|
1 | | -# Changelog |
| 1 | +# 1.0.0 |
2 | 2 |
|
3 | | -## [1.0.0] - Unreleased |
| 3 | +Initial release of the CERTInext (emSign Hub) AnyCA REST Gateway plugin. |
4 | 4 |
|
5 | | -### Added |
| 5 | +## Features |
| 6 | +- feat(enroll): Certificate enrollment for CERTInext SSL products — DV, OV, and EV SSL, including Wildcard and Multi-Domain (UCC) variants — with connector- and template-level overrides for product code, requestor identity, organization/group, and validity. |
| 7 | +- feat(dcv): End-to-end DNS-01 domain validation for DV SSL through a pluggable `IDomainValidatorFactory` (Cloudflare provider included). Publishes the TXT challenge, asks CERTInext to verify, waits for issuance, and returns the issued certificate directly from `Enroll`. (DCV build — AnyCA Gateway 26.x.) |
| 8 | +- feat(sync): Full and incremental CA synchronization via paginated `GetOrderReport`. Issued certificates carry their full PEM body; revoked certificates carry revocation metadata. |
| 9 | +- feat(sync): Sync-driven DCV retry drives orders left pending validation to completion on later sync passes, bounded by configurable `DcvSyncMaxOrderAgeHours` and `DcvSyncMaxPerPass` caps so large accounts stay fast. |
| 10 | +- feat(revoke): Certificate revocation via `RevokeOrder` with RFC 5280 reason-code mapping. |
| 11 | +- feat(auth): AccessKey (HMAC-SHA256) and OAuth client-credentials authentication modes. |
| 12 | +- feat(build): Single `DcvSupport` MSBuild flag selects the host-matched build from one codebase — default no-DCV (IAnyCAPlugin `3.2.0`, AnyCA Gateway 25.5.x) or `-p:DcvSupport=true` for the DCV build (IAnyCAPlugin `3.3.0`, 26.x). Records persist only when the build matches the host's IAnyCAPlugin version. |
| 13 | +- feat(config): Connector-level configuration for pre-vetted organization/group/technical-contact injection, DCV timing knobs (challenge/issuance waits), and SSL order defaults. |
| 14 | +- feat(sync): `IgnoreExpired` flag to exclude expired certificates from synchronization. |
6 | 15 |
|
7 | | -- Initial release of the CERTInext AnyCA REST Gateway plugin |
8 | | -- Certificate enrollment for DV SSL (838), DV Wildcard (839), DV UCC (840), OV SSL (842), and EV SSL (846) product types |
9 | | -- Certificate revocation via `RevokeOrder` with RFC 5280 reason code mapping |
10 | | -- Full and incremental CA synchronization via paginated `GetOrderReport` |
11 | | -- AccessKey (HMAC-SHA256) and OAuth client credentials authentication modes |
12 | | -- `IgnoreExpired` flag to exclude expired certificates from synchronization |
13 | | -- Live integration tests covering all supported SSL/TLS product types (draft order mode) |
| 16 | +## Bug Fixes |
| 17 | +- fix(sync): Issued certificates now synchronize with their full PEM body — the `GetOrderReport` listing carries no body, so the plugin refetches the full certificate for issued/revoked records. Previously issued certs synced empty and never appeared in Command. |
| 18 | +- fix(sync): Preserve listing metadata (`Subject`, `ProductID`, order date) when refetching the certificate body during synchronization, so issued records are not emitted with null fields. |
| 19 | +- fix(diagnostics): Every CERTInext API failure logs the HTTP status plus the CA's error code and message; transient rate-limit responses are retried with exponential backoff and jitter. |
| 20 | + |
| 21 | +## Chores |
| 22 | +- chore(crypto): All cryptographic operations (CSR/key generation, hashing, the auth nonce) use BouncyCastle exclusively — no `System.Security.Cryptography`. |
| 23 | +- chore(deps): `BouncyCastle.Cryptography` 2.6.2 (closes 3 moderate-severity CVEs). |
| 24 | +- chore(compat): Ship builds for both `net8.0` and `net10.0`. |
| 25 | +- chore(logging): Verbose Debug/Trace logging across the sync flow with method entry/exit tracing. |
| 26 | +- chore(tests): Live integration tests covering all supported SSL/TLS product types, the DCV enroll → issue → sync flow, and a key-algorithm matrix — confirms CERTInext issues RSA 2048/3072/4096 and ECC P-256/P-384, and rejects larger RSA, ECC P-521, and Ed25519/Ed448. |
| 27 | +- chore(scripts): API smoke-test scripts for every endpoint, including `reject-order` / `reject-all-pending` for cancelling pending orders. |
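Review bot: The `chore(deps)` entry for `BouncyCastle.Cryptography` 2.6.2 says it "closes 3 moderate-severity CVEs" but names none of them. List the advisory identifiers, or link the advisory, so the claim can be checked against a dependency-scan report. Two smaller documentation points in the same hunk: the removed lines gave the product codes for each certificate type (838, 839, 840, 842, 846), while the new `feat(enroll)` entry mentions product-code overrides without listing any codes, so either keep the mapping or point to where it is now documented. The `fix(sync)` entries also describe behaviour that happened "Previously", under a heading that calls this the initial release, so say which pre-release build those fixes refer to. Finally, `chore(logging)` adds verbose Debug/Trace logging and `fix(diagnostics)` logs the CA's error code and message on every failure; the changelog should state whether the AccessKey and OAuth credentials from `feat(auth)` are kept out of those logs.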