Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CA: Remove deprecated Issuance.Profiles field #7414

Open
pgporada opened this issue Apr 4, 2024 · 0 comments
Open

CA: Remove deprecated Issuance.Profiles field #7414

pgporada opened this issue Apr 4, 2024 · 0 comments
Labels
area/ca

Comments

@pgporada
Copy link
Member

pgporada commented Apr 4, 2024
edited

[] Ensure #6966 has been merged
[] Ensure staging/prod are using Issuance.CertProfiles instead of Issuance.Profiles

Part of #7309
@pgporada pgporada mentioned this issue Apr 4, 2024
Merged
pgporada added a commit that referenced this issue Apr 8, 2024
@pgporada
CA: Load multiple certificate profiles (#7325)
1e1f6ff 
This change introduces a new config key `certProfiles` which contains a
map of `profiles`. Only one of `profile` or `certProfiles` should be
used, because configuring both will result in the CA erroring and
shutting down. Further, the singular `profile` is now
[deprecated](#7414).

The CA pre-computes several maps at startup; 
* A human-readable name to a `*issuance.Profile` which is referred to as
"name".
* A SHA-256 sum over the entire contents of the given profile to the
`*issuance.Profile`. We'll refer to this as "hash".

Internally, CA methods no longer pass an `*issuance.Profile`, instead
they pass a structure containing maps of certificate profile
identifiers. To determine the default profile used by the CA, a new
config field `defaultCertificateProfileName` has been added to the
Issuance struct. Absence of `defaultCertificateProfileName` will cause
the CA to use the default value of `defaultBoulderCertificateProfile`
such as for the the deprecated `profile`. The key for each given
certificate profile will be used as the "name". Duplicate names or
hashes will cause the CA to error during initialization and shutdown.

When the RA calls `ra.CA.IssuePrecertificate`, it will pass an arbitrary
certificate profile name to the CA triggering the CA to lookup if the
name exists in its internal mapping. The RA maintains no state or
knowledge of configured certificate profiles and relies on the CA to
provide this information. If the name exists in the CA's map, it will
return the hash along with the precertificate bytes in a
`capb.IssuePrecertificateResponse`. The RA will then call
`ra.CA.IssueCertificateForPrecertificate` with that same hash. The CA
will lookup the hash to determine if it exists in its map, and if so
will continue on with certificate issuance.

Precertificate and certificate issuance audit logs will now include the
certificate profile name and hex representation of the hash that they
were issued with.

Fixes #6966

There are no required config or SQL changes.
vbaranovskiy-plesk pushed a commit to plesk/boulder that referenced this issue May 30, 2024
@pgporada
CA: Load multiple certificate profiles (letsencrypt#7325)
37e3c89 
This change introduces a new config key `certProfiles` which contains a
map of `profiles`. Only one of `profile` or `certProfiles` should be
used, because configuring both will result in the CA erroring and
shutting down. Further, the singular `profile` is now
[deprecated](letsencrypt#7414).

The CA pre-computes several maps at startup; 
* A human-readable name to a `*issuance.Profile` which is referred to as
"name".
* A SHA-256 sum over the entire contents of the given profile to the
`*issuance.Profile`. We'll refer to this as "hash".

Internally, CA methods no longer pass an `*issuance.Profile`, instead
they pass a structure containing maps of certificate profile
identifiers. To determine the default profile used by the CA, a new
config field `defaultCertificateProfileName` has been added to the
Issuance struct. Absence of `defaultCertificateProfileName` will cause
the CA to use the default value of `defaultBoulderCertificateProfile`
such as for the the deprecated `profile`. The key for each given
certificate profile will be used as the "name". Duplicate names or
hashes will cause the CA to error during initialization and shutdown.

When the RA calls `ra.CA.IssuePrecertificate`, it will pass an arbitrary
certificate profile name to the CA triggering the CA to lookup if the
name exists in its internal mapping. The RA maintains no state or
knowledge of configured certificate profiles and relies on the CA to
provide this information. If the name exists in the CA's map, it will
return the hash along with the precertificate bytes in a
`capb.IssuePrecertificateResponse`. The RA will then call
`ra.CA.IssueCertificateForPrecertificate` with that same hash. The CA
will lookup the hash to determine if it exists in its map, and if so
will continue on with certificate issuance.

Precertificate and certificate issuance audit logs will now include the
certificate profile name and hex representation of the hash that they
were issued with.

Fixes letsencrypt#6966

There are no required config or SQL changes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/ca
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@pgporada