check for duplicate PEMs
change default start sync date for first incremental sync
removing caching of product type list
change default incremental sync range
shorten incremental sync if it is too long
add duplicate support
treat needs_approval the same as pending on enrollments and don't ret…
Pull request overview
This automated merge PR brings dev-2.2 changes into main, primarily expanding the DigiCert CertCentral AnyCA Gateway REST plugin’s enrollment capabilities (duplicate orders, optional client auth EKU) and adjusting sync/enrollment behaviors alongside documentation/manifest updates.
Changes:
- Add support for duplicating existing certificate orders during renew flows (new DigiCert API request model + client method + plugin flow).
- Add optional `IncludeClientAuthEKU` enrollment setting (via `profile_option`) and adjust SMIME `ProfileType` default behavior.
- Update sync behavior/workarounds (incremental sync window, PEM duplication workaround) and remove product type caching; update docs/changelog.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 16 comments.
Comment on lines 18 to 20
| using Org.BouncyCastle.Asn1.X509; | ||
| using Org.BouncyCastle.Pqc.Crypto.Falcon; | ||
|
|
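Review bot: The `using Org.BouncyCastle.Pqc.Crypto.Falcon;` directive on the second line brings a post-quantum signature namespace into scope, and nothing in the hunks shown on this page references it. If it came from an IDE auto-import, drop it so the file's dependencies stay limited to what the plugin actually uses.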
Comment on lines +298 to +302
| if (typeOfCert.Equals("ssl") && Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH])) | ||
| { | ||
| orderRequest.Certificate.ProfileOption = "server_client_auth_eku"; | ||
| _logger.LogWarning($"{CertCentralConstants.Config.INCLUDE_CLIENT_AUTH}: Ability to include client auth EKU in SSL certs is currently planned to cease in May 2026. Make sure any workflows that depend on this feature are updated before then to avoid interruptions."); | ||
| } |
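Review bot: The condition on the first line passes `productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH]` straight to `Convert.ToBoolean` with no guard, although the setting is described as OPTIONAL elsewhere on this page. If `ProductParameters` is a dictionary, a template without the key will throw on the indexer, and `Convert.ToBoolean` throws a `FormatException` on an empty or non-boolean string such as 'yes', so a blank field could fail the whole enrollment. Suggest a guarded lookup plus `bool.TryParse` that defaults to false, and consider `StringComparison.OrdinalIgnoreCase` on `typeOfCert.Equals("ssl")` so that 'SSL' is not silently treated as a non-SSL type.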
Comment on lines +618 to +620
| { | ||
| Comments = "OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026.", | ||
| Hidden = false, |
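Review bot: The `Comments` text explains what 'true' does but not what the gateway assumes when the field is left empty or which spellings of the value are accepted. Since this option widens the key usage of issued SSL certs, state the default explicitly in the comment so an operator does not have to read the enrollment code to find out.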
Comment on lines +1652 to +1658
| //Another check for duplicate PEMs to get arround issue with DigiCert API returning incorrect data sometimes on reissued/duplicate certs | ||
| if (pemList.Contains(certificate)) | ||
| { | ||
| _logger.LogWarning($"Found duplicate PEM for ID {caReqId}. Skipping..."); | ||
| continue; | ||
| } | ||
| pemList.Add(certificate); |
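Review bot: `pemList.Contains(certificate)` compares raw PEM text, so the check only catches byte-identical strings; the same certificate returned with different line endings or wrapping would still be treated as new. Comparing a normalized form or the certificate thumbprint would be more robust, and if `pemList` is a `List`, a `HashSet` would avoid a linear scan per certificate during sync. The warning logs only `caReqId`; also logging the ID that first produced this PEM would make the skipped record traceable when diagnosing the DigiCert API issue the code comment mentions. Typo in that comment: 'arround'.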
| 4. Restart the AnyCA Gateway REST service. | ||
|
|
||
| 5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the DigiCert CertCentral Gateway plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal. | ||
| 5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the DigiCert CertCentral plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal. |
| * **Organization-Name** - OPTIONAL: For requests that will not have a subject (such as ACME) you can use this field to provide the organization name. Value supplied here will override any CSR values, so do not include this field if you want the organization from the CSR to be used. | ||
| * **RenewalWindowDays** - OPTIONAL: The number of days from certificate expiration that the gateway should do a renewal rather than a reissue. If not provided, default is 90. | ||
| * **CertType** - OPTIONAL: The type of cert to enroll for. Valid values are 'ssl' and 'client'. The value provided here must be consistant with the ProductID. If not provided, default is 'ssl'. Ignored for secure_email_* product types. | ||
| * **IncludeClientAuthEKU** - OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026. |
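Review bot: The **IncludeClientAuthEKU** entry repeats the 'May 2026' removal date that is also hard-coded in the log warning, the template annotation and the manifest description shown on this page, so four strings have to be kept in step if DigiCert changes the schedule. Consider keeping the date in one place (for example the README) and having the other texts refer to it. Separately, 'consistant' in the **CertType** entry should read 'consistent'.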
Comment on lines +76 to +78
| "name": "IncludeClientAuthEKU", | ||
| "description": "OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026." | ||
| }, |
Comment on lines 8 to +10
indrora added a commit that referenced this pull request Jun 17, 2026
* improve BouncyCastle parsing * add duplicate support * Update generated docs * Merge 2.2.0 to main * fix for smime profile type * template parameter to include client auth eku * Update generated docs * changelog and logging * check for duplicate PEMs * change default start sync date for first incremental sync * removing caching of product type list * change default incremental sync range * version * changelog * shorten incremental sync if it is too long * feat: release v2.2.0 * add duplicate support * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> --------- Co-authored-by: David Galey <dgaley@keyfactor.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com> Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> * treat needs_approval the same as pending on enrollments and don't return failure code * Update generated docs * Merge 2.2.1 to main (#49) * fix for smime profile type * template parameter to include client auth eku * Update generated docs * changelog and logging * check for duplicate PEMs * change default start sync date for first incremental sync * removing caching of product type list * change default incremental sync range * version * changelog * shorten incremental sync if it is too long * feat: release v2.2.0 * add duplicate support * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * Dev 2.2 (#47) * add duplicate support * Update generated docs * treat needs_approval the same as pending on enrollments and don't return failure code * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> --------- Co-authored-by: David Galey <dgaley@keyfactor.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com> Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> * 
Merge to main (#48) * fix for smime profile type * template parameter to include client auth eku * Update generated docs * changelog and logging * check for duplicate PEMs * change default start sync date for first incremental sync * removing caching of product type list * change default incremental sync range * version * changelog * shorten incremental sync if it is too long * add duplicate support * Update generated docs * treat needs_approval the same as pending on enrollments and don't return failure code * Update generated docs --------- Co-authored-by: David Galey <dgaley@keyfactor.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com> Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> * Update CHANGELOG.md (#50) * add option for kdc/smartcardlogon eku, fix template validation * Update generated docs * changelog --------- Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com>
indrora added a commit that referenced this pull request Jun 18, 2026
* fix for smime profile type * template parameter to include client auth eku * Update generated docs * changelog and logging * check for duplicate PEMs * change default start sync date for first incremental sync * removing caching of product type list * change default incremental sync range * version * changelog * shorten incremental sync if it is too long * feat: release v2.2.0 * add duplicate support * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * Dev 2.2 (#47) * add duplicate support * Update generated docs * treat needs_approval the same as pending on enrollments and don't return failure code * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * Dev 2.3 (#54) * improve BouncyCastle parsing * add duplicate support * Update generated docs * Merge 2.2.0 to main * fix for smime profile type * template parameter to include client auth eku * Update generated docs * changelog and logging * check for duplicate PEMs * change default start sync date for first incremental sync * removing caching of product type list * change default incremental sync range * version * changelog * shorten incremental sync if it is too long * feat: release v2.2.0 * add duplicate support * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> --------- Co-authored-by: David Galey <dgaley@keyfactor.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com> Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> * treat needs_approval the same as pending on enrollments and don't return failure code * Update generated docs * Merge 2.2.1 to main (#49) * fix for smime profile type * template parameter to include client auth eku * Update generated docs * changelog and logging * check for duplicate PEMs * change default start sync date for first incremental sync * removing caching of product type 
list * change default incremental sync range * version * changelog * shorten incremental sync if it is too long * feat: release v2.2.0 * add duplicate support * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * Dev 2.2 (#47) * add duplicate support * Update generated docs * treat needs_approval the same as pending on enrollments and don't return failure code * Update generated docs --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> --------- Co-authored-by: David Galey <dgaley@keyfactor.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com> Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> * Merge to main (#48) * fix for smime profile type * template parameter to include client auth eku * Update generated docs * changelog and logging * check for duplicate PEMs * change default start sync date for first incremental sync * removing caching of product type list * change default incremental sync range * version * changelog * shorten incremental sync if it is too long * add duplicate support * Update generated docs * treat needs_approval the same as pending on enrollments and don't return failure code * Update generated docs --------- Co-authored-by: David Galey <dgaley@keyfactor.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com> Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> * Update CHANGELOG.md (#50) * add option for kdc/smartcardlogon eku, fix template validation * Update generated docs * changelog --------- Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com> --------- Co-authored-by: David Galey <dgaley@keyfactor.com> Co-authored-by: Keyfactor 
<keyfactor@keyfactor.github.io> Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com> Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com>

Merge dev-2.2 to main - Automated PR