CA: Remove deprecated Issuance.Profiles field #7414
pgporada added a commit that referenced this issue on Apr 8, 2024:
This change introduces a new config key `certProfiles` which contains a map of `profiles`. Only one of `profile` or `certProfiles` should be used, because configuring both will result in the CA erroring and shutting down. Further, the singular `profile` is now [deprecated](#7414).

The CA pre-computes several maps at startup:

* A human-readable name to a `*issuance.Profile` which is referred to as "name".
* A SHA-256 sum over the entire contents of the given profile to the `*issuance.Profile`. We'll refer to this as "hash".

Internally, CA methods no longer pass an `*issuance.Profile`, instead they pass a structure containing maps of certificate profile identifiers.

To determine the default profile used by the CA, a new config field `defaultCertificateProfileName` has been added to the Issuance struct. Absence of `defaultCertificateProfileName` will cause the CA to use the default value of `defaultBoulderCertificateProfile` such as for the deprecated `profile`. The key for each given certificate profile will be used as the "name". Duplicate names or hashes will cause the CA to error during initialization and shutdown.

When the RA calls `ra.CA.IssuePrecertificate`, it will pass an arbitrary certificate profile name to the CA triggering the CA to lookup if the name exists in its internal mapping. The RA maintains no state or knowledge of configured certificate profiles and relies on the CA to provide this information. If the name exists in the CA's map, it will return the hash along with the precertificate bytes in a `capb.IssuePrecertificateResponse`. The RA will then call `ra.CA.IssueCertificateForPrecertificate` with that same hash. The CA will lookup the hash to determine if it exists in its map, and if so will continue on with certificate issuance.

Precertificate and certificate issuance audit logs will now include the certificate profile name and hex representation of the hash that they were issued with.

Fixes #6966

There are no required config or SQL changes.
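The name/hash bookkeeping the commit message describes, as an added example that is not Boulder's code: the `Profile` fields, the `SampleConfig` data and the method names `ResolveName`, `ProfileForHash` and `IssueFlow` are this example's own inventions standing in for the CA side of `IssuePrecertificate` and `IssueCertificateForPrecertificate`. It builds the two maps at startup, rejects profiles whose contents hash to the same value and a default name that does not resolve, and then walks the RA to CA exchange so the only thing the RA carries between the two calls is the hash the CA handed it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Profile is a hypothetical stand-in for Boulder's *issuance.Profile; its fields are
// invented for this example, only the name/hash bookkeeping is the point.
type Profile struct {
	AllowMustStaple bool     `json:"allowMustStaple"`
	MaxValidityDays int      `json:"maxValidityDays"`
	Policies        []string `json:"policies"`
}

// DefaultProfileName is the fallback named in the commit message.
const DefaultProfileName = "defaultBoulderCertificateProfile"

// CertProfiles holds the maps the CA pre-computes at startup.
type CertProfiles struct {
	byName      map[string]*Profile   // "name" -> profile
	byHash      map[[32]byte]*Profile // "hash" -> profile
	nameToHash  map[string][32]byte   // lets IssuePrecertificate answer with a hash
	defaultName string
}

// hashProfile is the "hash": SHA-256 over a deterministic serialisation of the
// whole profile (json.Marshal emits struct fields in declaration order).
func hashProfile(p *Profile) ([32]byte, error) {
	b, err := json.Marshal(p)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(b), nil
}

// NewCertProfiles builds the maps and applies the startup checks from the commit
// message: names are unique (they are config map keys), hashes must be unique too,
// and the default name must resolve; any failure is fatal, as it is for the CA.
func NewCertProfiles(configured map[string]*Profile, defaultName string) (*CertProfiles, error) {
	if defaultName == "" {
		defaultName = DefaultProfileName
	}
	cp := &CertProfiles{map[string]*Profile{}, map[[32]byte]*Profile{}, map[string][32]byte{}, defaultName}
	for name, p := range configured {
		h, err := hashProfile(p)
		if err != nil {
			return nil, fmt.Errorf("hashing certificate profile %q: %w", name, err)
		}
		if _, dup := cp.byHash[h]; dup {
			return nil, fmt.Errorf("profile %q duplicates another profile's contents (hash %s)", name, hex.EncodeToString(h[:]))
		}
		cp.byName[name], cp.byHash[h], cp.nameToHash[name] = p, p, h
	}
	if _, ok := cp.byName[defaultName]; !ok {
		return nil, fmt.Errorf("default certificate profile %q is not configured", defaultName)
	}
	return cp, nil
}

// ResolveName is the CA side of IssuePrecertificate: the RA sends an arbitrary
// name and, if it is configured, gets back the hash it must echo later.
func (cp *CertProfiles) ResolveName(name string) ([32]byte, error) {
	if h, ok := cp.nameToHash[name]; ok {
		return h, nil
	}
	return [32]byte{}, fmt.Errorf("unknown certificate profile name %q", name)
}

// ProfileForHash is the CA side of IssueCertificateForPrecertificate: only a hash
// the CA computed itself at startup is accepted.
func (cp *CertProfiles) ProfileForHash(h [32]byte) (*Profile, error) {
	if p, ok := cp.byHash[h]; ok {
		return p, nil
	}
	return nil, fmt.Errorf("unknown certificate profile hash %s", hex.EncodeToString(h[:]))
}

// IssueFlow walks the RA -> CA exchange and returns the two audit-log fields the
// commit message mentions: the profile name and the hex form of the hash.
func IssueFlow(cp *CertProfiles, name string) (string, string, error) {
	h, err := cp.ResolveName(name) // RA: IssuePrecertificate(name)
	if err != nil {
		return "", "", err
	}
	// The RA keeps only the hash with the precertificate and sends it back later.
	if _, err := cp.ProfileForHash(h); err != nil { // RA: IssueCertificateForPrecertificate(hash)
		return "", "", err
	}
	return name, hex.EncodeToString(h[:]), nil
}

// SampleConfig is constructed example data, not Boulder's real configuration.
func SampleConfig() map[string]*Profile {
	return map[string]*Profile{
		DefaultProfileName: {AllowMustStaple: true, MaxValidityDays: 90, Policies: []string{"2.23.140.1.2.1"}},
		"shortlived":       {AllowMustStaple: false, MaxValidityDays: 6, Policies: []string{"2.23.140.1.2.1"}},
	}
}
```

Calling `IssueFlow(cp, "shortlived")` on `NewCertProfiles(SampleConfig(), "")` returns the name and the 64-character hex hash that would go into the audit log; because the hash is computed over the whole profile, two differently named profiles with identical contents are caught at startup rather than silently sharing an identifier, and an RA that echoes a hash the CA never produced is refused at the second call.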
vbaranovskiy-plesk pushed a commit to plesk/boulder that referenced this issue on May 30, 2024:
- [ ] Ensure #6966 has been merged
- [ ] Ensure staging/prod are using `Issuance.CertProfiles` instead of `Issuance.Profiles`

Part of #7309