check for duplicate PEMs
change default start sync date for first incremental sync
removing caching of product type list
change default incremental sync range
shorten incremental sync if it is too long
* add duplicate support * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>
* improve BouncyCastle parsing * add duplicate support * Update generated docs * Merge 2.2.0 to main * fix for smime profile type * template parameter to include client auth eku * Update generated docs * changelog and logging * check for duplicate PEMs * change default start sync date for first incremental sync * removing caching of product type list * change default incremental sync range * version * changelog * shorten incremental sync if it is too long * feat: release v2.2.0 * add duplicate support * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> --------- Co-authored-by: David Galey <dgaley@keyfactor.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com> Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> * treat needs_approval the same as pending on enrollments and don't return failure code * Update generated docs * Merge 2.2.1 to main (#49) * fix for smime profile type * template parameter to include client auth eku * Update generated docs * changelog and logging * check for duplicate PEMs * change default start sync date for first incremental sync * removing caching of product type list * change default incremental sync range * version * changelog * shorten incremental sync if it is too long * feat: release v2.2.0 * add duplicate support * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * Dev 2.2 (#47) * add duplicate support * Update generated docs * treat needs_approval the same as pending on enrollments and don't return failure code * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> --------- Co-authored-by: David Galey <dgaley@keyfactor.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com> Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> * 
Merge to main (#48) * fix for smime profile type * template parameter to include client auth eku * Update generated docs * changelog and logging * check for duplicate PEMs * change default start sync date for first incremental sync * removing caching of product type list * change default incremental sync range * version * changelog * shorten incremental sync if it is too long * add duplicate support * Update generated docs * treat needs_approval the same as pending on enrollments and don't return failure code * Update generated docs --------- Co-authored-by: David Galey <dgaley@keyfactor.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com> Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> * Update CHANGELOG.md (#50) * add option for kdc/smartcardlogon eku, fix template validation * Update generated docs * changelog --------- Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com>
Productsyncfilter
Pull request overview
Automated merge of dev-2.4 into main for the DigiCert CertCentral AnyCA Gateway REST plugin, bringing in new enrollment/sync capabilities and aligning public docs/manifests with those capabilities.
Changes:
- Adds certificate duplication support and related documentation.
- Extends synchronization filtering (Division + new Product filter) and adjusts incremental sync window behavior.
- Adds SSL enrollment options for additional EKUs (Client Auth / KDC-SmartCardLogon) and updates approval-status handling.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 18 comments.
| File | Description |
|---|---|
| README.md | Updates plugin naming and documents new config/template fields and duplication workflow. |
| integration-manifest.json | Adds new config/template parameters so the gateway can surface them in UI/metadata. |
| docsource/configuration.md | Documents certificate duplication workflow. |
| CHANGELOG.md | Adds version entries describing new features/fixes. |
| digicert-certcentral-caplugin/Constants.cs | Adds constants for new config/template field names. |
| digicert-certcentral-caplugin/CertCentralConfig.cs | Adds parsing for SyncProductFilter. |
| digicert-certcentral-caplugin/CertCentralCAPlugin.cs | Core logic changes: duplication path, new EKU profile option behavior, sync filtering/window changes, approval-status handling. |
| digicert-certcentral-caplugin/Client/CertCentralClient.cs | Adds duplicate endpoint call and updates list-orders call signature for new filters. |
| digicert-certcentral-caplugin/API/Duplicate.cs | Introduces request/response models for the duplicate endpoint. |
| digicert-certcentral-caplugin/API/OrderCertificate.cs | Adds profile_option field to certificate request model. |
| digicert-certcentral-caplugin/API/ListCertificateOrders.cs | Adds multi-filter support (division IDs + product IDs) to list-orders request. |
| digicert-certcentral-caplugin/Models/CertCentralCertType.cs | Removes product-type caching (behavior/perf impact). |
| digicert-certcentral-caplugin/digicert-certcentral-caplugin.csproj | Adds explicit assembly/file version metadata. |
Comment on lines +302 to +319
| if (typeOfCert.Equals("ssl")) | ||
| { | ||
| bool clientAuth = Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH]); | ||
| bool kdc = Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_KDC]); | ||
| if (clientAuth && kdc) | ||
| { | ||
| throw new Exception($"Cannot enroll for cert with both Client Auth and KDC/SmartCardLogon EKU set to 'true'"); | ||
| } | ||
| if (clientAuth) | ||
| { | ||
| orderRequest.Certificate.ProfileOption = "server_client_auth_eku"; | ||
| _logger.LogWarning($"{CertCentralConstants.Config.INCLUDE_CLIENT_AUTH}: Ability to include client auth EKU in SSL certs is currently planned to cease in March 2027. Make sure any workflows that depend on this feature are updated before then to avoid interruptions."); | ||
| } | ||
| else if (kdc) | ||
| { | ||
| orderRequest.Certificate.ProfileOption = "kdc_smart_card"; | ||
| } | ||
| } |
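Review bot: the two `Convert.ToBoolean(productInfo.ProductParameters[...])` calls at the top of this block throw (KeyNotFoundException when the key is absent, FormatException when the value is empty or not a boolean literal) instead of treating a missing optional parameter as false, which is the likely state for templates created before INCLUDE_CLIENT_AUTH and INCLUDE_KDC existed. Assuming ProductParameters is a string dictionary, guard both reads, e.g. `bool clientAuth = productInfo.ProductParameters.TryGetValue(CertCentralConstants.Config.INCLUDE_CLIENT_AUTH, out var ca) && bool.TryParse(ca, out var caVal) && caVal;`. The mutual-exclusion check also throws a bare `Exception`; a more specific type (for example ArgumentException) lets callers distinguish a template misconfiguration from a CertCentral API failure.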
Comment on lines +1660 to +1663
| if (productIds != null && productIds.Count > 0 && !productIds.Contains(orderResponse.product.name_id.ToString())) | ||
| { | ||
| _logger.LogTrace($"Found order ID {orderId} that does not match Product filter. Product ID: {orderResponse.product.name_id.ToString()} Skipping..."); | ||
| } |
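Review bot: this `if` only logs "Skipping..." and never actually skips: there is no `continue` (or equivalent) after the `_logger.LogTrace` call, so an order whose product ID is not in `productIds` falls through and is still processed, which defeats the new Product filter. Add `continue;` after the log line, the same way the duplicate-PEM check later in this PR does.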
Comment on lines +1690 to +1696
| //Another check for duplicate PEMs to get arround issue with DigiCert API returning incorrect data sometimes on reissued/duplicate certs | ||
| if (pemList.Contains(certificate)) | ||
| { | ||
| _logger.LogWarning($"Found duplicate PEM for ID {caReqId}. Skipping..."); | ||
| continue; | ||
| } | ||
| pemList.Add(certificate); |
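Review bot: `pemList.Contains(certificate)` makes this loop O(n²) over the synced order set if `pemList` is a List<string> of full PEM bodies, which will show up on large CertCentral accounts; use a HashSet<string> (or dedupe on a SHA-256 hash of the certificate bytes rather than the whole PEM text) so the membership test stays O(1). Also "arround" in the comment should be "around".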
| @@ -767,12 +841,17 @@ | |||
|
|
|||
| caList.ForEach(c => c.ToUpper()); | |||
| _logger.MethodEntry(LogLevel.Trace); | ||
|
|
||
| lastSync = lastSync.HasValue ? lastSync.Value.AddHours(-7) : DateTime.MinValue; // DigiCert issue with treating the timezone as mountain time. -7 to accomodate DST | ||
| // DigiCert issue with treating the timezone as mountain time. -7 hours to accomodate DST |
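Review bot: `caList.ForEach(c => c.ToUpper());` is a no-op: `string.ToUpper()` returns a new string and the result is discarded, so `caList` is never upper-cased and any case-sensitive comparison against it will still miss. Replace it with `caList = caList.Select(c => c.ToUpper()).ToList();`, or drop the normalisation and compare with StringComparison.OrdinalIgnoreCase where `caList` is consulted. On the `lastSync` line, the fixed `AddHours(-7)` covers both MST (UTC-7) and MDT (UTC-6) by always using the larger offset, which widens the window rather than shrinking it and is therefore safe for sync completeness; the comment should say that explicitly, and "accomodate" should be "accommodate".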
| * **EnrollDivisionId** - OPTIONAL: The division (container) ID to use for enrollments against this template. | ||
| * **CommonNameIndicator** - Required for secure_email_sponsor and secure_email_organization products, ignored otherwise. Defines the source of the common name. Valid values are: email_address, given_name_surname, pseudonym, organization_name | ||
| * **ProfileType** - Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Default value is strict. | ||
| * **ProfileType** - Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Use 'multipurpose' if your cert includes any additional EKUs such as client auth. Default if not provided is dependent on product configuration within Digicert portal. |
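Review bot: the replacement ProfileType line changes the documented default from a fixed `strict` to "dependent on product configuration within Digicert portal", which is a behaviour change for existing users and should be called out in the CHANGELOG entry, not only in this sentence; also "Digicert" should be "DigiCert" to match the rest of the README.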
| @@ -38,6 +38,10 @@ | |||
| "name": "SyncDivisionFilter", | |||
| "description": "If you list one or more Divison IDs (also known as Container IDs) here (comma-separated), the sync process will filter records to only return orders from those divisions. If you want to sync all divisions, leave this field empty. Note that this has no relationship to the value of the DivisionId config field." | |||
| }, | ||
| { | ||
| "name": "CertType", | ||
| "description": "OPTIONAL: The type of cert to enroll for. Valid values are 'ssl' and 'client'. The value provided here must be consistant with the ProductID. If not provided, default is 'ssl'. Ignored for secure_email_* product types." |
| { | ||
| "name": "ProfileType", | ||
| "description": "Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Default value is strict." | ||
| "description": "Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Use 'multipurpose' if your cert includes any additional EKUs such as client auth. Default if not provided is dependent on product configuration within Digicert portal." |
Comment on lines +9 to +10
| <AssemblyVersion>2.1.2</AssemblyVersion> | ||
| <FileVersion>2.1.2</FileVersion> |
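Review bot: AssemblyVersion and FileVersion are both set to 2.1.2, but this PR merges dev-2.4 and the included commits reference "release v2.2.0", so the assembly metadata looks stale. Bump both values to the version the CHANGELOG entry for this release uses so the gateway reports the plugin version that actually ships.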
Merge dev-2.4 to main - Automated PR