check for duplicate PEMs
change default start sync date for first incremental sync
removing caching of product type list
change default incremental sync range
shorten incremental sync if it is too long
add duplicate support
treat needs_approval the same as pending on enrollments and don't ret…
Pull request overview
This automated merge PR brings dev-2.2 changes into main, primarily expanding the DigiCert CertCentral AnyCA Gateway REST plugin’s enrollment capabilities (duplicate orders, optional client auth EKU) and adjusting sync/enrollment behaviors alongside documentation/manifest updates.
Changes:
- Add support for duplicating existing certificate orders during renew flows (new DigiCert API request model + client method + plugin flow).
- Add optional `IncludeClientAuthEKU` enrollment setting (via `profile_option`) and adjust SMIME `ProfileType` default behavior.
- Update sync behavior/workarounds (incremental sync window, PEM duplication workaround) and remove product type caching; update docs/changelog.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 16 comments.
| File | Description |
|---|---|
| README.md | Updates product naming and documents new enrollment options (client auth EKU, duplicates). |
| integration-manifest.json | Adds IncludeClientAuthEKU to published enrollment configuration metadata. |
| docsource/configuration.md | Documents the “Certificate Duplicates” enrollment field workflow. |
| digicert-certcentral-caplugin/Models/CertCentralCertType.cs | Removes caching for certificate type lookups. |
| digicert-certcentral-caplugin/digicert-certcentral-caplugin.csproj | Adds explicit assembly/file versions. |
| digicert-certcentral-caplugin/Constants.cs | Adds constants for Duplicate and IncludeClientAuthEKU. |
| digicert-certcentral-caplugin/Client/CertCentralClient.cs | Adds DuplicateCertificate(...) API call wrapper. |
| digicert-certcentral-caplugin/CertCentralCAPlugin.cs | Implements duplicate enrollment flow, client auth EKU option handling, sync-window adjustment, and PEM workaround. |
| digicert-certcentral-caplugin/API/OrderCertificate.cs | Adds profile_option serialization support for order requests. |
| digicert-certcentral-caplugin/API/Duplicate.cs | Introduces DigiCert duplicate request/response models. |
| CHANGELOG.md | Documents new versions/features up through 2.2.0. |
Comment on lines 18 to 20
| using Org.BouncyCastle.Asn1.X509; | ||
| using Org.BouncyCastle.Pqc.Crypto.Falcon; | ||
|
|
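Review bot: the second using in this hunk, `Org.BouncyCastle.Pqc.Crypto.Falcon`, looks like a stray IDE auto-import: none of the changed lines shown in this PR reference a Falcon type. Remove it unless something else in the file uses that namespace, so the plugin does not appear to depend on BouncyCastle's post-quantum code when it does not.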
Comment on lines +298 to +302
| if (typeOfCert.Equals("ssl") && Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH])) | ||
| { | ||
| orderRequest.Certificate.ProfileOption = "server_client_auth_eku"; | ||
| _logger.LogWarning($"{CertCentralConstants.Config.INCLUDE_CLIENT_AUTH}: Ability to include client auth EKU in SSL certs is currently planned to cease in May 2026. Make sure any workflows that depend on this feature are updated before then to avoid interruptions."); | ||
| } |
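Review bot: the condition on the first line of this hunk reads an optional setting as if it were always present and well-formed. `ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH]` is indexed directly and passed to `Convert.ToBoolean`, which throws `FormatException` on an empty string or any value other than true/false; if `ProductParameters` is a plain dictionary, the index itself throws when the key is absent, which is the expected state for templates saved before this option existed. Look the key up with `TryGetValue` and parse with `bool.TryParse`, treating anything unparseable as false. Separately, `typeOfCert.Equals("ssl")` is case-sensitive, so a CertType of 'SSL' would silently skip the option unless the value is normalised earlier; `StringComparison.OrdinalIgnoreCase` makes that explicit.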
Comment on lines +618 to +620
| { | ||
| Comments = "OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026.", | ||
| Hidden = false, |
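Review bot: the visible part of this annotation sets `Comments` and `Hidden` but stops before any default value or type. Confirm the entry declares a boolean type with a default of false, so that a template saved without touching the field hands the enrollment code at +298 a value it can parse.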
Comment on lines +1652 to +1658
| //Another check for duplicate PEMs to get arround issue with DigiCert API returning incorrect data sometimes on reissued/duplicate certs | ||
| if (pemList.Contains(certificate)) | ||
| { | ||
| _logger.LogWarning($"Found duplicate PEM for ID {caReqId}. Skipping..."); | ||
| continue; | ||
| } | ||
| pemList.Add(certificate); |
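Review bot: `pemList.Contains(certificate)` compares the raw PEM strings, so the check only catches duplicates that are character-for-character identical; the same certificate returned with different line endings or trailing whitespace passes as new. Key the collection on the certificate thumbprint, or on the PEM with whitespace stripped, and if `pemList` is a `List<string>` make it a `HashSet<string>` so the lookup is not a linear scan per record on a large sync. The `continue` also drops the record for `caReqId` from this sync pass with only a warning, so the code comment should say whether a later sync is expected to pick up the correct certificate for that ID. Typo in the comment: 'arround' should be 'around'.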
| 4. Restart the AnyCA Gateway REST service. | ||
|
|
||
| 5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the DigiCert CertCentral Gateway plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal. | ||
| 5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the DigiCert CertCentral plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal. |
| * **Organization-Name** - OPTIONAL: For requests that will not have a subject (such as ACME) you can use this field to provide the organization name. Value supplied here will override any CSR values, so do not include this field if you want the organization from the CSR to be used. | ||
| * **RenewalWindowDays** - OPTIONAL: The number of days from certificate expiration that the gateway should do a renewal rather than a reissue. If not provided, default is 90. | ||
| * **CertType** - OPTIONAL: The type of cert to enroll for. Valid values are 'ssl' and 'client'. The value provided here must be consistant with the ProductID. If not provided, default is 'ssl'. Ignored for secure_email_* product types. | ||
| * **IncludeClientAuthEKU** - OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026. |
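Review bot: 'consistant' in the **CertType** entry should be 'consistent'. On the new **IncludeClientAuthEKU** entry, state what happens when the field is not provided, the way the **RenewalWindowDays** and **CertType** entries state their defaults.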
Comment on lines +76 to +78
| "name": "IncludeClientAuthEKU", | ||
| "description": "OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026." | ||
| }, |
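Review bot: the `description` here is the same sentence as the `Comments` string in the plugin annotation and the README entry, and each copy hard-codes 'May 2026', as does the enrollment log warning. If DigiCert moves that date, four strings have to change together. Consider wording the static strings as 'scheduled for removal by DigiCert' and keeping the date in one documented place.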
Comment on lines 8 to +10
| <AssemblyName>DigicertCAPlugin</AssemblyName> | ||
| <AssemblyVersion>2.1.2</AssemblyVersion> | ||
| <FileVersion>2.1.2</FileVersion> |
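Review bot: `AssemblyVersion` and `FileVersion` are set to 2.1.2, but this PR merges dev-2.2 and the CHANGELOG is described as documenting versions up through 2.2.0. If this merge is the 2.2.0 release, bump both values so the file properties of the deployed DLL identify the build that is actually running.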
Merge dev-2.2 to main - Automated PR