Merge 2.2.0 to main

* fix for smime profile type

* template parameter to include client auth eku

* Update generated docs

* changelog and logging

* check for duplicate PEMs

* change default start sync date for first incremental sync

* removing caching of product type list

* change default incremental sync range

* version

* changelog

* shorten incremental sync if it is too long

* feat: release v2.2.0

* add duplicate support

* Update generated docs

---------

Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>

---------

Co-authored-by: David Galey <dgaley@keyfactor.com>
Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>
Co-authored-by: Dave Galey <89407235+dgaley@users.noreply.github.com>
Co-authored-by: Sean <1661003+spbsoluble@users.noreply.github.com>

Author: 4 people

CHANGELOG.md

@@ -9,4 +9,18 @@
 * Add support for enrolling for client certs  
 * Option to filter sync by division ID  
 * Option to provide division ID for enrollment  
-* Add support for secure_email_* SMIME product types
+* Add support for secure_email_* SMIME product types  
+
+### 2.1.1  
+* Add configuration flag to support adding client auth EKU to ssl cert requests  
+	* NOTE: This is a temporary feature which is planned for loss of support by Digicert in May 2026   
+* For smime certs, use profile type defined on the product as the default if not supplied, rather than just defaulting to 'strict'  
+* Hotfix for data type conversion  
+
+### 2.1.2  
+* Hotfix for incremental sync to default to a 6 day window if no previous incremental sync has run  
+* Workaround for DigiCert API issue where retrieving the PEM data of multiple certificates in the same order can occasionally return duplicate data rather than the correct cert  
+* Remove caching of product ID lookups from DigiCert account  
+
+### 2.2.0  
+* Add support for duplicating certs

README.md

@@ -106,15 +106,20 @@ An API Key within your Digicert account that has the necessary permissions to en
     * **Organization-Name** - OPTIONAL: For requests that will not have a subject (such as ACME) you can use this field to provide the organization name. Value supplied here will override any CSR values, so do not include this field if you want the organization from the CSR to be used. 
     * **RenewalWindowDays** - OPTIONAL: The number of days from certificate expiration that the gateway should do a renewal rather than a reissue. If not provided, default is 90. 
     * **CertType** - OPTIONAL: The type of cert to enroll for. Valid values are 'ssl' and 'client'. The value provided here must be consistant with the ProductID. If not provided, default is 'ssl'. Ignored for secure_email_* product types. 
+    * **IncludeClientAuthEKU** - OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026. 
     * **EnrollDivisionId** - OPTIONAL: The division (container) ID to use for enrollments against this template. 
     * **CommonNameIndicator** - Required for secure_email_sponsor and secure_email_organization products, ignored otherwise. Defines the source of the common name. Valid values are: email_address, given_name_surname, pseudonym, organization_name 
-    * **ProfileType** - Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Default value is strict. 
+    * **ProfileType** - Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Use 'multipurpose' if your cert includes any additional EKUs such as client auth. Default if not provided is dependent on product configuration within Digicert portal. 
     * **FirstName** - Required for secure_email_* types if CommonNameIndicator is given_name_surname, ignored otherwise. 
     * **LastName** - Required for secure_email_* types if CommonNameIndicator is given_name_surname, ignored otherwise. 
     * **Pseudonym** - Required for secure_email_* types if CommonNameIndicator is pseudonym, ignored otherwise. 
     * **UsageDesignation** - Required for secure_email_* types, ignored otherwise. The primary usage of the certificate. Valid values are: signing, key_management, dual_use 
 
 
+## Certificate Duplicates
+
+DigiCert supports the ability to duplicate existing certificate orders. To take advantage of this functionality, in Keyfactor Command, under the enrollment pattern you're using, create an Enrollment Field named 'Duplicate' of type Multiple Choice, and the values 'False', 'True'. When performing a renew operation against that enrollment pattern, set the value to True to tell the gateway to duplicate instead of renew. The field will be ignored on new enrollments.
+
 
 ## License
 

digicert-certcentral-caplugin/API/Duplicate.cs

@@ -0,0 +1,70 @@
+using Keyfactor.Extensions.CAPlugin.DigiCert.Models;
+using Newtonsoft.Json;
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Keyfactor.Extensions.CAPlugin.DigiCert.API
+{
+	[Serializable]
+	public class DuplicateRequest : CertCentralBaseRequest
+	{
+		public DuplicateRequest(uint orderId)
+		{
+			Method = "POST";
+			OrderId = orderId;
+			Resource = $"services/v2/order/certificate/{OrderId}/duplicate";
+			Certificate = new CertificateDuplicateRequest();
+		}
+
+		[JsonProperty("certificate")]
+		public CertificateDuplicateRequest Certificate { get; set; }
+
+		[JsonProperty("order_id")]
+		public uint OrderId { get; set; }
+
+		[JsonProperty("skip_approval")]
+		public bool SkipApproval { get; set; }
+	}
+
+	public class CertificateDuplicateRequest
+	{
+		[JsonProperty("common_name")]
+		public string CommonName { get; set; }
+
+		[JsonProperty("dns_names")]
+		public List<string> DnsNames { get; set; }
+
+		[JsonProperty("csr")]
+		public string CSR { get; set; }
+
+		[JsonProperty("server_platform")]
+		public Server_platform ServerPlatform { get; set; }
+
+		[JsonProperty("signature_hash")]
+		public string SignatureHash { get; set; }
+
+		[JsonProperty("ca_cert_id")]
+		public string CACertID { get; set; }
+	}
+
+	public class DuplicateResponse : CertCentralBaseResponse
+	{
+		public DuplicateResponse()
+		{
+			Requests = new List<Requests>();
+		}
+
+		[JsonProperty("id")]
+		public int OrderId { get; set; }
+
+		[JsonProperty("requests")]
+		public List<Requests> Requests { get; set; }
+
+		[JsonProperty("certificate_chain")]
+		public List<CertificateChainElement> CertificateChain { get; set; }
+	}
+}

digicert-certcentral-caplugin/API/OrderCertificate.cs

@@ -101,6 +101,9 @@ public class CertificateRequest
 
 		[JsonProperty("ca_cert_id")]
 		public string CACertID { get; set; }
+
+		[JsonProperty("profile_option")]
+		public string ProfileOption { get; set; }
 	}
 
 	public class CertificateOrderContainer

digicert-certcentral-caplugin/CertCentralCAPlugin.cs

@@ -17,6 +17,7 @@
 using Newtonsoft.Json;
 
 using Org.BouncyCastle.Asn1.X509;
+using Org.BouncyCastle.Pqc.Crypto.Falcon;
 
 using System.Collections.Concurrent;
 using System.Runtime.InteropServices;
@@ -298,33 +299,62 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
 			string priorCertSnString = null;
 			string priorCertReqID = null;
 
-			// Current gateway core leaves it up to the integration to determine if it is a renewal or a reissue
+			if (typeOfCert.Equals("ssl") && Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH]))
+			{
+				orderRequest.Certificate.ProfileOption = "server_client_auth_eku";
+				_logger.LogWarning($"{CertCentralConstants.Config.INCLUDE_CLIENT_AUTH}: Ability to include client auth EKU in SSL certs is currently planned to cease in May 2026. Make sure any workflows that depend on this feature are updated before then to avoid interruptions.");
+			}
+
+			bool dupe = false;
+			// Current gateway core leaves it up to the integration to determine if it is a renewal, a reissue, or a duplicate
 			if (enrollmentType == EnrollmentType.RenewOrReissue)
 			{
-				//// Determine if we're going to do a renew or a reissue.
+				//// Determine if we're going to do a renew, reissue, or duplicate.
 				priorCertSnString = productInfo.ProductParameters["PriorCertSN"];
 				_logger.LogTrace($"Attempting to retrieve the certificate with serial number {priorCertSnString}.");
-				var reqId = _certificateDataReader.GetRequestIDBySerialNumber(priorCertSnString).Result;
-				if (string.IsNullOrEmpty(reqId))
+				priorCertReqID = await _certificateDataReader.GetRequestIDBySerialNumber(priorCertSnString);
+				if (string.IsNullOrEmpty(priorCertReqID))
 				{
 					throw new Exception($"No certificate with serial number '{priorCertSnString}' could be found.");
 				}
-				var expDate = _certificateDataReader.GetExpirationDateByRequestId(reqId);
 
-				var renewCutoff = DateTime.Now.AddDays(renewWindow * -1);
-
-				if (expDate > renewCutoff)
+				if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.DUPLICATE))
+				{
+					string dupStr = productInfo.ProductParameters[CertCentralConstants.Config.DUPLICATE].ToString();
+					if (!bool.TryParse(dupStr, out dupe))
+					{
+						_logger.LogError($"Could not parse 'Duplicate' field as true or false. Check configuration. Value: {dupStr}");
+						throw new Exception($"Could not parse 'Duplicate' field as true or false. Check configuration");
+					}
+				}
+				if (!dupe)
 				{
-					_logger.LogTrace($"Certificate with serial number {priorCertSnString} is within renewal window");
-					enrollmentType = EnrollmentType.Renew;
+					var expDate = _certificateDataReader.GetExpirationDateByRequestId(priorCertReqID);
+
+					var renewCutoff = DateTime.Now.AddDays(renewWindow * -1);
+
+					if (expDate > renewCutoff)
+					{
+						_logger.LogTrace($"Certificate with serial number {priorCertSnString} is within renewal window");
+						enrollmentType = EnrollmentType.Renew;
+					}
+					else
+					{
+						_logger.LogTrace($"Certificate with serial number {priorCertSnString} is not within renewal window. Reissuing...");
+						enrollmentType = EnrollmentType.Reissue;
+					}
 				}
 				else
 				{
-					_logger.LogTrace($"Certificate with serial number {priorCertSnString} is not within renewal window. Reissuing...");
-					enrollmentType = EnrollmentType.Reissue;
+					_logger.LogTrace($"'Duplicate' flag set, performing duplication");
 				}
 			}
 
+			if (dupe)
+			{
+				return await Duplicate(client, productInfo, priorCertReqID, commonName, csr, dnsNames, signatureHash, caCertId);
+			}
+
 			// Check if the order has more validity in it (multi-year cert). If so, do a reissue instead of a renew
 			if (enrollmentType == EnrollmentType.Renew)
 			{
@@ -588,6 +618,13 @@ public Dictionary<string, PropertyConfigInfo> GetTemplateParameterAnnotations()
 					DefaultValue = "ssl",
 					Type = "String"
 				},
+				[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH] = new PropertyConfigInfo()
+				{
+					Comments = "OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026.",
+					Hidden = false,
+					DefaultValue = false,
+					Type = "Boolean"
+				},
 				[CertCentralConstants.Config.ENROLL_DIVISION_ID] = new PropertyConfigInfo()
 				{
 					Comments = "OPTIONAL: The division (container) ID to use for enrollments against this template.",
@@ -604,9 +641,9 @@ public Dictionary<string, PropertyConfigInfo> GetTemplateParameterAnnotations()
 				},
 				[CertCentralConstants.Config.PROFILE_TYPE] = new PropertyConfigInfo()
 				{
-					Comments = "Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Default value is strict.",
+					Comments = "Optional for secure_email_* types, ignored otherwise. Valid values are: strict, multipurpose. Use 'multipurpose' if your cert includes any additional EKUs such as client auth. Default if not provided is dependent on product configuration within Digicert portal.",
 					Hidden = false,
-					DefaultValue = "strict",
+					DefaultValue = "",
 					Type = "String"
 				},
 				[CertCentralConstants.Config.FIRST_NAME] = new PropertyConfigInfo()
@@ -751,8 +788,14 @@ public async Task Synchronize(BlockingCollection<AnyCAPluginCertificate> blockin
 		{
 			_logger.MethodEntry(LogLevel.Trace);
 
-			lastSync = lastSync.HasValue ? lastSync.Value.AddHours(-7) : DateTime.MinValue; // DigiCert issue with treating the timezone as mountain time. -7 to accomodate DST
+			// DigiCert issue with treating the timezone as mountain time. -7 hours to accomodate DST
+			// If no last sync, use a 6 day window for the sync range (only relevant for incremental syncs)
+			lastSync = lastSync.HasValue ? lastSync.Value.AddHours(-7) : DateTime.UtcNow.AddDays(-5); 
 			DateTime? utcDate = DateTime.UtcNow.AddDays(1);
+			if ((utcDate.Value - lastSync.Value).Days > 6)
+			{
+				lastSync = DateTime.UtcNow.AddDays(-5);
+			}
 			string lastSyncFormat = FormatSyncDate(lastSync);
 			string todaySyncFormat = FormatSyncDate(utcDate);
 
@@ -1027,7 +1070,7 @@ public async Task ValidateProductInfo(EnrollmentProductInfo productInfo, Diction
 			detailsRequest.ContainerId = null;
 			if (connectionInfo.ContainsKey(CertCentralConstants.Config.DIVISION_ID))
 			{
-				string div = (string)connectionInfo[CertCentralConstants.Config.DIVISION_ID];
+				string div = connectionInfo[CertCentralConstants.Config.DIVISION_ID].ToString();
 				if (!string.IsNullOrWhiteSpace(div))
 				{
 					if (int.TryParse($"{div}", out int divId))
@@ -1444,6 +1487,46 @@ private async Task<EnrollmentResult> Reissue(CertCentralClient client, Enrollmen
 			return await ExtractEnrollmentResult(client, client.ReissueCertificate(reissueRequest), commonName);
 		}
 
+		/// <summary>
+		/// Duplicates a certificate.
+		/// </summary>
+		/// <param name="client">The client used to contact DigiCert.</param>
+		/// <param name="request">The <see cref="OrderRequest"/>.</param>
+		/// <param name="enrollmentProductInfo">Information about the DigiCert product this certificate uses.</param>
+		/// <returns></returns>
+		private async Task<EnrollmentResult> Duplicate(CertCentralClient client, EnrollmentProductInfo enrollmentProductInfo, string caRequestId, string commonName, string csr, List<string> dnsNames, string signatureHash, string caCertId)
+		{
+			CheckProductExistence(enrollmentProductInfo.ProductID);
+
+			// Get order ID
+			_logger.LogTrace("Attempting to parse the order ID from the AnyGateway certificate.");
+			uint orderId = 0;
+			try
+			{
+				orderId = uint.Parse(caRequestId.Split('-').First());
+			}
+			catch (Exception e)
+			{
+				throw new Exception($"There was an error parsing the order ID from the certificate: {e.Message}", e);
+			}
+
+			// Duplicate certificate.
+			DuplicateRequest duplicateRequest = new DuplicateRequest(orderId)
+			{
+				Certificate = new CertificateDuplicateRequest
+				{
+					CommonName = commonName,
+					CSR = csr,
+					DnsNames = dnsNames,
+					SignatureHash = signatureHash,
+					CACertID = caCertId
+				}
+			};
+
+			_logger.LogTrace("Attempting to duplicate certificate.");
+			return await ExtractEnrollmentResult(client, client.DuplicateCertificate(duplicateRequest), commonName);
+		}
+
 		/// <summary>
 		/// Verify that the given product ID is valid
 		/// </summary>
@@ -1548,6 +1631,7 @@ private List<AnyCAPluginCertificate> GetAllConnectorCertsForOrder(string caReque
 			var orderCerts = GetAllCertsForOrder(orderId);
 
 			List<AnyCAPluginCertificate> certList = new List<AnyCAPluginCertificate>();
+			List<string> pemList = new List<string>();
 
 			foreach (var cert in orderCerts)
 			{
@@ -1569,6 +1653,13 @@ private List<AnyCAPluginCertificate> GetAllConnectorCertsForOrder(string caReque
 							throw new Exception($"Unexpected error downloading certificate {certId} for order {orderId}: {certificateChainResponse.Errors.FirstOrDefault()?.message}");
 						}
 					}
+					//Another check for duplicate PEMs to get arround issue with DigiCert API returning incorrect data sometimes on reissued/duplicate certs
+					if (pemList.Contains(certificate))
+					{
+						_logger.LogWarning($"Found duplicate PEM for ID {caReqId}. Skipping...");
+						continue;
+					}
+					pemList.Add(certificate);
 					var connCert = new AnyCAPluginCertificate
 					{
 						CARequestID = caReqId,
@@ -1684,9 +1775,10 @@ private EnrollmentResult EnrollForSmimeCert(string csr, string subject, Dictiona
 				}
 			}
 
+			string profile = null;
 			if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.PROFILE_TYPE))
 			{
-				string profile = productInfo.ProductParameters[CertCentralConstants.Config.PROFILE_TYPE].ToString();
+				profile = productInfo.ProductParameters[CertCentralConstants.Config.PROFILE_TYPE].ToString();
 
 				// Only validate if value provided
 				if (!string.IsNullOrEmpty(profile))
@@ -1697,6 +1789,10 @@ private EnrollmentResult EnrollForSmimeCert(string csr, string subject, Dictiona
 						throw new Exception($"Invalid profile type provided. Valid values are: strict, multipurpose");
 					}
 				}
+				else
+				{
+					profile = null;
+				}
 			}
 
 			if (cnIndic.Equals("given_name_surname", StringComparison.OrdinalIgnoreCase))
@@ -1888,12 +1984,11 @@ private EnrollmentResult EnrollForSmimeCert(string csr, string subject, Dictiona
 			orderRequest.Certificate.SignatureHash = certType.signatureAlgorithm;
 			orderRequest.Certificate.CACertID = caCertId;
 			orderRequest.SetOrganization(organizationId);
-			string profileType = "strict";
-			if (productInfo.ProductParameters.ContainsKey(Constants.Config.PROFILE_TYPE))
+			//If profile type is not provided, use the default on the digicert product configuration
+			if (!string.IsNullOrEmpty(profile))
 			{
-				profileType = productInfo.ProductParameters[Constants.Config.PROFILE_TYPE];
-			}
-			orderRequest.Certificate.ProfileType = profileType;
+				orderRequest.Certificate.ProfileType = profile;
+			}		
 			orderRequest.Certificate.CommonNameIndicator = cnIndicator;
 			if (productInfo.ProductID.Equals("secure_email_sponsor", StringComparison.OrdinalIgnoreCase))
 			{

digicert-certcentral-caplugin/Client/CertCentralClient.cs

@@ -357,6 +357,28 @@ public OrderResponse ReissueCertificate(ReissueRequest request)
 			return reissueResponse;
 		}
 
+		public OrderResponse DuplicateCertificate(DuplicateRequest request)
+		{
+			string jsonRequest = JsonConvert.SerializeObject(request, Formatting.None, new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore });
+			Logger.LogTrace($"Duplicate request:\n{jsonRequest}");
+
+			CertCentralResponse response = Request(request, jsonRequest);
+
+			OrderResponse duplicateResponse = new OrderResponse();
+			if (!response.Success)
+			{
+				Errors errors = JsonConvert.DeserializeObject<Errors>(response.Response);
+				duplicateResponse.Status = CertCentralBaseResponse.StatusType.ERROR;
+				duplicateResponse.Errors = errors.errors;
+			}
+			else
+			{
+				duplicateResponse = JsonConvert.DeserializeObject<OrderResponse>(response.Response);
+			}
+
+			return duplicateResponse;
+		}
+
 		public RevokeCertificateResponse RevokeCertificate(RevokeCertificateRequest request)
 		{
 			CertCentralResponse response = Request(request, JsonConvert.SerializeObject(request, Formatting.None, new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore }));