Keyfactor · indrora · Dec 13, 2025 · Dec 12, 2025
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
@@ -0,0 +1,7 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(dotnet build:*)"
+    ]
+  }
+}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+v1.2.0
+- Incremental Sync Support with effectiveDate within last 5 days
+
 v1.1.2
 - Fix Renewal bug referencing the wrong REST Resource V1
 

diff --git a/CscGlobalCaProxy/Client/CscGlobalClient.cs b/CscGlobalCaProxy/Client/CscGlobalClient.cs
@@ -163,6 +163,25 @@ public async Task<CertificateListResponse> SubmitCertificateListRequestAsync()
             return certificateListResponse;
         }
 
+        public async Task<CertificateListResponse> SubmitIncrementalCertificateListRequestAsync(DateTime effectiveDate)
+        {
+            Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug);
+            var dateFilter = effectiveDate.ToString("yyyy/MM/dd");
+            Logger.Trace($"Incremental Sync with effectiveDate filter: {dateFilter}");
+            var resp = RestClient.GetAsync($"/dbs/api/v2/tls/certificate?filter=effectiveDate=ge={dateFilter}").Result;
+
+            if (!resp.IsSuccessStatusCode)
+            {
+                var responseMessage = resp.Content.ReadAsStringAsync().Result;
+                Logger.Error(
+                    $"Failed Request to Keyfactor. Retrying request. Status Code {resp.StatusCode} | Message: {responseMessage}");
+            }
+
+            var certificateListResponse =
+                JsonConvert.DeserializeObject<CertificateListResponse>(await resp.Content.ReadAsStringAsync());
+            return certificateListResponse;
+        }
+
         private HttpClient ConfigureRestClient()
         {
             var clientHandler = new WebRequestHandler();

diff --git a/CscGlobalCaProxy/Constants.cs b/CscGlobalCaProxy/Constants.cs
@@ -6,5 +6,6 @@ public class Constants
         public static string CscGlobalApiKey = "ApiKey";
         public static string BearerToken = "BearerToken";
         public static int DefaultPageSize = 100;
+        public static int IncrementalSyncDays = 5;
     }
 }
diff --git a/CscGlobalCaProxy/CscGlobalCaProxy.cs b/CscGlobalCaProxy/CscGlobalCaProxy.cs
@@ -81,54 +81,64 @@ public override void Synchronize(ICertificateDataReader certificateDataReader,
             Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug);
             try
             {
+                CertificateListResponse certs;
+
                 if (certificateAuthoritySyncInfo.DoFullSync)
                 {
-                    var certs = Task.Run(async () => await CscGlobalClient.SubmitCertificateListRequestAsync()).Result;
+                    Logger.Trace("Performing Full Sync");
+                    certs = Task.Run(async () => await CscGlobalClient.SubmitCertificateListRequestAsync()).Result;
+                }
+                else
+                {
+                    // Incremental sync - get certificates from the last X days (default 5)
+                    var effectiveDate = DateTime.Now.AddDays(-Constants.IncrementalSyncDays);
+                    Logger.Trace($"Performing Incremental Sync with effectiveDate: {effectiveDate:yyyy/MM/dd}");
+                    certs = Task.Run(async () => await CscGlobalClient.SubmitIncrementalCertificateListRequestAsync(effectiveDate)).Result;
+                }
+
+                foreach (var currentResponseItem in certs.Results)
+                {
+
+                    cancelToken.ThrowIfCancellationRequested();
+                    Logger.Trace($"Took Certificate ID {currentResponseItem?.Uuid} from Queue");
+                    var certStatus = _requestManager.MapReturnStatus(currentResponseItem?.Status);
 
-                    foreach (var currentResponseItem in certs.Results)
+                    //Keyfactor sync only seems to work when there is a valid cert and I can only get Active valid certs from Csc Global
+                    if (certStatus == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.ISSUED) ||
+                        certStatus == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.REVOKED))
                     {
+                        //One click renewal/reissue won't work for this implementation so there is an option to disable it by not syncing back template
+                        var productId = "CscGlobal";
+                        if (EnableTemplateSync) productId = currentResponseItem?.CertificateType;
 
-                        cancelToken.ThrowIfCancellationRequested();
-                        Logger.Trace($"Took Certificate ID {currentResponseItem?.Uuid} from Queue");
-                        var certStatus = _requestManager.MapReturnStatus(currentResponseItem?.Status);
+                        var fileContent =
+                            Encoding.ASCII.GetString(
+                                Convert.FromBase64String(currentResponseItem?.Certificate ?? string.Empty));
 
-                        //Keyfactor sync only seems to work when there is a valid cert and I can only get Active valid certs from Csc Global
-                        if (certStatus == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.ISSUED) ||
-                            certStatus == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.REVOKED))
+                        if (fileContent.Length > 0)
                         {
-                            //One click renewal/reissue won't work for this implementation so there is an option to disable it by not syncing back template
-                            var productId = "CscGlobal";
-                            if (EnableTemplateSync) productId = currentResponseItem?.CertificateType;
-
-                            var fileContent =
-                                Encoding.ASCII.GetString(
-                                    Convert.FromBase64String(currentResponseItem?.Certificate ?? string.Empty));
+                            Logger.Trace($"File Content {fileContent}");
+                            var certData = fileContent.Replace("\r\n", string.Empty);
+                            var certString = GetEndEntityCertificate(certData);
+                            var currentCert = new X509Certificate2(Encoding.ASCII.GetBytes(certString));
 
-                            if (fileContent.Length > 0)
+                            if (certString.Length > 0)
                             {
-                                Logger.Trace($"File Content {fileContent}");
-                                var certData = fileContent.Replace("\r\n", string.Empty);
-                                var certString = GetEndEntityCertificate(certData);
-                                var currentCert = new X509Certificate2(Encoding.ASCII.GetBytes(certString));
-
-                                if (certString.Length > 0)
+                                blockingBuffer.Add(new CAConnectorCertificate
                                 {
-                                    blockingBuffer.Add(new CAConnectorCertificate
-                                    {
-                                        CARequestID = $"{currentResponseItem?.Uuid}",
-                                        Certificate = certString,
-                                        SubmissionDate = currentResponseItem?.OrderDate == null
-                                            ? Convert.ToDateTime(currentCert.NotBefore)
-                                            : Convert.ToDateTime(currentResponseItem.OrderDate),
-                                        Status = certStatus,
-                                        ProductID = productId
-                                    }, cancelToken);
-                                }
+                                    CARequestID = $"{currentResponseItem?.Uuid}",
+                                    Certificate = certString,
+                                    SubmissionDate = currentResponseItem?.OrderDate == null
+                                        ? Convert.ToDateTime(currentCert.NotBefore)
+                                        : Convert.ToDateTime(currentResponseItem.OrderDate),
+                                    Status = certStatus,
+                                    ProductID = productId
+                                }, cancelToken);
                             }
                         }
                     }
-                    blockingBuffer.CompleteAdding();
                 }
+                blockingBuffer.CompleteAdding();
             }
             catch (Exception e)
             {

diff --git a/CscGlobalCaProxy/Interfaces/ICscGlobalClient.cs b/CscGlobalCaProxy/Interfaces/ICscGlobalClient.cs
@@ -1,4 +1,5 @@
-using System.Collections.Concurrent;
+using System;
+using System.Collections.Concurrent;
 using System.Threading;
 using System.Threading.Tasks;
 using Keyfactor.AnyGateway.CscGlobal.Client.Models;
@@ -20,6 +21,8 @@ Task<ReissueResponse> SubmitReissueAsync(
 
         Task<CertificateListResponse> SubmitCertificateListRequestAsync();
 
+        Task<CertificateListResponse> SubmitIncrementalCertificateListRequestAsync(DateTime effectiveDate);
+
         Task<RevokeResponse> SubmitRevokeCertificateAsync(string uuId);
     }
 }