docs: apply docs-review corrections to source docs

- configuration.md: Command 25.5.x / AnyCA Gateway REST 25.5.0 requirements;
  inline ApiUrl examples include the /emSignHub-API/ path; drop the false
  'CERTInext renew API' claim (renewal is a new GenerateOrderSSL order).
- overview.md: fix dead ../../issues/{7,8} links to GitHub URLs; 3.3.0 ->
  3.3.0-PRERELEASE; lead the TypeLoadException mitigation with the action.
- development.md: document reject-order/reject-all-pending + probe-products.
- QUICKSTART.md: warn that CERTInext only issues RSA 2048/3072/4096 + ECC
  P-256/P-384 (gateway key_algs is a permissive superset); '8 non-EV products';
  fix TypeLoadException remediation to 'deploy the no-DCV build'.
- INTEGRATION_TESTING/TESTING.md: .NET 8 or .NET 10 SDK; drop the removed
  GetOrderReport_ContainsKnownDraftOrder row.
- docs/reference/README.md: note the CERTInext key-algorithm limit.
- integration-manifest.json: tighten the Enabled field description.

README.md is doctool-generated from docsource/, so it is not edited here; CI
regenerates it. (net6->net8/net10 install text lands once doctooldotnet#17 merges.)

Author: spbsoluble

CERTInext.IntegrationTests/INTEGRATION_TESTING.md

@@ -8,7 +8,7 @@ so the project is safe to include in CI pipelines that do not have API access.
 
 ## Prerequisites
 
-- .NET 8 SDK
+- .NET 8 or .NET 10 SDK
 - Access to a CERTInext account (sandbox or production)
 - An API Access Key generated in the CERTInext portal under **Integrations → APIs**
 
@@ -119,7 +119,6 @@ pipeline failure.
 | Test | What it checks |
 |------|---------------|
 | `GetOrderReport_ReturnsOrders` | Fetches page 1; asserts at least one order is returned |
-| `GetOrderReport_ContainsKnownDraftOrder` | Fetches all pages; asserts requestNumber `4572531551` (DV SSL 838 draft) is present |
 | `GetOrderReport_AllOrders_HaveRequiredFields` | For each order on page 1: `requestNumber`, `productCode`, and `orderDate` are non-empty |
 
 ### `PluginSmokeTests`
@@ -162,4 +161,3 @@ never transmitted over the wire — only the derived `authKey` hash is sent.
 | `Ping` fails with 401 | Wrong `CERTINEXT_ACCESS_KEY` | Regenerate the key in the CERTInext portal |
 | `Ping` fails with timeout | Wrong `CERTINEXT_API_URL` | Verify the URL matches your account region |
 | `GetOrderReport` returns 0 orders | Account has no orders | Place a test order first (see `make generate-order` in the project Makefile) |
-| `ContainsKnownDraftOrder` fails | Draft order `4572531551` not on this account | Update `KnownDraftRequestNumber` in `OrderReportTests.cs` to a request number from your account |

CERTInext.IntegrationTests/TESTING.md

@@ -41,7 +41,7 @@ which ones return a `requestNumber` (valid) vs. an error (invalid or not provisi
 
 ## Prerequisites
 
-- .NET 8 SDK
+- .NET 8 or .NET 10 SDK
 - Access to a CERTInext sandbox or production account
 - An API Access Key generated in the CERTInext portal under **Integrations → APIs**
 

CHANGELOG.md

@@ -9,7 +9,7 @@ Initial release of the CERTInext (emSign Hub) AnyCA REST Gateway plugin.
 - feat(sync): Sync-driven DCV retry drives orders left pending validation to completion on later sync passes, bounded by configurable `DcvSyncMaxOrderAgeHours` and `DcvSyncMaxPerPass` caps so large accounts stay fast.
 - feat(revoke): Certificate revocation via `RevokeOrder` with RFC 5280 reason-code mapping.
 - feat(auth): AccessKey (HMAC-SHA256) and OAuth client-credentials authentication modes.
-- feat(build): Single `DcvSupport` MSBuild flag selects the host-matched build from one codebase — default no-DCV (IAnyCAPlugin `3.2.0`, AnyCA Gateway 25.5.x) or `-p:DcvSupport=true` for the DCV build (IAnyCAPlugin `3.3.0`, 26.x). Records persist only when the build matches the host's IAnyCAPlugin version.
+- feat(build): Single `DcvSupport` MSBuild flag selects the host-matched build from one codebase — default no-DCV (IAnyCAPlugin `3.2.0`, AnyCA Gateway 25.5.x) or `-p:DcvSupport=true` for the DCV build (IAnyCAPlugin `3.3.0-PRERELEASE`, 26.x). Records persist only when the build matches the host's IAnyCAPlugin version.
 - feat(config): Connector-level configuration for pre-vetted organization/group/technical-contact injection, DCV timing knobs (challenge/issuance waits), and SSL order defaults.
 - feat(sync): `IgnoreExpired` flag to exclude expired certificates from synchronization.
 

QUICKSTART.md

@@ -322,11 +322,15 @@ try {
 }
 ```
 
-> **Doing this for all 8 sandbox products?** Wrap Steps 2 and 3 in a
-> loop over the (ProductID, ProductCode) pairs. The sandbox product
+> **Note on CERTInext key algorithm restrictions:** The gateway profile's `key_algs` block defines what Command *allows* — it does not reflect what CERTInext will accept. CERTInext additionally restricts enrollments to RSA 2048/3072/4096 and ECC P-256/P-384. Orders submitted with P-521, Ed25519, Ed448, or RSA larger than 4096 bits are accepted by Command and the gateway but rejected by CERTInext with `Invalid key size`. Configure your profiles and templates to only permit the key types CERTInext supports.
+
+> **Doing this for all 8 non-EV sandbox products?** Wrap Steps 2 and 3 in a
+> loop over the (ProductID, ProductCode) pairs. The sandbox non-EV product
 > codes are 842 (DV SSL), 843 (DV Wildcard), 844 (DV UCC), 845 (DV
 > Wildcard UCC), 846 (OV SSL), 847 (OV Wildcard), 848 (OV UCC), 849
-> (OV Wildcard UCC).
+> (OV Wildcard UCC). EV SSL (850) and EV UCC (851) require additional
+> `contractSignerInfo`, `certificateApproverInfo`, and org/contract fields
+> beyond the base product set.
 
 ---
 
@@ -799,4 +803,4 @@ sync pulls down the actual certificate.
 | Step 6 returns `0xA0110004` "Key type 'RSA' disallowed by policy" | Gateway `key_algs` are empty or wrong, or Command hasn't re-imported templates after a profile change | Update `key_algs` (Step 2), re-run `/Templates/Import` (Step 5). |
 | Step 6 returns `0xA0010023` "external validation" with HTTP 400 | The gateway returned a pending response and Command's exception filter translated it — Command 25.x bug | The plugin DID accept the order. Confirm via `GET ${GATEWAY_URL}/AnyGatewayREST/.../v1/certificate/<id>`. Fixed in newer Command builds; rewrite as 200 with disposition `EXTERNAL_VALIDATION`. |
 | Step 6 returns `"Inactive Account User."` from the gateway log | CERTInext sandbox rate limit | Wait 5-25 minutes; retry a single order to confirm the account is alive. See [#8](https://github.com/Keyfactor/certinext-caplugin/issues/8). |
-| Step 6 returns `TypeLoadException IDomainValidatorFactory` in the gateway pod log | Older plugin DLL incompatible with the host gateway's `IAnyCAPlugin` version | Rebuild the plugin from `main` and re-stage; the field re-typing fix is required for gateways shipping `IAnyCAPlugin` < v3.3. |
+| Step 6 returns `TypeLoadException IDomainValidatorFactory` in the gateway pod log | DCV build deployed on a gateway running IAnyCAPlugin 3.2.x (25.5.x) | Deploy the no-DCV build (the default release artifact); do not deploy the DCV build (`-p:DcvSupport=true`) on a gateway running IAnyCAPlugin 3.2.x (25.5.x). Use the DCV build only on 26.x. |

docs/reference/README.md

@@ -40,6 +40,11 @@ P-256/384/521 + Ed25519/Ed448" policy. Match this `key_algs` shape on
 new profiles to avoid Command's misleading `0xA0110004` "Key type
 disallowed by policy" error.
 
+> **Note:** The gateway profile defines what Command permits; CERTInext itself only
+> accepts RSA 2048/3072/4096 and ECC P-256/P-384. Orders using P-521, Ed25519,
+> Ed448, or RSA larger than 4096 bits are accepted by Command but rejected by
+> CERTInext with `Invalid key size`.
+
 The profiles **don't** carry CA-binding information; they're top-level
 gateway resources. The CA configuration's `Templates[].CertificateProfile`
 field is what binds a product to its profile by name.

docsource/configuration.md

@@ -7,7 +7,7 @@ The CERTInext AnyCA Gateway REST plugin extends the certificate lifecycle capabi
     * Expired certificates can optionally be excluded from synchronization using the `IgnoreExpired` configuration flag.
 * Certificate Enrollment for profiles configured in CERTInext:
     * New certificate enrollment (new keys and certificate).
-    * Certificate renewal via the CERTInext renew API when the prior certificate is within the configured renewal window.
+    * Certificate renewal — submits a new `GenerateOrderSSL` order when the prior certificate is within the configured renewal window (CERTInext has no dedicated renewal endpoint; the renewal-window check governs how Command tracks old→new, not which API is called).
     * Certificate reissuance (new keys with the same or updated subject/SANs) when outside the renewal window or no prior certificate is found.
 * Certificate Revocation:
     * Request revocation of a previously issued certificate using any RFC 5280 CRL reason code.
@@ -17,8 +17,8 @@ The CERTInext AnyCA Gateway REST plugin extends the certificate lifecycle capabi
 
 ## Requirements
 
-* Keyfactor Command 10.x or later
-* AnyCA Gateway REST framework version 24.2.0 or later
+* Keyfactor Command 25.5.x or later
+* AnyCA Gateway REST framework version 25.5.0 or later
 * A CERTInext account with API access enabled and at least one certificate product configured
 * Network connectivity from the AnyCA Gateway host to the CERTInext API endpoint for your region (see table below)
 * The AnyCA Gateway host must trust the TLS certificate presented by the CERTInext API endpoint
@@ -95,7 +95,7 @@ The following fields are presented in the Keyfactor Command Management Portal wh
 
 | Field | Required / Optional | Description | Where to find it | Example |
 |---|---|---|---|---|
-| `ApiUrl` | Required | CERTInext API base URL for your environment. Must include the `/emSignHub-API/` path segment. No trailing slash is required but is accepted. | See the environments table above. | `https://api.certinext.io/emSignHub-API` |
+| `ApiUrl` | Required | CERTInext API base URL for your environment. Must include the `/emSignHub-API/` path segment. No trailing slash is required but is accepted. | See the environments table above. | `https://api.certinext.io/emSignHub-API/` |
 | `AccountNumber` | Required | Your CERTInext account number (numeric string). Included in the `meta` block of every API request. | Portal → click your name or avatar → **Account Settings** or **My Profile**. | `1234567890` |
 | `AuthMode` | Required | Authentication mode. `AccessKey` uses HMAC signing (recommended). `OAuth` uses a bearer token. | N/A — choose based on the credential type you created. | `AccessKey` |
 | `ApiKey` | Conditional | The REST API Access Key generated in the CERTInext portal. Used to compute `authKey = SHA256(accessKey + ts + txn)`. The raw key is never transmitted. Required when `AuthMode` is `AccessKey`. This field is masked in the UI. | Portal → **Integrations → APIs** → generate or view the credential row. | *(generated, masked in UI)* |
@@ -231,8 +231,8 @@ Where `requestTs` is the ISO 8601 timestamp and `requestTxnId` is a unique trans
 When the gateway calls `Enroll`, the plugin selects between three paths based on the enrollment type and the age of the prior certificate:
 
 1. **New enrollment** — no prior certificate exists. A new `GenerateOrderSSL` request is submitted.
-2. **Renewal** — a prior certificate exists and its expiry is within the `RenewalWindowDays` threshold (default: 90 days). The plugin calls the CERTInext renew API, which reuses the existing subscription term.
-3. **Reissue** — a prior certificate exists but is outside the renewal window. A new order is placed with the updated CSR/subject, replacing the prior certificate under a new subscription.
+2. **Renewal** — a prior certificate exists and its expiry is within the `RenewalWindowDays` threshold (default: 90 days). A new `GenerateOrderSSL` order is submitted within the configured renewal window (CERTInext has no dedicated renewal endpoint; the renewal-window check governs how Command tracks old→new, not which API is called).
+3. **Reissue** — a prior certificate exists but is outside the renewal window. A new `GenerateOrderSSL` order is placed with the updated CSR/subject, replacing the prior certificate under a new subscription.
 
 The `RenewalWindowDays` template parameter controls the renewal/reissue boundary per certificate template.
 

docsource/development.md

@@ -80,6 +80,9 @@ make orders     # lists recent orders — useful to find an ORDER_NUMBER to test
 | Place a draft order | `make generate-order DOMAIN=example.com [CSR_FILE=req.pem] [VALIDITY=1] [SAVE_AND_HOLD=1]` | `GenerateOrderSSL` — places a new order; `SAVE_AND_HOLD=1` (default) creates a draft |
 | Revoke an order | `make revoke-order ORDER_NUMBER=NNNNN [REASON_ID=1]` | `RevokeOrder` — revokes an issued certificate |
 | Attach a CSR to a draft | `make submit-csr ORDER_NUMBER=NNNNN CSR_FILE=req.pem` | `SubmitCSR` — attaches a CSR to a saveAndHold draft order |
+| Discover product codes | `make probe-products` | Places `saveAndHold=1` draft orders for all known SSL/TLS product codes and reports which ones the account accepts |
+| Cancel one pending order | `scripts/reject-order.sh ORDER_NUMBER=NNNNN` | Shell script — cancels a single pending order (not a `make` target) |
+| Cancel all pending orders | `scripts/reject-all-pending.sh` | Shell script — dry-run by default; set `REJECT_ALL_PENDING=1` to fire (not a `make` target) |
 | Show API target help | `make api-help` | Prints usage for all API targets |
 
 > Note: `TrackOrder` and `GetCertificate` require a formal `orderNumber`, which is only assigned after a draft order is submitted and approved. Draft orders (created with `saveAndHold:"1"`) have a `requestNumber` but no `orderNumber` until that point.

docsource/overview.md

@@ -37,7 +37,7 @@ Empirically the limit kicks in at roughly **16+ enrollments submitted within 10
 **Confirmation steps**
 
 1. Run a single `Ping` against the same `ApiUrl` / `AccessKey`. If it succeeds, the account is active; the prior failure was almost certainly a rate-limit hit.
-2. Check the gateway warning log for the `LogApiFailure` line emitted just before the throw (see issue [#8](../../issues/8) and the `LogApiFailure` helper in `CERTInextClient.cs`). The full raw response body is included there — if CERTInext ever surfaces a distinguishing code or message for rate-limit (as opposed to account-state), it will appear in that line.
+2. Check the gateway warning log for the `LogApiFailure` line emitted just before the throw (see issue [#8](https://github.com/Keyfactor/certinext-caplugin/issues/8) and the `LogApiFailure` helper in `CERTInextClient.cs`). The full raw response body is included there — if CERTInext ever surfaces a distinguishing code or message for rate-limit (as opposed to account-state), it will appear in that line.
 3. Wait 30–60 seconds, then retry the failed enrollment(s). A successful retry confirms it was rate-limit.
 
 **Mitigation**
@@ -85,8 +85,8 @@ Gateway returns HTTP 500 on CA registration or first enrollment with the body `{
 
 **Root cause**
 
-Older gateway image whose bundled `Keyfactor.AnyGateway.IAnyCAPlugin` assembly is v3.2 or earlier (the `IDomainValidatorFactory` interface is v3.3+). This was fully addressed by the issue [#7](../../issues/7) fix in v1.0 — both the constructor-signature surface AND the field-type surface are now safe to load on v3.2 hosts.
+Older gateway image whose bundled `Keyfactor.AnyGateway.IAnyCAPlugin` assembly is v3.2 or earlier (the `IDomainValidatorFactory` interface is v3.3+). This was fully addressed by the issue [#7](https://github.com/Keyfactor/certinext-caplugin/issues/7) fix in v1.0 — both the constructor-signature surface AND the field-type surface are now safe to load on v3.2 hosts.
 
 **Mitigation**
 
-Use the build that matches your gateway host. The **default build (no-DCV, IAnyCAPlugin 3.2.0)** is the one that loads *and* persists records on AnyCA Gateway 25.5.x, and it is what the released artifact ships — so on a 25.5.x host, deploy the default build. The DCV-capable build (IAnyCAPlugin 3.3.0, `dotnet build -p:DcvSupport=true`) is for AnyCA Gateway 26.x; loading it on a 25.5.x host triggers the type-load error above and, even when it loads, its records do not persist on a 3.2 host. See the `DcvSupport` build variants in the developer guide.
+Deploy the default (no-DCV) build for AnyCA Gateway 25.5.x; do not deploy the DCV build on a 25.5.x host. The **default build (no-DCV, IAnyCAPlugin 3.2.0)** is the one that loads *and* persists records on AnyCA Gateway 25.5.x, and it is what the released artifact ships. The DCV-capable build (IAnyCAPlugin 3.3.0-PRERELEASE, `dotnet build -p:DcvSupport=true`) is for AnyCA Gateway 26.x; loading it on a 25.5.x host triggers the type-load error above and, even when it loads, its records do not persist on a 3.2 host. See the `DcvSupport` build variants in the developer guide.

integration-manifest.json

@@ -27,7 +27,7 @@
             "ca_plugin_config": [
                 {
                     "name": "ApiUrl",
-                    "description": "REQUIRED: CERTInext API base URL. Sandbox (US): https://sandbox-us-api.certinext.io/emSignHub-API/ \u2014 Production (US): https://us-api.certinext.io/ \u2014 Production (Global/India): https://api.certinext.io/"
+                    "description": "REQUIRED: CERTInext API base URL. Sandbox (US): https://sandbox-us-api.certinext.io/emSignHub-API/ \u2014 Production (US): https://us-api.certinext.io/emSignHub-API/ \u2014 Production (Global/India): https://api.certinext.io/emSignHub-API/"
                 },
                 {
                     "name": "AccountNumber",
@@ -139,7 +139,7 @@
                 },
                 {
                     "name": "Enabled",
-                    "description": "Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA connector prior to configuration information being available."
+                    "description": "Enables or disables the CA connector. Set to false to create the connector record before credentials are available. Default: true."
                 },
                 {
                     "name": "DcvEnabled",