feat: add Vault PKI and DigiCert CertCentral issuer connectors (M32 + M37)

Vault PKI: synchronous issuance via /v1/{mount}/sign/{role}, token auth,
revocation, CA cert retrieval, 14 tests. DigiCert CertCentral: async order
model (submit → poll → download), X-DC-DEVKEY auth, OV/EV support, PEM
bundle parsing, 16 tests. Both conditionally registered based on env vars.
Includes OpenAPI enum updates, seed data, connector docs, architecture docs,
README badges, and testing guide sign-off (Parts 38 + 39, 12 automated
smoke test assertions all passing).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/connector/issuer/digicert/digicert.go

@@ -0,0 +1,524 @@
+// Package digicert implements the issuer.Connector interface for DigiCert CertCentral.
+//
+// DigiCert CertCentral is an enterprise certificate authority offering DV, OV, and EV
+// certificates. Unlike synchronous issuers (Vault, step-ca), DigiCert uses an
+// asynchronous order model: submit an order, receive an order ID, then poll for
+// completion. OV/EV certificates require organization validation which may take hours
+// or days; DV certificates may be issued immediately.
+//
+// This connector maps to certctl's existing job state machine:
+//   - IssueCertificate submits the order; if status is "issued", returns cert immediately.
+//     If status is "pending", returns OrderID with empty CertPEM — the job system polls
+//     via GetOrderStatus.
+//   - GetOrderStatus polls the order; when status becomes "issued", downloads and
+//     parses the PEM bundle.
+//
+// Authentication: API key via X-DC-DEVKEY header.
+//
+// DigiCert CertCentral API used:
+//
+//	POST /order/certificate/{product_type}          - Submit certificate order
+//	GET  /order/certificate/{order_id}              - Check order status
+//	GET  /certificate/{certificate_id}/download/format/pem_all - Download cert bundle
+//	PUT  /certificate/{certificate_id}/revoke       - Revoke certificate
+//	GET  /user/me                                   - Validate API credentials
+package digicert
+
+import (
+	"bytes"
+	"context"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/connector/issuer"
+)
+
+// Config represents the DigiCert CertCentral issuer connector configuration.
+type Config struct {
+	// APIKey is the CertCentral API key for authentication.
+	// Required. Set via CERTCTL_DIGICERT_API_KEY environment variable.
+	APIKey string `json:"api_key"`
+
+	// OrgID is the DigiCert organization ID for certificate orders.
+	// Required. Set via CERTCTL_DIGICERT_ORG_ID environment variable.
+	OrgID string `json:"org_id"`
+
+	// ProductType is the DigiCert product type for certificate orders.
+	// Default: "ssl_basic". Set via CERTCTL_DIGICERT_PRODUCT_TYPE environment variable.
+	// Common values: "ssl_basic", "ssl_wildcard", "ssl_ev_basic", "ssl_plus", "ssl_multi_domain".
+	ProductType string `json:"product_type"`
+
+	// BaseURL is the DigiCert CertCentral API base URL.
+	// Default: "https://www.digicert.com/services/v2".
+	// Set via CERTCTL_DIGICERT_BASE_URL environment variable.
+	BaseURL string `json:"base_url"`
+}
+
+// Connector implements the issuer.Connector interface for DigiCert CertCentral.
+type Connector struct {
+	config     *Config
+	logger     *slog.Logger
+	httpClient *http.Client
+}
+
+// New creates a new DigiCert CertCentral connector with the given configuration and logger.
+func New(config *Config, logger *slog.Logger) *Connector {
+	if config != nil {
+		if config.ProductType == "" {
+			config.ProductType = "ssl_basic"
+		}
+		if config.BaseURL == "" {
+			config.BaseURL = "https://www.digicert.com/services/v2"
+		}
+	}
+
+	return &Connector{
+		config: config,
+		logger: logger,
+		httpClient: &http.Client{
+			Timeout: 30 * time.Second,
+		},
+	}
+}
+
+// orderRequest is the JSON body for DigiCert certificate order submission.
+type orderRequest struct {
+	Certificate   orderCert   `json:"certificate"`
+	Organization  orderOrg    `json:"organization"`
+	ValidityYears int         `json:"validity_years"`
+}
+
+type orderCert struct {
+	CommonName string   `json:"common_name"`
+	CSR        string   `json:"csr"`
+	DNSNames   []string `json:"dns_names,omitempty"`
+}
+
+type orderOrg struct {
+	ID json.Number `json:"id"`
+}
+
+// orderResponse is the JSON response from a certificate order submission.
+type orderResponse struct {
+	ID            int    `json:"id"`
+	Status        string `json:"status"`
+	CertificateID int    `json:"certificate_id,omitempty"`
+}
+
+// orderStatusResponse is the JSON response from an order status check.
+type orderStatusResponse struct {
+	ID          int    `json:"id"`
+	Status      string `json:"status"`
+	Certificate struct {
+		ID         int    `json:"id"`
+		CommonName string `json:"common_name"`
+	} `json:"certificate"`
+}
+
+// ValidateConfig checks that the DigiCert configuration is valid and API access works.
+func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessage) error {
+	var cfg Config
+	if err := json.Unmarshal(rawConfig, &cfg); err != nil {
+		return fmt.Errorf("invalid DigiCert config: %w", err)
+	}
+
+	if cfg.APIKey == "" {
+		return fmt.Errorf("DigiCert api_key is required")
+	}
+
+	if cfg.OrgID == "" {
+		return fmt.Errorf("DigiCert org_id is required")
+	}
+
+	if cfg.ProductType == "" {
+		cfg.ProductType = "ssl_basic"
+	}
+	if cfg.BaseURL == "" {
+		cfg.BaseURL = "https://www.digicert.com/services/v2"
+	}
+
+	// Test API access via /user/me
+	meURL := cfg.BaseURL + "/user/me"
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, meURL, nil)
+	if err != nil {
+		return fmt.Errorf("failed to create API test request: %w", err)
+	}
+	req.Header.Set("X-DC-DEVKEY", cfg.APIKey)
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("DigiCert API not reachable at %s: %w", cfg.BaseURL, err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusForbidden || resp.StatusCode == http.StatusUnauthorized {
+		return fmt.Errorf("DigiCert API key is invalid (status %d)", resp.StatusCode)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("DigiCert API returned status %d", resp.StatusCode)
+	}
+
+	c.config = &cfg
+	c.logger.Info("DigiCert CertCentral configuration validated",
+		"base_url", cfg.BaseURL,
+		"product_type", cfg.ProductType)
+
+	return nil
+}
+
+// IssueCertificate submits a certificate order to DigiCert CertCentral.
+// If the certificate is issued immediately (DV certs), returns the cert.
+// If pending (OV/EV certs), returns OrderID with empty CertPEM for polling.
+func (c *Connector) IssueCertificate(ctx context.Context, request issuer.IssuanceRequest) (*issuer.IssuanceResult, error) {
+	c.logger.Info("processing DigiCert issuance request",
+		"common_name", request.CommonName,
+		"san_count", len(request.SANs),
+		"product_type", c.config.ProductType)
+
+	orderReq := orderRequest{
+		Certificate: orderCert{
+			CommonName: request.CommonName,
+			CSR:        request.CSRPEM,
+			DNSNames:   request.SANs,
+		},
+		Organization: orderOrg{
+			ID: json.Number(c.config.OrgID),
+		},
+		ValidityYears: 1,
+	}
+
+	body, err := json.Marshal(orderReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal order request: %w", err)
+	}
+
+	orderURL := fmt.Sprintf("%s/order/certificate/%s", c.config.BaseURL, c.config.ProductType)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, orderURL, bytes.NewReader(body))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create order request: %w", err)
+	}
+	req.Header.Set("X-DC-DEVKEY", c.config.APIKey)
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("DigiCert order request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read order response: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
+		return nil, fmt.Errorf("DigiCert order returned status %d: %s", resp.StatusCode, string(respBody))
+	}
+
+	var orderResp orderResponse
+	if err := json.Unmarshal(respBody, &orderResp); err != nil {
+		return nil, fmt.Errorf("failed to parse order response: %w", err)
+	}
+
+	orderID := fmt.Sprintf("%d", orderResp.ID)
+
+	c.logger.Info("DigiCert order submitted",
+		"order_id", orderID,
+		"status", orderResp.Status)
+
+	// If issued immediately (DV certs), download the certificate
+	if orderResp.Status == "issued" && orderResp.CertificateID > 0 {
+		certPEM, chainPEM, serial, notBefore, notAfter, err := c.downloadCertificate(ctx, orderResp.CertificateID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to download certificate: %w", err)
+		}
+
+		c.logger.Info("DigiCert certificate issued immediately",
+			"order_id", orderID,
+			"serial", serial)
+
+		return &issuer.IssuanceResult{
+			CertPEM:   certPEM,
+			ChainPEM:  chainPEM,
+			Serial:    serial,
+			NotBefore: notBefore,
+			NotAfter:  notAfter,
+			OrderID:   orderID,
+		}, nil
+	}
+
+	// Pending — return OrderID for polling via GetOrderStatus
+	c.logger.Info("DigiCert order pending validation",
+		"order_id", orderID,
+		"status", orderResp.Status)
+
+	return &issuer.IssuanceResult{
+		OrderID: orderID,
+	}, nil
+}
+
+// RenewCertificate renews a certificate by submitting a new order.
+// DigiCert uses reissue for renewal, but for simplicity we submit a new order
+// (reissue requires the original order ID which may not be available).
+func (c *Connector) RenewCertificate(ctx context.Context, request issuer.RenewalRequest) (*issuer.IssuanceResult, error) {
+	c.logger.Info("processing DigiCert renewal request",
+		"common_name", request.CommonName,
+		"san_count", len(request.SANs))
+
+	return c.IssueCertificate(ctx, issuer.IssuanceRequest{
+		CommonName: request.CommonName,
+		SANs:       request.SANs,
+		CSRPEM:     request.CSRPEM,
+		EKUs:       request.EKUs,
+	})
+}
+
+// RevokeCertificate revokes a certificate at DigiCert CertCentral.
+// DigiCert revocation uses certificate_id, so we extract it from the serial
+// by looking up the order. For simplicity, we use the serial as the cert ID
+// (the caller should provide the DigiCert certificate ID).
+func (c *Connector) RevokeCertificate(ctx context.Context, request issuer.RevocationRequest) error {
+	c.logger.Info("processing DigiCert revocation request", "serial", request.Serial)
+
+	reason := "unspecified"
+	if request.Reason != nil {
+		reason = *request.Reason
+	}
+
+	revokeBody := map[string]interface{}{
+		"reason": reason,
+	}
+
+	body, err := json.Marshal(revokeBody)
+	if err != nil {
+		return fmt.Errorf("failed to marshal revoke request: %w", err)
+	}
+
+	// DigiCert uses certificate_id in the URL path for revocation
+	revokeURL := fmt.Sprintf("%s/certificate/%s/revoke", c.config.BaseURL, request.Serial)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPut, revokeURL, bytes.NewReader(body))
+	if err != nil {
+		return fmt.Errorf("failed to create revoke request: %w", err)
+	}
+	req.Header.Set("X-DC-DEVKEY", c.config.APIKey)
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("DigiCert revoke request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	// DigiCert returns 204 No Content on successful revocation
+	if resp.StatusCode != http.StatusNoContent && resp.StatusCode != http.StatusOK {
+		respBody, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("DigiCert revoke returned status %d: %s", resp.StatusCode, string(respBody))
+	}
+
+	c.logger.Info("DigiCert certificate revoked", "serial", request.Serial, "reason", reason)
+	return nil
+}
+
+// GetOrderStatus checks the status of a DigiCert certificate order.
+// If the order is "issued", downloads the certificate and returns it.
+// If still "pending", returns pending status for continued polling.
+func (c *Connector) GetOrderStatus(ctx context.Context, orderID string) (*issuer.OrderStatus, error) {
+	c.logger.Debug("checking DigiCert order status", "order_id", orderID)
+
+	statusURL := fmt.Sprintf("%s/order/certificate/%s", c.config.BaseURL, orderID)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, statusURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create status request: %w", err)
+	}
+	req.Header.Set("X-DC-DEVKEY", c.config.APIKey)
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("DigiCert status request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read status response: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("DigiCert order status returned %d: %s", resp.StatusCode, string(respBody))
+	}
+
+	var statusResp orderStatusResponse
+	if err := json.Unmarshal(respBody, &statusResp); err != nil {
+		return nil, fmt.Errorf("failed to parse status response: %w", err)
+	}
+
+	now := time.Now()
+
+	switch statusResp.Status {
+	case "issued":
+		if statusResp.Certificate.ID == 0 {
+			return nil, fmt.Errorf("order is issued but certificate_id is missing")
+		}
+
+		certPEM, chainPEM, serial, notBefore, notAfter, err := c.downloadCertificate(ctx, statusResp.Certificate.ID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to download certificate: %w", err)
+		}
+
+		c.logger.Info("DigiCert order completed",
+			"order_id", orderID,
+			"serial", serial)
+
+		return &issuer.OrderStatus{
+			OrderID:   orderID,
+			Status:    "completed",
+			CertPEM:   &certPEM,
+			ChainPEM:  &chainPEM,
+			Serial:    &serial,
+			NotBefore: &notBefore,
+			NotAfter:  &notAfter,
+			UpdatedAt: now,
+		}, nil
+
+	case "pending", "processing":
+		msg := fmt.Sprintf("order %s is %s", orderID, statusResp.Status)
+		return &issuer.OrderStatus{
+			OrderID:   orderID,
+			Status:    "pending",
+			Message:   &msg,
+			UpdatedAt: now,
+		}, nil
+
+	case "rejected", "denied":
+		msg := fmt.Sprintf("order %s was %s", orderID, statusResp.Status)
+		return &issuer.OrderStatus{
+			OrderID:   orderID,
+			Status:    "failed",
+			Message:   &msg,
+			UpdatedAt: now,
+		}, nil
+
+	default:
+		msg := fmt.Sprintf("unknown order status: %s", statusResp.Status)
+		return &issuer.OrderStatus{
+			OrderID:   orderID,
+			Status:    "pending",
+			Message:   &msg,
+			UpdatedAt: now,
+		}, nil
+	}
+}
+
+// downloadCertificate downloads the PEM bundle for a DigiCert certificate.
+func (c *Connector) downloadCertificate(ctx context.Context, certificateID int) (certPEM string, chainPEM string, serial string, notBefore time.Time, notAfter time.Time, err error) {
+	downloadURL := fmt.Sprintf("%s/certificate/%d/download/format/pem_all", c.config.BaseURL, certificateID)
+	req, reqErr := http.NewRequestWithContext(ctx, http.MethodGet, downloadURL, nil)
+	if reqErr != nil {
+		err = fmt.Errorf("failed to create download request: %w", reqErr)
+		return
+	}
+	req.Header.Set("X-DC-DEVKEY", c.config.APIKey)
+
+	resp, doErr := c.httpClient.Do(req)
+	if doErr != nil {
+		err = fmt.Errorf("DigiCert download request failed: %w", doErr)
+		return
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		err = fmt.Errorf("DigiCert download returned status %d: %s", resp.StatusCode, string(body))
+		return
+	}
+
+	body, readErr := io.ReadAll(resp.Body)
+	if readErr != nil {
+		err = fmt.Errorf("failed to read download response: %w", readErr)
+		return
+	}
+
+	// Parse the PEM bundle: first cert is the leaf, rest are intermediates
+	certPEM, chainPEM, serial, notBefore, notAfter, err = parsePEMBundle(string(body))
+	return
+}
+
+// parsePEMBundle splits a PEM bundle into leaf cert and chain, extracting metadata.
+func parsePEMBundle(bundle string) (certPEM string, chainPEM string, serial string, notBefore time.Time, notAfter time.Time, err error) {
+	var certs []string
+	remaining := bundle
+
+	for {
+		var block *pem.Block
+		block, rest := pem.Decode([]byte(remaining))
+		if block == nil {
+			break
+		}
+		if block.Type == "CERTIFICATE" {
+			certs = append(certs, string(pem.EncodeToMemory(block)))
+		}
+		remaining = string(rest)
+	}
+
+	if len(certs) == 0 {
+		err = fmt.Errorf("no certificates found in PEM bundle")
+		return
+	}
+
+	certPEM = certs[0]
+	if len(certs) > 1 {
+		chainPEM = strings.Join(certs[1:], "")
+	}
+
+	// Parse leaf cert for metadata
+	block, _ := pem.Decode([]byte(certPEM))
+	if block == nil {
+		err = fmt.Errorf("failed to decode leaf certificate PEM")
+		return
+	}
+
+	cert, parseErr := x509.ParseCertificate(block.Bytes)
+	if parseErr != nil {
+		err = fmt.Errorf("failed to parse leaf certificate: %w", parseErr)
+		return
+	}
+
+	serial = cert.SerialNumber.String()
+	notBefore = cert.NotBefore
+	notAfter = cert.NotAfter
+	return
+}
+
+// GenerateCRL is not supported because DigiCert manages CRL distribution.
+func (c *Connector) GenerateCRL(ctx context.Context, revokedCerts []issuer.RevokedCertEntry) ([]byte, error) {
+	return nil, fmt.Errorf("DigiCert manages CRL distribution; use DigiCert's CRL endpoints")
+}
+
+// SignOCSPResponse is not supported because DigiCert manages OCSP.
+func (c *Connector) SignOCSPResponse(ctx context.Context, req issuer.OCSPSignRequest) ([]byte, error) {
+	return nil, fmt.Errorf("DigiCert manages OCSP; use DigiCert's OCSP responder")
+}
+
+// GetCACertPEM is not directly supported. DigiCert intermediate certificates
+// come with each certificate issuance as part of the PEM bundle.
+func (c *Connector) GetCACertPEM(ctx context.Context) (string, error) {
+	return "", fmt.Errorf("DigiCert intermediate certificates are included with each issued certificate")
+}
+
+// GetRenewalInfo returns nil, nil as DigiCert does not support ACME Renewal Information (ARI).
+func (c *Connector) GetRenewalInfo(ctx context.Context, certPEM string) (*issuer.RenewalInfoResult, error) {
+	return nil, nil
+}
+
+// Ensure Connector implements the issuer.Connector interface.
+var _ issuer.Connector = (*Connector)(nil)

internal/connector/issuer/digicert/digicert_test.go

@@ -0,0 +1,591 @@
+package digicert_test
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"log/slog"
+	"math/big"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/connector/issuer"
+	"github.com/shankar0123/certctl/internal/connector/issuer/digicert"
+)
+
+func TestDigiCertConnector(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	t.Run("ValidateConfig_Success", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == "/user/me" {
+				if r.Header.Get("X-DC-DEVKEY") == "dc-test-api-key" {
+					w.WriteHeader(http.StatusOK)
+					w.Write([]byte(`{"id":12345,"first_name":"Test","last_name":"User"}`))
+					return
+				}
+				w.WriteHeader(http.StatusForbidden)
+				w.Write([]byte(`{"errors":[{"code":"invalid_api_key"}]}`))
+				return
+			}
+			http.NotFound(w, r)
+		}))
+		defer srv.Close()
+
+		config := digicert.Config{
+			APIKey:      "dc-test-api-key",
+			OrgID:       "12345",
+			ProductType: "ssl_basic",
+			BaseURL:     srv.URL,
+		}
+
+		connector := digicert.New(nil, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err != nil {
+			t.Fatalf("ValidateConfig failed: %v", err)
+		}
+	})
+
+	t.Run("ValidateConfig_MissingAPIKey", func(t *testing.T) {
+		config := digicert.Config{
+			OrgID: "12345",
+		}
+
+		connector := digicert.New(nil, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("Expected error for missing api_key")
+		}
+		if !strings.Contains(err.Error(), "api_key is required") {
+			t.Errorf("Expected api_key required error, got: %v", err)
+		}
+	})
+
+	t.Run("ValidateConfig_MissingOrgID", func(t *testing.T) {
+		config := digicert.Config{
+			APIKey: "dc-test-key",
+		}
+
+		connector := digicert.New(nil, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("Expected error for missing org_id")
+		}
+		if !strings.Contains(err.Error(), "org_id is required") {
+			t.Errorf("Expected org_id required error, got: %v", err)
+		}
+	})
+
+	t.Run("ValidateConfig_InvalidKey", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == "/user/me" {
+				w.WriteHeader(http.StatusForbidden)
+				w.Write([]byte(`{"errors":[{"code":"invalid_api_key"}]}`))
+				return
+			}
+			http.NotFound(w, r)
+		}))
+		defer srv.Close()
+
+		config := digicert.Config{
+			APIKey:  "dc-bad-key",
+			OrgID:   "12345",
+			BaseURL: srv.URL,
+		}
+
+		connector := digicert.New(nil, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("Expected error for invalid API key")
+		}
+		if !strings.Contains(err.Error(), "invalid") {
+			t.Logf("Got error: %v", err)
+		}
+	})
+
+	t.Run("IssueCertificate_ImmediateSuccess", func(t *testing.T) {
+		testCertPEM, _ := generateTestCert(t)
+		testChainPEM, _ := generateTestCert(t)
+		pemBundle := testCertPEM + testChainPEM
+
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case strings.HasPrefix(r.URL.Path, "/order/certificate/ssl_basic"):
+				w.WriteHeader(http.StatusCreated)
+				w.Write([]byte(`{"id":99001,"status":"issued","certificate_id":88001}`))
+			case r.URL.Path == "/certificate/88001/download/format/pem_all":
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(pemBundle))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &digicert.Config{
+			APIKey:      "dc-test-key",
+			OrgID:       "12345",
+			ProductType: "ssl_basic",
+			BaseURL:     srv.URL,
+		}
+		connector := digicert.New(config, logger)
+
+		_, csrPEM := generateTestCSR(t, "app.example.com")
+		req := issuer.IssuanceRequest{
+			CommonName: "app.example.com",
+			SANs:       []string{"app.example.com"},
+			CSRPEM:     csrPEM,
+		}
+
+		result, err := connector.IssueCertificate(ctx, req)
+		if err != nil {
+			t.Fatalf("IssueCertificate failed: %v", err)
+		}
+
+		if result.CertPEM == "" {
+			t.Error("CertPEM should not be empty for immediate issuance")
+		}
+		if result.Serial == "" {
+			t.Error("Serial should not be empty for immediate issuance")
+		}
+		if result.OrderID != "99001" {
+			t.Errorf("Expected OrderID '99001', got '%s'", result.OrderID)
+		}
+		t.Logf("DigiCert issued cert: serial=%s, orderID=%s", result.Serial, result.OrderID)
+	})
+
+	t.Run("IssueCertificate_Pending", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case strings.HasPrefix(r.URL.Path, "/order/certificate/ssl_ev_basic"):
+				w.WriteHeader(http.StatusCreated)
+				w.Write([]byte(`{"id":99002,"status":"pending"}`))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &digicert.Config{
+			APIKey:      "dc-test-key",
+			OrgID:       "12345",
+			ProductType: "ssl_ev_basic",
+			BaseURL:     srv.URL,
+		}
+		connector := digicert.New(config, logger)
+
+		_, csrPEM := generateTestCSR(t, "secure.example.com")
+		req := issuer.IssuanceRequest{
+			CommonName: "secure.example.com",
+			CSRPEM:     csrPEM,
+		}
+
+		result, err := connector.IssueCertificate(ctx, req)
+		if err != nil {
+			t.Fatalf("IssueCertificate failed: %v", err)
+		}
+
+		if result.OrderID != "99002" {
+			t.Errorf("Expected OrderID '99002', got '%s'", result.OrderID)
+		}
+		if result.CertPEM != "" {
+			t.Error("CertPEM should be empty for pending order")
+		}
+		if result.Serial != "" {
+			t.Error("Serial should be empty for pending order")
+		}
+	})
+
+	t.Run("IssueCertificate_ServerError", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusBadRequest)
+			w.Write([]byte(`{"errors":[{"code":"invalid_csr","message":"CSR is malformed"}]}`))
+		}))
+		defer srv.Close()
+
+		config := &digicert.Config{
+			APIKey:      "dc-test-key",
+			OrgID:       "12345",
+			ProductType: "ssl_basic",
+			BaseURL:     srv.URL,
+		}
+		connector := digicert.New(config, logger)
+
+		req := issuer.IssuanceRequest{
+			CommonName: "test.example.com",
+			CSRPEM:     "invalid-csr",
+		}
+
+		_, err := connector.IssueCertificate(ctx, req)
+		if err == nil {
+			t.Fatal("Expected error for server error response")
+		}
+	})
+
+	t.Run("GetOrderStatus_Issued", func(t *testing.T) {
+		testCertPEM, _ := generateTestCert(t)
+		testChainPEM, _ := generateTestCert(t)
+		pemBundle := testCertPEM + testChainPEM
+
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.URL.Path == "/order/certificate/99001":
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(`{"id":99001,"status":"issued","certificate":{"id":88001,"common_name":"app.example.com"}}`))
+			case r.URL.Path == "/certificate/88001/download/format/pem_all":
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(pemBundle))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &digicert.Config{
+			APIKey:  "dc-test-key",
+			OrgID:   "12345",
+			BaseURL: srv.URL,
+		}
+		connector := digicert.New(config, logger)
+
+		status, err := connector.GetOrderStatus(ctx, "99001")
+		if err != nil {
+			t.Fatalf("GetOrderStatus failed: %v", err)
+		}
+
+		if status.Status != "completed" {
+			t.Errorf("Expected status 'completed', got '%s'", status.Status)
+		}
+		if status.CertPEM == nil || *status.CertPEM == "" {
+			t.Error("CertPEM should not be empty for issued order")
+		}
+		if status.Serial == nil || *status.Serial == "" {
+			t.Error("Serial should not be empty for issued order")
+		}
+	})
+
+	t.Run("GetOrderStatus_Pending", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == "/order/certificate/99002" {
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(`{"id":99002,"status":"pending","certificate":{"id":0}}`))
+				return
+			}
+			http.NotFound(w, r)
+		}))
+		defer srv.Close()
+
+		config := &digicert.Config{
+			APIKey:  "dc-test-key",
+			OrgID:   "12345",
+			BaseURL: srv.URL,
+		}
+		connector := digicert.New(config, logger)
+
+		status, err := connector.GetOrderStatus(ctx, "99002")
+		if err != nil {
+			t.Fatalf("GetOrderStatus failed: %v", err)
+		}
+
+		if status.Status != "pending" {
+			t.Errorf("Expected status 'pending', got '%s'", status.Status)
+		}
+		if status.CertPEM != nil {
+			t.Error("CertPEM should be nil for pending order")
+		}
+	})
+
+	t.Run("GetOrderStatus_Rejected", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == "/order/certificate/99003" {
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(`{"id":99003,"status":"rejected","certificate":{"id":0}}`))
+				return
+			}
+			http.NotFound(w, r)
+		}))
+		defer srv.Close()
+
+		config := &digicert.Config{
+			APIKey:  "dc-test-key",
+			OrgID:   "12345",
+			BaseURL: srv.URL,
+		}
+		connector := digicert.New(config, logger)
+
+		status, err := connector.GetOrderStatus(ctx, "99003")
+		if err != nil {
+			t.Fatalf("GetOrderStatus failed: %v", err)
+		}
+
+		if status.Status != "failed" {
+			t.Errorf("Expected status 'failed', got '%s'", status.Status)
+		}
+	})
+
+	t.Run("RenewCertificate_NewOrder", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case strings.HasPrefix(r.URL.Path, "/order/certificate/"):
+				w.WriteHeader(http.StatusCreated)
+				w.Write([]byte(`{"id":99010,"status":"pending"}`))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &digicert.Config{
+			APIKey:      "dc-test-key",
+			OrgID:       "12345",
+			ProductType: "ssl_basic",
+			BaseURL:     srv.URL,
+		}
+		connector := digicert.New(config, logger)
+
+		_, csrPEM := generateTestCSR(t, "renew.example.com")
+		renewReq := issuer.RenewalRequest{
+			CommonName: "renew.example.com",
+			CSRPEM:     csrPEM,
+		}
+
+		result, err := connector.RenewCertificate(ctx, renewReq)
+		if err != nil {
+			t.Fatalf("RenewCertificate failed: %v", err)
+		}
+
+		if result.OrderID == "" {
+			t.Error("OrderID should not be empty")
+		}
+	})
+
+	t.Run("RevokeCertificate_Success", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if strings.HasSuffix(r.URL.Path, "/revoke") && r.Method == http.MethodPut {
+				if r.Header.Get("X-DC-DEVKEY") == "" {
+					w.WriteHeader(http.StatusForbidden)
+					return
+				}
+				w.WriteHeader(http.StatusNoContent)
+				return
+			}
+			http.NotFound(w, r)
+		}))
+		defer srv.Close()
+
+		config := &digicert.Config{
+			APIKey:  "dc-test-key",
+			OrgID:   "12345",
+			BaseURL: srv.URL,
+		}
+		connector := digicert.New(config, logger)
+
+		reason := "keyCompromise"
+		revokeReq := issuer.RevocationRequest{
+			Serial: "88001",
+			Reason: &reason,
+		}
+
+		err := connector.RevokeCertificate(ctx, revokeReq)
+		if err != nil {
+			t.Fatalf("RevokeCertificate failed: %v", err)
+		}
+	})
+
+	t.Run("RevokeCertificate_Error", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusBadRequest)
+			w.Write([]byte(`{"errors":[{"code":"certificate_not_found"}]}`))
+		}))
+		defer srv.Close()
+
+		config := &digicert.Config{
+			APIKey:  "dc-test-key",
+			OrgID:   "12345",
+			BaseURL: srv.URL,
+		}
+		connector := digicert.New(config, logger)
+
+		revokeReq := issuer.RevocationRequest{
+			Serial: "00000",
+		}
+
+		err := connector.RevokeCertificate(ctx, revokeReq)
+		if err == nil {
+			t.Fatal("Expected error for revocation of nonexistent cert")
+		}
+	})
+
+	t.Run("GetOrderStatus_DownloadError", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.URL.Path == "/order/certificate/99004":
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(`{"id":99004,"status":"issued","certificate":{"id":88004}}`))
+			case r.URL.Path == "/certificate/88004/download/format/pem_all":
+				w.WriteHeader(http.StatusInternalServerError)
+				w.Write([]byte(`{"errors":["internal server error"]}`))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &digicert.Config{
+			APIKey:  "dc-test-key",
+			OrgID:   "12345",
+			BaseURL: srv.URL,
+		}
+		connector := digicert.New(config, logger)
+
+		_, err := connector.GetOrderStatus(ctx, "99004")
+		if err == nil {
+			t.Fatal("Expected error when download fails")
+		}
+		if !strings.Contains(err.Error(), "download") {
+			t.Logf("Got error: %v", err)
+		}
+	})
+
+	t.Run("GetRenewalInfo_ReturnsNil", func(t *testing.T) {
+		config := &digicert.Config{
+			APIKey:  "dc-test-key",
+			OrgID:   "12345",
+			BaseURL: "https://api.digicert.com",
+		}
+		connector := digicert.New(config, logger)
+
+		result, err := connector.GetRenewalInfo(ctx, "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----")
+		if err != nil {
+			t.Fatalf("GetRenewalInfo should not return error, got: %v", err)
+		}
+		if result != nil {
+			t.Fatal("GetRenewalInfo should return nil for DigiCert")
+		}
+	})
+
+	t.Run("DefaultProductType", func(t *testing.T) {
+		config := &digicert.Config{
+			APIKey: "dc-test-key",
+			OrgID:  "12345",
+			// ProductType intentionally left empty
+		}
+		connector := digicert.New(config, logger)
+
+		// Verify the connector was created (the default is set in New())
+		if connector == nil {
+			t.Fatal("Connector should not be nil")
+		}
+
+		// Verify via a request that uses the product type
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Verify the path includes the default product type
+			if strings.Contains(r.URL.Path, "ssl_basic") {
+				w.WriteHeader(http.StatusCreated)
+				w.Write([]byte(`{"id":99099,"status":"pending"}`))
+				return
+			}
+			t.Errorf("Expected path to contain 'ssl_basic', got: %s", r.URL.Path)
+			w.WriteHeader(http.StatusBadRequest)
+		}))
+		defer srv.Close()
+
+		// Reconfigure with test server URL
+		config.BaseURL = srv.URL
+		connector = digicert.New(config, logger)
+
+		_, csrPEM := generateTestCSR(t, "test.example.com")
+		req := issuer.IssuanceRequest{
+			CommonName: "test.example.com",
+			CSRPEM:     csrPEM,
+		}
+
+		result, err := connector.IssueCertificate(ctx, req)
+		if err != nil {
+			t.Fatalf("IssueCertificate with default product type failed: %v", err)
+		}
+		if result.OrderID == "" {
+			t.Error("OrderID should not be empty")
+		}
+	})
+}
+
+// generateTestCert creates a self-signed test certificate and returns the PEM strings.
+func generateTestCert(t *testing.T) (certPEM string, keyPEM string) {
+	t.Helper()
+
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("Failed to generate key: %v", err)
+	}
+
+	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	template := &x509.Certificate{
+		SerialNumber: serial,
+		Subject: pkix.Name{
+			CommonName: fmt.Sprintf("Test Certificate %s", serial.String()[:8]),
+		},
+		DNSNames:              []string{"test.example.com"},
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	certBytes, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
+	if err != nil {
+		t.Fatalf("Failed to create certificate: %v", err)
+	}
+
+	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certBytes}))
+	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}))
+
+	return certPEM, keyPEM
+}
+
+// generateTestCSR creates a test CSR for the given common name.
+func generateTestCSR(t *testing.T, commonName string) (*x509.CertificateRequest, string) {
+	t.Helper()
+
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("Failed to generate key: %v", err)
+	}
+
+	csrTemplate := x509.CertificateRequest{
+		Subject: pkix.Name{
+			CommonName: commonName,
+		},
+		DNSNames:           []string{commonName},
+		SignatureAlgorithm: x509.SHA256WithRSA,
+	}
+
+	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, key)
+	if err != nil {
+		t.Fatalf("Failed to create CSR: %v", err)
+	}
+
+	csrPEM := string(pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csrBytes,
+	}))
+
+	csr, err := x509.ParseCertificateRequest(csrBytes)
+	if err != nil {
+		t.Fatalf("Failed to parse CSR: %v", err)
+	}
+
+	return csr, csrPEM
+}