template parameter to include client auth eku

Author: dgaley

digicert-certcentral-caplugin/API/OrderCertificate.cs

@@ -101,6 +101,9 @@ public class CertificateRequest
 
 		[JsonProperty("ca_cert_id")]
 		public string CACertID { get; set; }
+
+		[JsonProperty("profile_option")]
+		public string ProfileOption { get; set; }
 	}
 
 	public class CertificateOrderContainer

digicert-certcentral-caplugin/CertCentralCAPlugin.cs

@@ -294,6 +294,11 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
 			string priorCertSnString = null;
 			string priorCertReqID = null;
 
+			if (typeOfCert.Equals("ssl") && Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH]))
+			{
+				orderRequest.Certificate.ProfileOption = "server_client_auth_eku";
+			}
+
 			// Current gateway core leaves it up to the integration to determine if it is a renewal or a reissue
 			if (enrollmentType == EnrollmentType.RenewOrReissue)
 			{
@@ -584,6 +589,13 @@ public Dictionary<string, PropertyConfigInfo> GetTemplateParameterAnnotations()
 					DefaultValue = "ssl",
 					Type = "String"
 				},
+				[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH] = new PropertyConfigInfo()
+				{
+					Comments = "OPTIONAL for SSL certs, ignored otherwise. If set to 'true', SSL certs enrolled under this template will have the Client Authentication EKU added to the request. NOTE: This feature is currently planned to be removed by DigiCert in May 2026.",
+					Hidden = false,
+					DefaultValue = false,
+					Type = "Boolean"
+				},
 				[CertCentralConstants.Config.ENROLL_DIVISION_ID] = new PropertyConfigInfo()
 				{
 					Comments = "OPTIONAL: The division (container) ID to use for enrollments against this template.",

digicert-certcentral-caplugin/Constants.cs

@@ -32,6 +32,7 @@ public class Config
 			public const string FILTER_EXPIRED = "FilterExpiredOrders";
 			public const string SYNC_EXPIRATION_DAYS = "SyncExpirationDays";
 			public const string CERT_TYPE = "CertType";
+			public const string INCLUDE_CLIENT_AUTH = "IncludeClientAuthEKU";
 			public const string ENROLL_DIVISION_ID = "EnrollDivisionId";
 			public const string COMMON_NAME_INDICATOR = "CommonNameIndicator";
 			public const string PROFILE_TYPE = "ProfileType";