Merged
23 commits
16 changes: 15 additions & 1 deletion CHANGELOG.md
Expand Up @@ -9,4 +9,18 @@
* Add support for enrolling for client certs
* Option to filter sync by division ID
* Option to provide division ID for enrollment
* Add support for secure_email_* SMIME product types
* Add support for secure_email_* SMIME product types

### 2.1.1
* Add configuration flag to support adding client auth EKU to ssl cert requests
* NOTE: This is a temporary feature which is planned for loss of support by Digicert in May 2026
* For smime certs, use profile type defined on the product as the default if not supplied, rather than just defaulting to 'strict'
* Hotfix for data type conversion

### 2.1.2
* Hotfix for incremental sync to default to a 6 day window if no previous incremental sync has run
* Workaround for DigiCert API issue where retrieving the PEM data of multiple certificates in the same order can occasionally return duplicate data rather than the correct cert
* Remove caching of product ID lookups from DigiCert account

### 2.2.0
* Add support for duplicating certs
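Review bot: the 2.2.0 entry is incomplete relative to the rest of this PR. The same change set adds a `profile_option` field to the order request (OrderCertificate.cs) and introduces a required 'Duplicate' Enrollment Field in Keyfactor Command that operators must create before the new renew-as-duplicate behaviour works (README, "Certificate Duplicates"); neither is mentioned here. Under 2.1.1, "Hotfix for data type conversion" does not tell an operator which field was converted or whether already-issued certificates or sync records were affected; name the field. The IncludeClientAuthEKU line and the May 2026 note should match the README wording ("planned to be removed by DigiCert") so there is one statement of the end-of-support date.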
19 changes: 12 additions & 7 deletions README.md
@@ -1,5 +1,5 @@
<h1 align="center" style="border-bottom: none">
DigiCert CertCentral Gateway AnyCA Gateway REST Plugin
DigiCert CertCentral AnyCA Gateway REST Plugin
</h1>

<p align="center">
Expand Down Expand Up @@ -41,10 +41,10 @@ The Digicert CertCentral AnyCA REST plugin extends the capabilities of Digicert'

## Compatibility

The DigiCert CertCentral Gateway AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2.0 and later.
The DigiCert CertCentral AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2.0 and later.

## Support
The DigiCert CertCentral Gateway AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com.
The DigiCert CertCentral AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com.

> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.

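Review bot: the Support paragraph still contains two consecutive "If you have a support issue, please open a support ticket ..." sentences (one via the Keyfactor representative, one via the Support Portal). Since this hunk already rewrites the line for the rename, merge them into one sentence, e.g. "If you have a support issue, please open a support ticket with your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com."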
Expand All @@ -56,7 +56,7 @@ An API Key within your Digicert account that has the necessary permissions to en

1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).

2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [DigiCert CertCentral Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/digicert-certcentral-caplugin/releases/latest) from GitHub.
2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [DigiCert CertCentral AnyCA Gateway REST plugin](https://github.com/Keyfactor/digicert-certcentral-caplugin/releases/latest) from GitHub.

3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:

Expand All @@ -67,11 +67,11 @@ An API Key within your Digicert account that has the necessary permissions to en
Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
```

> The directory containing the DigiCert CertCentral Gateway AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
> The directory containing the DigiCert CertCentral AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.

4. Restart the AnyCA Gateway REST service.

5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the DigiCert CertCentral Gateway plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the DigiCert CertCentral plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.

## Configuration

Expand Down Expand Up @@ -106,15 +106,20 @@ An API Key within your Digicert account that has the necessary permissions to en
* **Organization-Name** - OPTIONAL: For requests that will not have a subject (such as ACME) you can use this field to provide the organization name. Value supplied here will override any CSR values, so do not include this field if you want the organization from the CSR to be used.
* **RenewalWindowDays** - OPTIONAL: The number of days from certificate expiration that the gateway should do a renewal rather than a reissue. If not provided, default is 90.
* **CertType** - OPTIONAL: The type of cert to enroll for. Valid values are 'ssl' and 'client'. The value provided here must be consistant with the ProductID. If not provided, default is 'ssl'. Ignored for secure_email_* product types.
* **IncludeClientAuthEKU** - OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026.
* **EnrollDivisionId** - OPTIONAL: The division (container) ID to use for enrollments against this template.
* **CommonNameIndicator** - Required for secure_email_sponsor and secure_email_organization products, ignored otherwise. Defines the source of the common name. Valid values are: email_address, given_name_surname, pseudonym, organization_name
* **ProfileType** - Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Default value is strict.
* **ProfileType** - Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Use 'multipurpose' if your cert includes any additional EKUs such as client auth. Default if not provided is dependent on product configuration within Digicert portal.
* **FirstName** - Required for secure_email_* types if CommonNameIndicator is given_name_surname, ignored otherwise.
* **LastName** - Required for secure_email_* types if CommonNameIndicator is given_name_surname, ignored otherwise.
* **Pseudonym** - Required for secure_email_* types if CommonNameIndicator is pseudonym, ignored otherwise.
* **UsageDesignation** - Required for secure_email_* types, ignored otherwise. The primary usage of the certificate. Valid values are: signing, key_management, dual_use


## Certificate Duplicates

DigiCert supports the ability to duplicate existing certificate orders. To take advantage of this functionality, in Keyfactor Command, under the enrollment pattern you're using, create an Enrollment Field named 'Duplicate' of type Multiple Choice, and the values 'False', 'True'. When performing a renew operation against that enrollment pattern, set the value to True to tell the gateway to duplicate instead of renew. The field will be ignored on new enrollments.


## License

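Review bot: the configuration list does not document the new `profile_option` request field that this PR adds in OrderCertificate.cs; either add a template parameter for it or state that it is derived from ProfileType, so operators know what is sent to DigiCert. The ProfileType line now says the default "is dependent on product configuration within Digicert portal"; since 'strict' vs 'multipurpose' decides whether extra EKUs such as client auth are permitted, add a sentence telling operators to check the product's profile in CertCentral rather than assuming 'strict'. The Certificate Duplicates section says the field is ignored on new enrollments but not what happens on a renew when the field is absent or set to 'False' (presumably a normal renew); spell that out, and note that the duplicate request carries the CSR from the renewal (per `CertificateDuplicateRequest.CSR`) so the duplicate is issued for the new key, not a reissue of the original. While touching this block, the unchanged context line for CertType still has the typo "consistant".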
70 changes: 70 additions & 0 deletions digicert-certcentral-caplugin/API/Duplicate.cs
@@ -0,0 +1,70 @@
using Keyfactor.Extensions.CAPlugin.DigiCert.Models;
using Newtonsoft.Json;

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace Keyfactor.Extensions.CAPlugin.DigiCert.API
{
[Serializable]
public class DuplicateRequest : CertCentralBaseRequest
{
public DuplicateRequest(uint orderId)
{
Method = "POST";
OrderId = orderId;
Resource = $"services/v2/order/certificate/{OrderId}/duplicate";
Certificate = new CertificateDuplicateRequest();
}

[JsonProperty("certificate")]
public CertificateDuplicateRequest Certificate { get; set; }

[JsonProperty("order_id")]
public uint OrderId { get; set; }

[JsonProperty("skip_approval")]
public bool SkipApproval { get; set; }
}

public class CertificateDuplicateRequest
{
[JsonProperty("common_name")]
public string CommonName { get; set; }

[JsonProperty("dns_names")]
public List<string> DnsNames { get; set; }

[JsonProperty("csr")]
public string CSR { get; set; }

[JsonProperty("server_platform")]
public Server_platform ServerPlatform { get; set; }

[JsonProperty("signature_hash")]
public string SignatureHash { get; set; }

[JsonProperty("ca_cert_id")]
public string CACertID { get; set; }
}

public class DuplicateResponse : CertCentralBaseResponse
{
public DuplicateResponse()
{
Requests = new List<Requests>();
}

[JsonProperty("id")]
public int OrderId { get; set; }

[JsonProperty("requests")]
public List<Requests> Requests { get; set; }

[JsonProperty("certificate_chain")]
public List<CertificateChainElement> CertificateChain { get; set; }
}
}
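Review bot: `OrderId` is declared `uint` on `DuplicateRequest` but `int` on `DuplicateResponse` (`[JsonProperty("id")] public int OrderId`); use one type so callers can compare request and response IDs without casts. Every property on `CertificateDuplicateRequest` is serialized unconditionally, so an unset `common_name`, `dns_names`, `server_platform` or `ca_cert_id` goes to DigiCert as an explicit `null` unless `CertCentralBaseRequest` already applies `NullValueHandling.Ignore`; if it does not, add `NullValueHandling = NullValueHandling.Ignore` to those `JsonProperty` attributes so optional fields are omitted rather than nulled. `order_id` is both in the path (`services/v2/order/certificate/{OrderId}/duplicate`) and in the body; if the endpoint takes it from the path only, mark the property `[JsonIgnore]`. `SkipApproval` is always emitted as `false`; confirm that is the intended default for a gateway-driven duplicate. Minor: the `System.Linq`, `System.Text` and `System.Threading.Tasks` usings are unused, and naming the property `Requests` with element type `Requests` (`List<Requests> Requests`) compiles but is easy to misread.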
3 changes: 3 additions & 0 deletions digicert-certcentral-caplugin/API/OrderCertificate.cs
Expand Up @@ -101,6 +101,9 @@ public class CertificateRequest

[JsonProperty("ca_cert_id")]
public string CACertID { get; set; }

[JsonProperty("profile_option")]
public string ProfileOption { get; set; }
}

public class CertificateOrderContainer
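Review bot: `ProfileOption` has no `NullValueHandling.Ignore`, so every non-S/MIME order will now send `"profile_option": null` unless the base request's serializer settings drop nulls; given the README says ProfileType is ignored outside secure_email_* products, the field should be omitted, not nulled, for those orders. The README in this PR also does not mention `profile_option` or how it is populated from the ProfileType template parameter; add that mapping to the configuration section.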