ for i := range pamTypes {
+ if pamTypes[i].Name == "" {
+ return nil, fmt.Errorf("PAM type at index %d is missing Name", i)
+ }
+ }
+ return pamTypes, nil
+}
+
+func renderIndex(pamTypes []pamType) string {
+ var b strings.Builder
+ b.WriteString(generatedMarker + "\n")
+ b.WriteString("# PAM Operations\n\n")
+ b.WriteString("Use cases for creating PAM provider types and PAM providers with `kfutil`.\n\n")
+ b.WriteString("These docs are generated from `cmd/pam_types.json`. Regenerate after PAM type metadata changes:\n\n")
+ b.WriteString("```bash\n")
+ b.WriteString("kfutil makedocs\n")
+ b.WriteString("```\n\n")
+ b.WriteString("- [Create PAM Types](create-pam-types.md)\n")
+ b.WriteString("- [Create PAM Providers](create-pam-providers.md)\n\n")
+ writePAMTypeTable(&b, pamTypes)
+ return b.String()
+}
+
+func renderCreatePAMTypes(pamTypes []pamType) string {
+ var b strings.Builder
+ b.WriteString(generatedMarker + "\n")
+ b.WriteString("# Create PAM Types\n\n")
+ b.WriteString("[PAM Operations](README.md) | [Use Cases](../README.md)\n\n")
+ b.WriteString("This use case installs the PAM provider type definitions embedded in `cmd/pam_types.json`.\n\n")
+ b.WriteString("## Create All Embedded PAM Types\n\n")
+ b.WriteString("```bash\n")
+ b.WriteString("kfutil pam-types create --all --no-prompt\n")
+ b.WriteString("```\n\n")
+ b.WriteString("## Create One PAM Type\n\n")
+ b.WriteString("Use `--name` when you only want one provider type:\n\n")
+ b.WriteString("```bash\n")
+ b.WriteString("kfutil pam-types create --name Hashicorp-Vault --no-prompt\n")
+ b.WriteString("```\n\n")
+ b.WriteString("## Commands For Each Embedded PAM Type\n\n")
+ for _, pamType := range pamTypes {
+ b.WriteString("### " + pamType.Name + "\n\n")
+ b.WriteString("```bash\n")
+ b.WriteString(fmt.Sprintf("kfutil pam-types create --name %s --no-prompt\n", shellQuote(pamType.Name)))
+ b.WriteString("```\n\n")
+ }
+ b.WriteString("## Verify\n\n")
+ b.WriteString("```bash\n")
+ b.WriteString("kfutil pam-types list --no-prompt\n")
+ b.WriteString("```\n\n")
+ writeReferences(&b)
+ return b.String()
+}
+
+func renderCreatePAMProviders(pamTypes []pamType) string {
+ var b strings.Builder
+ b.WriteString(generatedMarker + "\n")
+ b.WriteString("# Create PAM Providers\n\n")
+ b.WriteString("[PAM Operations](README.md) | [Use Cases](../README.md)\n\n")
+ b.WriteString("This use case creates PAM providers from JSON files. `kfutil pam create` currently accepts provider configuration with `--from-file`.\n\n")
+ b.WriteString("Create the PAM provider type first, then create the provider that uses it:\n\n")
+ b.WriteString("```bash\n")
+ b.WriteString("kfutil pam-types create --name Hashicorp-Vault --no-prompt\n")
+ b.WriteString("kfutil pam create --from-file hashicorp-vault-provider.json --no-prompt\n")
+ b.WriteString("```\n\n")
+ b.WriteString("Provider JSON contains provider-level connection settings only. Certificate-store instance parameters are not set on the provider; they are supplied later on certificate store CSV columns such as `Properties.ServerPassword.Parameters.SecretId`.\n\n")
+ b.WriteString("Provider type IDs and provider parameter IDs are assigned by Command when PAM types are created. Get the live provider type first and replace the `Id` placeholders in the generated template before running `kfutil pam create`:\n\n")
+ b.WriteString("```bash\n")
+ b.WriteString("kfutil pam-types get --name Hashicorp-Vault --no-prompt\n")
+ b.WriteString("```\n\n")
+ writePAMTypeTable(&b, pamTypes)
+ b.WriteString("## Provider Examples\n\n")
+ for _, pamType := range pamTypes {
+ writeProviderExample(&b, pamType)
+ }
+ writeReferences(&b)
+ return b.String()
+}
+
+func writePAMTypeTable(b *strings.Builder, pamTypes []pamType) {
+ b.WriteString("## Embedded PAM Types\n\n")
+ b.WriteString("| PAM type | Provider configuration parameters | Certificate store instance parameters |\n")
+ b.WriteString("| --- | --- | --- |\n")
+ for _, pamType := range pamTypes {
+ b.WriteString(fmt.Sprintf("| `%s` | %s | %s |\n",
+ mdTable(pamType.Name),
+ mdTable(strings.Join(parameterNames(pamType.Parameters, false), ", ")),
+ mdTable(strings.Join(parameterNames(pamType.Parameters, true), ", ")),
+ ))
+ }
+ b.WriteString("\n")
+}
+
+func writeProviderExample(b *strings.Builder, pamType pamType) {
+ fileName := slugify(pamType.Name) + "-provider.json"
+ b.WriteString("### " + pamType.Name + "\n\n")
+ b.WriteString("Write a provider config file:\n\n")
+ b.WriteString("```json\n")
+ b.WriteString(providerJSON(pamType))
+ b.WriteString("\n```\n\n")
+ b.WriteString("Create the provider:\n\n")
+ b.WriteString("```bash\n")
+ b.WriteString(fmt.Sprintf("kfutil pam create --from-file %s --no-prompt\n", fileName))
+ b.WriteString("```\n\n")
+}
+
+func providerJSON(pamType pamType) string {
+ providerParams := filterParameters(pamType.Parameters, false)
+ templateParams := make([]providerTemplateParameter, 0, len(providerParams))
+ templateValues := make([]providerTemplateParamValue, 0, len(providerParams))
+ for _, param := range providerParams {
+ templateParam := providerTemplateParameter{
+ Id: "<" + param.Name + "-parameter-id>",
+ Name: param.Name,
+ DisplayName: param.DisplayName,
+ DataType: param.DataType,
+ InstanceLevel: param.InstanceLevel,
+ }
+ templateParams = append(templateParams, templateParam)
+ templateValues = append(templateValues, providerTemplateParamValue{
+ Value: placeholderValue(param),
+ ProviderTypeParam: templateParam,
+ })
+ }
+
+ template := providerTemplate{
+ Area: 1,
+ Name: "example-" + slugify(pamType.Name),
+ Remote: false,
+ ProviderType: providerTemplateType{
+ Id: "",
+ Name: pamType.Name,
+ ProviderTypeParams: templateParams,
+ },
+ ProviderTypeParamValues: templateValues,
+ SecuredAreaId: nil,
+ }
+
+ var out bytes.Buffer
+ encoder := json.NewEncoder(&out)
+ encoder.SetEscapeHTML(false)
+ encoder.SetIndent("", " ")
+ err := encoder.Encode(template)
+ if err != nil {
+ panic(err)
+ }
+ return strings.TrimSpace(out.String())
+}
+
+func parameterNames(parameters []pamParameter, instanceLevel bool) []string {
+ params := filterParameters(parameters, instanceLevel)
+ if len(params) == 0 {
+ return []string{"-"}
+ }
+ names := make([]string, 0, len(params))
+ for _, param := range params {
+ names = append(names, param.Name)
+ }
+ return names
+}
+
+func filterParameters(parameters []pamParameter, instanceLevel bool) []pamParameter {
+ var filtered []pamParameter
+ for _, param := range parameters {
+ if param.InstanceLevel == instanceLevel {
+ filtered = append(filtered, param)
+ }
+ }
+ return filtered
+}
+
+func placeholderValue(param pamParameter) string {
+ name := strings.ToLower(param.Name)
+ if name == "clientid" || name == "clientsecret" {
+ return "N/A"
+ }
+ if name == "granttype" {
+ return "password"
+ }
+ if strings.Contains(name, "uri") || strings.Contains(name, "url") || strings.Contains(name, "host") {
+ return "https://example.invalid"
+ }
+ if param.DataType == 2 || strings.Contains(name, "secret") || strings.Contains(name, "token") || strings.Contains(name, "password") || strings.Contains(name, "key") {
+ return ""
+ }
+ return "<" + param.Name + ">"
+}
+
+func writeReferences(b *strings.Builder) {
+ b.WriteString("## References\n\n")
+ b.WriteString("- [kfutil pam create](../../kfutil_pam_create.md)\n")
+ b.WriteString("- [kfutil pam list](../../kfutil_pam_list.md)\n")
+ b.WriteString("- [kfutil pam-types create](../../kfutil_pam-types_create.md)\n")
+ b.WriteString("- [kfutil pam-types list](../../kfutil_pam-types_list.md)\n")
+}
+
+func slugify(value string) string {
+ value = strings.ToLower(value)
+ re := regexp.MustCompile(`[^a-z0-9]+`)
+ value = re.ReplaceAllString(value, "-")
+ return strings.Trim(value, "-")
+}
+
+func shellQuote(value string) string {
+ if regexp.MustCompile(`^[A-Za-z0-9._-]+$`).MatchString(value) {
+ return value
+ }
+ return "'" + strings.ReplaceAll(value, "'", `'\''`) + "'"
+}
+
+func mdTable(s string) string {
+ s = strings.TrimSpace(s)
+ if s == "" {
+ return "-"
+ }
+ s = html.EscapeString(s)
+ s = strings.ReplaceAll(s, "|", `\|`)
+ s = strings.ReplaceAll(s, "\r\n", "\n")
+ s = strings.ReplaceAll(s, "\r", "\n")
+ s = strings.ReplaceAll(s, "\n", "