Merge to main

CHANGELOG.md

@@ -9,4 +9,15 @@
 * Add support for enrolling for client certs  
 * Option to filter sync by division ID  
 * Option to provide division ID for enrollment  
-* Add support for secure_email_* SMIME product types
+* Add support for secure_email_* SMIME product types  
+
+### 2.1.1  
+* Add configuration flag to support adding client auth EKU to ssl cert requests  
+	* NOTE: This is a temporary feature which is planned for loss of support by Digicert in May 2026   
+* For smime certs, use profile type defined on the product as the default if not supplied, rather than just defaulting to 'strict'  
+* Hotfix for data type conversion  
+
+### 2.1.2  
+* Hotfix for incremental sync to default to a 6 day window if no previous incremental sync has run  
+* Workaround for DigiCert API issue where retrieving the PEM data of multiple certificates in the same order can occasionally return duplicate data rather than the correct cert  
+* Remove caching of product ID lookups from DigiCert account  

README.md

@@ -106,9 +106,10 @@ An API Key within your Digicert account that has the necessary permissions to en
     * **Organization-Name** - OPTIONAL: For requests that will not have a subject (such as ACME) you can use this field to provide the organization name. Value supplied here will override any CSR values, so do not include this field if you want the organization from the CSR to be used. 
     * **RenewalWindowDays** - OPTIONAL: The number of days from certificate expiration that the gateway should do a renewal rather than a reissue. If not provided, default is 90. 
     * **CertType** - OPTIONAL: The type of cert to enroll for. Valid values are 'ssl' and 'client'. The value provided here must be consistant with the ProductID. If not provided, default is 'ssl'. Ignored for secure_email_* product types. 
+    * **IncludeClientAuthEKU** - OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026. 
     * **EnrollDivisionId** - OPTIONAL: The division (container) ID to use for enrollments against this template. 
     * **CommonNameIndicator** - Required for secure_email_sponsor and secure_email_organization products, ignored otherwise. Defines the source of the common name. Valid values are: email_address, given_name_surname, pseudonym, organization_name 
-    * **ProfileType** - Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Default value is strict. 
+    * **ProfileType** - Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Use 'multipurpose' if your cert includes any additional EKUs such as client auth. Default if not provided is dependent on product configuration within Digicert portal. 
     * **FirstName** - Required for secure_email_* types if CommonNameIndicator is given_name_surname, ignored otherwise. 
     * **LastName** - Required for secure_email_* types if CommonNameIndicator is given_name_surname, ignored otherwise. 
     * **Pseudonym** - Required for secure_email_* types if CommonNameIndicator is pseudonym, ignored otherwise. 

digicert-certcentral-caplugin/API/OrderCertificate.cs

@@ -101,6 +101,9 @@ public class CertificateRequest
 
 		[JsonProperty("ca_cert_id")]
 		public string CACertID { get; set; }
+
+		[JsonProperty("profile_option")]
+		public string ProfileOption { get; set; }
 	}
 
 	public class CertificateOrderContainer

digicert-certcentral-caplugin/CertCentralCAPlugin.cs

@@ -294,6 +294,12 @@
 			string priorCertSnString = null;
 			string priorCertReqID = null;
 
+			if (typeOfCert.Equals("ssl") && Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH]))
+			{
+				orderRequest.Certificate.ProfileOption = "server_client_auth_eku";
+				_logger.LogWarning($"{CertCentralConstants.Config.INCLUDE_CLIENT_AUTH}: Ability to include client auth EKU in SSL certs is currently planned to cease in May 2026. Make sure any workflows that depend on this feature are updated before then to avoid interruptions.");
+			}
+
 			// Current gateway core leaves it up to the integration to determine if it is a renewal or a reissue
 			if (enrollmentType == EnrollmentType.RenewOrReissue)
 			{
@@ -491,11 +497,11 @@
 		/// </summary>
 		/// <param name="caRequestID">The gateway request ID of the record to retrieve, in the format 'orderID-certID'</param>
 		/// <returns></returns>
 		public async Task<AnyCAPluginCertificate> GetSingleRecord(string caRequestID)
 		{
 			_logger.MethodEntry(LogLevel.Trace);
 			// Split ca request id into order and cert id
 			string[] idParts = caRequestID.Split('-');
 			int orderId = Int32.Parse(idParts.First());
 			string certId = idParts.Last();
 			int certIdInt = Int32.Parse(certId);
@@ -584,6 +590,13 @@
 					DefaultValue = "ssl",
 					Type = "String"
 				},
+				[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH] = new PropertyConfigInfo()
+				{
+					Comments = "OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026.",
+					Hidden = false,
+					DefaultValue = false,
+					Type = "Boolean"
+				},
 				[CertCentralConstants.Config.ENROLL_DIVISION_ID] = new PropertyConfigInfo()
 				{
 					Comments = "OPTIONAL: The division (container) ID to use for enrollments against this template.",
@@ -600,9 +613,9 @@
 				},
 				[CertCentralConstants.Config.PROFILE_TYPE] = new PropertyConfigInfo()
 				{
-					Comments = "Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Default value is strict.",
+					Comments = "Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Use 'multipurpose' if your cert includes any additional EKUs such as client auth. Default if not provided is dependent on product configuration within Digicert portal.",
 					Hidden = false,
-					DefaultValue = "strict",
+					DefaultValue = "",
 					Type = "String"
 				},
 				[CertCentralConstants.Config.FIRST_NAME] = new PropertyConfigInfo()
@@ -641,11 +654,11 @@
 		/// </summary>
 		/// <returns></returns>
 		/// <exception cref="Exception"></exception>
 		public async Task Ping()
 		{
 			_logger.MethodEntry(LogLevel.Trace);
 			if (!_config.Enabled)
 			{
 				_logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping connectivity test...");
 				_logger.MethodExit(LogLevel.Trace);
 				return;
@@ -683,11 +696,11 @@
 		/// <returns></returns>
 		/// <exception cref="COMException"></exception>
 		/// <exception cref="Exception"></exception>
 		public async Task<int> Revoke(string caRequestID, string hexSerialNumber, uint revocationReason)
 		{
 			_logger.MethodEntry(LogLevel.Trace);
 			int orderId = Int32.Parse(caRequestID.Substring(0, caRequestID.IndexOf('-')));
 			int certId = Int32.Parse(caRequestID.Substring(caRequestID.IndexOf('-') + 1));
 			CertCentralClient client = CertCentralClientUtilities.BuildCertCentralClient(_config);
 			ViewCertificateOrderResponse orderResponse = client.ViewCertificateOrder(new ViewCertificateOrderRequest((uint)orderId));
 			if (orderResponse.Status == CertCentralBaseResponse.StatusType.ERROR || orderResponse.status.ToLower() != "issued")
@@ -743,11 +756,13 @@
 		/// <param name="cancelToken"></param>
 		/// <returns></returns>
 		/// <exception cref="Exception"></exception>
 		public async Task Synchronize(BlockingCollection<AnyCAPluginCertificate> blockingBuffer, DateTime? lastSync, bool fullSync, CancellationToken cancelToken)
 		{
 			_logger.MethodEntry(LogLevel.Trace);
 
-			lastSync = lastSync.HasValue ? lastSync.Value.AddHours(-7) : DateTime.MinValue; // DigiCert issue with treating the timezone as mountain time. -7 to accomodate DST
+			// DigiCert issue with treating the timezone as mountain time. -7 hours to accomodate DST
+			// If no last sync, use a 6 day window for the sync range (only relevant for incremental syncs)
+			lastSync = lastSync.HasValue ? lastSync.Value.AddHours(-7) : DateTime.UtcNow.AddDays(-5); 
 			DateTime? utcDate = DateTime.UtcNow.AddDays(1);
 			string lastSyncFormat = FormatSyncDate(lastSync);
 			string todaySyncFormat = FormatSyncDate(utcDate);
@@ -913,11 +928,11 @@
 		/// </summary>
 		/// <param name="connectionInfo"></param>
 		/// <returns></returns>
 		public async Task ValidateCAConnectionInfo(Dictionary<string, object> connectionInfo)
 		{
 			_logger.MethodEntry(LogLevel.Trace);
 			try
 			{
 				if (!(bool)connectionInfo[CertCentralConstants.Config.ENABLED])
 				{
 					_logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping validation...");
@@ -984,11 +999,11 @@
 		/// <param name="connectionInfo"></param>
 		/// <returns></returns>
 		/// <exception cref="Exception"></exception>
 		public async Task ValidateProductInfo(EnrollmentProductInfo productInfo, Dictionary<string, object> connectionInfo)
 		{
 			_logger.MethodEntry(LogLevel.Trace);
 			// Set up.
 			string productId = productInfo.ProductID;
 			string apiKey = (string)connectionInfo[CertCentralConstants.Config.APIKEY];
 			string region = "US";
 			if (connectionInfo.ContainsKey(CertCentralConstants.Config.REGION))
@@ -1023,7 +1038,7 @@
 			detailsRequest.ContainerId = null;
 			if (connectionInfo.ContainsKey(CertCentralConstants.Config.DIVISION_ID))
 			{
-				string div = (string)connectionInfo[CertCentralConstants.Config.DIVISION_ID];
+				string div = connectionInfo[CertCentralConstants.Config.DIVISION_ID].ToString();
 				if (!string.IsNullOrWhiteSpace(div))
 				{
 					if (int.TryParse($"{div}", out int divId))
@@ -1544,6 +1559,7 @@
 			var orderCerts = GetAllCertsForOrder(orderId);
 
 			List<AnyCAPluginCertificate> certList = new List<AnyCAPluginCertificate>();
+			List<string> pemList = new List<string>();
 
 			foreach (var cert in orderCerts)
 			{
@@ -1565,6 +1581,13 @@
 							throw new Exception($"Unexpected error downloading certificate {certId} for order {orderId}: {certificateChainResponse.Errors.FirstOrDefault()?.message}");
 						}
 					}
+					//Another check for duplicate PEMs to get arround issue with DigiCert API returning incorrect data sometimes on reissued/duplicate certs
+					if (pemList.Contains(certificate))
+					{
+						_logger.LogWarning($"Found duplicate PEM for ID {caReqId}. Skipping...");
+						continue;
+					}
+					pemList.Add(certificate);
 					var connCert = new AnyCAPluginCertificate
 					{
 						CARequestID = caReqId,
@@ -1680,9 +1703,10 @@
 				}
 			}
 
+			string profile = null;
 			if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.PROFILE_TYPE))
 			{
-				string profile = productInfo.ProductParameters[CertCentralConstants.Config.PROFILE_TYPE].ToString();
+				profile = productInfo.ProductParameters[CertCentralConstants.Config.PROFILE_TYPE].ToString();
 
 				// Only validate if value provided
 				if (!string.IsNullOrEmpty(profile))
@@ -1693,6 +1717,10 @@
 						throw new Exception($"Invalid profile type provided. Valid values are: strict, multipurpose");
 					}
 				}
+				else
+				{
+					profile = null;
+				}
 			}
 
 			if (cnIndic.Equals("given_name_surname", StringComparison.OrdinalIgnoreCase))
@@ -1884,12 +1912,11 @@
 			orderRequest.Certificate.SignatureHash = certType.signatureAlgorithm;
 			orderRequest.Certificate.CACertID = caCertId;
 			orderRequest.SetOrganization(organizationId);
-			string profileType = "strict";
-			if (productInfo.ProductParameters.ContainsKey(Constants.Config.PROFILE_TYPE))
+			//If profile type is not provided, use the default on the digicert product configuration
+			if (!string.IsNullOrEmpty(profile))
 			{
-				profileType = productInfo.ProductParameters[Constants.Config.PROFILE_TYPE];
-			}
-			orderRequest.Certificate.ProfileType = profileType;
+				orderRequest.Certificate.ProfileType = profile;
+			}		
 			orderRequest.Certificate.CommonNameIndicator = cnIndicator;
 			if (productInfo.ProductID.Equals("secure_email_sponsor", StringComparison.OrdinalIgnoreCase))
 			{

digicert-certcentral-caplugin/Constants.cs

@@ -32,6 +32,7 @@ public class Config
 			public const string FILTER_EXPIRED = "FilterExpiredOrders";
 			public const string SYNC_EXPIRATION_DAYS = "SyncExpirationDays";
 			public const string CERT_TYPE = "CertType";
+			public const string INCLUDE_CLIENT_AUTH = "IncludeClientAuthEKU";
 			public const string ENROLL_DIVISION_ID = "EnrollDivisionId";
 			public const string COMMON_NAME_INDICATOR = "CommonNameIndicator";
 			public const string PROFILE_TYPE = "ProfileType";

digicert-certcentral-caplugin/Models/CertCentralCertType.cs

@@ -16,7 +16,6 @@ public class CertCentralCertType
         #region Private Fields
 
         private static readonly ILogger Logger = LogHandler.GetClassLogger<CertCentralCertType>();
-        private static List<CertCentralCertType> _allTypes;
 
         #endregion Private Fields
 
@@ -62,12 +61,7 @@ public class CertCentralCertType
 		/// <returns></returns>
 		public static List<CertCentralCertType> GetAllTypes(CertCentralConfig config)
         {
-            if (_allTypes == null || !_allTypes.Any())
-            {
-                _allTypes = RetrieveCertCentralCertTypes(config);
-            }
-
-            return _allTypes;
+			return RetrieveCertCentralCertTypes(config);
         }
 
         /// <summary>

digicert-certcentral-caplugin/digicert-certcentral-caplugin.csproj

@@ -1,11 +1,13 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
     <RootNamespace>Keyfactor.Extensions.CAPlugin.DigiCert</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>disable</Nullable>
     <AssemblyName>DigicertCAPlugin</AssemblyName>
+    <AssemblyVersion>2.1.2</AssemblyVersion>
+    <FileVersion>2.1.2</FileVersion>
   </PropertyGroup>
 
   <ItemGroup>

integration-manifest.json

@@ -72,6 +72,10 @@
                     "name": "CertType",
                     "description": "OPTIONAL: The type of cert to enroll for. Valid values are 'ssl' and 'client'. The value provided here must be consistant with the ProductID. If not provided, default is 'ssl'. Ignored for secure_email_* product types."
                 },
+                {
+                    "name": "IncludeClientAuthEKU",
+                    "description": "OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026."
+                },
                 {
                     "name": "EnrollDivisionId",
                     "description": "OPTIONAL: The division (container) ID to use for enrollments against this template."
@@ -82,7 +86,7 @@
                 },
                 {
                     "name": "ProfileType",
-                    "description": "Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Default value is strict."
+                    "description": "Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Use 'multipurpose' if your cert includes any additional EKUs such as client auth. Default if not provided is dependent on product configuration within Digicert portal."
                 },
                 {
                     "name": "FirstName",