Conversation
check for duplicate PEMs
change default start sync date for first incremental sync
removing caching of product type list
change default incremental sync range
shorten incremental sync if it is too long
add duplicate support
There was a problem hiding this comment.
Pull request overview
Merge of dev-2.2 into main, adding support for DigiCert certificate duplication and additional enrollment/sync behaviors.
Changes:
- Add “Duplicate” renewal behavior and client auth EKU option for SSL enrollments.
- Adjust SMIME profile type defaults and tighten incremental sync date range behavior.
- Update documentation/manifest and bump assembly/file versions.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| integration-manifest.json | Adds IncludeClientAuthEKU param and updates ProfileType description. |
| docsource/configuration.md | Documents how to enable “Duplicate” behavior via enrollment fields. |
| digicert-certcentral-caplugin/digicert-certcentral-caplugin.csproj | Adds explicit AssemblyVersion/FileVersion. |
| digicert-certcentral-caplugin/Models/CertCentralCertType.cs | Removes cached cert type lookups; always retrieves from API. |
| digicert-certcentral-caplugin/Constants.cs | Adds config keys for Duplicate and IncludeClientAuthEKU. |
| digicert-certcentral-caplugin/Client/CertCentralClient.cs | Adds client method to call DigiCert “duplicate” endpoint. |
| digicert-certcentral-caplugin/CertCentralCAPlugin.cs | Implements duplicate flow, client auth EKU option, sync window logic, and SMIME profile handling. |
| digicert-certcentral-caplugin/API/OrderCertificate.cs | Adds profile_option field to certificate request model. |
| digicert-certcentral-caplugin/API/Duplicate.cs | Introduces request/response models for duplication calls. |
| README.md | Documents IncludeClientAuthEKU and “Certificate Duplicates”. |
| CHANGELOG.md | Adds entries through 2.2.0 describing the new features/fixes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if (typeOfCert.Equals("ssl") && Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH])) | ||
| { |
There was a problem hiding this comment.
productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH] is accessed without checking the key exists, which can throw KeyNotFoundException when the flag isn’t provided. Consider guarding with ContainsKey and parsing via bool.TryParse (or using a safe default of false) so missing/invalid values don’t crash enrollment.
| if (typeOfCert.Equals("ssl") && Convert.ToBoolean(productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH])) | |
| { | |
| bool includeClientAuth = false; | |
| if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.INCLUDE_CLIENT_AUTH)) | |
| { | |
| var includeClientAuthRaw = productInfo.ProductParameters[CertCentralConstants.Config.INCLUDE_CLIENT_AUTH]; | |
| if (!bool.TryParse(Convert.ToString(includeClientAuthRaw), out includeClientAuth)) | |
| { | |
| _logger.LogWarning($"Could not parse '{CertCentralConstants.Config.INCLUDE_CLIENT_AUTH}' field as true or false. Treating as false. Value: {includeClientAuthRaw}"); | |
| includeClientAuth = false; | |
| } | |
| } | |
| if (typeOfCert.Equals("ssl") && includeClientAuth) | |
| { |
| public OrderResponse DuplicateCertificate(DuplicateRequest request) | ||
| { | ||
| string jsonRequest = JsonConvert.SerializeObject(request, Formatting.None, new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore }); | ||
| Logger.LogTrace($"Duplicate request:\n{jsonRequest}"); |
There was a problem hiding this comment.
Logging the full serialized duplicate request can leak sensitive material (notably the CSR and potentially subject/SANs) into logs. Recommend redacting/omitting sensitive fields (e.g., certificate.csr) or logging only non-sensitive identifiers (order id, product id, CN) at trace level.
| Logger.LogTrace($"Duplicate request:\n{jsonRequest}"); | |
| Logger.LogTrace("Duplicate certificate request initiated."); |
| <AssemblyVersion>2.1.2</AssemblyVersion> | ||
| <FileVersion>2.1.2</FileVersion> |
There was a problem hiding this comment.
The assembly/file version is set to 2.1.2, but the changelog in this PR includes 2.2.0 with the new duplicate feature. Align the project’s versioning with the release being merged (and consider setting Version/PackageVersion as well if this is packed/published), to avoid shipping 2.2.0 behavior under a 2.1.2 assembly version.
| <AssemblyVersion>2.1.2</AssemblyVersion> | |
| <FileVersion>2.1.2</FileVersion> | |
| <AssemblyVersion>2.2.0</AssemblyVersion> | |
| <FileVersion>2.2.0</FileVersion> | |
| <Version>2.2.0</Version> | |
| <PackageVersion>2.2.0</PackageVersion> |
| _logger.MethodEntry(LogLevel.Trace); | ||
|
|
||
| lastSync = lastSync.HasValue ? lastSync.Value.AddHours(-7) : DateTime.MinValue; // DigiCert issue with treating the timezone as mountain time. -7 to accomodate DST | ||
| // DigiCert issue with treating the timezone as mountain time. -7 hours to accomodate DST |
There was a problem hiding this comment.
Correct spelling in comment: “accomodate” → “accommodate”.
| // DigiCert issue with treating the timezone as mountain time. -7 hours to accomodate DST | |
| // DigiCert issue with treating the timezone as mountain time. -7 hours to accommodate DST |
| throw new Exception($"Unexpected error downloading certificate {certId} for order {orderId}: {certificateChainResponse.Errors.FirstOrDefault()?.message}"); | ||
| } | ||
| } | ||
| //Another check for duplicate PEMs to get arround issue with DigiCert API returning incorrect data sometimes on reissued/duplicate certs |
There was a problem hiding this comment.
Correct spelling in comment: “arround” → “around”.
| //Another check for duplicate PEMs to get arround issue with DigiCert API returning incorrect data sometimes on reissued/duplicate certs | |
| //Another check for duplicate PEMs to get around issue with DigiCert API returning incorrect data sometimes on reissued/duplicate certs |
| List<AnyCAPluginCertificate> certList = new List<AnyCAPluginCertificate>(); | ||
| List<string> pemList = new List<string>(); |
There was a problem hiding this comment.
pemList.Contains(...) inside the loop makes duplicate detection O(n²) as the number of certs grows. Use a HashSet<string> for pemList to get O(1) lookups and simplify the “contains then add” logic.
| //Another check for duplicate PEMs to get arround issue with DigiCert API returning incorrect data sometimes on reissued/duplicate certs | ||
| if (pemList.Contains(certificate)) | ||
| { | ||
| _logger.LogWarning($"Found duplicate PEM for ID {caReqId}. Skipping..."); | ||
| continue; | ||
| } | ||
| pemList.Add(certificate); |
There was a problem hiding this comment.
pemList.Contains(...) inside the loop makes duplicate detection O(n²) as the number of certs grows. Use a HashSet<string> for pemList to get O(1) lookups and simplify the “contains then add” logic.
| using System.Linq; | ||
| using System.Text; | ||
| using System.Threading.Tasks; |
There was a problem hiding this comment.
This new file includes unused using directives (System.Linq, System.Text, System.Threading.Tasks aren’t used in the shown code). Removing them reduces clutter and avoids warnings (especially if warnings are treated as errors in CI).
| using System.Linq; | |
| using System.Text; | |
| using System.Threading.Tasks; |
3 participants
Merge dev-2.2 to main - Automated PR