Commit 99add21

build: default DcvSupport to false (ship the GA-host 3.2.0 build)
CI uses Keyfactor's shared starter workflow, which runs a plain 'dotnet build -c Release' with no -p args — so it built the DEFAULT variant. With DcvSupport defaulting to true that shipped the IAnyCAPlugin 3.3.0-PRERELEASE / DCV build, which does NOT persist on the current GA gateway (AnyCA Gateway 25.5.x ships IAnyCAPlugin 3.2.0 — issue 0003) and pinned an official release to a prerelease package. Flip the default to false so the plain CI build produces the no-DCV / 3.2.0 GA artifact; DCV is now the opt-in '-p:DcvSupport=true' build for 26.x. Docs updated (docsource/): DcvSupport build-variant table in the developer guide (default = no-DCV/3.2.0), host-matched mitigation in overview troubleshooting, and the confirmed CERTInext key-algorithm envelope (RSA 2048/3072/4096 + ECC P-256/P-384) on the KeyType template parameter.
1 parent edd8b21 commit 99add21

6 files changed

Lines changed: 38 additions & 17 deletions

CERTInext.IntegrationTests/CERTInext.IntegrationTests.csproj

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6,9 +6,9 @@
66
<LangVersion>12.0</LangVersion>
77
<IsPackable>false</IsPackable>
88
<IsTestProject>true</IsTestProject>
9-
<!-- Mirror the main project's DcvSupport flag so DCV test files compile in (and SUPPORTS_DCV
10-
is defined) on the default DCV build, and are excluded with -p:DcvSupport=false. -->
11-
<DcvSupport Condition="'$(DcvSupport)' == ''">true</DcvSupport>
9+
<!-- Mirror the main project's DcvSupport flag. Default false → DCV test files are excluded
10+
(matches the GA no-DCV build); -p:DcvSupport=true compiles them in with SUPPORTS_DCV. -->
11+
<DcvSupport Condition="'$(DcvSupport)' == ''">false</DcvSupport>
1212
<DefineConstants Condition="'$(DcvSupport)' == 'true'">$(DefineConstants);SUPPORTS_DCV</DefineConstants>
1313
</PropertyGroup>
1414
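Review bot: With the default on line 11 flipped to false, the plain CI build described in the commit message no longer compiles the DCV test files, so the SUPPORTS_DCV code path is not even compile-checked in CI. Consider adding a second CI job (or matrix entry) that builds and tests with -p:DcvSupport=true so the opt-in variant cannot regress unnoticed.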

CERTInext.Tests/CERTInext.Tests.csproj

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6,9 +6,9 @@
66
<LangVersion>12.0</LangVersion>
77
<IsPackable>false</IsPackable>
88
<IsTestProject>true</IsTestProject>
9-
<!-- Mirror the main project's DcvSupport flag so DCV test files compile in (and SUPPORTS_DCV
10-
is defined) on the default DCV build, and are excluded with -p:DcvSupport=false. -->
11-
<DcvSupport Condition="'$(DcvSupport)' == ''">true</DcvSupport>
9+
<!-- Mirror the main project's DcvSupport flag. Default false → DCV test files are excluded
10+
(matches the GA no-DCV build); -p:DcvSupport=true compiles them in with SUPPORTS_DCV. -->
11+
<DcvSupport Condition="'$(DcvSupport)' == ''">false</DcvSupport>
1212
<DefineConstants Condition="'$(DcvSupport)' == 'true'">$(DefineConstants);SUPPORTS_DCV</DefineConstants>
1313
</PropertyGroup>
1414
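Review bot: The default on line 11 is declared identically in three project files (this one, CERTInext.IntegrationTests.csproj and CERTInext.csproj), and this commit had to change all three in lockstep. Moving `<DcvSupport Condition="'$(DcvSupport)' == ''">false</DcvSupport>` into a shared Directory.Build.props would leave one place to change and remove the risk of a test project defaulting differently from the plugin it tests.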

CERTInext/CERTInext.csproj

Lines changed: 12 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -7,21 +7,24 @@
77
<Nullable>warnings</Nullable>
88
<LangVersion>12.0</LangVersion>
99
<!-- DcvSupport toggles DCV (DNS-01 domain validation) across the entire build. Default
10-
true → IAnyCAPlugin 3.3.0-PRERELEASE + the SUPPORTS_DCV compile constant (26.x hosts).
11-
Build with -p:DcvSupport=false for the IAnyCAPlugin 3.2.0 / no-DCV variant required by
12-
25.5.0 hosts — DCV code is then fenced out with #if SUPPORTS_DCV. This one property
13-
drives the package version, the compile constant, and DCV test-file inclusion, so the
14-
two host targets are a build flag rather than a maintained fork. See issue 0003. -->
15-
<DcvSupport Condition="'$(DcvSupport)' == ''">true</DcvSupport>
10+
FALSE → IAnyCAPlugin 3.2.0, DCV fenced out via #if SUPPORTS_DCV. This is the contract
11+
that persists on the current GA gateway (AnyCA Gateway 25.5.x / IAnyCAPlugin 3.2.0), it
12+
depends only on a stable (non-prerelease) package, and it is what CI ships by default —
13+
so the released artifact works on GA hosts (see issue 0003). Build with
14+
-p:DcvSupport=true for the IAnyCAPlugin 3.3.0-PRERELEASE + SUPPORTS_DCV variant (DCV;
15+
AnyCA Gateway 26.x / IAnyCAPlugin >= 3.3). The one property drives the package version,
16+
the SUPPORTS_DCV compile constant, and DCV test-file inclusion, so the two host targets
17+
are a build flag rather than a maintained fork. -->
18+
<DcvSupport Condition="'$(DcvSupport)' == ''">false</DcvSupport>
1619
<DefineConstants Condition="'$(DcvSupport)' == 'true'">$(DefineConstants);SUPPORTS_DCV</DefineConstants>
1720
<CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
1821
</PropertyGroup>
1922

2023
<ItemGroup>
2124
<!-- IAnyCAPlugin version follows DcvSupport so the plugin's AnyCAPluginCertificate contract
22-
matches the gateway host: 3.3.0-PRERELEASE (DCV / 26.x hosts) by default, or 3.2.0
23-
(no-DCV / 25.5.0 hosts, e.g. anygateway-rest 25.5.0) with -p:DcvSupport=false. The
24-
3.3-only IDomainValidatorFactory is only referenced from #if SUPPORTS_DCV code, so the
25+
matches the gateway host: 3.2.0 (no-DCV / 25.5.x hosts, e.g. anygateway-rest 25.5.0) by
26+
default, or 3.3.0-PRERELEASE (DCV / 26.x hosts) with -p:DcvSupport=true. The 3.3-only
27+
IDomainValidatorFactory is only referenced from #if SUPPORTS_DCV code, so the default
2528
3.2.0 build compiles cleanly. See issue 0003. -->
2629
<PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.3.0-PRERELEASE-78770-979f582005" Condition="'$(DcvSupport)' == 'true'" />
2730
<PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.2.0" Condition="'$(DcvSupport)' != 'true'" />
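Review bot: The two PackageReference conditions at the end of this hunk are `== 'true'` and `!= 'true'`, so any other value (a typo such as -p:DcvSupport=ture, or yes / 1) silently selects the 3.2.0 no-DCV package. Now that DCV is the opt-in, a mistyped opt-in yields an artifact without DCV and no diagnostic. Suggest failing the build when DcvSupport is neither true nor false, for example with an Error task in a target that runs before the build. Minor: the new comment writes FALSE in capitals while the property value is false.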

docsource/configuration.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -138,7 +138,7 @@ In the Keyfactor Command Management Portal, navigate to **Certificate Templates*
138138
| `RequesterName` | Optional | String | Per-template override for the requestor name. When set, overrides the connector-level `RequestorName` for orders using this template. | `Keyfactor Automation` |
139139
| `RequesterEmail` | Optional | String | Per-template override for the requestor email address. When set, overrides the connector-level `RequestorEmail` for orders using this template. | `pki-admin@example.com` |
140140
| `RenewalWindowDays` | Optional | Number | Number of days before certificate expiration within which a renewal is attempted instead of a reissue. Default: `90`. | `90` |
141-
| `KeyType` | Optional | String | Key algorithm to request at enrollment time. Valid values depend on what the target product supports. If omitted, the product default is used. | `RSA2048`, `RSA4096`, `EC256`, `EC384` |
141+
| `KeyType` | Optional | String | Key algorithm to request at enrollment time. The key type is carried by the submitted CSR. CERTInext accepts **RSA 2048 / 3072 / 4096 and ECC P-256 / P-384** only — larger RSA, ECC P-521, and the Ed25519/Ed448 curves are rejected by the CA (`Invalid key size`). If omitted, the product default is used. | `RSA2048`, `RSA3072`, `RSA4096`, `EC256`, `EC384` |
142142
| `DomainName` | Optional | String | Primary domain name for SSL/TLS orders. If omitted, the gateway derives the domain from the CSR `CN` field. | `example.com` |
143143
| `SignerName` | Optional | String | Per-template override for the subscriber agreement signer name. When omitted, defaults to the connector-level `RequestorName`. | `Jane Smith` |
144144
| `SignerPlace` | Optional | String | Per-template override for the subscriber agreement signer location. When omitted, defaults to the connector-level `SignerPlace`. | `Austin` |
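Review bot: The new KeyType description on line 141 says the key type is carried by the submitted CSR, but it does not say what happens when the template's KeyType value and the CSR's actual key disagree, or whether the gateway checks the value before submitting. As written, a reader cannot tell whether an unsupported value fails locally or only at the CA with `Invalid key size`. Suggest one sentence stating which of the two is authoritative and where the rejection surfaces.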

docsource/development.md

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,24 @@ CERTINEXT_SIGNER_IP=
4040
| Coverage report (browser) | `make coverage-report` | Same as `coverage`, then opens HTML report in the default browser |
4141
| Clean | `make clean` | `dotnet clean` and wipe coverage output directories |
4242

43+
### Build variants — `DcvSupport` (DCV vs no-DCV)
44+
45+
The plugin builds against two `Keyfactor.AnyGateway.IAnyCAPlugin` contracts from a single
46+
codebase, selected by the `DcvSupport` MSBuild property. The plugin's `AnyCAPluginCertificate`
47+
records must match the gateway host's IAnyCAPlugin version to persist, so the build must target
48+
the host (see issue 0003).
49+
50+
| Build | Command | IAnyCAPlugin | DCV | Target gateway host |
51+
|---|---|---|---|---|
52+
| **No-DCV (default)** | `make build` / `dotnet build` | `3.2.0` (stable) | fenced out (`#if SUPPORTS_DCV`) | AnyCA Gateway **25.5.x** (IAnyCAPlugin 3.2.0) |
53+
| **DCV** | `dotnet build -p:DcvSupport=true` | `3.3.0-PRERELEASE` | enabled | AnyCA Gateway **26.x** (IAnyCAPlugin ≥ 3.3) |
54+
55+
The **default is the no-DCV / 3.2.0 build** — it is the GA artifact that loads and persists on the
56+
current GA gateway (25.5.x) and depends only on a stable package, so it is what CI ships. Build the
57+
DCV variant explicitly with `-p:DcvSupport=true` for 26.x hosts. The one property drives the package
58+
version, the `SUPPORTS_DCV` compile constant, and DCV test-file inclusion across all three projects,
59+
so the two host targets are a build flag rather than a maintained fork.
60+
4361
## API Smoke-Test Targets
4462

4563
All API targets source `~/.env_certinext`, compute the HMAC `authKey` (`SHA256(accessKey + ts + txn)`), and call the live CERTInext API via `curl`. All JSON responses are piped through `jq`.
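Review bot: The build-variant table gives only build commands, yet the paragraph under it says the property also drives DCV test-file inclusion across all three projects. A developer who builds with -p:DcvSupport=true and then runs a plain test command gets the DCV tests excluded without notice. Suggest adding the test invocation for the DCV variant to the table, or a note that the same -p:DcvSupport=true must be passed when testing. The table also shows `3.3.0-PRERELEASE` where the project file pins the full version `3.3.0-PRERELEASE-78770-979f582005`; say that the table value is abbreviated.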

docsource/overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -89,4 +89,4 @@ Older gateway image whose bundled `Keyfactor.AnyGateway.IAnyCAPlugin` assembly i
8989

9090
**Mitigation**
9191

92-
Upgrade to the v1.0 release or later. If you are on a build before that fix, the headline error means the plugin DLL was built against the v3.3 prerelease but is being loaded against a v3.2 host with no DCV path — older builds need to be rebuilt against the post-fix `main`.
92+
Use the build that matches your gateway host. The **default build (no-DCV, IAnyCAPlugin 3.2.0)** is the one that loads *and* persists records on AnyCA Gateway 25.5.x, and it is what the released artifact ships — so on a 25.5.x host, deploy the default build. The DCV-capable build (IAnyCAPlugin 3.3.0, `dotnet build -p:DcvSupport=true`) is for AnyCA Gateway 26.x; loading it on a 25.5.x host triggers the type-load error above and, even when it loads, its records do not persist on a 3.2 host. See the `DcvSupport` build variants in the developer guide.
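Review bot: The replaced sentence told readers which release to upgrade to ("the v1.0 release or later"); the new line 92 drops every version reference, so someone holding an older released artifact cannot tell whether it is the DCV or the no-DCV build. Suggest stating from which release the default artifact is the no-DCV / 3.2.0 build. Line 92 also calls the DCV contract "IAnyCAPlugin 3.3.0" while the project file pins a 3.3.0-PRERELEASE package; the prerelease status is worth keeping in the wording.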
