200 day renewal fixes

.claude/settings.json

@@ -0,0 +1,8 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git fetch:*)",
+      "Bash(git checkout:*)"
+    ]
+  }
+}

README.md

@@ -1,5 +1,5 @@
 <h1 align="center" style="border-bottom: none">
-    CSCGlobal CA  Gateway AnyCA Gateway REST Plugin
+    CSCGlobal CAPlugin AnyCA Gateway REST Plugin
 </h1>
 
 <p align="center">
@@ -38,10 +38,10 @@ This integration allows for the Synchronization, Enrollment, and Revocation of c
 
 ## Compatibility
 
-The CSCGlobal CA  Gateway AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2.0 and later.
+The CSCGlobal CAPlugin AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2.0 and later.
 
 ## Support
-The CSCGlobal CA  Gateway AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. 
+The CSCGlobal CAPlugin AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. 
 
 > To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 
@@ -53,7 +53,7 @@ This integration is tested and confirmed as working for Anygateway REST 24.2 and
 
 1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
 
-2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [CSCGlobal CA  Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/cscglobal-caplugin/releases/latest) from GitHub.
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [CSCGlobal CAPlugin AnyCA Gateway REST plugin](https://github.com/Keyfactor/cscglobal-caplugin/releases/latest) from GitHub.
 
 3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:
 
@@ -64,11 +64,11 @@ This integration is tested and confirmed as working for Anygateway REST 24.2 and
     Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
     ```
 
-    > The directory containing the CSCGlobal CA  Gateway AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
+    > The directory containing the CSCGlobal CAPlugin AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
 
 4. Restart the AnyCA Gateway REST service.
 
-5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the CSCGlobal CA  Gateway plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
+5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the CSCGlobal CAPlugin plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
 
 ## Configuration
 
@@ -86,8 +86,8 @@ This integration is tested and confirmed as working for Anygateway REST 24.2 and
         * **ApiKey** - CSCGlobal API Key 
         * **BearerToken** - CSCGlobal Bearer Token 
         * **DefaultPageSize** - Default page size for use with the API. Default is 100 
-        * **TemplateSync** - Enable template sync. 
         * **SyncFilterDays** - Number of days from today to filter certificates by expiration date during incremental sync. 
+        * **RenewalWindowDays** - Number of days before the annual order expiry within which a RenewOrReissue triggers a paid Renewal rather than a free Reissue. Default is 30. 
 
 2. PLEASE NOTE, AT THIS TIME THE RAPID_SSL TEMPLATE IS NOT SUPPORTED BY THE CSC API AND WILL NOT WORK WITH THIS INTEGRATION
 
@@ -311,6 +311,55 @@ This integration is tested and confirmed as working for Anygateway REST 24.2 and
     * **Addtl Sans Comma Separated DCV Emails** - OPTIONAL: Additional SANs DCV Emails, comma separated 
 
 
+## CA Connection Configuration
+
+When defining the Certificate Authority in the AnyCA Gateway REST portal, configure the following fields on the **CA Connection** tab:
+
+CONFIG ELEMENT | DESCRIPTION | DEFAULT
+---------------|-------------|--------
+CscGlobalUrl | The base URL for the CSCGlobal API (e.g. `https://apis.cscglobal.com`) | (required)
+ApiKey | Your CSCGlobal API key | (required)
+BearerToken | Your CSCGlobal Bearer token for authentication | (required)
+DefaultPageSize | Page size for API list requests | 100
+SyncFilterDays | Number of days from today used to filter certificates by expiration date during **incremental** sync. Only certificates expiring within this window are returned. Does not apply to full sync. | 5
+RenewalWindowDays | Number of days before the annual order expiry date within which a **RenewOrReissue** request triggers a paid **Renewal** rather than a free **Reissue**. See [Renewal vs. Reissue Logic](#renewal-vs-reissue-logic) below. | 30
+
+## Renewal vs. Reissue Logic
+
+CSC Global subscriptions are annual orders. When Keyfactor Command sends a **RenewOrReissue** request, the plugin must decide whether to submit a **Renewal** (a new paid order) or a **Reissue** (a free re-key under the existing active order).
+
+The decision is based on the **RenewalWindowDays** setting and works as follows:
+
+1. The plugin fetches the original certificate from CSC and reads its `orderDate`.
+2. It computes the **order expiry** as `orderDate + 1 year`.
+3. It calculates **days remaining** until the order expires.
+4. If `days remaining <= RenewalWindowDays`, the request is treated as a **Renewal** (new paid order).
+5. If `days remaining > RenewalWindowDays`, the request is treated as a **Reissue** (free under the active order).
+
+**Example with default RenewalWindowDays = 30:**
+
+```
+Order Date:    2025-04-08
+Order Expiry:  2026-04-08
+Today:         2026-03-15
+Days Left:     24
+
+24 <= 30  -->  RENEWAL (new paid order)
+```
+
+```
+Order Date:    2025-04-08
+Order Expiry:  2026-04-08
+Today:         2025-09-01
+Days Left:     219
+
+219 > 30  -->  REISSUE (free under active order)
+```
+
+**Fallback behavior:** If the plugin cannot retrieve the `orderDate` from CSC (e.g., API error or missing field), it falls back to checking the certificate's expiration date. If the certificate is already expired, it treats the request as a Renewal.
+
+**Note:** Both Renewal and Reissue submissions are asynchronous at CSC. The plugin returns a "pending" status and the issued certificate will appear in Keyfactor after the next sync cycle.
+
 
 ## License