Merge 2.2.1 to main #49
check for duplicate PEMs
change default start sync date for first incremental sync
removing caching of product type list
change default incremental sync range
shorten incremental sync if it is too long
* add duplicate support
* Update generated docs

Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>
Pull request overview
Automated merge from the release-2.2 line into main, updating the DigiCert CertCentral AnyCA Gateway REST plugin with new enrollment capabilities (certificate duplication and additional request options) plus some operational hotfixes and documentation updates.
Changes:
- Add support for duplicating existing certificate orders (via a Duplicate enrollment field + new DigiCert API request).
- Add IncludeClientAuthEKU option to include Client Authentication EKU for SSL enrollments (via profile_option).
- Adjust sync window defaults and remove caching of DigiCert product type lookups; update docs/manifest/changelog accordingly.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| README.md | Updates plugin naming and documents new options (IncludeClientAuthEKU, Duplicate). |
| integration-manifest.json | Advertises new enrollment options in the integration catalog manifest. |
| docsource/configuration.md | Adds documentation for duplicate-certificate behavior. |
| digicert-certcentral-caplugin/Models/CertCentralCertType.cs | Removes cached product type list; always refreshes from DigiCert. |
| digicert-certcentral-caplugin/digicert-certcentral-caplugin.csproj | Adds assembly/file version metadata. |
| digicert-certcentral-caplugin/Constants.cs | Adds constants for Duplicate and IncludeClientAuthEKU. |
| digicert-certcentral-caplugin/Client/CertCentralClient.cs | Adds DuplicateCertificate client method. |
| digicert-certcentral-caplugin/CertCentralCAPlugin.cs | Implements duplication flow, IncludeClientAuthEKU behavior, sync-window change, and status handling tweaks. |
| digicert-certcentral-caplugin/API/OrderCertificate.cs | Adds profile_option to certificate request payload. |
| digicert-certcentral-caplugin/API/Duplicate.cs | Introduces request/response models for DigiCert “duplicate” endpoint. |
| CHANGELOG.md | Records release notes through 2.2.0. |
Comment on lines +298 to +302
| if (typeOfCert.Equals("ssl") && Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH])) | ||
| { | ||
| orderRequest.Certificate.ProfileOption = "server_client_auth_eku"; | ||
| _logger.LogWarning($"{CertCentralConstants.Config.INCLUDE_CLIENT_AUTH}: Ability to include client auth EKU in SSL certs is currently planned to cease in May 2026. Make sure any workflows that depend on this feature are updated before then to avoid interruptions."); | ||
| } |
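Review bot: The condition on the first line can throw before any order is placed. If ProductParameters is a plain dictionary, the indexer throws when INCLUDE_CLIENT_AUTH is absent (for example on a template created before this option existed), and Convert.ToBoolean throws FormatException on an empty or non-boolean string. Read the value with TryGetValue and bool.TryParse, defaulting to false, so that a missing or malformed setting yields a server-auth-only certificate rather than a failed enrollment. The typeOfCert.Equals("ssl") comparison is also case-sensitive; pass StringComparison.OrdinalIgnoreCase if the casing of the product type is not guaranteed.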
Comment on lines +1652 to +1658
| //Another check for duplicate PEMs to get arround issue with DigiCert API returning incorrect data sometimes on reissued/duplicate certs | ||
| if (pemList.Contains(certificate)) | ||
| { | ||
| _logger.LogWarning($"Found duplicate PEM for ID {caReqId}. Skipping..."); | ||
| continue; | ||
| } | ||
| pemList.Add(certificate); |
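Review bot: pemList.Contains(certificate) compares raw PEM strings, so the same certificate returned with different line endings or whitespace is not caught, and if pemList is a List each lookup is linear in the number of certificates already collected. Consider a HashSet keyed on a normalized value such as the thumbprint, which makes the check exact and constant time. The continue also drops the record for caReqId entirely, so a request for which DigiCert returned the wrong PEM is missing from the sync with only this warning as a trace; include enough detail in the log line to find it again. The comment has a typo: "arround" should be "around".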
Comment on lines +1510 to +1520
| DuplicateRequest duplicateRequest = new DuplicateRequest(orderId) | ||
| { | ||
| Certificate = new CertificateDuplicateRequest | ||
| { | ||
| CommonName = commonName, | ||
| CSR = csr, | ||
| DnsNames = dnsNames, | ||
| SignatureHash = signatureHash, | ||
| CACertID = caCertId | ||
| } | ||
| }; |
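Review bot: Nothing in these lines checks orderId, csr or commonName before the DuplicateRequest is built, so a missing CSR or order ID only surfaces as an error response from DigiCert. Validate the required values up front and fail with a clear message, and decide explicitly whether DnsNames should be omitted from the payload when dnsNames is null or empty.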
Comment on lines +1489 to +1492
| /// <param name="client">The client used to contact DigiCert.</param> | ||
| /// <param name="request">The <see cref="OrderRequest"/>.</param> | ||
| /// <param name="enrollmentProductInfo">Information about the DigiCert product this certificate uses.</param> | ||
| /// <returns></returns> |
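Review bot: The <returns> tag on the last line is empty. Describe what the method returns and which failure states the caller should expect, and confirm that the description of the request parameter still matches its type if this doc block was copied from another enrollment method.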
Comment on lines +787 to +789
| // DigiCert issue with treating the timezone as mountain time. -7 hours to accomodate DST | ||
| // If no last sync, use a 6 day window for the sync range (only relevant for incremental syncs) | ||
| lastSync = lastSync.HasValue ? lastSync.Value.AddHours(-7) : DateTime.UtcNow.AddDays(-5); |
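Review bot: The comment and the code disagree on the fallback window: the comment says "6 day window" but the code uses DateTime.UtcNow.AddDays(-5). Make one match the other. The fixed AddHours(-7) is applied all year; because it only moves the start of the window earlier it is safe in both standard and daylight time, but the comment should say that this is the intent. Spelling: "accomodate" should be "accommodate".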
Comment on lines 88 to 90
| "name": "ProfileType", | ||
| "description": "Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Default value is strict." | ||
| "description": "Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Use 'multipurpose' if your cert includes any additional EKUs such as client auth. Default if not provided is dependent on product configuration within Digicert portal." | ||
| }, |
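Review bot: The new description keeps "Optional for secure_email_* types, ignored otherwise" and then advises 'multipurpose' for certs with additional EKUs such as client auth, which a reader could take as applying to SSL certs as well. Say explicitly that the advice covers secure_email_* products only, and spell the vendor name "DigiCert" consistently.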
Comment on lines 8 to +10
| <AssemblyName>DigicertCAPlugin</AssemblyName> | ||
| <AssemblyVersion>2.1.2</AssemblyVersion> | ||
| <FileVersion>2.1.2</FileVersion> |
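Review bot: AssemblyVersion and FileVersion are set to 2.1.2, but this pull request merges the 2.2.1 release and the changelog records notes through 2.2.0. Set both to the version actually being released, or derive them from the build, so that a deployed DLL can be matched to a release during triage.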
Comment on lines 62 to 65
| public static List<CertCentralCertType> GetAllTypes(CertCentralConfig config) | ||
| { | ||
| if (_allTypes == null || !_allTypes.Any()) | ||
| { | ||
| _allTypes = RetrieveCertCentralCertTypes(config); | ||
| } | ||
|
|
||
| return _allTypes; | ||
| return RetrieveCertCentralCertTypes(config); | ||
| } |
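Review bot: With the null/empty check removed, every call to GetAllTypes now goes to RetrieveCertCentralCertTypes(config). If this is called per enrollment or per synced certificate, that adds a DigiCert round trip each time and counts against API rate limits; a cache with a short expiry would fix the stale-list problem without that cost. If the change stays as it is, remove the _allTypes field once nothing references it.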
Comment on lines +15 to +17
| * Add configuration flag to support adding client auth EKU to ssl cert requests | ||
| * NOTE: This is a temporary feature which is planned for loss of support by Digicert in May 2026 | ||
| * For smime certs, use profile type defined on the product as the default if not supplied, rather than just defaulting to 'strict' |
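Review bot: The first entry does not name the flag. Mention IncludeClientAuthEKU so readers can find the setting, and word the NOTE line to match the runtime warning, which says the ability is planned to cease in May 2026; "planned for loss of support by Digicert" is awkward and uses a different spelling of DigiCert.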
Comment on lines 18 to 20
| using Org.BouncyCastle.Asn1.X509; | ||
| using Org.BouncyCastle.Pqc.Crypto.Falcon; | ||
|
|
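Review bot: using Org.BouncyCastle.Pqc.Crypto.Falcon looks like an accidental IDE auto-import; none of the changes shown in this review use Falcon types. Remove it unless something in the file needs it, since an unused post-quantum namespace is misleading to anyone auditing which algorithms the plugin relies on.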
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Merge release-2.2 to main - Automated PR