CA: Load multiple certificate profiles

Open pgporada opened this issue 1 year ago • 2 comments

This change introduces a new config key certProfiles which contains a list of profiles. Each profile from certProfiles and profile are added to a map comprised of a human-readable name key to a *issuance.Profile value. The name field is currently unexported so that protobuf changes can be safely deployed without risk of reading from a non-existent field. If a name is not provided in the config file, a default name is assigned. Due to the field being unexported, only the profile configuration is available to use at this time, not certProfiles.

CA methods no longer pass *issuance.Profile, instead favoring the certificate profiles map. Once CA protobuf changes have been successfully deployed to staging and production environments, the precertificate and certificate issuance methods will be able to check if the incoming profile name from the RA is present in the certificate profiles map.

Built on top of https://github.com/letsencrypt/boulder/pull/7331. Part of https://github.com/letsencrypt/boulder/issues/6966.

There are no config or SQL changes; that was from earlier commits where I was doing some manual testing.

pgporada avatar Feb 13 '24 22:02 pgporada

@pgporada, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

github-actions[bot] avatar Feb 14 '24 21:02 github-actions[bot]

Some notes from a live conversation:

  • Fields added to a JSON config should always be exported, because they can't actually be set from a config if not.
  • But also we don't want to set this new name field in config-next yet because it's not hooked up to anything (no realistic gRPC code connected to it).
  • Phil's gonna work on fleshing out the gRPC aspect, export the name field, and make this a stacked change on top of a gRPC PR.
  • Config checking:
    • It should be an error if the old profile and the new certProfiles fields are both configured in the same JSON
    • Duplicate profile names should be an error - already done 🎉
    • There should be a separate config field DefaultCertProfile that names the one that will be used when no profile name is specified
      • DefaultCertProfile is mandatory when CertProfiles is present, and vice versa

jsha avatar Feb 16 '24 20:02 jsha
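
The config checks listed in the notes above, as an added Go sketch that is not Boulder's code and not part of this thread. The struct shapes, the JSON key spellings, the maxValidityHours setting, the "legacy" name and the rule that the default must name a defined profile are all assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical shapes; only profile, certProfiles and DefaultCertProfile come from the thread.
type profileConfig struct {
	Name             string `json:"name"`
	MaxValidityHours int    `json:"maxValidityHours"` // constructed stand-in setting
}
type caConfig struct {
	Profile            *profileConfig  `json:"profile"`
	CertProfiles       []profileConfig `json:"certProfiles"`
	DefaultCertProfile string          `json:"defaultCertProfile"`
}

// loadProfiles validates the config and returns name -> profile plus the default name.
func loadProfiles(raw []byte) (map[string]profileConfig, string, error) {
	var c caConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, "", err
	}
	switch {
	case c.Profile != nil && len(c.CertProfiles) > 0:
		return nil, "", errors.New("profile and certProfiles are both set")
	case (len(c.CertProfiles) > 0) != (c.DefaultCertProfile != ""):
		return nil, "", errors.New("certProfiles and defaultCertProfile must be set together")
	case c.Profile != nil: // old single-profile config; "legacy" is an assumed name
		return map[string]profileConfig{"legacy": *c.Profile}, "legacy", nil
	case len(c.CertProfiles) == 0:
		return nil, "", errors.New("no certificate profile configured")
	}
	profiles := make(map[string]profileConfig, len(c.CertProfiles))
	for _, p := range c.CertProfiles {
		if _, dup := profiles[p.Name]; dup || p.Name == "" {
			return nil, "", fmt.Errorf("missing or duplicate profile name %q", p.Name)
		}
		profiles[p.Name] = p
	}
	if _, ok := profiles[c.DefaultCertProfile]; !ok { // assumed extra check
		return nil, "", fmt.Errorf("defaultCertProfile %q is not defined", c.DefaultCertProfile)
	}
	return profiles, c.DefaultCertProfile, nil
}

func main() { // constructed input with a duplicate name; prints the rejection
	fmt.Println(loadProfiles([]byte(`{"certProfiles":[{"name":"a"},{"name":"a"}],"defaultCertProfile":"a"}`)))
}
```

Failing at load time means an ambiguous or incomplete profile set stops the CA from starting, rather than surfacing later as an unexpected profile choice during issuance.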