secret: migrate EJBCA / GlobalSign / Sectigo credentials to *secret.Ref (Phase 2)

Phase 2 of the #6 acquisition-readiness fix from the 2026-05-01 issuer
coverage audit. Phase 1 (commit 633a10a) shipped the secret.Ref opaque
credential type with PBKDF2-derived key, ChaCha20-Poly1305 envelope,
String/MarshalJSON redaction to "[redacted]", and the Use callback
that zero-fills the per-call buffer after the consumer returns.

This commit applies the type to the three connectors flagged by the
audit and adds the JSON-roundtrip glue that the production factory
path needs.

Shared (internal/secret/):

- Add UnmarshalJSON on *Ref so json.Unmarshal of a stored config
  blob (issuerfactory.NewFromConfig) parses the bytes-as-string into
  NewRefFromString without callers having to know the field type
  changed. Null and missing keys leave the receiver nil; non-string
  payloads (numbers, bools) are rejected with a typed error. Pinned
  by TestRef_UnmarshalJSON: string_value, null, missing_key,
  number_rejected, roundtrip_marshal_then_unmarshal (the round-trip
  goes through "[redacted]" intentionally — JSON-marshal-then-
  unmarshal of a Config with secrets is NOT a supported test pattern;
  callers that construct a rawConfig must use a JSON literal with
  the real values).

Per-connector migration:

- EJBCA (ejbca.go): Config.Token: string → *secret.Ref. ValidateConfig
  empty-check uses Token.IsEmpty() (nil-safe). setAuthHeaders rewritten
  to call Token.Use; the Bearer header string is built inside the
  callback and the buffer is zeroed on return. mTLS path is
  unaffected.

- GlobalSign (globalsign.go): Config.APIKey + Config.APISecret: string
  → *secret.Ref. Both ValidateConfig empty-checks use IsEmpty().
  Extracted setAuthHeaders helper consolidates the four duplicated
  triple-Set sites (ValidateConfig probe, IssueCertificate,
  RevokeCertificate, pollCertificateOnce) so any future header-shape
  change applies once. ValidateConfig now pulls from the local cfg
  (post-Unmarshal) so the helper takes a *Config rather than the
  receiver — needed because ValidateConfig writes the validated cfg
  onto c.config only AFTER the probe succeeds.

- Sectigo (sectigo.go): Config.Login + Config.Password: string →
  *secret.Ref. CustomerURI stays plain string (org identifier, not
  a credential). setAuthHeaders rewritten to call Login.Use +
  Password.Use; ValidateConfig's inline header writes use the same
  pattern (the ValidateConfig probe writes to a local cfg, not
  c.config, so it can't share setAuthHeaders without rewiring — the
  inline form is fine, kept consistent in shape).

Test migration:

- ejbca_test.go, ejbca_failure_test.go, ejbca_stubs_test.go: bulk
  Token: "X" → Token: secret.NewRefFromString("X") via sed; secret
  import added.
- globalsign_test.go, globalsign_failure_test.go: same pattern for
  APIKey + APISecret.
- sectigo_test.go, sectigo_failure_test.go: same pattern for Login +
  Password.

Two tests (TestGlobalSign_ServerTLSConfig/PinnedCA_TrustsExpectedServer
and TestSectigoConnector/ValidateConfig_Success) used to construct
rawConfig via json.Marshal(config) → ValidateConfig(rawConfig). After
the migration, json.Marshal redacts *secret.Ref to "[redacted]" by
design, so the roundtripped rawConfig wrote "[redacted]" as the
actual header value and the mock server's auth-header check 403'd.
Both tests now build rawConfig as a JSON literal (the production-
shape input — the factory path always feeds rawConfig from the DB
or env, never from json.Marshal of an in-memory Config). The new
tests have a comment explaining the trap so the next person who
adds a similar test sees the pattern.

Out of scope (intentional):

- The `internal/config/config.SectigoConfig` / `GlobalSignConfig` /
  `EJBCAConfig` env-var-loader structs are still plain strings —
  those types are the env-load shape, not the steady-state runtime
  shape. The seed path in service/issuer.go json-marshals them into
  a map[string]interface{} which the factory then UnmarshalJSON's
  into the connector Config; the new UnmarshalJSON on *Ref handles
  the conversion at the boundary.
- DigiCert.APIKey + Vault.Token are still plain strings; Phase 3
  will pick them up. The audit explicitly named EJBCA / GlobalSign /
  Sectigo as the Phase 2 scope (RESULTS.md L633).

Verified locally:
- gofmt -l . clean
- go vet ./... clean
- staticcheck across all four packages clean
- go test -short -count=1 across secret, ejbca, globalsign, sectigo,
  issuerfactory, service, api/handler: green

Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md
Top-10 fix #6 — Phase 2.

internal/connector/issuer/globalsign/globalsign.go

@@ -40,6 +40,7 @@ import (
 
 	"github.com/shankar0123/certctl/internal/connector/issuer"
 	"github.com/shankar0123/certctl/internal/connector/issuer/asyncpoll"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 // Config represents the GlobalSign Atlas HVCA issuer connector configuration.
@@ -51,11 +52,16 @@ type Config struct {
 
 	// APIKey is the GlobalSign API key for request authentication.
 	// Required. Set via CERTCTL_GLOBALSIGN_API_KEY environment variable.
-	APIKey string `json:"api_key"`
+	//
+	// Type: *secret.Ref (audit fix #6 Phase 2). Never stringifies;
+	// MarshalJSON returns "[redacted]"; bytes are zeroed after each
+	// header write via Ref.Use.
+	APIKey *secret.Ref `json:"api_key"`
 
 	// APISecret is the GlobalSign API secret for request authentication.
 	// Required. Set via CERTCTL_GLOBALSIGN_API_SECRET environment variable.
-	APISecret string `json:"api_secret"`
+	// Same *secret.Ref protections as APIKey.
+	APISecret *secret.Ref `json:"api_secret"`
 
 	// ClientCertPath is the filesystem path to the mTLS client certificate PEM file.
 	// The certificate must be signed by GlobalSign and loaded for TLS handshake.
@@ -159,11 +165,11 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 		return fmt.Errorf("GlobalSign api_url is required")
 	}
 
-	if cfg.APIKey == "" {
+	if cfg.APIKey.IsEmpty() {
 		return fmt.Errorf("GlobalSign api_key is required")
 	}
 
-	if cfg.APISecret == "" {
+	if cfg.APISecret.IsEmpty() {
 		return fmt.Errorf("GlobalSign api_secret is required")
 	}
 
@@ -204,9 +210,7 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 	}
 
 	// Add both authentication layers
-	req.Header.Set("ApiKey", cfg.APIKey)
-	req.Header.Set("ApiSecret", cfg.APISecret)
-	req.Header.Set("Content-Type", "application/json")
+	setAuthHeaders(req, &cfg)
 
 	resp, err := validationClient.Do(req)
 	if err != nil {
@@ -264,6 +268,34 @@ func (c *Connector) getHTTPClient(ctx context.Context) (*http.Client, error) {
 	}, nil
 }
 
+// setAuthHeaders writes the GlobalSign double-auth headers (ApiKey,
+// ApiSecret) plus Content-Type: application/json onto req. The secret
+// values are pulled from the *secret.Ref via Use, which zero-fills the
+// per-call buffer after the header string is set; the Ref's underlying
+// bytes remain encrypted at rest. The Use return value is intentionally
+// ignored — Set never errors and the only failure modes inside Use are
+// nil-Ref / empty-Ref which the upstream IsEmpty validation has already
+// excluded for production paths. ValidateConfig and the steady-state
+// IssueCertificate / RevokeCertificate / pollCertificateOnce sites all
+// route through here so any future header-shape change applies once.
+//
+// Audit fix #6 Phase 2.
+func setAuthHeaders(req *http.Request, cfg *Config) {
+	if cfg.APIKey != nil {
+		_ = cfg.APIKey.Use(func(buf []byte) error {
+			req.Header.Set("ApiKey", string(buf))
+			return nil
+		})
+	}
+	if cfg.APISecret != nil {
+		_ = cfg.APISecret.Use(func(buf []byte) error {
+			req.Header.Set("ApiSecret", string(buf))
+			return nil
+		})
+	}
+	req.Header.Set("Content-Type", "application/json")
+}
+
 // buildServerTLSConfig returns a TLS configuration for the GlobalSign Atlas
 // HVCA API client. It always verifies the server certificate. When
 // cfg.ServerCAPath is set, the PEM bundle at that path is used as the
@@ -333,9 +365,7 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
 	}
 
 	// Apply double auth: mTLS + headers
-	req.Header.Set("ApiKey", c.config.APIKey)
-	req.Header.Set("ApiSecret", c.config.APISecret)
-	req.Header.Set("Content-Type", "application/json")
+	setAuthHeaders(req, c.config)
 
 	resp, err := client.Do(req)
 	if err != nil {
@@ -422,9 +452,7 @@ func (c *Connector) RevokeCertificate(ctx context.Context, request issuer.Revoca
 		return fmt.Errorf("failed to create revoke request: %w", err)
 	}
 
-	req.Header.Set("ApiKey", c.config.APIKey)
-	req.Header.Set("ApiSecret", c.config.APISecret)
-	req.Header.Set("Content-Type", "application/json")
+	setAuthHeaders(req, c.config)
 
 	resp, err := client.Do(req)
 	if err != nil {
@@ -510,9 +538,7 @@ func (c *Connector) pollCertificateOnce(ctx context.Context, orderID string) (*i
 		return nil, asyncpoll.Failed, fmt.Errorf("failed to create status request: %w", err)
 	}
 
-	req.Header.Set("ApiKey", c.config.APIKey)
-	req.Header.Set("ApiSecret", c.config.APISecret)
-	req.Header.Set("Content-Type", "application/json")
+	setAuthHeaders(req, c.config)
 
 	resp, err := client.Do(req)
 	if err != nil {

internal/connector/issuer/globalsign/globalsign_failure_test.go

@@ -11,6 +11,7 @@ import (
 	"testing"
 
 	"github.com/shankar0123/certctl/internal/connector/issuer/globalsign"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 // Bundle N.A/B-extended: globalsign failure-mode round-out (78.2% → ≥85%).
@@ -20,8 +21,8 @@ func buildGlobalsignConnector(t *testing.T, baseURL string) *globalsign.Connecto
 	t.Helper()
 	cfg := &globalsign.Config{
 		APIUrl:             baseURL,
-		APIKey:             "k",
-		APISecret:          "s",
+		APIKey:             secret.NewRefFromString("k"),
+		APISecret:          secret.NewRefFromString("s"),
 		PollMaxWaitSeconds: 1, // keep async-pending tests fast
 	}
 	// Use NewWithHTTPClient with a test client so getHTTPClient short-circuits
@@ -133,8 +134,8 @@ func TestGlobalsign_GetHTTPClient_NoMTLSCertPaths_ReturnsClientAsIs(t *testing.T
 	// the production-default 10 minutes.
 	cfg := &globalsign.Config{
 		APIUrl:             "http://example.invalid",
-		APIKey:             "k",
-		APISecret:          "s",
+		APIKey:             secret.NewRefFromString("k"),
+		APISecret:          secret.NewRefFromString("s"),
 		PollMaxWaitSeconds: 1,
 		// no cert paths
 	}
@@ -153,8 +154,8 @@ func TestGlobalsign_GetHTTPClient_MTLSPathConfigured_LoadsKeyPair(t *testing.T)
 	// LoadX509KeyPair error branch in getHTTPClient.
 	cfg := &globalsign.Config{
 		APIUrl:         "http://example.invalid",
-		APIKey:         "k",
-		APISecret:      "s",
+		APIKey:         secret.NewRefFromString("k"),
+		APISecret:      secret.NewRefFromString("s"),
 		ClientCertPath: "/nonexistent/cert.pem",
 		ClientKeyPath:  "/nonexistent/key.pem",
 	}

internal/connector/issuer/globalsign/globalsign_test.go

@@ -20,6 +20,7 @@ import (
 
 	"github.com/shankar0123/certctl/internal/connector/issuer"
 	"github.com/shankar0123/certctl/internal/connector/issuer/globalsign"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 func TestGlobalSignConnector(t *testing.T) {
@@ -44,8 +45,8 @@ func TestGlobalSignConnector(t *testing.T) {
 
 		config := globalsign.Config{
 			APIUrl:         srv.URL,
-			APIKey:         "gs-test-key",
-			APISecret:      "gs-test-secret",
+			APIKey:         secret.NewRefFromString("gs-test-key"),
+			APISecret:      secret.NewRefFromString("gs-test-secret"),
 			ClientCertPath: "unused_for_httptest",
 			ClientKeyPath:  "unused_for_httptest",
 		}
@@ -63,8 +64,8 @@ func TestGlobalSignConnector(t *testing.T) {
 
 	t.Run("ValidateConfig_MissingAPIUrl", func(t *testing.T) {
 		config := globalsign.Config{
-			APIKey:         "gs-test-key",
-			APISecret:      "gs-test-secret",
+			APIKey:         secret.NewRefFromString("gs-test-key"),
+			APISecret:      secret.NewRefFromString("gs-test-secret"),
 			ClientCertPath: "/tmp/cert.pem",
 			ClientKeyPath:  "/tmp/key.pem",
 		}
@@ -83,7 +84,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	t.Run("ValidateConfig_MissingAPIKey", func(t *testing.T) {
 		config := globalsign.Config{
 			APIUrl:         "https://api.example.com",
-			APISecret:      "gs-test-secret",
+			APISecret:      secret.NewRefFromString("gs-test-secret"),
 			ClientCertPath: "/tmp/cert.pem",
 			ClientKeyPath:  "/tmp/key.pem",
 		}
@@ -102,7 +103,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	t.Run("ValidateConfig_MissingAPISecret", func(t *testing.T) {
 		config := globalsign.Config{
 			APIUrl:         "https://api.example.com",
-			APIKey:         "gs-test-key",
+			APIKey:         secret.NewRefFromString("gs-test-key"),
 			ClientCertPath: "/tmp/cert.pem",
 			ClientKeyPath:  "/tmp/key.pem",
 		}
@@ -121,8 +122,8 @@ func TestGlobalSignConnector(t *testing.T) {
 	t.Run("ValidateConfig_MissingClientCertPath", func(t *testing.T) {
 		config := globalsign.Config{
 			APIUrl:        "https://api.example.com",
-			APIKey:        "gs-test-key",
-			APISecret:     "gs-test-secret",
+			APIKey:        secret.NewRefFromString("gs-test-key"),
+			APISecret:     secret.NewRefFromString("gs-test-secret"),
 			ClientKeyPath: "/tmp/key.pem",
 		}
 
@@ -140,8 +141,8 @@ func TestGlobalSignConnector(t *testing.T) {
 	t.Run("ValidateConfig_MissingClientKeyPath", func(t *testing.T) {
 		config := globalsign.Config{
 			APIUrl:         "https://api.example.com",
-			APIKey:         "gs-test-key",
-			APISecret:      "gs-test-secret",
+			APIKey:         secret.NewRefFromString("gs-test-key"),
+			APISecret:      secret.NewRefFromString("gs-test-secret"),
 			ClientCertPath: "/tmp/cert.pem",
 		}
 
@@ -187,8 +188,8 @@ func TestGlobalSignConnector(t *testing.T) {
 
 		config := &globalsign.Config{
 			APIUrl:    mockServer.URL,
-			APIKey:    "gs-test-key",
-			APISecret: "gs-test-secret",
+			APIKey:    secret.NewRefFromString("gs-test-key"),
+			APISecret: secret.NewRefFromString("gs-test-secret"),
 		}
 
 		connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
@@ -235,8 +236,8 @@ func TestGlobalSignConnector(t *testing.T) {
 
 		config := &globalsign.Config{
 			APIUrl:    mockServer.URL,
-			APIKey:    "gs-test-key",
-			APISecret: "gs-test-secret",
+			APIKey:    secret.NewRefFromString("gs-test-key"),
+			APISecret: secret.NewRefFromString("gs-test-secret"),
 		}
 
 		connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
@@ -276,8 +277,8 @@ func TestGlobalSignConnector(t *testing.T) {
 
 		config := &globalsign.Config{
 			APIUrl:    mockServer.URL,
-			APIKey:    "gs-test-key",
-			APISecret: "gs-test-secret",
+			APIKey:    secret.NewRefFromString("gs-test-key"),
+			APISecret: secret.NewRefFromString("gs-test-secret"),
 		}
 
 		connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
@@ -318,8 +319,8 @@ func TestGlobalSignConnector(t *testing.T) {
 
 		config := &globalsign.Config{
 			APIUrl:    mockServer.URL,
-			APIKey:    "gs-test-key",
-			APISecret: "gs-test-secret",
+			APIKey:    secret.NewRefFromString("gs-test-key"),
+			APISecret: secret.NewRefFromString("gs-test-secret"),
 		}
 
 		connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
@@ -356,8 +357,8 @@ func TestGlobalSignConnector(t *testing.T) {
 
 		config := &globalsign.Config{
 			APIUrl:             mockServer.URL,
-			APIKey:             "gs-test-key",
-			APISecret:          "gs-test-secret",
+			APIKey:             secret.NewRefFromString("gs-test-key"),
+			APISecret:          secret.NewRefFromString("gs-test-secret"),
 			PollMaxWaitSeconds: 1, // keep async-pending tests fast
 		}
 
@@ -400,8 +401,8 @@ func TestGlobalSignConnector(t *testing.T) {
 
 		config := &globalsign.Config{
 			APIUrl:    mockServer.URL,
-			APIKey:    "gs-test-key",
-			APISecret: "gs-test-secret",
+			APIKey:    secret.NewRefFromString("gs-test-key"),
+			APISecret: secret.NewRefFromString("gs-test-secret"),
 		}
 
 		connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
@@ -445,8 +446,8 @@ func TestGlobalSignConnector(t *testing.T) {
 
 		config := &globalsign.Config{
 			APIUrl:    mockServer.URL,
-			APIKey:    "gs-test-key",
-			APISecret: "gs-test-secret",
+			APIKey:    secret.NewRefFromString("gs-test-key"),
+			APISecret: secret.NewRefFromString("gs-test-secret"),
 		}
 
 		connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
@@ -478,8 +479,8 @@ func TestGlobalSignConnector(t *testing.T) {
 
 		config := &globalsign.Config{
 			APIUrl:    mockServer.URL,
-			APIKey:    "gs-test-key",
-			APISecret: "gs-test-secret",
+			APIKey:    secret.NewRefFromString("gs-test-key"),
+			APISecret: secret.NewRefFromString("gs-test-secret"),
 		}
 
 		connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
@@ -524,8 +525,8 @@ func TestGlobalSignConnector(t *testing.T) {
 
 		config := &globalsign.Config{
 			APIUrl:    mockServer.URL,
-			APIKey:    "gs-test-key",
-			APISecret: "gs-test-secret",
+			APIKey:    secret.NewRefFromString("gs-test-key"),
+			APISecret: secret.NewRefFromString("gs-test-secret"),
 		}
 
 		connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
@@ -613,15 +614,22 @@ func TestGlobalSign_ServerTLSConfig(t *testing.T) {
 		clientCert, clientKey := writeClientMTLS(t)
 		config := globalsign.Config{
 			APIUrl:         srv.URL,
-			APIKey:         "gs-test-key",
-			APISecret:      "gs-test-secret",
+			APIKey:         secret.NewRefFromString("gs-test-key"),
+			APISecret:      secret.NewRefFromString("gs-test-secret"),
 			ClientCertPath: clientCert,
 			ClientKeyPath:  clientKey,
 			ServerCAPath:   caPath,
 		}
 
 		connector := globalsign.New(&config, logger)
-		rawConfig, _ := json.Marshal(config)
+		// Build rawConfig as a JSON literal so the secrets round-trip
+		// intact via UnmarshalJSON (json.Marshal redacts *secret.Ref →
+		// "[redacted]" by design; it MUST NOT be used to construct a
+		// rawConfig that ValidateConfig will then header-write back).
+		rawConfig := []byte(fmt.Sprintf(
+			`{"api_url":%q,"api_key":"gs-test-key","api_secret":"gs-test-secret","client_cert_path":%q,"client_key_path":%q,"server_ca_path":%q}`,
+			config.APIUrl, config.ClientCertPath, config.ClientKeyPath, config.ServerCAPath,
+		))
 		if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
 			t.Fatalf("ValidateConfig with pinned CA should succeed, got: %v", err)
 		}
@@ -645,8 +653,8 @@ func TestGlobalSign_ServerTLSConfig(t *testing.T) {
 		clientCert, clientKey := writeClientMTLS(t)
 		config := globalsign.Config{
 			APIUrl:         srv.URL,
-			APIKey:         "gs-test-key",
-			APISecret:      "gs-test-secret",
+			APIKey:         secret.NewRefFromString("gs-test-key"),
+			APISecret:      secret.NewRefFromString("gs-test-secret"),
 			ClientCertPath: clientCert,
 			ClientKeyPath:  clientKey,
 			ServerCAPath:   caPath,
@@ -671,8 +679,8 @@ func TestGlobalSign_ServerTLSConfig(t *testing.T) {
 		clientCert, clientKey := writeClientMTLS(t)
 		config := globalsign.Config{
 			APIUrl:         "https://example.invalid",
-			APIKey:         "gs-test-key",
-			APISecret:      "gs-test-secret",
+			APIKey:         secret.NewRefFromString("gs-test-key"),
+			APISecret:      secret.NewRefFromString("gs-test-secret"),
 			ClientCertPath: clientCert,
 			ClientKeyPath:  clientKey,
 			ServerCAPath:   "/nonexistent/path/to/ca.pem",
@@ -699,8 +707,8 @@ func TestGlobalSign_ServerTLSConfig(t *testing.T) {
 
 		config := globalsign.Config{
 			APIUrl:         "https://example.invalid",
-			APIKey:         "gs-test-key",
-			APISecret:      "gs-test-secret",
+			APIKey:         secret.NewRefFromString("gs-test-key"),
+			APISecret:      secret.NewRefFromString("gs-test-secret"),
 			ClientCertPath: clientCert,
 			ClientKeyPath:  clientKey,
 			ServerCAPath:   badCAPath,