Merge 2.3.0 to main #55
Merged
check for duplicate PEMs
change default start sync date for first incremental sync
removing caching of product type list
change default incremental sync range
shorten incremental sync if it is too long
* add duplicate support
* Update generated docs
---------
Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>

* improve BouncyCastle parsing
* add duplicate support
* Update generated docs
* Merge 2.2.0 to main
* fix for smime profile type
* template parameter to include client auth eku
* Update generated docs
* changelog and logging
* check for duplicate PEMs
* change default start sync date for first incremental sync
* removing caching of product type list
* change default incremental sync range
* version
* changelog
* shorten incremental sync if it is too long
* feat: release v2.2.0
* add duplicate support
* Update generated docs
---------
Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>
---------
Co-authored-by: David Galey <dgaley@keyfactor.com>
Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>
Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com>
Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com>
* treat needs_approval the same as pending on enrollments and don't return failure code
* Update generated docs
* Merge 2.2.1 to main (#49)
* fix for smime profile type
* template parameter to include client auth eku
* Update generated docs
* changelog and logging
* check for duplicate PEMs
* change default start sync date for first incremental sync
* removing caching of product type list
* change default incremental sync range
* version
* changelog
* shorten incremental sync if it is too long
* feat: release v2.2.0
* add duplicate support
* Update generated docs
---------
Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>
* Dev 2.2 (#47)
* add duplicate support
* Update generated docs
* treat needs_approval the same as pending on enrollments and don't return failure code
* Update generated docs
---------
Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>
---------
Co-authored-by: David Galey <dgaley@keyfactor.com>
Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>
Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com>
Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com>
* Merge to main (#48)
* fix for smime profile type
* template parameter to include client auth eku
* Update generated docs
* changelog and logging
* check for duplicate PEMs
* change default start sync date for first incremental sync
* removing caching of product type list
* change default incremental sync range
* version
* changelog
* shorten incremental sync if it is too long
* add duplicate support
* Update generated docs
* treat needs_approval the same as pending on enrollments and don't return failure code
* Update generated docs
---------
Co-authored-by: David Galey <dgaley@keyfactor.com>
Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>
Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com>
Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com>
* Update CHANGELOG.md (#50)
* add option for kdc/smartcardlogon eku, fix template validation
* Update generated docs
* changelog
---------
Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com>
Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>
Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com>
Pull request overview
Merges the release-2.3 line into main, bringing forward new DigiCert CertCentral gateway capabilities (certificate duplication and additional SSL EKU options), along with documentation/manifest updates and several operational fixes.
Changes:
- Add certificate duplication support (API request/handler + docs) and new `Duplicate` enrollment field.
- Add SSL template flags to request additional EKUs via DigiCert `profile_option` (`IncludeClientAuthEKU`, `IncludeKDCSmartCardLogonEKU`).
- Update sync/enrollment behaviors (incremental sync window behavior, remove product type caching, handle `needs_approval` as pending).
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| README.md | Updates naming/compatibility text and documents new template fields + duplicate workflow. |
| integration-manifest.json | Adds new template parameters and expands ProfileType description. |
| docsource/configuration.md | Documents certificate duplication behavior. |
| digicert-certcentral-caplugin/Models/CertCentralCertType.cs | Removes cached product type list (always retrieves from DigiCert). |
| digicert-certcentral-caplugin/digicert-certcentral-caplugin.csproj | Adds explicit assembly/file version properties. |
| digicert-certcentral-caplugin/Constants.cs | Adds new config keys for duplication and EKU flags. |
| digicert-certcentral-caplugin/Client/CertCentralClient.cs | Adds client method to call DigiCert duplicate endpoint. |
| digicert-certcentral-caplugin/CertCentralCAPlugin.cs | Implements duplication flow, EKU profile option logic, sync window tweak, and validation/status handling updates. |
| digicert-certcentral-caplugin/API/OrderCertificate.cs | Adds profile_option to certificate request payload model. |
| digicert-certcentral-caplugin/API/Duplicate.cs | Introduces Duplicate request/response models for DigiCert API. |
| CHANGELOG.md | Adds release notes up through 2.3.0. |
Comments suppressed due to low confidence (1)
digicert-certcentral-caplugin/CertCentralCAPlugin.cs:1105
`ValidateProductInfo` sets `detailsRequest.ContainerId` based on `EnrollDivisionId` (a template/enrollment container), but the connector-level config field `DivisionId` is documented as the value used "for retrieving product details" (see `GetCAConnectorAnnotations`). This change likely breaks product detail validation for accounts using per-division product settings. Use `connectionInfo[DivisionId]` here instead.
```csharp
// Resolve the container (division) for the product-details lookup from the
// template's EnrollDivisionId parameter, when one is configured.
detailsRequest.ContainerId = null;
if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.ENROLL_DIVISION_ID))
{
    string div = productInfo.ProductParameters[CertCentralConstants.Config.ENROLL_DIVISION_ID].ToString();
    if (!string.IsNullOrWhiteSpace(div))
    {
        if (int.TryParse($"{div}", out int divId))
        {
            detailsRequest.ContainerId = divId;
        }
        else
        {
            // A non-numeric division ID is a template configuration error, not a DigiCert error.
            throw new AnyCAValidationException($"Unable to parse division ID '{div}'. Check that this is a valid division ID.");
        }
    }
}
```
| using Newtonsoft.Json; | ||
|
|
||
| using Org.BouncyCastle.Asn1.X509; | ||
| using Org.BouncyCastle.Pqc.Crypto.Falcon; |
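Review bot: `using Org.BouncyCastle.Pqc.Crypto.Falcon;` looks out of place among the usings added here; Falcon is a post-quantum signature namespace and nothing this PR describes (BouncyCastle PEM parsing, duplication, EKU profile options) calls for it, so it reads like an IDE auto-import. If nothing in the file references that namespace, drop the line so the plugin does not carry an import it does not use.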
Comment on lines +302 to +319
| if (typeOfCert.Equals("ssl")) | ||
| { | ||
| bool clientAuth = Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH]); | ||
| bool kdc = Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_KDC]); | ||
| if (clientAuth && kdc) | ||
| { | ||
| throw new Exception($"Cannot enroll for cert with both Client Auth and KDC/SmartCardLogon EKU set to 'true'"); | ||
| } | ||
| if (clientAuth) | ||
| { | ||
| orderRequest.Certificate.ProfileOption = "server_client_auth_eku"; | ||
| _logger.LogWarning($"{CertCentralConstants.Config.INCLUDE_CLIENT_AUTH}: Ability to include client auth EKU in SSL certs is currently planned to cease in March 2027. Make sure any workflows that depend on this feature are updated before then to avoid interruptions."); | ||
| } | ||
| else if (kdc) | ||
| { | ||
| orderRequest.Certificate.ProfileOption = "kdc_smart_card"; | ||
| } | ||
| } |
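Review bot: the two `Convert.ToBoolean(productInfo.ProductParameters[...])` reads at the top of this block throw `KeyNotFoundException` when a template omits either flag and `FormatException` when the stored value is not a parsable boolean (an empty string, for example), and the both-flags-set case raises a bare `Exception` while the validation code elsewhere in this PR (lines +1105 and +1121) throws `AnyCAValidationException`. Suggest reading each flag with `TryGetValue` plus `bool.TryParse`, defaulting to `false`, and throwing `AnyCAValidationException` for the conflict so a misconfigured template surfaces as a configuration error rather than an unhandled failure mid-enrollment. Also consider emitting the client-auth EKU sunset warning once during template validation instead of on every SSL enrollment, where it will flood the logs.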
Comment on lines +1691 to +1697
| //Another check for duplicate PEMs to get arround issue with DigiCert API returning incorrect data sometimes on reissued/duplicate certs | ||
| if (pemList.Contains(certificate)) | ||
| { | ||
| _logger.LogWarning($"Found duplicate PEM for ID {caReqId}. Skipping..."); | ||
| continue; | ||
| } | ||
| pemList.Add(certificate); |
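Review bot: `pemList.Contains(certificate)` is a linear scan, so this check makes the sync loop quadratic in the number of certificates returned; a `HashSet<string>` keeps the same semantics at O(1) per lookup. The comparison is also a raw string match, so two copies of the same certificate that differ only in line endings or trailing whitespace pass as distinct; keying the set on the parsed certificate's thumbprint (or normalised DER) would make the duplicate check robust to exactly the inconsistent data the comment says DigiCert sometimes returns. Minor: "arround" in the comment.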
Comment on lines +1 to +8
| using Keyfactor.Extensions.CAPlugin.DigiCert.Models; | ||
| using Newtonsoft.Json; | ||
|
|
||
| using System; | ||
| using System.Collections.Generic; | ||
| using System.Linq; | ||
| using System.Text; | ||
| using System.Threading.Tasks; |
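Review bot: `System.Linq`, `System.Text` and `System.Threading.Tasks` look like the default new-file template rather than namespaces a plain request/response model needs; if the body of `Duplicate.cs` does not reference them, prune them so the file only declares what it actually uses.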
Comment on lines 8 to +10
| <AssemblyName>DigicertCAPlugin</AssemblyName> | ||
| <AssemblyVersion>2.1.2</AssemblyVersion> | ||
| <FileVersion>2.1.2</FileVersion> |
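Review bot: `<AssemblyVersion>2.1.2</AssemblyVersion>` and `<FileVersion>2.1.2</FileVersion>` do not match the release this PR ships; the title is "Merge 2.3.0 to main" and the CHANGELOG in the same PR goes up to 2.3.0. A 2.3.0 plugin whose assembly reports 2.1.2 makes inventory and vulnerability tracking of deployed gateway versions unreliable. Set both to 2.3.0, or derive them from a single `<Version>` property so they cannot drift again.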
| ### 2.1.1 | ||
| * Add configuration flag to support adding client auth EKU to ssl cert requests | ||
| * NOTE: This is a temporary feature which is planned for loss of support by Digicert in May 2026 |
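Review bot: the NOTE says DigiCert support for the client-auth EKU on SSL certs ends in "May 2026", but the warning added in `CertCentralCAPlugin.cs` (lines +302 to +319) says "March 2027". One of the two is wrong, and operators will plan migrations off whichever they read; align both to the date DigiCert actually published and cite it in the changelog entry.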
Comment on lines +1115 to 1121
| if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.CERT_TYPE)) | ||
| { | ||
| var typeOfCert = (string)connectionInfo[CertCentralConstants.Config.CERT_TYPE]; | ||
| var typeOfCert = (string)productInfo.ProductParameters[CertCentralConstants.Config.CERT_TYPE]; | ||
| if (!(typeOfCert.Equals("ssl") || typeOfCert.Equals("client"))) | ||
| { | ||
| throw new AnyCAValidationException("Invalid Cert Type specified. Valid options are 'ssl' or 'client'"); | ||
| } |
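Review bot: `typeOfCert.Equals("ssl")` dereferences the value without a null check and is case-sensitive, so a template whose cert type parameter is present but null throws `NullReferenceException` instead of the intended `AnyCAValidationException`, and a value of `"SSL"` is rejected. Prefer `string.Equals(typeOfCert, "ssl", StringComparison.OrdinalIgnoreCase)` (likewise for `"client"`) with a null-safe cast, and use the same comparison at the enrollment site in lines +302 to +319 so validation and enrollment agree. The switch from `connectionInfo` to `productInfo.ProductParameters` itself is correct, since the key is checked against `ProductParameters` on the preceding line.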
Merge release-2.3 to main - Automated PR