Merge v1.0_GW_4.48.0 into v1.0

unknown · unknown · commit 8f89cf4d2fd6 · 2026-04-02T05:22:59.000Z
diff --git a/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-universal-identity/index.md b/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-universal-identity/index.md
@@ -174,22 +174,26 @@ Universal Identity Details:
 
 3. Define the remaining parameters as follows:
 
-    * **Expiration Date:** Select the access expiration date. This parameter is optional. Leave it empty for access to continue without an expiration date.
+   * **Expiration Date:** Select the access expiration date. This parameter is optional. Leave it empty for access to continue without an expiration date.
 
-    * **Allowed Client IPs:** Enter a comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean cURL, SDK, and so on. This parameter is optional. Leave it empty for unrestricted access.
+   * **Allowed Client IPs:** Enter a comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean cURL, SDK, and so on. This parameter is optional. Leave it empty for unrestricted access.
 
-    * **Allowed Trusted Gateway IPs:** Enter a comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so they will be visible in the logs).
-    If empty, the Gateway's IP will be used in the logs.
+   * **Allowed Trusted Gateway IPs:** Enter a comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so they will be visible in the logs).
+     If empty, the Gateway's IP will be used in the logs.
 
-    * **Audit Log Sub Claims:** Enter a comma-separated list of sub-claims keys to be included in the Audit Logs.
+   * **Audit Log Sub Claims:** Enter a comma-separated list of sub-claims keys to be included in the Audit Logs.
 
-    * **Allowed Client Type:** Select the allowed client type that will be authorized to use this authentication method. For example, `CLI`, `Web UI`, `SDK`.
+   * **Allowed Client Type:** Select the allowed client type that will be authorized to use this authentication method. For example, `CLI`, `Web UI`, `SDK`.
 
-    * Check **Deny Rotate** if you want to forbid token rotation.
+   * Check **Deny Rotate** if you want to forbid token rotation.
 
-    * Check **Deny Inheritance** if you want to forbid creating child tokens.
+   * Check **Deny Inheritance** if you want to forbid creating child tokens.
+
+   * **TTL (minutes):** Specify token TTL.
+
+   * **Tree Length:** Set the number of child tokens that can be created.
 
-    * **TTL (minutes):** Specify token TTL.
+   * **Limit Child TTL:** Set the limitation for the child tokens max TTL
 
 4. Click **Finish**.
 
@@ -219,8 +223,11 @@ To revoke a token in the Console:
 To create a child token in the Console:
 
 1. Open the corresponding authentication method.
+
 2. Go to **UID Tree** tab.
+
 3. Right-click the root node and click **Create child token**.
+
 4. Define the parameters as follows:
 
    * Check **Deny Rotate** if you want to forbid child token rotation.
diff --git a/docs/Advanced Functionality/automatic-migration/resource-discovery.md b/docs/Advanced Functionality/automatic-migration/resource-discovery.md
@@ -35,6 +35,7 @@ When working with [SSH Target](https://docs.akeyless.io/docs/ssh-target), the mi
 Note: When using Self Signed Certificate, please mount the matching certificate to the Akeyless Gateway server at `etc/ssl/certs`
 
 > ℹ️ **Note (Active Directory migration compatibility):**
+>
 > The OpenSSH server is available as a supported Feature-on-Demand in Windows Server 2022, Windows Server 2019, and Windows 10 (build 1809 and later)
 
 ## Set Up Automatic Migration for Active Directory
@@ -64,6 +65,8 @@ To create the migration from your Active Directory, log in to your **Gateway Con
 
 * **Discover IIS Applications:** Discover any existing IIS Application that runs with explicit user credentials, as part of the rotated secret those IIS Application will be reflected, and upon Rotation, the relevant IIS Application will be restarted with the latest password.
 
+* **AI Certificate Discovery:** Discover existing certificates across the environment using an AI-driven scanner as part of Active Directory Migration.
+
 > ℹ️ **Note:**
 >
 > Discover Local Users might require further installations of SSH on the servers, based on the supplied Computer Base DN. This will be done automatically by the migration process
diff --git a/docs/Certificate Lifecycle Management/public-ca.md b/docs/Certificate Lifecycle Management/public-ca.md
@@ -10,7 +10,7 @@ metadata:
 next:
   description: ''
 ---
-Akeyless supports [ZeroSSL](https://zerossl.com/), [GlobalSign](https://www.globalsign.com/), [Venafi (now part of CyberArk)](https://www.cyberark.com/venafi-and-cyberark-machine-identity-security/), [GoDaddy](https://www.godaddy.com/), [Sectigo](https://www.sectigo.com/), and [Let's Encrypt](https://letsencrypt.org/) as Public CAs.
+Akeyless supports [ZeroSSL](https://zerossl.com/), [GlobalSign](https://www.globalsign.com/), [Venafi (now part of CyberArk)](https://www.cyberark.com/venafi-and-cyberark-machine-identity-security/), [GoDaddy](https://www.godaddy.com/), [Sectigo](https://www.sectigo.com/), [Google Trust Services (Google CA)](https://cloud.google.com/security/products/certificate-authority-service), [DigiCert](https://www.digicert.com/), and [Let's Encrypt](https://letsencrypt.org/) as Public CAs.
 
 The public certificate authority will sign and issue the certificate, while Akeyless will store and manage the certificate lifecycle.
 
diff --git a/docs/Secrets Management/targets/_order.yaml b/docs/Secrets Management/targets/_order.yaml
@@ -3,6 +3,7 @@
 - azure-targets
 - chef-infra-targets
 - database-targets
+- digicert-target
 - docker-hub-target
 - gcp-targets
 - gemini-target
@@ -12,6 +13,7 @@
 - globalsign-atlas
 - globalsign-target
 - godaddy-target
+- google-ca-target
 - hashicorp-vault-target
 - kubernetes-targets
 - ldap-target
diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md
@@ -0,0 +1,111 @@
+---
+title: DigiCert Target
+deprecated: false
+hidden: false
+metadata:
+  robots: index
+---
+The [Digicert](https://www.digicert.com/) Target enables the use of **Digicert** as a Public Certificate Authority (CA) with an Akeyless [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates).
+
+With a public CA, Akeyless cannot access the private key that signs certificates. Akeyless validates certificate issuance requests by connecting to **Digicert** through the [Akeyless Gateway](https://docs.akeyless.io/docs/api-gw).
+
+The **DigiCert** integration uses an [ACME Client (v2)](https://datatracker.ietf.org/doc/html/rfc8555).
+
+To prove domain ownership, the Akeyless integration supports DNS validation:
+
+* **DNS validation**: Ownership is proven by adding a DNS TXT record. This requires the domain to be managed in a supported DNS provider's hosted zone (for example, AWS Route 53, GCP Cloud DNS, or Azure DNS).
+
+## Create a Digicert Target with the CLI
+
+To create a Digicert target with the CLI, use one of the following examples based on the challenge method and DNS provider:
+
+```shell DNS with AWS
+akeyless target create digicert \
+--name <Target Name> \
+--digicert-url <us-production / eu-production / us-demo / eu-demo> \
+--email <ACME Account Email> \
+--eab-key-id <EAB Key ID> \
+--eab-hmac-key <EAB HAMC Key> \
+--acme-challenge dns \
+--dns-target-creds <AWS DNS Target Name> \
+--hosted-zone <Route53 Hosted Zone ID>
+```
+```shell DNS with GCP
+akeyless target create digicert \
+--name <Target Name> \
+--digicert-url <us-production / eu-production / us-demo / eu-demo> \
+--email <ACME Account Email> \
+--eab-key-id <EAB Key ID> \
+--eab-hmac-key <EAB HAMC Key> \
+--acme-challenge dns \
+--dns-target-creds <GCP DNS Target Name> \
+--gcp-project <GCP Project ID>
+```
+```shell DNS with Azure
+akeyless target create digicert \
+--name <Target Name> \
+--digicert-url <us-production / eu-production / us-demo / eu-demo> \
+--email <ACME Account Email> \
+--eab-key-id <EAB Key ID> \
+--eab-hmac-key <EAB HAMC Key> \
+--acme-challenge dns \
+--dns-target-creds <Azure DNS Target Name> \
+--resource-group <Azure Resource Group Name>
+```
+
+Where:
+
+* `name`: A unique name for the target. The name can include a path to a virtual folder by using slash `/` separators. If the folder does not exist, Akeyless creates it with the target.
+
+* `digicert-url`: Use this when you want to select the ACME environment explicitly. Supported values are `production` (default) and `staging`.
+
+* `email`: Email address used for ACME account registration.
+
+* `eab-key-id`: External Account Binding Key ID from DigiCert Services.
+
+  `eab-hmac-key`: External Account Binding Key ID from DigiCert Services.
+
+* `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. Supported values are `http` (default) and `dns`.
+
+* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, and GCP.
+
+* `hosted-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an AWS target. This identifies the Route 53 hosted zone.
+
+* `resource-group`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an Azure target.
+
+* `gcp-project`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to a GCP target and the project ID cannot be derived automatically.
+
+* `timeout`: Use this when challenge validation needs a custom wait time. Default is `5m`. Supported range is `1m` to `1h`.
+
+* `key`: Use this when you want to encrypt target secret values with a specific protection key instead of the account default key.
+
+[View the complete list of parameters for this command.](https://docs.akeyless.io/docs/cli-ref-targets#lets-encrypt)
+
+## Create a Digicert Target in the Console
+
+1. Log in to the Akeyless Console, and go to **Targets** > **New** > **Certificate Automation (Digicert)**.
+
+2. Define the Name of the target, and specify the Location as a path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target.
+
+3. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. [Read more about Zero-Knowledge Encryption](https://docs.akeyless.io/docs/implement-zero-knowledge).
+
+4. Define the remaining parameters as follows:
+   * **Environment**: The ACME environment, **US Production** / **EU Production** / **US Demo** or **EU Demo**
+
+   * **Email**: Email address used to register the ACME account.
+
+   * **DNS Provider**: Either **AWS**, **GCP**, or **Azure** (relevant only if **Challenge Type** is **DNS**).
+
+   * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**).
+
+   * **Hosted Zone**: [AWS Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**).
+
+   * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**).
+
+   * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**.
+
+   * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes).
+
+5. Click Finish.
+
+<br />
diff --git a/docs/Secrets Management/targets/google-ca-target.md b/docs/Secrets Management/targets/google-ca-target.md
@@ -0,0 +1,115 @@
+---
+title: Google CA Target
+deprecated: false
+hidden: false
+metadata:
+  robots: index
+---
+The [Google CA](https://cloud.google.com/security/products/certificate-authority-service?hl=en) Target enables the use of **Google CA** as a Public Certificate Authority (CA) with an Akeyless [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates).
+
+With a public CA, Akeyless cannot access the private key that signs certificates. Akeyless validates certificate issuance requests by connecting to **Google CA** through the [Akeyless Gateway](https://docs.akeyless.io/docs/api-gw).
+
+The **Google CA** integration uses an [ACME Client (v2)](https://datatracker.ietf.org/doc/html/rfc8555).
+
+To prove domain ownership, the Akeyless integration supports DNS validation:
+
+* **DNS validation**: Ownership is proven by adding a DNS TXT record. This requires the domain to be managed in a supported DNS provider's hosted zone (for example, AWS Route 53, GCP Cloud DNS, or Azure DNS).
+
+## Create a Google CA Target with the CLI
+
+To create a Google CA target with the CLI, use one of the following examples based on the challenge method and DNS provider:
+
+```shell DNS with AWS
+akeyless target create google-trust \
+--name <Target Name> \
+--google-trust-url <production / staging> \
+--email <ACME Account Email> \
+--eab-key-id <EAB Key ID> \
+--eab-hmac-key <EAB HMAC Key> \
+--acme-challenge dns \
+--dns-target-creds <AWS DNS Target Name> \
+--hosted-zone <Route53 Hosted Zone ID>
+```
+```shell DNS with GCP
+akeyless target create google-trust \
+--name <Target Name> \
+--google-trust-url <production / staging>
+--email <ACME Account Email> \
+--eab-key-id <EAB Key ID> \
+--eab-hmac-key <EAB HMAC Key> \
+--acme-challenge dns \
+--dns-target-creds <GCP DNS Target Name> \
+--gcp-project <GCP Project ID>
+```
+```shell DNS with Azure
+akeyless target create google-trust \
+--name <Target Name> \
+--google-trust-url <production / staging>
+--email <ACME Account Email> \
+--eab-key-id <EAB Key ID>
+--eab-hmac-key <EAB HMAC Key>
+--acme-challenge dns \
+--dns-target-creds <Azure DNS Target Name> \
+--resource-group <Azure Resource Group Name>
+```
+
+Where:
+
+* `name`: A unique name for the target. The name can include a path to a virtual folder by using slash `/` separators. If the folder does not exist, Akeyless creates it with the target.
+
+* `email`: Email address used for ACME account registration.
+
+* `eab-key-id`: External Account Binding Key ID from Google CA Services.
+
+* `eab-hmac-key`: External Account Binding Key ID from Google CA Services.
+
+* `--google-trust-url`: Use this when you want to select the ACME environment explicitly. Supported values are `production` (default) and `staging`.
+
+* `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. 
+
+* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, and GCP.
+
+* `hosted-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an AWS target. This identifies the Route 53 hosted zone.
+
+* `resource-group`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an Azure target.
+
+* `gcp-project`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to a GCP target and the project ID cannot be derived automatically.
+
+* `timeout`: Use this when challenge validation needs a custom wait time. Default is `5m`. Supported range is `1m` to `1h`.
+
+* `key`: Use this when you want to encrypt target secret values with a specific protection key instead of the account default key.
+
+[View the complete list of parameters for this command.](https://docs.akeyless.io/docs/cli-ref-targets#lets-encrypt)
+
+## Create a Google CA Target in the Console
+
+1. Log in to the Akeyless Console, and go to **Targets** > **New** > **Certificate Automation (Google CA)**.
+
+2. Define the Name of the target, and specify the Location as a path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target.
+
+3. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. [Read more about Zero-Knowledge Encryption](https://docs.akeyless.io/docs/implement-zero-knowledge).
+
+4. Define the remaining parameters as follows:
+   * **Email**: Email address used to register the ACME account.
+
+   * **URL**: Either [Production](https://acme-v02.api.letsencrypt.org/directory) or [Staging](https://acme-staging-v02.api.letsencrypt.org/directory).
+
+   * **EAB KID**: External Account Binding Key ID from Google CA Services.
+
+   * **EAB HMAC Key**: External Account Binding HMAC Key from Google CA Services.
+
+   * **DNS Provider**: Either **AWS**, **GCP**, or **Azure** (relevant only if **Challenge Type** is **DNS**).
+
+   * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**).
+
+   * **Hosted Zone**: [AWS Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**).
+
+   * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**).
+
+   * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**.
+
+   * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes).
+
+5. Click Finish.
+
+<br />
diff --git a/docs/Universal Secret Connector/universal-secrets-connector/_order.yaml b/docs/Universal Secret Connector/universal-secrets-connector/_order.yaml
@@ -3,3 +3,4 @@
 - gcp-universal-secrets-connector
 - hc-vault-universal-secrets-connector
 - kubernetes-universal-secrets-connector
+- github-universal-secret-connector
diff --git a/docs/Universal Secret Connector/universal-secrets-connector/github-universal-secret-connector.md b/docs/Universal Secret Connector/universal-secrets-connector/github-universal-secret-connector.md
