diff --git a/README.md b/README.md
index 9de9764..a54528c 100644
--- a/README.md
+++ b/README.md
@@ -63,126 +63,176 @@ The Remote File Universal Orchestrator extension is supported by Keyfactor for K
 > To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 
 ## Installation
-Before installing the Remote File Universal Orchestrator extension, it's recommended to install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.
 
-The Remote File Universal Orchestrator extension implements 6 Certificate Store Types. Depending on your use case, you may elect to install one, or all of these Certificate Store Types. An overview for each type is linked below:
-* [RFJKS](docs/rfjks.md)
-* [RFPEM](docs/rfpem.md)
-* [RFPkcs12](docs/rfpkcs12.md)
-* [RFDER](docs/rfder.md)
-* [RFKDB](docs/rfkdb.md)
-* [RFORA](docs/rfora.md)
+Before installing the Remote File Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.
 
-<details><summary>RFJKS</summary>
+1. **Create Certificate Store Types in Keyfactor Command**  
+The Remote File Universal Orchestrator extension implements 6 Certificate Store Types. Depending on your use case, you may elect to install one, or all of these Certificate Store Types.
 
+    <details><summary>RFJKS</summary>
 
-1. Follow the [requirements section](docs/rfjks.md#requirements) to configure a Service Account and grant necessary API permissions.
 
-    <details><summary>Requirements</summary>
+    > More information on the RFJKS Certificate Store Type can be found [here](docs/rfjks.md).
 
-    <details>
-    <summary><b>Certificate stores hosted on Linux servers:</b></summary>
+    * **Create RFJKS using kfutil**:
 
-    1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y".  When RemoteFile is using orchestration, managing local or external certificate stores using SSH or WinRM, the security context is determined by the user id entered in the Keyfactor Command certificate store or discovery job screens.  When RemoteFile is running as an agent, managing local stores only, the security context is the user id running the Keyfactor Command Universal Orchestrator service account.  The full list of these commands below:
+        ```shell
+        # RFJKS
+        kfutil store-types create RFJKS
+        ```
 
-    |Shell Command|Used For|
-    |---|---|
-    |echo|Used to append a newline and terminate all commands sent.|
-    |find|Used by Discovery jobs to locate potential certificate stores on the file system.|
-    |cp|Used by Inventory and Management Add/Remove jobs to copy the certificate store file to a temporary file (only when an alternate download folder has been configured).|
-    |chown|Used by the Inventory and Management Add/Remove jobs to set the permissions on the temporary file (only when an alternate download folder has been configured).|
-    |tee|Used by Management Add/Remove jobs to copy the temporary uploaded certificate file to the certificate store file (only when an alternate upload folder has been configured).|
-    |rm|Used by Inventory and Management Add/Remove jobs to remove temporary files (only when an alternate upload/download folder has been configured).|
-    |install|Used by the Management Create Store job when initializing a certificate store file.|
-    |orapki|Oracle Wallet CLI utility used by Inventory and Management Add/Remove jobs to manipulate an Oracle Wallet certificate store.  Used for the RFORA store type only.|
-    |gskcapicmd|IBM Key Database CLI utility used by Inventory and Management Add/Remove jobs to manipulate an IBM Key Database certificate store.  Used for the RFKDB store type only.|  
+    * **Create RFJKS manually in the Command UI**:
+        
+        Refer to the [RFJKS](docs/rfjks.md#certificate-store-type-configuration) creation docs.
+    </details>
 
-    2. When orchestrating management of local or external certificate stores, the Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server.  SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer for the user assigned to the certificate store/discovery job.  If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer.  If the certificate store/discovery job is configured for local (agent) access, the account running the Keyfactor Universal Orchestrator service must have access to read/write to the certificate store location, OR the config.json file must be set up to use the alternative upload/download file.  
+    <details><summary>RFPEM</summary>
 
-    3. SSH Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key.  When using a password, the connection is attempted using SSH Password Authentication.  If that fails, Keyboard Interactive Authentication is automatically attempted.  One or both of these must be enabled on the Linux box being managed.  If private key authentication is desired, copy and paste the full SSH private key into the Password textbox (or pointer to the private key if using a PAM provider).  Please note that SSH Private Key Authentication is not available when running locally as an agent.  The following private key formats are supported: 
-    - PKCS#1 (BEGIN RSA PRIVATE KEY) 
-    - PKCS#8 (BEGIN PRIVATE KEY)
-    - ECDSA OPENSSH (BEGIN OPENSSH PRIVATE KEY)   
 
-    Please reference [Configuration File Setup](#configuration-file-setup) for more information on setting up the config.json file and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on the items above.    
-    </details>  
+    > More information on the RFPEM Certificate Store Type can be found [here](docs/rfpem.md).
 
-    <details>  
-    <summary><b>Certificate stores hosted on Windows servers:</b></summary>
-    1. When orchestrating management of external (and potentially local) certificate stores, the RemoteFile Orchestrator Extension makes use of WinRM to connect to external certificate store servers.  The security context used is the user id entered in the Keyfactor Command certificate store or discovery job screen.  Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores/discovery jobs.  If running as an agent, managing local certificate stores, local commands are run under the security context of the user account running the Keyfactor Universal Orchestrator Service.  Please reference [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on creating certificate stores for the RemoteFile Orchestrator Extension.  
+    * **Create RFPEM using kfutil**:
 
+        ```shell
+        # RFPEM
+        kfutil store-types create RFPEM
+        ```
+
+    * **Create RFPEM manually in the Command UI**:
+        
+        Refer to the [RFPEM](docs/rfpem.md#certificate-store-type-configuration) creation docs.
     </details>
 
-    Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment.
+    <details><summary>RFPkcs12</summary>
+
+
+    > More information on the RFPkcs12 Certificate Store Type can be found [here](docs/rfpkcs12.md).
+
+    * **Create RFPkcs12 using kfutil**:
+
+        ```shell
+        # RFPkcs12
+        kfutil store-types create RFPkcs12
+        ```
 
+    * **Create RFPkcs12 manually in the Command UI**:
+        
+        Refer to the [RFPkcs12](docs/rfpkcs12.md#certificate-store-type-configuration) creation docs.
     </details>
 
-2. Create Certificate Store Types for the Remote File Orchestrator extension. 
+    <details><summary>RFDER</summary>
+
+
+    > More information on the RFDER Certificate Store Type can be found [here](docs/rfder.md).
 
-    * **Using kfutil**:
+    * **Create RFDER using kfutil**:
 
         ```shell
-        # RFJKS
-        kfutil store-types create RFJKS
+        # RFDER
+        kfutil store-types create RFDER
         ```
 
-    * **Manually**:
-        * [RFJKS](docs/rfjks.md#certificate-store-type-configuration)
+    * **Create RFDER manually in the Command UI**:
+        
+        Refer to the [RFDER](docs/rfder.md#certificate-store-type-configuration) creation docs.
+    </details>
 
-3. Install the Remote File Universal Orchestrator extension.
-    
-    * **Using kfutil**: On the server that that hosts the Universal Orchestrator, run the following command:
+    <details><summary>RFKDB</summary>
+
+
+    > More information on the RFKDB Certificate Store Type can be found [here](docs/rfkdb.md).
+
+    * **Create RFKDB using kfutil**:
 
         ```shell
-        # Windows Server
-        kfutil orchestrator extension -e remote-file-orchestrator@latest --out "C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions"
+        # RFKDB
+        kfutil store-types create RFKDB
+        ```
 
-        # Linux
-        kfutil orchestrator extension -e remote-file-orchestrator@latest --out "/opt/keyfactor/orchestrator/extensions"
+    * **Create RFKDB manually in the Command UI**:
+        
+        Refer to the [RFKDB](docs/rfkdb.md#certificate-store-type-configuration) creation docs.
+    </details>
+
+    <details><summary>RFORA</summary>
+
+
+    > More information on the RFORA Certificate Store Type can be found [here](docs/rfora.md).
+
+    * **Create RFORA using kfutil**:
+
+        ```shell
+        # RFORA
+        kfutil store-types create RFORA
         ```
 
-    * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Remote File Universal Orchestrator extension](https://github.com/Keyfactor/remote-file-orchestrator/releases/latest).
+    * **Create RFORA manually in the Command UI**:
+        
+        Refer to the [RFORA](docs/rfora.md#certificate-store-type-configuration) creation docs.
+    </details>
 
-4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension.
+2. **Download the latest Remote File Universal Orchestrator extension from GitHub.** 
 
-    * [RFJKS](docs/rfjks.md#certificate-store-configuration)
+    On the [Remote File Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/remote-file-orchestrator/releases/latest), click the `remote-file-orchestrator` asset to download the zip archive. Unzip the archive containing extension assemblies to a known location.
 
+3. **Locate the Universal Orchestrator extensions directory.**
 
-</details>
+    * **Default on Windows** - `C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions`
+    * **Default on Linux** - `/opt/keyfactor/orchestrator/extensions`
+    
+4. **Create a new directory for the Remote File Universal Orchestrator extension inside the extensions directory.**
+        
+    Create a new directory called `remote-file-orchestrator`.
+    > The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory.
 
-<details><summary>RFPEM</summary>
+5. **Copy the contents of the downloaded and unzipped assemblies from __step 2__ to the `remote-file-orchestrator` directory.**
 
-TODO Installation is an optional section - if you don't need it, feel free to remove it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+6. **Restart the Universal Orchestrator service.**
 
+    Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm).
 
-</details>
 
-<details><summary>RFPkcs12</summary>
 
-TODO Installation is an optional section - if you don't need it, feel free to remove it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+> The above installation steps can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions).
 
+## Configuration and Usage
 
-</details>
+The Remote File Universal Orchestrator extension implements 6 Certificate Store Types, each of which implements different functionality. Refer to the individual instructions below for each Certificate Store Type that you deemed necessary for your use case from the installation section.
 
-<details><summary>RFDER</summary>
+<details><summary>RFJKS</summary>
 
-TODO Installation is an optional section - if you don't need it, feel free to remove it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+1. Refer to the [requirements section](docs/rfjks.md#requirements) to ensure all prerequisites are met before using the RFJKS Certificate Store Type.
+2. Create new [RFJKS](docs/rfjks.md#certificate-store-configuration) Certificate Stores in Keyfactor Command.
+</details>
 
+<details><summary>RFPEM</summary>
 
+1. Refer to the [requirements section](docs/rfpem.md#requirements) to ensure all prerequisites are met before using the RFPEM Certificate Store Type.
+2. Create new [RFPEM](docs/rfpem.md#certificate-store-configuration) Certificate Stores in Keyfactor Command.
 </details>
 
-<details><summary>RFKDB</summary>
+<details><summary>RFPkcs12</summary>
 
-TODO Installation is an optional section - if you don't need it, feel free to remove it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+1. Refer to the [requirements section](docs/rfpkcs12.md#requirements) to ensure all prerequisites are met before using the RFPkcs12 Certificate Store Type.
+2. Create new [RFPkcs12](docs/rfpkcs12.md#certificate-store-configuration) Certificate Stores in Keyfactor Command.
+</details>
 
+<details><summary>RFDER</summary>
 
+1. Refer to the [requirements section](docs/rfder.md#requirements) to ensure all prerequisites are met before using the RFDER Certificate Store Type.
+2. Create new [RFDER](docs/rfder.md#certificate-store-configuration) Certificate Stores in Keyfactor Command.
 </details>
 
-<details><summary>RFORA</summary>
+<details><summary>RFKDB</summary>
 
-TODO Installation is an optional section - if you don't need it, feel free to remove it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+1. Refer to the [requirements section](docs/rfkdb.md#requirements) to ensure all prerequisites are met before using the RFKDB Certificate Store Type.
+2. Create new [RFKDB](docs/rfkdb.md#certificate-store-configuration) Certificate Stores in Keyfactor Command.
+</details>
 
+<details><summary>RFORA</summary>
 
+1. Refer to the [requirements section](docs/rfora.md#requirements) to ensure all prerequisites are met before using the RFORA Certificate Store Type.
+2. Create new [RFORA](docs/rfora.md#certificate-store-configuration) Certificate Stores in Keyfactor Command.
 </details>
 
 
diff --git a/docs/rfpem.md b/docs/rfpem.md
index f1ad30b..c8e6a18 100644
--- a/docs/rfpem.md
+++ b/docs/rfpem.md
@@ -1,6 +1,15 @@
 ## RFPEM
 
-TODO Overview is a required section
+The RFPEM store type can be used to manage PEM encoded files.
+
+Use cases supported:
+1. Trust stores - A file with one-to-many certificates (no private keys, no certificate chains).
+2. Single certificate stores with private key in the file.
+3. Single certificate stores with certificate chain and private key in the file.
+4. Single certificate stores with private key in an external file.
+5. Single certificate stores with certificate chain in the file and private key in an external file
+
+NOTE: PEM stores may only have one private key (internal or external) associated with the store, as only one certificate/chain/private key combination can be stored in a PEM store supported by RFPEM.
 
 
 
@@ -17,7 +26,40 @@ TODO Overview is a required section
 
 ## Requirements
 
-TODO Requirements is a required section
+<details>
+<summary><b>Certificate stores hosted on Linux servers:</b></summary>
+
+1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y".  When RemoteFile is using orchestration, managing local or external certificate stores using SSH or WinRM, the security context is determined by the user id entered in the Keyfactor Command certificate store or discovery job screens.  When RemoteFile is running as an agent, managing local stores only, the security context is the user id running the Keyfactor Command Universal Orchestrator service account.  The full list of these commands below:
+
+|Shell Command|Used For|
+|---|---|
+|echo|Used to append a newline and terminate all commands sent.|
+|find|Used by Discovery jobs to locate potential certificate stores on the file system.|
+|cp|Used by Inventory and Management Add/Remove jobs to copy the certificate store file to a temporary file (only when an alternate download folder has been configured).|
+|chown|Used by the Inventory and Management Add/Remove jobs to set the permissions on the temporary file (only when an alternate download folder has been configured).|
+|tee|Used by Management Add/Remove jobs to copy the temporary uploaded certificate file to the certificate store file (only when an alternate upload folder has been configured).|
+|rm|Used by Inventory and Management Add/Remove jobs to remove temporary files (only when an alternate upload/download folder has been configured).|
+|install|Used by the Management Create Store job when initializing a certificate store file.|
+|orapki|Oracle Wallet CLI utility used by Inventory and Management Add/Remove jobs to manipulate an Oracle Wallet certificate store.  Used for the RFORA store type only.|
+|gskcapicmd|IBM Key Database CLI utility used by Inventory and Management Add/Remove jobs to manipulate an IBM Key Database certificate store.  Used for the RFKDB store type only.|  
+
+2. When orchestrating management of local or external certificate stores, the Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server.  SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer for the user assigned to the certificate store/discovery job.  If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer.  If the certificate store/discovery job is configured for local (agent) access, the account running the Keyfactor Universal Orchestrator service must have access to read/write to the certificate store location, OR the config.json file must be set up to use the alternative upload/download file.  
+
+3. SSH Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key.  When using a password, the connection is attempted using SSH Password Authentication.  If that fails, Keyboard Interactive Authentication is automatically attempted.  One or both of these must be enabled on the Linux box being managed.  If private key authentication is desired, copy and paste the full SSH private key into the Password textbox (or pointer to the private key if using a PAM provider).  Please note that SSH Private Key Authentication is not available when running locally as an agent.  The following private key formats are supported: 
+- PKCS#1 (BEGIN RSA PRIVATE KEY) 
+- PKCS#8 (BEGIN PRIVATE KEY)
+- ECDSA OPENSSH (BEGIN OPENSSH PRIVATE KEY)   
+
+Please reference [Configuration File Setup](#configuration-file-setup) for more information on setting up the config.json file and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on the items above.    
+</details>  
+
+<details>  
+<summary><b>Certificate stores hosted on Windows servers:</b></summary>
+1. When orchestrating management of external (and potentially local) certificate stores, the RemoteFile Orchestrator Extension makes use of WinRM to connect to external certificate store servers.  The security context used is the user id entered in the Keyfactor Command certificate store or discovery job screen.  Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores/discovery jobs.  If running as an agent, managing local certificate stores, local commands are run under the security context of the user account running the Keyfactor Universal Orchestrator Service.  Please reference [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on creating certificate stores for the RemoteFile Orchestrator Extension.  
+
+</details>
+
+Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment.
 
 
 ## Certificate Store Type Configuration
@@ -89,12 +131,6 @@ The Custom Fields tab should look like this:
 </details>
 
 
-## Extension Mechanics
-
-TODO Extension Mechanics is an optional section - if you don't need it, feel free to remove it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
-
-
-
 
 
 ## Certificate Store Configuration
@@ -134,8 +170,162 @@ The following table describes the required and optional fields for the `RFPEM` c
 * **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above.
 
 
-## Test Cases
+## Configuration File Setup
+
+The Remote File Orchestrator Extension uses a JSON configuration file.  It is located in the {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile.  None of the values are required, and a description of each follows below:  
+{  
+   "UseSudo": "N",  
+   "DefaultSudoImpersonatedUser": "",  
+   "CreateStoreIfMissing": "N",  
+   "UseNegotiate": "N",  
+   "SeparateUploadFilePath": "",  
+   "FileTransferProtocol":  "SCP",  
+   "DefaultLinuxPermissionsOnStoreCreation": "600",  
+   "DefaultOwnerOnStoreCreation": ""  
+}  
+
+<details>
+<summary><b>UseSudo</b> (Applicable for Linux hosted certificate stores only)</summary>
+
+* Determines whether to prefix Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands.  
+* Allowed values - Y/N  
+* Default value - N  
+
+</details>  
+
+<details>
+<summary><b>DefaultSudoImpersonatedUser</b> (Applicable for Linux hosted certificate stores only)</summary>
+
+* Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo.  If this option does not exist or is set to an empty string, the default user of "root" will be used.  Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Prerequisites and Security Considerations" section above.  This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the [Creating Certificate Store Types](#creating-certificate-store-types) section.
+* Allowed values - Any valid user id that the destination Linux server will recognize
+* Default value - blank (root will be used)
+
+</details>
+
+<details>  
+<summary><b>CreateStoreOnAddIfMissing</b></summary>
+
+* Determines, during a Management-Add job, if a certificate store should be created if it does not already exist.  If set to "N", and the store referenced in the Management-Add job is not found, the job will return an error with a message stating that the store does not exist.  If set to "Y", the store will be created and the certificate added to the certificate store.
+* Allowed values - Y/N  
+* Default value - N  
+
+</details>  
+
+<details>  
+<summary><b>UseNegotiateAuth</b> (Applicable for Windows hosted certificate stores only)</summary>
+
+* Determines if WinRM should use Negotiate (Y) when connecting to the remote server.
+* Allowed values - Y/N  
+* Default value - N  
+
+</details>  
+
+<details>  
+<summary><b>SeparateUploadFilePath</b> (Applicable for Linux hosted certificate stores only)</summary>
+
+* Set this to the path you wish to use as the location on the orchestrated server to upload/download and later remove temporary work files when processing jobs.  If set to "" or not provided, the location of the certificate store itself will be used.  File transfer is performed using the SCP or SFTP protocols (see the File TransferProtocol setting).
+* Allowed values - Any valid, existing Linux path configured to allow SCP/SFTP file upload/download tranfers.
+* Default value - blank (actual store path will be used)
+
+</details>
+
+<details>  
+<summary><b>FileTransferProtocol</b> (Applicable for Linux hosted certificate stores only)</summary>
+
+* Determines the protocol to use when uploading/downloading files while processing a job.
+* Allowed values - SCP, SFTP or Both.  If "Both" is entered, SCP will be attempted first, and if that does not work, SFTP will be tried.
+* Default value - SCP. 
+
+</details>
+
+<details>  
+<summary><b>DefaultLinuxPermissionsOnStoreCreation</b> (Applicable for Linux hosted certificate stores only)</summary>
+
+* The Linux file permissions that will be set on a new certificate store created via a Management Create job or a Management Add job where CreateStoreOnAddIsMissing is set to "Y".  This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store.  See the [Creating Certificate Store Types](#creating-certificate-store-types) section for more information on creating RemoteFile certificate store types.
+* Allowed values - Any 3 digit value from 000-777.
+* Default Value - 600.  
+
+</details>
+
+<details>  
+<summary><b>DefaultOwnerOnStoreCreation</b> (Applicable for Linux hosted certificate stores only)</summary>
+
+* When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store.  Setting DefaultOwnerOnStoreCreation to an alternate valid Linux user name will set that as the owner instead.  The owner AND group may be supplied by adding a ":" as a delimitter between the owner and group values, such as ownerId:groupId.  Supplying only the ownerId will set that value as the file owner.  The group name will default to how the Linux "install" command handles assigning the group.  The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store can override this value for a specific store.  See the [Creating Certificate Store Types](#creating-certificate-store-types) section for more information on creating RemoteFile certificate store types.
+* Allowed values - Any valid user id that the destination Linux server will recognize
+* Default Value - blank (the ID associated with the Keyfactor certificate store will be used).  
+
+</details>
+
+## Discovery
+
+When scheduling discovery jobs in Keyfactor Command, there are a few fields that are important to highlight here:  
+
+<details>
+<summary>Client Machine</summary>
+
+The IP address or DNS of the server hosting the certificate store.  For more information, see [Client Machine ](#client-machine-instructions)
+
+</details>
+
+<details>
+<summary>Store Path</summary>
+
+For Linux orchestrated servers, "StorePath" will begin with a forward slash (/) and contain the full path and file name, including file extension if one exists (i.e. /folder/path/storename.ext).  For Windows orchestrated servers, it should be the full path and file name, including file extension if one exists, beginning with a drive letter (i.e. c:\folder\path\storename.ext).  
+
+</details>
+
+<details>
+<summary>Server Username/Password</summary>
+
+A username and password (or valid PAM key if the username and/or password is stored in a KF Command configured PAM integration).  The password can be an SSH private key if connecting via SSH to a server using SSH private key authentication.  If acting as an *agent* using local file access, just check "No Value" for the username and password.
+
+</details>
+<details>
+<summary>Directories to Search</summary>
+
+Enter one or more comma delimitted file paths to search (please reference the Keyfactor Command Reference Guide for more information), but there is also a special value that can be used on Windows orchestrated servers instead - "fullscan".  Entering fullscan in this field will tell the RemoteFile discovery job to search all available drive letters at the root and recursively search all of them for files matching the other search criteria.
+
+</details>
+
+<details>
+<summary>Extensions</summary>
+
+In addition to entering one or more comma delimitted extensions to search for (please reference the Keyfactor Command Reference Guide for more information), a reserved value of "noext" can be used that will cause the RemoteFile discovery job to search for files that do not have an extension.  This value can be chained with other extensions using the comma delimiter.  For example, entering pem,jks,noext will cause the RemoteFile discovery job to return file locations with extensions of "pem", "jks", *and* files that do not have extensions.  
+
+</details>
+
+Please refer to the Keyfactor Command Reference Guide for complete information on creating certificate stores and scheduling discovery jobs in Keyfactor Command.
+
+## Client Machine Instructions
+
+When creating a Certificate Store or scheduling a Discovery Job, you will be asked to provide a "Client Machine".
+
+For Linux orchestrated servers, "Client Machine" should be the DNS name or IP address of the remote orchestrated server, while for Windows orchestratred servers, it should be the following URL format: protocol://dns-or-ip:port, where
+* protocol is http or https, whatever your WinRM configuration uses
+* dns-or-ip is the DNS name or IP address of the server
+* port is the port WinRM is running under, usually 5985 for http and 5986 for https.
+
+Example: https://myserver.mydomain.com:5986
+
+If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), Client Machine can be entered as stated above, OR you can bypass SSH/WinRM and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine".  In this instance the value to the left of the pipe (|) is ignored.  It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique.  To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a cerificate store that will accessed without a WinRM/SSH connection.
+
+## Developer Notes
 
-TODO Test Cases is an optional section - if you don't need it, feel free to remove it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+The Remote File Orchestrator Extension is meant to be extended to be used for other file based certificate store types than the ones referenced above.  The advantage to extending this integration rather than creating a new one is that the configuration, remoting, and Inventory/Management/Discovery logic is already written.  The developer needs to only implement a few classes and write code to convert the destired file based store to a common format.  This section describes the steps necessary to add additional store/file types.  Please note that familiarity with the [.Net Core BouncyCastle cryptography library](https://github.com/bcgit/bc-csharp) is a prerequisite for adding additional supported file/store types.  
 
+Steps to create a new supported file based certificate store type:
 
+1. Clone this repository from GitHub
+2. Open the .net core solution in the IDE of your choice
+3. Under the ImplementationStoreTypes folder, create a new folder named for the new certificate store type
+4. Create a new class (with namespace of Keyfactor.Extensions.Orchestrator.RemoteFile.{NewType}) in the new folder that will implement ICertificateStoreSerializer.  By convention, {StoreTypeName}CertificateSerializer would be a good choice for the class name.  This interface requires you to implement three methods:
+    - DesrializeRemoteCertificateStore - This method takes in a byte array containing the contents of file based store you are managing.  The developer will need to convert that to an Org.BouncyCastle.Pkcs.Pkcs12Store class and return it. 
+    - SerializeRemoteCertificateStore - This method takes in an Org.BouncyCastle.Pkcs.Pkcs12Store and converts it to a collection of custom file representations.  
+    - GetPrivateKeyPath - This method returns the location of the external private key file for single certificate stores.  Currently this is only used for RFPEM, and all other implementations return NULL for this method.  If this is not applicable to your implementation just return a NULL value for this method. 
+5. Create an Inventory.cs class (with namespace of Keyfactor.Extensions.Orchestrator.RemoteFile.{NewType}) under the new folder and have it inherit InventoryBase.  Override the internal GetCertificateStoreSerializer() method with a one line implementation returning a new instantiation of the class created in step 4.
+6. Create a Management.cs class (with namespace of Keyfactor.Extensions.Orchestrator.RemoteFile.{NewType}) under the new folder and have it inherit ManagementBase.  Override the internal GetCertificateStoreSerializer() method with a one line implementation returning a new instantiation of the class created in step 4.
+7. Modify the manifest.json file to add three new sections (for Inventory, Management, and Discovery).  Make sure for each, the "NewType" in Certstores.{NewType}.{Operation}, matches what you will use for the certificate store type short name in Keyfactor Command.  On the "TypeFullName" line for all three sections, make sure the namespace matches what you used for your new classes.  Note that the namespace for Discovery uses a common class for all supported types.  Discovery is a common implementation for all supported store types.
+8. After compiling, move all compiled files, including the config.json and manifest.json to {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile.
+9. Create the certificate store type in Keyfactor Command
+10. Add a new CURL script to build the proper Keyfactor Command certificate store type and place it under "Certificate Store Type CURL Scripts".  The name of the file should match the ShortName you are using for the new store type.
+11. Update the documenation in readme_source.md by adding a new section under [Creating Certificate Store Types](#creating-certificate-store-types) for this new supported file based store type.  Include a pointer to the CURL script created in step 10.