Support · Requirements · Installation · License · Related Integrations
This integration allows for the Synchronization, Enrollment, and Revocation of certificates from the CSCGlobal. This is the AnyGateway REST version.
The CSCGlobal CAPlugin AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2.0 and later.
The CSCGlobal CAPlugin AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com.
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.
This integration is tested and confirmed as working for Anygateway REST 24.2 and above. Notice: Keyfactor Anygateway REST 24.4 requires the use of .Net 8.
-
Install the AnyCA Gateway REST per the official Keyfactor documentation.
-
On the server hosting the AnyCA Gateway REST, download and unzip the latest CSCGlobal CAPlugin AnyCA Gateway REST plugin from GitHub.
-
Copy the unzipped directory (usually called
net6.0ornet8.0) to the Extensions directory:Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations: Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net6.0\Extensions Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
The directory containing the CSCGlobal CAPlugin AnyCA Gateway REST plugin DLLs (
net6.0ornet8.0) can be named anything, as long as it is unique within theExtensionsdirectory. -
Restart the AnyCA Gateway REST service.
-
Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the CSCGlobal CAPlugin plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
-
Follow the official AnyCA Gateway REST documentation to define a new Certificate Authority, and use the notes below to configure the Gateway Registration and CA Connection tabs:
-
Gateway Registration
The Root certificates for installation on the Anygateway server machine should be obtained from CSC.
-
CA Connection
Populate using the configuration fields collected in the requirements section.
- CscGlobalUrl - CSCGlobal API URL
- ApiKey - CSCGlobal API Key
- BearerToken - CSCGlobal Bearer Token
- DefaultPageSize - Default page size for use with the API. Default is 100
- SyncFilterDays - Number of days from today to filter certificates by expiration date during incremental sync.
- RenewalWindowDays - Number of days before the annual order expiry within which a RenewOrReissue triggers a paid Renewal rather than a free Reissue. Default is 30.
- DcvPollTimeoutSeconds - Max seconds to synchronously poll CSC for issuance after submitting an order (and publishing CNAME DCV). 0 disables polling (enrollment returns pending immediately; cert arrives on next sync). When >0, fast-validating orders can return the cert directly. Keep small to avoid long-blocking enrollment requests.
-
-
PLEASE NOTE, AT THIS TIME THE RAPID_SSL TEMPLATE IS NOT SUPPORTED BY THE CSC API AND WILL NOT WORK WITH THIS INTEGRATION
The following certificate templates are supported. Please set up the key sizes accordingly in the Certificate Profile menu of Anygateway REST, then enter the remaining details and the Enrollment Fields for each Template accordingly using the Certificate Templates section in Command. If you would like to set up default values for enrollment parameters, you can do so the in the Certificate Template Menu of Anygateway REST. If a field value is specified as both an Enrollment Field in Command and in the Certificate Template Menu in the REST Gateway, the value in the Enrollment Field will take precedence.
CONFIG ELEMENT DESCRIPTION Template Short Name CSC TrustedSecure Premium Certificate Template Display Name CSC TrustedSecure Premium Certificate Friendly Name CSC TrustedSecure Premium Certificate Keys Size 2048 Enforce RFC 2818 Compliance True CSR Enrollment True Pfx Enrollment True CSC TrustedSecure Premium Certificate - Enrollment Fields
NAME DATA TYPE VALUES Term Multiple Choice 12,24 Applicant First Name String N/A Applicant Last Name String N/A Applicant Email Address String N/A Applicant Phone String N/A Domain Control Validation Method Multiple Choice EMAIL Organization Contact Multiple Choice Get From CSC Differs For Clients Business Unit Multiple Choice Get From CSC Differs For Clients Notification Email(s) Comma Separated String N/A CN DCV Email String N/A CSC TrustedSecure EV Certificate - Details Tab
CONFIG ELEMENT DESCRIPTION Template Short Name CSC TrustedSecure EV Certificate Template Display Name CSC TrustedSecure EV Certificate Friendly Name CSC TrustedSecure EV Certificate Keys Size 2048 Enforce RFC 2818 Compliance True CSR Enrollment True Pfx Enrollment True CSC TrustedSecure EV Certificate - Enrollment Fields
NAME DATA TYPE VALUES Term Multiple Choice 12,24 Applicant First Name String N/A Applicant Last Name String N/A Applicant Email Address String N/A Applicant Phone String N/A Domain Control Validation Method Multiple Choice EMAIL Organization Contact Multiple Choice Get From CSC Differs For Clients Business Unit Multiple Choice Get From CSC Differs For Clients Notification Email(s) Comma Separated String N/A CN DCV Email String N/A Organization Country String N/A CSC TrustedSecure UC Certificate - Details Tab
CONFIG ELEMENT DESCRIPTION Template Short Name CSC TrustedSecure UC Certificate Template Display Name CSC TrustedSecure UC Certificate Friendly Name CSC TrustedSecure UC Certificate Keys Size 2048 Enforce RFC 2818 Compliance True CSR Enrollment True Pfx Enrollment True CSC TrustedSecure UC Certificate - Enrollment Fields
NAME DATA TYPE VALUES Term Multiple Choice 12,24 Applicant First Name String N/A Applicant Last Name String N/A Applicant Email Address String N/A Applicant Phone String N/A Domain Control Validation Method Multiple Choice EMAIL Organization Contact Multiple Choice Get From CSC Differs For Clients Business Unit Multiple Choice Get From CSC Differs For Clients Notification Email(s) Comma Separated String N/A CN DCV Email String N/A Addtl Sans Comma Separated DCV Emails String N/A CSC TrustedSecure Premium Wildcard Certificate - Details Tab
CONFIG ELEMENT DESCRIPTION Template Short Name CSC TrustedSecure Premium Wildcard Certificate Template Display Name CSC TrustedSecure Premium Wildcard Certificate Friendly Name CSC TrustedSecure Premium Wildcard Certificate Keys Size 2048 Enforce RFC 2818 Compliance True CSR Enrollment True Pfx Enrollment True CSC TrustedSecure Premium Wildcard Certificate - Enrollment Fields
NAME DATA TYPE VALUES Term Multiple Choice 12,24 Applicant First Name String N/A Applicant Last Name String N/A Applicant Email Address String N/A Applicant Phone String N/A Domain Control Validation Method Multiple Choice EMAIL Organization Contact Multiple Choice Get From CSC Differs For Clients Business Unit Multiple Choice Get From CSC Differs For Clients Notification Email(s) Comma Separated String N/A CN DCV Email String N/A CSC TrustedSecure Domain Validated SSL - Details Tab
CONFIG ELEMENT DESCRIPTION Template Short Name CSC TrustedSecure Domain Validated SSL Template Display Name CSC TrustedSecure Domain Validated SSL Friendly Name CSC TrustedSecure Domain Validated SSL Keys Size 2048 Enforce RFC 2818 Compliance True CSR Enrollment True Pfx Enrollment True CSC TrustedSecure Domain Validated SSL - Enrollment Fields
NAME DATA TYPE VALUES Term Multiple Choice 12,24 Applicant First Name String N/A Applicant Last Name String N/A Applicant Email Address String N/A Applicant Phone String N/A Domain Control Validation Method Multiple Choice EMAIL Organization Contact Multiple Choice Get From CSC Differs For Clients Business Unit Multiple Choice Get From CSC Differs For Clients Notification Email(s) Comma Separated String N/A CN DCV Email String N/A CSC TrustedSecure Domain Validated Wildcard SSL - Details Tab
CONFIG ELEMENT DESCRIPTION Template Short Name CSC TrustedSecure Domain Validated Wildcard SSL Template Display Name CSC TrustedSecure Domain Validated Wildcard SSL Friendly Name CSC TrustedSecure Domain Validated Wildcard SSL Keys Size 2048 Enforce RFC 2818 Compliance True CSR Enrollment True Pfx Enrollment True CSC TrustedSecure Domain Validated Wildcard SSL - Enrollment Fields
NAME DATA TYPE VALUES Term Multiple Choice 12,24 Applicant First Name String N/A Applicant Last Name String N/A Applicant Email Address String N/A Applicant Phone String N/A Domain Control Validation Method Multiple Choice EMAIL Organization Contact Multiple Choice Get From CSC Differs For Clients Business Unit Multiple Choice Get From CSC Differs For Clients Notification Email(s) Comma Separated String N/A CN DCV Email String N/A CSC TrustedSecure Domain Validated UC Certificate - Details Tab
CONFIG ELEMENT DESCRIPTION Template Short Name CSC TrustedSecure Domain Validated UC Certificate Template Display Name CSC TrustedSecure Domain Validated UC Certificate Friendly Name CSC TrustedSecure Domain Validated UC Certificate Keys Size 2048 Enforce RFC 2818 Compliance True CSR Enrollment True Pfx Enrollment True CSC TrustedSecure Domain Validated UC Certificate - Enrollment Fields
NAME DATA TYPE VALUES Term Multiple Choice 12,24 Applicant First Name String N/A Applicant Last Name String N/A Applicant Email Address String N/A Applicant Phone String N/A Domain Control Validation Method Multiple Choice EMAIL Organization Contact Multiple Choice Get From CSC Differs For Clients Business Unit Multiple Choice Get From CSC Differs For Clients Notification Email(s) Comma Separated String N/A CN DCV Email String N/A Addtl Sans Comma Separated DCV Emails String N/A -
Follow the official Keyfactor documentation to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
-
In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the official documentation to define enrollment fields for each of the following parameters:
- Term - OPTIONAL: Certificate term (e.g. 12 or 24 months)
- Applicant First Name - OPTIONAL: Applicant First Name
- Applicant Last Name - OPTIONAL: Applicant Last Name
- Applicant Email Address - OPTIONAL: Applicant Email Address
- Applicant Phone - OPTIONAL: Applicant Phone (+nn.nnnnnnnn)
- Domain Control Validation Method - OPTIONAL: Domain Control Validation Method (e.g. EMAIL)
- Organization Contact - OPTIONAL: Organization Contact (selected from CSC configuration)
- Business Unit - OPTIONAL: Business Unit (selected from CSC configuration)
- Notification Email(s) Comma Separated - OPTIONAL: Notification Email(s), comma separated
- CN DCV Email - OPTIONAL: CN DCV Email (e.g. admin@yourdomain.com)
- Organization Country - OPTIONAL: Organization Country
- Addtl Sans Comma Separated DCV Emails - OPTIONAL: Additional SANs DCV Emails, comma separated
When defining the Certificate Authority in the AnyCA Gateway REST portal, configure the following fields on the CA Connection tab:
| CONFIG ELEMENT | DESCRIPTION | DEFAULT |
|---|---|---|
| CscGlobalUrl | The base URL for the CSCGlobal API (e.g. https://apis.cscglobal.com) |
(required) |
| ApiKey | Your CSCGlobal API key | (required) |
| BearerToken | Your CSCGlobal Bearer token for authentication | (required) |
| DefaultPageSize | Page size for API list requests | 100 |
| SyncFilterDays | Number of days from today used to filter certificates by expiration date during incremental sync. Only certificates expiring within this window are returned. Does not apply to full sync. | 5 |
| RenewalWindowDays | Number of days before the annual order expiry date within which a RenewOrReissue request triggers a paid Renewal rather than a free Reissue. See Renewal vs. Reissue Logic below. | 30 |
| DcvPollTimeoutSeconds | Max seconds to synchronously poll CSC for certificate issuance after submitting an order. 0 disables polling (enrollment returns pending immediately; cert arrives on the next sync). When >0, fast-validating orders can return the issued cert directly in the enrollment response. See Synchronous Issuance Polling below. |
0 |
Note: DNS auto-publishing for CNAME DCV is handled by the AnyCA Gateway REST framework's Domain Validation system (gateway 3.3+). It's configured in the gateway UI under Domain Validation Configurations, not on the CA Connection tab. See DNS Auto-Publishing (CNAME DCV).
CSC Global subscriptions are annual orders. When Keyfactor Command sends a RenewOrReissue request, the plugin must decide whether to submit a Renewal (a new paid order) or a Reissue (a free re-key under the existing active order).
The decision is based on the RenewalWindowDays setting and works as follows:
- The plugin fetches the original certificate from CSC and reads its
orderDate. - It computes the order expiry as
orderDate + 1 year. - It calculates days remaining until the order expires.
- If
days remaining <= RenewalWindowDays, the request is treated as a Renewal (new paid order). - If
days remaining > RenewalWindowDays, the request is treated as a Reissue (free under the active order).
Example with default RenewalWindowDays = 30:
Order Date: 2025-04-08
Order Expiry: 2026-04-08
Today: 2026-03-15
Days Left: 24
24 <= 30 --> RENEWAL (new paid order)
Order Date: 2025-04-08
Order Expiry: 2026-04-08
Today: 2025-09-01
Days Left: 219
219 > 30 --> REISSUE (free under active order)
Fallback behavior: If the plugin cannot retrieve the orderDate from CSC (e.g., API error or missing field), it falls back to checking the certificate's expiration date. If the certificate is already expired, it treats the request as a Renewal.
Note: Both Renewal and Reissue submissions are asynchronous at CSC. The plugin returns a "pending" status and the issued certificate will appear in Keyfactor after the next sync cycle.
CSC supports two Domain Control Validation (DCV) methods: EMAIL and CNAME. With CNAME validation, CSC returns a CNAME record (name → target) that must exist in DNS before they will validate the order.
By default this plugin returns the CNAME details to Keyfactor Command for manual publishing. To fully automate enrollment, the plugin uses the AnyCA Gateway REST framework's built-in DNS provider system (available in framework 3.3 and later). The framework discovers DNS provider plugins deployed alongside the CA plugin and routes each CNAME to whichever provider claims the matching DNS zone.
- AnyCA Gateway REST framework 3.3 or later (the
IDomainValidatorFactoryinterface ships inKeyfactor.AnyGateway.IAnyCAPlugin3.3+). - At least one DNS provider DLL (e.g. GoDaddy, Cloudflare, Route 53, Azure) deployed in the gateway
Extensionsfolder. - A Domain Validation Configuration registered in the gateway UI that maps your domain(s) to the deployed provider (for example,
*.example.com→ GoDaddy).
- CSC returns the CNAME
name → targetdetails in the enrollment response. - For each CNAME entry, the plugin calls
IDomainValidatorFactory.ResolveDomainValidator(recordName, "cname"). - The framework returns the
IDomainValidatorwhose Domain Validation Configuration matches the record's zone (ornullif no match). - The plugin calls
validator.StageValidation(recordName, cnameTarget, ct)to publish the record. - CSC asynchronously validates the CNAME; the issued certificate appears on the next sync.
- Resolution is per record, not per CA. One CA can drive multiple DNS providers (GoDaddy for some domains, Route 53 for others) with no per-CA configuration.
- Only invoked for CNAME DCV. Templates configured with EMAIL validation are unaffected — no DNS publishing occurs.
- Best-effort. If no provider claims the zone, the publish call fails, or the factory wasn't injected (gateway pre-3.3), the enrollment still succeeds and the CNAME details remain in the Keyfactor request so a human can publish manually as a fallback.
- Trace-logged. Every resolution (matched/unresolved) and publish attempt (success/failure) is logged at Info/Trace level.
- Validation type string. The plugin passes
"cname"toResolveDomainValidator. CSC's DCV requires a CNAME record, which is different from ACME's"dns-01"challenge (a TXT record). A single DNS provider DLL can ship multiple validator classes — one advertising"dns-01"(publishes TXT, for ACME) and one advertising"cname"(publishes CNAME, for CSC). You must deploy and configure a validator that advertises"cname"or no provider will match. - Trailing dots normalized. CSC returns FQDN-canonical names with a trailing dot (e.g.
_token.example.com.). The plugin strips the trailing dot before resolution and publishing, because Domain Validation Configurations and DNS provider APIs expect names without it.
In the AnyCA Gateway REST portal, under Domain Validation Configurations:
- Add a new configuration.
- Pick a Domain Validator Type that publishes CNAME records and advertises validation type
cname. For GoDaddy this isGoDaddyCnameDomainValidator(theGoDaddyDomainValidatorvariant publishes TXT for ACME and will not work for CSC). - Add one or more domain patterns (e.g.
*.example.com). - Fill out the provider-specific Configuration Settings (API keys, base URL, etc.).
- Save.
Once configured, any CSC enrollment for a domain matching one of those patterns will have its CNAME auto-published.
Common pitfall: If you configure the TXT/
dns-01validator (e.g.GoDaddyDomainValidator) for a CSC domain, the record will publish as a TXT and CSC's CNAME validation will never succeed. Make sure you select the CNAME validator variant.
CSC validates domain control asynchronously — after an order is submitted (and the CNAME DCV record published), CSC/Sectigo polls public DNS on its own schedule and issues the certificate once validation passes. By default this plugin returns a pending (EXTERNALVALIDATION) result immediately and the issued certificate is picked up on the next gateway sync cycle.
For environments where DNS is published automatically (see DNS Auto-Publishing) and validation tends to complete quickly, you can have the plugin poll CSC synchronously at the end of enrollment and return the issued certificate directly — avoiding the wait for the next sync.
- Set
DcvPollTimeoutSecondsto the maximum number of seconds to poll (e.g.60).0(default) disables polling entirely. - The plugin polls CSC every 10 seconds until the order is issued or the timeout is reached.
- If the certificate issues within the window, the enrollment returns it immediately with a success status.
- If the window expires, the plugin falls back to the pending result and the certificate arrives on the next sync — exactly as it would with polling disabled.
Tradeoff: Polling blocks the enrollment request for up to DcvPollTimeoutSeconds. CSC validation frequently takes minutes to hours, so most orders will still fall through to pending — keep the timeout small (30–90s) to catch only the fast cases without hanging callers. This applies to New enrollments, Renewals, and Reissues.
Apache License 2.0, see LICENSE.
See all Keyfactor Any CA Gateways (REST).