Initial release of the CERTInext (emSign Hub) AnyCA REST Gateway plugin.
- feat(enroll): Certificate enrollment for CERTInext SSL products — DV, OV, and EV SSL, including Wildcard and Multi-Domain (UCC) variants — with connector- and template-level overrides for product code, requestor identity, organization/group, and validity.
- feat(dcv): End-to-end DNS-01 domain validation for DV SSL through a pluggable
IDomainValidatorFactory(Cloudflare provider included). Publishes the TXT challenge, asks CERTInext to verify, waits for issuance, and returns the issued certificate directly fromEnroll. (DCV build — AnyCA Gateway 26.x.) - feat(sync): Full and incremental CA synchronization via paginated
GetOrderReport. Issued certificates carry their full PEM body; revoked certificates carry revocation metadata. - feat(sync): Sync-driven DCV retry drives orders left pending validation to completion on later sync passes, bounded by configurable
DcvSyncMaxOrderAgeHoursandDcvSyncMaxPerPasscaps so large accounts stay fast. - feat(revoke): Certificate revocation via
RevokeOrderwith RFC 5280 reason-code mapping. - feat(auth): AccessKey (HMAC-SHA256) and OAuth client-credentials authentication modes.
- feat(build): Single
DcvSupportMSBuild flag selects the host-matched build from one codebase — default no-DCV (IAnyCAPlugin3.2.0, AnyCA Gateway 25.5.x) or-p:DcvSupport=truefor the DCV build (IAnyCAPlugin3.3.0-PRERELEASE, 26.x). Records persist only when the build matches the host's IAnyCAPlugin version. - feat(config): Connector-level configuration for pre-vetted organization/group/technical-contact injection, DCV timing knobs (challenge/issuance waits), and SSL order defaults.
- feat(sync):
IgnoreExpiredflag to exclude expired certificates from synchronization.
- fix(sync): Issued certificates now synchronize with their full PEM body — the
GetOrderReportlisting carries no body, so the plugin refetches the full certificate for issued/revoked records. Previously issued certs synced empty and never appeared in Command. - fix(sync): Preserve listing metadata (
Subject,ProductID, order date) when refetching the certificate body during synchronization, so issued records are not emitted with null fields. - fix(diagnostics): Every CERTInext API failure logs the HTTP status plus the CA's error code and message; transient rate-limit responses are retried with exponential backoff and jitter.
- chore(crypto): All cryptographic operations (CSR/key generation, hashing, the auth nonce) use BouncyCastle exclusively — no
System.Security.Cryptography. - chore(deps):
BouncyCastle.Cryptography2.6.2 (closes 3 moderate-severity CVEs). - chore(compat): Ship builds for both
net8.0andnet10.0. - chore(logging): Verbose Debug/Trace logging across the sync flow with method entry/exit tracing.
- chore(tests): Live integration tests covering all supported SSL/TLS product types, the DCV enroll → issue → sync flow, and a key-algorithm matrix — confirms CERTInext issues RSA 2048/3072/4096 and ECC P-256/P-384, and rejects larger RSA, ECC P-521, and Ed25519/Ed448.
- chore(scripts): API smoke-test scripts for every endpoint, including
reject-order/reject-all-pendingfor cancelling pending orders.