add option for kdc/smartcardlogon eku, fix template validation

dgaley · dgaley · commit 0ca0beb099c6 · 2026-06-11T05:34:42.000-04:00
diff --git a/digicert-certcentral-caplugin/CertCentralCAPlugin.cs b/digicert-certcentral-caplugin/CertCentralCAPlugin.cs
@@ -295,10 +295,23 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
 			string priorCertSnString = null;
 			string priorCertReqID = null;
 
-			if (typeOfCert.Equals("ssl") && Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH]))
+			if (typeOfCert.Equals("ssl"))
 			{
-				orderRequest.Certificate.ProfileOption = "server_client_auth_eku";
-				_logger.LogWarning($"{CertCentralConstants.Config.INCLUDE_CLIENT_AUTH}: Ability to include client auth EKU in SSL certs is currently planned to cease in May 2026. Make sure any workflows that depend on this feature are updated before then to avoid interruptions.");
+				bool clientAuth = Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH]);
+				bool kdc = Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_KDC]);
+				if (clientAuth && kdc)
+				{
+					throw new Exception($"Cannot enroll for cert with both Client Auth and KDC/SmartCardLogon EKU set to 'true'");
+				}
+				if (clientAuth)
+				{
+					orderRequest.Certificate.ProfileOption = "server_client_auth_eku";
+					_logger.LogWarning($"{CertCentralConstants.Config.INCLUDE_CLIENT_AUTH}: Ability to include client auth EKU in SSL certs is currently planned to cease in March 2027. Make sure any workflows that depend on this feature are updated before then to avoid interruptions.");
+				}
+				else if (kdc)
+				{
+					orderRequest.Certificate.ProfileOption = "kdc_smart_card";
+				}
 			}
 
 			bool dupe = false;
@@ -616,7 +629,14 @@ public Dictionary<string, PropertyConfigInfo> GetTemplateParameterAnnotations()
 				},
 				[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH] = new PropertyConfigInfo()
 				{
-					Comments = "OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026.",
+					Comments = "OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in March 2027.",
+					Hidden = false,
+					DefaultValue = false,
+					Type = "Boolean"
+				},
+				[CertCentralConstants.Config.INCLUDE_KDC] = new PropertyConfigInfo()
+				{
+					Comments = "OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the KDC/SmartCardLogon EKU added to the request.",
 					Hidden = false,
 					DefaultValue = false,
 					Type = "Boolean"
@@ -1064,9 +1084,9 @@ public async Task ValidateProductInfo(EnrollmentProductInfo productInfo, Diction
 			CertificateTypeDetailsRequest detailsRequest = new CertificateTypeDetailsRequest(product.NameId);
 
 			detailsRequest.ContainerId = null;
-			if (connectionInfo.ContainsKey(CertCentralConstants.Config.DIVISION_ID))
+			if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.ENROLL_DIVISION_ID))
 			{
-				string div = connectionInfo[CertCentralConstants.Config.DIVISION_ID].ToString();
+				string div = productInfo.ProductParameters[CertCentralConstants.Config.ENROLL_DIVISION_ID].ToString();
 				if (!string.IsNullOrWhiteSpace(div))
 				{
 					if (int.TryParse($"{div}", out int divId))
@@ -1088,15 +1108,30 @@ public async Task ValidateProductInfo(EnrollmentProductInfo productInfo, Diction
 
 			if (!Constants.ProductTypes.SMIME_CERT.Contains(productInfo.ProductID, StringComparer.OrdinalIgnoreCase))
 			{
-				if (connectionInfo.ContainsKey(CertCentralConstants.Config.CERT_TYPE))
+				if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.CERT_TYPE))
 				{
-					var typeOfCert = (string)connectionInfo[CertCentralConstants.Config.CERT_TYPE];
+					var typeOfCert = (string)productInfo.ProductParameters[CertCentralConstants.Config.CERT_TYPE];
 					if (!(typeOfCert.Equals("ssl") || typeOfCert.Equals("client")))
 					{
 						throw new AnyCAValidationException("Invalid Cert Type specified. Valid options are 'ssl' or 'client'");
 					}
 				}
 			}
+
+			bool clientAuth = false, kdc = false;
+			if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.INCLUDE_CLIENT_AUTH))
+			{
+				clientAuth = Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH]);
+			}
+			if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.INCLUDE_KDC))
+			{
+				kdc = Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_KDC]);
+			}
+			if (clientAuth && kdc)
+			{
+				throw new AnyCAValidationException($"Unable to use both {CertCentralConstants.Config.INCLUDE_CLIENT_AUTH} and {CertCentralConstants.Config.INCLUDE_KDC} in the same certificate.");
+			}
+
 			_logger.MethodExit(LogLevel.Trace);
 		}
 
diff --git a/digicert-certcentral-caplugin/Constants.cs b/digicert-certcentral-caplugin/Constants.cs
@@ -34,6 +34,7 @@ public class Config
 			public const string SYNC_EXPIRATION_DAYS = "SyncExpirationDays";
 			public const string CERT_TYPE = "CertType";
 			public const string INCLUDE_CLIENT_AUTH = "IncludeClientAuthEKU";
+			public const string INCLUDE_KDC = "IncludeKDCSmartCardLogonEKU";
 			public const string ENROLL_DIVISION_ID = "EnrollDivisionId";
 			public const string COMMON_NAME_INDICATOR = "CommonNameIndicator";
 			public const string PROFILE_TYPE = "ProfileType";
